netfilter

How can I programmatically manage iptables rules on the fly?

I need to query existing rules, as well as be able to easily add and delete rules. I haven't found any APIs for doing this; is there something that I'm missing? The closest I've come to a solution is using iptables-save | iptables-xml for querying, and manually calling the iptables command itself to add/delete rules. Another solution...

compiling multiple files in netfilter

How can I compile multiple files (files calling functions in other files) in a kernel module? ...

IP Address from sk_buff

I am writing a kernel module which registers a netfilter hook. I am trying to get the IP address of the caller by using the sk_buff->saddr member. Is there a way I can get the IP in human-readable, i.e. x.x.x.x, format? I found the function inet_ntop() but it doesn't seem to be available in the kernel headers. How do I convert \xC0\xA8\x00\x...

Netfilter hook not getting called.

Hello, I am writing a kernel module which registers a hook with netfilter. The handler is not being called if I ssh/telnet into the machine where the module is loaded. `struct nf_hook_ops my_hook_ops; my_hook_ops.hook = hook_handler; my_hook_ops.pf = PF_INET; my_hook_ops.hooknum = NF_INET_PRE_ROUTING; my_hook_ops.priority = NF_IP_PRI_F`...

is there a limit for the number of sk_buffs in the kernel

Hi, I need to steal some SKBs in my Netfilter hook and retain them for some time. Is there a limit in the kernel on how many SKBs I can use at a time? What are the consequences of having some 100,000 or even more SKBs held in my kernel module? I could avoid copying my packets two times if I can have many, many SKBs. Regards, Denes ...

Linux netfilter: pass the packet content to a user space socket app

I want to write a Linux 2.6 netfilter module which can check the incoming IP packet information, such as dest-ip and source-ip, and then pass this information to a user space app. That app (a socket app, I think) will handle this information as soon as the packet reaches the HOOKs. I want to try two ways: 1, inside the netfilter module, ma...

Linux Netfilter modules, dynamic memory allocation and synchronization

Hey guys, I'm working on a netfilter module that modifies TCP ack behavior and I am having some trouble with crashes. I think my problem is that I don't fully understand the netfilter architecture (and maybe the kernel in general, I'm pretty new to this). I have two main questions: 1.) Using kmalloc with the GFP_KERNEL flag seems to ca...

Iptables administration - Big list of IP addresses

Hello all, how can we create a table of IP addresses for Netfilter? I would like to do so just like the table directive of PacketFilter. Thank you for any help. ...

How do you return stolen packets back to Netfilter

Let's say I have intercepted a packet from Netfilter and subsequently returned NF_STOLEN. At some point I want to re-inject that packet back into, in this case, the TCP stream it came from. I want to do this from kernel space. So far I have been unable to find a way to do this. Thanks for the help. ...

A few questions on the queue mechanism in netfilter

Hello. Please forgive me if the question was asked before. After some research on netfilter there are a few loose ends that I can't comprehend. Where is the memory of the queue, and how is it being handled? When you are using the queue, is it being copied to user space, or do you map the memory, and how does it influence the system perfo...

Android SDK avd emulator kernel does not include netfilter/iptables

Where can I find a kernel including netfilter/iptables? Can I assume most market phones have netfilter included within their kernels? ...

Are there any C demos with netfilter?

I want to forward packets with netfilter, so I want to get some C demos to get started. Thanks ...