Advanced OS Customizations & Bootloaders

Building Custom Netfilter Hooks in Android LKMs: Advanced Traffic Filtering & Manipulation

By Antigravity Research Published May 30, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Netfilter in Android

Android’s network stack, built upon the Linux kernel, heavily relies on Netfilter for packet filtering, NAT, and connection tracking. While standard iptables and ip6tables commands offer powerful capabilities, there are scenarios where deeper, more specialized control over network traffic is required. This is where custom Netfilter hooks, implemented as Linux Kernel Modules (LKMs), become indispensable. They allow developers to intercept packets at specific points in the network stack, perform arbitrary logic, and manipulate packets in ways not possible with userspace tools.

This article delves into the intricacies of developing custom Netfilter hooks within an Android LKM. We’ll cover the necessary kernel development environment setup, the core Netfilter API, and provide a practical example of building and deploying a custom packet filtering module on an Android device.

Understanding Netfilter Hook Points and API

Netfilter defines several hook points in the networking stack where packets can be intercepted. For IPv4, these are:

  • NF_IP_PRE_ROUTING: Before routing decisions are made.
  • NF_IP_LOCAL_IN: For packets destined for the local host, after routing.
  • NF_IP_FORWARD: For packets being forwarded.
  • NF_IP_POST_ROUTING: After routing decisions, just before packets leave the host.
  • NF_IP_LOCAL_OUT: For locally generated packets, before routing.

Each hook point can have multiple hooks registered, which are executed in a specified priority order. A hook function typically receives the network buffer (sk_buff or skb) and other context information. Its return value dictates the packet’s fate:

  • NF_ACCEPT: Let the packet continue its journey.
  • NF_DROP: Discard the packet.
  • NF_STOLEN: The hook function has taken ownership of the packet (e.g., queued it for user space), and Netfilter should not process it further.
  • NF_QUEUE: Enqueue the packet for userspace processing (e.g., using libnetfilter_queue).
  • NF_REPEAT: Re-evaluate the packet at the current hook point.

Key Netfilter API Structures

The primary structure for registering a Netfilter hook is struct nf_hook_ops:

struct nf_hook_ops {  nf_hookfn      hook;         /* The hook function itself */  struct net_device *dev;      /* Optional: specific device */  void           *priv;        /* Private data */  u8             pf;           /* Protocol family (e.g., PF_INET) */  unsigned int   hooknum;      /* The hook point (e.g., NF_IP_PRE_ROUTING) */  int            priority;     /* Priority for execution */};

You register and unregister these operations using nf_register_net_hook() and nf_unregister_net_hook(), respectively. Note that nf_register_net_hook() requires a pointer to struct net, which can be obtained via &init_net for the default network namespace.

Setting Up the Android Kernel Build Environment

Before writing code, you need a matching Android kernel source tree and cross-compilation toolchain. This typically involves:

  1. Obtaining Kernel Source: Download the kernel source code for your specific Android device/ROM from its vendor (e.g., AOSP, device manufacturer, LineageOS).

  2. Android NDK: Download and install the Android NDK, which provides the necessary cross-compilation toolchains (e.g., AArch64 Linux Android GNU/LLVM).

  3. Configuring Kernel: Ensure your kernel is configured with CONFIG_NETFILTER and other necessary networking options enabled. You might need to run make menuconfig or similar.

  4. Environment Variables: Set ARCH (e.g., arm64), CROSS_COMPILE (e.g., aarch64-linux-android-), and point to your NDK toolchain.

export PATH=$PATH:/path/to/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/binexport ARCH=arm64export CROSS_COMPILE=aarch64-linux-android-

Developing Your Custom Netfilter LKM

Let’s create a simple LKM that drops all incoming UDP packets on a specific port (e.g., 12345) using the NF_IP_LOCAL_IN hook.

1. Define the Hook Function

Your hook function must match the nf_hookfn signature:

unsigned int my_udp_drop_hook(void *priv,              struct sk_buff *skb,              const struct nf_hook_state *state){    struct iphdr *iph;    struct udphdr *udph;    if (!skb)        return NF_ACCEPT;    // Check if it's an IP packet    if (skb->protocol != htons(ETH_P_IP))        return NF_ACCEPT;    iph = ip_hdr(skb);    // Check if it's a UDP packet    if (iph->protocol != IPPROTO_UDP)        return NF_ACCEPT;    udph = udp_hdr(skb);    // Check for our target UDP destination port    if (ntohs(udph->dest) == 12345) {        printk(KERN_INFO "my_netfilter_module: Dropping UDP packet from %pI4:%d to %pI4:%dn",               &iph->saddr, ntohs(udph->source),               &iph->daddr, ntohs(udph->dest));        return NF_DROP;    }    return NF_ACCEPT;}

2. Register the Hook Operation

Define an instance of struct nf_hook_ops and register it in init_module.

static struct nf_hook_ops my_nf_ops;static int __init my_netfilter_init(void){    int err;    my_nf_ops.hook     = my_udp_drop_hook;    my_nf_ops.pf       = NFPROTO_IPV4;    my_nf_ops.hooknum  = NF_IP_LOCAL_IN;    my_nf_ops.priority = NF_IP_PRI_FIRST; // Execute first    err = nf_register_net_hook(&init_net, &my_nf_ops);    if (err < 0) {        printk(KERN_ERR "my_netfilter_module: Failed to register hook!n");        return err;    }    printk(KERN_INFO "my_netfilter_module: Module loaded, UDP port 12345 filter active.n");    return 0;}static void __exit my_netfilter_exit(void){    nf_unregister_net_hook(&init_net, &my_nf_ops);    printk(KERN_INFO "my_netfilter_module: Module unloaded, UDP filter inactive.n");}module_init(my_netfilter_init);module_exit(my_netfilter_exit);MODULE_LICENSE("GPL");MODULE_AUTHOR("Your Name");MODULE_DESCRIPTION("Custom Netfilter Hook for Android");

Compiling the LKM for Android

Create a Makefile in the same directory as your .c file:

obj-m := my_netfilter_module.oKDIR := /path/to/your/android/kernel/sourcePWD := $(shell pwd)all:    $(MAKE) -C $(KDIR) M=$(PWD) modulesclean:    $(MAKE) -C $(KDIR) M=$(PWD) clean

Now, compile your module:

cd /path/to/your/module/sourcemake

This will generate my_netfilter_module.ko.

Deployment and Testing on Android

  1. Push to Device: Transfer the .ko file to your rooted Android device.

    adb push my_netfilter_module.ko /data/local/tmp/

  2. Load Module: Use insmod to load the module. You might need root privileges (su).

    adb shellsuinsmod /data/local/tmp/my_netfilter_module.ko

    Check kernel logs for messages:

    dmesg | grep my_netfilter_module

  3. Test Filtering: From another machine or an app on the Android device, try sending a UDP packet to port 12345 on the Android device’s IP address. For instance, using netcat on a Linux host:

    echo "Hello" | nc -u <ANDROID_IP> 12345

    Observe dmesg on the Android device. You should see

    Android Mobile Specs & Compare Directory

    Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

    Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Kernel #LKM #Netfilter #Networking #Traffic Filtering

Related Technical Guides

Deep Dive: Dissecting Android’s UEFI Secure Boot Chain & Key Management Internals

May 29, 2026

Mastering Android Kernel Module Signing: A Step-by-Step Guide for Secure Boot

May 29, 2026

Unlocking Secure Boot: A Step-by-Step Lab for Replacing OEM Keys (PK/KEK) on Android

May 30, 2026