int main(void) { int ret; u_int8_t family = AF_INET; struct nfct_handle *h; h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); return -1; } nfexp_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfexp_query(h, NFCT_Q_DUMP, &family); printf("TEST: dumo expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main(void) { int ret; uint32_t family = AF_INET; struct nfct_handle *h; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: get conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main() { int ret; struct nfct_handle *h; h = nfct_open(EXPECT, NF_NETLINK_CONNTRACK_EXP_NEW); if (!h) { perror("nfct_open"); return -1; } nfexp_callback_register(h, NFCT_T_ALL, event_cb, NULL); printf("TEST: waiting for 10 expectation events...\n"); ret = nfexp_catch(h); printf("TEST: OK (%d)(%s)\n", ret, strerror(errno)); nfct_close(h); if (ret == -1) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); }
int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_DESTROY, ct); printf("TEST: delete conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int nl_init_event_handler(void) { STATE(event) = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS); if (!STATE(event)) return -1; fcntl(nfct_fd(STATE(event)), F_SETFL, O_NONBLOCK); /* set up socket buffer size */ if (CONFIG(netlink_buffer_size)) nfnl_rcvbufsiz(nfct_nfnlh(STATE(event)), CONFIG(netlink_buffer_size)); else { socklen_t socklen = sizeof(unsigned int); unsigned int read_size; /* get current buffer size */ getsockopt(nfct_fd(STATE(event)), SOL_SOCKET, SO_RCVBUF, &read_size, &socklen); CONFIG(netlink_buffer_size) = read_size; } /* ensure that maximum grown size is >= than maximum size */ if (CONFIG(netlink_buffer_size_max_grown) < CONFIG(netlink_buffer_size)) CONFIG(netlink_buffer_size_max_grown) = CONFIG(netlink_buffer_size); /* register callback for events */ nfct_callback_register(STATE(event), NFCT_T_ALL, event_handler, NULL); return 0; }
/*- -- cthandle = nfct.open(subsys, [subscription...]) subsys is "track" or "expect" subscription is the groups for which notifications are requested, zero or more of "none", "new", "update", "destroy", or "all" (default is "none"). Returns a conntrack handle on success, or nil,emsg,errno on failure. There is no garbage collection, nfct.fini() must be called on the handle to release it's resources. */ static int hopen(lua_State *L) { static const char* subsys_opts[] = { "track", "expect", NULL }; static u_int8_t subsys_vals[] = { NFNL_SUBSYS_CTNETLINK, NFNL_SUBSYS_CTNETLINK_EXP, }; int subsys_opt = luaL_checkoption(L, 1, NULL, subsys_opts); u_int8_t subsys_val = subsys_vals[subsys_opt]; static const char* subscription_opts[] = { "none", "new", "update", "destroy", "all", NULL }; unsigned subscription_vals[2][5] = { { /* [0] == "track" */ 0, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE, NF_NETLINK_CONNTRACK_DESTROY, NFCT_ALL_CT_GROUPS }, { /* [1] == "expect" */ 0, NF_NETLINK_CONNTRACK_EXP_NEW, NF_NETLINK_CONNTRACK_EXP_UPDATE, NF_NETLINK_CONNTRACK_EXP_DESTROY, NF_NETLINK_CONNTRACK_EXP_NEW |NF_NETLINK_CONNTRACK_EXP_UPDATE |NF_NETLINK_CONNTRACK_EXP_DESTROY } }; unsigned subscription_val = 0; int narg = 0; struct nfct_handle* ct = NULL; /* the check option should have ensured that the opt index is 0 or 1, * so we can safely use it to index into the watfor vals */ assert(subsys_opt == 0 || subsys_opt == 1); for(narg = 2; narg <= lua_gettop(L); narg++) { int subscription_opt = luaL_checkoption(L, narg, NULL, subscription_opts); subscription_val |= subscription_vals[subsys_opt][subscription_opt]; } ct = nfct_open(subsys_val, subscription_val); if(!ct) { push_error(L); return 3; } lua_pushlightuserdata(L, ct); return 1; }
