Network coding isn't all about hacking your kernel and corrupting your filesystems. It's also about fucking things up badly in userspace, as we're about to see.
Using the netfilter_dev device, almost anything which can be done inside the kernel can now be done in userspace. This means that, with some speed penalty, you can develop your code entirely in userspace. Unless you are trying to filter large bandwidths, you should find this approach superior to in-kernel packet mangling.
In the very early days of netfilter, I proved this by porting an embryonic version of iptables to userspace. Netfilter opens the doors for more people to write their own, fairly efficient netmangling modules, in whatever language they want.
You need to create a character device called `/dev/netfilter_ipv4'. I'm currently using the temporary major number 120 (reserved for LOCAL/EXPERIMENTAL USE); the minor number represents the protocol (see linux/include/linux/socket.h), which for ipv4 (PF_INET) is 2. Hence the command to create /dev/netfilter_ipv4 is:
# mknod /dev/netfilter_ipv4 c 120 2
#
Note that this number will change later, to an official one. See linux/include/linux/netfilter_dev.h.
You can simply read from the device, and you will see an information header followed by the packet. You can seek and read as normal, but writing only works in the packet part of the device.
The header is a `struct nfdev_head', which contains:
The in interface name. May be the empty string.
The out interface name. May be the empty string.
The length of the packet; this, plus the size of the header, gives the largest offset you can seek to or read from.
The skbuff's nfmark field.
The skbuff's nfreason field.
The hook the packet was queued from.
You can read as much or as little as you like. When you are finished with the packet, you do an NFDIOSVERDICT ioctl(), handing it a pointer to a `struct nfdev_verdict'. This structure specifies the verdict (NF_ACCEPT, NF_DROP or NF_QUEUE), the new packet length (currently this cannot be used to grow the packet), the new nfmark value, and the new nfreason value.
The `passer' program in the test/ subdirectory gives a simple example of a program which simply returns NF_ACCEPT for each packet which is queued. In conjunction with the iptables `-j QUEUE' target, this can be developed into a simple userspace examination program.
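A `passer'-style examination program with a small policy, added here as an example; it is not the passer program from test/. The struct layouts and field names, the verdict numbers and the NFDIOSVERDICT value are assumptions (the placeholder ioctl number must be replaced with the one from linux/include/linux/netfilter_dev.h), and the sample packet is constructed for the test.

```c
/* Added example (not the netfilter tree's own `passer'): the struct layouts and
 * ioctl number are assumptions; take the real ones from netfilter_dev.h. */
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#define NF_DROP   0                 /* standard netfilter verdict values */
#define NF_ACCEPT 1
#define NFDIOSVERDICT 0             /* PLACEHOLDER: real value is in netfilter_dev.h */
struct nfdev_head {                 /* assumed layout of the information header */
    char in[16], out[16];           /* interface names, "" when not applicable */
    uint32_t len, nfmark, nfreason, hook;   /* len = packet bytes after header */
};
struct nfdev_verdict { uint32_t verdict, len, nfmark, nfreason; };
/* Decide on one queued packet (header + IPv4 packet as read from the device):
 * drop if the IPv4 header is truncated or claims more bytes than were queued,
 * else accept and copy the IP protocol into nfmark for later iptables rules. */
uint32_t examine(const unsigned char *buf, size_t n, struct nfdev_verdict *v)
{
    const struct nfdev_head *h = (const struct nfdev_head *)buf;
    const unsigned char *ip = buf + sizeof *h;
    memset(v, 0, sizeof *v);                    /* starts out as NF_DROP */
    if (n < sizeof *h) return NF_DROP;
    v->len = h->len; v->nfmark = h->nfmark; v->nfreason = h->nfreason;
    if (n - sizeof *h < 20 || (ip[0] >> 4) != 4) return NF_DROP;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || tot < ihl || tot > h->len) return NF_DROP;
    v->nfmark = ip[9];                          /* IP protocol, 6 for TCP */
    return v->verdict = NF_ACCEPT;              /* len unchanged: cannot grow */
}
/* Constructed test input: header for a `len'-byte packet plus a minimal IPv4
 * header claiming `tot' total bytes and protocol `proto' (only 20 bytes read). */
size_t build_sample(unsigned char *buf, uint32_t len, uint16_t tot, uint8_t proto)
{
    struct nfdev_head h = { "eth0", "", len, 0, 0, 0 };
    unsigned char ip[20] = { 0x45, 0, tot >> 8, tot & 0xff, 0, 0, 0, 0, 64, proto };
    memcpy(buf, &h, sizeof h); memcpy(buf + sizeof h, ip, sizeof ip);
    return sizeof h + sizeof ip;
}
/* Service loop, like `passer' but with the policy above: read, decide, verdict. */
int run(const char *dev)
{
    static unsigned char buf[sizeof(struct nfdev_head) + 65535];
    int fd = open(dev, O_RDWR);
    if (fd < 0) return -1;
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0; ) {
        struct nfdev_verdict v;
        examine(buf, (size_t)n, &v);            /* header then packet, as read */
        if (ioctl(fd, NFDIOSVERDICT, &v) < 0) break;
    }
    return close(fd);
}
```

Call run("/dev/netfilter_ipv4") from main once the device node exists and an iptables rule with `-j QUEUE' feeds it packets.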
When a program first opens `/dev/netfilter_ipv4', it gets all IPv4 packets on any hook, because the netfilter device registers an initial condition of `any hook, any mark, any reason'. There are two ioctls used to delete and add other specifications; usually this catch-all specification is deleted first, any packets drained from the queue, and then the specifications you want added.
Both the NFDIOSADDCOND and NFDIOSDELCOND ioctls take a pointer to a `struct nfdev_condition', which contains a hook mask, a mark value, and a reason value: see the section on Processing Queued Packets above for the meanings of these values.