Netlink

Netlink is a socket-like mechanism for IPC between the kernel and user space processes, as well as between user space processes alone (like e.g., unix sockets) or a mixture of multiple user space and kernel space processes. However, unlike INET sockets, it cannot traverse host boundaries, as it addresses processes by their (inherently local) PIDs.

Netlink was designed for and is used to transfer miscellaneous networking information between the Linux kernel space and user space processes. Many networking utilities use Netlink to communicate with the Linux kernel from user space, for example iproute2. Netlink consists of a standard socket-based interface for user space processes and an internal kernel API for kernel modules. It is designed to be a more flexible successor to ioctl. Originally, Netlink uses the AF_NETLINK socket family.

RFC 3549 describes netlink protocol in detail.

History

As mentioned earlier, Netlink was created as a more flexible alternative to the sophisticated and awkward ioctl communication method which was used for setting and getting external socket options. Sockets ioctl interface is still supported by the Linux kernel for backward compatibility however. It can be used as follows:

error = ioctl(ip_socket, ioctl_type, &value_result);

Netlink was first provided in Linux 2.0 as a character device. This interface is obsolete, but as ioctl it can still be used too. The Netlink socket interface appeared in the 2.2 Linux kernel.

Packet structure

Unlike the BSD socket access to Internet protocols like TCP/etc. where the headers specifying flags and destination are autogenerated, the Netlink message header (available as struct nlmsghdr) must be prepared by the program itself, as the socket generally works in a SOCK_RAW-like mode, even if SOCK_DGRAM was used to create it.

The data portion then contains a subsystem-specific message that may be further nested.

Netlink Socket Families

For the AF_NETLINK family, there are multiple protocol subsets. Each of these interfaces to a different kernel component and has a different messaging subset. The following protocol is referenced in the field below:

int socket(AF_NETLINK, SOCK_DGRAM or SOCK_RAW, protocol)

Unfortunately, it seems that there is no standard, and it is unclear as to whether or not SOCK_DGRAM and SOCK_RAW are implemented on a given Linux (or other OS) release. Some sources state that both options are legitimate, and the reference below from Red Hat states that SOCK_RAW is always the parameter, however iproute2 uses both interchangeably.

This may change anytime as there is no "standard" to which the Linux development community sticks. However, a non-exhaustive list of the supported protocol entries follows:

NETLINK_ROUTE

NETLINK_ROUTE provides routing and link information. This information is used primarily for user-space routing daemons. There is a large subset of messages that Linux implements:

• Link Layer: RTM_NEWLINK, RTM_DELLINK, RTM_GETLINK, RTM_SETLINK
• Address Settings: RTM_NEWADDR, RTM_DELADDR, RTM_GETADDR
• Routing Tables: RTM_NEWROUTE, RTM_DELROUTE, RTM_GETROUTE
• Neighbor Cache: RTM_NEWNEIGH, RTM_DELNEIGH, RTM_GETNEIGH
• Routing Rules: RTM_NEWRULE, RTM_DELRULE, RTM_GETRULE
• Queuing Discipline Settings: RTM_NEWQDISC, RTM_DELQDISC, RTM_GETQDISC
• Traffic Classes used with Queues: RTM_NEWTCLASS, RTM_DELTCLASS, RTM_GETTCLASS
• Traffic filters: RTM_NEWTFILTER, RTM_DELTFILTER, RTM_GETTFILTER
• Others: RTM_NEWACTION, RTM_DELACTION, RTM_GETACTION, RTM_NEWPREFIX, RTM_GETPREFIX, RTM_GETMULTICAST, RTM_GETANYCAST, RTM_NEWNEIGHTBL,RTM_GETNEIGHTBL, RTM_SETNEIGHTBL

NETLINK_FIREWALL

NETLINK_FIREWALL provides an interface for a user-space app to receive packets from the firewall.

NETLINK_NFLOG

NETLINK_NFLOG provides an interface used to communicate between used Netfilter and iptables.

NETLINK_ARPD

NETLINK_ARPD provides an interface to manage the ARP table from user space.

NETLINK_AUDIT

NETLINK_AUDIT provides an interface to the audit subsystem found in kernel versions 2.6.6 and later.

NETLINK_IPV6_FW

NETLINK_ROUTE6

NETLINK_TAPBASE

NETLINK_TCPDIAG

NETLINK_XFRM

NETLINK_XFRM provides an interface to manage the IPsec security association and security policy databases. It is mostly used by Key Manager daemons when they are used in Internet Key Exchange protocol.

User-defined Netlink protocol

The user can add a netlink handler in their own kernel routines. This allows additional Netlink protocols to be developed to address new kernel modules. The Linux Journal article Why and How to Use Netlink Sockets provides some guidance on how to create Netlink sockets on the kernel side.

External links

Free software portal

• Pablo Neira Ayuso, Rafael M. Gasca, Laurent Lefèvre. Communicating between the kernel and user-space in Linux using Netlink sockets. Software: Practice and Experience, 40(9):797-810, August 2010
• Why and How to Use Netlink Sockets
• RFC 3549
• http://netfilter.org/projects/libmnl — “Minimalist Library for Netlink” — userspace library for construction and parsing of Netlink messages
• Manipulating the Networking Environment Using RTNETLINK
• Netlink Sockets - Overview