source-git / iptables

Clone
Source Code
GIT

Blame bootstrap_ver/libipq/libipq.3

c8 c8s master
  1.   c8
  2.   bootstrap_ver
  3.   libipq
  4.   libipq.3
Blob History Raw
Packit Service 2cd632 
.TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.\"     Copyright (c) 2000-2001 Netfilter Core Team
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.\"     This program is free software; you can redistribute it and/or modify
Packit Service 2cd632 
.\"     it under the terms of the GNU General Public License as published by
Packit Service 2cd632 
.\"     the Free Software Foundation; either version 2 of the License, or
Packit Service 2cd632 
.\"     (at your option) any later version.
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.\"     This program is distributed in the hope that it will be useful,
Packit Service 2cd632 
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service 2cd632 
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Packit Service 2cd632 
.\"     GNU General Public License for more details.
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.\"     You should have received a copy of the GNU General Public License
Packit Service 2cd632 
.\"     along with this program; if not, write to the Free Software
Packit Service 2cd632 
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.\"
Packit Service 2cd632 
.SH NAME
Packit Service 2cd632 
libipq \(em iptables userspace packet queuing library.
Packit Service 2cd632 
.SH SYNOPSIS
Packit Service 2cd632 
.B #include <linux/netfilter.h>
Packit Service 2cd632 
.br
Packit Service 2cd632 
.B #include <libipq.h>
Packit Service 2cd632 
.SH DESCRIPTION
Packit Service 2cd632 
libipq is a development library for iptables userspace packet queuing.
Packit Service 2cd632 
.SS Userspace Packet Queuing
Packit Service 2cd632 
Netfilter provides a mechanism for passing packets out of the stack for
Packit Service 2cd632 
queueing to userspace, then receiving these packets back into the kernel
Packit Service 2cd632 
with a verdict specifying what to do with the packets (such as ACCEPT
Packit Service 2cd632 
or DROP).  These packets may also be modified in userspace prior to
Packit Service 2cd632 
reinjection back into the kernel.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
For each supported protocol, a kernel module called a
Packit Service 2cd632 
.I queue handler
Packit Service 2cd632 
may register with Netfilter to perform the mechanics of passing
Packit Service 2cd632 
packets to and from userspace.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
The standard queue handler for IPv4 is ip_queue.  It is provided as an
Packit Service 2cd632 
experimental module with 2.4 kernels, and uses a Netlink socket for
Packit Service 2cd632 
kernel/userspace communication.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
Once ip_queue is loaded, IP packets may be selected with iptables
Packit Service 2cd632 
and queued for userspace processing via the QUEUE target.  For example,
Packit Service 2cd632 
running the following commands:
Packit Service 2cd632 
.PP
Packit Service 2cd632 
	# modprobe iptable_filter
Packit Service 2cd632 
.br
Packit Service 2cd632 
	# modprobe ip_queue
Packit Service 2cd632 
.br
Packit Service 2cd632 
	# iptables \-A OUTPUT \-p icmp \-j QUEUE
Packit Service 2cd632 
.PP
Packit Service 2cd632 
will cause any locally generated ICMP packets (e.g. ping output) to
Packit Service 2cd632 
be sent to the ip_queue module, which will then attempt to deliver the
Packit Service 2cd632 
packets to a userspace application.  If no userspace application is waiting,
Packit Service 2cd632 
the packets will be dropped
Packit Service 2cd632 
.PP
Packit Service 2cd632 
An application may receive and process these packets via libipq.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.SS Libipq Overview
Packit Service 2cd632 
Libipq provides an API for communicating with ip_queue.  The following is
Packit Service 2cd632 
an overview of API usage, refer to individual man pages for more details
Packit Service 2cd632 
on each function.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Initialisation
Packit Service 2cd632 
.br
Packit Service 2cd632 
To initialise the library, call
Packit Service 2cd632 
.BR ipq_create_handle (3).
Packit Service 2cd632 
This will attempt to bind to the Netlink socket used by ip_queue and
Packit Service 2cd632 
return an opaque context handle for subsequent library calls.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Setting the Queue Mode
Packit Service 2cd632 
.br
Packit Service 2cd632 
.BR ipq_set_mode (3)
Packit Service 2cd632 
allows the application to specify whether packet metadata, or packet
Packit Service 2cd632 
payloads as well as metadata are copied to userspace.  It is also used to
Packit Service 2cd632 
initially notify ip_queue that an application is ready to receive queue
Packit Service 2cd632 
messages.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Receiving Packets from the Queue
Packit Service 2cd632 
.br
Packit Service 2cd632 
.BR ipq_read (3)
Packit Service 2cd632 
waits for queue messages to arrive from ip_queue and copies
Packit Service 2cd632 
them into a supplied buffer.
