On 10/17/2014 3:18 AM, Filippo Carletti wrote:
> Hi,
> I'd like to use the --queue-bypass option of NFQUEUE. From the iptables man page:
>
> --queue-bypass
> By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet will move on to the next rule.
>
> I tried to create a new action in embedded perl, but I can't figure out the syntax to add an option to a target. Moreover, I think I can't use a custom action in a policy (now, I have "loc net NFQUEUE").
>
> What's the best way to add the --queue-bypass option to nfqueue?
>
> I quickly patched Rules.pm and it works as expected, but --queue-bypass should be optional based on capabilities.
>
> P.S. The final target of this work is to have a snort/suricata setup like described here:
> http://www.spinics.net/lists/netfilter/msg55072.html
Hi Filippo,
Assuming that you are using a recent version of Shorewall, you can
simply use:
IPTABLES(NFQUEUE --queue-bypass) ...
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
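A rules-file entry that applies the answer above, added here as an example and not taken from the thread: it assumes the zones loc and net from the original policy, queue number 0 (an assumption; suricata/snort must listen on the same queue), and that the entry goes in /etc/shorewall/rules, which Shorewall evaluates before the loc-to-net policy, so the "loc net NFQUEUE" policy line can be replaced by this rule.

```text
# /etc/shorewall/rules (added example; zone names and queue number are assumed)
#
# Rules are matched before the loc->net policy, so this replaces "loc net NFQUEUE"
# in /etc/shorewall/policy. The IPTABLES() action passes the target and its options
# straight to iptables; --queue-bypass lets traffic fall through to the next rule
# (here, the policy) when no userspace program is bound to the queue, so an IDS
# restart does not turn into a loc->net outage. Replace the NFQUEUE policy with
# something explicit (e.g. ACCEPT or DROP) so the fallthrough behaviour is the one
# you actually want.
#
#ACTION                                         SOURCE  DEST  PROTO
IPTABLES(NFQUEUE --queue-num 0 --queue-bypass)  loc     net   -
```

Check the compiled result with "shorewall show FORWARD" (or "iptables -L -v") and confirm the NFQUEUE rule carries "bypass"; if the installed iptables does not accept --queue-bypass, the compile step fails rather than silently dropping the option.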
