Re: QUEUE target and IPT_CONTINUE verdict ?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tobias DiPasquale <codeslinger@gmail.com>
To: Laurent Guyon <laurent.guyon@adelux.fr>
Cc: nf-devel <netfilter-devel@lists.netfilter.org>
Subject: Re: QUEUE target and IPT_CONTINUE verdict ?
Date: Sun, 15 May 2005 13:05:34 -0400	[thread overview]
Message-ID: <876ef97a05051510053c6827c2@mail.gmail.com> (raw)
In-Reply-To: <200505131729.39430.laurent.guyon@adelux.fr>

On 5/13/05, Laurent Guyon <laurent.guyon@adelux.fr> wrote:
> Just wondering why we can't return an IPT_CONTINUE verdict at the end of the
> QUEUE target.
> 
> I understand that the QUEUE target registers on a Netfilter queue_handler
> (that is a special kind of hook), and then it must call nf_reinject in the
> end.
> 
> I understand too that the nf_reinject function accepts only NF_ACCEPT,
> NF_DROP ... verdicts, but why ? Is it technically impossible to give
> nf_reinject an IPT_CONTINUE verdict and implement the relevant code to
> let packets continue their path in the rules ? or anyone hadn't ever thought
> about such a feature ?

I believe the reason for this is that, to do this, the kernel would
have to remember where it was in the processing of the rules and thus
save some state with every packet sent to userspace to be used in the
case where the ip_queue handler returned IPT_CONTINUE.

I don't believe that such state is hard to add, it would just waste
space. Feel free to code up a patch and submit it.

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d

next prev parent reply	other threads:[~2005-05-15 17:05 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-05-13 15:29 QUEUE target and IPT_CONTINUE verdict ? Laurent Guyon
2005-05-15 17:05 ` Tobias DiPasquale [this message]
2005-05-15 20:51   ` Henrik Nordstrom
2005-05-15 22:12     ` Tobias DiPasquale
2005-05-16  6:52       ` Henrik Nordstrom
2005-05-16 11:03         ` Tobias DiPasquale
     [not found]     ` <200505161201.02379.laurent.guyon@adelux.fr>
2005-05-16 10:02       ` Henrik Nordstrom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=876ef97a05051510053c6827c2@mail.gmail.com \
    --to=codeslinger@gmail.com \
    --cc=laurent.guyon@adelux.fr \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.