Re: [nfqueue] verdict NF_ACCEPT doesn't continue

Eric Leblond wrote, On 2011-11-30 17:09:
Hello


"U.Mutlu" <for-gmane@xxxxxxxxxxx> wrote:

Jan Engelhardt wrote, On 2011-11-30 11:09:
On Wednesday 2011-11-30 09:53, U.Mutlu wrote:

Eric Leblond wrote, On 2011-11-30 09:07:
Hello,

On Wednesday, 30 November 2011 at 08:58 +0100, U.Mutlu wrote:
nfq_set_verdict() or nfq_set_verdict2():
NF_DROP discard the packet
NF_ACCEPT the packet passes, continue iterations

In my callback I pass NF_ACCEPT to let the packet continue its travel
through the subsequent rules (normal iptables rules).

When NF_ACCEPT is issued, the packet is accepted for the current table.
It will then only be checked by rules in other tables.

I need to just inspect the hdrs and then let it continue its usual way.
What is needed to realize this functionality?

Figuring out a way what to do with the packet if the ruleset changes
while the packet is out in userspace for an indefinite time.

Sorry, Jan, I don't get it. Why do you say the ruleset changes? It
doesn't, IMO.

The fact that the ruleset can change is a generic problem that explains the lack of a real return.


I must be missing some important API information, I guess, if even such
a simple thing as reading the payload hdrs is not possible
w/o disturbing the normal flow.

I tried also NF_QUEUE, but the net result is the same as with NF_ACCEPT,
not what I need.
I need a simple "NF_RETURN", but that is undefined...


Looks like you could use a sniffing library like pcap?

For advanced usage of nfq you can have a look at http://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/

BR,


I finally managed to get it working by marking the currently processed pkt and
reinjecting it with NF_REPEAT. This seems to do what I wanted/needed; still testing...
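An added example, not code from anyone in this thread: the mark-and-NF_REPEAT approach described in the last message, written as a pure verdict-decision function over raw packet bytes so it can be unit-tested without a live NFQUEUE socket. It assumes a mark value of 0x1 and an iptables rule of the form `-m mark ! --mark 0x1 -j NFQUEUE`, so that the re-injected, marked packet skips the queue rule and continues down the chain instead of looping back to userspace; the verdict constants are copied from linux/netfilter.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Verdict values as defined in <linux/netfilter.h>. */
#define NF_ACCEPT 1
#define NF_REPEAT 4
/* Assumed mark; must match: iptables -I INPUT -m mark ! --mark 0x1 -j NFQUEUE --queue-num 0 */
#define INSPECTED_MARK 0x1u

struct hdr_summary { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

/* Parse the IPv4 header plus TCP/UDP ports. Returns 0 on success, -1 if truncated. */
int parse_headers(const uint8_t *pkt, size_t len, struct hdr_summary *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return -1;
    memset(out, 0, sizeof *out);
    out->proto = pkt[9];
    memcpy(&out->src, pkt + 12, 4); memcpy(&out->dst, pkt + 16, 4);
    out->src = ntohl(out->src);     out->dst = ntohl(out->dst);
    if ((out->proto == 6 || out->proto == 17) && len >= ihl + 4) {
        out->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        out->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* Decide the verdict for one queued packet. `mark` is the packet's current nfmark
 * (nfq_get_nfmark()); *new_mark is the mark to hand to nfq_set_verdict2(). */
int decide_verdict(const uint8_t *pkt, size_t len, uint32_t mark, uint32_t *new_mark) {
    struct hdr_summary h;
    if (mark & INSPECTED_MARK) {
        /* Already inspected once: the iptables rule should not have queued it
         * again, so accept instead of looping through userspace forever. */
        *new_mark = mark;
        return NF_ACCEPT;
    }
    if (parse_headers(pkt, len, &h) == 0)
        fprintf(stderr, "proto=%u %08x:%u -> %08x:%u\n", h.proto, h.src, h.sport, h.dst, h.dport);
    /* Inspection only: set the mark and re-inject at the start of the hook so the
     * packet continues through the rules after the NFQUEUE rule. Pass this pair to
     * nfq_set_verdict2(qh, id, verdict, *new_mark, 0, NULL) from the nfq callback. */
    *new_mark = mark | INSPECTED_MARK;
    return NF_REPEAT;
}
```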


