How can I get these packets in the user space application? Performance Issues?

Steven J Scott sjscott at
Thu Dec 9 18:25:33 CET 2004

Hello Henrik and Maarten,

Thanks for the replies btw.

I am matching the source port in the kernel module, and then parsing the 
payload in the user space.  If there is a match it's sent to NF_QUEUE.  In 
the user space app I am looking for certain criteria in the payload 
portion of the packet and then making a decision to accept or drop. 

My parsing algorithm consists of about 15 different checks per matching 
packet sent from the kernel module.  It's not that complicated, but I was 
wondering from a performance standpoint if it was better to implement 
everything into kernel space?  The amount of network traffic being 
filtered will be relatively small.  On the size of maybe 2mb per second.

I don't think this is possible with IPTABLES... Please correct me if I'm 

Thanks again,

Rockwell Automation / Advanced Technology
sjscott at
(This email was sent via Notes running on Linux)

Henrik Nordstrom <hno at>
09/12/2004 11:02 AM

        To:     Steven J Scott <sjscott at>
        cc:     netfilter-devel at
        Subject:        Re: How can I get these packets in the user space application? Performance 

On Thu, 9 Dec 2004, Steven J Scott wrote:

> I have a side question on this.  I have a kernel module that creates a
> netfilter hook that looks for packets with a certain source port, and 
> directs them to NF_QUEUE, and I have a user space application that 
> receives the queued packets.
> Since I am only queuing packets I want to monitor/modify is my 
> hit significant?  Or am I better off doing everything within the kernel
> module?

Only the packets you return NF_QUEUE on receive a noticeable performance 

But if all you do is to look into the source port then why not use plain 
iptables for the match?
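As an added illustration (not code from this thread), here is a Python sketch of the user-space side Steven describes: a queued IPv4/TCP packet is parsed, the payload is run through a list of checks, and a netfilter verdict is returned. The source port 5000, the "CMD " magic and the three checks are constructed placeholders; in real use the raw packet would arrive through an NFQUEUE binding rather than from the constructed builder below, and the port match itself would live in a plain iptables rule as Henrik suggests.

```python
import struct

NF_DROP, NF_ACCEPT = 0, 1  # netfilter verdict values returned to the kernel

def parse_tcp_payload(raw):
    """Return (src_port, payload) for a raw IPv4/TCP packet, or None if malformed."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None                      # too short or not IPv4
    ihl = (raw[0] & 0x0F) * 4            # IP header length from IHL field
    if ihl < 20 or len(raw) < ihl + 20 or raw[9] != 6:
        return None                      # bad IHL, truncated, or not TCP
    sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4         # TCP header length from data offset
    if doff < 20 or len(raw) < ihl + doff:
        return None                      # truncated TCP header
    total_len = struct.unpack("!H", raw[2:4])[0]
    end = min(total_len, len(raw))       # ignore trailing bytes past IP total length
    return sport, raw[ihl + doff:end]

def verdict(raw, expected_sport, checks):
    """Decide ACCEPT/DROP for one queued packet; malformed input fails closed."""
    parsed = parse_tcp_payload(raw)
    if parsed is None:
        return NF_DROP
    sport, payload = parsed
    if sport != expected_sport:
        return NF_ACCEPT                 # not a packet the kernel match should have queued
    return NF_ACCEPT if all(check(payload) for check in checks) else NF_DROP

# Constructed placeholder checks standing in for the ~15 payload criteria.
CHECKS = [
    lambda p: len(p) >= 4,                       # minimum message length
    lambda p: p.startswith(b"CMD "),             # constructed application magic
    lambda p: all(32 <= b < 127 for b in p),     # printable ASCII only
]

def build_packet(sport, payload):
    """Constructed IPv4/TCP test packet (checksums zeroed; test data only)."""
    tcp = struct.pack("!HHIIHHHH", sport, 5000, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

if __name__ == "__main__":
    print(verdict(build_packet(5000, b"CMD hello"), 5000, CHECKS))   # 1 (accept)
    print(verdict(build_packet(5000, b"\x00\x01"), 5000, CHECKS))    # 0 (drop)
```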

