[PATCH libnetfilter_queue 1/2] src: doc: Update sample code to agree with documentation

[PATCH libnetfilter_queue 1/2] src: doc: Update sample code to agree with documentation

[Duncan Roe]

Updated:

 src/nlmsg.c: Update nfq_nlmsg_verdict_put_pkt() sample code to use pktb_len()
              as recommended in src/extra/pktbuff.c, pktb_len() doco

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
---
 src/nlmsg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/nlmsg.c b/src/nlmsg.c
index c40a9e4..c950110 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -90,14 +90,13 @@ EXPORT_SYMBOL
 	pktb = pktb_alloc(AF_INET, payload, plen, 255);
 	// (decide that this packet needs mangling)
 	nfq_udp_mangle_ipv4(pktb, match_offset, match_len, rep_data, rep_len);
-	// Update IP Datagram length
-	plen += rep_len - match_len;
+	// nfq_udp_mangle_ipv4 updates packet length, no need to track locally
 
 	// Eventually nfq_send_verdict (line 39) gets called
 	// The received packet may or may not have been modified.
 	// Add this code before nfq_nlmsg_verdict_put call:
 	if (pktb_mangled(pktb))
-		nfq_nlmsg_verdict_put_pkt(nlh, pktb_data(pktb), plen);
+		nfq_nlmsg_verdict_put_pkt(nlh, pktb_data(pktb), pktb_len(pktb));
 \endverbatim
  */
 void nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt,
-- 
2.14.5

[PATCH libnetfilter_queue 2/2] src: doc: Fully document available verdicts

[Duncan Roe]

Updated:

 src/nlmsg.c - Document NF_DROP, NF_ACCEPT, NF_STOP, NF_REPEAT and
               NF_QUEUE_NR(new_queue).
             - Make line number of examples/nf-queue.c into a hyperlink.
             - Add hint that "cb" in function names is short for "callback".

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
---
 src/nlmsg.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/nlmsg.c b/src/nlmsg.c
index c950110..cbf49a6 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -34,11 +34,39 @@
  * nfq_nlmsg_verdict_put - Put a verdict into a Netlink message
  * \param nlh Pointer to netlink message
  * \param id ID assigned to packet by netfilter
- * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
+ * \param verdict verdict to return to netfilter (see \b Verdicts below)
+ * \par Verdicts
+ * __NF_DROP__ Drop the packet. This is final.
+ * \n
+ * __NF_ACCEPT__ Accept the packet. Processing of the current base chain
+ * and any called chains terminates,
+ * but the packet may still be processed by subsequently invoked base chains.
+ * \n
+ * __NF_STOP__ Like __NF_ACCEPT__, but skip any further base chains using the
+ * current hook.
+ * \n
+ * __NF_REPEAT__ Like __NF_ACCEPT__, but re-queue this packet to the
+ * current base chain. One way to prevent a re-queueing loop is to
+ * also set a packet mark using nfq_nlmsg_verdict_put_mark() and have the
+ * program test for this mark in \c attr[NFQA_MARK]; or have the nefilter rules
+ * do this test.
+ * \n
+ * __NF_QUEUE_NR__(*new_queue*) Like __NF_ACCEPT__, but queue this packet to
+ * queue number *new_queue*. As with the command-line \b queue \b num verdict,
+ * if no process is listening to that queue then the packet is discarded; but
+ * again like with the command-line, one may OR in a flag to bypass *new_queue*
+ *  if there is no listener, as in this snippet:
+ * \verbatim
+       nfq_nlmsg_verdict_put(nlh, id, NF_QUEUE_NR(new_queue) |
+	       NF_VERDICT_FLAG_QUEUE_BYPASS);
+\endverbatim
  *
- * See examples/nf-queue.c, line 46 for an example of how to use this function.
+ * See examples/nf-queue.c, line
+ * <a class="el" href="nf-queue_8c_source.html#l00046">46</a>
+ * for an example of how to use this function in context.
  * The calling sequence is \b main --> \b mnl_cb_run --> \b queue_cb -->
  * \b nfq_send_verdict --> \b nfq_nlmsg_verdict_put
+ * (\b cb being short for \b callback).
  */
 EXPORT_SYMBOL
 void nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict)
-- 
2.14.5

Re: [PATCH libnetfilter_queue 1/2] src: doc: Update sample code to agree with documentation

[Pablo Neira Ayuso]

On Mon, Dec 09, 2019 at 11:05:05AM +1100, Duncan Roe wrote:
> Updated:
> 
>  src/nlmsg.c: Update nfq_nlmsg_verdict_put_pkt() sample code to use pktb_len()
>               as recommended in src/extra/pktbuff.c, pktb_len() doco

Applied, thanks.

Re: [PATCH libnetfilter_queue 2/2] src: doc: Fully document available verdicts

[Pablo Neira Ayuso]

On Mon, Dec 09, 2019 at 11:05:06AM +1100, Duncan Roe wrote:
> Updated:
> 
>  src/nlmsg.c - Document NF_DROP, NF_ACCEPT, NF_STOP, NF_REPEAT and
>                NF_QUEUE_NR(new_queue).
>              - Make line number of examples/nf-queue.c into a hyperlink.
>              - Add hint that "cb" in function names is short for "callback".

Also applied, thanks.