On Mon, Apr 02, 2012 at 11:11:34AM +0800, Amm Snort wrote:
> ----- Original Message -----
> > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> >
> >> So my request and suggestion is to add additional parameter to NFQUEUE
> >> say, --treat-accept-as-continue (or rule not matched)
> >>
> >> which means, if QUEUE program returns NF_ACCEPT then instead of ACCEPTing
> >> the packet, continue processing next rule. (as if rule did not match)
> >
> > That will not be straightforward to implement. The existing code does
> > not provide a way to resume packet filtering just after the rule that
> > enqueued the packet to user-space.
>
> Umm, so how does NFLOG (libnetfilter_log) do it?
>
> From man page: (for NFLOG)
> Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.
>
> If I am not wrong, NFLOG and NFQUEUE are much similar. If NFLOG can allow to continue to
> next rule, may be NFQUEUE can, as well.

NFLOG delivers the log using netlink multicast and it doesn't wait for
user-space to issue any verdict on the log message.

> We already have --queue-bypass option which bypasses to next rule if QUEUE is not present.
> May be we can have modification to code, which bypasses when NF_ACCEPT is received from
> userspace.

I know, but that's a completely different situation.

> Just a suggestion, I am not sure if this would need changes at kernel level.

As said, this is not straightforward. Look at the code and you'll see
why I'm telling you this.