Pablo: Created page with "= Basic operation = '''Important note''': You require a Linux kernel 3.14 to enqueue packets to userspace using nftables. Like in ''iptables'', you can use the nfqueue infra..."

2016-07-13T17:57:43Z

Created page with "= Basic operation = '''Important note''': You require a Linux kernel 3.14 to enqueue packets to userspace using nftables. Like in ''iptables'', you can use the nfqueue infra..."

New page

= Basic operation =

'''Important note''': You require a Linux kernel 3.14 to enqueue packets to userspace using nftables.

Like in ''iptables'', you can use the nfqueue infrastructure to enqueue packet to your userspace application that uses the [http://www.netfilter.org/projects/libnetfilter_queue/ libnetfilter_queue] library.

You can just test this with the example application:

<source lang="bash">
libnetfilter_queue/utils% ./nfqnl_test
</source>

After that, you have to add the rule to enqueue packets to userspace. If no queue is specified, the packet are sent to the queue number 0:

<source lang="bash">
% nft add filter input counter queue
</source>

Then, you should start seeing packet when generating some traffic:

<source lang="bash">
...
pkt received
hw_protocol=0x0800 hook=1 id=28 hw_src_addr=00:80:48:52:ff:8a indev=3 uid=1000 gid=1000 payload_len=110
entering callback
pkt received
hw_protocol=0x0800 hook=1 id=29 hw_src_addr=00:80:48:52:ff:8a indev=3 uid=1000 gid=1000 payload_len=98
entering callback
...
</source>

There are up to 65535. You can select a different queue with the following command:

<source lang="bash">
% nft add filter input counter queue num 3
</source>

Then, you have to launch the test application including the argument that indicates the queue number to listen for packets:

<source lang="bash">
libnetfilter_queue/utils% ./nfqnl_test 3
</source>

'''Important note''': If there is no userspace application listening to that queue, then all packets will be dropped.

= A bit more advanced configuration =

You can also enable the ''bypass'' option which will skip the enqueue of the packet to userspace if no application is listening to the queue. The rule will behave as an ''accept'' rule if there is no application waiting for packet.

<source lang="bash">
% nft add filter input counter queue num 0 bypass
</source>

You can also load balance traffic to several queues:

<source lang="bash">
% nft add filter input counter queue num 0-3
</source>

Thus, the queue number from 0 to 3 will be used for this. You can run four instances of ''nfqnl_test'' to test this.

<source lang="bash">
libnetfilter_queue/utils% ./nfqnl_test 0 &
libnetfilter_queue/utils% ./nfqnl_test 1 &
libnetfilter_queue/utils% ./nfqnl_test 2 &
libnetfilter_queue/utils% ./nfqnl_test 3 &
</source>

When doing load balancing, you can optionally use the ''fanout'' option to use the CPU ID as an index to map packets to the queues. The idea is that you can improve performance if there's a queue/userspace application per CPU:

<source lang="bash">
% nft add filter input counter queue num 0-3 fanout
</source>

Of course, the options can be combined, so you can for example use:

<source lang="bash">
% nft add filter input counter queue num 0-3 fanout,bypass
</source>

Queueing to userspace - Revision history

Pablo: Created page with "= Basic operation = '''Important note''': You require a Linux kernel 3.14 to enqueue packets to userspace using nftables. Like in ''iptables'', you can use the nfqueue infra..."