How to Build and Use libnetfilter_queue for Android

If you’re looking for general information about how to use libnetfilter_queue for Linux, please refer here.

0. Preparation
First, you’ll need to check whether your Android kernel was compiled with support for libnetfilter_queue. Follow these steps:

  • Connect your Android device to your computer.
  • Enter the command “adb pull /proc/config.gz” to get the config.gz file from your Android device.
  • Extract the config.gz file; you’ll get a file named config. This is your Android Linux kernel build configuration file.
  • Search for CONFIG_NETFILTER_ADVANCED, CONFIG_NETFILTER_NETLINK and CONFIG_NETFILTER_NETLINK_QUEUE in the config file and make sure none of them is commented out (a disabled option appears as “# CONFIG_… is not set”).

If your Android build is not compiled with these features, you’ll need to compile a customized kernel build to use libnetfilter_queue.
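The kernel configuration check above, automated as a small shell function. This is an added example, not code from the original post: it reads the plain-text config file extracted from config.gz and reports each option as built in, built as a module, or disabled. It also checks CONFIG_NETFILTER_XT_TARGET_NFQUEUE, which the post does not list but which the iptables NFQUEUE target used later in the post requires. The sample config written by write_sample_config is constructed for trying the check offline, not taken from a real device.

```shell
# Added example (not from the original post): check the "config" file pulled from
# /proc/config.gz for the netfilter options the post lists, plus
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE, which the iptables NFQUEUE target needs.
# Usage: check_nfqueue_config ./config

REQUIRED_OPTS="CONFIG_NETFILTER_ADVANCED CONFIG_NETFILTER_NETLINK CONFIG_NETFILTER_NETLINK_QUEUE CONFIG_NETFILTER_XT_TARGET_NFQUEUE"

# Prints one line per option and returns 0 only if every option is enabled
# (either built in or built as a module).
check_nfqueue_config() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        # A disabled option appears as "# CONFIG_FOO is not set", so match the
        # exact "CONFIG_FOO=value" form rather than grepping for the bare name.
        if grep -q "^${opt}=y$" "$cfg"; then
            echo "$opt: built in"
        elif grep -q "^${opt}=m$" "$cfg"; then
            echo "$opt: built as a module (load it before running nfqnltest)"
        else
            echo "$opt: NOT enabled"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample config (not from a real device) for trying the check
# offline: the queue option is disabled, so the check should fail on it.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
EOF
}

# When run as a script with a config path, check that file.
if [ -n "$1" ]; then
    check_nfqueue_config "$1"
fi
```

Options built as modules (=m) count as available, but the module has to be loaded on the device before the test program can bind to the queue, which is why the function reports them separately.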

Next you’ll need to root your Android device. This is not the focus of this post, so it’s not covered here. But you can find lots of information online.

Thirdly, make sure your phone has the iptables program; it is used to configure the kernel packet filter tables. Run the commands below to check:

adb shell
su
iptables --list

If the terminal doesn’t complain about the program not being found, then you have iptables installed. If you don’t have iptables installed on your Android device, you may consider installing busybox, or compiling your own iptables program. I checked out the Android source code tree; it includes iptables in the external folder, so it should be doable to build on your own.

1. Build the Libraries and Test Executable
libnetfilter_queue depends on libnfnetlink, so we’ll need to download both libraries from here and here. After downloading, extract the libraries to your Android project jni folder.
Copy the nfqnl_test.c file from the libnetfilter_queue-1.0.0/utils/ folder to the jni folder, and create an Android.mk file with the content below:

# LOCAL_PATH is used to locate source files in the development tree.
# The macro my-dir, provided by the build system, indicates the path of the current directory.
LOCAL_PATH:=$(call my-dir)

#####################################################################
#            build libnflink                                        #
#####################################################################
include $(CLEAR_VARS)
LOCAL_MODULE:=nflink
LOCAL_C_INCLUDES := $(LOCAL_PATH)/libnfnetlink-1.0.0/include
# Backslashes continue the list onto the next line; without them make
# would treat each file name as a separate (broken) statement.
LOCAL_SRC_FILES:= \
    libnfnetlink-1.0.0/src/iftable.c \
    libnfnetlink-1.0.0/src/rtnl.c \
    libnfnetlink-1.0.0/src/libnfnetlink.c
include $(BUILD_STATIC_LIBRARY)
#include $(BUILD_SHARED_LIBRARY)

#####################################################################
#            build libnetfilter_queue                               #
#####################################################################
include $(CLEAR_VARS)
LOCAL_C_INCLUDES := $(LOCAL_PATH)/libnfnetlink-1.0.0/include \
    $(LOCAL_PATH)/libnetfilter_queue-1.0.0/include
LOCAL_MODULE:=netfilter_queue
LOCAL_SRC_FILES:=libnetfilter_queue-1.0.0/src/libnetfilter_queue.c
LOCAL_STATIC_LIBRARIES:=libnflink
include $(BUILD_STATIC_LIBRARY)
#include $(BUILD_SHARED_LIBRARY)

#####################################################################
#            build our code                                         #
#####################################################################
include $(CLEAR_VARS)
LOCAL_C_INCLUDES := $(LOCAL_PATH)/libnfnetlink-1.0.0/include \
    $(LOCAL_PATH)/libnetfilter_queue-1.0.0/include
LOCAL_MODULE:=nfqnltest
LOCAL_SRC_FILES:=nfqnl_test.c
LOCAL_STATIC_LIBRARIES:=libnetfilter_queue
LOCAL_LDLIBS:=-llog -lm
#include $(BUILD_SHARED_LIBRARY)
include $(BUILD_EXECUTABLE)

Then issue the “ndk-build” command to build the libraries and the executable nfqnltest.

Note that you’ll probably encounter an error “undefined reference to __fswab64”. This is a known issue, as indicated here. Just apply the patch (or make the change described by the patch) to your NDK header file (platforms/android-9/arch-arm/usr/include/linux/byteorder/swab.h; replace “android-9” in the path with your targeted Android version). This resolves the build error.

2. Running the Code on Android
Follow the commands below to copy the executable to your Android device and run it:

  • adb shell
  • su
  • mkdir /data/data/nfqnltest
  • chmod 777 /data/data/nfqnltest
  • Open another terminal. Go to the libs/<armeabi*> folder of your Android project and issue the command “adb push nfqnltest /data/data/nfqnltest/”.
  • Switch back to the first terminal and run “cd /data/data/nfqnltest”.
  • ./nfqnltest

To configure the iptables rule, open a new terminal and run the commands below:

adb shell
su
iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 0

Then, in the terminal where nfqnltest is running, you can see the program’s output. If you open the browser app on your phone and try to open google.com, you’ll see some packet information displayed:

pkt received
...
hw_protocol=0x0000 hook=3 id=0 outdev=12 payload_len=288
entering callback
pkt received
hw_protocol=0x0000 hook=3 id=1 outdev=12 payload_len=869
entering callback
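The post starts nfqnltest first and adds the iptables rule afterwards, which is the right order: by default, when no userspace program is bound to a queue, the kernel drops every packet an NFQUEUE rule matches, so a rule left behind after the test program exits silently cuts off all outbound TCP on the device. The added script below (not part of the original post) automates that ordering and removes the rule again on exit. The IPTABLES variable, the queue number argument and the listener command are assumptions; on the device it is run as root with the same rule the post uses.

```shell
# Added example (not from the original post): run an NFQUEUE listener such as
# nfqnltest with the iptables rule added only while the listener is running and
# removed again when it stops. With no listener bound to the queue, the kernel
# drops every packet the NFQUEUE rule matches, so the rule must never outlive
# the program. IPTABLES can be overridden (e.g. pointed at a logging stub for a
# dry run); the queue number and listener command are assumptions.

IPTABLES="${IPTABLES:-iptables}"

# The rule from the post as one argument list, so -A and -D stay identical.
nfqueue_rule() {
    echo "OUTPUT -p tcp -j NFQUEUE --queue-num $1"
}

# Usage: run_with_nfqueue_rule <queue-num> <listener command...>
# Returns the listener's exit status; the rule is removed on every path.
run_with_nfqueue_rule() {
    queue="$1"; shift
    rule=$(nfqueue_rule "$queue")
    # Start the listener first so it is already bound to the queue when the
    # first matching packet arrives.
    "$@" &
    listener=$!
    sleep 1
    # $rule is deliberately unquoted: it must split into separate arguments.
    $IPTABLES -A $rule
    # Forward Ctrl-C / kill to the listener so the cleanup below still runs.
    trap 'kill "$listener" 2>/dev/null' INT TERM
    status=0
    wait "$listener" || status=$?
    trap - INT TERM
    $IPTABLES -D $rule
    return $status
}

# On the device (as root): run_with_nfqueue_rule 0 ./nfqnltest
if [ $# -ge 2 ]; then
    run_with_nfqueue_rule "$@"
fi
```

Deleting with -D and exactly the same specification that was added with -A is what makes the cleanup reliable; if you add the rule twice (say, from two terminals), iptables keeps two copies and a single -D removes only one, so check with “iptables --list” before assuming the chain is clean.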

With libnetfilter_queue you can do a lot of interesting things, such as user-space NAT and packet sniffing/capturing.

0 thoughts on “How to Build and Use libnetfilter_queue for Android”

  1. What if I get “./nfqnltest: permission denied” while trying the last command. I typed su and then tried to run it, but again didn’t work.

  2. I’m trying to build the stock 4.3 Android for my nexus, and want to add libnetfilter_queue back into the kernel. Can I do it all at once? When you say, “After downloading, extract the libraries to your Android project jni folder.” I don’t have an application folder, just the main source tree, which doesn’t have a JNI folder, at least one that makes sense wrt to this. (plenty in developer and test, for example.) Can I place it somewhere in the source tree I have, or do I need to create a dummy application? Not really sure how to proceed. TIA

  3. Hi there – finally figured this out, compiled it, pushed to the device, and followed the rest of your directions, but iptables gives me an error

    root@flo:/ # iptables -A OUTPUT -p tcp -j NFQUEUE –queue-num 0
    Bad argument `–queue-num’
    Try `iptables -h’ or ‘iptables –help’ for more information.

    any ideas?

  4. the test program seems to be running, but no packets are being logged, because iptables doesn’t have libnetfilter_queue…

    root@flo:/data/data/nfqnltest # ./nfqnltest
    opening library handle
    unbinding existing nf_queue handler for AF_INET (if any)
    binding nfnetlink_queue as nf_queue handler for AF_INET
    binding this socket to queue ‘0’
    setting copy_packet mode

  5. Thank you,
    I followed these steps, but when I try to run the executable nfqnltest on the device it gives me the error
    “unbinding existing nf_queue handler for AF_INET (if any)
    error during nfq_unbind_pf()”
    the nfq_unbind_pf() returns a value less than zero,
    why?

  6. This might be my fault, but when trying to build libnetfilter_queue 1.0 I’ve had to modify jni/libnetfilter_queue/src/internal.h from include “src/internal.h” to “internal.h”. Maybe the Android.mk pathing is missing something.

    More importantly internal.h includes “config.h”, which isn’t included in libnetfilter_queue and libnfnetlink. It might be something dumb like this is a standard library file and my pathing isn’t correct.

    Any ideas?
