From 4b3d0a4763b440ef748d537d86f0869d09544ab2 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 6 Sep 2011 13:48:25 +0200 Subject: src: add notes on NF_STOLEN and NF_REPEAT to documentation The verdict NF_STOLEN must not be used. When using NF_REPEAT, one way to prevent re-queueing of the same packet is to also set an nfmark using nfq_set_verdict2, and set up the nefilter rules to only queue a packet when the mark is not (yet) set. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- src/libnetfilter_queue.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c index 358e9b1..d57a523 100644 --- a/src/libnetfilter_queue.c +++ b/src/libnetfilter_queue.c @@ -244,12 +244,17 @@ struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h) * * - NF_DROP discarded the packet * - NF_ACCEPT the packet passes, continue iterations - * - NF_STOLEN gone away * - NF_QUEUE inject the packet into a different queue * (the target queue number is in the high 16 bits of the verdict) * - NF_REPEAT iterate the same cycle once more * - NF_STOP accept, but don't continue iterations * + * The verdict NF_STOLEN must not be used, as it has special meaning in the + * kernel. + * When using NF_REPEAT, one way to prevent re-queueing of the same packet + * is to also set an nfmark using nfq_set_verdict2, and set up the nefilter + * rules to only queue a packet when the mark is not (yet) set. + * * Data and information about the packet can be fetch by using message parsing * functions (See \link Parsing \endlink). * @{ -- cgit v1.2.3
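Review bot: the added comment block has a typo, "nefilter" in the line "+ * is to also set an nfmark using nfq_set_verdict2, and set up the nefilter" should read "netfilter" (the commit message carries the same typo and should be corrected as well). While touching this paragraph, consider stating the NF_REPEAT guidance more precisely: the packet re-enters the same hook iteration, so unless the queueing rule excludes already-marked packets (matching on the mark set via nfq_set_verdict2), the packet will be delivered to the queue again; spelling that out makes it clear that the mark itself does nothing without the corresponding rule. Also, since nfq_set_verdict2 is a documented function in this file, a doxygen reference to it (in the style of the existing "\link Parsing \endlink") would help readers find the right call.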