Hi,

On Thursday 01 January 2009 at 21:55 +0100, ilninno wrote:
> Hello! I have some problems with netfilter_queue:
>
> I created a queue and registered my C program; when a packet matches
> the iptables rules my code gets the event. I usually return
> NF_ACCEPT and NF_DROP, but sometimes I need to leave the packet to
> continue with iptables rules checking. I tried with:
>
> How can I leave the packet to continue in the iptables ruleset without
> beginning again? Thanks for your time.

You really can't. The only known workaround is to send the NF_REPEAT
verdict and mark the packet. The mark can then be used to "jump" to the
correct rule. This is not really nice but it works.

I've recently cooked a patch for snort-inline using this method:
http://sourceforge.net/mailarchive/forum.php?thread_name=1228209364-7798-1-git-send-email-eric%40inl.fr&forum_name=snort-inline-users

The method seems to work quite well but it may not be suitable for more
complex cases.

BR,
--
Eric Leblond <eric@xxxxxx>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
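An added example of the NF_REPEAT-plus-mark workaround Eric describes, written in C for this page; it is not Eric's snort-inline patch and not code from any project. The queue number 0, the mark bit 0x1, the `post_inspect` chain name and the `looks_malicious()` placeholder check are assumptions made here. The libnetfilter_queue callback (compiled only with `-DHAVE_LIBNETFILTER_QUEUE`) uses `nfq_set_verdict2()`, available from libnetfilter_queue 1.0 onwards, and still needs the usual `nfq_open()` / `nfq_create_queue()` setup around it; the decision logic itself compiles and runs without the library.

```c
/*
 * Added example (not Eric Leblond's snort-inline patch): hand a queued
 * packet back to the rest of the iptables ruleset with NF_REPEAT + mark.
 *
 * Assumed ruleset (queue 0, mark bit 0x1 and the chain name are arbitrary):
 *   iptables -N post_inspect                   # rules that should run after inspection
 *   iptables -A FORWARD -m mark --mark 0x1/0x1 -j post_inspect
 *   iptables -A FORWARD -j NFQUEUE --queue-num 0
 * A packet re-injected with bit 0x1 set re-enters FORWARD at the top, hits
 * the mark rule first and jumps past the NFQUEUE rule instead of looping.
 *
 * Decision logic only:   cc -o nfq_repeat nfq_repeat.c
 * With the callback:     cc -DHAVE_LIBNETFILTER_QUEUE -o nfq_repeat nfq_repeat.c -lnetfilter_queue
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBNETFILTER_QUEUE
#include <arpa/inet.h>
#include <linux/netfilter.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#endif

/* Verdict codes as in <linux/netfilter.h>; repeated here so the decision
 * logic also builds on a machine without the kernel headers. */
#ifndef NF_DROP
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_REPEAT 4
#endif

#define INSPECTED_MARK 0x1u   /* assumed mark bit: "already inspected, skip the queue" */

struct verdict {
    uint32_t verdict;   /* NF_ACCEPT, NF_DROP or NF_REPEAT */
    uint32_t mark;      /* nfmark to set together with the verdict */
};

/* Placeholder for the real inspection engine, constructed for this example:
 * flags payloads that start with "EVIL". Tolerates the NULL pointer and
 * negative length that nfq_get_payload() hands back on failure. */
static bool looks_malicious(const unsigned char *payload, int len)
{
    return payload != NULL && len >= 4 && memcmp(payload, "EVIL", 4) == 0;
}

/* Core of the workaround. `mark` is the packet's current nfmark. */
struct verdict decide(uint32_t mark, const unsigned char *payload, int len)
{
    struct verdict v = { NF_ACCEPT, mark };

    if (looks_malicious(payload, len)) {
        v.verdict = NF_DROP;          /* our own decision; later rules are irrelevant */
        return v;
    }
    if (mark & INSPECTED_MARK) {
        /* Re-injected once and still queued: the mark rule is missing from the
         * ruleset. Never REPEAT again, or the packet would circle forever. */
        return v;                     /* NF_ACCEPT, mark left as it is */
    }
    /* Clean and not yet seen: set the bit and let iptables start over. */
    v.verdict = NF_REPEAT;
    v.mark = mark | INSPECTED_MARK;   /* keep bits other users of nfmark may have set */
    return v;
}

#ifdef HAVE_LIBNETFILTER_QUEUE
/* libnetfilter_queue callback (pass it to nfq_create_queue()): pull id, mark
 * and payload, then apply decide(). nfq_set_verdict2() sets verdict and mark
 * in one call; older releases offer nfq_set_verdict_mark() instead. */
static int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
{
    (void)nfmsg; (void)data;
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    if (ph == NULL)
        return -1;
    unsigned char *payload = NULL;
    int len = nfq_get_payload(nfa, &payload);
    struct verdict v = decide(nfq_get_nfmark(nfa), payload, len);
    return nfq_set_verdict2(qh, ntohl(ph->packet_id), v.verdict, v.mark, 0, NULL);
}
#endif

/* Constructed sample payloads used by main(). */
static const unsigned char SAMPLE_GOOD[] = "GET / HTTP/1.0\r\n";
static const unsigned char SAMPLE_BAD[]  = "EVIL payload";

int main(void)
{
    struct verdict v;
    v = decide(0, SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1);
    printf("clean, unmarked -> verdict %u mark 0x%x\n", (unsigned)v.verdict, (unsigned)v.mark);
    v = decide(INSPECTED_MARK, SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1);
    printf("clean, marked   -> verdict %u mark 0x%x\n", (unsigned)v.verdict, (unsigned)v.mark);
    v = decide(0, SAMPLE_BAD, sizeof SAMPLE_BAD - 1);
    printf("malicious       -> verdict %u mark 0x%x\n", (unsigned)v.verdict, (unsigned)v.mark);
    return 0;
}
```

The guard on `INSPECTED_MARK` is the part worth keeping even if the rest is rewritten: NF_REPEAT sends the packet through the whole hook again, so a ruleset that lacks the mark rule, or a mark bit that another component clears, turns the workaround into an endless re-queue. Reserve the bit for this purpose alone (check what tc, policy routing and other userspace tools on the box do with nfmark) and keep the mark rule ahead of the NFQUEUE rule in every chain that queues.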