int main(void) { int ret; u_int8_t family = AF_INET; struct nfct_handle *h; h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); return -1; } nfexp_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfexp_query(h, NFCT_Q_DUMP, &family); printf("TEST: dumo expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main(void) { int ret; uint32_t family = AF_INET; struct nfct_handle *h; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: get conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_DESTROY, ct); printf("TEST: delete conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main() { int ret; struct nfct_handle *h; h = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW); if (!h) { perror("nfct_open"); return -1; } nfexp_callback_register(h, NFCT_T_ALL, event_cb, NULL); printf("TEST: waiting for 10 expectation events...\n"); ret = nfexp_catch(h); printf("TEST: OK (%d)(%s)\n", ret, strerror(errno)); nfct_close(h); if (ret == -1) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); }
int main(int argc, char **argv) { struct nfq_handle *qh; struct nfq_q_handle *qqh; // struct nfnl_handle *nh; int fd; int rv; char buf[4096] __attribute__ ((aligned)); struct nfct_handle *cth; if (init_nfct(&cth) != 0) { exit(1); } if (init_nfq(&qh, &qqh, cth) != 0) { exit(1); } fd = nfq_fd(qh); for (;;) { if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) { printf("pkt received\n"); nfq_handle_packet(qh, buf, rv); continue; } /* if your application is too slow to digest the packets that * are sent from kernel-space, the socket buffer that we use * to enqueue packets may fill up returning ENOBUFS. Depending * on your application, this error may be ignored. Please, see * the doxygen documentation of this library on how to improve * this situation. */ if (rv < 0 && errno == ENOBUFS) { printf("losing packets!\n"); continue; } perror("recv failed"); break; } printf("unbinding from queue 0\n"); nfq_destroy_queue(qqh); #ifdef INSANE /* normally, applications SHOULD NOT issue this command, since * it detaches other programs/sockets from AF_INET, too ! */ printf("unbinding from AF_INET\n"); nfq_unbind_pf(h, AF_INET); #endif printf("closing library handle\n"); nfq_close(qh); nfct_close(cth); exit(0); }
int main(void) { int ret; struct nfct_handle *h; struct nf_conntrack *expected; struct nf_expect *exp; expected = nfct_new(); if (!expected) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0); nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241)); exp = nfexp_new(); if (!exp) { perror("nfexp_new"); nfct_destroy(expected); exit(EXIT_FAILURE); } nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); nfct_destroy(expected); return -1; } ret = nfexp_query(h, NFCT_Q_DESTROY, exp); printf("TEST: delete expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); nfct_destroy(expected); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp) { struct nf_conntrack *ct; struct nfct_handle *h; gotit = 0; if ((ct = nfct_new())) { nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port)); #ifdef HAVE_IPV6 if (peer_addr->sa.sa_family == AF_INET6) { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6); nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port); nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr); } else #endif { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port); nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr); } if ((h = nfct_open(CONNTRACK, 0))) { nfct_callback_register(h, NFCT_T_ALL, callback, (void *)markp); if (nfct_query(h, NFCT_Q_GET, ct) == -1) { static int warned = 0; if (!warned) { my_syslog(LOG_ERR, _("Conntrack connection mark retrieval failed: %s"), strerror(errno)); warned = 1; } } nfct_close(h); } nfct_destroy(ct); } return gotit; }
static void internal_bypass_ct_dump(int fd, int type) { struct nfct_handle *h; u_int32_t family = AF_UNSPEC; int ret; h = nfct_open(CONFIG(netlink).subsys_id, 0); if (h == NULL) { dlog(LOG_ERR, "can't allocate memory for the internal cache"); return; } nfct_callback_register(h, NFCT_T_ALL, internal_bypass_ct_dump_cb, &fd); ret = nfct_query(h, NFCT_Q_DUMP, &family); if (ret == -1) { dlog(LOG_ERR, "can't dump kernel table"); } nfct_close(h); }
int nl_flush_conntrack_table_selective(void) { struct nfct_handle *h; int ret; h = nfct_open(CONNTRACK, 0); if (h == NULL) { dlog(LOG_ERR, "cannot open handle"); return -1; } nfct_callback_register(h, NFCT_T_ALL, nl_flush_selective_cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); nfct_close(h); return ret; }
static void ForwardingRule_dealloc(ForwardingRule *self) { struct nfct_handle *ct_handle; PyObject_GC_UnTrack(self); ForwardingRule_clear(self); if (self->is_active) { forwarding_rules[ntohs(nfct_get_attr_u16(self->conntrack, ATTR_ORIG_PORT_DST))] = NULL; Py_BEGIN_ALLOW_THREADS ct_handle = nfct_open(CONNTRACK, 0); if (ct_handle != NULL) { nfct_query(ct_handle, NFCT_Q_DESTROY, self->conntrack); nfct_close(ct_handle); } Py_END_ALLOW_THREADS }
