authorDuncan Roe <duncan_roe@optusnet.com.au>2019-12-09 11:05:06 +1100
committerPablo Neira Ayuso <pablo@netfilter.org>2019-12-09 22:15:09 +0100
commitba386c9006ab420d82bd66404654f983f3aa30e6 (patch)
tree1ad56a0129976c4478689e939c57540f74f23f3a /src/nlmsg.c
parent3223e4e26f21e94fb9f2304cce0b4115939669ec (diff)
src: doc: Fully document available verdicts
Updated: src/nlmsg.c - Document NF_DROP, NF_ACCEPT, NF_STOP, NF_REPEAT and NF_QUEUE_NR(new_queue). - Make line number of examples/nf-queue.c into a hyperlink. - Add hint that "cb" in function names is short for "callback". Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/nlmsg.c')
-rw-r--r--src/nlmsg.c32
1 files changed, 30 insertions, 2 deletions
diff --git a/src/nlmsg.c b/src/nlmsg.c
index c950110..cbf49a6 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -34,11 +34,39 @@
* nfq_nlmsg_verdict_put - Put a verdict into a Netlink message
* \param nlh Pointer to netlink message
* \param id ID assigned to packet by netfilter
- * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
+ * \param verdict verdict to return to netfilter (see \b Verdicts below)
+ * \par Verdicts
+ * __NF_DROP__ Drop the packet. This is final.
+ * \n
+ * __NF_ACCEPT__ Accept the packet. Processing of the current base chain
+ * and any called chains terminates,
+ * but the packet may still be processed by subsequently invoked base chains.
+ * \n
+ * __NF_STOP__ Like __NF_ACCEPT__, but skip any further base chains using the
+ * current hook.
+ * \n
+ * __NF_REPEAT__ Like __NF_ACCEPT__, but re-queue this packet to the
+ * current base chain. One way to prevent a re-queueing loop is to
+ * also set a packet mark using nfq_nlmsg_verdict_put_mark() and have the
+ * program test for this mark in \c attr[NFQA_MARK]; or have the nefilter rules
+ * do this test.
+ * \n
+ * __NF_QUEUE_NR__(*new_queue*) Like __NF_ACCEPT__, but queue this packet to
+ * queue number *new_queue*. As with the command-line \b queue \b num verdict,
+ * if no process is listening to that queue then the packet is discarded; but
+ * again like with the command-line, one may OR in a flag to bypass *new_queue*
+ * if there is no listener, as in this snippet:
+ * \verbatim
+ nfq_nlmsg_verdict_put(nlh, id, NF_QUEUE_NR(new_queue) |
+ NF_VERDICT_FLAG_QUEUE_BYPASS);
+\endverbatim
*
- * See examples/nf-queue.c, line 46 for an example of how to use this function.
+ * See examples/nf-queue.c, line
+ * <a class="el" href="nf-queue_8c_source.html#l00046">46</a>
+ * for an example of how to use this function in context.
* The calling sequence is \b main --> \b mnl_cb_run --> \b queue_cb -->
* \b nfq_send_verdict --> \b nfq_nlmsg_verdict_put
+ * (\b cb being short for \b callback).
*/
EXPORT_SYMBOL
void nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict)
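Review bot: The new __NF_QUEUE_NR__ paragraph says the bypass flag lets the packet "bypass *new_queue* if there is no listener", but it never says what then happens to the packet. With NF_VERDICT_FLAG_QUEUE_BYPASS the kernel treats the missing listener as an accept and the packet carries on through the ruleset, so a filtering program that crashes or has not started yet fails open. I would add a line after the snippet such as ` * \note With the bypass flag and no listener the packet is not dropped but continues as if accepted; omit the flag when the queue must fail closed.` Separately, the __NF_REPEAT__ paragraph misspells the project name in "have the nefilter rules do this test"; it should read `netfilter`. The hard-coded anchor `nf-queue_8c_source.html#l00046` will also go stale whenever examples/nf-queue.c is edited. The function body itself lies outside this hunk.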