allows userspace to ask for large gso packets via nfqueue.
Signed-off-by: Florian Westphal <fw@strlen.de>
NFQA_IFINDEX_PHYSOUTDEV, /* u_int32_t ifindex */
NFQA_HWADDR, /* nfqnl_msg_packet_hw */
NFQA_PAYLOAD, /* opaque data payload */
+ NFQA_CT, /* nf_conntrack_netlink.h */
+ NFQA_CT_INFO, /* enum ip_conntrack_info */
+ NFQA_CAP_LEN, /* __u32 length of captured packet */
+ NFQA_SKB_INFO, /* __u32 skb meta information */
__NFQA_MAX
};
/* Flags/options for NFQA_CFG_FLAGS */
#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
#define NFQA_CFG_F_CONNTRACK (1 << 1)
-#define NFQA_CFG_F_MAX (1 << 2)
+#define NFQA_CFG_F_GSO (1 << 2)
+#define NFQA_CFG_F_MAX (1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
#endif /* _NFNETLINK_QUEUE_H */
NFQA_PAYLOAD, /* opaque data payload */
NFQA_CT, /* nf_conntrack_netlink.h */
NFQA_CT_INFO, /* enum ip_conntrack_info */
+ NFQA_CAP_LEN, /* __u32 length of captured packet */
+ NFQA_SKB_INFO, /* __u32 skb meta information */
__NFQA_MAX
};
__u8 copy_mode; /* enum nfqnl_config_mode */
} __attribute__ ((packed));
-enum nfqnl_flags {
- NFQNL_F_NONE = 0,
- NFQNL_F_CONNTRACK = (1 << 0),
-};
enum nfqnl_attr_config {
NFQA_CFG_UNSPEC,
NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
NFQA_CFG_QUEUE_MAXLEN, /* __u32 */
- NFQA_CFG_FLAGS, /* __u32 */
+ NFQA_CFG_MASK, /* identify which flags to change */
+ NFQA_CFG_FLAGS, /* value of these flags (__u32) */
__NFQA_CFG_MAX
};
#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
+#define NFQA_CFG_F_CONNTRACK (1 << 1)
+#define NFQA_CFG_F_GSO (1 << 2)
+#define NFQA_CFG_F_MAX (1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
+
#endif /* _NFNETLINK_QUEUE_H */
* - NFQA_CFG_F_CONNTRACK (requires Linux kernel >= 3.6): the kernel will
* include the Connection Tracking system information.
*
+ * - NFQA_CFG_F_GSO (requires Linux kernel >= 3.10): the kernel will
+ * not normalize offload packets, i.e. your application will need to
+ * be able to handle packets larger than the mtu (up to 64k).
+ *
+ * If your application validates checksums (e.g., tcp checksum),
+ * then you must also check if the NFQA_SKB_INFO attribute is present.
+ * If it is, you need to test the NFQA_SKB_CSUMNOTREADY bit:
+ * \verbatim
+ if (attr[NFQA_SKB_INFO]) {
+ uint32_t info = ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO]));
+ if (info & NFQA_SKB_CSUMNOTREADY)
+ validate_checksums = false;
+ }
+\endverbatim
+ * if this bit is set, the layer 3/4 checksums of the packet appear incorrect,
+ * but are not (because they will be corrected later by the kernel).
+ *
* Here's a little code snippet to show how to use this API:
* \verbatim
uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
case NFQA_IFINDEX_OUTDEV:
case NFQA_IFINDEX_PHYSINDEV:
case NFQA_IFINDEX_PHYSOUTDEV:
+ case NFQA_CAP_LEN:
+ case NFQA_SKB_INFO:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
return MNL_CB_ERROR;
break;
projects / platform / upstream / libnetfilter_queue.git / commitdiff