README.nfq.md

NFQ Module
==========

A DAQ module built on top of the Linux netfilter packet filtering framework.
Specifically, the module operates on packets queued by the kernel packet filter
for userspace consumption via the NFQUEUE mechanism, usually controlled by
iptables rules.  The input specification given to the DAQ module should be the
integer value of the queue number to receive and process packets on.

Packets will come up to the application with a datalink type of "RAW", which
means the packet data begins with the IP header (IPv4 or IPv6); there is no
link-layer header.

The maximum netfilter queue length defaults to 1024 packets and can be
overridden with the 'queue_maxlen' variable.

The normal behavior for netfilter queues is to drop any packets that cannot fit
in the target queue, usually because the userspace application is not draining
it fast enough.  If the 'fail_open' variable is given to the DAQ module, the
kernel will instead accept such packets uninspected rather than dropping them.
Choose this failure mode deliberately: dropping preserves inspection coverage
at the cost of connectivity, while fail-open does the reverse.

The NFQ module uses the modern minimalistic abstraction layer library for
netfilter called libmnl.  It is available in the package repositories of most
modern Linux distributions.

Note: Packets will come up from the kernel defragmented (IP fragments are
reassembled before queueing), so a snaplen approaching 64k is suggested; a
smaller snaplen truncates large reassembled packets.

Example Setup
-------------

The following steps set up a Linux system with two data interfaces (eth1 and
eth2), configure them as two forwarding (routing) interfaces with both IPv4
and IPv6 addresses, and queue all traffic for inspection on queue number 42
before it is forwarded by the routing subsystem.

1. Give the interfaces both an IPv4 and IPv6 address.

        ip addr add 172.16.1.1/24 dev eth1
        ip -6 addr add 2011:11:11:11::1/64 dev eth1
        ip addr add 172.16.2.1/24 dev eth2
        ip -6 addr add 2011:22:22:22::1/64 dev eth2

2. Enable forwarding for the interfaces in the kernel.  (IPv4 forwarding can be
enabled per interface; IPv6 forwarding is enabled through the 'all' setting.)

        sysctl -w net.ipv4.conf.eth1.forwarding=1
        sysctl -w net.ipv4.conf.eth2.forwarding=1
        sysctl -w net.ipv6.conf.all.forwarding=1

3. Add iptables/ip6tables rules to queue all packets that would be forwarded by
the kernel for inspection on queue number 42.  The --queue-bypass option lets
packets skip the queue (and therefore skip inspection) while no userspace
process is attached to it; without it, the kernel drops every matching packet
until a process attaches.  Use --queue-bypass only if you value connectivity
over inspection coverage: an inspector that has crashed or has not started yet
then leaves traffic flowing uninspected.

        iptables -A FORWARD -j NFQUEUE --queue-num 42 --queue-bypass
        ip6tables -A FORWARD -j NFQUEUE --queue-num 42 --queue-bypass

At this point, queue 42 is available for the DAQ module to attach to, and the
kernel will start queueing packets to it once the module has registered.

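The three steps above as one rerunnable script, followed by a check that reads
the queue's state back from the kernel.  This is an added example and is not
part of libdaq; it assumes the interface names, addresses and queue number 42
from the steps above, root privileges for setup_forwarding, and a kernel whose
/proc/net/netfilter/nfnetlink_queue has the column layout given in the
comments.  The check matters because the iptables rule alone creates no queue
instance: an entry for queue 42 appears only after a process has bound to it,
and until then traffic is either dropped (no --queue-bypass) or forwarded
uninspected (--queue-bypass).

```shell
#!/bin/sh
# Added example (not libdaq code): idempotent version of the README's setup
# steps plus a status check for the NFQUEUE instance.
# Assumptions: eth1/eth2, the README's addresses, queue 42, root for setup.

QUEUE=${QUEUE:-42}

setup_forwarding() {
    # 'ip addr replace' is idempotent, unlike 'ip addr add' which fails on rerun.
    ip addr replace 172.16.1.1/24 dev eth1
    ip -6 addr replace 2011:11:11:11::1/64 dev eth1
    ip addr replace 172.16.2.1/24 dev eth2
    ip -6 addr replace 2011:22:22:22::1/64 dev eth2

    sysctl -q -w net.ipv4.conf.eth1.forwarding=1
    sysctl -q -w net.ipv4.conf.eth2.forwarding=1
    sysctl -q -w net.ipv6.conf.all.forwarding=1

    # -C checks for an identical existing rule; append only when it is missing,
    # so rerunning the script does not stack duplicate NFQUEUE rules.
    for tool in iptables ip6tables; do
        $tool -C FORWARD -j NFQUEUE --queue-num "$QUEUE" --queue-bypass 2>/dev/null ||
            $tool -A FORWARD -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    done
}

# One line of /proc/net/netfilter/nfnetlink_queue has these columns
# (kernel nfqnl_proc_show):
#   queue_num peer_portid queue_total copy_mode copy_range
#   queue_dropped user_dropped id_sequence 1
# queue_dropped counts packets lost because the queue was full (the
# queue_maxlen / fail_open case); user_dropped counts packets the kernel could
# not deliver to the bound socket.
nfq_parse() {  # $1 = one proc line; prints a one-line summary
    set -- $1
    if [ "$2" -eq 0 ]; then state=detached; else state=attached; fi
    printf 'queue=%s %s total=%s dropped=%s user_dropped=%s\n' \
        "$1" "$state" "$3" "$6" "$7"
}

# Report the state of $QUEUE; "missing" means nothing has bound to it yet.
nfq_status() {
    f=/proc/net/netfilter/nfnetlink_queue
    [ -r "$f" ] || { echo "queue=$QUEUE missing (nfnetlink_queue not loaded)"; return 0; }
    line=$(awk -v q="$QUEUE" '$1 == q' "$f")
    if [ -z "$line" ]; then
        echo "queue=$QUEUE missing (no process has bound to it)"
    else
        nfq_parse "$line"
    fi
}

case "${1:-}" in
    setup) setup_forwarding ;;
esac
nfq_status
```

Run it as root with the argument 'setup' to apply the configuration, or with
no argument to only print the queue's state; rerun the status check after
starting the DAQ application to confirm it shows as attached and that
'dropped' stays at zero under load.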
Limitations
-----------

* Multiple instantiation is technically supported, but there is currently no
way for several instances to share the same queue.  For now, the best way to
use multiple instances is to have each listen on its own queue (with its own
NFQUEUE rule, or one rule using --queue-balance to spread packets over a range
of queue numbers).

* The process cannot currently operate in unprivileged mode: binding to and
configuring a queue over nfnetlink requires CAP_NET_ADMIN.  This has not been
revalidated recently, but the module is marked as requiring privileges in the
meantime.

Requirements
------------
* libmnl

Additional Resources
--------------------

* The netfilter project homepage: <https://www.netfilter.org/>
* The libmnl project homepage: <https://www.netfilter.org/projects/libmnl/index.html>