int main(void) { int ret; struct nfct_handle *h; struct nf_conntrack *expected; struct nf_expect *exp; expected = nfct_new(); if (!expected) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0); nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241)); exp = nfexp_new(); if (!exp) { perror("nfexp_new"); nfct_destroy(expected); exit(EXIT_FAILURE); } nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); nfct_destroy(expected); return -1; } ret = nfexp_query(h, NFCT_Q_DESTROY, exp); printf("TEST: delete expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); nfct_destroy(expected); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
static int external_inject_init(void) { /* handler to directly inject conntracks into kernel-space */ inject = nfct_open(CONFIG(netlink).subsys_id, 0); if (inject == NULL) { dlog(LOG_ERR, "can't open netlink handler: %s", strerror(errno)); dlog(LOG_ERR, "no ctnetlink kernel support?"); return -1; } /* we are directly injecting the entries into the kernel */ origin_register(inject, CTD_ORIGIN_INJECT); return 0; }
int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp) { struct nf_conntrack *ct; struct nfct_handle *h; gotit = 0; if ((ct = nfct_new())) { nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port)); #ifdef HAVE_IPV6 if (peer_addr->sa.sa_family == AF_INET6) { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6); nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port); nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr); } else #endif { nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr); nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port); nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr); } if ((h = nfct_open(CONNTRACK, 0))) { nfct_callback_register(h, NFCT_T_ALL, callback, (void *)markp); if (nfct_query(h, NFCT_Q_GET, ct) == -1) { static int warned = 0; if (!warned) { my_syslog(LOG_ERR, _("Conntrack connection mark retrieval failed: %s"), strerror(errno)); warned = 1; } } nfct_close(h); } nfct_destroy(ct); } return gotit; }
int nl_init_dump_handler(void) { /* open dump netlink socket */ STATE(dump) = nfct_open(CONNTRACK, 0); if (!STATE(dump)) return -1; /* register callback for dumped entries */ nfct_callback_register(STATE(dump), NFCT_T_ALL, dump_handler, NULL); if (nl_dump_conntrack_table() == -1) return -1; return 0; }
int nl_flush_conntrack_table_selective(void) { struct nfct_handle *h; int ret; h = nfct_open(CONNTRACK, 0); if (h == NULL) { dlog(LOG_ERR, "cannot open handle"); return -1; } nfct_callback_register(h, NFCT_T_ALL, nl_flush_selective_cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); nfct_close(h); return ret; }
static void internal_bypass_ct_dump(int fd, int type) { struct nfct_handle *h; u_int32_t family = AF_UNSPEC; int ret; h = nfct_open(CONFIG(netlink).subsys_id, 0); if (h == NULL) { dlog(LOG_ERR, "can't allocate memory for the internal cache"); return; } nfct_callback_register(h, NFCT_T_ALL, internal_bypass_ct_dump_cb, &fd); ret = nfct_query(h, NFCT_Q_DUMP, &family); if (ret == -1) { dlog(LOG_ERR, "can't dump kernel table"); } nfct_close(h); }
static void ForwardingRule_dealloc(ForwardingRule *self) { struct nfct_handle *ct_handle; PyObject_GC_UnTrack(self); ForwardingRule_clear(self); if (self->is_active) { forwarding_rules[ntohs(nfct_get_attr_u16(self->conntrack, ATTR_ORIG_PORT_DST))] = NULL; Py_BEGIN_ALLOW_THREADS ct_handle = nfct_open(CONNTRACK, 0); if (ct_handle != NULL) { nfct_query(ct_handle, NFCT_Q_DESTROY, self->conntrack); nfct_close(ct_handle); } Py_END_ALLOW_THREADS }
