From: Julien Vehent <julien@linuxwall.info>
To: Gilad Benjamini <gilad.benjamini@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Userland Netfilter
Date: Thu, 30 Oct 2008 18:52:28 +0100	[thread overview]
Message-ID: <166fef934704cc25bd539e4c412b36c3@localhost> (raw)
In-Reply-To: <1225385229.5690.33.camel@roken.inl.fr>


On Thu, 30 Oct 2008 17:47:09 +0100, Sebastien Tricaud <stricaud@inl.fr>
wrote:
> On Thu, 2008-10-30 at 08:49 -0700, Gilad Benjamini wrote:
>> I need to create a userland simulation for filtering packets.
>> I remember running into a userland netfilter, but can't seem to find it.
>> Any
>> pointers or info would be appreciated.
>> Another option is to feed the packets into tun/tap devices, and let the
>> real
>> netfilter do the job. Performance, of course, is not a concern in my
>> case.
>> Does that sound reasonable ? Tun/tap seems to be an almost dead project.
>> Will it work in newer distributions ?
>> 
> 
> Hello Gilad,
> 
> I highly recommend that you use Pierre's easy bindings, so that you can
> write your simulation in either Perl or Python:
> 
> http://software.inl.fr/trac/wiki/nfqueue-bindings
> 

Hi There,

Processing packets in Perl or Python? Even if performance is not an
issue, you may want to be able to do something on the packet before the
user dies, no?... :)

Just kidding, in fact, I found the regular netfilter queue library very
easy and convenient to use in C (see the code attached). And the
performance has nothing to be ashamed of...

http://netfilter.org/projects/libnetfilter_queue/downloads.html

Regards,
Julien

> 
> Regards,
> Sebastien Tricaud.

-- 
www.linuxwall.info

[-- Attachment #2: netfilter_queue.c --]

/* netfilter_queue.c
 *
 * Test program: attach to NFQUEUE queue 0, print a summary of every
 * queued IPv4 packet and accept it.
 *
 * Build: gcc -o netfilter_queue netfilter_queue.c -lnetfilter_queue
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>		/* for recv() */
#include <netinet/in.h>
#include <arpa/inet.h>		/* for ntohl()/ntohs() */
#include <linux/netfilter.h>		/* for NF_ACCEPT */

#include <libnetfilter_queue/libnetfilter_queue.h>

/* prints the packet metadata and returns the packet id needed for the verdict */
static uint32_t print_pkt (struct nfq_data *tb)
{
	uint32_t id = 0;
	struct nfqnl_msg_packet_hdr *ph;
	uint32_t mark, ifi;
	int ret;
	unsigned char *data;

	ph = nfq_get_msg_packet_hdr(tb);
	if (ph) {
		id = ntohl(ph->packet_id);
		printf("hw_protocol=0x%04x hook=%u id=%u ",
			ntohs(ph->hw_protocol), ph->hook, id);
	}

	mark = nfq_get_nfmark(tb);
	if (mark)
		printf("mark=%u ", mark);

	ifi = nfq_get_indev(tb);
	if (ifi)
		printf("indev=%u ", ifi);

	ifi = nfq_get_outdev(tb);
	if (ifi)
		printf("outdev=%u ", ifi);

	/* data points at the IP header; ret is the payload length, or -1 on error */
	ret = nfq_get_payload(tb, &data);
	if (ret >= 0)
		printf("payload_len=%d ", ret);

	fputc('\n', stdout);

	return id;
}

/* called once per queued packet; every packet must receive a verdict,
 * otherwise it stays queued until the kernel queue fills up */
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	      struct nfq_data *nfa, void *data)
{
	uint32_t id;

	(void)nfmsg;	/* unused here */
	(void)data;	/* unused here */

	id = print_pkt(nfa);
	printf("entering callback\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}

int main(int argc, char **argv)
{
	struct nfq_handle *h;
	struct nfq_q_handle *qh;
	struct nfnl_handle *nh;
	int fd;
	int rv;
	char buf[4096];

	(void)argc;
	(void)argv;

	printf("opening library handle\n");
	h = nfq_open();
	if (!h) {
		fprintf(stderr, "error during nfq_open()\n");
		exit(1);
	}

	printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
	if (nfq_unbind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_unbind_pf()\n");
		exit(1);
	}

	printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
	if (nfq_bind_pf(h, AF_INET) < 0) {
		fprintf(stderr, "error during nfq_bind_pf()\n");
		exit(1);
	}

	/* queue number 0 must match the --queue-num of the NFQUEUE rule */
	printf("binding this socket to queue '0'\n");
	qh = nfq_create_queue(h,  0, &cb, NULL);
	if (!qh) {
		fprintf(stderr, "error during nfq_create_queue()\n");
		exit(1);
	}

	/* copy the whole packet (up to 0xffff bytes) to userland, not just metadata */
	printf("setting copy_packet mode\n");
	if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
		fprintf(stderr, "can't set packet_copy mode\n");
		exit(1);
	}

	nh = nfq_nfnlh(h);
	fd = nfnl_fd(nh);

	/* each netlink message received is dispatched to cb() via nfq_handle_packet() */
	while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
		printf("pkt received\n");
		nfq_handle_packet(h, buf, rv);
	}
	if (rv < 0)
		perror("recv");

	printf("unbinding from queue 0\n");
	nfq_destroy_queue(qh);

#ifdef INSANE
	/* normally, applications SHOULD NOT issue this command, since
	 * it detaches other programs/sockets from AF_INET, too ! */
	printf("unbinding from AF_INET\n");
	nfq_unbind_pf(h, AF_INET);
#endif

	printf("closing library handle\n");
	nfq_close(h);

	exit(0);
}

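To turn the attached skeleton into an actual userland filter, here is an added example that is not part of Julien's attachment or of libnetfilter_queue: a verdict policy over the raw IPv4 bytes that nfq_get_payload() hands to cb(), with the verdict constants redefined locally so it builds and tests without the kernel headers. The blocked port, the sample packet builder and the addresses in it are constructed for illustration; inside cb() the call would be decide_verdict(data, ret) in place of NF_ACCEPT.

```c
#include <stdint.h>
#include <string.h>

/* Same values as NF_DROP / NF_ACCEPT in <linux/netfilter.h>, redefined
 * so the policy builds and tests on a host without the kernel headers. */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1
#define PROTO_TCP        6
#define BLOCKED_TCP_PORT 23	/* hypothetical policy: refuse inbound telnet */

/* Policy over the raw IPv4 packet that nfq_get_payload() returns.
 * Anything malformed or truncated fails closed and is dropped. */
int decide_verdict(const unsigned char *pkt, size_t len)
{
	size_t ihl;
	uint16_t dport;
	if (pkt == NULL || len < 20)
		return VERDICT_DROP;		/* shorter than a minimal IPv4 header */
	if ((pkt[0] >> 4) != 4)
		return VERDICT_DROP;		/* this policy only understands IPv4 */
	ihl = (size_t)(pkt[0] & 0x0f) * 4;
	if (ihl < 20 || ihl > len)
		return VERDICT_DROP;		/* bogus header length */
	if (pkt[9] != PROTO_TCP)
		return VERDICT_ACCEPT;		/* non-TCP traffic is not filtered here */
	if (len < ihl + 4)
		return VERDICT_DROP;		/* TCP ports cut off: truncated packet */
	dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
	return dport == BLOCKED_TCP_PORT ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Constructed 40-byte IPv4+TCP SYN from 10.0.0.1 to 10.0.0.2:dport,
 * evaluated with only the first `len` bytes visible (simulates truncation). */
int sample_verdict(uint16_t dport, size_t len)
{
	unsigned char buf[40];
	memset(buf, 0, sizeof buf);
	buf[0] = 0x45;				/* version 4, IHL 5 (20 bytes) */
	buf[3] = 40;				/* total length */
	buf[9] = PROTO_TCP;
	memcpy(buf + 12, "\x0a\x00\x00\x01", 4);	/* src 10.0.0.1 */
	memcpy(buf + 16, "\x0a\x00\x00\x02", 4);	/* dst 10.0.0.2 */
	buf[20] = 0xc0;				/* source port 49152 */
	buf[22] = (unsigned char)(dport >> 8);
	buf[23] = (unsigned char)(dport & 0xff);
	buf[32] = 0x50;				/* TCP data offset 5 */
	buf[33] = 0x02;				/* SYN */
	return decide_verdict(buf, len < sizeof buf ? len : sizeof buf);
}
```

Packets only reach queue 0 once a rule such as `iptables -A INPUT -j NFQUEUE --queue-num 0` sends them there, and while no program is attached to the queue the kernel drops them, so start the listener before adding the rule.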
Thread overview: 3+ messages
2008-10-30 15:49 Userland Netfilter Gilad Benjamini
2008-10-30 16:47 ` Sebastien Tricaud
2008-10-30 17:52   ` Julien Vehent [this message]