Linux Netfilter discussions
* ULOG vs. NFQUEUE
@ 2007-11-30 23:06 Gilad Benjamini
  2007-12-01 11:14 ` Eric Leblond
  0 siblings, 1 reply; 3+ messages in thread
From: Gilad Benjamini @ 2007-11-30 23:06 UTC (permalink / raw)
  To: netfilter

I read about ULOG and NFQUEUE in the man page, and there is something
I don't understand, and that is, why is NFQUEUE needed.
If I understand this correctly, a ULOG target with no prefix, that
sends the entire packet to userland, and is followed by an equivalent
DROP rule, does the same thing as NFQUEUE.
Doesn't it?
I admit that I am no big expert on nfnetlink_queue. Could I be missing
something there?


* Re: ULOG vs. NFQUEUE
  2007-11-30 23:06 ULOG vs. NFQUEUE Gilad Benjamini
@ 2007-12-01 11:14 ` Eric Leblond
       [not found]   ` <d95317090712011033k6e02776eiabff90210c7fb97d@mail.gmail.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Leblond @ 2007-12-01 11:14 UTC (permalink / raw)
  To: Gilad Benjamini; +Cc: netfilter

Hi,

On Friday, 30 November 2007 at 15:06 -0800, Gilad Benjamini wrote:
> I read about ULOG and NFQUEUE in the man page, and there is something
> I don't understand, and that is, why is NFQUEUE needed.
> If I understand this correctly, a ULOG target with no prefix, that
> sends the entire packet to userland, and is followed by an equivalent
> DROP rule, does the same thing as NFQUEUE.
> Doesn't it?
> I admit that I am no big expert on nfnetlink_queue. Could I be missing
> something there?

You're missing the whole thing.

NFQUEUE is a terminal target where userspace takes the decision on
accepting or dropping the packet. It is used by projects like
snort-inline (http://snort-inline.sourceforge.net/) or nufw
(http://www.nufw.org) to improve Netfilter filtering capabilities.
Snort-inline adds IPS capabilities to Netfilter and NuFW adds
identity-based rules.

ULOG (or NFLOG) is a non-terminal target which is used for logging
purposes. The packet is sent to user space but there is no user space to
kernel space interaction.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL

* Re: ULOG vs. NFQUEUE
       [not found]   ` <d95317090712011033k6e02776eiabff90210c7fb97d@mail.gmail.com>
@ 2007-12-01 22:33     ` Eric Leblond
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Leblond @ 2007-12-01 22:33 UTC (permalink / raw)
  To: Gilad Benjamini; +Cc: netfilter

Hi,

On Saturday, 01 December 2007 at 10:33 -0800, Gilad Benjamini wrote:
> Thanks.
> If I weren't missing the whole thing, I wouldn't have asked this question.
> Your example implies that the packets need to be "injected" back into
> the packet flow.
> How is this done?

This is done by calling nfq_set_verdict or nfq_set_verdict_mark in
userspace.

The kernel gives an id to the packet before sending it to userspace via
[nf]netlink. It then waits for a [nf]netlink message from userspace
which will tell it what to do with the packet identified by its id.

As you may guess, the packet id is an argument of the verdict function.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL

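The verdict loop described in the two replies above, as an added example that is not code from the thread or from any project named in it: userspace reads the id the kernel attached to the queued packet, decides, and hands the decision back with nfq_set_verdict, and until that message arrives the kernel holds the packet (which is exactly what a ULOG + DROP pair cannot do). The policy function is kept separate from the libnetfilter_queue glue so it can be exercised without root or a live queue; queue number 0, the port-23 policy and the constructed sample packet are assumptions of this example.

```c
/* Added example, not code from the thread: the NFQUEUE verdict loop Eric describes. */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };   /* same values as the kernel's NF_DROP / NF_ACCEPT */

/* Verdict policy over the raw IPv4 bytes, kept apart from the netlink glue so it can be
 * exercised without root or a live queue. Policy: drop malformed/non-IPv4, drop TCP to port 23. */
int decide_verdict(const unsigned char *pkt, int len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_DROP;
    int ihl = (pkt[0] & 0x0f) * 4;                          /* IPv4 header length in bytes */
    if (ihl < 20 || ihl > len) return VERDICT_DROP;
    if (pkt[9] == 6 && len >= ihl + 20 &&                   /* TCP: dst port at header +2 */
        ((pkt[ihl + 2] << 8) | pkt[ihl + 3]) == 23) return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Constructed sample: minimal IPv4 + TCP headers carrying the given destination port. */
int sample_verdict(unsigned dport)
{
    unsigned char pkt[40] = {0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6};  /* IHL 5, TTL 64, proto TCP */
    pkt[22] = dport >> 8; pkt[23] = dport & 0xff;
    return decide_verdict(pkt, sizeof pkt);
}

/* The glue below only builds where libnetfilter_queue is installed (Linux):
 * gcc nfq_example.c -lnetfilter_queue -lnfnetlink; run as root with an NFQUEUE rule on queue 0. */
#if defined(__has_include) && __has_include(<libnetfilter_queue/libnetfilter_queue.h>)
#include <arpa/inet.h>
#include <sys/socket.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
/* Callback: read the id the kernel attached, decide, and send the verdict back over nfnetlink;
 * the kernel keeps the packet parked until this message arrives (ULOG never waits like this). */
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *m, struct nfq_data *nfa, void *d)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    unsigned char *payload = NULL;
    int len = nfq_get_payload(nfa, &payload);
    int verdict = (len < 0) ? VERDICT_DROP : decide_verdict(payload, len);
    return nfq_set_verdict(qh, ph ? ntohl(ph->packet_id) : 0, verdict, 0, NULL);
}
int main(void)
{
    struct nfq_handle *h = nfq_open();
    struct nfq_q_handle *qh = h ? nfq_create_queue(h, 0, &cb, NULL) : NULL;
    if (!qh || nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) return 1;
    char buf[65536]; int n;
    while ((n = recv(nfq_fd(h), buf, sizeof buf, 0)) >= 0)
        nfq_handle_packet(h, buf, n);                       /* dispatches to cb() */
    nfq_destroy_queue(qh); nfq_close(h); return 0;
}
#endif
```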
