Question

Both of the Netlink protocols NETLINK_FIREWALL (and NETLINK_IP6_FW) and NETLINK_NETFILTER are used to manipulate the Linux firewall.

So, is there a difference? If yes, which Netlink protocol serves which purpose?


Solution

A quick grep through the code shows that NETLINK_FIREWALL only occurs twice in the kernel:

include/uapi/linux/netlink.h
11:#define NETLINK_FIREWALL 3   /* Unused number, formerly ip_queue     */

security/selinux/hooks.c
1184:       case NETLINK_FIREWALL:
1185:           return SECCLASS_NETLINK_FIREWALL_SOCKET;

So, it's defined and the comment claims that it's unused, and it's only mentioned once, in type conversion code for selinux. There's never a call to netlink_kernel_create(), so NETLINK_FIREWALL is never hooked up. It won't do anything.

NETLINK_NETFILTER does have a netlink_kernel_create() call associated with it, so that's the interface you want to look at.

It's been a while, but I once implemented (partial) code for configuring netfilter rules and I remember doing that through a setsockopt() call, rather than through netlink sockets. I'm not sure what NETLINK_NETFILTER actually does.

A quick look through git log seems to suggest that NETLINK_NETFILTER is used to interface with things like connection tracking, not actually configuring firewall rules (which the iptables userspace command does).

If you actually want to create firewall rules (i.e. do what iptables does) you should be looking at libiptc (which is part of the iptables source tree). The interface for configuring these rules is complicated and undocumented.
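The answer's point that a netlink protocol number without a netlink_kernel_create() registration is not "hooked up" can be checked empirically on a running system: socket() refuses such a protocol with EPROTONOSUPPORT. The probe below is an added example, not code from the question or answer; it assumes a Linux host with the kernel UAPI headers installed, and that NETLINK_NETFILTER is served only when the nfnetlink module is loaded.

```c
/* Added example: probe which netlink protocol numbers the running kernel
 * actually serves. A protocol nobody registered with netlink_kernel_create()
 * makes socket() fail with EPROTONOSUPPORT, so NETLINK_FIREWALL and
 * NETLINK_IP6_FW are expected to fail and NETLINK_NETFILTER to succeed once
 * nfnetlink is loaded. Linux only (assumption: <linux/netlink.h> present). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Returns 0 if the kernel accepts this netlink protocol, otherwise the
 * errno reported by socket() (EPROTONOSUPPORT for an unregistered number). */
int probe_netlink_proto(int proto)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const struct { const char *name; int proto; } protos[] = {
        { "NETLINK_ROUTE",     NETLINK_ROUTE },     /* control: always served */
        { "NETLINK_FIREWALL",  NETLINK_FIREWALL },  /* 3, "unused" per header */
        { "NETLINK_IP6_FW",    NETLINK_IP6_FW },    /* 13, same situation */
        { "NETLINK_NETFILTER", NETLINK_NETFILTER }, /* 12, nfnetlink */
    };

    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
        int err = probe_netlink_proto(protos[i].proto);
        printf("%-18s (%2d): %s\n", protos[i].name, protos[i].proto,
               err ? strerror(err) : "served by the kernel");
    }
    return 0;
}
```

Running it as an unprivileged user is enough; creating the socket does not change any firewall state, it only asks the kernel whether a receiver for that protocol number exists.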

License: CC-BY-SA with attribution
Not affiliated with StackOverflow