tcpdump mailing list archives

Request for a DLT value (for nflog)


From: Jakub Zawadzki <darkjames-ws () darkjames pl>
Date: Mon, 20 Jun 2011 12:21:32 +0200

Hi,

== START OF LEGAL NOTES ==
I haven't read any documentation of nfnetlink, and this information was obtained purely
from reading the header and source files of the Linux kernel, libnfnetlink[1] and libnetfilter_log[2].
== END :-) ==

!!! All structures are aligned to 4B !!!

DLT_NFLOG starts with struct nfgenmsg header defined in <linux/netfilter/nfnetlink.h>,
which looks like (changed to stdint.h types + my comments in /** **/):

struct nfgenmsg {
  uint8_t nfgen_family; /* AF_xxx */
                        /** Linux AF-VALUES, AF_INET=2, AF_INET6=10 **/
  uint8_t version;      /* nfnetlink version */
                        /** For now only NFNETLINK_V0 = 0 **/
  uint16_t res_id;      /* resource id */
                        /** on one netlink socket it's possible to listen to
                         ** several nflog-groups. Value in BIG ENDIAN **/
};

After which follow any number of TLVs.

(Structure from the <linux/netfilter/nfnetlink_compat.h> header)

struct nfattr {
  uint16_t nfa_len;       /** length, including 4 bytes of header, host-order **/
  uint16_t nfa_type;  /* we use 15 bits for the type, and the highest
                       *bit to indicate whether the payload is nested */
                      /** type, host-order **/

  /** uint8_t nfa_data[nfattr.nfa_len-4] **/
};

Known types are defined in enum nfulnl_attr_type (<linux/netfilter/nfnetlink_log.h>)

Some of these include:
  - NFULA_PAYLOAD=0x9 /* opaque data payload */
    /** nfgen_family payload **/
  - NFULA_PREFIX=0xa /* string prefix */
    /** prefix (from --nflog-prefix) NUL-terminated */
  - NFULA_UID=0xb  /* user id of socket */
     /** 4B in BE */
  - NFULA_GID=0xe  /* group id of socket */
     /** 4B in BE */
  ...

Regards,
 Jakub Zawadzki.

[1] http://www.netfilter.org/projects/libnfnetlink/
[2] http://www.netfilter.org/projects/libnetfilter_log/
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
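A parser for the record layout described in the message above, as an added example that is not from the original post nor from libpcap or libnetfilter_log; struct nflog_info, put_tlv, build_sample and the sample bytes are constructed for this illustration. It treats nfa_len/nfa_type as host-order and res_id/NFULA_UID as big-endian, as the message states, and rejects a truncated record or an attribute whose length is below 4 or runs past the buffer, which is the check a dissector needs before it trusts nfa_len.

```c
#include <stdint.h>
#include <string.h>
#define NFULA_PAYLOAD 0x9
#define NFULA_PREFIX  0xa
#define NFULA_UID     0xb
#define NFA_ALIGN(n)  (((n) + 3u) & ~3u)   /* all structures are aligned to 4B */
struct nflog_info { uint8_t family; uint16_t res_id; uint32_t uid; char prefix[32]; size_t payload_len; };

/* Parse one DLT_NFLOG record (nfgenmsg + TLVs): returns the TLV count, or -1 if truncated/bogus. */
int parse_nflog(const uint8_t *buf, size_t len, struct nflog_info *out) {
    size_t off = 4; int count = 0; memset(out, 0, sizeof *out);
    if (len < 4 || buf[1] != 0) return -1;                 /* no header, or not NFNETLINK_V0 */
    out->family = buf[0];
    out->res_id = (uint16_t)((buf[2] << 8) | buf[3]);      /* res_id is big-endian */
    while (off + 4 <= len) {
        uint16_t nfa_len, nfa_type;
        memcpy(&nfa_len, buf + off, 2);                    /* host order of the capturing host */
        memcpy(&nfa_type, buf + off + 2, 2);
        nfa_type &= 0x7fff;                                /* high bit flags nesting, not a type */
        if (nfa_len < 4 || nfa_len > len - off) return -1; /* bogus or truncated attribute */
        const uint8_t *d = buf + off + 4; size_t dlen = nfa_len - 4, n = 0;
        if (nfa_type == NFULA_PREFIX) {                    /* NUL-terminated, but bounded by dlen */
            while (n < dlen && n < sizeof out->prefix - 1 && d[n]) { out->prefix[n] = (char)d[n]; n++; }
            out->prefix[n] = '\0';
        } else if (nfa_type == NFULA_UID && dlen == 4) {   /* 4B big-endian */
            out->uid = (uint32_t)d[0] << 24 | (uint32_t)d[1] << 16 | (uint32_t)d[2] << 8 | d[3];
        } else if (nfa_type == NFULA_PAYLOAD) {
            out->payload_len = dlen;                       /* opaque L3 packet; nfgen_family says which */
        }
        off += NFA_ALIGN(nfa_len); count++;                /* step over the padding too */
    }
    return count;
}
/* The two helpers below only build a constructed sample record for the demonstration. */
static size_t put_tlv(uint8_t *dst, uint16_t type, const void *data, uint16_t dlen) {
    uint16_t nfa_len = (uint16_t)(4 + dlen);
    memcpy(dst, &nfa_len, 2); memcpy(dst + 2, &type, 2); memcpy(dst + 4, data, dlen);
    memset(dst + nfa_len, 0, NFA_ALIGN(nfa_len) - nfa_len);  /* zero the 4B padding */
    return NFA_ALIGN(nfa_len);
}
size_t build_sample(uint8_t *buf) {   /* AF_INET, NFNETLINK_V0, nflog group 5, three TLVs */
    static const uint8_t uid_be[4] = {0, 0, 3, 0xe8};               /* uid 1000, big-endian */
    static const uint8_t ip[8] = {0x45, 0, 0, 0x1c, 0, 0, 0x40, 0}; /* start of an IPv4 header */
    size_t off = 4;
    buf[0] = 2; buf[1] = 0; buf[2] = 0; buf[3] = 5;
    off += put_tlv(buf + off, NFULA_PREFIX, "DROP:", 6);            /* 6 bytes incl. NUL */
    off += put_tlv(buf + off, NFULA_UID, uid_be, 4);
    off += put_tlv(buf + off, NFULA_PAYLOAD, ip, sizeof ip);
    return off;                                                     /* 36 bytes */
}
```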

