Add NFQUEUE support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7218 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

manpages/shorewall-policy.xml

@@ -85,6 +85,7 @@
         role="bold">REJECT</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
+        role="bold">NFQUEUE</emphasis>[/<emphasis>queuenumber</emphasis>]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -158,6 +159,17 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>NFQUEUE</term>
+
+              <listitem>
+                <para>Queue the request for a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not given, queue
+                zero (0) is assumed.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">CONTINUE</emphasis></term>
 

manpages/shorewall-rules.xml

@@ -123,7 +123,8 @@
         role="bold">CONTINUE</emphasis>[<option>!</option>]|<emphasis
         role="bold">LOG</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>[<option>!</option>]|<emphasis
-        role="bold">COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
+        role="bold">NFQUEUE</emphasis>[/<emphasis>queuenumber</emphasis>]<emphasis
+        role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
         role="bold">/</emphasis><emphasis>target</emphasis>]}<emphasis
         role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
         role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
@@ -341,6 +342,29 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>NFQUEUE</term>
+
+              <listitem>
+                <para>Only supported by Shorewall-perl &gt;= 4.0.3.</para>
+
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>NFQUEUE!</term>
+
+              <listitem>
+                <para>like NFQUEUE but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">COMMENT</emphasis></term>
 

manpages/shorewall.conf.xml

@@ -106,20 +106,30 @@
         role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
         role="bold">none</emphasis>}</term>
 
+        <listitem>
+          <para></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
+        role="bold">none</emphasis>} (Shorewall-perl 4.0.3 and later)</term>
+
         <listitem>
           <para>In earlier Shorewall versions, a "default action" for DROP and
           REJECT policies was specified in the file
           /usr/share/shorewall/actions.std.</para>
 
           <para>To allow for default rules to be applied when USE_ACTIONS=No,
-          the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT and QUEUE_DEFAULT
-          options have been added.</para>
+          the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
+          NFQUEUE_DEFAULT options have been added.</para>
 
           <para>DROP_DEFAULT describes the rules to be applied before a
           connection request is dropped by a DROP policy; REJECT_DEFAULT
           describes the rules to be applied if a connection request is
-          rejected by a REJECT policy. The other two are similar for ACCEPT
-          and QUEUE policies.</para>
+          rejected by a REJECT policy. The other three are similar for ACCEPT,
+          QUEUE and NFQUEUE policies.</para>
 
           <para>The value applied to these may be:</para>
 
@@ -144,6 +154,8 @@
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
+
+            <member>NFQUEUE_DEFAULT="None"</member>
           </simplelist>
 
           <para>If USE_ACTIONS=Yes, then these values refer to action.Drop and