Netfilter queue packet/nfqueue

Description

This module uses the netfilter queue library to capture packets from a given network interface.

This module installs iptables rules in the raw table during its initialization. The table is cleared when the application terminates.

When using this module, haka needs to be run with the appropriate permissions.

Parameters

interfaces

Comma-separated list of interfaces, or the any keyword to capture on all of them.

Example :

# Capture loopback traffic
interfaces = "lo"
# Capture on interface eth1 and eth2
# interfaces = "eth1, eth2"
# Capture on all interfaces
# interfaces = "any"

dump=[yes|no]

Enable dumping feature.

dump_input=`file`

Save all received packets to a pcap file.

dump_output=`file`

Save packets that were accepted to a pcap file.

Example :

dump = true
dump_input = "/tmp/input.pcap"

enable_iptables=[yes|no]

Default value: yes

Enable the iptables rules. If set to no, the user should create the iptables rules that select the traffic to send through haka.

Customize iptables rules

By default, Haka creates iptables rules to process all traffic. However, the user can customize the rules by setting the option enable_iptables=no. In this mode, Haka only creates rules in the targets HAKA-PRE and HAKA-OUT. It does not change any other rule in the raw table and relies on the user's rules to receive packets.

Haka targets

You first need to create two custom targets named HAKA-PRE and HAKA-OUT. Haka overrides the contents of these targets when it starts. Any packet sent to these targets is processed by Haka.

# iptables -t raw -N HAKA-PRE
# iptables -t raw -N HAKA-OUT

The target HAKA-PRE should be used for rules in PREROUTING, and HAKA-OUT for rules in OUTPUT.

Custom rules

It is then possible to create new rules that send some traffic to Haka. For instance, the following rules send all packets to Haka:

# iptables -t raw -A PREROUTING -j HAKA-PRE
# iptables -t raw -A OUTPUT -j HAKA-OUT

Note

This is what Haka does by default, that is, when enable_iptables is set to yes.

To send only UDP packets to Haka instead, create the following rules:

# iptables -t raw -A PREROUTING -p udp -j HAKA-PRE
# iptables -t raw -A OUTPUT -p udp -j HAKA-OUT

You can write more complex rules using iptables features to select precisely which packets should be processed and which should not. This enables seamless integration of Haka with iptables.
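The procedure above (create the two targets, hook them from PREROUTING and OUTPUT, narrow the match) as one script, added here as an example rather than code shipped with Haka. It prints the iptables commands for review before anything is applied, so the rule set can be checked while Haka runs with enable_iptables=no, and it also generates the matching removal commands. The IPT, TABLE and SELECTOR variables, the function names and the apply/remove/status sub-commands are this script's own conventions, not Haka options; applying or querying the rules requires root.

```shell
#!/bin/sh
# Added example (not part of Haka): generate, review, apply and remove the
# raw-table rules that hand selected traffic to the HAKA-PRE / HAKA-OUT targets
# when Haka is started with enable_iptables=no. IPT, TABLE, SELECTOR and the
# function names below are assumptions of this script, not Haka settings.

IPT="${IPT:-iptables}"          # iptables binary (override with IPT=ip6tables)
TABLE=raw                       # Haka expects its targets in the raw table
# Match expression inserted into each hook rule; empty means "all packets".
# Examples: "-p udp", "-p tcp --dport 80", "-i eth1 -p udp"
SELECTOR="${SELECTOR:-}"

# Print the commands that create the two targets and the rules feeding them.
# Nothing is executed here, so the output can be reviewed (or tested) first.
haka_rules() {
    sel="$1"
    printf '%s -t %s -N HAKA-PRE\n' "$IPT" "$TABLE"
    printf '%s -t %s -N HAKA-OUT\n' "$IPT" "$TABLE"
    printf '%s -t %s -A PREROUTING %s-j HAKA-PRE\n' "$IPT" "$TABLE" "${sel:+$sel }"
    printf '%s -t %s -A OUTPUT %s-j HAKA-OUT\n' "$IPT" "$TABLE" "${sel:+$sel }"
}

# Print the commands that undo haka_rules: unhook the targets, flush, delete.
haka_cleanup() {
    sel="$1"
    printf '%s -t %s -D PREROUTING %s-j HAKA-PRE\n' "$IPT" "$TABLE" "${sel:+$sel }"
    printf '%s -t %s -D OUTPUT %s-j HAKA-OUT\n' "$IPT" "$TABLE" "${sel:+$sel }"
    printf '%s -t %s -F HAKA-PRE\n' "$IPT" "$TABLE"
    printf '%s -t %s -F HAKA-OUT\n' "$IPT" "$TABLE"
    printf '%s -t %s -X HAKA-PRE\n' "$IPT" "$TABLE"
    printf '%s -t %s -X HAKA-OUT\n' "$IPT" "$TABLE"
}

# Execute each generated line in order, echoing it, stopping at the first failure.
run_lines() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

# Show which raw-table rules currently route traffic to Haka (needs root).
haka_status() {
    "$IPT" -t "$TABLE" -S PREROUTING | grep -- '-j HAKA-PRE' || echo "no PREROUTING hook"
    "$IPT" -t "$TABLE" -S OUTPUT | grep -- '-j HAKA-OUT' || echo "no OUTPUT hook"
}

case "${1:-show}" in
    apply)   haka_rules "$SELECTOR" | run_lines ;;
    remove)  haka_cleanup "$SELECTOR" | run_lines ;;
    status)  haka_status ;;
    *)       haka_rules "$SELECTOR" ;;   # default: only print the commands
esac
```

Typical use is `SELECTOR="-p udp" sh haka-rules.sh` to review the generated commands, then the same invocation with `apply` as root once Haka's own targets are in place; `remove` restores the raw table when Haka is retired. Because HAKA-PRE and HAKA-OUT are managed by Haka, the script never adds rules inside them, only the hooks that feed them.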