I have a question about the use of NFQUEUE from userspace. Imagine two firewall rules:

(A): NFQUEUE tcp -- imp x.x.x.x tcp dpt:http NFQUEUE num 0

and

(B): NFQUEUE tcp -- imp x.x.x.x tcp dpt:http NFQUEUE num 1

I am interested in making the callback associated with rule (A)/NFQUEUE 0 remove rule (B) and replace it (using firewalld/dbus in my case) with another, more specific rule. For example, perhaps the callback for NFQUEUE 0 would rewrite rule (B) to include a source port. I am further interested in having this new rule apply to the packet being processed.

Is this type of modification in flight possible? By the time the callback for (A)/NFQUEUE 0 is invoked, the kernel is obviously processing a packet through the rule chain. In my experiments I have not been able to modify the chain such that the kernel continues to push the packet through the modified chain. I assume that if this is possible it requires the proper use of NF_QUEUE, NF_STOLEN, and so on. However, I have not yet come across a clear description of the meaning of these values with respect to libnetfilter.

I can instead get what I want by copying some of the functionality in (B)'s callback to (A)'s callback. However, the two callbacks really do two different things, and further (A) exists only for a short time. For these reasons, I am trying to move the code to something which resembles what I describe above.

Any comments would be helpful.

Thank you,
-- Mike
:wq