* First userspace, then module
@ 2009-04-16  7:02 Kristian Evensen
  2009-04-16  7:28 ` Jan Engelhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Kristian Evensen @ 2009-04-16  7:02 UTC (permalink / raw)
  To: netfilter-devel

Hello,

I am playing around with an idea for a module that will manipulate the 
packets in userspace before passing them on to the xtables module. In 
other words, there will be two rules in iptables (in the same table) 
and after userspace is done with the packet, it will be passed onto the 
next rule.

However, when creating a small prototype to see if this is possible, I 
did not find an equivalent to "XT_CONTINUE" that can be passed to 
nfq_set_verdict and I therefore did not get the prototype working. So my 
question is, is it possible to first send a packet to userspace, make a 
verdict and then have it processed by a rule in the same iptables-table?

Thanks,
Kristian


* Re: First userspace, then module
  2009-04-16  7:02 First userspace, then module Kristian Evensen
@ 2009-04-16  7:28 ` Jan Engelhardt
  2009-04-16  8:31   ` Kristian Evensen
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2009-04-16  7:28 UTC (permalink / raw)
  To: Kristian Evensen; +Cc: netfilter-devel


On Thursday 2009-04-16 09:02, Kristian Evensen wrote:
>
> I am playing around with an idea for a module that will manipulate the packets
> in userspace before passing them on to the xtables module. In other words,
> there will be two rules in iptables (in the same table) and after userspace is
> done with the packet, it will be passed onto the next rule.

Not possible. But you can have it reenter at the start using
NF_REPEAT, I think.

> However, when creating a small prototype to see if this is possible, I did not
> find an equivalent to "XT_CONTINUE" that can be passed to nfq_set_verdict and I
> therefore did not get the prototype working. So my question is, is it possible to
> first send a packet to userspace, make a verdict and then have it processed by
> a rule in the same iptables-table?


* Re: First userspace, then module
  2009-04-16  7:28 ` Jan Engelhardt
@ 2009-04-16  8:31   ` Kristian Evensen
  0 siblings, 0 replies; 3+ messages in thread
From: Kristian Evensen @ 2009-04-16  8:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Thu, Apr 16, 2009 at 9:28 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Thursday 2009-04-16 09:02, Kristian Evensen wrote:
>>
>> I am playing around with an idea for a module that will manipulate the packets
>> in userspace before passing them on to the xtables module. In other words,
>> there will be two rules in iptables (in the same table) and after userspace is
>> done with the packet, it will be passed onto the next rule.
>
> Not possible. But you can have it reenter at the start using
> NF_REPEAT, I think.

Ok, thank you. I guess the best way then is to try and somehow mark
the packet, make it reenter and have the other rule higher up. This
rule will then also require a match on mark.

-Kristian

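The mark-then-reenter scheme Kristian settles on, as an added example that is not code from the thread or from netfilter: a small C model of one chain walked with NF_REPEAT semantics. The mark bit 0x1, the MODULE target and the userspace_verdict() callback are constructed stand-ins (the callback plays the role of nfq_set_verdict2() returning NF_REPEAT with a mark); the model also shows why the mark is not optional, since without it the NFQUEUE rule matches again on every reentry.

```c
/* Model of "mark the packet, NF_REPEAT, re-match on the mark".
 * Hypothetical simulation only, not kernel or libnetfilter_queue code. */
#include <stddef.h>
#include <stdint.h>

#define NF_ACCEPT 1
#define NF_REPEAT 4          /* same numeric values as linux/netfilter.h */
#define DONE_MARK 0x1u       /* constructed mark: "userspace already handled this" */
#define MAX_PASSES 8         /* bound so a misconfiguration shows up as a loop */

struct pkt { uint32_t mark; int module_hits; };

enum target { T_MODULE, T_QUEUE, T_ACCEPT };
struct rule { uint32_t mark; uint32_t mask; int invert; enum target target; };

/* Kristian's ordering: module rule above the queue rule, both keyed on the mark. */
static const struct rule chain[] = {
    { DONE_MARK, DONE_MARK, 0, T_MODULE }, /* -m mark   --mark 0x1/0x1 -j MODULE  */
    { DONE_MARK, DONE_MARK, 1, T_QUEUE  }, /* -m mark ! --mark 0x1/0x1 -j NFQUEUE */
    { 0,         0,         0, T_ACCEPT }, /* chain policy ACCEPT                  */
};

/* Userspace handler: tag the packet and ask the kernel to restart the hook. */
static uint32_t userspace_verdict(struct pkt *p, int set_mark)
{
    if (set_mark) p->mark |= DONE_MARK;
    return NF_REPEAT;
}

/* One pass over the chain. A module target behaves like XT_CONTINUE. */
static uint32_t walk_chain(struct pkt *p, int set_mark)
{
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        const struct rule *r = &chain[i];
        int matched = ((p->mark & r->mask) == r->mark) ? 1 : 0;
        if (matched == r->invert) continue;           /* rule does not apply */
        switch (r->target) {
        case T_MODULE: p->module_hits++; break;       /* continue to next rule */
        case T_QUEUE:  return userspace_verdict(p, set_mark);
        case T_ACCEPT: return NF_ACCEPT;
        }
    }
    return NF_ACCEPT;
}

/* Reenter the hook on NF_REPEAT. Returns passes taken, or -1 if it never settles. */
int run_hook(struct pkt *p, int set_mark)
{
    for (int passes = 1; passes <= MAX_PASSES; passes++)
        if (walk_chain(p, set_mark) != NF_REPEAT) return passes;
    return -1;
}
```

With the mark the packet is queued once, reenters, hits the module rule and is accepted on the second pass; with set_mark=0 the queue rule matches on every pass and run_hook() reports the loop.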
