Netfilter documentation

Netfilter is the Linux firewall framework: http://www.netfilter.org/

Netfilter schema: http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/

Netfilter modules

  • MANGLE table (-t mangle)
    • kernel module: iptable_mangle
  • NAT table (-t nat):
    • kernel module: iptable_nat, ip_nat
  • MARK match (-m mark):
    • kernel module: xt_mark
  • CONNMARK:
    • test: grep xt_connmark /proc/kallsyms
    • kernel module: xt_conntrack
  • -j CONNMARK
    • kernel module: ipt_CONNMARK
    • kernel option: NETFILTER_XT_TARGET_CONNMARK
    • Ubuntu versions older than Ubuntu Gutsy lack this module
  • -j NFQUEUE
    • test: grep xt_nfqueue_init /proc/kallsyms
    • kernel option: CONFIG_NETFILTER_XT_TARGET_NFQUEUE
    • iptables module filename: /lib/iptables/libipt_NFQUEUE.so
  • Netfilter events
    • test: conntrack -E
    • test: grep ctnetlink_init /proc/kallsyms
    • kernel module: ip_conntrack_netlink
    • kernel option: CONFIG_IP_NF_CONNTRACK_EVENTS, CONFIG_IP_NF_CONNTRACK
    • Ubuntu Edgy doesn't have this option
  • Netlink
    • test: lsmod|grep nfnetlink
    • kernel modules: nfnetlink, nfnetlink_queue
  • FIXED TIMEOUT
    • Available with Linux kernel 2.6.18+
  • iptables-save
    • ip_tables: IPv4 Netfilter tables (create /proc/net/ip_table_names)
    • iptable_filter (depends on ip_tables): IPv4 Netfilter filter (fill /proc/net/ip_table_names)
  • ip6tables-save
    • ip6_tables: IPv6 Netfilter tables (create /proc/net/ip6_table_names)
    • ip6table_filter (depends on ip6_tables): IPv6 Netfilter filter (fill /proc/net/ip6_table_names)

nfnetlink development

libnetfilter_queue

See packetsrv.c for a code example.

libnetfilter_conntrack

See conntrack.c for a code example.

Proc interface

A proc interface is available for nfnetlink_queue. Information is available from the file:

$ sudo cat /proc/net/netfilter/nfnetlink_queue
    0  10073     8 2 65535     0     0       10  1
    2  10525     0 2 65535     0     0        0  1

Each line contains information about a specific queue:

  • queue_num: id of the queue
  • peer_pid: pid of process handling the queue
  • queue_total: number of packets waiting for a decision
  • copy_mode: indicates how userspace receives packets
  • copy_range: size of copy
  • queue_dropped: number of packets dropped by the kernel because too many packets were waiting for a decision. If queue_total exceeds queue_max_len (1024 by default), the packets are dropped.
  • queue_user_dropped: number of packets dropped by userspace (due to a kernel send failure on the netlink socket)
  • id_sequence: sequence number of queued packets. It gives a good approximation of the number of packets queued so far.
  • use: internal value (number of entities using the queue)

A proc interface is available for nfnetlink_log. Information is available from the file:

$ sudo cat /proc/net/netfilter/nfnetlink_log
    1  17754     0 2 65535    100  1

Each line contains information about a specific log queue:

  • group_num: id of the group log
  • peer_pid: pid of process handling the queue
  • qlen: number of packets waiting for treatment
  • copy_mode: indicates how userspace receives packets
  • copy_range: size of copy
  • flushtimeout: timeout until queue flush
  • use: number of entities using the log group
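The two proc files above are the quickest way to see whether a userspace NFQUEUE or NFLOG handler is keeping up: a non-zero queue_dropped or queue_user_dropped means packets received no verdict from the handler and were lost. The following Python parser is an added example, not code from the page or from any Netfilter project; it maps the columns of both files to the field names listed above, rejects rows with an unexpected column count, and reports queues that show drops or a backlog at queue_max_len. The sample text embedded in it is constructed (the first rows copy the page's output, the third row is invented to show a queue under pressure), and the queue_max_len value of 1024 is the default the page mentions.

```python
"""Parse /proc/net/netfilter/nfnetlink_queue and nfnetlink_log (added example)."""
from typing import Dict, List, Tuple

# Column order as documented above for each proc file.
QUEUE_FIELDS = ("queue_num", "peer_pid", "queue_total", "copy_mode", "copy_range",
                "queue_dropped", "queue_user_dropped", "id_sequence", "use")
LOG_FIELDS = ("group_num", "peer_pid", "qlen", "copy_mode", "copy_range",
              "flushtimeout", "use")

# Kernel default for queue_max_len, as stated on the page.
DEFAULT_QUEUE_MAX_LEN = 1024

# Constructed sample: rows 1-2 are the page's output, row 3 is invented.
SAMPLE_QUEUE = """\
    0  10073     8 2 65535     0     0       10  1
    2  10525     0 2 65535     0     0        0  1
    3  11001  1024 2 65535    57     3     2048  1
"""
SAMPLE_LOG = """\
    1  17754     0 2 65535    100  1
"""


def _parse_rows(text: str, fields: Tuple[str, ...]) -> List[Dict[str, int]]:
    """Turn whitespace-separated integer rows into dicts keyed by field name.

    A row with the wrong number of columns raises instead of being silently
    misread, since a kernel with a different layout would shift every field.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(parts)}")
        rows.append(dict(zip(fields, (int(p) for p in parts))))
    return rows


def parse_nfnetlink_queue(text: str) -> List[Dict[str, int]]:
    return _parse_rows(text, QUEUE_FIELDS)


def parse_nfnetlink_log(text: str) -> List[Dict[str, int]]:
    return _parse_rows(text, LOG_FIELDS)


def queue_health(rows: List[Dict[str, int]],
                 queue_max_len: int = DEFAULT_QUEUE_MAX_LEN) -> List[Tuple[int, str]]:
    """Return (queue_num, problem) pairs for queues that have lost packets or
    are about to: kernel drops, userspace drops, or a backlog at the limit."""
    problems = []
    for r in rows:
        q = r["queue_num"]
        if r["queue_dropped"] > 0:
            problems.append((q, f"kernel dropped {r['queue_dropped']} packets"))
        if r["queue_user_dropped"] > 0:
            problems.append((q, f"userspace failed to receive {r['queue_user_dropped']} packets"))
        if r["queue_total"] >= queue_max_len:
            problems.append((q, f"backlog at queue_max_len={queue_max_len}; new packets will be dropped"))
    return problems


def log_backlog(rows: List[Dict[str, int]]) -> List[int]:
    """Return the group_num of every log group that still has packets waiting."""
    return [r["group_num"] for r in rows if r["qlen"] > 0]


if __name__ == "__main__":
    # Prefer the live proc files when run on a Linux host; fall back to the sample.
    try:
        with open("/proc/net/netfilter/nfnetlink_queue") as f:
            queue_text = f.read()
    except OSError:
        queue_text = SAMPLE_QUEUE
    for q, problem in queue_health(parse_nfnetlink_queue(queue_text)):
        print(f"queue {q}: {problem}")
```

Run it as root on a host with nfnetlink_queue loaded to inspect the live file; without it, the constructed sample is used and queue 3 is reported three times (kernel drops, userspace drops, backlog at the limit). A queue_dropped counter that keeps growing is the signal to look at the userspace handler's verdict latency or to raise the queue length from its handler.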