Hi,

On Mon, 2017-03-13 at 21:18 -0400, W. Michael Petullo wrote:
> I have a question about the use of NFQUEUE from userspace.
>
> Imagine two firewall rules:
>
> (A): NFQUEUE tcp -- imp x.x.x.x tcp dpt:http NFQUEUE num 0
>
> and
>
> (B): NFQUEUE tcp -- imp x.x.x.x tcp dpt:http NFQUEUE num 1
>
> I am interested in making the callback associated with rule (A)/NFQUEUE 0
> remove rule (B) and replace it (using firewalld/dbus in my case)
> with another, more specific rule. For example, perhaps the callback for
> NFQUEUE 0 would rewrite rule (B) to include a source port. I am further
> interested in having this new rule apply to the packet being processed.

I don't think you can do this.

What you could do is push a packet mark at verdict time on rule A. With a
filter on mark on rule B, it will only match when rule A wants it to match.

BR,
--
Eric Leblond <eric@xxxxxxxxx>
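The rule layout Eric describes, as an added example that is not part of the thread: rule A queues the packet to queue 0, and rule B only queues to queue 1 when the packet carries the mark that the queue-0 handler attached at verdict time. The address, port and mark value are constructed placeholders; the userspace handler that sets the mark (with libnetfilter_queue this is the mark argument of nfq_set_verdict2()) is outside this script. The script prints the rules by default, applies them only with --apply, and includes a check that flags any queue-1 rule that lacks the mark gate.

```shell
#!/bin/sh
# Added example (not from the thread). Mark-gated NFQUEUE rule pair:
# rule A (queue 0) runs first; after the verdict the packet continues at
# the next rule carrying the mark the handler set, so rule B (queue 1)
# is reached only for packets the queue-0 handler chose to mark.

HOST="${HOST:-192.0.2.10}"       # constructed placeholder for x.x.x.x
PORT="${PORT:-80}"               # dpt:http
GATE_MARK="${GATE_MARK:-0x1}"    # assumed mark value set by the queue-0 handler

# Emit the two rules in the order they must appear in the chain (A before B).
gate_rules() {
    printf '%s\n' \
      "iptables -A INPUT -p tcp -d $HOST --dport $PORT -j NFQUEUE --queue-num 0" \
      "iptables -A INPUT -p tcp -d $HOST --dport $PORT -m mark --mark $GATE_MARK -j NFQUEUE --queue-num 1"
}

# Check a rule listing (one rule per line, e.g. the output of `iptables -S INPUT`)
# for the gating invariant: every rule that queues to queue 1 must carry a
# mark match, otherwise queue 1 fires for packets the handler never approved.
# Prints the offending rules on stderr and returns 1 if any are found.
check_listing() {
    bad=$(printf '%s\n' "$1" | grep -- '--queue-num 1' | grep -v -- '-m mark') || true
    [ -z "$bad" ] && return 0
    printf 'ungated queue-1 rule: %s\n' "$bad" >&2
    return 1
}

case "${1:-}" in
  --apply) gate_rules | sh -e ;;   # needs root and iptables on the host
  *)       gate_rules ;;           # dry run: just print the rules
esac
```

Run it without arguments to review the rules, then with --apply as root. Feeding `iptables -S INPUT` into check_listing is a cheap way to confirm that no later edit (for example one made through firewalld) left a queue-1 rule without its mark match.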