@@ -238,6 +238,31 @@ until they've been given a verdict (accept, drop, or repeat). Also, the
238238kernel stores the enqueued packets in a linked list, so keeping lots of packets
239239outstanding is likely to adversely impact performance.
240240
241+ Monitoring a different network namespace
242+ ----------------------------------------
243+
244+ If you are using Linux network namespaces (``man 7
245+ network_namespaces ``) in some kind of containerization system, all of
246+ the Netfilter queue state is kept per-namespace; queue 1 in namespace
247+ X is not the same as queue 1 in namespace Y. NetfilterQueue will
248+ ordinarily pass you the traffic for the network namespace you're a
249+ part of. If you want to monitor a different one, you can do so with a
250+ bit of trickery and cooperation from a process in that
251+ namespace; this section describes how.
252+
253+ You'll need to arrange for a process in the network namespace you want
254+ to monitor to call ``socket(AF_NETLINK, SOCK_RAW, 12) `` and pass you
255+ the resulting file descriptor using something like
256+ ``socket.send_fds() `` over a Unix domain socket. (12 is
257+ ``NETLINK_NETFILTER ``, a constant which is not exposed by the Python
258+ ``socket `` module.) Once you've received that file descriptor in your
259+ process, you can create a NetfilterQueue object using the special
260+ constructor ``NetfilterQueue(sockfd=N) `` where N is the file
261+ descriptor you received. Because the socket was originally created
262+ in the other network namespace, the kernel treats it as part of that
263+ namespace, and you can use it to access that namespace even though it's
264+ not the namespace you're in yourself.
265+
241266Usage
242267=====
243268
0 commit comments