Hi Paul,

I'm still not sure why you wanted to automate such a process at the kernel level, but it's really an interesting thought. Yes, it took a little long to move on your problem, but I have hope of achieving this. You know I too usually take an interest in such adventures, so I took you personally ;-) Anyway, from your description I'd define your goal as "Making System Calls from Kernel Space". I got this idea from the khttpd module of the kernel, and I found the same thing on the Internet, on the website of the very popular Linux identity Alessandro Rubini. Just go through his guide at http://www.linux.it/kerneldocs/ksys/ksys.html.
>> 2.- Can I use libiptc or another lib or *.h to manipulate the packet and
>> compare it with a file of IPs and make it go to the QUEUE without the scripts
>> below, for example:
>> iptables -I FORWARD -j QUEUE or
>> iptables -t mangle -I PREROUTING -j QUEUE

To achieve this you need to write your own "target" for netfilter, like ACCEPT, REJECT, ... The easiest is to look into the target "TOS".

>> 3.- Why, using the table "mangle" to send the packet to the QUEUE in
>> PREROUTING, is catching the packet faster than using the QUEUE in
>> the table "filter" in FORWARD?

It depends on which traffic you want to intercept. If you implement QUEUE in FORWARD then you will miss all those packets which are intended for the host. Just a silly question here: do you have a clear idea of how a packet travels through the netfilter code? Which chains are traversed, and in which order? Don't get annoyed; from your "see the comments... Step Table Chain Comment..." I can say that you have little idea, at least ;-).

>> 4.- In the HOW-TO hacking-netfilter I read about some functionality using KERNEL
>> functions to add rules. I read this, but how can I do it?

It would be nice if you snipped that part of the documentation into this mail.

--
Sumit
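The alternative to writing a custom netfilter target, which is what question 2 is really asking for, is to keep the stock QUEUE target and do the "compare the source IP against a file" decision in the userspace handler that receives the queued packets. The following is an added example written for this thread; it is not code from Sumit's reply, from Paul, or from the netfilter project. It parses the raw IPv4 datagram that libipq/ip_queue hands to userspace, checks the source address against a deny list loaded from a text file, and returns the netfilter verdict to pass back. The deny list, the sample packet, and the function names (`load_addr_list`, `verdict_for_packet`, `demo_verdict`) are all constructed here so the logic runs offline without kernel headers.

```c
/* Verdict logic for a userspace QUEUE handler (added example, not from the
 * original mail).  Packets diverted with `iptables ... -j QUEUE` reach
 * userspace as raw IP datagrams; this decides ACCEPT/DROP per packet. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Same values as NF_DROP / NF_ACCEPT in <linux/netfilter.h>; redefined so the
 * example builds without kernel headers. */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1

#define MAX_ADDRS 256

struct addr_list {
    uint32_t addr[MAX_ADDRS];   /* IPv4 addresses in host byte order */
    size_t count;
};

/* Load one dotted-quad per line from the text of an IP-list file.  Blank
 * lines and '#' comments are skipped.  Returns the number of addresses
 * loaded, or -1 on a malformed or overlong line (fail closed: a bad list
 * should not silently shrink). */
int load_addr_list(const char *text, struct addr_list *list)
{
    const char *p = text;
    list->count = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[64];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        /* strip trailing CR / whitespace (files edited on Windows, etc.) */
        while (len && (line[len - 1] == '\r' || line[len - 1] == ' ' ||
                       line[len - 1] == '\t'))
            line[--len] = '\0';
        if (len == 0 || line[0] == '#') continue;
        struct in_addr ia;
        if (inet_pton(AF_INET, line, &ia) != 1) return -1;
        if (list->count == MAX_ADDRS) return -1;
        list->addr[list->count++] = ntohl(ia.s_addr);
    }
    return (int)list->count;
}

int addr_in_list(const struct addr_list *list, uint32_t host_addr)
{
    for (size_t i = 0; i < list->count; i++)
        if (list->addr[i] == host_addr) return 1;
    return 0;
}

/* Decide the verdict for one queued packet of `len` bytes.  Anything that is
 * not a sane IPv4 datagram (truncated header, wrong version, IHL below 5, or
 * a total length larger than what we actually hold) is dropped, as is any
 * packet whose source address is on the list. */
int verdict_for_packet(const uint8_t *pkt, size_t len,
                       const struct addr_list *blocked)
{
    if (len < 20) return VERDICT_DROP;
    unsigned version = pkt[0] >> 4;
    unsigned ihl = (pkt[0] & 0x0f) * 4;
    if (version != 4 || ihl < 20 || ihl > len) return VERDICT_DROP;
    uint16_t tot_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (tot_len < ihl || tot_len > len) return VERDICT_DROP;
    uint32_t saddr = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                     ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    return addr_in_list(blocked, saddr) ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Constructed sample data: the contents of a deny-list file, and a minimal
 * 20-byte IPv4 header (TCP, no payload, checksum left zero) from 10.0.0.5
 * to 192.168.1.1. */
static const char sample_list[] =
    "# hosts to drop\n"
    "10.0.0.5\n"
    "172.16.4.9\n";

static const uint8_t sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 5,            /* source      10.0.0.5   */
    192, 168, 1, 1          /* destination 192.168.1.1 */
};

/* Build the sample packet with `src_ip` as source, present the first
 * `pkt_len` bytes of it (to exercise the truncation check), and return the
 * verdict; -1 on bad input. */
int demo_verdict(const char *src_ip, size_t pkt_len)
{
    struct addr_list blocked;
    struct in_addr src;
    uint8_t pkt[20];
    if (load_addr_list(sample_list, &blocked) < 0) return -1;
    if (inet_pton(AF_INET, src_ip, &src) != 1) return -1;
    memcpy(pkt, sample_pkt, sizeof pkt);
    memcpy(&pkt[12], &src.s_addr, 4);   /* s_addr is already network order */
    if (pkt_len > sizeof pkt) pkt_len = sizeof pkt;
    return verdict_for_packet(pkt, pkt_len, &blocked);
}

int main(void)
{
    printf("10.0.0.5 -> %s\n", demo_verdict("10.0.0.5", 20) == VERDICT_DROP ? "DROP" : "ACCEPT");
    printf("10.0.0.6 -> %s\n", demo_verdict("10.0.0.6", 20) == VERDICT_DROP ? "DROP" : "ACCEPT");
    return 0;
}
```

In a real handler built against libipq, the loop is `ipq_create_handle(0, PF_INET)`, `ipq_set_mode(h, IPQ_COPY_PACKET, bufsize)`, then repeatedly `ipq_read`, `ipq_get_packet` (which yields an `ipq_packet_msg_t` with `payload` and `data_len`), `verdict_for_packet(m->payload, m->data_len, &blocked)`, and `ipq_set_verdict(h, m->packet_id, verdict, 0, NULL)`; the verdict constants above match NF_DROP and NF_ACCEPT, so the return value can be passed straight through. Note that the FORWARD-versus-PREROUTING point from question 3 still applies: this code only ever sees what the chain you attached `-j QUEUE` to actually delivers, and a queued packet is dropped by the kernel if the handler dies, which is why the parser fails closed rather than letting malformed data through.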