libipq: man page != online doc and a question

libipq: man page != online doc and a question

[Jvalencia]

I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.
This man page dates from 2001 :S

Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.

Can I send the packet to another chain with verdicts?

Thanks.

Re: libipq: man page != online doc and a question

[Pablo Neira]

Jvalencia wrote:

>I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.
>  
>

correct

>This man page dates from 2001 :S
>
>Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.
>  
>

yes, these are all possibles verdicts in a *kernel hook*, not in ip_queue

>Can I send the packet to another chain with verdicts?
>  
>

what do you mean?

regards,
Pablo

Re: libipq: man page != online doc and a question

[Pablo Neira]

Jvalencia wrote:

>>>This man page dates from 2001 :S
>>>
>>>Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.
>>> 
>>>
>>>      
>>>
>>yes, these are all possibles verdicts in a *kernel hook*, not in ip_queue
>>    
>>
>
>mmm but I was able to use NF_QUEUE in ipq_set_verdict using libipq.
>
>ipq_set_verdict(h, m->packet_id, NF_QUEUE, 0, NULL);
>Exit code was 28, a success.
>  
>

you are right, actually I was having a look at that right now :), but 
does it make any sense issuing NF_QUEUE as verdict from an ip_queue user 
space program?

You are right again, you can also issue a NF_REPEAT. Maybe you could 
update that manpage, have a look at the CVS and post a patch to the 
maillist.

>>>Can I send the packet to another chain with verdicts?
>>> 
>>>
>>>      
>>>
>>what do you mean?
>>
>>    
>>
>
>In iptables you have various chains, as INPUT, OUTPUT and other user created as "icmp_traffic" for example. 
>I want to move a packet to a chain as "strange_traffic" from libipq because of its content. Is this possible?
>  
>

no, AFAIK iptables and ip_queue doesn't have a way to interchange 
information between them. If you like, give me more information about 
you want to do, I'll see if I can help you out.

regards,
Pablo

Re: libipq: man page != online doc and a question

[Jvalencia]

On Sat, 16 Oct 2004 18:29:04 +0200
Pablo Neira <pablo@eurodev.net> wrote:

> Jvalencia wrote:
> 
> >I've been looking at ipq_set_verdict man page, finding two verdicts: NF_ACCEPT and NF_DROP.
> >  
> >
> 
> correct
> 
> >This man page dates from 2001 :S
> >
> >Online netfilter hacking guide tells about NF_ACCEPT, NF_DROP, NF_QUEUE and NF_REPEAT.
> >  
> >
> 
> yes, these are all possibles verdicts in a *kernel hook*, not in ip_queue

mmm but I was able to use NF_QUEUE in ipq_set_verdict using libipq.

ipq_set_verdict(h, m->packet_id, NF_QUEUE, 0, NULL);
Exit code was 28, a success.

> 
> >Can I send the packet to another chain with verdicts?
> >  
> >
> 
> what do you mean?
> 

In iptables you have various chains, as INPUT, OUTPUT and other user created as "icmp_traffic" for example. 
I want to move a packet to a chain as "strange_traffic" from libipq because of its content. Is this possible?


> regards,
> Pablo

Re: libipq: man page != online doc and a question

[Jvalencia]

> 
> no, AFAIK iptables and ip_queue doesn't have a way to interchange 
> information between them. If you like, give me more information about 
> you want to do, I'll see if I can help you out.
> 

Not really, just trying what sort of things libipq let me do.

Thanks.