src: add notes on NF_STOLEN and NF_REPEAT to documentation

The verdict NF_STOLEN must not be used.

When using NF_REPEAT, one way to prevent re-queueing of the
same packet is to also set an nfmark using nfq_set_verdict2,
and set up the nefilter rules to only queue a packet when the
mark is not (yet) set.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>

diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c
index 358e9b1..d57a523 100644 (file)
--- a/src/libnetfilter_queue.c
+++ b/src/libnetfilter_queue.c
@@ -244,12 +244,17 @@ struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
  *
  *   - NF_DROP discarded the packet
  *   - NF_ACCEPT the packet passes, continue iterations
- *   - NF_STOLEN gone away
  *   - NF_QUEUE inject the packet into a different queue
  *     (the target queue number is in the high 16 bits of the verdict)
  *   - NF_REPEAT iterate the same cycle once more
  *   - NF_STOP accept, but don't continue iterations
  *
+ * The verdict NF_STOLEN must not be used, as it has special meaning in the
+ * kernel.
+ * When using NF_REPEAT, one way to prevent re-queueing of the same packet
+ * is to also set an nfmark using nfq_set_verdict2, and set up the nefilter
+ * rules to only queue a packet when the mark is not (yet) set.
+ *
  * Data and information about the packet can be fetch by using message parsing
  * functions (See \link Parsing \endlink).
  * @{