From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nft] doc: remove queue from verdict list
Date: Mon, 27 Oct 2025 23:23:54 +0100
Message-ID: <aP_w-ot_Fq7ftU48@calendula>
In-Reply-To: <20251026085439.12336-1-fw@strlen.de>

On Sun, Oct 26, 2025 at 09:54:36AM +0100, Florian Westphal wrote:
> While it's correct that the queue statement is internally implemented
> via the queue verdict, this is an implementation detail.
> We don't list "stolen" as a verdict either.
>
> nft ... queue will always use the nft_queue statement, so move the
> reinject detail from statements to queue statement and remove this.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> doc/statements.txt | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/doc/statements.txt b/doc/statements.txt
> index e275ee39dc4e..0633d023f2c0 100644
> --- a/doc/statements.txt
> +++ b/doc/statements.txt
> @@ -4,7 +4,7 @@ The verdict statement alters control flow in the ruleset and issues policy decis
>
> [verse]
> ____
> -{*accept* | *drop* | *queue* | *continue* | *return*}
> +{*accept* | *drop* | *continue* | *return*}
> {*jump* | *goto*} 'CHAIN'
>
> 'CHAIN' := 'chain_name' | *{* 'statement' ... *}*
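Review bot: With *queue* dropped from the synopsis line `{*accept* | *drop* | *continue* | *return*}`, the verdict section no longer tells a reader where queueing is documented. Consider a one-line pointer to the QUEUE STATEMENT section near this synopsis, so someone auditing which rules end ruleset evaluation still finds it.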
> @@ -22,11 +22,6 @@ afterwards in the processing pipeline.
> The drop occurs instantly, no further chains or hooks are evaluated.
> It is not possible to accept the packet in a later chain again, as those
> are not evaluated anymore for the packet.
> -*queue*:: Terminate ruleset evaluation and queue the packet to userspace.
> -Userspace must provide a drop or accept verdict. In case of accept, processing
> -resumes with the next base chain hook, not the rule following the queue verdict.
> -*continue*:: Continue evaluation with the next rule. This
> - is the default behaviour in case a rule issues no verdict.
> *return*:: Return from the current chain and continue evaluation at the
> next rule in the last chain. If issued in a base chain, it is equivalent to the
> base chain policy.
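Review bot: The two `-` lines describing *continue* ("Continue evaluation with the next rule. This is the default behaviour in case a rule issues no verdict.") are deleted together with the *queue* entry, yet the commit message only mentions queue and the synopsis in the same file still lists *continue*. This looks unintended; keep the *continue* description, or explain its removal in the commit message.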
> @@ -741,9 +736,10 @@ QUEUE STATEMENT
> ~~~~~~~~~~~~~~~
> This statement passes the packet to userspace using the nfnetlink_queue handler.
> The packet is put into the queue identified by its 16-bit queue number.
> -Userspace can inspect and modify the packet if desired. Userspace must then drop
> -or re-inject the packet into the kernel. See libnetfilter_queue documentation
> -for details.
> +Userspace can inspect and optionally modify the packet if desired.
> +Userspace must provide a drop or accept verdict. In case of accept, processing
> +resumes with the next base chain hook, not the rule following the queue verdict.
> +See libnetfilter_queue documentation for details.
>
> [verse]
> ____
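Review bot: The added line "resumes with the next base chain hook, not the rule following the queue verdict" still says "queue verdict", the term this change is moving away from; "the queue statement" would be consistent with the rest of the section. In the line above it, "optionally modify the packet if desired" says the same thing twice, so drop either "optionally" or "if desired".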
> --
> 2.51.0
>
>