nfq-go is a Go library that wraps libnetfilter_queue. It aims to:
- contain a minimal amount of C code
- be thread-safe (including closing the queue handler)
import nfq "github.com/hownetworks/nfq-go"To creaate a new queue handle call New with the queue number (0 in the following example) and a callback for receiving packets:
queue, err := nfq.New(0, func(pkt nfq.Packet) {
...
})You should give every packet a verdict. Do this by calling one of the methods outlined below. Note that giving a verdict more than once for a single packet produces an error.
Let the packet pass the filter with a NF_ACCEPT verdict:
err := pkt.Accept()Drop the packet with NF_DROP:
err := pkt.Drop()Pass the packet through the filter again with NF_REPEAT:
err := pkt.Repeat()Send the packet to some (other) queue with NF_QUEUE - this also requires the queue number:
err := pkt.Queue(5)Use WithData(data []byte) and WithMark(mark uint32) to modify the packet's data and mark. Instead of modifying the original these methods return a new Packet and can be chained.
As an example, here's how to (re)queue the packet to queue number 5, this time its data set to newData and mark set to 1234:
err := pkt.WithData(newData).WithMark(1234).Queue(5)At any point you can close the queue handle:
queue.Close()