You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fw-daemon/vendor/github.com/subgraph/go-nfnetlink
Stephen Watt a8f61a2d4e
Re-sync to master.
7 years ago
..
nfqueue Re-sync to master. 7 years ago
.gitignore Re-sync to master. 7 years ago
LICENSE Re-sync to master. 7 years ago
README.md Re-sync to master. 7 years ago
nfnl.go Re-sync to master. 7 years ago
nfnl_attr.go Re-sync to master. 7 years ago
nfnl_sock.go Re-sync to master. 7 years ago

README.md

go-nfnetlink - A native Go library for interacting with netfilter subsystems

A library for communicating with Linux netfilter subsystems over netlink sockets.

Linux/net/netfilter/nfnetlink.c:

Netfilter messages via netlink sockets.  Allows for user space protocol helpers and general
trouble making from userspace.

Netfilter is composed of several subsystems in the Linux kernel, some of which provide access from userland over a netlink socket interface. The protocol API for accessing these subsystems share a common set of protocol conventions called nfnetlink (netfilter netlink).

What is the nfqueue package?

A library for the netfilter queue subsystem built on top of the nfnetlink layer.

Here is a basic example of how to use it:

Set up IPTables

# iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 1 --queue-bypass

Read ICMP packets from queue number 1

q := nfqueue.NewNFQueue(1)

ps, err := q.Open()
if err != nil {
        fmt.Printf("Error opening NFQueue: %v\n", err)
        os.Exit(1)
}
defer q.Close()

for p := range ps {
        fmt.Printf("Packet: %v\n", p.Packet)
        p.Accept()
}

How can I implement support for other netfilter subsystems?

You'll probably have to read the C library code or the Linux kernel source to learn about the protocol as there is usually no documentation at all. Look at nfqueue for an example of how to implement the protocol using the nfnetlink layer.

We plan to add some basic support for conntrack in the near future. Pull requests welcome for new features and subsystems.