Closed jllorente closed 3 years ago
I did some more digging and it seems this is a limitation of the NFQUEUE iptables module itself.
In this function the verdict is evaluated; however, NF_MAX_VERDICT is defined with value 5: (https://elixir.bootlin.com/linux/latest/source/net/netfilter/nfnetlink_queue.c#L1039)
```c
static struct nfqnl_msg_verdict_hdr *
verdicthdr_get(const struct nlattr * const nfqa[])
{
	struct nfqnl_msg_verdict_hdr *vhdr;
	unsigned int verdict;

	if (!nfqa[NFQA_VERDICT_HDR])
		return NULL;

	vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
	verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
	if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
		return NULL;
	return vhdr;
}
```
I just came across this issue where I wanted to use the NFQUEUE as a way to get the data, print it out, but continue the processing, much like the LOG target does.
It seems we are missing these 2 verdicts:
https://elixir.bootlin.com/linux/v4.9.200/source/include/uapi/linux/netfilter/x_tables.h#L81
```c
/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF

/* For standard target */
#define XT_RETURN (-NF_REPEAT - 1)
```
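To make the limitation concrete, here is an added example (not from the issue thread or the kernel) that models the `verdicthdr_get()` check in user space and runs the candidate verdicts through it. The constant values are copied from the kernel uapi headers; `nfq_verdict_accepted()` and `nfq_masked_verdict()` are names chosen for this example.

```c
/* Added example: user-space model of the verdicthdr_get() check shown above.
 * It shows why XT_CONTINUE and XT_RETURN can never be returned from an
 * NFQUEUE handler: after masking they exceed NF_MAX_VERDICT. */
#include <stdint.h>
#include <stdio.h>

/* Values as in include/uapi/linux/netfilter.h */
#define NF_DROP         0
#define NF_ACCEPT       1
#define NF_STOLEN       2
#define NF_QUEUE        3
#define NF_REPEAT       4
#define NF_STOP         5
#define NF_MAX_VERDICT  NF_STOP
#define NF_VERDICT_MASK 0x000000ff

/* Values as in include/uapi/linux/netfilter/x_tables.h */
#define XT_CONTINUE 0xFFFFFFFF
#define XT_RETURN   (-NF_REPEAT - 1)

/* The low byte the kernel actually compares (queue number lives above it). */
static unsigned int nfq_masked_verdict(uint32_t raw_verdict)
{
    return raw_verdict & NF_VERDICT_MASK;
}

/* 1 if nfnetlink_queue would accept this verdict, 0 if it returns NULL. */
static int nfq_verdict_accepted(uint32_t raw_verdict)
{
    unsigned int verdict = nfq_masked_verdict(raw_verdict);
    if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
        return 0;
    return 1;
}

int main(void)
{
    struct { const char *name; uint32_t raw; } cases[] = {
        { "NF_ACCEPT",   NF_ACCEPT },
        { "NF_DROP",     NF_DROP },
        { "NF_STOLEN",   NF_STOLEN },
        { "NF_REPEAT",   NF_REPEAT },
        { "NF_QUEUE|q7", (uint32_t)NF_QUEUE | (7u << 16) }, /* queue 7 */
        { "XT_CONTINUE", XT_CONTINUE },
        { "XT_RETURN",   (uint32_t)XT_RETURN },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s raw=0x%08x masked=%3u -> %s\n", cases[i].name,
               cases[i].raw, nfq_masked_verdict(cases[i].raw),
               nfq_verdict_accepted(cases[i].raw) ? "accepted" : "rejected");
    return 0;
}
```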