#netfilter #queue #nfqueue


Netfilter NFQUEUE high-level bindings

2 releases

Uses old Rust 2015

0.9.1 Jun 27, 2017
0.9.0 Aug 23, 2016

#7 in #netfilter

Download history 9/week @ 2022-01-28 6/week @ 2022-02-04 7/week @ 2022-02-11 9/week @ 2022-02-18 12/week @ 2022-02-25 9/week @ 2022-03-04 9/week @ 2022-03-11 12/week @ 2022-03-18 6/week @ 2022-03-25 9/week @ 2022-04-01 8/week @ 2022-04-08 9/week @ 2022-04-15 9/week @ 2022-04-22 23/week @ 2022-04-29 17/week @ 2022-05-06 42/week @ 2022-05-13

92 downloads per month


356 lines


Build Status

nfqueue-rs is a wrapper library for libnetfilter-queue. The goal is to provide a library to gain access to packets queued by the kernel packet filter.

It is important to note that these bindings will not follow blindly libnetfilter_queue API. For ex., some higher-level wrappers will be provided for the open/bind/create mechanism (using one function call instead of three).

The API is not yet stable.

To use the library, a program must

  • open a queue
  • bind to a network family (AF_PACKET for IPv4)
  • provide a callback function, which will be automatically called when a packet is received. The callback must return a verdict
  • create the queue, providing the queue number (which must match the --queue-num from the iptables rules, see below
  • run a loop, waiting for events. The program should also provide a clean way to exit the loop (for ex on SIGINT)


See nfq-example for a minimal example.


You must add rules in netfilter to send packets to the userspace queue. The number of the queue (--queue-num option in netfilter) must match the number provided to create_queue().

Example of iptables rules:

iptables -A OUTPUT --destination -j NFQUEUE --queue-num 0

Of course, you should be more restrictive, depending on your needs.


nfqueue-rs does not require root privileges, but needs to open a netlink socket and send/receive packets to the kernel.

You have several options:

  • Use the CAP_NET_ADMIN capability in order to allow your application to receive from and to send packets to kernel-space: setcap 'cap_net_admin=+ep' /path/to/program
  • Run your program as root and drop privileges