Next Previous Contents

4. Questions about netfilter development

4.1 I don't understand how to use the QUEUE target from userspace

A library called libipq is provided for userspace packet handling. There is now documentation for this in the form of man pages. You need to build and install the iptables development components:

make install-devel

then see libipq(3).

You may also be interested in the Perl bindings for libipq, Perlipq at: The binding itself is an example of using the library.

Other code examples include:

4.2 My libipq application says "Failed to received netlink message: No buffer space available"

This means that the kernel-side Netlink socket buffer ran out of space; the userspace application is not able to handle the amount of data being delivered from the kernel.

Is it possible to make those kernel buffers bigger so that I don't run into this problem?

Yes, these are standard Netlink sockets, and you can tune their receive buffer sizes via /proc/sys/net/core, sysctl, or use the SO_RCVBUF socket option on the file descriptor.

You can also try ensuring that your application is reading any received data as quickly as possible. If you don't need the entire packet, try copying less data to userspace (see ipq_set_mode(3)).

4.3 I want to contribute some code, but have no idea what to do

The netfilter core-team keeps a TODO list where it lists all the desired changes / new features. You can retrieve this list via anonymous SVN, instructions are on the netfilter Homepage. Alternatively you can also go to using CVSweb.

4.4 I've fixed a bug or written an extension. How do I contribute it?

If you want to publish it, please send it to the netfilter-devel mailinglist. Subscription instructions are at

The correct way of sending a patch is the following :

If you wrote a new extension, or added some new options to an old extension, it's usually a good idea to also update the netfilter-extension-HOWTO to include that new extension/functionality description. Additionally, it will draw more users to your extension, and will allow you to get more feedback in general.

4.5 Is there an C/C++ API for adding/removing rules?

The answer unfortunately is: No.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.

Next Previous Contents