[Oisf-devel] [PATCH 0/2, RFC] Simulating a non-terminal NFQUEUE

Eric Leblond eric at regit.org
Sun Jan 16 16:18:36 UTC 2011


This patchset contains only two patches. The first one fixes a remaining TODO
and the next one does the main work. The idea of this patchset is to provide
a convenient way to send all packets going through a gateway to NFQUEUE.

NFQUEUE is a terminal target and thus choosing the position of the rule is
not easy.

This patch brings another solution by modifying the way Suricata issues an
accept verdict. In nfq.repeat_mode, Suricata issues an NF_REPEAT verdict
instead of an NF_ACCEPT verdict and puts a mark ($MARK) with respect to a
mask ($MASK) on the handled packet.

The NF_REPEAT verdict has the effect of reinjecting the packet at the start
of the hook after the verdict. As it has been marked by Suricata during the
verdict, it will not rematch the initial rule and makes its way through the
following classical ruleset.

Thus, the rule needed to have Suricata intercept packets is the following,
if we assume mark and mask are both set to 1:
	-A FORWARD ! -i lo -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:1

If you are interested in a more detailed discussion of this point, I've tried to
explain some possibilities on my blog: http://home.regit.org/?p=417
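The following is an added example, not code from the patchset, Suricata or netfilter: a small Python model of the FORWARD hook that shows why the NF_REPEAT plus mark/mask trick described above lets a packet pass the NFQUEUE rule exactly once and then reach the rest of the ruleset, and what happens when the mark Suricata sets does not match the bits the iptables rule tests. The chain, the `Packet`/`Rule` types, the `run_forward` scenario and the `MAX_PASSES` guard are constructed for the illustration (the real kernel has no such guard); the mark semantics follow `-m mark --mark value/mask`, which compares only the bits set in the mask.

```python
# Added illustration of the NF_REPEAT + mark/mask scheme; not Suricata/netfilter code.
from dataclasses import dataclass
from typing import Callable, List, Tuple

NF_ACCEPT = "NF_ACCEPT"
NF_REPEAT = "NF_REPEAT"
MAX_PASSES = 8  # guard for this model only: the kernel will not stop a NF_REPEAT loop


@dataclass
class Packet:
    iface: str          # input interface, for the "! -i lo" part of the rule
    mark: int = 0       # skb->mark
    passes: int = 0     # how often the packet entered the FORWARD hook
    queued: int = 0     # how often it reached the NFQUEUE rule


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str         # "NFQUEUE" or "ACCEPT"


def mark_matches(pkt_mark: int, value: int, mask: int, negate: bool = False) -> bool:
    """-m mark [!] --mark value/mask: only the bits set in mask are compared."""
    hit = (pkt_mark & mask) == (value & mask)
    return not hit if negate else hit


def nfqueue_rule(value: int, mask: int) -> Rule:
    """Model of: -A FORWARD ! -i lo -m mark ! --mark value/mask -j NFQUEUE"""
    return Rule(
        match=lambda p: p.iface != "lo" and mark_matches(p.mark, value, mask, negate=True),
        target="NFQUEUE",
    )


def suricata_verdict(pkt: Packet, repeat_mode: bool, mark: int, mask: int) -> str:
    """Verdict for a packet the IDS has decided to let through.

    In repeat mode only the bits covered by mask are rewritten, so marks set by
    other rules (e.g. routing marks restored from CONNMARK) survive the round trip.
    """
    if not repeat_mode:
        return NF_ACCEPT
    pkt.mark = (pkt.mark & ~mask) | (mark & mask)
    return NF_REPEAT


def traverse_forward(pkt: Packet, chain: List[Rule], repeat_mode: bool, mark: int, mask: int) -> str:
    """Walk the FORWARD chain. NF_REPEAT re-enters the hook at its first rule;
    NF_ACCEPT from the queue is terminal and skips the rest of the chain."""
    while True:
        pkt.passes += 1
        if pkt.passes > MAX_PASSES:
            return "looped past MAX_PASSES"
        for rule in chain:
            if not rule.match(pkt):
                continue
            if rule.target == "NFQUEUE":
                pkt.queued += 1
                if suricata_verdict(pkt, repeat_mode, mark, mask) == NF_REPEAT:
                    break           # back to the top of the hook
                return "accepted by NFQUEUE"
            if rule.target == "ACCEPT":
                return "accepted by later rule"
        else:
            return "chain policy"


def run_forward(iface: str, initial_mark: int, repeat_mode: bool, mark: int, mask: int) -> Tuple[str, int, int, int]:
    """Constructed scenario: the NFQUEUE rule with mark/mask 0x1/0x1 followed by a
    catch-all ACCEPT standing in for the 'classical ruleset'.
    Returns (outcome, hook passes, times queued, final mark)."""
    chain = [nfqueue_rule(0x1, 0x1), Rule(match=lambda p: True, target="ACCEPT")]
    pkt = Packet(iface=iface, mark=initial_mark)
    outcome = traverse_forward(pkt, chain, repeat_mode, mark, mask)
    return outcome, pkt.passes, pkt.queued, pkt.mark


if __name__ == "__main__":
    print("repeat mode   :", run_forward("eth0", 0, True, 1, 1))
    print("accept mode   :", run_forward("eth0", 0, False, 1, 1))
    print("mark preserved:", run_forward("eth0", 0x100, True, 1, 1))
    print("wrong bit     :", run_forward("eth0", 0, True, 2, 2))
```

The two failure modes worth checking before enabling repeat mode on a real gateway are the ones the model makes visible: with a plain NF_ACCEPT the catch-all rule is never reached because NFQUEUE is terminal, and if the mark/mask Suricata writes does not cover the bit the iptables rule tests (here mark 2 against a rule on 0x1/0x1), the packet is re-queued on every pass and never leaves the hook.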

