nflog-go is a wrapper library for libnetfilter_log. The goal is to provide a library that gives access to packets queued by the kernel packet filter.
It is important to note that these bindings will not blindly follow the libnetfilter_log API. For example, some higher-level wrappers will be provided for the open/bind/create mechanism (using one function call instead of three).
The API is not yet stable.
To use the library, a program must:
- use the same group number as the --nflog-group from the iptables rules, see below
You must add netfilter rules that send packets to the userspace queue. The queue number (the --nflog-group option in netfilter) must match the number passed to create_queue().
Example of iptables rules:
iptables -A OUTPUT --destination 220.127.116.11 -j NFLOG --nflog-group 0
Of course, you should be more restrictive, depending on your needs.
nflog-go does not require root privileges, but it needs to open a netlink socket and send packets to, and receive packets from, the kernel.
You have several options:
- grant the binary the CAP_NET_ADMIN capability: setcap 'cap_net_admin=+ep' /path/to/program
- run as root and drop privileges
Note that CAP_NET_ADMIN also permits changing firewall rules and interface configuration, so grant it only to the one binary that needs it and keep that binary minimal.
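The "run as root and drop privileges" option, as an added example that is not part of nflog-go: it opens the same NETLINK_NETFILTER socket the library uses underneath while still privileged, then switches to an unprivileged identity and verifies the drop cannot be undone. It assumes Linux and uses the standard syscall package directly rather than the nflog-go API; the uid/gid 65534 in main is a placeholder for a dedicated service account.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// OpenNetfilterNetlink opens the raw netlink socket that libnetfilter_log
// uses underneath. Creating it needs no privilege, but binding to an NFLOG
// group does, so a root-started program opens and binds while privileged and
// keeps the descriptor across the uid change.
func OpenNetfilterNetlink() (int, error) {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW|syscall.SOCK_CLOEXEC, syscall.NETLINK_NETFILTER)
	if err != nil {
		return -1, fmt.Errorf("socket(AF_NETLINK, NETLINK_NETFILTER): %w", err)
	}
	return fd, nil
}

// DropPrivileges permanently switches the process to uid/gid. Order matters:
// supplementary groups and gid first (they need root), uid last.
func DropPrivileges(uid, gid int) error {
	if os.Getuid() == 0 {
		// Only root may reset supplementary groups; skip when already unprivileged.
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid(%d): %w", gid, err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid(%d): %w", uid, err)
	}
	// Verify the drop is irreversible: regaining root must now fail.
	if uid != 0 && syscall.Setuid(0) == nil {
		return fmt.Errorf("privilege drop failed: setuid(0) still succeeds")
	}
	if os.Getuid() != uid || os.Getgid() != gid {
		return fmt.Errorf("privilege drop incomplete: uid=%d gid=%d", os.Getuid(), os.Getgid())
	}
	return nil
}

func main() {
	fd, err := OpenNetfilterNetlink()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer syscall.Close(fd)
	// Placeholder unprivileged identity (assumption); use a dedicated account in practice.
	if err := DropPrivileges(65534, 65534); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("netlink fd %d kept open, now running as uid %d\n", fd, os.Getuid())
}
```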
This library is licensed under the GNU General Public License version 2, or (at your option) any later version.