
NFQ Support For Linux Distributions

Zenarmor (formerly Sensei) uses the netmap framework to access raw Ethernet frames, so the netmap framework must be present on your system to use all of Zenarmor's filtering features. Netmap is included and enabled by default in recent releases of FreeBSD (>= 10.x), OPNsense® and pfSense® software, so those firewall platforms are ready for Zenarmor as shipped.

However, to run Zenarmor in Routed Mode (L3 mode, reporting and blocking) on the supported Linux distributions (CentOS 7 and 8, Debian 10, Ubuntu 18.04 LTS and 20.04 LTS, and AlmaLinux 1), you must install netmap manually.

Netmap provides very fast and efficient packet I/O in the kernel, in userspace and on virtual machine platforms; it handles tens of millions of packets per second and keeps up with 10G and 40G ports even at minimum frame sizes. Installing and maintaining it on Linux is nevertheless difficult: it is an out-of-tree module that must be built against the running kernel, and not every NIC driver supports it. In practice, users who want netmap performance with Zenarmor have to buy specific network adapters, such as Intel-based ones, which have proven stable and fast.

Sunny Valley Networks developers have recently implemented NFQUEUE support in Zenarmor as an alternative to netmap for packet inspection. Linux users can configure Zenarmor to use NFQUEUE instead of installing and maintaining netmap. Because NFQUEUE is natively supported by the Linux kernel, Zenarmor can run on any supported Linux distribution without the driver restrictions that netmap imposes. NFQUEUE support arrived with Zenarmor (formerly Sensei) v1.10.

What is NFQUEUE?

Netfilter is a Linux kernel framework that enables various networking-related operations to be deployed in the form of customized handlers. Netfilter provides various packet filtering, network address translation, and port translation functions, as well as the functionality required for directing packets through a network and preventing packets from reaching sensitive network locations.

NFQUEUE (Netfilter Queue) is an iptables and ip6tables target (nftables offers the equivalent `queue` statement) that delegates the decision about a packet to a userspace program such as Zenarmor: the kernel holds the packet in a queue, hands it (or its metadata) to the program, and waits for a verdict. The kernel side speaks the nfnetlink protocol over a Netlink socket; userspace programs normally use the libnetfilter_queue library (libnetfilter_queue.so) rather than building the Netlink messages themselves.

NFQUEUE can be used for packet inspection, traffic filtering, or traffic shaping. In other words, it allows you to monitor, analyze, filter, and shape network traffic as needed. Both open-source and commercial intrusion prevention systems make extensive use of NFQUEUE targets.

Main Features

NFQUEUE has the following features:

  • Receiving queued packets from the kernel nfnetlink queue subsystem.
  • Issuing verdicts, and optionally reinjecting altered packets into the kernel nfnetlink queue subsystem.

How does NFQUEUE work?

NFQUEUE processes the network packets as described below.

  • When an iptables rule with the NFQUEUE target (or an nftables rule with a queue statement) matches, the kernel stops traversing the current chain and places the packet in a queue. It then builds an nfnetlink message containing the packet id, plus whatever the userspace program has asked to receive (packet data and/or metadata), and sends it to the program over a Netlink socket.
  • The userspace program must return a verdict telling the kernel whether to accept or drop the packet. Either verdict removes the packet from the queue: drop discards it, while accept lets it continue to the next rule or chain. Userspace may also modify the packet contents or its metadata (for example the packet mark or the conntrack mark). Because the verdict only needs to carry the packet id, it can be issued asynchronously, later and in any order.

The NFQUEUE target can steer packets into separate, numbered queues:

```shell
sudo iptables -A INPUT  -i eno1 -p tcp -j NFQUEUE --queue-bypass --queue-num 1
sudo iptables -A OUTPUT -o eno1 -p tcp -j NFQUEUE --queue-bypass --queue-num 0
sudo iptables -A INPUT  -i eno1 -p udp -j NFQUEUE --queue-bypass --queue-num 1
sudo iptables -A OUTPUT -o eno1 -p udp -j NFQUEUE --queue-bypass --queue-num 0
```

--queue-num option: selects the queue that matching packets are placed in. When a packet reaches an NFQUEUE target it is enqueued to the queue with this number; if the option is omitted, queue 0 is used. The queue number is a 16-bit unsigned integer, so any value from 0 to 65535 is valid. Queue 0 is also the queue used by the legacy QUEUE target.

--queue-bypass option: changes what happens when no userspace program is bound to the queue. By default such packets are dropped; with --queue-bypass the rule behaves like ACCEPT instead and the packet continues to the next rule. For an inline inspection engine this is a fail-open choice: if the engine has not started yet or has crashed, traffic passes uninspected rather than being blocked, so decide deliberately whether that is the behaviour you want.

With the iptables rules given above:

  • All TCP and UDP packets received on interface eno1 are sent to queue 1.
  • All TCP and UDP packets leaving through interface eno1 are sent to queue 0.
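To make the exchange described above concrete, here is an added example of a minimal userspace verdict program that speaks the nfnetlink_queue protocol directly over a Netlink socket instead of through libnetfilter_queue, so the bind request, the packet message coming from the kernel and the verdict going back are visible as bytes. It is not Zenarmor's code and not part of the netfilter project; the constants and struct layouts follow the Linux uapi headers linux/netfilter/nfnetlink.h and linux/netfilter/nfnetlink_queue.h. The `telnet_policy` decision, the queue numbers and the sample packet are assumptions constructed for illustration. `run_queue()` needs root on Linux and an NFQUEUE rule for its queue (for example the queue 1 rules above); every other function runs offline.

```python
"""Minimal NFQUEUE client over raw nfnetlink, without libnetfilter_queue. Added example, not
Zenarmor/netfilter code; layouts follow linux/netfilter/nfnetlink.h and nfnetlink_queue.h."""
import socket
import struct

NETLINK_NETFILTER, NFNL_SUBSYS_QUEUE, NLM_F_REQUEST = 12, 3, 0x1
NFQNL_MSG_PACKET, NFQNL_MSG_VERDICT, NFQNL_MSG_CONFIG = 0, 1, 2
NFQA_PACKET_HDR, NFQA_VERDICT_HDR, NFQA_MARK, NFQA_PAYLOAD = 1, 2, 3, 10
NFQA_CFG_CMD, NFQA_CFG_PARAMS, NFQNL_CFG_CMD_BIND, NFQNL_COPY_PACKET = 1, 2, 1, 2
NF_DROP, NF_ACCEPT = 0, 1
NLMSG_HDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid (host order)
NLA_HDR = struct.Struct("=HH")       # nlattr: len, type (host order)


def nla(attr_type, payload):
    """One netlink attribute, payload padded to a 4-byte boundary."""
    body = NLA_HDR.pack(NLA_HDR.size + len(payload), attr_type) + payload
    return body + b"\0" * (-len(body) % 4)

def nfq_message(msg_type, queue_num, attrs):
    """nlmsghdr + nfgenmsg + attrs: subsystem id in the high byte of nlmsg_type,
    queue number (--queue-num) in nfgenmsg.res_id, big-endian."""
    payload = struct.pack("=BB", socket.AF_UNSPEC, 0) + struct.pack("!H", queue_num) + b"".join(attrs)
    msg_type = (NFNL_SUBSYS_QUEUE << 8) | msg_type
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(payload), msg_type, NLM_F_REQUEST, 0, 0) + payload

def build_config(queue_num, copy_range=0xFFFF):
    """Two config messages: BIND this socket to queue_num, then ask for full packet copies."""
    cmd = struct.pack("=BB", NFQNL_CFG_CMD_BIND, 0) + struct.pack("!H", socket.AF_UNSPEC)
    params = struct.pack("!I", copy_range) + struct.pack("=B", NFQNL_COPY_PACKET)
    return [nfq_message(NFQNL_MSG_CONFIG, queue_num, [nla(NFQA_CFG_CMD, cmd)]),
            nfq_message(NFQNL_MSG_CONFIG, queue_num, [nla(NFQA_CFG_PARAMS, params)])]

def build_verdict(queue_num, packet_id, verdict, mark=None):
    """Verdict for one queued packet. Only the packet id is needed, so verdicts can be sent
    later and out of order; an NFQA_MARK attribute rewrites the packet mark on reinjection."""
    attrs = [nla(NFQA_VERDICT_HDR, struct.pack("!II", verdict, packet_id))]
    if mark is not None:
        attrs.append(nla(NFQA_MARK, struct.pack("!I", mark)))
    return nfq_message(NFQNL_MSG_VERDICT, queue_num, attrs)

def parse_attrs(data):
    """Walk a netlink attribute stream into {type: payload}."""
    attrs, off = {}, 0
    while off + NLA_HDR.size <= len(data):
        length, attr_type = NLA_HDR.unpack_from(data, off)
        if length < NLA_HDR.size:
            break
        attrs[attr_type & 0x3FFF] = data[off + NLA_HDR.size:off + length]  # strip NLA_F_* flags
        off += (length + 3) & ~3
    return attrs

def parse_packet(msg):
    """Decode an NFQNL_MSG_PACKET; None for anything else (NLMSG_ERROR, acks)."""
    length, msg_type = NLMSG_HDR.unpack_from(msg)[:2]
    if msg_type != (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_PACKET:
        return None
    attrs = parse_attrs(msg[NLMSG_HDR.size + 4:length])
    packet_id, hw_proto, hook = struct.unpack_from("!IHB", attrs[NFQA_PACKET_HDR])
    return {"queue": struct.unpack_from("!H", msg, NLMSG_HDR.size + 2)[0], "id": packet_id,
            "hw_proto": hw_proto, "hook": hook,
            "mark": struct.unpack("!I", attrs[NFQA_MARK])[0] if NFQA_MARK in attrs else 0,
            "payload": attrs.get(NFQA_PAYLOAD, b"")}

def telnet_policy(payload):
    """Hypothetical decision: drop IPv4 TCP segments to port 23, accept everything else."""
    if len(payload) < 20 or payload[0] >> 4 != 4 or payload[9] != 6:
        return NF_ACCEPT
    ihl = (payload[0] & 0x0F) * 4
    if len(payload) < ihl + 4:
        return NF_ACCEPT
    return NF_DROP if int.from_bytes(payload[ihl + 2:ihl + 4], "big") == 23 else NF_ACCEPT

def sample_packet_message(queue_num=1, packet_id=0x1234, dst_port=23):
    """Constructed stand-in for the kernel's message: IPv4/TCP SYN 10.0.0.1 -> 10.0.0.2."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    hdr = struct.pack("!IHB", packet_id, 0x0800, 1)  # packet_id, ETH_P_IP, NF_INET_LOCAL_IN
    return nfq_message(NFQNL_MSG_PACKET, queue_num, [nla(NFQA_PACKET_HDR, hdr), nla(NFQA_PAYLOAD, ip + tcp)])

def handle(msg, policy=telnet_policy):
    """One round trip: parse the kernel's message, decide, return the verdict to send back."""
    pkt = parse_packet(msg)
    return None if pkt is None else build_verdict(pkt["queue"], pkt["id"], policy(pkt["payload"]))

def run_queue(queue_num, policy=telnet_policy):
    """Bind to --queue-num queue_num and answer every queued packet. Needs root on Linux and
    an NFQUEUE rule for that queue, e.g. the iptables rules above."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    sock.bind((0, 0))
    for cfg in build_config(queue_num):
        sock.send(cfg)
    while True:
        buf, off = sock.recv(65536), 0
        while off + NLMSG_HDR.size <= len(buf):  # one recv() may carry several messages
            length = max(NLMSG_HDR.unpack_from(buf, off)[0], NLMSG_HDR.size)
            reply = handle(buf[off:off + length], policy)
            if reply:
                sock.send(reply)
            off += (length + 3) & ~3
```

Run `run_queue(1)` as root alongside the queue 1 rules above and connections to TCP port 23 arriving on eno1 are dropped while everything else is accepted. Because those rules carry `--queue-bypass`, stopping the program makes the kernel accept the same packets unseen; drop the option if you would rather fail closed. For production use, libnetfilter_queue handles the Netlink framing, batching and error messages that this example only sketches.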