mirror of https://github.com/subgraph/fw-daemon
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
1.6 KiB
53 lines
1.6 KiB
# go-nfnetlink - A native Go library for interacting with netfilter subsystems
|
|
|
|
A library for communicating with Linux netfilter subsystems over netlink sockets.
|
|
|
|
## What is 'netfilter netlink'?
|
|
|
|
Linux/net/netfilter/nfnetlink.c:
|
|
|
|
Netfilter messages via netlink sockets. Allows for user space protocol helpers and general
|
|
trouble making from userspace.
|
|
|
|
Netfilter is composed of several subsystems in the Linux kernel, some of which provide access from userland
|
|
over a netlink socket interface. The protocol API for accessing these subsystems share a common set of protocol conventions
|
|
called nfnetlink (netfilter netlink).
|
|
|
|
## What is the nfqueue package?
|
|
|
|
A library for the netfilter queue subsystem built on top of the nfnetlink layer.
|
|
|
|
Here is a basic example of how to use it:
|
|
|
|
Set up IPTables
|
|
|
|
# iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 1 --queue-bypass
|
|
|
|
Read ICMP packets from queue number 1
|
|
|
|
q := nfqueue.NewNFQueue(1)
|
|
|
|
ps, err := q.Open()
|
|
if err != nil {
|
|
fmt.Printf("Error opening NFQueue: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
defer q.Close()
|
|
|
|
for p := range ps {
|
|
fmt.Printf("Packet: %v\n", p.Packet)
|
|
p.Accept()
|
|
}
|
|
|
|
|
|
## How can I implement support for other netfilter subsystems?
|
|
|
|
You'll probably have to read the C library code or the Linux kernel source to learn about the protocol as there
|
|
is usually no documentation at all. Look at nfqueue for an example of how to implement the protocol using
|
|
the nfnetlink layer.
|
|
|
|
We plan to add some basic support for conntrack in the near future. Pull requests welcome for new features and
|
|
subsystems.
|
|
|
|
|