1 .TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual"
3 .\" Copyright (c) 2000-2001 Netfilter Core Team
5 .\" This program is free software; you can redistribute it and/or modify
6 .\" it under the terms of the GNU General Public License as published by
7 .\" the Free Software Foundation; either version 2 of the License, or
8 .\" (at your option) any later version.
10 .\" This program is distributed in the hope that it will be useful,
11 .\" but WITHOUT ANY WARRANTY; without even the implied warranty of
12 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 .\" GNU General Public License for more details.
15 .\" You should have received a copy of the GNU General Public License
16 .\" along with this program; if not, write to the Free Software
17 .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 libipq \(em iptables userspace packet queuing library.
23 .B #include <linux/netfilter.h>
25 .B #include <libipq.h>
27 libipq is a development library for iptables userspace packet queuing.
28 .SS Userspace Packet Queuing
29 Netfilter provides a mechanism for passing packets out of the stack for
30 queueing to userspace, then receiving these packets back into the kernel
31 with a verdict specifying what to do with the packets (such as ACCEPT
32 or DROP). These packets may also be modified in userspace prior to
33 reinjection back into the kernel.
35 For each supported protocol, a kernel module called a
37 may register with Netfilter to perform the mechanics of passing
38 packets to and from userspace.
40 The standard queue handler for IPv4 is ip_queue. It is provided as an
41 experimental module with 2.4 kernels, and uses a Netlink socket for
42 kernel/userspace communication.
44 Once ip_queue is loaded, IP packets may be selected with iptables
45 and queued for userspace processing via the QUEUE target. For example,
46 running the following commands:
48 # modprobe iptable_filter
52 # iptables \-A OUTPUT \-p icmp \-j QUEUE
54 will cause any locally generated ICMP packets (e.g. ping output) to
55 be sent to the ip_queue module, which will then attempt to deliver the
56 packets to a userspace application. If no userspace application is waiting,
57 the packets will be dropped
59 An application may receive and process these packets via libipq.
63 Libipq provides an API for communicating with ip_queue. The following is
64 an overview of API usage, refer to individual man pages for more details
69 To initialise the library, call
70 .BR ipq_create_handle (3).
71 This will attempt to bind to the Netlink socket used by ip_queue and
72 return an opaque context handle for subsequent library calls.
74 .B Setting the Queue Mode
77 allows the application to specify whether packet metadata, or packet
78 payloads as well as metadata are copied to userspace. It is also used to
79 initially notify ip_queue that an application is ready to receive queue
82 .B Receiving Packets from the Queue
85 waits for queue messages to arrive from ip_queue and copies
86 them into a supplied buffer.
92 The type of packet may be determined with
93 .BR ipq_message_type (3).
95 If it's a packet message, the metadata and optional payload may be retrieved with
96 .BR ipq_get_packet (3).
98 To retrieve the value of an error message, use
99 .BR ipq_get_msgerr (3).
101 .B Issuing Verdicts on Packets
103 To issue a verdict on a packet, and optionally return a modified version
104 of the packet to the kernel, call
105 .BR ipq_set_verdict (3).
109 An error string corresponding to the current value of the internal error
115 For simple applications, calling
117 will print the same message as
119 as well as the string corresponding to the global
121 value (if set) to stderr.
125 To free up the Netlink socket and destroy resources associated with
126 the context handle, call
127 .BR ipq_destroy_handle (3).
130 .BR ipq_create_handle (3)
131 Initialise library, return context handle.
134 Set the queue mode, to copy either packet metadata, or payloads
135 as well as metadata to userspace.
138 Wait for a queue message to arrive from ip_queue and read it into
141 .BR ipq_message_type (3)
142 Determine message type in the buffer.
144 .BR ipq_get_packet (3)
145 Retrieve a packet message from the buffer.
147 .BR ipq_get_msgerr (3)
148 Retrieve an error message from the buffer.
150 .BR ipq_set_verdict (3)
151 Set a verdict on a packet, optionally replacing its contents.
154 Return an error message corresponding to the internal ipq_errno variable.
157 Helper function to print error messages to stderr.
159 .BR ipq_destroy_handle (3)
160 Destroy context handle and associated resources.
162 The following is an example of a simple application which receives
163 packets and issues NF_ACCEPT verdicts on each packet.
169 #include <linux/netfilter.h>
175 static void die(struct ipq_handle *h)
177 ipq_perror("passer");
178 ipq_destroy_handle(h);
182 int main(int argc, char **argv)
185 unsigned char buf[BUFSIZE];
186 struct ipq_handle *h;
188 h = ipq_create_handle(0, NFPROTO_IPV4);
192 status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
197 status = ipq_read(h, buf, BUFSIZE, 0);
201 switch (ipq_message_type(buf)) {
203 fprintf(stderr, "Received error message %d\\n",
204 ipq_get_msgerr(buf));
208 ipq_packet_msg_t *m = ipq_get_packet(buf);
210 status = ipq_set_verdict(h, m->packet_id,
218 fprintf(stderr, "Unknown message type!\\n");
223 ipq_destroy_handle(h);
229 Pointers to more libipq application examples may be found in The
232 For information about monitoring and tuning ip_queue, refer to the
233 Linux 2.4 Packet Filtering HOWTO.
235 If an application modifies a packet, it needs to also update any
236 checksums for the packet. Typically, the kernel will silently discard
237 modified packets with invalid checksums.
239 Processes require CAP_NET_ADMIN capabilty to access the kernel ip_queue
240 module. Such processes can potentially access and modify any IP packets
241 received, generated or forwarded by the kernel.
249 James Morris <jmorris@intercode.com.au>
251 Copyright (c) 2000-2001 Netfilter Core Team.
253 Distributed under the GNU General Public License.
255 Joost Remijn implemented the
257 timeout feature, which appeared in the 1.2.4 release of iptables.
259 Fernando Anton added support for IPv6.
262 .BR ipq_create_handle (3),
263 .BR ipq_destroy_handle (3),
265 .BR ipq_get_msgerr (3),
266 .BR ipq_get_packet (3),
267 .BR ipq_message_type (3),
270 .BR ipq_set_mode (3),
271 .BR ipq_set_verdict (3).
273 The Netfilter home page at http://netfilter.samba.org/
274 which has links to The Networking Concepts HOWTO, The Linux 2.4 Packet
275 Filtering HOWTO, The Linux 2.4 NAT HOWTO, The Netfilter Hacking HOWTO,
276 The Netfilter FAQ and many other useful resources.