Provided by: libnetfilter-queue-doc_1.0.5-4build1_all bug

NAME

       nfq_verd - Verdict helpers

SYNOPSIS

   Functions
       void nfq_nlmsg_verdict_put (struct nlmsghdr *nlh, int id, int verdict)
       void nfq_nlmsg_verdict_put_mark (struct nlmsghdr *nlh, uint32_t mark)
       void nfq_nlmsg_verdict_put_pkt (struct nlmsghdr *nlh, const void *pkt, uint32_t plen)

Detailed Description

Function Documentation

   void nfq_nlmsg_verdict_put (struct nlmsghdr * nlh, int id, int verdict)
       nfq_nlmsg_verdict_put - Put a verdict into a Netlink message

       Parameters
           nlh Pointer to netlink message
           id ID assigned to packet by netfilter
           verdict verdict to return to netfilter (see Verdicts below)

       Verdicts
           NF_DROP Drop the packet. This is final.
            NF_ACCEPT Accept the packet. Processing of the current base chain and any called
           chains terminates, but the packet may still be processed by subsequently invoked base
           chains.
            NF_STOP Like NF_ACCEPT, but skip any further base chains using the current hook.
            NF_REPEAT Like NF_ACCEPT, but re-queue this packet to the current base chain. One way
           to prevent a re-queueing loop is to also set a packet mark using
           nfq_nlmsg_verdict_put_mark() and have the program test for this mark in
           attr[NFQA_MARK]; or have the nefilter rules do this test.
            NF_QUEUE_NR(new_queue) Like NF_ACCEPT, but queue this packet to queue number
           new_queue. As with the command-line queue num verdict, if no process is listening to
           that queue then the packet is discarded; but again like with the command-line, one may
           OR in a flag to bypass new_queue if there is no listener, as in this snippet:

                  nfq_nlmsg_verdict_put(nlh, id, NF_QUEUE_NR(new_queue) |
                          NF_VERDICT_FLAG_QUEUE_BYPASS);

       See examples/nf-queue.c, line 46 for an example of how to use this function in context.
       The calling sequence is main --> mnl_cb_run --> queue_cb --> nfq_send_verdict -->
       nfq_nlmsg_verdict_put (cb being short for callback).

       Definition at line 72 of file nlmsg.c.

   void nfq_nlmsg_verdict_put_mark (struct nlmsghdr * nlh, uint32_t mark)
       nfq_nlmsg_verdict_put_mark - Put a packet mark into a netlink message

       Parameters
           nlh Pointer to netlink message
           mark Value of mark to put

       The mark becomes part of the packet's metadata, and may be tested by the nft primary
       expression meta mark

       See also
           nft(1)

       Definition at line 91 of file nlmsg.c.

   void nfq_nlmsg_verdict_put_pkt (struct nlmsghdr * nlh, const void * pkt, uint32_t plen)
       nfq_nlmsg_verdict_put_pkt - Put replacement packet content into a netlink message

       Parameters
           nlh Pointer to netlink message
           pkt Pointer to start of modified IP datagram
           plen Length of modified IP datagram

       There is only ever a need to return packet content if it has been modified. Usually one of
       the nfq_*_mangle_* functions does the modifying.

       This code snippet uses nfq_udp_mangle_ipv4. See nf-queue.c for context:

       // main calls queue_cb (line 64) to process an enqueued packet:
               // Extra variables
               uint8_t *payload, *rep_data;
               unsigned int match_offset, match_len, rep_len;

               // The next line was commented-out (with payload void*)
               payload = mnl_attr_get_payload(attr[NFQA_PAYLOAD]);
               // Copy data to a packet buffer (allow 255 bytes for mangling).
               pktb = pktb_alloc(AF_INET, payload, plen, 255);
               // (decide that this packet needs mangling)
               nfq_udp_mangle_ipv4(pktb, match_offset, match_len, rep_data, rep_len);
               // nfq_udp_mangle_ipv4 updates packet length, no need to track locally

               // Eventually nfq_send_verdict (line 39) gets called
               // The received packet may or may not have been modified.
               // Add this code before nfq_nlmsg_verdict_put call:
               if (pktb_mangled(pktb))
                       nfq_nlmsg_verdict_put_pkt(nlh, pktb_data(pktb), pktb_len(pktb));

       Definition at line 130 of file nlmsg.c.

Author

       Generated automatically by Doxygen for libnetfilter_queue from the source code.