How to Configure, Install and Use libnefilter_queue on Linux
2013-08-27 15:57
896 查看
According to libnetfilter_queue home page, libnetfilter_queue is a userspace library that allows one to retrieve and manipulate the packets that have been queued by kernel packet filter. It is supposed to replace the old ip_queue/libipq mechanism.
0. Dependencies
libnetfilter_queue requires a kernel that includes nfnetlink_queue subsystem. If you Linux kernel is 2.6.14 or later, the subsystem is normally enabled.
You can confirm this by looking into your kernel configuration file. The configuration file is normally located at your system /boot/ directory, with the name like config-<your kernel version>. Open the file, and look for CONFIG_NETFILTER_NETLINK_QUEUE and
CONFIG_NETFILTER_ADVANCED. Make sure the two lines are not commented out.
In addition, libnetfilter_queue library depends on libnfnetlink. A lower-level library for netfitler related kernel/userspace communication. And since this library depends on nfnetlink kernel subsystem, you’ll need to ensure CONFIG_NETFITLER_NETLINK is not
commented out in your kernel configuration file.
In summary, you’ll need to check CONFIG_NETFILTER_ADVANCED, CONFIG_NETFITLER_NETLINK and CONFIG_NETFILTER_NETLINK_QUEUE in you kernel configuration file, and install libnfnetlink and libnetfilter_queue user space libraries.
2. Installation
This is simple. First, you need to install libnfnetlink library. Download the tar file here.
Then go the directory where the file is downloaded, follow the commands below,
tar -xvf libnfnetlink-1.0.0.tar.bz2
cd libnfnetlink-1.0.0/
./configure
make
sudo make install
Next, you need to install libnetfilter_queue library. Download the tar file here.
Then follow the same procedure above. Build and install the library.
After installation, issue sudo ldconfig command to create necessary links and cache to the newly installed libraries.
3. Understand the Sample Code
There’re not many tutorials and examples around, but libnetfilter_queue has provided a simple example and some documentation. You can find the sample code at the utiles/ nfqnl_test.c of the libnetfilter_queue folder you downloaded.
The basic idea of the code is to set up libnetfiter_queue library, and bind the program to a queue. You can refer to documentation here and here to
help you understand the code.
To compile the sample code, use the command below,
gcc -Wall -o test nfqnl_test.c -lnfnetlink -lnetfilter_queue
To run the code, use the command below,
sudo ./test
Note that you’ll need to set up a queue in kernel packet filter table in order to see how the program working. Suppose we want to queue all TCP packets sending out from our local machine, you’ll need to enter the command below,
sudo iptables -A OUTPUT -p tcp -j NFQUEUE –queue-num 0
Now you can see the test program is outputing some information about the packet,
…..
hw_protocol=0×0000 hook=3 id=422 outdev=2 payload_len=52
entering callback
pkt received
hw_protocol=0×0000 hook=3 id=423 outdev=2 payload_len=52
entering callback
To stopping running the program, kill test and then issue the command
iptables –flush
4. Additional Notes
libnetfilter_queue can be quite powerful combined with iptables rules. It doesn’t only allow you to receive the packet, but also provide the ability to modify the packet and inject the modified packet back to kernel. With these APIs, you can implement user
space NATing, packet sniffing/capturing programs etc.
References:
1. libnetfilter_queue home page: http://www.netfilter.org/projects/libnetfilter_queue/
0. Dependencies
libnetfilter_queue requires a kernel that includes nfnetlink_queue subsystem. If you Linux kernel is 2.6.14 or later, the subsystem is normally enabled.
You can confirm this by looking into your kernel configuration file. The configuration file is normally located at your system /boot/ directory, with the name like config-<your kernel version>. Open the file, and look for CONFIG_NETFILTER_NETLINK_QUEUE and
CONFIG_NETFILTER_ADVANCED. Make sure the two lines are not commented out.
