From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: Re: Can NFQUEUE accept/continue when there is no userspace listener registered ?
Date: Fri, 05 Nov 2010 01:08:05 +0100
Message-ID: <4CD34AE5.8090606@netfilter.org>
References: <4CD22E08.2060300@netbauds.net> <4CD238A2.8070900@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Darryl Miles , netfilter-devel@vger.kernel.org
To: Patrick McHardy
Return-path:
Received: from mail.us.es ([193.147.175.20]:56767 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752065Ab0KEAH4 (ORCPT ); Thu, 4 Nov 2010 20:07:56 -0400
In-Reply-To: <4CD238A2.8070900@trash.net>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

On 04/11/10 05:37, Patrick McHardy wrote:
> On 04.11.2010 04:52, Darryl Miles wrote:
>> Is there any mechanism which would allow additional options to NFQUEUE
>> target to instruct the kernel what to do:
>>
>> --action-no-listener NF_ACCEPT|NF_DROP|CONTINUE (with NF_DROP being
>> the default)
>> --action-backlog-overflow NF_ACCEPT|NF_DROP|CONTINUE (with NF_DROP
>> being the default)
>
> --action-no-listener is hard to do because the rule has no direct
> connection to the queue and backend queueing mechanism and thus
> it can't determine whether a listener exists. There's also currently
> no way to propagate that information to the backend. Well, maybe
> you could encode it in the verdict, similar to the queue number.
>
> --action-backlog-overflow should be pretty easy to add to the
> queueing backend itself (nfnetlink_queue), however when the packet
> reaches the backend, it has already left the ruleset, so it won't
> continue in the chain but instead continue as if a verdict of
> NF_ACCEPT had been issued.
We can add two new netlink attributes like:

* NFQA_CFG_NO_LISTENER_VERDICT
* NFQA_CFG_OVERFLOW_VERDICT

These can be used to send messages from user-space to configure the instance; they will remain per-process parameters. It's similar to what we do with NFQA_CFG_QUEUE_MAXLEN.
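As an added illustration, not code from this thread or from the netfilter project: the block below shows how a per-queue configuration parameter such as NFQA_CFG_QUEUE_MAXLEN travels from user space to nfnetlink_queue as an nfnetlink config message, and parses such a message back, so the "per-process parameter" pattern the reply refers to is visible byte by byte. The two proposed attributes (NFQA_CFG_NO_LISTENER_VERDICT, NFQA_CFG_OVERFLOW_VERDICT) do not exist, so the block instead also encodes NFQA_CFG_FLAGS with NFQA_CFG_F_FAIL_OPEN, the fail-open switch that later kernels added for the overflow case. The numeric constants are the values from the kernel uapi headers as I know them and should be checked against your tree; the helper names are my own.

```python
import struct

# Constants as found in linux/netfilter/nfnetlink.h and
# linux/netfilter/nfnetlink_queue.h (from memory; verify against your kernel).
NFNL_SUBSYS_QUEUE = 3
NFQNL_MSG_CONFIG = 2
NFNETLINK_V0 = 0
AF_UNSPEC = 0
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04

# enum nfqnl_attr_config
NFQA_CFG_CMD = 1
NFQA_CFG_PARAMS = 2
NFQA_CFG_QUEUE_MAXLEN = 3
NFQA_CFG_MASK = 4
NFQA_CFG_FLAGS = 5

# Bit in NFQA_CFG_FLAGS: on queue overflow, accept instead of drop (later kernels).
NFQA_CFG_F_FAIL_OPEN = 1 << 0

NLMSG_HDRLEN = 16  # struct nlmsghdr
NFGENMSG_LEN = 4   # struct nfgenmsg


def nla_align(n):
    """Round a length up to the 4-byte netlink attribute alignment."""
    return (n + 3) & ~3


def nla(attr_type, payload):
    """Encode one struct nlattr (native-endian header) plus padded payload."""
    hdr = struct.pack("=HH", 4 + len(payload), attr_type)
    return hdr + payload + b"\0" * (nla_align(len(payload)) - len(payload))


def nfq_config_msg(queue_num, attrs, seq=1):
    """Wrap attributes in nlmsghdr + nfgenmsg addressed to queue `queue_num`.

    nfgenmsg.res_id carries the queue number in network byte order, which is
    what ties the message to a particular nfnetlink_queue instance.
    """
    nfgen = struct.pack("!BBH", AF_UNSPEC, NFNETLINK_V0, queue_num)
    body = nfgen + b"".join(attrs)
    nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), nlmsg_type,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body


def set_queue_maxlen_msg(queue_num, maxlen):
    """Config message setting NFQA_CFG_QUEUE_MAXLEN (payload is be32)."""
    return nfq_config_msg(queue_num, [nla(NFQA_CFG_QUEUE_MAXLEN, struct.pack("!I", maxlen))])


def set_fail_open_msg(queue_num, enabled):
    """Config message toggling NFQA_CFG_F_FAIL_OPEN via FLAGS + MASK (both be32)."""
    flags = NFQA_CFG_F_FAIL_OPEN if enabled else 0
    return nfq_config_msg(queue_num, [
        nla(NFQA_CFG_FLAGS, struct.pack("!I", flags)),
        nla(NFQA_CFG_MASK, struct.pack("!I", NFQA_CFG_F_FAIL_OPEN)),
    ])


def parse_nfq_config(msg):
    """Decode an nfqueue config message into subsystem, type, queue and attrs."""
    nlmsg_len, nlmsg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    if nlmsg_len > len(msg):
        raise ValueError("truncated netlink message")
    _family, _version, res_id = struct.unpack_from("!BBH", msg, NLMSG_HDRLEN)
    attrs = {}
    off = NLMSG_HDRLEN + NFGENMSG_LEN
    while off + 4 <= nlmsg_len:
        nla_len, nla_type = struct.unpack_from("=HH", msg, off)
        if nla_len < 4 or off + nla_len > nlmsg_len:
            raise ValueError("malformed attribute")
        attrs[nla_type] = msg[off + 4:off + nla_len]
        off += nla_align(nla_len)
    return {"subsys": nlmsg_type >> 8, "msg": nlmsg_type & 0xFF,
            "queue": res_id, "attrs": attrs}


if __name__ == "__main__":
    for m in (set_queue_maxlen_msg(7, 1024), set_fail_open_msg(7, True)):
        print(m.hex(), parse_nfq_config(m))
```

Because the message is sent over the process's own netfilter netlink socket, the resulting maxlen or fail-open setting lives in that socket's queue instance and disappears with it, which is exactly the per-process scope the reply describes. From a defender's point of view, fail-open (accept on overflow, and `--queue-bypass` on the iptables side for the no-listener case) trades inspection coverage for availability; the drop default is the fail-closed choice.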