summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2017-06-21 20:34:19 +0200
committerFlorian Westphal <fw@strlen.de>2017-06-23 11:04:25 +0200
commit63973da8fe3efbe9108eb6f968c81e7c35c70605 (patch)
tree53db4aa163a4914ff0d0fc8507c31af0713681d6
parent003c2b107c185fb818f082c499c77b7188c7d5f7 (diff)
doc: extend the doxygen section about NFQA_CFG_F_GSO
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--src/libnetfilter_queue.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 065d618..1702158 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -657,7 +657,16 @@ EXPORT_SYMBOL(nfq_set_mode);
*
* - NFQA_CFG_F_GSO (requires Linux kernel >= 3.10): the kernel will
* not normalize offload packets, i.e. your application will need to
- * be able to handle packets larger than the mtu (up to 64k).
+ * be able to handle packets larger than the mtu.
+ *
+ * Normalization is expensive, so this flag should always be set.
+ * Because attributes in netlink messages are limited to 65531 bytes,
+ * you also need to check the NFQA_CAP_LEN attribute, it contains the
+ * original size of the captured packet on the kernel side.
+ * If it is set and differs from the payload length, the packet was
+ * truncated. This also happens when limiting capture size
+ * with the NFQNL_COPY_PACKET setting, or when e.g. a local user
+ * sends a very large packet.
*
* If your application validates checksums (e.g., tcp checksum),
* then you must also check if the NFQA_SKB_INFO attribute is present.
@@ -671,6 +680,8 @@ EXPORT_SYMBOL(nfq_set_mode);
\endverbatim
* if this bit is set, the layer 3/4 checksums of the packet appear incorrect,
* but are not (because they will be corrected later by the kernel).
+ * Please see example/nf-queue.c in the libnetfilter_queue source for more
+ * details.
*
* - NFQA_CFG_F_UID_GID: the kernel will dump UID and GID of the socket to
* which each packet belongs.