In addition, libnetfilter_queue library depends on libnfnetlink. A lower-level library for netfitler related kernel/userspace communication. And since this library depends on nfnetlink kernel subsystem, you’ll need to ensure CONFIG_NETFITLER_NETLINK is not
commented out in your kernel configuration file.
In summary, you’ll need to check CONFIG_NETFILTER_ADVANCED, CONFIG_NETFITLER_NETLINK and CONFIG_NETFILTER_NETLINK_QUEUE in you kernel configuration file, and install libnfnetlink and libnetfilter_queue user space libraries.
2. Installation
This is simple. First, you need to install libnfnetlink library. Download the tar file here.
Then go the directory where the file is downloaded, follow the commands below,
tar -xvf libnfnetlink-1.0.0.tar.bz2
cd libnfnetlink-1.0.0/
./configure
make
sudo make install
Next, you need to install libnetfilter_queue library. Download the tar file here.
Then follow the same procedure above. Build and install the library.
After installation, issue sudo ldconfig command to create necessary links and cache to the newly installed libraries.
3. Understand the Sample Code
There’re not many tutorials and examples around, but libnetfilter_queue has provided a simple example and some documentation. You can find the sample code at the utiles/ nfqnl_test.c of the libnetfilter_queue folder you downloaded.
The basic idea of the code is to set up libnetfiter_queue library, and bind the program to a queue. You can refer to documentation here and here to
help you understand the code.
To compile the sample code, use the command below,
gcc -Wall -o test nfqnl_test.c -lnfnetlink -lnetfilter_queue
To run the code, use the command below,
sudo ./test
Note that you’ll need to set up a queue in kernel packet filter table in order to see how the program working. Suppose we want to queue all TCP packets sending out from our local machine, you’ll need to enter the command below,
sudo iptables -A OUTPUT -p tcp -j NFQUEUE –queue-num 0
Now you can see the test program is outputing some information about the packet,
…..
hw_protocol=0×0000 hook=3 id=422 outdev=2 payload_len=52
entering callback
pkt received
hw_protocol=0×0000 hook=3 id=423 outdev=2 payload_len=52
entering callback
To stopping running the program, kill test and then issue the command
iptables –flush
4. Additional Notes
libnetfilter_queue can be quite powerful combined with iptables rules. It doesn’t only allow you to receive the packet, but also provide the ability to modify the packet and inject the modified packet back to kernel. With these APIs, you can implement user
space NATing, packet sniffing/capturing programs etc.
References:
1. libnetfilter_queue home page: http://www.netfilter.org/projects/libnetfilter_queue/
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- How to Configure, Install and Use libnefilter_queue on Linux
- How to Install and Configure a VNC Server on RedHat Enterprise Linux (RHEL) 6
- How To Install And Configure Ganglia On Red Hat Enterprise Linux 5---YUM 安装篇
- How to install and configure Jabber Server (Ejabberd) on Debian Lenny GNU / Linux
- How to install and configure Apache, PHP, MySql and phpMyadmin on ubuntu
- How to Install AMQP PHP Extension and RabbitMQ Client on Linux
- Howto Install and Configure Chinese Input Methods on Ubuntu
- 在64位系统下安装32位ODBC驱动问题How to install and configure a 32 bit ODBC driver on a 64 bit Operating System?
- How to install and run Microsoft Windows for free on Linux
- How to build & install GLFW 3 and use it in a Linux project
- How to Build and Use libnetfilter_queue for Android
- 171201 How to install Chrome and SurfEasy on Linux
- Howto Install and Configure Doxygen for QtCreator on Ubuntu
- How to Install and Use Python Pip on Ubuntu 14.04 and pip install pytz
- Howto Install and Configure VTK on Ubuntu
- How to Configure and Install ownCloud on Ubuntu 16.04
- [转载]How To Set Up And Use X11 Forwarding On Linux And Mac
- How to install java and eclipse on linux
- Howto Install and Configure QtCreator on Ubuntu