Verdict helpers

Functions
void	nfq_nlmsg_verdict_put (struct nlmsghdr *nlh, int id, int verdict)
void	nfq_nlmsg_verdict_put_mark (struct nlmsghdr *nlh, uint32_t mark)
void	nfq_nlmsg_verdict_put_pkt (struct nlmsghdr *nlh, const void *pkt, uint32_t plen)

Detailed Description

Function Documentation

nfq_nlmsg_verdict_put()

void nfq_nlmsg_verdict_put	(	struct nlmsghdr *	nlh,
		int	id,
		int	verdict
	)

nfq_nlmsg_verdict_put - Put a verdict into a Netlink message

Parameters

nlh	Pointer to netlink message
id	ID assigned to packet by netfilter
verdict	verdict to return to netfilter (see Verdicts below)

Verdicts

NF_DROP Drop the packet. This is final.
NF_ACCEPT Accept the packet. Processing of the current base chain and any called chains terminates, but the packet may still be processed by subsequently invoked base chains.
NF_STOP Like NF_ACCEPT, but skip any further base chains using the current hook.
NF_REPEAT Like NF_ACCEPT, but re-queue this packet to the current base chain. One way to prevent a re-queueing loop is to also set a packet mark using nfq_nlmsg_verdict_put_mark() and have the program test for this mark in attr[NFQA_MARK]; or have the nefilter rules do this test.
NF_QUEUE_NR(new_queue) Like NF_ACCEPT, but queue this packet to queue number new_queue. As with the command-line queue num verdict, if no process is listening to that queue then the packet is discarded; but again like with the command-line, one may OR in a flag to bypass new_queue if there is no listener, as in this snippet:

       nfq_nlmsg_verdict_put(nlh, id, NF_QUEUE_NR(new_queue) |
               NF_VERDICT_FLAG_QUEUE_BYPASS);

See examples/nf-queue.c, line 46 for an example of how to use this function in context. The calling sequence is main –> mnl_cb_run –> queue_cb –> nfq_send_verdict –> nfq_nlmsg_verdict_put (cb being short for callback).

Definition at line 72 of file nlmsg.c.

nfq_nlmsg_verdict_put_mark()

void nfq_nlmsg_verdict_put_mark	(	struct nlmsghdr *	nlh,
		uint32_t	mark
	)

nfq_nlmsg_verdict_put_mark - Put a packet mark into a netlink message

Parameters

nlh	Pointer to netlink message
mark	Value of mark to put

The mark becomes part of the packet's metadata, and may be tested by the nft primary expression meta mark

See also

nft(1)

Definition at line 91 of file nlmsg.c.

nfq_nlmsg_verdict_put_pkt()

void nfq_nlmsg_verdict_put_pkt	(	struct nlmsghdr *	nlh,
		const void *	pkt,
		uint32_t	plen
	)

nfq_nlmsg_verdict_put_pkt - Put replacement packet content into a netlink message

Parameters

nlh	Pointer to netlink message
pkt	Pointer to start of modified IP datagram
plen	Length of modified IP datagram

There is only ever a need to return packet content if it has been modified. Usually one of the nfq_*_mangle_* functions does the modifying.

This code snippet uses nfq_udp_mangle_ipv4. See nf-queue.c for context:

// main calls queue_cb (line 64) to process an enqueued packet:
        // Extra variables
        uint8_t *payload, *rep_data;
        unsigned int match_offset, match_len, rep_len;

        // The next line was commented-out (with payload void*)
        payload = mnl_attr_get_payload(attr[NFQA_PAYLOAD]);
        // Copy data to a packet buffer (allow 255 bytes for mangling).
        pktb = pktb_alloc(AF_INET, payload, plen, 255);
        // (decide that this packet needs mangling)
        nfq_udp_mangle_ipv4(pktb, match_offset, match_len, rep_data, rep_len);
        // nfq_udp_mangle_ipv4 updates packet length, no need to track locally

        // Eventually nfq_send_verdict (line 39) gets called
        // The received packet may or may not have been modified.
        // Add this code before nfq_nlmsg_verdict_put call:
        if (pktb_mangled(pktb))
                nfq_nlmsg_verdict_put_pkt(nlh, pktb_data(pktb), pktb_len(pktb));

Definition at line 130 of file nlmsg.c.