libipq.3 7.61 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
.TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
.\"
.\"     Copyright (c) 2000-2001 Netfilter Core Team
.\"
.\"     This program is free software; you can redistribute it and/or modify
.\"     it under the terms of the GNU General Public License as published by
.\"     the Free Software Foundation; either version 2 of the License, or
.\"     (at your option) any later version.
.\"
.\"     This program is distributed in the hope that it will be useful,
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"     GNU General Public License for more details.
.\"
.\"     You should have received a copy of the GNU General Public License
.\"     along with this program; if not, write to the Free Software
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
libipq \(em iptables userspace packet queuing library.
.SH SYNOPSIS
.B #include <linux/netfilter.h>
.br
.B #include <libipq.h>
.SH DESCRIPTION
libipq is a development library for iptables userspace packet queuing.
.SS Userspace Packet Queuing
Netfilter provides a mechanism for passing packets out of the stack for
queueing to userspace, then receiving these packets back into the kernel
with a verdict specifying what to do with the packets (such as ACCEPT
or DROP).  These packets may also be modified in userspace prior to
reinjection back into the kernel.
.PP
For each supported protocol, a kernel module called a
.I queue handler
may register with Netfilter to perform the mechanics of passing
packets to and from userspace.
.PP
The standard queue handler for IPv4 is ip_queue.  It is provided as an
experimental module with 2.4 kernels, and uses a Netlink socket for
kernel/userspace communication.
.PP
Once ip_queue is loaded, IP packets may be selected with iptables
and queued for userspace processing via the QUEUE target.  For example,
running the following commands:
.PP
	# modprobe iptable_filter
.br	
	# modprobe ip_queue
.br	
	# iptables \-A OUTPUT \-p icmp \-j QUEUE
.PP
will cause any locally generated ICMP packets (e.g. ping output) to
be sent to the ip_queue module, which will then attempt to deliver the
packets to a userspace application.  If no userspace application is waiting,
the packets will be dropped
.PP
An application may receive and process these packets via libipq.
.PP
.PP
.SS Libipq Overview
Libipq provides an API for communicating with ip_queue.  The following is
an overview of API usage, refer to individual man pages for more details
on each function.
.PP
.B Initialisation
.br
To initialise the library, call
.BR ipq_create_handle (3).
This will attempt to bind to the Netlink socket used by ip_queue and
return an opaque context handle for subsequent library calls.
.PP
.B Setting the Queue Mode
.br
.BR ipq_set_mode (3)
allows the application to specify whether packet metadata, or packet
payloads as well as metadata are copied to userspace.  It is also used to
initially notify ip_queue that an application is ready to receive queue
messages.
.PP
.B Receiving Packets from the Queue
.br
.BR ipq_read (3)
waits for queue messages to arrive from ip_queue and copies
them into a supplied buffer.
Queue messages may be
.I packet messages
or
.I error messages.
.PP
The type of packet may be determined with
.BR ipq_message_type (3).
.PP
If it's a packet message, the metadata and optional payload may be retrieved with
.BR ipq_get_packet (3).
.PP
To retrieve the value of an error message, use
.BR ipq_get_msgerr (3).
.PP
.B Issuing Verdicts on Packets
.br
To issue a verdict on a packet, and optionally return a modified version
of the packet to the kernel, call
.BR ipq_set_verdict (3).
.PP
.B Error Handling
.br
An error string corresponding to the current value of the internal error
variable
.B ipq_errno
may be obtained with
.BR ipq_errstr (3).
.PP
For simple applications, calling
.BR ipq_perror (3)
will print the same message as
.BR ipq_errstr (3),
as well as the string corresponding to the global
.B errno
value (if set) to stderr.
.PP
.B Cleaning Up
.br
To free up the Netlink socket and destroy resources associated with
the context handle, call
.BR ipq_destroy_handle (3).
.SH SUMMARY
.TP 4
.BR ipq_create_handle (3)
Initialise library, return context handle.
.TP
.BR ipq_set_mode (3)
Set the queue mode, to copy either packet metadata, or payloads
as well as metadata to userspace.
.TP
.BR ipq_read (3)
Wait for a queue message to arrive from ip_queue and read it into
a buffer.
.TP
.BR ipq_message_type (3)
Determine message type in the buffer.
.TP
.BR ipq_get_packet (3)
Retrieve a packet message from the buffer.
.TP
.BR ipq_get_msgerr (3)
Retrieve an error message from the buffer.
.TP
.BR ipq_set_verdict (3)
Set a verdict on a packet, optionally replacing its contents.
.TP
.BR ipq_errstr (3)
Return an error message corresponding to the internal ipq_errno variable.
.TP
.BR ipq_perror (3)
Helper function to print error messages to stderr.
.TP
.BR ipq_destroy_handle (3)
Destroy context handle and associated resources.
.SH EXAMPLE
The following is an example of a simple application which receives
packets and issues NF_ACCEPT verdicts on each packet.
.RS
.nf
/*
 * This code is GPL.
 */
#include <linux/netfilter.h>
#include <libipq.h>
#include <stdio.h>

