On Wed, Oct 30, 2019 at 08:38:02PM +1100, Duncan Roe wrote:
> On Wed, Oct 30, 2019 at 10:15:21AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Oct 30, 2019 at 08:07:07PM +1100, Duncan Roe wrote:
> > > Hi Pablo,
> > >
> > > When setting verdicts, does sending amended packet contents imply to accept the
> > > packet? In my app I have assumed not and that seems to work fine, but I'd like
> > > to be sure for the doco.
> >
> > If you set the verdict to NF_ACCEPT and the packet that you send back
> > to the kernel is mangled, then the kernel takes your mangled packet
> > contents.
> >
> > Thanks.
>
> Thanks Pablo, I knew that, but what happens if you send back mangled contents
> and no NF_ACCEPT or NF_DROP?
>
> Does the kernel keep waiting until you send one of these?

If you don't specify the verdict attribute, then the kernel says -EINVAL.

For reference, the function to handle the netlink message that comes from
userspace is nfqnl_recv_verdict() [1].

The nfqueue netlink protocol forces the user to send the verdict along with
the packet contents (only relevant if the contents have been updated; if the
packet is left untouched, you can skip sending the packet contents, so the
kernel assumes the packet is not altered).

Setting verbosity mode on here, much of this information you might already
know, but I prefer this for clarity.

Thanks.

[1] https://elixir.bootlin.com/linux/latest/source/net/netfilter/nfnetlink_queue.c#L1167
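The exchange above in code, as an added example that is neither Pablo's nor libnetfilter_queue's: the userspace side serialises an NFQNL_MSG_VERDICT message, and a mock of the kernel's attribute handling shows the three cases discussed (verdict with untouched packet, verdict with mangled NFQA_PAYLOAD, and payload with no NFQA_VERDICT_HDR, which is rejected with -EINVAL). The struct layouts and constants are redeclared locally (trailing underscore) so the file builds without the kernel UAPI headers; the parser is my reading of nfqnl_recv_verdict()/verdicthdr_get() and models only the attribute checks, not the queue or packet-id lookup. The 20-byte IPv4 header used as the queued packet is constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts/constants mirrored from the kernel UAPI headers (linux/netlink.h,
 * linux/netfilter.h, linux/netfilter/nfnetlink.h, nfnetlink_queue.h), given a
 * trailing underscore so this example builds without them. Netlink headers are
 * host byte order; only the verdict header fields are big-endian (__be32). */
struct nlmsghdr_ { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags;
                   uint32_t nlmsg_seq, nlmsg_pid; };
struct nlattr_   { uint16_t nla_len, nla_type; };
struct nfgenmsg_ { uint8_t nfgen_family, version; uint16_t res_id; };
struct nfqnl_msg_verdict_hdr_ { uint32_t verdict, id; };
enum { NLM_F_REQUEST_ = 1, NFNL_SUBSYS_QUEUE_ = 3, NFQNL_MSG_VERDICT_ = 1,
       NFQA_VERDICT_HDR_ = 2, NFQA_PAYLOAD_ = 10,
       NF_ACCEPT_ = 1, NF_STOLEN_ = 2, NF_MAX_VERDICT_ = 5 /* NF_STOP */ };
#define NFQNL_VERDICT_TYPE_ ((NFNL_SUBSYS_QUEUE_ << 8) | NFQNL_MSG_VERDICT_)
#define ALIGN4(n) (((n) + 3u) & ~3u)

/* Append one netlink attribute (header, data, zeroed pad) at buf+off. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, size_t len)
{
    struct nlattr_ a = { (uint16_t)(sizeof(struct nlattr_) + len), type };
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + sizeof a, data, len);
    memset(buf + off + a.nla_len, 0, ALIGN4(a.nla_len) - a.nla_len);
    return off + ALIGN4(a.nla_len);
}

/* Userspace side: build the verdict for packet `id` on `queue_num`.
 * payload=NULL leaves the packet untouched (no NFQA_PAYLOAD at all);
 * with_vhdr=0 deliberately omits NFQA_VERDICT_HDR, the case asked about.
 * Returns the message length, or -1 if buf is too small. */
int build_verdict_msg(uint8_t *buf, size_t cap, uint16_t queue_num, int with_vhdr,
                      uint32_t id, uint32_t verdict,
                      const uint8_t *payload, size_t payload_len)
{
    size_t off, need = sizeof(struct nlmsghdr_) + sizeof(struct nfgenmsg_);
    if (with_vhdr) need += ALIGN4(sizeof(struct nlattr_) + sizeof(struct nfqnl_msg_verdict_hdr_));
    if (payload)   need += ALIGN4(sizeof(struct nlattr_) + payload_len);
    if (need > cap) return -1;

    struct nlmsghdr_ nlh = { (uint32_t)need, NFQNL_VERDICT_TYPE_, NLM_F_REQUEST_, 0, 0 };
    struct nfgenmsg_ nfg = { 0 /* AF_UNSPEC */, 0 /* NFNETLINK_V0 */, htons(queue_num) };
    memcpy(buf, &nlh, sizeof nlh);              off = sizeof nlh;
    memcpy(buf + off, &nfg, sizeof nfg);        off += sizeof nfg;
    if (with_vhdr) {
        struct nfqnl_msg_verdict_hdr_ vh = { htonl(verdict), htonl(id) };
        off = put_attr(buf, off, NFQA_VERDICT_HDR_, &vh, sizeof vh);
    }
    if (payload) off = put_attr(buf, off, NFQA_PAYLOAD_, payload, payload_len);
    return (int)off;
}

/* What the mock kernel side extracts. payload == NULL means NFQA_PAYLOAD was
 * absent, i.e. the queued packet is reinjected unaltered. */
struct verdict_result { uint32_t id, verdict; const uint8_t *payload; size_t payload_len; };

/* Mock of the attribute checks in nfqnl_recv_verdict()/verdicthdr_get():
 * a missing (or NF_STOLEN / out-of-range) verdict header is -EINVAL,
 * NFQA_PAYLOAD is optional. Queue/packet-id lookup (-ENOENT) is not modelled. */
int parse_verdict_msg(const uint8_t *buf, size_t len, struct verdict_result *out)
{
    struct nlmsghdr_ nlh; struct nfqnl_msg_verdict_hdr_ vh;
    size_t off, vh_off = 0, pl_off = 0, pl_len = 0, min = sizeof nlh + sizeof(struct nfgenmsg_);
    int have_vh = 0, have_pl = 0;

    if (len < min) return -EINVAL;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len > len || nlh.nlmsg_len < min || nlh.nlmsg_type != NFQNL_VERDICT_TYPE_)
        return -EINVAL;
    for (off = min; off + sizeof(struct nlattr_) <= nlh.nlmsg_len; ) {
        struct nlattr_ a; memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < sizeof a || off + a.nla_len > nlh.nlmsg_len) return -EINVAL;
        if (a.nla_type == NFQA_VERDICT_HDR_ && a.nla_len >= sizeof a + sizeof vh) {
            have_vh = 1; vh_off = off + sizeof a;
        } else if (a.nla_type == NFQA_PAYLOAD_) {
            have_pl = 1; pl_off = off + sizeof a; pl_len = a.nla_len - sizeof a;
        }
        off += ALIGN4(a.nla_len);
    }
    if (!have_vh) return -EINVAL;      /* mangled contents but no verdict: rejected */
    memcpy(&vh, buf + vh_off, sizeof vh);
    out->verdict = ntohl(vh.verdict); out->id = ntohl(vh.id);
    if ((out->verdict & 0xffff) > NF_MAX_VERDICT_ || (out->verdict & 0xffff) == NF_STOLEN_)
        return -EINVAL;
    out->payload = have_pl ? buf + pl_off : NULL;
    out->payload_len = have_pl ? pl_len : 0;
    return 0;
}

int main(void)
{
    /* Constructed sample: a minimal IPv4/UDP header as the queued packet. */
    uint8_t pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    uint8_t buf[128]; struct verdict_result r; int n, rc;

    n = build_verdict_msg(buf, sizeof buf, 0, 1, 42, NF_ACCEPT_, NULL, 0);
    rc = parse_verdict_msg(buf, (size_t)n, &r);
    printf("accept, untouched: len=%d rc=%d payload=%s\n", n, rc, r.payload ? "yes" : "no");
    pkt[8] = 1;                                          /* mangle: TTL 64 -> 1 */
    n = build_verdict_msg(buf, sizeof buf, 0, 1, 42, NF_ACCEPT_, pkt, sizeof pkt);
    rc = parse_verdict_msg(buf, (size_t)n, &r);
    printf("accept, mangled:   len=%d rc=%d payload_len=%zu ttl=%u\n", n, rc, r.payload_len, r.payload[8]);
    n = build_verdict_msg(buf, sizeof buf, 0, 0, 42, NF_ACCEPT_, pkt, sizeof pkt);
    rc = parse_verdict_msg(buf, (size_t)n, &r);
    printf("no verdict header: len=%d rc=%d (-EINVAL is %d)\n", n, rc, -EINVAL);
    return 0;
}
```

The message size differences make the point visible: an untouched NF_ACCEPT is 32 bytes (nlmsghdr, nfgenmsg, verdict attribute), the mangled one adds a padded NFQA_PAYLOAD, and the payload-only message is well-formed netlink but is refused before any packet lookup because the verdict header is the one mandatory attribute.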