Packit Service 2cd632 
Queue messages may be
Packit Service 2cd632 
.I packet messages
Packit Service 2cd632 
or
Packit Service 2cd632 
.I error messages.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
The type of packet may be determined with
Packit Service 2cd632 
.BR ipq_message_type (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
If it's a packet message, the metadata and optional payload may be retrieved with
Packit Service 2cd632 
.BR ipq_get_packet (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
To retrieve the value of an error message, use
Packit Service 2cd632 
.BR ipq_get_msgerr (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Issuing Verdicts on Packets
Packit Service 2cd632 
.br
Packit Service 2cd632 
To issue a verdict on a packet, and optionally return a modified version
Packit Service 2cd632 
of the packet to the kernel, call
Packit Service 2cd632 
.BR ipq_set_verdict (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Error Handling
Packit Service 2cd632 
.br
Packit Service 2cd632 
An error string corresponding to the current value of the internal error
Packit Service 2cd632 
variable
Packit Service 2cd632 
.B ipq_errno
Packit Service 2cd632 
may be obtained with
Packit Service 2cd632 
.BR ipq_errstr (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
For simple applications, calling
Packit Service 2cd632 
.BR ipq_perror (3)
Packit Service 2cd632 
will print the same message as
Packit Service 2cd632 
.BR ipq_errstr (3),
Packit Service 2cd632 
as well as the string corresponding to the global
Packit Service 2cd632 
.B errno
Packit Service 2cd632 
value (if set) to stderr.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
.B Cleaning Up
Packit Service 2cd632 
.br
Packit Service 2cd632 
To free up the Netlink socket and destroy resources associated with
Packit Service 2cd632 
the context handle, call
Packit Service 2cd632 
.BR ipq_destroy_handle (3).
Packit Service 2cd632 
.SH SUMMARY
Packit Service 2cd632 
.TP 4
Packit Service 2cd632 
.BR ipq_create_handle (3)
Packit Service 2cd632 
Initialise library, return context handle.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_set_mode (3)
Packit Service 2cd632 
Set the queue mode, to copy either packet metadata, or payloads
Packit Service 2cd632 
as well as metadata to userspace.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_read (3)
Packit Service 2cd632 
Wait for a queue message to arrive from ip_queue and read it into
Packit Service 2cd632 
a buffer.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_message_type (3)
Packit Service 2cd632 
Determine message type in the buffer.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_get_packet (3)
Packit Service 2cd632 
Retrieve a packet message from the buffer.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_get_msgerr (3)
Packit Service 2cd632 
Retrieve an error message from the buffer.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_set_verdict (3)
Packit Service 2cd632 
Set a verdict on a packet, optionally replacing its contents.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_errstr (3)
Packit Service 2cd632 
Return an error message corresponding to the internal ipq_errno variable.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_perror (3)
Packit Service 2cd632 
Helper function to print error messages to stderr.
Packit Service 2cd632 
.TP
Packit Service 2cd632 
.BR ipq_destroy_handle (3)
Packit Service 2cd632 
Destroy context handle and associated resources.
Packit Service 2cd632 
.SH EXAMPLE
Packit Service 2cd632 
The following is an example of a simple application which receives
Packit Service 2cd632 
packets and issues NF_ACCEPT verdicts on each packet.
Packit Service 2cd632 
.RS
Packit Service 2cd632 
.nf
Packit Service 2cd632 
/*
Packit Service 2cd632 
 * This code is GPL.
