All of lore.kernel.org
 help / color / mirror / Atom feed
From: "U.Mutlu" <for-gmane@mutluit.com>
To: netfilter@vger.kernel.org
Subject: [nfqueue] verdict NF_ACCEPT doesn't continue
Date: Wed, 30 Nov 2011 08:58:54 +0100	[thread overview]
Message-ID: <jb4nnu$s0u$1@dough.gmane.org> (raw)

nfq_set_verdict() or nfq_set_verdict2():
   NF_DROP    discard the packet
   NF_ACCEPT  the packet passes, continue iterations

In my callback I pass NF_ACCEPT to let the packet continue its travel
through the subsequent rules (normal iptables rules).
but the packet doesn't reach the subsequent rules.
The "obvious" explanation for that behavour would of course be
when not NF_ACCEPT but NF_DROP had been passed to the verdict routine.
But it's not the case. So, then NF_ACCEPT seems to behave anormal here,
that's mysterious.

Here's my script:

  ...
  iptables -A INPUT   -p all  -j NFQUEUE --queue-num 4711
  iptables -A INPUT   -p all  -j LOG --log-prefix "DEBUG ALL "
  ...

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
...
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 4711
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DEBUG ALL "
...

The logging normally functions well, but when NFQUEUE is active
then logging of the received packets mysteriously stops.


# uname -a
Linux s7 3.0.0-1-rt-amd64 #1 SMP PREEMPT RT Sat Aug 27 17:34:31 UTC 2011 x86_64 GNU/Linux


int grcCB = 0;
static int cb(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* nfa, void* pUserData)
   { // this callback func is called from nfq_handle_packet()

     bool  fDrop = false;
     const u_int32_t id = process_pkt(nfa, fDrop);
     return grcCB = nfq_set_verdict(qh, id, fDrop ? NF_DROP : NF_ACCEPT, 0, NULL);
   }

...
const int rv = recv(fd, buf, sizeof(buf), 0);       // is blocking!
if (rv >= 0)
   {
     if (nfq_handle_packet(h, buf, rv) == 0)
       {
         //...
       }
     else
      {
        printf("ERR: rc of handle_packet is %d\n", grcCB);
      }
   }

nfq_set_verdict gives 0 and hence the "ERR" line doesn't get executed ever.

Is this a bug of the library or do I need to use something different than NF_ACCEPT?
What about the last 2 params of nfq_set_verdict, could they be the reason?


             reply	other threads:[~2011-11-30  7:58 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-30  7:58 U.Mutlu [this message]
2011-11-30  8:07 ` [nfqueue] verdict NF_ACCEPT doesn't continue Eric Leblond
2011-11-30  8:53   ` U.Mutlu
2011-11-30 10:09     ` Jan Engelhardt
2011-11-30 15:48       ` U.Mutlu
     [not found]         ` <8509432a-b261-412c-8688-705014007520@email.android.com>
2011-11-30 18:34           ` U.Mutlu
2011-12-04 21:02         ` Jan Engelhardt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='jb4nnu$s0u$1@dough.gmane.org' \
    --to=for-gmane@mutluit.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.