source-nfq: add queue redirect support

This patch adds the support of queue redirect. If 'next_queue' variable is set, the verdict sent to kernel is modified to contain the indication of a queue number (equal to 'next_queue') which will receive the packet after the verdict. This feature can be used to chain easily tools using NFQUEUE. Signed-off-by: Eric Leblond <eric@regit.org>
15 years ago · 94596ff282
parent aded7b4fae
commit 94596ff282
1 changed files with 10 additions and 1 deletions
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@ -131,6 +131,7 @@ typedef struct NFQCnf_ {
    int repeat_mode;
    uint32_t mark;
    uint32_t mask;
+    uint32_t next_queue;
 } NFQCnf;

 NFQCnf nfq_config;
@ -190,6 +191,10 @@ void NFQInitConfig(char quiet)
        nfq_config.mask = (uint32_t)value;
    }

+    if ((ConfGetInt("nfq.next_queue", &value)) == 1) {
+        nfq_config.next_queue = ((uint32_t)value) << 16;
+    }
+
    if (!quiet) {
        if (nfq_config.repeat_mode == TRUE) {
            SCLogInfo("NFQ running in REPEAT mode with mark %"PRIu32"/%"PRIu32,
@ -725,7 +730,11 @@ void NFQSetVerdict(Packet *p) {
 #endif /* COUNTERS */
    } else {
        if (nfq_config.repeat_mode == FALSE) {
-            verdict = NF_ACCEPT;
+            if (nfq_config.next_queue) {
+                verdict = ((uint32_t) NF_QUEUE) | nfq_config.next_queue;
+            } else {
+                verdict = NF_ACCEPT;
+            }
        } else {
            verdict = NF_REPEAT;
        }