IPTables "QUEUE" Module and libipq
----------------------------------

The "QUEUE" mechanism has two parts. The kernel component is the
iptables "QUEUE" target, to which packets can be sent using the "jump"
option of iptables.

Packets sent to this target can be "collected" by an application program
using the "libipq" library. The program can read packets, inspect them
and pass a "verdict" back to the kernel. Two verdicts are possible:
"DROP" means that the packet is discarded completely and "ACCEPT" means
that the packet continues to be processed by the kernel as if an
"ACCEPT" target had been specified by the iptables rule.

No other verdict options are available; it is not (for example) possible
to pass the packet on for further iptables rules inspection. Passing a
packet to "QUEUE" means that the packet ceases to be processed by the
invoking chain.


Files in /proc

/proc/sys/net/ipv4/ip_queue_maxlen

/proc/net/ip_queue
	typical contents:
		Peer PID          : 0
		Copy mode         : 0
		Copy range        : 0
		Queue length      : 0
		Queue max. length : 1024
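
Since every packet sent to "QUEUE" waits on a userspace verdict, the state
of the queue is worth monitoring. The following is an added example, not part
of the original text or of libipq: it parses the /proc/net/ip_queue layout
shown above and flags two conditions. Reading a Peer PID of 0 as "no program
attached", the 0.8 fill threshold and the sample values are assumptions.

```python
import re

# Constructed sample in the layout shown above; not captured from a live host.
SAMPLE = """\
Peer PID          : 2817
Copy mode         : 2
Copy range        : 2048
Queue length      : 1000
Queue max. length : 1024
"""

# Copy mode numbers as defined by IPQ_COPY_NONE/META/PACKET in the kernel's ip_queue.h.
COPY_MODES = {0: "none", 1: "meta", 2: "packet"}


def parse_ip_queue(text):
    """Turn the 'Name : number' lines of /proc/net/ip_queue into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def assess(fields, warn_ratio=0.8):
    """Return findings; warn_ratio is an assumed threshold, not a kernel value."""
    findings = []
    if fields.get("Peer PID", 0) == 0:
        findings.append("no-listener")
    length = fields.get("Queue length", 0)
    maxlen = fields.get("Queue max. length", 0)
    if maxlen > 0 and length >= warn_ratio * maxlen:
        findings.append("queue-near-full")
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/ip_queue") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # file not present on this host; fall back to the sample
    fields = parse_ip_queue(text)
    mode = COPY_MODES.get(fields.get("Copy mode"), "unknown")
    print(fields, "copy mode:", mode, "findings:", assess(fields) or "none")
```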
