oremanj/python-netfilterqueue

Missing verdicts for Packet() ? XT_CONTINUE XT_RETURN

jllorente opened this issue · 2 comments

I just came across this issue where I wanted to use the NFQUEUE as a way to get the data, print it out but continue the processing, much like the LOG target does.

It seems we are missing these 2 verdicts:

https://elixir.bootlin.com/linux/v4.9.200/source/include/uapi/linux/netfilter/x_tables.h#L81

/* CONTINUE verdict for targets */
#define XT_CONTINUE 0xFFFFFFFF

/* For standard target */
#define XT_RETURN (-NF_REPEAT - 1)

Also, the verdict parameter for these 2 functions is defined as u_int32_t verdict:

  • nfq_set_verdict
  • nfq_set_verdict2
  • See the code here

while in cdef void verdict it is defined as u_int8_t here.

I did some more digging and it seems this is a limitation of the NFQUEUE iptables module itself.

In this function the verdict is evaluated; however, NF_MAX_VERDICT is defined with value 5: (https://elixir.bootlin.com/linux/latest/source/net/netfilter/nfnetlink_queue.c#L1039)

static struct nfqnl_msg_verdict_hdr*
verdicthdr_get(const struct nlattr * const nfqa[])
{
	struct nfqnl_msg_verdict_hdr *vhdr;
	unsigned int verdict;

	if (!nfqa[NFQA_VERDICT_HDR])
		return NULL;

	vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
	verdict = ntohl(vhdr->verdict) & NF_VERDICT_MASK;
	if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
		return NULL;
	return vhdr;
}
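As an added, stand-alone illustration (not code from python-netfilterqueue or from the kernel), the following C program mirrors the check in verdicthdr_get() quoted above and feeds it the verdict values named in this issue. The netfilter constants are copied from the kernel's uapi headers (include/uapi/linux/netfilter.h and x_tables.h); the helper names (verdict_is_usable, make_verdict_hdr) and the byte-swapping helpers are this example's own. It shows why XT_CONTINUE and XT_RETURN can never be accepted over the NFQUEUE netlink socket: once masked with NF_VERDICT_MASK, 0xFFFFFFFF becomes 255 and (-NF_REPEAT - 1) becomes 251, both above NF_MAX_VERDICT, and the kernel returns NULL from verdicthdr_get(). It also shows that the 8-bit truncation in the Cython cdef cannot turn a rejected verdict into an accepted one, since the kernel only ever looks at the low byte for this check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Verdict constants, copied from include/uapi/linux/netfilter.h. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_QUEUE         3
#define NF_REPEAT        4
#define NF_STOP          5   /* deprecated, but still NF_MAX_VERDICT */
#define NF_MAX_VERDICT   NF_STOP
#define NF_VERDICT_MASK  0x000000ff

/* Target-only verdicts, copied from include/uapi/linux/netfilter/x_tables.h. */
#define XT_CONTINUE 0xFFFFFFFF
#define XT_RETURN   (-NF_REPEAT - 1)

/* Same layout as the kernel's nfqnl_msg_verdict_hdr: both fields in network byte order. */
struct nfqnl_msg_verdict_hdr {
    uint32_t verdict;
    uint32_t id;
};

/* Host <-> big-endian helpers (example's own; stand-ins for htonl/ntohl so the
 * program does not depend on <arpa/inet.h>). */
static uint32_t to_be32(uint32_t v) {
    const uint8_t b[4] = { v >> 24, v >> 16, v >> 8, v };
    uint32_t out;
    for (int i = 0; i < 4; i++) ((uint8_t *)&out)[i] = b[i];
    return out;
}
static uint32_t from_be32(uint32_t v) {
    const uint8_t *b = (const uint8_t *)&v;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* What libnetfilter_queue's nfq_set_verdict() puts on the wire (example's reconstruction). */
static struct nfqnl_msg_verdict_hdr make_verdict_hdr(uint32_t verdict, uint32_t packet_id) {
    struct nfqnl_msg_verdict_hdr h;
    h.verdict = to_be32(verdict);
    h.id = to_be32(packet_id);
    return h;
}

/* Mirror of the kernel's verdicthdr_get() test: true if the kernel would keep the header,
 * false if it would return NULL and the verdict message would be rejected. */
bool kernel_accepts_verdict_hdr(const struct nfqnl_msg_verdict_hdr *vhdr) {
    unsigned int verdict = from_be32(vhdr->verdict) & NF_VERDICT_MASK;
    if (verdict > NF_MAX_VERDICT || verdict == NF_STOLEN)
        return false;
    return true;
}

/* Convenience wrapper: would this 32-bit verdict value be accepted for packet id 1? */
bool verdict_is_usable(uint32_t verdict) {
    struct nfqnl_msg_verdict_hdr h = make_verdict_hdr(verdict, 1);
    return kernel_accepts_verdict_hdr(&h);
}

/* The value the Cython layer would actually send after truncating to u_int8_t. */
uint32_t truncate_to_u8(uint32_t verdict) {
    return (uint32_t)(uint8_t)verdict;
}

int main(void) {
    const struct { const char *name; uint32_t value; } cases[] = {
        { "NF_DROP",     NF_DROP },
        { "NF_ACCEPT",   NF_ACCEPT },
        { "NF_STOLEN",   NF_STOLEN },
        { "NF_QUEUE",    NF_QUEUE },
        { "NF_REPEAT",   NF_REPEAT },
        { "NF_STOP",     NF_STOP },
        { "XT_CONTINUE", XT_CONTINUE },
        { "XT_RETURN",   (uint32_t)XT_RETURN },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t masked = cases[i].value & NF_VERDICT_MASK;
        printf("%-12s raw=0x%08x masked=%3u -> %s\n", cases[i].name, cases[i].value, masked,
               verdict_is_usable(cases[i].value) ? "accepted" : "rejected (verdicthdr_get returns NULL)");
    }
    return 0;
}
```

Running it prints one line per verdict; the two XT_ values come out as rejected, which matches the "limitation of the NFQUEUE module itself" observation in the issue: the CONTINUE/RETURN semantics exist only inside the xtables rule traversal and have no representation in the verdict header the kernel is willing to parse.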