Packit Service 2cd632 
 */
Packit Service 2cd632 
#include <linux/netfilter.h>
Packit Service 2cd632 
#include <libipq.h>
Packit Service 2cd632 
#include <stdio.h>
Packit Service 2cd632
Packit Service 2cd632 
#define BUFSIZE 2048
Packit Service 2cd632
Packit Service 2cd632 
static void die(struct ipq_handle *h)
Packit Service 2cd632 
{
Packit Service 2cd632 
	ipq_perror("passer");
Packit Service 2cd632 
	ipq_destroy_handle(h);
Packit Service 2cd632 
	exit(1);
Packit Service 2cd632 
}
Packit Service 2cd632
Packit Service 2cd632 
int main(int argc, char **argv)
Packit Service 2cd632 
{
Packit Service 2cd632 
	int status;
Packit Service 2cd632 
	unsigned char buf[BUFSIZE];
Packit Service 2cd632 
	struct ipq_handle *h;
Packit Service 2cd632
Packit Service 2cd632 
	h = ipq_create_handle(0, NFPROTO_IPV4);
Packit Service 2cd632 
	if (!h)
Packit Service 2cd632 
		die(h);
Packit Service 2cd632
Packit Service 2cd632 
	status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
Packit Service 2cd632 
	if (status < 0)
Packit Service 2cd632 
		die(h);
Packit Service 2cd632
Packit Service 2cd632 
	do{
Packit Service 2cd632 
		status = ipq_read(h, buf, BUFSIZE, 0);
Packit Service 2cd632 
		if (status < 0)
Packit Service 2cd632 
			die(h);
Packit Service 2cd632
Packit Service 2cd632 
		switch (ipq_message_type(buf)) {
Packit Service 2cd632 
			case NLMSG_ERROR:
Packit Service 2cd632 
				fprintf(stderr, "Received error message %d\\n",
Packit Service 2cd632 
				        ipq_get_msgerr(buf));
Packit Service 2cd632 
				break;
Packit Service 2cd632
Packit Service 2cd632 
			case IPQM_PACKET: {
Packit Service 2cd632 
				ipq_packet_msg_t *m = ipq_get_packet(buf);
Packit Service 2cd632
Packit Service 2cd632 
				status = ipq_set_verdict(h, m->packet_id,
Packit Service 2cd632 
				                         NF_ACCEPT, 0, NULL);
Packit Service 2cd632 
				if (status < 0)
Packit Service 2cd632 
					die(h);
Packit Service 2cd632 
				break;
Packit Service 2cd632 
			}
Packit Service 2cd632
Packit Service 2cd632 
			default:
Packit Service 2cd632 
				fprintf(stderr, "Unknown message type!\\n");
Packit Service 2cd632 
				break;
Packit Service 2cd632 
		}
Packit Service 2cd632 
	} while (1);
Packit Service 2cd632
Packit Service 2cd632 
	ipq_destroy_handle(h);
Packit Service 2cd632 
	return 0;
Packit Service 2cd632 
}
Packit Service 2cd632 
.RE
Packit Service 2cd632 
.fi
Packit Service 2cd632 
.PP
Packit Service 2cd632 
Pointers to more libipq application examples may be found in The
Packit Service 2cd632 
Netfilter FAQ.
Packit Service 2cd632 
.SH DIAGNOSTICS
Packit Service 2cd632 
For information about monitoring and tuning ip_queue, refer to the
Packit Service 2cd632 
Linux 2.4 Packet Filtering HOWTO.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
If an application modifies a packet, it needs to also update any
Packit Service 2cd632 
checksums for the packet.  Typically, the kernel will silently discard
Packit Service 2cd632 
modified packets with invalid checksums.
Packit Service 2cd632 
.SH SECURITY
Packit Service 2cd632 
Processes require CAP_NET_ADMIN capabilty to access the kernel ip_queue
Packit Service 2cd632 
module.  Such processes can potentially access and modify any IP packets
Packit Service 2cd632 
received, generated or forwarded by the kernel.
Packit Service 2cd632 
.SH TODO
Packit Service 2cd632 
Per-handle
Packit Service 2cd632 
.B ipq_errno
Packit Service 2cd632 
values.
Packit Service 2cd632 
.SH BUGS
Packit Service 2cd632 
Probably.
Packit Service 2cd632 
.SH AUTHOR
Packit Service 2cd632 
James Morris <jmorris@intercode.com.au>
Packit Service 2cd632 
.SH COPYRIGHT
Packit Service 2cd632 
Copyright (c) 2000-2001 Netfilter Core Team.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
Distributed under the GNU General Public License.
Packit Service 2cd632 
.SH CREDITS
Packit Service 2cd632 
Joost Remijn implemented the
Packit Service 2cd632 
.B ipq_read
Packit Service 2cd632 
timeout feature, which appeared in the 1.2.4 release of iptables.
Packit Service 2cd632 
.PP
Packit Service 2cd632 
Fernando Anton added support for IPv6.
Packit Service 2cd632 
.SH SEE ALSO
Packit Service 2cd632 
.BR iptables (8),
Packit Service 2cd632 
.BR ipq_create_handle (3),
Packit Service 2cd632 
.BR ipq_destroy_handle (3),
Packit Service 2cd632 
.BR ipq_errstr (3),
Packit Service 2cd632 
.BR ipq_get_msgerr (3),
Packit Service 2cd632 
.BR ipq_get_packet (3),
Packit Service 2cd632 
.BR ipq_message_type (3),
Packit Service 2cd632 
.BR ipq_perror (3),
Packit Service 2cd632 
.BR ipq_read (3),
Packit Service 2cd632 
.BR ipq_set_mode (3),
Packit Service 2cd632 
.BR ipq_set_verdict (3).
Packit Service 2cd632 
.PP
Packit Service 2cd632 
The Netfilter home page at http://netfilter.samba.org/
Packit Service 2cd632 
which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet
Packit Service 2cd632 
Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
Packit Service 2cd632 
The Netfilter FAQ and many other useful resources.
Packit Service 2cd632

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation