nfqueue-go
nfqueue-go is a wrapper library for libnetfilter-queue. The goal is to provide a library to gain access to packets queued by the kernel packet filter.
It is important to note that these bindings will not follow blindly libnetfilter_queue API. For ex., some higher-level wrappers will be provided for the open/bind/create mechanism (using one function call instead of three).
The API is not yet stable.
To use the library, a program must
- open a queue
- bind to a network family (
AF_PACKETfor IPv4) - provide a callback function, which will be automatically called when a packet is received. The callback must return a verdict
- create the queue, providing the queue number (which must match the
--queue-numfrom the iptables rules, see below - run a loop, waiting for events. The program should also provide a clean way to exit the loop (for ex on
SIGINT)
Using library
import "github.com/chifflier/nfqueue-go/nfqueue"Example
See test_nfqueue for a minimal example, and test_nfqueue_gopacket for an example using the gopacket library to decode the packets.
IPtables
You must add rules in netfilter to send packets to the userspace queue. The number of the queue (--queue-num option in netfilter) must match the number provided to create_queue().
Example of iptables rules:
iptables -A OUTPUT --destination 1.2.3.4 -j NFQUEUE --queue-num 0Of course, you should be more restrictive, depending on your needs.
Privileges
nfqueue-go does not require root privileges, but needs to open a netlink socket and send/receive packets to the kernel.
You have several options:
- Use the CAP_NET_ADMIN capability in order to allow your application to receive from and to send packets to kernel-space:
setcap 'cap_net_admin=+ep' /path/to/program - Run your program as
rootand drop privileges
License
This library is licensed under the GNU General Public License version 2, or (at your option) any later version.