int main() { int ret; struct nfct_handle *h; struct nf_conntrack *ct; ct = nfct_new(); if (!ct) { perror("nfct_new"); return 0; } nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10)); nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_LISTEN); nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100); nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("8.8.8.8")); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, ct); printf("TEST: create conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main() { int ret; u_int8_t family = AF_INET; struct nfct_handle *h; char buf[1024]; h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); return -1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); ret = nfct_query(h, NFCT_Q_DUMP, &family); printf("TEST: dump conntrack (%d)(%s)\n", ret, strerror(errno)); if (ret == -1) exit(EXIT_FAILURE); nfct_close(h); }
int main(void) { int ret; struct nfct_handle *h; struct nf_conntrack *master, *expected, *mask, *nat; struct nf_expect *exp; /* * Step 1: Setup master conntrack */ master = nfct_new(); if (!master) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025)); nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21)); nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED); nfct_set_attr_u32(master, ATTR_TIMEOUT, 200); nfct_set_attr(master, ATTR_HELPER_NAME, "ftp"); h = nfct_open(CONNTRACK, 0); if (!h) { perror("nfct_open"); nfct_destroy(master); return -1; } ret = nfct_query(h, NFCT_Q_CREATE, master); printf("TEST: add master conntrack "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); expected = nfct_new(); if (!expected) { perror("nfct_new"); exit(EXIT_FAILURE); } nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1")); nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2")); nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0); nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241)); mask = nfct_new(); if (!mask) { perror("nfct_new"); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff); nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff); nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000); nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff); nat = nfct_new(); if (!nat) { perror("nfct_new"); nfct_destroy(mask); nfct_destroy(master); nfct_destroy(expected); exit(EXIT_FAILURE); } nfct_set_attr_u8(nat, ATTR_L3PROTO, AF_INET); nfct_set_attr_u32(nat, ATTR_IPV4_SRC, inet_addr("3.3.3.3")); nfct_set_attr_u32(nat, ATTR_IPV4_DST, 0); nfct_set_attr_u8(nat, ATTR_L4PROTO, IPPROTO_TCP); nfct_set_attr_u16(nat, ATTR_PORT_SRC, 12345); nfct_set_attr_u16(nat, ATTR_PORT_DST, 0); /* * Step 2: Setup expectation */ exp = nfexp_new(); if (!exp) { perror("nfexp_new"); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); exit(EXIT_FAILURE); } nfexp_set_attr(exp, ATTR_EXP_MASTER, master); nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected); nfexp_set_attr(exp, ATTR_EXP_MASK, mask); nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat); nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, 0); nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200); nfct_destroy(master); nfct_destroy(expected); nfct_destroy(mask); nfct_destroy(nat); h = nfct_open(EXPECT, 0); if (!h) { perror("nfct_open"); return -1; } ret = nfexp_query(h, NFCT_Q_CREATE, exp); printf("TEST: create expectation "); if (ret == -1) printf("(%d)(%s)\n", ret, strerror(errno)); else printf("(OK)\n"); nfct_close(h); ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS); }
