netfilter
firewalling, NAT, and packet mangling for linux
Library setup

Library initialisation is made in two steps.

Functions

int nfct_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
 nfct_callback_register - register a callback
 
void nfct_callback_unregister (struct nfct_handle *h)
 nfct_callback_unregister - unregister a callback
 
int nfct_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)
 nfct_callback_register2 - register a callback (callback also receives the Netlink header)
 
void nfct_callback_unregister2 (struct nfct_handle *h)
 nfct_callback_unregister2 - unregister a callback
 
int nfexp_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
 nfexp_callback_register - register a callback
 
void nfexp_callback_unregister (struct nfct_handle *h)
 nfexp_callback_unregister - unregister a callback
 
int nfexp_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)
 nfexp_callback_register2 - register a callback (callback also receives the Netlink header)
 
void nfexp_callback_unregister2 (struct nfct_handle *h)
 nfexp_callback_unregister2 - unregister a callback
 
struct nfct_handle *nfct_open (u_int8_t subsys_id, unsigned subscriptions)
 nfct_open - open a ctnetlink handler
 
int nfct_close (struct nfct_handle *cth)
 nfct_close - close a ctnetlink handler
 
int nfct_fd (struct nfct_handle *cth)
 nfct_fd - get the Netlink file descriptor of one existing ctnetlink handler
 
const struct nfnl_handle *nfct_nfnlh (struct nfct_handle *cth)
 nfct_nfnlh - get the underlying nfnetlink handle of a ctnetlink handler
 
struct nflog_handle *nflog_open (void)
 nflog_open - open a nflog handler
 
int nflog_close (struct nflog_handle *h)
 nflog_close - close a nflog handler
 
int nflog_bind_pf (struct nflog_handle *h, u_int16_t pf)
 nflog_bind_pf - bind a nflog handler to a given protocol family
 
int nflog_unbind_pf (struct nflog_handle *h, u_int16_t pf)
 nflog_unbind_pf - unbind nflog handler from a protocol family
 
struct nfq_handle *nfq_open (void)
 nfq_open - open a nfqueue handler
 
int nfq_close (struct nfq_handle *h)
 nfq_close - close a nfqueue handler
 
int nfq_bind_pf (struct nfq_handle *h, u_int16_t pf)
 nfq_bind_pf - bind a nfqueue handler to a given protocol family (ignored by Linux kernels from 3.8 onwards)
 
int nfq_unbind_pf (struct nfq_handle *h, u_int16_t pf)
 nfq_unbind_pf - unbind nfqueue handler from a protocol family (ignored by Linux kernels from 3.8 onwards)
 

Detailed Description

Library initialisation is made in two steps.

First step is to call nfq_open() to open a NFQUEUE handler. This opens a Netlink socket to the kernel's nfnetlink subsystem. The configuration commands sent over that socket require CAP_NET_ADMIN, so a program using this library has to run with that capability (typically as root).

Second step is to tell the kernel that userspace queueing is handled by NFQUEUE for the selected protocol family. This is done by calling nfq_unbind_pf() and then nfq_bind_pf() with the protocol family. The idea behind this is to let several queueing modules that are loaded at the same time be used for queueing: the unbind detaches whatever handler was registered for that family before the new one is bound. Linux kernels from 3.8 onwards ignore both calls (see nfq_bind_pf() and nfq_unbind_pf()); they are kept in the sequence so that the program keeps working on older kernels.

When the program has finished with libnetfilter_queue, it has to call the nfq_close() function to free all associated resources. Likewise, when the program has finished with libnetfilter_log, it has to call the nflog_close() function to release all associated resources.

Here is a small program that binds to AF_INET:

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <libnetfilter_queue/libnetfilter_queue.h>

    int main(void)
    {
        struct nfq_handle *h;

        h = nfq_open();
        if (!h) {
            fprintf(stderr, "error during nfq_open()\n");
            exit(1);
        }

        printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
        if (nfq_unbind_pf(h, AF_INET) < 0) {
            fprintf(stderr, "error during nfq_unbind_pf()\n");
            exit(1);
        }

        printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
        if (nfq_bind_pf(h, AF_INET) < 0) {
            fprintf(stderr, "error during nfq_bind_pf()\n");
            exit(1);
        }

        /* ... create a queue with nfq_create_queue() and process packets here ... */

        nfq_close(h);
        return 0;
    }

Once this is done, you can set up and use a queue.
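What nfq_bind_pf() and nfq_unbind_pf() actually put on the Netlink socket, as an added example that is not part of libnetfilter_queue: an encoder for the NFQNL_MSG_CONFIG request carrying an NFQA_CFG_CMD attribute, and a bounds-checked decoder for the same message. The layout (nfgenmsg with family AF_UNSPEC and queue number 0, the real protocol family stored big-endian inside the command attribute, flags NLM_F_REQUEST|NLM_F_ACK) follows the kernel UAPI headers and my reading of the library source; the struct and constant definitions are local copies so that the file compiles without those headers, and the function names are my own. Kernels from 3.8 onwards ignore the PF_BIND/PF_UNBIND commands, as the page says, so on a modern system the reply to this request is a plain ACK.

```c
/*
 * Added example (not libnetfilter_queue's own code): the nfnetlink CONFIG
 * request that nfq_bind_pf()/nfq_unbind_pf() send, built by hand, plus a
 * bounds-checked parser for it. Struct layouts and constants mirror the Linux
 * UAPI headers <linux/netlink.h>, <linux/netfilter/nfnetlink.h> and
 * <linux/netfilter/nfnetlink_queue.h>; they are repeated here so the file
 * builds without those headers installed.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Netlink framing: struct nlmsghdr and struct nlattr, host byte order. */
struct nl_hdr  { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct nl_attr { uint16_t len; uint16_t type; };
#define NLM_F_REQUEST 0x01
#define NLM_F_ACK     0x04
#define NLA_TYPE_MASK 0x3fff            /* the two high bits of nla_type are flags */
#define NL_ALIGN(n)   (((n) + 3u) & ~3u)

/* nfnetlink: every payload starts with struct nfgenmsg, and the 16-bit
 * message type is (subsystem << 8) | subsystem-specific message. */
struct nfgen { uint8_t family; uint8_t version; uint16_t res_id; /* big-endian */ };
#define NFNL_SUBSYS_QUEUE       3
#define NFNETLINK_V0            0
#define NFQNL_MSG_CONFIG        2
#define NFQA_CFG_CMD            1
#define NFQNL_CFG_CMD_PF_BIND   3
#define NFQNL_CFG_CMD_PF_UNBIND 4
struct nfqnl_cfg_cmd { uint8_t command; uint8_t pad; uint16_t pf; /* big-endian */ };

#define CFG_MSG_LEN (sizeof(struct nl_hdr) + sizeof(struct nfgen) + \
                     sizeof(struct nl_attr) + sizeof(struct nfqnl_cfg_cmd))

/* Encode a PF_BIND/PF_UNBIND request for protocol family pf into buf.
 * Returns the message length (28 bytes) or -1 if buf is too small. As the
 * library does, it puts AF_UNSPEC and queue number 0 in the nfgenmsg and the
 * real family inside the NFQA_CFG_CMD attribute. */
int build_pf_cfg_msg(uint8_t command, uint16_t pf, uint32_t seq, uint8_t *buf, size_t buflen)
{
    if (buflen < CFG_MSG_LEN)
        return -1;
    struct nl_hdr nlh = { (uint32_t)CFG_MSG_LEN,
                          (uint16_t)((NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG),
                          NLM_F_REQUEST | NLM_F_ACK, seq, 0 /* pid: filled in by the kernel */ };
    struct nfgen nfg = { AF_UNSPEC, NFNETLINK_V0, htons(0) };
    struct nl_attr nla = { (uint16_t)(sizeof nla + sizeof(struct nfqnl_cfg_cmd)), NFQA_CFG_CMD };
    struct nfqnl_cfg_cmd cmd = { command, 0, htons(pf) };
    size_t off = 0;
    memcpy(buf + off, &nlh, sizeof nlh); off += sizeof nlh;   /* memcpy: buf need not be aligned */
    memcpy(buf + off, &nfg, sizeof nfg); off += sizeof nfg;
    memcpy(buf + off, &nla, sizeof nla); off += sizeof nla;
    memcpy(buf + off, &cmd, sizeof cmd); off += sizeof cmd;
    return (int)off;
}

/* Decode a request built as above. Returns 0 and sets *command/*pf, or -1 if
 * the buffer is truncated or the framing is not what we expect. Every length
 * is validated before it is trusted: netlink payloads cross a privilege boundary. */
int parse_pf_cfg_msg(const uint8_t *buf, size_t buflen, uint8_t *command, uint16_t *pf)
{
    struct nl_hdr nlh;
    if (buflen < sizeof nlh)
        return -1;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.len < sizeof nlh + sizeof(struct nfgen) || nlh.len > buflen)
        return -1;
    if (nlh.type != ((NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG))
        return -1;
    /* Walk the attribute TLVs after the nfgenmsg; stop at the first NFQA_CFG_CMD. */
    for (size_t off = sizeof nlh + sizeof(struct nfgen); off + sizeof(struct nl_attr) <= nlh.len; ) {
        struct nl_attr nla;
        memcpy(&nla, buf + off, sizeof nla);
        if (nla.len < sizeof nla || nla.len > nlh.len - off)
            return -1;                      /* attribute claims more than the message holds */
        if ((nla.type & NLA_TYPE_MASK) == NFQA_CFG_CMD) {
            struct nfqnl_cfg_cmd cmd;
            if (nla.len - sizeof nla < sizeof cmd)
                return -1;
            memcpy(&cmd, buf + off + sizeof nla, sizeof cmd);
            *command = cmd.command;
            *pf = ntohs(cmd.pf);
            return 0;
        }
        off += NL_ALIGN(nla.len);
    }
    return -1;                              /* no NFQA_CFG_CMD attribute present */
}

int main(void)
{
    uint8_t buf[64];
    uint8_t command = 0;
    uint16_t pf = 0;
    int n = build_pf_cfg_msg(NFQNL_CFG_CMD_PF_BIND, AF_INET, 1, buf, sizeof buf);
    printf("%d-byte NFQNL_MSG_CONFIG request:", n);
    for (int i = 0; i < n; i++)
        printf("%s%02x", i % 16 ? " " : "\n  ", buf[i]);
    printf("\nparse: %s command=%u pf=%u\n",
           parse_pf_cfg_msg(buf, (size_t)n, &command, &pf) == 0 ? "ok" : "malformed", command, pf);
    return 0;
}
```

The decoder is the part worth copying: it never trusts nlmsg_len or nla_len beyond the bytes it actually holds, masks the flag bits out of nla_type before comparing it, and walks attributes by their aligned length, which is the same discipline any userspace consumer of nfnetlink messages needs.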

Function Documentation

int nfct_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)

nfct_callback_register - register a callback

Parameters
h: library handler
type: message type (see enum nf_conntrack_msg_type definition)
cb: callback used to process the conntrack received
data: data passed to the callback, if any

This function registers a callback to handle the conntracks received. In case of error -1 is returned and errno is set appropriately, otherwise 0 is returned.

Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.

References __callback(), nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, CTA_MAX, __data_container::data, nfnl_callback::data, data, __data_container::h, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, NULL, __data_container::type, and type.

Referenced by ctnl_init(), main(), and nl_flush_conntrack_table_selective().


int nfct_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data)

nfct_callback_register2 - register a callback

Parameters
h: library handler
type: message type (see enum nf_conntrack_msg_type definition)
cb: callback used to process the conntrack received
data: data passed to the callback, if any

This function registers a callback to handle the conntracks received. In case of error -1 is returned and errno is set appropriately, otherwise 0 is returned.

Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.

NOTICE: The difference with nfct_callback_register() is that this function uses the new callback interface, whose callback also receives the Netlink message header (nlh).

WARNING: Don't mix nfct_callback_register() and nfct_callback_register2() calls on the same handle; use only one of the two interfaces at a time.

References __callback(), nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb2, CTA_MAX, __data_container::data, nfnl_callback::data, data, __data_container::h, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, NULL, __data_container::type, and type.

Referenced by ctnl_init().
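The type argument of nfct_callback_register() and nfct_callback_register2() is a bitmask of enum nf_conntrack_msg_type values, and the library derives the value it passes to the callback from the Netlink header: the kernel uses the IPCTNL_MSG_CT_NEW message type for both new and updated entries and marks the new ones with NLM_F_CREATE|NLM_F_EXCL, while IPCTNL_MSG_CT_DELETE becomes NFCT_T_DESTROY. The following is an added example, not libnetfilter_conntrack's own code, that reimplements that classification and the registration mask over constructed headers; the constants are local copies of the values in the UAPI headers and libnetfilter_conntrack.h, and the listener/dispatch functions are my own names.

```c
/*
 * Added example (not libnetfilter_conntrack's own code): how a ctnetlink
 * message is turned into the nf_conntrack_msg_type value a callback registered
 * with nfct_callback_register()/nfct_callback_register2() sees, and how the
 * `type` mask given at registration filters what is delivered. Constants mirror
 * <linux/netlink.h>, <linux/netfilter/nfnetlink.h>,
 * <linux/netfilter/nfnetlink_conntrack.h> and libnetfilter_conntrack.h; they
 * are repeated here so the file builds without those headers.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* struct nlmsghdr; only type and flags are inspected below. */
struct nl_hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
#define NLM_F_EXCL            0x200
#define NLM_F_CREATE          0x400
#define NFNL_SUBSYS_CTNETLINK 1
#define NFNL_SUBSYS_QUEUE     3
#define IPCTNL_MSG_CT_NEW     0
#define IPCTNL_MSG_CT_DELETE  2

/* enum nf_conntrack_msg_type is a bitmask, which is why NFCT_T_ALL exists. */
enum nf_conntrack_msg_type {
    NFCT_T_UNKNOWN = 0,
    NFCT_T_NEW     = 1 << 0,
    NFCT_T_UPDATE  = 1 << 1,
    NFCT_T_DESTROY = 1 << 2,
    NFCT_T_ALL     = NFCT_T_NEW | NFCT_T_UPDATE | NFCT_T_DESTROY,
};

/* Map a Netlink header to an event type. IPCTNL_MSG_CT_NEW without the
 * NLM_F_CREATE|NLM_F_EXCL flags is an update (dump replies look the same). */
enum nf_conntrack_msg_type ct_msg_type(const struct nl_hdr *nlh)
{
    if ((nlh->type >> 8) != NFNL_SUBSYS_CTNETLINK)
        return NFCT_T_UNKNOWN;                  /* not a conntrack message at all */
    switch (nlh->type & 0xff) {
    case IPCTNL_MSG_CT_NEW:
        return (nlh->flags & (NLM_F_CREATE | NLM_F_EXCL)) ? NFCT_T_NEW : NFCT_T_UPDATE;
    case IPCTNL_MSG_CT_DELETE:
        return NFCT_T_DESTROY;
    default:
        return NFCT_T_UNKNOWN;
    }
}

/* A registered callback: the mask it was registered with, the function, its data. */
struct ct_listener {
    unsigned mask;                              /* OR of NFCT_T_* values */
    int (*cb)(enum nf_conntrack_msg_type type, const struct nl_hdr *nlh, void *data);
    void *data;
};

/* Deliver one message to a listener, honouring the registration mask.
 * Returns 1 if the callback ran, 0 if the message was filtered out. */
int ct_dispatch(const struct ct_listener *l, const struct nl_hdr *nlh)
{
    enum nf_conntrack_msg_type t = ct_msg_type(nlh);
    if (!(l->mask & t))
        return 0;
    l->cb(t, nlh, l->data);
    return 1;
}

/* Sample callback: counts events per type into an int[3] (new, update, destroy). */
int count_events(enum nf_conntrack_msg_type type, const struct nl_hdr *nlh, void *data)
{
    int *counts = data;
    (void)nlh;
    if (type == NFCT_T_NEW) counts[0]++;
    else if (type == NFCT_T_UPDATE) counts[1]++;
    else if (type == NFCT_T_DESTROY) counts[2]++;
    return 1;                                   /* keep going, like NFCT_CB_CONTINUE */
}

/* Constructed sample: four headers as the kernel would emit them
 * (new entry, update, destroy, and an nfqueue message from another subsystem). */
static const struct nl_hdr sample_msgs[] = {
    { 16, (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW, NLM_F_CREATE | NLM_F_EXCL, 1, 0 },
    { 16, (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW, 0, 2, 0 },
    { 16, (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE, 0, 3, 0 },
    { 16, (NFNL_SUBSYS_QUEUE << 8) | 0, 0, 4, 0 },
};

/* Run every sample through a listener registered with `mask`.
 * Returns the number of messages delivered; counts[] receives the per-type tally. */
int run_samples(unsigned mask, int counts[3])
{
    struct ct_listener l = { mask, count_events, counts };
    int delivered = 0;
    counts[0] = counts[1] = counts[2] = 0;
    for (size_t i = 0; i < sizeof sample_msgs / sizeof sample_msgs[0]; i++)
        delivered += ct_dispatch(&l, &sample_msgs[i]);
    return delivered;
}

int main(void)
{
    int c[3];
    int n = run_samples(NFCT_T_ALL, c);
    printf("NFCT_T_ALL:     %d delivered (new=%d update=%d destroy=%d)\n", n, c[0], c[1], c[2]);
    n = run_samples(NFCT_T_DESTROY, c);
    printf("NFCT_T_DESTROY: %d delivered (new=%d update=%d destroy=%d)\n", n, c[0], c[1], c[2]);
    return 0;
}
```

The practical consequence: register with exactly the events you handle (for example NFCT_T_DESTROY alone for a flow-teardown logger) rather than NFCT_T_ALL and filtering inside the callback, and remember that entries returned by a dump arrive as NFCT_T_UPDATE.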


void nfct_callback_unregister (struct nfct_handle *h)

nfct_callback_unregister - unregister a callback

Parameters
h: library handler

References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, nfnl_callback::data, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, and NULL.


void nfct_callback_unregister2 (struct nfct_handle *h)

nfct_callback_unregister2 - unregister a callback

Parameters
h: library handler

References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb2, nfnl_callback::data, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, and NULL.


int nfct_close (struct nfct_handle *cth)

nfct_close - close a ctnetlink handler

Parameters
cth: handler obtained via nfct_open()

This function closes the underlying Netlink socket and frees the handler. It returns 0 on success and -1 on error, in which case errno is set.

References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, nfct_handle::cb2, nfnl_callback::data, nfct_handle::expect_cb, nfct_handle::expect_cb2, nfct_handle::nfnl_cb_ct, nfct_handle::nfnl_cb_exp, nfnl_close(), nfnl_subsys_close(), nfct_handle::nfnlh, nfct_handle::nfnlssh_ct, nfct_handle::nfnlssh_exp, and NULL.

Referenced by ctnl_kill(), main(), and nl_flush_conntrack_table_selective().


int nfct_fd (struct nfct_handle *cth)

nfct_fd - get the Netlink file descriptor of one existing ctnetlink handler

Parameters
cth: handler obtained via nfct_open()

This function returns the file descriptor of the Netlink socket behind the handler, so that it can be polled together with other descriptors (e.g. with select() or poll()) in an event loop.

References nfnl_fd(), and nfct_handle::nfnlh.

Referenced by ctnl_init(), main(), and nl_init_event_handler().


const struct nfnl_handle *nfct_nfnlh (struct nfct_handle *cth)

nfct_nfnlh - get the underlying nfnetlink handle of a ctnetlink handler

Parameters
cth: handler obtained via nfct_open()

This function returns the libnfnetlink handle wrapped by cth, for callers that need to tune the underlying Netlink socket (e.g. its receive buffer size).

References nfct_handle::nfnlh.

Referenced by main(), nl_init_event_handler(), nl_resize_socket_buffer(), origin_register(), and origin_unregister().


struct nfct_handle *nfct_open (u_int8_t subsys_id, unsigned subscriptions)

nfct_open - open a ctnetlink handler

Parameters
subsys_id: NFNL_SUBSYS_CTNETLINK, NFNL_SUBSYS_CTNETLINK_EXP or NFNL_SUBSYS_NONE (see below)
subscriptions: bitmask of ctnetlink event groups to subscribe to (e.g. NFCT_ALL_CT_GROUPS for all conntrack events), or 0 if the handler is only used for commands and queries

This function returns a handler to send commands to and receive replies from kernel-space. You can pass the following subsystem IDs:

  • NFNL_SUBSYS_CTNETLINK: if you are only interested in conntrack operations (excluding expectations).
  • NFNL_SUBSYS_CTNETLINK_EXP: if you are only interested in expectation operations (excluding conntracks).
  • NFNL_SUBSYS_NONE: if you are interested in both conntrack and expectation operations.

On error, NULL is returned and errno is set.

References nfct_open_nfnl(), nfnl_close(), nfnl_open(), and NULL.

Referenced by ctnl_init(), main(), nl_flush_conntrack_table_selective(), and nl_init_event_handler().


int nfexp_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)

nfexp_callback_register - register a callback

Parameters
h: library handler
type: message type (see enum nf_conntrack_msg_type definition)
cb: callback used to process the expectation received
data: data passed to the callback, if any

This function registers a callback to handle the expectations received. In case of error -1 is returned and errno is set appropriately, otherwise 0 is returned.

Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.

References __callback(), nfnl_callback::attr_count, nfnl_callback::call, CTA_EXPECT_MAX, __data_container::data, nfnl_callback::data, data, nfct_handle::expect_cb, __data_container::h, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, NULL, __data_container::type, and type.

Referenced by ctnl_init(), and main().


int nfexp_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int (*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data)

nfexp_callback_register2 - register a callback

Parameters
h: library handler
type: message type (see enum nf_conntrack_msg_type definition)
cb: callback used to process the expectation received
data: data passed to the callback, if any

This function registers a callback to handle the expectations received. In case of error -1 is returned and errno is set appropriately, otherwise 0 is returned.

Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.

NOTICE: The difference with nfexp_callback_register() is that this function uses the new callback interface, whose callback also receives the Netlink message header (nlh).

WARNING: Don't mix nfexp_callback_register() and nfexp_callback_register2() calls on the same handle; use only one of the two interfaces at a time.

References __callback(), nfnl_callback::attr_count, nfnl_callback::call, CTA_EXPECT_MAX, __data_container::data, nfnl_callback::data, data, nfct_handle::expect_cb2, __data_container::h, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, NULL, __data_container::type, and type.

Referenced by ctnl_init().


void nfexp_callback_unregister (struct nfct_handle *h)

nfexp_callback_unregister - unregister a callback

Parameters
h: library handler

References nfnl_callback::attr_count, nfnl_callback::call, nfnl_callback::data, nfct_handle::expect_cb, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, and NULL.


void nfexp_callback_unregister2 (struct nfct_handle *h)

nfexp_callback_unregister2 - unregister a callback

Parameters
h: library handler

References nfnl_callback::attr_count, nfnl_callback::call, nfnl_callback::data, nfct_handle::expect_cb2, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, and NULL.


int nflog_bind_pf (struct nflog_handle *h, u_int16_t pf)

nflog_bind_pf - bind a nflog handler to a given protocol family

Parameters
h: Netfilter log handle obtained via call to nflog_open()
pf: protocol family (PF_INET, PF_INET6, ...) to bind the handler to

Binds the given log connection handle to process packets belonging to the given protocol family (i.e. PF_INET, PF_INET6, etc).

Returns
a negative integer in case of failure

References NFULNL_CFG_CMD_PF_BIND.

Referenced by ipulog_create_handle(), and main().


int nflog_close (struct nflog_handle *h)

nflog_close - close a nflog handler

Parameters
h: Netfilter log handle obtained via call to nflog_open()

This function closes the nflog handler and frees the associated resources.

Returns
0 on success, non-zero on failure.

References nfnl_close(), and nflog_handle::nfnlh.

Referenced by ipulog_destroy_handle(), and main().


struct nflog_handle *nflog_open (void)

nflog_open - open a nflog handler

This function obtains a netfilter log connection handle. When you are finished with the handle returned by this function, you should destroy it by calling nflog_close(). A new netlink connection is obtained internally and associated with the log connection handle returned.

Returns
a pointer to a new log handle or NULL on failure.

References nflog_open_nfnl(), nfnl_close(), nfnl_open(), nfnl_unset_sequence_tracking(), and NULL.

Referenced by ipulog_create_handle(), and main().


int nflog_unbind_pf (struct nflog_handle *h, u_int16_t pf)

nflog_unbind_pf - unbind nflog handler from a protocol family

Parameters
h: Netfilter log handle obtained via call to nflog_open()
pf: protocol family to unbind the handler from

Unbinds the given nflog handle from processing packets belonging to the given protocol family.

References NFULNL_CFG_CMD_PF_UNBIND.

Referenced by main().


int nfq_bind_pf (struct nfq_handle *h, u_int16_t pf)

nfq_bind_pf - bind a nfqueue handler to a given protocol family

Parameters
h: Netfilter queue connection handle obtained via call to nfq_open()
pf: protocol family (PF_INET, PF_INET6, ...) to bind the handler to

Binds the given queue connection handle to process packets belonging to the given protocol family (i.e. PF_INET, PF_INET6, etc). This call is obsolete: Linux kernels from 3.8 onwards ignore it. It is kept for compatibility with older kernels.

Returns
a negative integer in case of failure

References NFQNL_CFG_CMD_PF_BIND.

Referenced by main().


int nfq_close (struct nfq_handle *h)

nfq_close - close a nfqueue handler

Parameters
h: Netfilter queue connection handle obtained via call to nfq_open()

This function closes the nfqueue handler and frees the associated resources.

Returns
0 on success, non-zero on failure.

References nfnl_close(), and nfq_handle::nfnlh.

Referenced by main().


struct nfq_handle *nfq_open (void)

nfq_open - open a nfqueue handler

This function obtains a netfilter queue connection handle. When you are finished with the handle returned by this function, you should destroy it by calling nfq_close(). A new netlink connection is obtained internally and associated with the queue connection handle returned.

Returns
a pointer to a new queue handle or NULL on failure.

References nfnl_close(), nfnl_open(), nfnl_unset_sequence_tracking(), nfq_open_nfnl(), and NULL.

Referenced by main().


int nfq_unbind_pf (struct nfq_handle *h, u_int16_t pf)

nfq_unbind_pf - unbind nfqueue handler from a protocol family

Parameters
h: Netfilter queue connection handle obtained via call to nfq_open()
pf: protocol family to unbind the handler from

Unbinds the given queue connection handle from processing packets belonging to the given protocol family.

This call is obsolete: Linux kernels from 3.8 onwards ignore it. It is kept for compatibility with older kernels.

References NFQNL_CFG_CMD_PF_UNBIND.

Referenced by main().
