int main(void)
{
int ret;
u_int8_t family = AF_INET;
struct nfct_handle *h;
h = nfct_open(EXPECT, 0);
if (!h) {
perror("nfct_open");
return -1;
}
nfexp_callback_register(h, NFCT_T_ALL, cb, NULL);
ret = nfexp_query(h, NFCT_Q_DUMP, &family);
printf("TEST: dumo expectation ");
if (ret == -1)
printf("(%d)(%s)\n", ret, strerror(errno));
else
printf("(OK)\n");
nfct_close(h);
ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}
int main(void)
{
int ret;
uint32_t family = AF_INET;
struct nfct_handle *h;
h = nfct_open(CONNTRACK, 0);
if (!h) {
perror("nfct_open");
return -1;
}
nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
ret = nfct_query(h, NFCT_Q_DUMP, &family);
printf("TEST: get conntrack ");
if (ret == -1)
printf("(%d)(%s)\n", ret, strerror(errno));
else
printf("(OK)\n");
nfct_close(h);
ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}
int main()
{
int ret;
struct nfct_handle *h;
struct nf_conntrack *ct;
ct = nfct_new();
if (!ct) {
perror("nfct_new");
return 0;
}
nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
h = nfct_open(CONNTRACK, 0);
if (!h) {
perror("nfct_open");
return -1;
}
ret = nfct_query(h, NFCT_Q_DESTROY, ct);
printf("TEST: delete conntrack (%d)(%s)\n", ret, strerror(errno));
if (ret == -1)
exit(EXIT_FAILURE);
nfct_close(h);
}
int main()
{
int ret;
struct nfct_handle *h;
h = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW);
if (!h) {
perror("nfct_open");
return -1;
}
nfexp_callback_register(h, NFCT_T_ALL, event_cb, NULL);
printf("TEST: waiting for 10 expectation events...\n");
ret = nfexp_catch(h);
printf("TEST: OK (%d)(%s)\n", ret, strerror(errno));
nfct_close(h);
if (ret == -1)
exit(EXIT_FAILURE);
exit(EXIT_SUCCESS);
}
int main(int argc, char **argv)
{
struct nfq_handle *qh;
struct nfq_q_handle *qqh;
// struct nfnl_handle *nh;
int fd;
int rv;
char buf[4096] __attribute__ ((aligned));
struct nfct_handle *cth;
if (init_nfct(&cth) != 0) {
exit(1);
}
if (init_nfq(&qh, &qqh, cth) != 0) {
exit(1);
}
fd = nfq_fd(qh);
for (;;) {
if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
printf("pkt received\n");
nfq_handle_packet(qh, buf, rv);
continue;
}
/* if your application is too slow to digest the packets that
* are sent from kernel-space, the socket buffer that we use
* to enqueue packets may fill up returning ENOBUFS. Depending
* on your application, this error may be ignored. Please, see
* the doxygen documentation of this library on how to improve
* this situation.
*/
if (rv < 0 && errno == ENOBUFS) {
printf("losing packets!\n");
continue;
}
perror("recv failed");
break;
}
printf("unbinding from queue 0\n");
nfq_destroy_queue(qqh);
#ifdef INSANE
/* normally, applications SHOULD NOT issue this command, since
* it detaches other programs/sockets from AF_INET, too ! */
printf("unbinding from AF_INET\n");
nfq_unbind_pf(h, AF_INET);
#endif
printf("closing library handle\n");
nfq_close(qh);
nfct_close(cth);
exit(0);
}
int main(void)
{
int ret;
struct nfct_handle *h;
struct nf_conntrack *expected;
struct nf_expect *exp;
expected = nfct_new();
if (!expected) {
perror("nfct_new");
exit(EXIT_FAILURE);
}
nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0);
nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));
exp = nfexp_new();
if (!exp) {
perror("nfexp_new");
nfct_destroy(expected);
exit(EXIT_FAILURE);
}
nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
h = nfct_open(EXPECT, 0);
if (!h) {
perror("nfct_open");
nfct_destroy(expected);
return -1;
}
ret = nfexp_query(h, NFCT_Q_DESTROY, exp);
printf("TEST: delete expectation ");
if (ret == -1)
printf("(%d)(%s)\n", ret, strerror(errno));
else
printf("(OK)\n");
nfct_close(h);
nfct_destroy(expected);
ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}
int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp)
{
struct nf_conntrack *ct;
struct nfct_handle *h;
gotit = 0;
if ((ct = nfct_new()))
{
nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP);
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port));
#ifdef HAVE_IPV6
if (peer_addr->sa.sa_family == AF_INET6)
{
nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6);
nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr);
nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port);
nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr);
}
else
#endif
{
nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr);
nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port);
nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr);
}
if ((h = nfct_open(CONNTRACK, 0)))
{
nfct_callback_register(h, NFCT_T_ALL, callback, (void *)markp);
if (nfct_query(h, NFCT_Q_GET, ct) == -1)
{
static int warned = 0;
if (!warned)
{
my_syslog(LOG_ERR, _("Conntrack connection mark retrieval failed: %s"), strerror(errno));
warned = 1;
}
}
nfct_close(h);
}
nfct_destroy(ct);
}
return gotit;
}
static void internal_bypass_ct_dump(int fd, int type)
{
struct nfct_handle *h;
u_int32_t family = AF_UNSPEC;
int ret;
h = nfct_open(CONFIG(netlink).subsys_id, 0);
if (h == NULL) {
dlog(LOG_ERR, "can't allocate memory for the internal cache");
return;
}
nfct_callback_register(h, NFCT_T_ALL, internal_bypass_ct_dump_cb, &fd);
ret = nfct_query(h, NFCT_Q_DUMP, &family);
if (ret == -1) {
dlog(LOG_ERR, "can't dump kernel table");
}
nfct_close(h);
}
int nl_flush_conntrack_table_selective(void)
{
struct nfct_handle *h;
int ret;
h = nfct_open(CONNTRACK, 0);
if (h == NULL) {
dlog(LOG_ERR, "cannot open handle");
return -1;
}
nfct_callback_register(h, NFCT_T_ALL, nl_flush_selective_cb, NULL);
ret = nfct_query(h, NFCT_Q_DUMP, &family);
nfct_close(h);
return ret;
}
static void
ForwardingRule_dealloc(ForwardingRule *self)
{
struct nfct_handle *ct_handle;
PyObject_GC_UnTrack(self);
ForwardingRule_clear(self);
if (self->is_active) {
forwarding_rules[ntohs(nfct_get_attr_u16(self->conntrack, ATTR_ORIG_PORT_DST))] = NULL;
Py_BEGIN_ALLOW_THREADS
ct_handle = nfct_open(CONNTRACK, 0);
if (ct_handle != NULL) {
nfct_query(ct_handle, NFCT_Q_DESTROY, self->conntrack);
nfct_close(ct_handle);
}
Py_END_ALLOW_THREADS
}
int main()
{
int ret;
struct nfct_handle *h;
struct nf_conntrack *ct;
ct = nfct_new();
if (!ct) {
perror("nfct_new");
return 0;
}
nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN);
nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);
nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("8.8.8.8"));
h = nfct_open(CONNTRACK, 0);
if (!h) {
perror("nfct_open");
return -1;
}
ret = nfct_query(h, NFCT_Q_CREATE, ct);
printf("TEST: create conntrack (%d)(%s)\n", ret, strerror(errno));
if (ret == -1)
exit(EXIT_FAILURE);
nfct_close(h);
}
int main()
{
int ret;
u_int8_t family = AF_INET;
struct nfct_handle *h;
char buf[1024];
h = nfct_open(CONNTRACK, 0);
if (!h) {
perror("nfct_open");
return -1;
}
nfct_callback_register(h, NFCT_T_ALL, cb, NULL);
ret = nfct_query(h, NFCT_Q_DUMP, &family);
printf("TEST: dump conntrack (%d)(%s)\n", ret, strerror(errno));
if (ret == -1)
exit(EXIT_FAILURE);
nfct_close(h);
}
static void external_inject_close(void)
{
origin_unregister(inject);
nfct_close(inject);
}
int main(void)
{
int ret;
struct nfct_handle *h;
struct nf_conntrack *master, *expected, *mask, *nat;
struct nf_expect *exp;
/*
* Step 1: Setup master conntrack
*/
master = nfct_new();
if (!master) {
perror("nfct_new");
exit(EXIT_FAILURE);
}
nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025));
nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21));
nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY);
nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED);
nfct_set_attr_u32(master, ATTR_TIMEOUT, 200);
nfct_set_attr(master, ATTR_HELPER_NAME, "ftp");
h = nfct_open(CONNTRACK, 0);
if (!h) {
perror("nfct_open");
nfct_destroy(master);
return -1;
}
ret = nfct_query(h, NFCT_Q_CREATE, master);
printf("TEST: add master conntrack ");
if (ret == -1)
printf("(%d)(%s)\n", ret, strerror(errno));
else
printf("(OK)\n");
nfct_close(h);
expected = nfct_new();
if (!expected) {
perror("nfct_new");
exit(EXIT_FAILURE);
}
nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2"));
nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0);
nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));
