From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Amm Snort <ammdispose-snort@yahoo.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: NFQUEUE target with --treat-accept-as-continue?
Date: Mon, 2 Apr 2012 11:13:03 +0200
Message-ID: <20120402091303.GA14599@1984>
In-Reply-To: <1333336294.99244.YahooMailNeo@web193406.mail.sg3.yahoo.com>
On Mon, Apr 02, 2012 at 11:11:34AM +0800, Amm Snort wrote:
> ----- Original Message -----
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> >> So my request and suggestion is to add additional parameter to NFQUEUE
> >> say, --treat-accept-as-continue (or rule not matched)
> >>
> >> which means, if QUEUE program returns NF_ACCEPT then instead of ACCEPTing
> >> the packet, continue processing next rule. (as if rule did not match)
> >
> > That will not be straight forward to implement. The existing code does
> > not provide a way to resume packet filtering just after the rule that
> > enqueued the packet to user-space.
>
> Umm, so how does NFLOG (libnetfilter_log) do it?
>
> From man page: (for NFLOG)
> Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.
>
> If I am not wrong, NFLOG and NFQUEUE are very similar. If NFLOG can allow continuing to the
> next rule, maybe NFQUEUE can as well.
NFLOG delivers the log using netlink multicast and it doesn't wait
for user-space to issue any verdict on the log message.
> We already have the --queue-bypass option, which bypasses to the next rule if the QUEUE program is not present.
> Maybe we can have a modification to the code which bypasses when NF_ACCEPT is received from
> userspace.
I know, but that's a completely different situation.
> Just a suggestion, I am not sure if this would need changes at kernel level.
As said, this is not straightforward. Look at the code and you'll see
why I'm telling you this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html