nfnetlink_queue: which userspace library?

nfnetlink_queue: which userspace library?

[David F]

Hi,

I want to do some packet manipulation that seems beyond the scope of 
what can be done directly by existing iptables modules (ipv4 options 
mangling), so I'd like to queue the packets in question for userspace, 
for easy experimentation and development.

After a fair bit of googling, it seems to me that the most common and 
well-documented way to do this is via the QUEUE target and libipq.  But 
numerous references indicate that QUEUE and libipq are deprecated and 
NFQUEUE/nfnetlink_queue is the preferred method.  Setting up the 
iptables looks straightforward, but then how to receive/return them on 
the userspace side?  Aside from libipq, it seems that there are 3 
alternatives:

* libnetfilter_queue http://www.netfilter.org/projects/libnetfilter_queue/
* libnl and its "queue" group of functions 
http://www.infradead.org/~tgr/libnl/doc/group__queue.html 
<http://www.infradead.org/%7Etgr/libnl/doc/group__queue.html>
* Code your own using netlink sockets directly, and 
<linux/netfilter/nfnetlink_queue.h>.

None of these seem to have great documentation or example programs, 
although I have found a few resources.  So I'm wondering if anyone can 
give me a little direction as to what are the differences, which would 
be the best option, and why there seems to be a duplication between 
libnl and libnetfilter.  Is libipq truly deprecated?  I would prefer not 
to code into a "dead end" and eventually end up re-coding for a 
different library.

Thanks,
David F

Re: nfnetlink_queue: which userspace library?

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 2590 bytes --]

Hi,

Le mardi 27 avril 2010 à 13:48 -0400, David F a écrit :
> Hi,
> 
> I want to do some packet manipulation that seems beyond the scope of 
> what can be done directly by existing iptables modules (ipv4 options 
> mangling), so I'd like to queue the packets in question for userspace, 
> for easy experimentation and development.
> 
> After a fair bit of googling, it seems to me that the most common and 
> well-documented way to do this is via the QUEUE target and libipq.  But 
> numerous references indicate that QUEUE and libipq are deprecated

Yes, they really are.

>  and 
> NFQUEUE/nfnetlink_queue is the preferred method.  Setting up the 
> iptables looks straightforward, but then how to receive/return them on 
> the userspace side?  Aside from libipq, it seems that there are 3 
> alternatives:
> 
> * libnetfilter_queue http://www.netfilter.org/projects/libnetfilter_queue/
> * libnl and its "queue" group of functions 
> http://www.infradead.org/~tgr/libnl/doc/group__queue.html 
> <http://www.infradead.org/%7Etgr/libnl/doc/group__queue.html>
> * Code your own using netlink sockets directly, and 
> <linux/netfilter/nfnetlink_queue.h>.


libnetfilter_queue is the official and most used library. 

> 
> None of these seem to have great documentation or example programs, 

http://www.nufw.org/doc/libnetfilter_queue/ is the most accurate
libnetfilter_queue documentation.
An example program is available in the source :
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=blob;f=utils/nfqnl_test.c

Real life example can be found in :
      * suricata:
        http://www.openinfosecfoundation.org/index.php/download-suricata
      * NuFW:
        http://www.nufw.org/projects/nufw/repository/revisions/master/entry/src/nufw/packetsrv.c

You can even use libnetfilter_queue with high-level langage:
http://www.nufw.org/projects/nfqueue-bindings

> although I have found a few resources.  So I'm wondering if anyone can 
> give me a little direction as to what are the differences, which would 
> be the best option, and why there seems to be a duplication between 
> libnl and libnetfilter.

There's a idea of merging libnetfilter_queue inside libnl but the move
was not really succesfull (when talking about adoption by oter project).

ipqueue is deprecated and sucks by most aspect (not portable, only one
queue for example)

> Is libipq truly deprecated? 

Yes ! For some years !

BR,
-- 
Éric Leblond <eric@inl.fr>
EdenWall, http://www.edenwall.com/
NuFW, http://www.nufw.org

[-- Attachment #2: Ceci est une partie de message numériquement signée --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

Re: nfnetlink_queue: which userspace library?

[David F]

Eric Leblond wrote:
> libnetfilter_queue is the official and most used library.
[...]
> http://www.nufw.org/doc/libnetfilter_queue/ is the most accurate
> libnetfilter_queue documentation.
> An example program is available in the source :
> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=blob;f=utils/nfqnl_test.c
>
> Real life example can be found in :
>       * suricata:
>         http://www.openinfosecfoundation.org/index.php/download-suricata
>       * NuFW:
>         http://www.nufw.org/projects/nufw/repository/revisions/master/entry/src/nufw/packetsrv.c
>
> You can even use libnetfilter_queue with high-level langage:
> http://www.nufw.org/projects/nfqueue-bindings
>   

Thank you very much!  These are great resources.
-- David F.