author Florian Westphal <fw@strlen.de> 2011-09-06 13:48:25 +0200
committer Pablo Neira Ayuso <pablo@gnumonks.org> 2011-09-06 13:48:25 +0200
commit 4b3d0a4763b440ef748d537d86f0869d09544ab2 (patch)
tree 221310ec15b98e8191011a3ff6dad504a78765ca /src
parent 1154021c599257edf2c3dcb4d29f6b4dcb67643a (diff)
src: add notes on NF_STOLEN and NF_REPEAT to documentation
The verdict NF_STOLEN must not be used. When using NF_REPEAT, one way to prevent re-queueing of the same packet is to also set an nfmark using nfq_set_verdict2, and set up the netfilter rules to only queue a packet when the mark is not (yet) set.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
Diffstat (limited to 'src')
-rw-r--r-- src/libnetfilter_queue.c 7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 358e9b1..d57a523 100644
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -244,12 +244,17 @@ struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
*
* - NF_DROP discarded the packet
* - NF_ACCEPT the packet passes, continue iterations
- * - NF_STOLEN gone away
* - NF_QUEUE inject the packet into a different queue
* (the target queue number is in the high 16 bits of the verdict)
* - NF_REPEAT iterate the same cycle once more
* - NF_STOP accept, but don't continue iterations
*
+ * The verdict NF_STOLEN must not be used, as it has special meaning in the
+ * kernel.
+ * When using NF_REPEAT, one way to prevent re-queueing of the same packet
+ * is to also set an nfmark using nfq_set_verdict2, and set up the nefilter
+ * rules to only queue a packet when the mark is not (yet) set.
+ *
* Data and information about the packet can be fetch by using message parsing
* functions (See \link Parsing \endlink).
* @{
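Review bot: the added comment misspells netfilter as "nefilter" in the line "is to also set an nfmark using nfq_set_verdict2, and set up the nefilter", and since this block is Doxygen input the typo will end up in the generated documentation; please correct it. In the same paragraph, writing the function as nfq_set_verdict2() would let Doxygen link it to its own entry, which is where a reader will look for the mark argument. The NF_STOLEN sentence states only that the verdict "has special meaning in the kernel"; one more clause saying what a caller should expect if it passes that verdict would make the prohibition easier to act on than the removed list entry ("gone away") was. Minor, and outside the changed lines: the context line "can be fetch by using message parsing" should read "fetched" if this comment is being touched anyway.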