florianl / go-nfqueue Goto Github PK

Under load it is likely that any reading operation will get the enobuf error, and the default error handling stop reading at this point.

To make things worse there is no way for the application to know that something wrong has happened apart from the fact that it stop getting callbacks.

Right now robust application MUST write their own error handling to avoid those problems. This is probably the right solution and it should just be documented.

But in addition to documenting the behaviour it is probably better to ignore by default enobuf errors.

Currently, this project has three different git tags

• v1.0.0
• v1.1.0
• v2.0.0

All three of them are not reflected in https://github.com/florianl/go-nfqueue/blob/master/go.mod and vice versa. In addtion, this leads to confusion for some users.

As most users of this pkg are using go modules, I will delete these git tags to reduce confusion in the future.

Therefore, on September 1st 2020 I will delete the git tags.

If there are concerns with the removal of these git tags, please speak up.

In the past git tag versioning and Go module versioning diverged on this repository. As a result there are pitfalls to using this Go package.

• Clarity and Consistency: Matching the Go module version with a Git tag creates a clear correspondence between the code and its version. This makes it easier for developers to understand exactly which code revision they are using.

• Dependency Management: The go tool relies on Git tags to identify specific versions of Go modules. When the module version and Git tag are aligned, the go tool can effortlessly download and manage dependencies. This ensures everyone using your module gets the intended version.

• Version Discovery: Proxy services like the Go proxy (https://proxy.golang.org/) use Git tags to discover new module versions. Aligning the versions allows for faster discovery and adoption of new releases by consumers of your module.

To start aligning git tags with Go module versions, the following changes are planned for May 2024::

Introduce a new major git tag

Use this new major git tag as Go module version

From this point onwards major git tags should always be aligned with Go module versions.

I am trying to process TCP payload to perform HTTP header data checks before deciding on verdict.

I have notice the HTTP payload is not received as part of the packet copied to the callback function.

Please do you know how can achieve this? is there a specific flag or strategy I can use to achieve this?

Please suggest.

Thanks

Hi,

I am trying to modify a DNS packet and need some help.
Currently I am receiving following payload via nfqueue.Attribute:

00000000  45 00 00 48 7a 24 40 00  40 11 27 51 0a 00 42 fe  |E..Hz$@.@.'Q..B.|
00000010  0a 00 42 32 00 35 92 c8  00 34 4e da 32 c9 81 80  |..B2.5...4N.2...|
00000020  00 01 00 01 00 00 00 00  06 67 69 74 68 75 62 03  |.........github.|
00000030  63 6f 6d 00 00 01 00 01  c0 0c 00 01 00 01 00 00  |com.............|
00000040  00 04 00 04 8c 52 79 03                           |.....Ry.|

And my goal is to change the IP address from 140.82.121.3 to 140.82.212.3.
Then the payload looks like:

00000000  45 00 00 48 7a 24 40 00  40 11 27 51 0a 00 42 fe  |E..Hz$@.@.'Q..B.|
00000010  0a 00 42 32 00 35 92 c8  00 34 4e da 32 c9 81 80  |..B2.5...4N.2...|
00000020  00 01 00 01 00 00 00 00  06 67 69 74 68 75 62 03  |.........github.|
00000030  63 6f 6d 00 00 01 00 01  c0 0c 00 01 00 01 00 00  |com.............|
00000040  00 04 00 04 8c 52 d4 03                           |.....R..|

If I now run the packet via SetVerdictModPacketWithMark(id, 1, nfqueue.NfAccept, packet).
The modified packet wont be submitted. I also tried to simply send the original payload:

SetVerdictModPacketWithMark(id, 1, nfqueue.NfAccept, *attr.Payload)

Which doesn't work either. Have I misunderstood the function or is something fishy here =?

Kind regards,
zauberstuhl

Hello, How can i get ip and port from incoming packet?

In [1] a default value is defined for the NfQueue maximum length. If not set explicit, the default value for this parameter [2] in this Go implementation is 0. This can result in unexpected behaviour. Therefore, find a way to check if MaxQueueLen is set - if not use the kernel default value.

[1] https://github.com/torvalds/linux/blob/cd8dead0c39457e58ec1d36db93aedca811d48f1/net/netfilter/nfnetlink_queue.c#L51
[2] https://github.com/florianl/go-nfqueue/blob/master/types.go#L22

Is it possible to modify the packet content with go-nfqueue, I couldn't see an example of how to achieve this. Some of the other modules out there do permit modifying the packet data, but they rely on the C library. I'd much prefer to stay 100% go only.