Re: libnetfilter_queue: mark-value byte ordering? --oops, pls discard previous copy

[Alessandro Vesely <vesely@tana.it>]

[-- Attachment #1: Type: text/plain, Size: 977 bytes --]

David F writes:
> Pablo Neira Ayuso wrote:
>>
>> I have applied the following patch. I think that, at least, new users
>> will not hit this problem again. I'm very sorry that this was not fixed
>> before. Let me know if you are OK with it, we're still in time to revert
>> the patch attached.

Waiting one version before deprecating might allow smoother changing.

> For what it's worth, I had previously prepared this patch which just
> clarifies the documentation on this parameter.  I think it still has
> value since I also added some missing return-value docs and changed the
> descriptions of a few parameters that I had found to be confusing.

Good work. Is the (current) generated doc available? I've found an 
older version in http://www.nufw.org/doc/libnetfilter_queue/

I attach a patch aimed at fixing the example, which is confusing, 
since rv can simultaneously be != 0 and >= 0 only if it is > 0. I 
haven't resisted an attempt at enumerating verdicts, though.


[-- Attachment #2: libnetfilter_queue17.patch --]
[-- Type: text/plain, Size: 1196 bytes --]

--- libnetfilter_queue-0.0.17/src/libnetfilter_queue.original.c	2009-02-17 20:55:23.000000000 +0100
+++ libnetfilter_queue-0.0.17/src/libnetfilter_queue.c	2010-05-10 12:25:33.000000000 +0200
@@ -207,13 +207,22 @@
  * \verbatim
 	fd = nfq_fd(h);
 
-	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
+	while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
 		printf("pkt received\n");
 		nfq_handle_packet(h, buf, rv);
 	}
 \endverbatim
  * When the decision on a packet has been choosed, the verdict has to be given
- * by calling nfq_set_verdict() or nfq_set_verdict_mark().
+ * by calling nfq_set_verdict() or nfq_set_verdict_mark(). The verdict
+ * determines the destiny of the packet as follows:
+ *
+ *   - NF_DROP discarded the packet
+ *   - NF_ACCEPT the packet passes, continue iterations
+ *   - NF_STOLEN gone away
+ *   - NF_QUEUE inject the packet into a different queue
+ *     (the target queue number is in the high 16 bits of the verdict)
+ *   - NF_REPEAT iterate the same cycle once more
+ *   - NF_STOP accept, but don't continue iterations
  *
  * Data and information about the packet can be fetch by using message parsing
  * functions (See \link Parsing \endlink).