extensions/libxt_NFQUEUE.man

This target passes the packet to userspace using the
\fBnfnetlink_queue\fP handler.  The packet is put into the queue
identified by its 16-bit queue number.  Userspace can inspect
and modify the packet if desired. Userspace must then drop or
reinject the packet into the kernel.  Please see libnetfilter_queue
for details.
.B
nfnetlink_queue
was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
\fBqueue-bypass\fP in 2.6.39.
.TP
\fB\-\-queue\-num\fP \fIvalue\fP
This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
.PP
.TP
\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP
This specifies a range of queues to use. Packets are then balanced across the given queues.
This is useful for multicore systems: start multiple instances of the userspace program on
queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP".
Packets belonging to the same connection are put into the same nfqueue.
.PP
.TP
\fB\-\-queue\-bypass\fP
By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
are dropped.  When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
will move on to the next table.
.PP
.TP
\fB\-\-queue\-cpu-fanout\fP
Available starting Linux kernel 3.10. When used together with
\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
the queues. The idea is that you can improve performance if there's a queue
per CPU. This requires \fB--queue-balance\fP to be specified.