Hi,

On Friday, 30 November 2007 at 15:06 -0800, Gilad Benjamini wrote:
> I read about ULOG and NFQUEUE in the man page, and there is something
> I don't understand, and that is, why is NFQUEUE needed.
> If I understand this correctly, a ULOG target with no prefix, that
> sends the entire packet to userland, and is followed by an equivalent
> DROP rule, does the same thing as NFQUEUE.
> Doesn't it?
> I admit that I am no big expert on nfnetlink_queue. Could I be missing
> something there?

You're missing the whole thing.

NFQUEUE is a terminal target where userspace takes the decision on accepting or dropping the packet. It is used by projects like snort-inline (http://snort-inline.sourceforge.net/) or nufw (http://www.nufw.org) to improve Netfilter filtering capabilities. Snort-inline adds IPS capabilities to Netfilter and NuFW adds identity-based rules.

ULOG (or NFLOG) is a non-terminal target which is used for logging purposes. The packet is sent to user space, but there is no user-space-to-kernel-space interaction.

BR,
-- 
Eric Leblond <eric@xxxxxx>
INL
Attachment: signature.asc
Description: This is a digitally signed message part