Overview
Package nflog provides an API to interact with the log subsystem of the netfilter family from the linux kernel.
This package processes information directly from the kernel and therefore requires special privileges. You can grant these privileges by adding the CAP_NET_ADMIN capability to the executable:

	setcap 'cap_net_admin=+ep' /your/executable
Constants
const (
	// Available copy modes for Config.Copymode.
	CopyNone byte = 0x00
	CopyMeta byte = 0x01
	// Provides a complete copy of the packet in the Msg map.
	// But can be limited by setting Config.Bufsize.
	CopyPacket byte = 0x02

	// Flags that can be set on a connection
	FlagSeq    uint16 = 0x0001
	FlagGlobal uint16 = 0x0002
	// Requires Kernel configuration of CONFIG_NETFILTER_NETLINK_GLUE_CT
	FlagConntrack uint16 = 0x0004
)
Various constants
const (
	GenericGroup uint16 = 0x1
)
Various optional settings
Variables

var (
	ErrCopyMode    = errors.New("unsupported copy mode")
	ErrUnknownFlag = errors.New("unsupported flag")
)
Various errors
Functions
This section is empty.
Types

type Attribute

type Attribute struct {
	Hook       *uint8
	Mark       *uint32
	Timestamp  *time.Time
	InDev      *uint32
	PhysInDev  *uint32
	OutDev     *uint32
	PhysOutDev *uint32
	Payload    *[]byte
	Prefix     *string
	UID        *uint32
	Seq        *uint32
	SeqGlobal  *uint32
	GID        *uint32
	HwType     *uint16
	HwAddr     *[]byte
	HwHeader   *[]byte
	HwLen      *uint16
	HwProtocol *uint16
	CtInfo     *uint32
	Ct         *[]byte
	Layer2Hdr  *[]byte
	VLAN       *VLAN
}
Attribute holds the elements of one nflog message. As not every value is contained in every nflog message, the fields of Attribute are pointers to these values, or nil if the value is not present.
type Config

type Config struct {
	// Network namespace the Nflog needs to operate in. If set to 0 (default),
	// no network namespace will be entered.
	NetNS int

	// Optional flags for the nflog communication
	Flags uint16

	// Specifies the number of packets in the group,
	// until they will be pushed to userspace.
	QThresh uint32

	// Maximum time in 1/100s that a packet in the nflog group will be queued,
	// until it is pushed to userspace.
	Timeout uint32

	// Nflog group this socket will be assigned to.
	Group uint16

	// Specifies how the kernel handles a packet in the nflog group.
	Copymode uint8

	// If NfUlnlCopyPacket is set as CopyMode,
	// this parameter specifies the maximum number of bytes,
	// that will be copied to userspace.
	Bufsize uint32

	// Optional settings to enable/disable features
	Settings uint16

	// Time till a read action times out - only available for Go >= 1.12
	//
	// Deprecated: Cancel the context passed to RegisterWithErrorFunc() or Register()
	// to remove the hook from the nflog gracefully. Setting this value no longer
	// has an effect on nflog.
	ReadTimeout time.Duration

	// Interface to log internals.
	Logger Logger
}
Config contains options for a Conn.
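Two points above matter in practice: every Attribute field is a pointer that may be nil, and with Copymode set to CopyPacket the Payload can be cut short by Config.Bufsize. The following hook body, an added example that is not part of go-nflog, decodes the IPv4 header from a message while handling both cases; the local Attribute type is a stand-in that mirrors the field names and pointer types of nflog.Attribute for the fields used here, and the sample payload is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Attribute mirrors the pointer fields of nflog.Attribute used below (stand-in, assumption).
type Attribute struct {
	Hook    *uint8
	Prefix  *string
	Payload *[]byte
}

var errShortPayload = errors.New("payload shorter than an IPv4 header")

// Summary is what the hook would log for one packet.
type Summary struct {
	Prefix           string
	Hook             uint8
	Proto            uint8
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	Truncated        bool // Bufsize copied fewer bytes than the IP total length
}

// summarize decodes the IPv4 header of a message; nil fields are skipped, not dereferenced.
func summarize(a Attribute) (Summary, error) {
	var s Summary
	if a.Prefix != nil {
		s.Prefix = *a.Prefix
	}
	if a.Hook != nil {
		s.Hook = *a.Hook
	}
	if a.Payload == nil { // CopyNone / CopyMeta deliver no packet bytes
		return s, errors.New("message carries no payload")
	}
	p := *a.Payload
	if len(p) < 20 || p[0]>>4 != 4 {
		return s, errShortPayload
	}
	ihl := int(p[0]&0x0f) * 4
	s.Proto, s.Src, s.Dst = p[9], net.IP(p[12:16]), net.IP(p[16:20])
	s.Truncated = len(p) < int(binary.BigEndian.Uint16(p[2:4]))
	if (s.Proto == 6 || s.Proto == 17) && len(p) >= ihl+4 { // TCP/UDP ports if copied
		s.SrcPort, s.DstPort = binary.BigEndian.Uint16(p[ihl:]), binary.BigEndian.Uint16(p[ihl+2:])
	}
	return s, nil
}

func main() {
	// Constructed sample: ICMP 192.0.2.1 -> 192.0.2.2, total length 84, only the 20-byte header copied.
	payload := []byte{0x45, 0, 0, 0x54, 0x12, 0x34, 0x40, 0, 0x40, 1, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2}
	s, err := summarize(Attribute{Payload: &payload})
	fmt.Printf("%+v %v\n", s, err)
}
```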
type ErrorFunc

type ErrorFunc func(e error) int

ErrorFunc is a function that receives all errors that happen while reading from a netlink group. To stop receiving messages, return a value other than 0.
type HookFunc

type HookFunc func(a Attribute) int

HookFunc is a function that receives events from a netlink group. To stop receiving messages on this HookFunc, return a value other than 0.
type Logger

type Logger interface {
	Debugf(format string, args ...interface{})
	Errorf(format string, args ...interface{})
}
Logger provides logging functionality.
type Nflog

type Nflog struct {
	// Con is the pure representation of a netlink socket
	Con *netlink.Conn
	// contains filtered or unexported fields
}

Nflog represents a netfilter log handler.
func (*Nflog) Register (deprecated)

func (nflog *Nflog) Register(ctx context.Context, fn HookFunc) error

Register your own function as a callback for a netfilter log group. Errors other than net.Timeout() are reported via the provided log interface, and the receiving of netfilter log messages is stopped.
To handle errors and continue receiving data with the registered callback use RegisterWithErrorFunc() instead.
Deprecated: Use RegisterWithErrorFunc() instead.
Example

// Send outgoing pings to nflog group 100
// # sudo iptables -I OUTPUT -p icmp -j NFLOG --nflog-group 100

// Set configuration parameters
config := nflog.Config{
	Group:    100,
	Copymode: nflog.CopyPacket,
}

nf, err := nflog.Open(&config)
if err != nil {
	fmt.Println("could not open nflog socket:", err)
	return
}
defer nf.Close()

ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

// hook that is called for every received packet by the nflog group
hook := func(attrs nflog.Attribute) int {
	// Just print out the payload of the nflog packet
	fmt.Fprintf(os.Stdout, "%#v\n", attrs.Payload)
	return 0
}

// errFunc that is called for every error on the registered hook
errFunc := func(e error) int {
	// Just log the error and return 0 to continue receiving packets
	fmt.Fprintf(os.Stderr, "received error on hook: %v", e)
	return 0
}

// Register your function to listen on nflog group 100
err = nf.RegisterWithErrorFunc(ctx, hook, errFunc)
if err != nil {
	fmt.Fprintf(os.Stderr, "failed to register hook function: %v", err)
	return
}

// Block till the context expires
<-ctx.Done()
func (*Nflog) RegisterWithErrorFunc

func (nflog *Nflog) RegisterWithErrorFunc(ctx context.Context, fn HookFunc, errfn ErrorFunc) error

RegisterWithErrorFunc attaches a callback function to a netfilter log group and allows custom handling of errors encountered while reading from the underlying netlink socket.