LIBIPQ
Section: Linux Programmer's Manual (3)
Updated: 16 October 2001

NAME
libipq - iptables userspace packet queuing library.

SYNOPSIS
#include <linux/netfilter.h>
#include <libipq.h>

DESCRIPTION
libipq is a development library for iptables userspace packet queuing.

Userspace Packet Queuing
Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel.

For each supported protocol, a kernel module called a queue handler may register with Netfilter to perform the mechanics of passing packets to and from userspace.

The standard queue handler for IPv4 is ip_queue. It is provided as an experimental module with 2.4 kernels, and uses a Netlink socket for kernel/userspace communication.

Once ip_queue is loaded, IP packets may be selected with iptables and queued for userspace processing via the QUEUE target. For example, running the following commands:
    # modprobe iptable_filter

will cause any locally generated ICMP packets (e.g. ping output) to be sent to the ip_queue module, which will then attempt to deliver the packets to a userspace application. If no userspace application is waiting, the packets will be dropped.

An application may receive and process these packets via libipq.

Libipq Overview
Libipq provides an API for communicating with ip_queue. The following is an overview of API usage; refer to individual man pages for more details on each function.
Initialisation
Setting the Queue Mode
Receiving Packets from the Queue
The type of packet may be determined with ipq_message_type(3). If it's a packet message, the metadata and optional payload may be retrieved with ipq_get_packet(3). To retrieve the value of an error message, use ipq_get_msgerr(3).
Issuing Verdicts on Packets
Error Handling
For simple applications, calling ipq_perror(3) will print the same message as ipq_errstr(3), as well as the string corresponding to the global errno value (if set) to stderr.
Cleaning Up
SUMMARY

EXAMPLE
The following is an example of a simple application which receives packets and issues NF_ACCEPT verdicts on each packet.
Pointers to more libipq application examples may be found in The Netfilter FAQ.

DIAGNOSTICS
For information about monitoring and tuning ip_queue, refer to the Linux 2.4 Packet Filtering HOWTO.

If an application modifies a packet, it needs to also update any checksums for the packet. Typically, the kernel will silently discard modified packets with invalid checksums.

SECURITY
Processes require CAP_NET_ADMIN capability to access the kernel ip_queue module. Such processes can potentially access and modify any IP packets received, generated or forwarded by the kernel.

TODO
Per-handle ipq_errno values.

BUGS
Probably.

AUTHOR
James Morris <jmorris@intercode.com.au>

COPYRIGHT
Copyright (c) 2000-2001 Netfilter Core Team.
Distributed under the GNU General Public License.

CREDITS
Joost Remijn implemented the ipq_read timeout feature, which appeared in the 1.2.4 release of iptables.
Fernando Anton added support for IPv6.

SEE ALSO
iptables(8), ipq_create_handle(3), ipq_destroy_handle(3), ipq_errstr(3), ipq_get_msgerr(3), ipq_get_packet(3), ipq_message_type(3), ipq_perror(3), ipq_read(3), ipq_set_mode(3), ipq_set_verdict(3).

The Netfilter home page at http://netfilter.samba.org/ which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO, The Netfilter FAQ and many other useful resources.
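
The checksum requirement noted under DIAGNOSTICS, as an added example that is not part of the original manual page or of libipq: after a userspace edit, the IPv4 header and ICMP checksums are recomputed in place and can be verified before the packet is reinjected. The function names and the sample packet are constructed for illustration.

```c
/* Added example: refresh IPv4 and ICMP checksums after a userspace edit. */
#include <stddef.h>
#include <stdint.h>

/* Constructed ICMP echo request, 192.0.2.1 -> 192.0.2.2, checksums zeroed. */
uint8_t sample_pkt[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2,
    0x08, 0x00, 0x00, 0x00, 0x12, 0x34, 0x00, 0x01, 'p', 'i', 'n', 'g' };

/* RFC 1071 Internet checksum; a region holding a correct checksum yields 0. */
uint16_t inet_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)                                /* odd trailing byte, zero padded */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                       /* fold carries into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if both checksums verify, 0 if not, -1 if not a sane IPv4/ICMP packet. */
int icmp_csums_valid(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length, bytes */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];    /* IPv4 total length */
    if (ihl < 20 || tot > len || tot < ihl + 8 || pkt[9] != 1) return -1;
    return inet_csum(pkt, ihl) == 0 && inet_csum(pkt + ihl, tot - ihl) == 0;
}

/* Zero the 2-byte field at off, then store the checksum of [p, p+len). */
void store_csum(uint8_t *p, size_t len, size_t off) {
    p[off] = p[off + 1] = 0;
    uint16_t c = inet_csum(p, len);
    p[off] = (uint8_t)(c >> 8);
    p[off + 1] = (uint8_t)(c & 0xff);
}

/* Recompute both checksums in place; returns -1 on a malformed packet. */
int icmp_fix_csums(uint8_t *pkt, size_t len) {
    if (icmp_csums_valid(pkt, len) < 0) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    store_csum(pkt, ihl, 10);               /* IPv4 header checksum */
    store_csum(pkt + ihl, tot - ihl, 2);    /* ICMP covers header + payload */
    return 0;
}
```

In a libipq application these helpers would run on the modified payload before it is handed back with ipq_set_verdict(3).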