QUEUE target and IPT_CONTINUE verdict?
Tobias DiPasquale
codeslinger at gmail.com
Sun May 15 19:05:34 CEST 2005
On 5/13/05, Laurent Guyon <laurent.guyon at adelux.fr> wrote:
> Just wondering why we can't return an IPT_CONTINUE verdict at the end of the
> QUEUE target?
>
> I understand that the QUEUE target registers on a Netfilter queue_handler
> (that is a special kind of hook), and then it must call nf_reinject in the
> end.
>
> I understand too that the nf_reinject function accepts only NF_ACCEPT,
> NF_DROP ... verdicts, but why? Is it technically impossible to give
> nf_reinject an IPT_CONTINUE verdict and implement the relevant code to
> let packets continue their path in the rules? Or had no one ever thought
> about such a feature?
I believe the reason for this is that, to do this, the kernel would
have to remember where it was in the processing of the rules and thus
save some state with every packet sent to userspace to be used in the
case where the ip_queue handler returned IPT_CONTINUE.
I don't believe that such state is hard to add; it would just waste
space. Feel free to code up a patch and submit it.
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
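As an added illustration (not from this thread and not netfilter code), a small Python model of iptables-style rule traversal: a QUEUE verdict has to record the chain and rule position, and that saved position is exactly the per-packet state a hypothetical CONTINUE on reinject would consume. Chain names, rules and packets are constructed for the example.

```python
# Added model, not netfilter code: rule traversal where QUEUE must save the
# traversal position so a hypothetical CONTINUE on reinject can resume it.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACCEPT, DROP, QUEUE, CONTINUE = "ACCEPT", "DROP", "QUEUE", "CONTINUE"

@dataclass
class Rule:
    match: Callable[[dict], bool]
    verdict: str  # ACCEPT, DROP, QUEUE, or the name of a user chain to jump to

@dataclass
class Queued:
    # Per-packet state the kernel would have to keep: (chain, next rule index)
    # for every chain on the call stack when the QUEUE verdict was reached.
    pkt: dict
    stack: List[Tuple[str, int]]

class Ruleset:
    def __init__(self, chains: Dict[str, List[Rule]], policy: str = DROP):
        self.chains, self.policy = chains, policy

    def traverse(self, pkt: dict, stack: List[Tuple[str, int]]):
        """Walk rules from a saved position; return a final verdict or Queued."""
        while stack:
            chain, i = stack.pop()
            rules = self.chains[chain]
            while i < len(rules):
                rule, i = rules[i], i + 1
                if not rule.match(pkt):
                    continue
                if rule.verdict == QUEUE:
                    return Queued(pkt, stack + [(chain, i)])  # remember position
                if rule.verdict in (ACCEPT, DROP):
                    return rule.verdict
                # Jump to a user chain: push the return point, enter at rule 0.
                stack += [(chain, i), (rule.verdict, 0)]
                break
            # Falling off the end of a chain returns to the calling chain.
        return self.policy  # end of the built-in chain: apply its policy

    def reinject(self, q: Queued, verdict: str):
        """nf_reinject today takes ACCEPT/DROP; CONTINUE would need q.stack."""
        if verdict in (ACCEPT, DROP):
            return verdict
        if verdict == CONTINUE:
            return self.traverse(q.pkt, list(q.stack))
        raise ValueError(f"unsupported verdict {verdict}")
```

Without the saved stack, a CONTINUE verdict could only restart at the first rule, which is not what "continue" means; with it, the packet resumes after the QUEUE rule and still reaches any catch-all rule in the calling chain.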