1 unstable release
Uses old Rust 2015
0.9.0 | Aug 23, 2016 |
---|
#13 in #netfilter
28KB
433 lines
nflog-bindings-rust
Overview
nflog-rust is a wrapper library for libnetfilter-log. The goal is to provide a library to gain access to packets queued by the kernel packet filter.
It is important to note that these bindings will not follow blindly libnetfilter_log API. For ex., some higher-level wrappers will be provided for the open/bind/create mechanism (using one function call instead of three).
Since libraries to decode ip packets are already available, the bindings will use them.
To use the library, a program must
- open a queue
- bind to a network family (
AF_PACKET
for IPv4) - provide a callback function, which will be automatically called when a packet is received.
- create the queue, providing the queue number (which must match the
--nflog-group
from the iptables rules, see below - run a loop, waiting for events. The program should also provide a clean way to exit the loop (for ex on
SIGINT
)
Documentation
Documentation is created using the cargo doc
command.
Example
See test_nflog for a minimal example.
IPtables
You must add rules in netfilter to send packets to the userspace queue. The number of the queue (--nflog-group option in netfilter) must match the number provided to create_queue().
Example of iptables rules:
iptables -A OUTPUT --destination 1.2.3.4 -j NFLOG --nflog-group 0
Of course, you should be more restrictive, depending on your needs.
Privileges
nflog-rust does not require root privileges, but needs to open a netlink socket and send/receive packets to the kernel.
You have several options:
- Use the CAP_NET_ADMIN capability in order to allow your application to receive from and to send packets to kernel-space:
setcap 'cap_net_admin=+ep' /path/to/program
- Run your program as
root
and drop privileges
License
This library is licensed under the GNU General Public License version 2.0, or (at your option) any later version.
Dependencies
~43KB