On Wednesday 2011-11-30 16:48, U.Mutlu wrote:
> Jan Engelhardt wrote, On 2011-11-30 11:09:
>> On Wednesday 2011-11-30 09:53, U.Mutlu wrote:
>>
>>> Eric Leblond wrote, On 2011-11-30 09:07:
>>>> Hello,
>>>>
>>>> On Wednesday 30 November 2011 at 08:58 +0100, U.Mutlu wrote:
>>>>> nfq_set_verdict() or nfq_set_verdict2():
>>>>> NF_DROP discard the packet
>>>>> NF_ACCEPT the packet passes, continue iterations
>>>>>
>>>>> In my callback I pass NF_ACCEPT to let the packet continue its travel
>>>>> through the subsequent rules (normal iptables rules).
>>>>
>>>> When NF_ACCEPT is issued, the packet is accepted for the current table.
>>>> It will then only be checked by rules in other tables.
>>>
>>> I need to just inspect the hdrs and then let it continue its usual way.
>>> What is needed to realize this functionality?
>>
>> Figuring out what to do with the packet if the ruleset changes
>> while the packet is out in userspace for an indefinite time.
>
> Sorry, Jan, I don't get it. Why do you say the ruleset changes? It
> doesn't, IMO.

But it _could_ change while the packet is away. And that is the case you
have to protect against, somehow.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
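A sketch of the inspect-only NFQUEUE callback the thread is about, added here as an example and not code from any of the posters: the header inspection is a pure function that can be exercised offline on a constructed IPv4 header, and the libnetfilter_queue glue that hands the packet back with nfq_set_verdict() sits behind an assumed HAVE_LIBNETFILTER_QUEUE build flag. As Eric points out, NF_ACCEPT only ends traversal of the table holding the NFQUEUE rule, so where that rule sits decides what "continue" means.

```c
#include <stdint.h>
#include <string.h>
#ifndef NF_ACCEPT            /* verdict values live in <linux/netfilter.h> */
#define NF_ACCEPT 1
#endif
struct hdr_summary { uint8_t proto; uint32_t src, dst; }; /* network order */

/* Pure part of an inspect-only callback: read the IPv4 header into *out
 * (ok = 1 when parseable) and return the verdict. As in the thread the
 * verdict is always NF_ACCEPT; the policy decision stays with iptables. */
static uint32_t inspect_ipv4(const uint8_t *pkt, size_t len,
                             struct hdr_summary *out, int *ok)
{
    memset(out, 0, sizeof *out);
    *ok = 0;
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) < 5)
        return NF_ACCEPT;              /* not IPv4 or truncated: still pass */
    out->proto = pkt[9];
    memcpy(&out->src, pkt + 12, 4);
    memcpy(&out->dst, pkt + 16, 4);
    *ok = 1;
    return NF_ACCEPT;
}

/* Constructed sample: minimal IPv4/TCP header 10.0.0.1 -> 10.0.0.2.
 * Returns the parsed protocol (6 = TCP) or -1 if parsing failed. */
int sample_proto(void)
{
    static const uint8_t pkt[20] = {0x45,0,0,20,0,0,0x40,0,64,6,0,0,10,0,0,1,10,0,0,2};
    struct hdr_summary h; int ok;
    return inspect_ipv4(pkt, sizeof pkt, &h, &ok) == NF_ACCEPT && ok ? h.proto : -1;
}

/* Truncated input must still go back to the kernel: 1 if NF_ACCEPT and !ok. */
int truncated_passes(void)
{
    static const uint8_t pkt[4] = {0x45, 0, 0, 4};
    struct hdr_summary h; int ok;
    return inspect_ipv4(pkt, sizeof pkt, &h, &ok) == NF_ACCEPT && !ok;
}

#ifdef HAVE_LIBNETFILTER_QUEUE   /* real glue; build with -lnetfilter_queue */
#include <arpa/inet.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *m, struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    unsigned char *p; int n = nfq_get_payload(nfa, &p);
    struct hdr_summary h; int ok;
    uint32_t v = inspect_ipv4(p, n < 0 ? 0 : (size_t)n, &h, &ok);
    return nfq_set_verdict(qh, ph ? ntohl(ph->packet_id) : 0, v, 0, NULL);
}
#endif
```

Register cb() with nfq_create_queue() and the packet is returned to the kernel with NF_ACCEPT after inspection; Jan's caveat still applies, since the ruleset may have changed during the round trip to userspace.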