README
¶
go-netfilter-queue
Go bindings for libnetfilter_queue
Forked from openshift/geard@be0423a for supporting recent environments.
This library provides access to packets in the IPTables netfilter queue (NFQUEUE). The libnetfilter_queue library is part of the Netfilter project.
Example
use IPTables to direct all outgoing Ping/ICMP requests to the queue 0:
iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 0
You can then use go-netfilter-queue to inspect the packets:
package main
import (
"fmt"
"github.com/TerraTech/go-netfilter-queue"
"os"
)
func main() {
var err error
nfq, err := netfilter.NewNFQueue(0, 100, netfilter.NF_DEFAULT_PACKET_SIZE)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
defer nfq.Close()
packets := nfq.GetPackets()
for true {
select {
case p := <-packets:
fmt.Println(p.Packet)
p.SetVerdict(netfilter.NF_ACCEPT)
}
}
}
To inject a new or modified packet in the place of the original packet, use:
p.SetVerdictWithPacket(netfilter.NF_ACCEPT, byte_slice)
Instead of:
p.SetVerdict(netfilter.NF_ACCEPT)
To undo the IPTables redirect. Run:
iptables -D OUTPUT -p icmp -j NFQUEUE --queue-num 0
Documentation
¶
Overview ¶
Go bindings for libnetfilter_queue
This library provides access to packets in the IPTables netfilter queue (NFQUEUE). The libnetfilter_queue library is part of the http://netfilter.org/projects/libnetfilter_queue/ project.
Index ¶
Constants ¶
const ( AF_INET = 2 AF_INET6 = 10 NF_DROP Verdict = 0 NF_ACCEPT Verdict = 1 NF_STOLEN Verdict = 2 NF_QUEUE Verdict = 3 NF_REPEAT Verdict = 4 NF_STOP Verdict = 5 // Avoid collisions by using high range 0x11000 - 0x11012 NF_MARK_DROP Mark = 0x11000 NF_MARK_ACCEPT Mark = 0x11001 NF_MARK_RETURN Mark = 0x11002 NF_MARK_REPEAT Mark = 0x11003 NF_MARK_DROP_LOG Mark = 0x11010 NF_MARK_ACCEPT_LOG Mark = 0x11011 NF_MARK_RETURN_LOG Mark = 0x11012 NF_DEFAULT_PACKET_SIZE uint32 = 0xffff )
Variables ¶
var FailureVerdict = NF_DROP
FailureVerdict is the default verdict in case of unexpected processing errors and is mutated by Fail-Open
Functions ¶
This section is empty.
Types ¶
type NFPacket ¶
type NFPacket struct {
Packet []byte
// contains filtered or unexported fields
}
func (*NFPacket) SetRequeueVerdict ¶
Set the verdict for the packet (in the case of requeue)
func (*NFPacket) SetRequeueVerdictMark ¶
SetRequeueVerdictMark will set the verdict and user defined mark for the packet (in the case of requeue)
func (*NFPacket) SetVerdict ¶
Set the verdict for the packet
func (*NFPacket) SetVerdictMark ¶
SetVerdictMark will set the packet mark. Verdict will be NF_ACCEPT or NF_REPEAT.
func (*NFPacket) SetVerdictWithPacket ¶
Set the verdict for the packet AND provide new packet content for injection
type NFQueue ¶
type NFQueue struct {
// contains filtered or unexported fields
}
func NewNFQueue ¶
Create and bind to queue specified by queueId
func (*NFQueue) Close ¶
func (nfq *NFQueue) Close()
Unbind and close the queue Close ensures that nfqueue resources are freed and closed. C.stop_reading_packets() stops the reading packets loop, which causes go-subroutine run() to exit. After exit, listening queue is destroyed and closed. If for some reason any of the steps stucks while closing it, we'll exit by timeout. reference: https://bit.ly/35ybNRF
func (*NFQueue) GetPackets ¶
Get the channel for packets
Source Files