----- Original Message -----
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>> So my request and suggestion is to add an additional parameter to NFQUEUE,
>> say, --treat-accept-as-continue (or rule not matched)
>>
>> which means: if the QUEUE program returns NF_ACCEPT, then instead of ACCEPTing
>> the packet, continue processing the next rule (as if the rule did not match).
>
> That will not be straightforward to implement. The existing code does
> not provide a way to resume packet filtering just after the rule that
> enqueued the packet to user-space.

Umm. So how does NFLOG (libnetfilter_log) do it?

From the man page (for NFLOG):

    Like LOG, this is a non-terminating target, i.e. rule traversal
    continues at the next rule.

If I am not wrong, NFLOG and NFQUEUE are quite similar. If NFLOG can allow
continuing to the next rule, maybe NFQUEUE can as well.

We already have the --queue-bypass option, which bypasses to the next rule if
the QUEUE program is not present. Maybe we can have a modification to the
code which bypasses when NF_ACCEPT is received from userspace.

Just a suggestion; I am not sure if this would need changes at the kernel level.

Thanks
AMM
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
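The difference the thread is circling around, as an added example that is not part of the original messages or of the netfilter project: an iptables ruleset in which NFLOG is visibly non-terminating, NFQUEUE terminates on an NF_ACCEPT verdict, and the "accept means continue with the next rule" behaviour AMM asks for is obtained with existing kernel code by combining a packet mark with the NF_REPEAT verdict. The queue number, the mark bit and the port are arbitrary assumptions for the example; --queue-bypass is shown with its documented meaning (the rule behaves like ACCEPT when no program is bound to the queue), not as a "continue".

```shell
#!/bin/sh
# Added example, not from the thread or from the netfilter project.
# Emits (and optionally applies) an INPUT ruleset that demonstrates:
#   - NFLOG is non-terminating: rule traversal continues after it.
#   - NFQUEUE is terminating: NF_ACCEPT from userspace ends the chain.
#   - "continue with the next rule" can be emulated today: the verdict
#     program answers NF_REPEAT with a mark set, the packet re-enters the
#     hook, and a mark guard makes it skip the NFQUEUE rule on that pass.
# Queue number, mark bit and port are arbitrary assumptions.
QUEUE_NUM="${QUEUE_NUM:-0}"
REPEAT_MARK="${REPEAT_MARK:-1}"   # mark bit set by the verdict program
PORT="${PORT:-22}"

# Rules for the INPUT chain in iptables-restore syntax ('#' lines are
# ignored by iptables-restore).
input_rules() {
    cat <<EOF
*filter
# NFLOG: a copy goes to nflog group 1, then traversal continues with the
# next rule. It fires again on the NF_REPEAT pass; add the same mark guard
# as below if duplicate log entries matter.
-A INPUT -p tcp --dport $PORT -j NFLOG --nflog-group 1 --nflog-prefix "seen "
# NFQUEUE: NF_ACCEPT from userspace ends traversal here, so the rules
# below are never reached on the first pass. The mark guard skips this
# rule on the second pass after NF_REPEAT. --queue-bypass only applies
# when nothing is bound to queue $QUEUE_NUM: the rule then acts like ACCEPT
# instead of dropping the packet.
-A INPUT -p tcp --dport $PORT -m mark ! --mark $REPEAT_MARK/$REPEAT_MARK -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
# Reached only after the verdict program said "continue" (NF_REPEAT with
# the mark set). Anything here sees the packet as if NFQUEUE had not matched.
-A INPUT -p tcp --dport $PORT -m mark --mark $REPEAT_MARK/$REPEAT_MARK -m limit --limit 10/second -j ACCEPT
-A INPUT -p tcp --dport $PORT -j DROP
COMMIT
EOF
}

# Number of actual rules (-A lines) in the generated ruleset.
rule_count() {
    input_rules | grep -c '^-A'
}

# Apply the ruleset. Needs root and iptables-restore; -n keeps the rest of
# the filter table untouched (rules are appended, so run it once).
apply_rules() {
    input_rules | iptables-restore -n
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  input_rules ;;
esac
```

On the userspace side of queue 0 the "continue" verdict is issued with libnetfilter_queue's nfq_set_verdict2(qh, id, NF_REPEAT, REPEAT_MARK, 0, NULL); a plain NF_ACCEPT still accepts outright and NF_DROP drops. Two caveats: NF_REPEAT restarts the whole hook, so every rule before the NFQUEUE rule runs a second time (the NFLOG rule above included), and nothing in between may clear the mark bit, or the packet will be queued again. This is the same idiom Suricata's NFQ "repeat" mode relies on.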