#define BUFSIZE 2048 

static void die(struct ipq_handle *h)
{
	ipq_perror("passer");
	ipq_destroy_handle(h);
	exit(1);
}

int main(int argc, char **argv)
{
	int status;
	unsigned char buf[BUFSIZE];
	struct ipq_handle *h;
	
	h = ipq_create_handle(0, NFPROTO_IPV4);
	if (!h)
		die(h);
		
	status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
	if (status < 0)
		die(h);
		
	do{
		status = ipq_read(h, buf, BUFSIZE, 0);
		if (status < 0)
			die(h);
			
		switch (ipq_message_type(buf)) {
			case NLMSG_ERROR:
				fprintf(stderr, "Received error message %d\\n",
				        ipq_get_msgerr(buf));
				break;
				
			case IPQM_PACKET: {
				ipq_packet_msg_t *m = ipq_get_packet(buf);
				
				status = ipq_set_verdict(h, m->packet_id,
				                         NF_ACCEPT, 0, NULL);
				if (status < 0)
					die(h);
				break;
			}
			
			default:
				fprintf(stderr, "Unknown message type!\\n");
				break;
		}
	} while (1);
	
	ipq_destroy_handle(h);
	return 0;
}
.RE
.fi
.PP
Pointers to more libipq application examples may be found in The
Netfilter FAQ.
.SH DIAGNOSTICS
For information about monitoring and tuning ip_queue, refer to the
Linux 2.4 Packet Filtering HOWTO.
.PP
If an application modifies a packet, it needs to also update any
checksums for the packet.  Typically, the kernel will silently discard
modified packets with invalid checksums. 
.SH SECURITY
Processes require CAP_NET_ADMIN capabilty to access the kernel ip_queue
module.  Such processes can potentially access and modify any IP packets
received, generated or forwarded by the kernel.
.SH TODO
Per-handle
.B ipq_errno
values.
.SH BUGS
Probably.
.SH AUTHOR
James Morris <jmorris@intercode.com.au>
.SH COPYRIGHT
Copyright (c) 2000-2001 Netfilter Core Team.
.PP
Distributed under the GNU General Public License.
.SH CREDITS
Joost Remijn implemented the
.B ipq_read
timeout feature, which appeared in the 1.2.4 release of iptables.
.PP
Fernando Anton added support for IPv6.
.SH SEE ALSO
.BR iptables (8),
.BR ipq_create_handle (3),
.BR ipq_destroy_handle (3),
.BR ipq_errstr (3),
.BR ipq_get_msgerr (3),
.BR ipq_get_packet (3),
.BR ipq_message_type (3),
.BR ipq_perror (3),
.BR ipq_read (3),
.BR ipq_set_mode (3),
.BR ipq_set_verdict (3).
.PP
The Netfilter home page at http://netfilter.samba.org/
which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet
Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
The Netfilter FAQ and many other useful resources.