I am trying to capture when a packet is created inside a container. I have containerd using the runc runtime to actually run and create the containers.
I have a kernel module loaded in the host to capture packets using netfilter. Below is the configuration of the hook.
    ipv4_local_out_hook->hooknum  = NF_INET_LOCAL_OUT;
    ipv4_local_out_hook->pf       = PF_INET;
    ipv4_local_out_hook->priority = NF_IP_PRI_FIRST;
It works well for UDP and TCP packets sent from the host, but doesn't capture anything created inside the containers.
To make it work, I have to set the hooknum to at least NF_INET_FORWARD. The issue with this is that the socket struct is null in sk_buff. I would like to capture container packets as early as possible so that the socket struct is populated. How can I configure the netfilter hook to do this?