* [PATCH nft] doc: remove queue from verdict list
@ 2025-10-26 8:54 Florian Westphal
2025-10-27 22:23 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2025-10-26 8:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
While its correct that the queue statement is internally implemented
via the queue verdict, this is an implementation detail.
We don't list "stolen" as a verdict either.
nft ... queue will always use the nft_queue statement, so move the
reinject detail from statements to queue statement and remove this.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
doc/statements.txt | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/doc/statements.txt b/doc/statements.txt
index e275ee39dc4e..0633d023f2c0 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -4,7 +4,7 @@ The verdict statement alters control flow in the ruleset and issues policy decis
[verse]
____
-{*accept* | *drop* | *queue* | *continue* | *return*}
+{*accept* | *drop* | *continue* | *return*}
{*jump* | *goto*} 'CHAIN'
'CHAIN' := 'chain_name' | *{* 'statement' ... *}*
@@ -22,11 +22,6 @@ afterwards in the processing pipeline.
The drop occurs instantly, no further chains or hooks are evaluated.
It is not possible to accept the packet in a later chain again, as those
are not evaluated anymore for the packet.
-*queue*:: Terminate ruleset evaluation and queue the packet to userspace.
-Userspace must provide a drop or accept verdict. In case of accept, processing
-resumes with the next base chain hook, not the rule following the queue verdict.
-*continue*:: Continue evaluation with the next rule. This
- is the default behaviour in case a rule issues no verdict.
*return*:: Return from the current chain and continue evaluation at the
next rule in the last chain. If issued in a base chain, it is equivalent to the
base chain policy.
@@ -741,9 +736,10 @@ QUEUE STATEMENT
~~~~~~~~~~~~~~~
This statement passes the packet to userspace using the nfnetlink_queue handler.
The packet is put into the queue identified by its 16-bit queue number.
-Userspace can inspect and modify the packet if desired. Userspace must then drop
-or re-inject the packet into the kernel. See libnetfilter_queue documentation
-for details.
+Userspace can inspect and optionally modify the packet if desired.
+Userspace must provide a drop or accept verdict. In case of accept, processing
+resumes with the next base chain hook, not the rule following the queue verdict.
+See libnetfilter_queue documentation for details.
[verse]
____
--
2.51.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH nft] doc: remove queue from verdict list
2025-10-26 8:54 [PATCH nft] doc: remove queue from verdict list Florian Westphal
@ 2025-10-27 22:23 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2025-10-27 22:23 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sun, Oct 26, 2025 at 09:54:36AM +0100, Florian Westphal wrote:
> While its correct that the queue statement is internally implemented
> via the queue verdict, this is an implementation detail.
> We don't list "stolen" as a verdict either.
>
> nft ... queue will always use the nft_queue statement, so move the
> reinject detail from statements to queue statement and remove this.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> doc/statements.txt | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/doc/statements.txt b/doc/statements.txt
> index e275ee39dc4e..0633d023f2c0 100644
> --- a/doc/statements.txt
> +++ b/doc/statements.txt
> @@ -4,7 +4,7 @@ The verdict statement alters control flow in the ruleset and issues policy decis
>
> [verse]
> ____
> -{*accept* | *drop* | *queue* | *continue* | *return*}
> +{*accept* | *drop* | *continue* | *return*}
> {*jump* | *goto*} 'CHAIN'
>
> 'CHAIN' := 'chain_name' | *{* 'statement' ... *}*
> @@ -22,11 +22,6 @@ afterwards in the processing pipeline.
> The drop occurs instantly, no further chains or hooks are evaluated.
> It is not possible to accept the packet in a later chain again, as those
> are not evaluated anymore for the packet.
> -*queue*:: Terminate ruleset evaluation and queue the packet to userspace.
> -Userspace must provide a drop or accept verdict. In case of accept, processing
> -resumes with the next base chain hook, not the rule following the queue verdict.
> -*continue*:: Continue evaluation with the next rule. This
> - is the default behaviour in case a rule issues no verdict.
> *return*:: Return from the current chain and continue evaluation at the
> next rule in the last chain. If issued in a base chain, it is equivalent to the
> base chain policy.
> @@ -741,9 +736,10 @@ QUEUE STATEMENT
> ~~~~~~~~~~~~~~~
> This statement passes the packet to userspace using the nfnetlink_queue handler.
> The packet is put into the queue identified by its 16-bit queue number.
> -Userspace can inspect and modify the packet if desired. Userspace must then drop
> -or re-inject the packet into the kernel. See libnetfilter_queue documentation
> -for details.
> +Userspace can inspect and optionally modify the packet if desired.
> +Userspace must provide a drop or accept verdict. In case of accept, processing
> +resumes with the next base chain hook, not the rule following the queue verdict.
> +See libnetfilter_queue documentation for details.
>
> [verse]
> ____
> --
> 2.51.0
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-27 22:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-26 8:54 [PATCH nft] doc: remove queue from verdict list Florian Westphal
2025-10-27 22:23 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.