int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN); nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100); nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("8.8.8.8")); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, ct); printf("TEST: create conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main() { int ret; u_int8_t family = AF_INET; struct nfct_handle *h; char buf[1024]; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: dump conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
static void external_inject_close(void) { origin_unregister(inject); nfct_close(inject); }
int main(void) { int ret; struct nfct_handle *h; struct nf_conntrack *master, *expected, *mask, *nat; struct nf_expect *exp; /* * Step 1: Setup master conntrack */ master = nfct_new(); if (!master) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025)); nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21)); nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED); nfct_set_attr_u32(master, ATTR_TIMEOUT, 200); nfct_set_attr(master, ATTR_HELPER_NAME, "ftp"); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); nfct_destroy(master); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, master); printf("TEST: add master conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); expected = nfct_new(); if (!expected) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0); nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241)); mask = nfct_new(); if (!mask) { perror("nfct_new"); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff); nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff); nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000); nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff); nat = nfct_new(); if (!nat) { perror("nfct_new"); nfct_destroy(mask); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(nat, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(nat, ATTR_IPV4_SRC, inet_addr("3.3.3.3")); nfct_set_attr_u32(nat, ATTR_IPV4_DST, 0); nfct_set_attr_u8(nat, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345); nfct_set_attr_u16(nat, ATTR_PORT_DST, 0); /* * Step 2: Setup expectation */ exp = nfexp_new(); if (!exp) { perror("nfexp_new"); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); exit(EXIT_FAILURE); } nfexp_set_attr(exp, ATTR_EXP_MASTER, master); nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); nfexp_set_attr(exp, ATTR_EXP_MASK, mask); nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat); nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, 0); nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); nfct_destroy(nat); h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfexp_query(h, NFCT_Q_CREATE, exp); printf("TEST: create expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main(int argc, char *argv[]) { pid_t pid, sid; int c, ret; char buf[BUF_LEN]; int syslog_facility = LOG_LOCAL4; while (1) { static struct option long_options[] = { /* Flags */ {"verbose", no_argument, 0, 'v'}, {"daemon", no_argument, 0, 'd'}, {"help", no_argument, 0, 'h'}, {"facility",required_argument, 0, 'f'}, {0, 0, 0, 0} }; /* getopt_long stores the option index here. */ int option_index = 0; c = getopt_long (argc, argv, "vdhf:",long_options, &option_index); if (c == -1) break; switch(c) { case 'v': verbose_flag = 1; break; case 'd': daemon_flag = 1; break; case 'h': usage(); exit(EXIT_SUCCESS); break; case 'f': syslog_facility = __str2facility(optarg); if (syslog_facility == -1) { ret = snprintf(buf,BUF_LEN-1, "Invalid syslog facility parameter: %s", optarg); buf[ret] = '\0'; write_msg(LOG_ERR,buf); usage(); exit(EXIT_FAILURE); } break; case '?': default: usage(); exit(EXIT_FAILURE); break; } } if (daemon_flag) { setlogmask(LOG_UPTO(LOG_INFO)); openlog(PROGNAME, LOG_CONS, syslog_facility); /* Fork off the parent process */ pid = fork(); if (pid < 0) { exit(EXIT_FAILURE); } /* If we got a good PID, then we can exit the parent process. */ if (pid > 0) { exit(EXIT_SUCCESS); } /* Create a new SID for the child process */ sid = setsid(); if (sid < 0) { /* Log the failure */ exit(EXIT_FAILURE); } /* Change the current working directory */ if ((chdir("/")) < 0) { /* Log the failure */ exit(EXIT_FAILURE); } /* Close out the standard file descriptors */ close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); } cth = nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_DESTROY); if (!cth) { ret = snprintf(buf, BUF_LEN-1, "Can't open a ctnetlink handler (%s)", strerror(errno)); buf[ret] = '\0'; write_msg(LOG_ERR, buf); exit(EXIT_FAILURE); } signal(SIGINT, event_sighandler); signal(SIGTERM, event_sighandler); nfct_callback_register(cth, NFCT_T_NEW|NFCT_T_DESTROY, event_cb, NULL); if (nfct_catch(cth) == -1) { ret = snprintf(buf, BUF_LEN-1, "Can't catch events (%s)", strerror(errno)); buf[ret] = '\0'; write_msg(LOG_ERR, buf); } nfct_close(cth); return EXIT_SUCCESS; }
static void event_sighandler(int s) { nfct_close(cth); write_msg(LOG_INFO, PROGNAME " exiting..."); exit(EXIT_SUCCESS); }
/*- -- nfct.close(cthandle) Close the conntrack handle, freeing its resources. */ static int gc(lua_State* L) { struct nfct_handle* cthandle = check_cthandle(L); nfct_close(cthandle); return 0; }