* libipq: man page != online doc and a question
From: Jvalencia @ 2004-10-15 18:21 UTC
To: netfilter-devel

I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.

This man page dates from 2001 :S

Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.

Can I send the packet to another chain with verdicts?

Thanks.

* Re: libipq: man page != online doc and a question
From: Pablo Neira @ 2004-10-16 16:29 UTC
To: Jvalencia; +Cc: netfilter-devel

Jvalencia wrote:

>I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.

correct

>This man page dates from 2001 :S
>
>Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.

yes, these are all possible verdicts in a *kernel hook*, not in ip_queue

>Can I send the packet to another chain with verdicts?

what do you mean?

regards,
Pablo

* Re: libipq: man page != online doc and a question
From: Jvalencia @ 2004-10-16 16:59 UTC
To: netfilter-devel

On Sat, 16 Oct 2004 18:29:04 +0200 Pablo Neira <pablo@eurodev.net> wrote:

> Jvalencia wrote:
>
> >I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.
>
> correct
>
> >This man page dates from 2001 :S
> >
> >Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.
>
> yes, these are all possible verdicts in a *kernel hook*, not in ip_queue

mmm but I was able to use NF_QUEUE in ipq_set_verdict using libipq.

ipq_set_verdict(h, m->packet_id, NF_QUEUE, 0, NULL);
Exit code was 28, a success.

> >Can I send the packet to another chain with verdicts?
>
> what do you mean?

In iptables you have various chains, as INPUT, OUTPUT and other user created as "icmp_traffic" for example.
I want to move a packet to a chain as "strange_traffic" from libipq because of its content. Is this possible?

> regards,
> Pablo

* Re: libipq: man page != online doc and a question
From: Pablo Neira @ 2004-10-16 16:52 UTC
To: Jvalencia; +Cc: Netfilter Development Mailinglist

Jvalencia wrote:

>>>This man page dates from 2001 :S
>>>
>>>Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.
>>
>>yes, these are all possible verdicts in a *kernel hook*, not in ip_queue
>
>mmm but I was able to use NF_QUEUE in ipq_set_verdict using libipq.
>
>ipq_set_verdict(h, m->packet_id, NF_QUEUE, 0, NULL);
>Exit code was 28, a success.

you are right, actually I was having a look at that right now :), but does it make any sense issuing NF_QUEUE as verdict from an ip_queue user space program? You are right again, you can also issue a NF_REPEAT. Maybe you could update that manpage, have a look at the CVS and post a patch to the maillist.

>>>Can I send the packet to another chain with verdicts?
>>
>>what do you mean?
>
>In iptables you have various chains, as INPUT, OUTPUT and other user created as "icmp_traffic" for example.
>I want to move a packet to a chain as "strange_traffic" from libipq because of its content. Is this possible?

no, AFAIK iptables and ip_queue don't have a way to interchange information between them. If you like, give me more information about what you want to do, I'll see if I can help you out.

regards,
Pablo

* Re: libipq: man page != online doc and a question
From: Jvalencia @ 2004-10-16 17:21 UTC
To: netfilter-devel

> no, AFAIK iptables and ip_queue don't have a way to interchange
> information between them. If you like, give me more information about
> what you want to do, I'll see if I can help you out.

Not really, just trying what sort of things libipq lets me do.

Thanks.