Missing verdicts for Packet() ? XT_CONTINUE XT_RETURN

[jllorente]

I just came across this issue where I wanted to use the NFQUEUE as a way to get the data, print it out but continue the processing, much like LOG target does.

It seems we are missing these 2 verdicts

https://elixir.bootlin.com/linux/v4.9.200/source/include/uapi/linux/netfilter/x_tables.h#L81

/ CONTINUE verdict for targets /

define XT_CONTINUE 0xFFFFFFFF

/ For standard target /

define XT_RETURN (-NF_REPEAT - 1)

[jllorente]

Also, the verdict parameter for these 2 functions is defined as u_int32_t verdict:

• nfq_set_verdict
• nfq_set_verdict2
• See the code here here

while in cdef void verdict is defined as u_int8_t here

[jllorente]

I did some more digging and it seems this is a limitation of the NFQUEUE iptables module itself.

In this function the verdict is evaluated however NF_MAX_VERDICT is defined with value 5: (https://elixir.bootlin.com/linux/latest/source/net/netfilter/nfnetlink_queue.c#L1039)

static struct nfqnl_msg_verdict_hdr*
verdicthdr_get(const struct nlattr * const nfqa[])
{
    struct nfqnl_msg_verdict_hdr *vhdr;
    unsigned int verdict;

    if (!nfqa[NFQA_VERDICT_HDR])
        return NULL;

    vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
    verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
    if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
        return NULL;
    return vhdr;
}