From 3b9f613680cbcf6efe7b5aac7da80c29a614c10b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 14 Mar 2013 12:11:06 +0100
Subject: src: document NFQA_CFG_F_CONNTRACK flag

Suggested by Eric Leblond.

Signed-off-by: Pablo Neira Ayuso
---
 src/libnetfilter_queue.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'src/libnetfilter_queue.c')
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 55180a8..2894ccd 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -630,6 +630,15 @@ int nfq_set_mode(struct nfq_q_handle *qh,
 * \param mask specifies which flag bits to modify
 * \param flag bitmask of flags
 *
+ * Existing flags, that you may want to combine, are:
+ *
+ * - NFQA_CFG_F_FAIL_OPEN (requires Linux kernel >= 3.6): the kernel will
+ * accept the packets if the kernel queue gets full. If this flag is not
+ * set, the default action in this case is to drop packets.
+ *
+ * - NFQA_CFG_F_CONNTRACK (requires Linux kernel >= 3.6): the kernel will
+ * include the Connection Tracking system information.
+ *
 * Here's a little code snippet to show how to use this API:
 * \verbatim
 uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
@@ -642,11 +651,6 @@ int nfq_set_mode(struct nfq_q_handle *qh,
 flags &= ~NFQA_CFG_F_FAIL_OPEN;
 err = nfq_set_queue_flags(qh, mask, flags);
 \endverbatim
- *
- * If NFQA_CFG_F_FAIL_OPEN is used, the kernel will accept instead of
- * drop packets that should have been enqueued to a full queue. This
- * results in the system being able to handle high network load but at
- * the depend of the control of the packets.
 *
 * \return -1 on error with errno set appropriately; =0 otherwise.
 */
--
cgit v1.2.3
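Review bot: The new NFQA_CFG_F_FAIL_OPEN bullet in the first hunk says the kernel accepts packets when the queue is full, but the second hunk deletes the only sentence warning that this gives up control over those packets. For a program that uses the queue to enforce policy, traffic then passes without any userspace verdict while the queue is saturated, so the bullet should keep the caveat, for example ` * Packets accepted this way are never enqueued, so the userspace program applies no verdict to them.` The NFQA_CFG_F_CONNTRACK bullet could also say where the conntrack information appears in the received message, which is not visible in this patch. The doc comment begins above the first hunk and the code sample runs between the two hunks, so both are only partly shown.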