int main(int argc, char *argv[]) { pid_t pid, sid; int c, ret; char buf[BUF_LEN]; int syslog_facility = LOG_LOCAL4; while (1) { static struct option long_options[] = { /* Flags */ {"verbose", no_argument, 0, 'v'}, {"daemon", no_argument, 0, 'd'}, {"help", no_argument, 0, 'h'}, {"facility",required_argument, 0, 'f'}, {0, 0, 0, 0} }; /* getopt_long stores the option index here. */ int option_index = 0; c = getopt_long (argc, argv, "vdhf:",long_options, &option_index); if (c == -1) break; switch(c) { case 'v': verbose_flag = 1; break; case 'd': daemon_flag = 1; break; case 'h': usage(); exit(EXIT_SUCCESS); break; case 'f': syslog_facility = __str2facility(optarg); if (syslog_facility == -1) { ret = snprintf(buf,BUF_LEN-1, "Invalid syslog facility parameter: %s", optarg); buf[ret] = '\0'; write_msg(LOG_ERR,buf); usage(); exit(EXIT_FAILURE); } break; case '?': default: usage(); exit(EXIT_FAILURE); break; } } if (daemon_flag) { setlogmask(LOG_UPTO(LOG_INFO)); openlog(PROGNAME, LOG_CONS, syslog_facility); /* Fork off the parent process */ pid = fork(); if (pid < 0) { exit(EXIT_FAILURE); } /* If we got a good PID, then we can exit the parent process. */ if (pid > 0) { exit(EXIT_SUCCESS); } /* Create a new SID for the child process */ sid = setsid(); if (sid < 0) { /* Log the failure */ exit(EXIT_FAILURE); } /* Change the current working directory */ if ((chdir("/")) < 0) { /* Log the failure */ exit(EXIT_FAILURE); } /* Close out the standard file descriptors */ close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); } cth = nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW|NF_NETLINK_CONNTRACK_DESTROY); if (!cth) { ret = snprintf(buf, BUF_LEN-1, "Can't open a ctnetlink handler (%s)", strerror(errno)); buf[ret] = '\0'; write_msg(LOG_ERR, buf); exit(EXIT_FAILURE); } signal(SIGINT, event_sighandler); signal(SIGTERM, event_sighandler); nfct_callback_register(cth, NFCT_T_NEW|NFCT_T_DESTROY, event_cb, NULL); if (nfct_catch(cth) == -1) { ret = snprintf(buf, BUF_LEN-1, "Can't catch events (%s)", strerror(errno)); buf[ret] = '\0'; write_msg(LOG_ERR, buf); } nfct_close(cth); return EXIT_SUCCESS; }
struct nfct_handle *nl_init_event_handler(void) { struct nfct_handle *h; h = nfct_open(CONFIG(netlink).subsys_id, CONFIG(netlink).groups); if (h == NULL) return NULL; if (CONFIG(netlink).events_reliable) { int on = 1; setsockopt(nfct_fd(h), SOL_NETLINK, NETLINK_BROADCAST_SEND_ERROR, &on, sizeof(int)); setsockopt(nfct_fd(h), SOL_NETLINK, NETLINK_NO_ENOBUFS, &on, sizeof(int)); dlog(LOG_NOTICE, "reliable ctnetlink event delivery " "is ENABLED."); } if (STATE(filter)) { if (CONFIG(filter_from_kernelspace)) { if (nfct_filter_attach(nfct_fd(h), STATE(filter)) == -1) { dlog(LOG_ERR, "cannot set event filtering: %s", strerror(errno)); } dlog(LOG_NOTICE, "using kernel-space event filtering"); } else dlog(LOG_NOTICE, "using user-space event filtering"); nfct_filter_destroy(STATE(filter)); } fcntl(nfct_fd(h), F_SETFL, O_NONBLOCK); /* set up socket buffer size */ if (CONFIG(netlink_buffer_size) && CONFIG(netlink_buffer_size) <= CONFIG(netlink_buffer_size_max_grown)) { /* we divide netlink_buffer_size by 2 here since value passed to kernel gets doubled in SO_RCVBUF; see net/core/sock.c */ CONFIG(netlink_buffer_size) = nfnl_rcvbufsiz(nfct_nfnlh(h), CONFIG(netlink_buffer_size)/2); } else { dlog(LOG_NOTICE, "NetlinkBufferSize is either not set or " "is greater than NetlinkBufferSizeMaxGrowth. " "Using current system buffer size"); socklen_t socklen = sizeof(unsigned int); unsigned int read_size; /* get current buffer size */ getsockopt(nfct_fd(h), SOL_SOCKET, SO_RCVBUF, &read_size, &socklen); CONFIG(netlink_buffer_size) = read_size; } dlog(LOG_NOTICE, "netlink event socket buffer size has been set " "to %u bytes", CONFIG(netlink_buffer_size)); return h; }