netfilter queue

netfilter queue

[Michael Mefford]

I need to know how to interact with the netfilter queue.  My project 
needs to capture TCP packets from the queue, process them in userspace, 
and then re-insert them back into the firewall to forwarded on.  
However, I can't find any recent documentation that explains how to do 
this.  The most I can find is about 3 years old (and seemingly out of 
date).  Does anyone have good working knowledge that might help me 
understand this?


Michael.

Re: netfilter queue

[Vincent Bernat]

OoO En cette aube naissante du dimanche 31 mai 2009, vers 07:56, Michael
Mefford <meffordm@gmail.com> disait :

> I need to know how to interact with the netfilter queue.  My project
> needs to capture TCP packets from the queue, process them in
> userspace, and then re-insert them back into the firewall to forwarded
> on.  However, I can't find any recent documentation that explains how
> to do this.  The most I can find is about 3 years old (and seemingly
> out of date).  Does anyone have good working knowledge that might help
> me understand this?

You have a basic example in the sources:
 https://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=blob;f=utils/nfqnl_test.c;hb=HEAD

I have a pet project using Netfilter queue if you want another example:
 http://cgit.luffy.cx/udpproxy/tree/src/proxy.c

There is also nufw and mxallowd that uses netfilter queue.

To modify a packet, just modify your received copy (or another copy) and
use the two last arguments of  nf_queue_set_verdict to be the size and a
pointer to your copy. Otherwise, set them to 0 and NULL.
-- 
#ifdef STUPIDLY_TRUST_BROKEN_PCMD_ENA_BIT
        2.4.0-test2 /usr/src/linux/drivers/ide/cmd640.c

netfilter queue

[ratheesh k]

Hi all ,

               xt_time module is not handling DST . So i am writing a
userspace application to handle time based pkt filtering by queuing
pkts to userspace using  NFQUEUE target .
There are some concerns and doubts

1 ) All packets will be copied to userspace , one pkt at a time ,
based on the iptables rule . But , if i use any system call in my user
space application before reinjecting the pkt back to kernel , will it
severely dampen the network throughput ?

2)  Creating /proc entries and passing DST values to kernel and Handle
Time by xt_time module will be a better solution ?

Thanks,
Ratheesh

Netfilter Queue

[Andreas Hess]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have written a UDP packet processing kernel module that registers itself to 
the PREROUTING hook of the Netfilter architecture. Now, each UDP packet that 
arrives at this hook is passed  to my module. 
And this is the point!
What exactly does this mean?
As far as I understand it: there are module-specific queues, in which the 
packets are inserted?
If so, is there a possibility to influence the lengths of these queues?

I would like to realize a means to adapt the queue length respectively the 
amount of packets waiting to be processed by a module according the current 
traffic load. (high traffic load -> short queue length).

Is such a thing possible?

Thanks muchly for your time

Andreas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAHi+r68eBr8WIgcgRApAfAJ49XWvaqKUA5Grc+Xm9XufnN+NKdACgiSMd
X1aJF7qTk8PmtW5Wb/Y1t74=
=Wkb1
-----END PGP SIGNATURE-----

Re: Netfilter Queue

[Henrik Nordstrom]

On Mon, 2 Feb 2004, Andreas Hess wrote:

> I have written a UDP packet processing kernel module that registers itself to 
> the PREROUTING hook of the Netfilter architecture. Now, each UDP packet that 
> arrives at this hook is passed  to my module. 

Ok.

> As far as I understand it: there are module-specific queues, in which the 
> packets are inserted?

What queues?

Netfilter modules are called inline in the normal packet forwarding of the 
Linux kernel. If your system receives packets faster than it can process 
then packets are dropped.

In most Ethernet drivers there is a relatively small queue between the
interrupt handler and the rest of the kernel. This queue is not related to
Netfilter but part of how the specific drivers work.


The only queue mechanism in netfilter is if your hook function returns
NF_QUEUE as verdict, in which case the packet will be sent to userspace
via ip_queue. I am not sure if there is a queue size limitation or not
when using NF_QUEUE.


Regards
Henrik

Re: Netfilter Queue

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

On Mon, Feb 02, 2004 at 12:08:27PM +0100, Andreas Hess wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I have written a UDP packet processing kernel module that registers itself to 
> the PREROUTING hook of the Netfilter architecture. Now, each UDP packet that 
> arrives at this hook is passed  to my module. 

this is exactly what you wanted to do.  If you register to a hook in the
stack, you will get all packets traversing that point in the stack.

This is what netfilter is all about!!

I think you might have a general misconception about what netfilter is.

> As far as I understand it: there are module-specific queues, in which the 
> packets are inserted?

no, why should there be any queues?

> I would like to realize a means to adapt the queue length respectively the 
> amount of packets waiting to be processed by a module according the current 
> traffic load. (high traffic load -> short queue length).
> 
> Is such a thing possible?

no, you are called inline in the network RX softirq.  There is only a
single backlog queue between hardirq and softirq in front of you.

> Andreas

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]