NFLOG support

[vorner]

Hello

I'm searching for a nice library to use for reading network packets coming from NFLOG and came about this crate. How hard would it be to add support for that protocol?

I'm trying to read the libnl code. From a high level, I have the impression the protocol should be quite simple ‒ sending two control messages, then subscribing into a multicast group and then the packets should start appearing. However, I'm having trouble finding any documentation how the structure of such messages would look like and how it translates into neli code. If you'd give me few hints how you usually go about finding such information, I might try submitting the new message types as a PR.

Thank you

[jbaublitz]

Hi @vorner, in its current state, neli technically does support nflog at the socket level. If you do find out how nflog works, you could create your own structs that implement the Nl trait and make that the type of the Nlmsghdr payload (the P type parameter). If you do end up figuring out the structure of the protocol and want to have me support it in neli, I'd be happy to work it into the library upstream. I unfortunately don't know how the nflog protocol is structured, so I'm unable to give you any advice on how to structure it beyond general advice. /usr/include/linux/netfilter/nfnetlink_log.h seems to include the structures you want, but I'm uncertain where this protocol is used (my guess is some sort of logging for netfilter, but I've never used this protocol personally), so I don't think I would even be able to code against the messages the kernel generates like I did with some aspects of generic netlink. I hope this helps somewhat. If you get to the point where you have the necessary structs and they implement the Nl trait, I could certainly give you more guidance.

[vorner]

Thank you for the hint with nfnetlink_log.h. I guess I hoped for somewhat better documentation about how the protocol works, but this might be the missing link. I'll try to reverse-engineer it from some C examples.

The protocol is used to send copies of packets to userspace ‒ an iptables rule can be created and all applications connected to the relevant queue will get the packets to look at.

[jbaublitz]

I did also find this code. If you're familiar with Go, this might be helpful for reconstructing something in Rust. I would build support based on this code myself as I've written a fair amount of Go, but I have nothing I can really test it against as I don't know how nflog is used in Linux. If this helps you and you want to submit a PR, I'll gladly look it over. If you do, please also submit it with an example in the examples/ directory so I can test against it. For now, I'm going to close this out as I don't think I'll be able to help too much more here.

[vorner]

You could have just assigned the issue onto me, I'm working on this and I think I'm slowly getting somewhere. For now, I have code that's full of magic constants that'll have to be made into proper types and enums, but I'm reverse engineering the protocol slowly.

As for testing, there's not much, really. Just doing iptables -I INPUT -j NFLOG --nflog-group 0 and listening onto the group 0 should just start spitting packets, one message each. I just need to figure how to build the first few config messages to turn it on.

[jbaublitz]

I'll reopen and assign this to you.