Re: libnetfilter_queue: mark-value byte ordering? --oops, pls discard previous copy

David F writes:
Pablo Neira Ayuso wrote:

I have applied the following patch. I think that, at least, new users
will not hit this problem again. I'm very sorry that this was not fixed
before. Let me know if you are OK with it, we're still in time to revert
the patch attached.

Waiting one version before deprecating might allow smoother changing.

For what it's worth, I had previously prepared this patch which just
clarifies the documentation on this parameter.  I think it still has
value since I also added some missing return-value docs and changed the
descriptions of a few parameters that I had found to be confusing.

Good work. Is the (current) generated doc available? I've found an older version in http://www.nufw.org/doc/libnetfilter_queue/

I attach a patch aimed at fixing the example, which is confusing, since rv can simultaneously be != 0 and >= 0 only if it is > 0. I haven't resisted an attempt at enumerating verdicts, though.

--- libnetfilter_queue-0.0.17/src/libnetfilter_queue.original.c	2009-02-17 20:55:23.000000000 +0100
+++ libnetfilter_queue-0.0.17/src/libnetfilter_queue.c	2010-05-10 12:25:33.000000000 +0200
@@ -207,13 +207,22 @@
  * \verbatim
 	fd = nfq_fd(h);
 
-	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
+	while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
 		printf("pkt received\n");
 		nfq_handle_packet(h, buf, rv);
 	}
 \endverbatim
  * When the decision on a packet has been choosed, the verdict has to be given
- * by calling nfq_set_verdict() or nfq_set_verdict_mark().
+ * by calling nfq_set_verdict() or nfq_set_verdict_mark(). The verdict
+ * determines the destiny of the packet as follows:
+ *
+ *   - NF_DROP discarded the packet
+ *   - NF_ACCEPT the packet passes, continue iterations
+ *   - NF_STOLEN gone away
+ *   - NF_QUEUE inject the packet into a different queue
+ *     (the target queue number is in the high 16 bits of the verdict)
+ *   - NF_REPEAT iterate the same cycle once more
+ *   - NF_STOP accept, but don't continue iterations
  *
  * Data and information about the packet can be fetch by using message parsing
  * functions (See \link Parsing \endlink).
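
Review bot: the new loop condition `(rv = recv(fd, buf, sizeof(buf), 0)) >= 0` is not equivalent to the line it replaces. The old test `(rv = recv(...)) && rv >= 0` left the loop when rv was 0, whereas the new one keeps iterating and calls `nfq_handle_packet(h, buf, rv)` with a zero length. If the goal is only to drop the redundant comparison, `> 0` keeps the original behaviour. In the added verdict list, the NF_DROP entry is in the past tense ("discarded the packet") while the other entries use the present, and "gone away" for NF_STOLEN does not tell the reader what happens to the packet or who owns it afterwards; a short sentence per verdict in a consistent tense would read better in the generated documentation.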
