Documentation
Overview
Package nfqueue provides an API to interact with the nfqueue subsystem of the netfilter family from the Linux kernel.
This package processes information directly from the kernel and therefore requires special privileges. You can grant these privileges by setting the CAP_NET_ADMIN capability on the executable:
setcap 'cap_net_admin=+ep' /your/executable
Index
- Constants
- Variables
- type Attribute
- type Config
- type ErrorFunc
- type HookFunc
- type Nfqueue
- func (nfqueue *Nfqueue) Close() error
- func (nfqueue *Nfqueue) Register(ctx context.Context, fn HookFunc) error
- func (nfqueue *Nfqueue) RegisterWithErrorFunc(ctx context.Context, fn HookFunc, errfn ErrorFunc) error
- func (nfqueue *Nfqueue) SetVerdict(id uint32, verdict int) error
- func (nfqueue *Nfqueue) SetVerdictBatch(id uint32, verdict int) error
- func (nfqueue *Nfqueue) SetVerdictModPacket(id uint32, verdict int, packet []byte) error
- func (nfqueue *Nfqueue) SetVerdictModPacketWithMark(id uint32, verdict, mark int, packet []byte) error
- func (nfqueue *Nfqueue) SetVerdictWithMark(id uint32, verdict, mark int) error
Constants
const (
	NfQaCfgFlagFailOpen  = (1 << iota)
	NfQaCfgFlagConntrack = (1 << iota)
	NfQaCfgFlagGSO       = (1 << iota)
	NfQaCfgFlagUIDGid    = (1 << iota)
	NfQaCfgFlagSecCx     = (1 << iota)
)
Various configuration flags
const (
	NfQnlCopyNone = iota
	NfQnlCopyMeta
	NfQnlCopyPacket
)
Copy modes
const (
	NfDrop = iota
	NfAccept
	NfStolen
	NfQeueue
	NfRepeat
)
Verdicts
Variables
var (
	ErrRecvMsg        = errors.New("received error message")
	ErrUnexpMsg       = errors.New("received unexpected message from kernel")
	ErrInvFlag        = errors.New("invalid Flag")
	ErrNotLinux       = errors.New("not implemented for OS other than linux")
	ErrInvalidVerdict = errors.New("invalid verdict")
)
Various errors
Functions
This section is empty.
Types
type Attribute added in v1.2.0
type Attribute struct {
	PacketID   *uint32
	Hook       *uint8
	Timestamp  *time.Time
	Mark       *uint32
	InDev      *uint32
	PhysInDev  *uint32
	OutDev     *uint32
	PhysOutDev *uint32
	Payload    *[]byte
	CapLen     *uint32
	UID        *uint32
	GID        *uint32
	SecCtx     *string
	L2Hdr      *[]byte
	HwAddr     *[]byte
	HwProtocol *uint16
	Ct         *[]byte
	CtInfo     *uint32
	SkbInfo    *[]byte
	Exp        *[]byte
}
Attribute contains the elements of an nfqueue message. As not every value is contained in every nfqueue message, the fields of Attribute are pointers to these values, or nil if the value is not present.
type Config
type Config struct {
	// Network namespace the Nfqueue needs to operate in. If set to 0 (default),
	// no network namespace will be entered.
	NetNS int
	// Queue this Nfqueue socket will be assigned to
	NfQueue uint16
	// Maximum number of packets within the Nfqueue.
	MaxQueueLen uint32
	// Only used in combination with NfQnlCopyPacket.
	MaxPacketLen uint32
	// Specifies how the kernel handles a packet in the nfqueue queue.
	Copymode uint8
	// Optional flags for this Nfqueue socket.
	Flags uint32
	// AfFamily for this Nfqueue socket.
	AfFamily uint8
	// Time till a read action times out - only available for Go >= 1.12
	ReadTimeout time.Duration
	// Time till a write action times out - only available for Go >= 1.12
	WriteTimeout time.Duration
	// Interface to log internals.
	Logger *log.Logger
}
Config contains options for a Conn.
type ErrorFunc added in v1.2.0
ErrorFunc is a function that receives all errors that happen while reading from a netlink group. To stop receiving messages, return a value other than 0.
type HookFunc
HookFunc is a function that receives events from a netlink group. To stop receiving messages on this HookFunc, return a value other than 0.
type Nfqueue
type Nfqueue struct {
	// Con is the pure representation of a netlink socket
	Con *netlink.Conn
	// contains filtered or unexported fields
}
Nfqueue represents a netfilter queue handler
func (*Nfqueue) RegisterWithErrorFunc added in v1.2.0
func (nfqueue *Nfqueue) RegisterWithErrorFunc(ctx context.Context, fn HookFunc, errfn ErrorFunc) error
RegisterWithErrorFunc is like Register but allows custom error handling for errors encountered when reading from the underlying netlink socket.
func (*Nfqueue) SetVerdict
SetVerdict signals the kernel the next action for the packet with the given id
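As an added example (not code from go-nfqueue or this page), here is the body of a HookFunc that treats the nil-able Attribute fields defensively and sets a verdict with SetVerdict, together with a minimal IPv4/TCP parser so that malformed input is dropped rather than waved through. It assumes HookFunc is func(Attribute) int, so it would be registered as nfq.Register(ctx, func(a nfqueue.Attribute) int { return handle(nfq, a.PacketID, a.Payload) }); the verdictSetter interface and the blockedPorts deny-list are constructed for the example.

```go
package main

import "encoding/binary"
import "log"

// Verdicts as documented for the nfqueue package: NfDrop = iota, NfAccept.
const NfDrop, NfAccept = 0, 1

// verdictSetter is the subset of *nfqueue.Nfqueue used here; the real type satisfies it.
type verdictSetter interface {
	SetVerdict(id uint32, verdict int) error
}

// blockedPorts is a constructed deny-list of TCP destination ports.
var blockedPorts = map[uint16]bool{23: true, 2323: true}

// decide returns the verdict for a raw IPv4 packet. Anything the parser cannot
// validate is dropped: a filter that accepts what it cannot parse is bypassable.
func decide(payload []byte) int {
	if len(payload) < 20 || payload[0]>>4 != 4 || payload[0]&0x0f < 5 {
		return NfDrop // too short, not IPv4, or bogus header length
	}
	ihl := int(payload[0]&0x0f) * 4
	if payload[9] != 6 { // this policy only filters TCP (protocol 6)
		return NfAccept
	}
	if len(payload) < ihl+4 { // IP options plus both TCP ports must be present
		return NfDrop
	}
	if blockedPorts[binary.BigEndian.Uint16(payload[ihl+2:ihl+4])] {
		return NfDrop
	}
	return NfAccept
}

// handle is the body of a HookFunc. Attribute fields are pointers that may be nil (Payload
// is, under copy mode NfQnlCopyMeta): check before use; a missing payload fails closed.
func handle(q verdictSetter, id *uint32, payload *[]byte) int {
	if id == nil {
		return 0 // no packet ID, nothing to verdict on
	}
	v := NfDrop
	if payload != nil {
		v = decide(*payload)
	}
	if err := q.SetVerdict(*id, v); err != nil {
		log.Printf("SetVerdict(%d, %d): %v", *id, v, err)
	}
	return 0 // 0 keeps the hook receiving packets
}
```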
func (*Nfqueue) SetVerdictBatch
SetVerdictBatch signals the kernel the next action for a batch of packets up to the given id
func (*Nfqueue) SetVerdictModPacket added in v1.2.0
SetVerdictModPacket signals the kernel the next action for an altered packet