mask = nfct_new();
if (!mask) {
perror("nfct_new");
nfct_destroy(master);
nfct_destroy(expected);
exit(EXIT_FAILURE);
}
nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff);
nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff);
nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000);
nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff);
nat = nfct_new();
if (!nat) {
perror("nfct_new");
nfct_destroy(mask);
nfct_destroy(master);
nfct_destroy(expected);
exit(EXIT_FAILURE);
}
nfct_set_attr_u8(nat, ATTR_L3PROTO, AF_INET);
nfct_set_attr_u32(nat, ATTR_IPV4_SRC, inet_addr("3.3.3.3"));
nfct_set_attr_u32(nat, ATTR_IPV4_DST, 0);
nfct_set_attr_u8(nat, ATTR_L4PROTO, IPPROTO_TCP);
nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345);
nfct_set_attr_u16(nat, ATTR_PORT_DST, 0);
/*
* Step 2: Setup expectation
*/
exp = nfexp_new();
if (!exp) {
perror("nfexp_new");
nfct_destroy(master);
nfct_destroy(expected);
nfct_destroy(mask);
exit(EXIT_FAILURE);
}
nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
nfexp_set_attr(exp, ATTR_EXP_MASK, mask);
nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat);
nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, 0);
nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200);
nfct_destroy(master);
nfct_destroy(expected);
nfct_destroy(mask);
nfct_destroy(nat);
h = nfct_open(EXPECT, 0);
if (!h) {
perror("nfct_open");
return -1;
}
ret = nfexp_query(h, NFCT_Q_CREATE, exp);
printf("TEST: create expectation ");
if (ret == -1)
printf("(%d)(%s)\n", ret, strerror(errno));
else
printf("(OK)\n");
nfct_close(h);
ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
pid_t pid, sid;
int c, ret;
char buf[BUF_LEN];
int syslog_facility = LOG_LOCAL4;
while (1) {
static struct option long_options[] = {
/* Flags */
{"verbose", no_argument, 0, 'v'},
{"daemon", no_argument, 0, 'd'},
{"help", no_argument, 0, 'h'},
{"facility",required_argument, 0, 'f'},
{0, 0, 0, 0}
};
/* getopt_long stores the option index here. */
int option_index = 0;
c = getopt_long (argc, argv, "vdhf:",long_options, &option_index);
if (c == -1)
break;
switch(c) {
case 'v':
verbose_flag = 1;
break;
case 'd':
daemon_flag = 1;
break;
case 'h':
usage();
exit(EXIT_SUCCESS);
break;
case 'f':
syslog_facility = __str2facility(optarg);
if (syslog_facility == -1) {
ret = snprintf(buf,BUF_LEN-1,
"Invalid syslog facility parameter: %s", optarg);
buf[ret] = '\0';
write_msg(LOG_ERR,buf);
usage();
exit(EXIT_FAILURE);
}
break;
case '?':
default:
usage();
exit(EXIT_FAILURE);
break;
}
}
if (daemon_flag) {
setlogmask(LOG_UPTO(LOG_INFO));
openlog(PROGNAME, LOG_CONS, syslog_facility);
/* Fork off the parent process */
pid = fork();
if (pid < 0) {
exit(EXIT_FAILURE);
}
/* If we got a good PID, then
we can exit the parent process. */
if (pid > 0) {
exit(EXIT_SUCCESS);
}
/* Create a new SID for the child process */
sid = setsid();
if (sid < 0) {
/* Log the failure */
exit(EXIT_FAILURE);
}
/* Change the current working directory */
if ((chdir("/")) < 0) {
/* Log the failure */
exit(EXIT_FAILURE);
}
/* Close out the standard file descriptors */
close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDERR_FILENO);
}
cth = nfct_open(CONNTRACK,
NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_DESTROY);
if (!cth) {
ret = snprintf(buf, BUF_LEN-1, "Can't open a ctnetlink handler (%s)",
strerror(errno));
buf[ret] = '\0';
write_msg(LOG_ERR, buf);
exit(EXIT_FAILURE);
}
signal(SIGINT, event_sighandler);
signal(SIGTERM, event_sighandler);
nfct_callback_register(cth, NFCT_T_NEW|NFCT_T_DESTROY, event_cb, NULL);
if (nfct_catch(cth) == -1) {
ret = snprintf(buf, BUF_LEN-1, "Can't catch events (%s)",
strerror(errno));
buf[ret] = '\0';
write_msg(LOG_ERR, buf);
}
nfct_close(cth);
return EXIT_SUCCESS;
}
static void event_sighandler(int s) {
nfct_close(cth);
write_msg(LOG_INFO, PROGNAME " exiting...");
exit(EXIT_SUCCESS);
}
/*-
-- nfct.close(cthandle)
Close the conntrack handle, freeing its resources.
*/
static int gc(lua_State* L)
{
struct nfct_handle* cthandle = check_cthandle(L);
nfct_close(cthandle);
return 0;
}
