First userspace, then module

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* First userspace, then module
@ 2009-04-16  7:02 Kristian Evensen
  2009-04-16  7:28 ` Jan Engelhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Kristian Evensen @ 2009-04-16  7:02 UTC (permalink / raw)
  To: netfilter-devel

Hello,

I am playing around with an idea for a module that will manipulate the 
packets in userspace before passing them on to the xtables module. In 
other words, there will be two rules in iptables (in the samle table) 
and after userspace is done with the packet, it will be passed onto the 
next rule.

However, when creating a small prototype to see if this is possible, I 
did not find an equivalant to "XT_CONTINUE" that can be passed to 
nfq_set_verdict and I therefore did not get the prortype working.So my 
question is, is it possible to first send a packet to userspace, make a 
verdict and then have it processed by a rule in the same iptables-table?

Thanks,
Kristian

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: First userspace, then module
  2009-04-16  7:02 First userspace, then module Kristian Evensen
@ 2009-04-16  7:28 ` Jan Engelhardt
  2009-04-16  8:31   ` Kristian Evensen
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2009-04-16  7:28 UTC (permalink / raw)
  To: Kristian Evensen; +Cc: netfilter-devel


On Thursday 2009-04-16 09:02, Kristian Evensen wrote:
>
> I am playing around with an idea for a module that will manipulate the packets
> in userspace before passing them on to the xtables module. In other words,
> there will be two rules in iptables (in the samle table) and after userspace is
> done with the packet, it will be passed onto the next rule.

Not possible. But you can have it reenter at the start using
NF_REPEAT, I think.

> However, when creating a small prototype to see if this is possible, I did not
> find an equivalant to "XT_CONTINUE" that can be passed to nfq_set_verdict and I
> therefore did not get the prortype working.So my question is, is it possible to
> first send a packet to userspace, make a verdict and then have it processed by
> a rule in the same iptables-table?

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: First userspace, then module
  2009-04-16  7:28 ` Jan Engelhardt
@ 2009-04-16  8:31   ` Kristian Evensen
  0 siblings, 0 replies; 3+ messages in thread
From: Kristian Evensen @ 2009-04-16  8:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On Thu, Apr 16, 2009 at 9:28 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Thursday 2009-04-16 09:02, Kristian Evensen wrote:
>>
>> I am playing around with an idea for a module that will manipulate the packets
>> in userspace before passing them on to the xtables module. In other words,
>> there will be two rules in iptables (in the samle table) and after userspace is
>> done with the packet, it will be passed onto the next rule.
>
> Not possible. But you can have it reenter at the start using
> NF_REPEAT, I think.

Ok, thank you. I guess the best way then is to try and somehow mark
the packet, make it reenter and have the other rule higher up. This
rule will then also require a match on mark.

-Kristian

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2009-04-16  8:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-04-16  7:02 First userspace, then module Kristian Evensen
2009-04-16  7:28 ` Jan Engelhardt
2009-04-16  8:31   ` Kristian Evensen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).