Example #1
0
/* ---------------------------------------------------------------------------- */
static gint       fwnfq_callback(struct nfq_q_handle *qh, 
				  struct nfgenmsg     *nfmsg, 
				  struct nfq_data     *nfa, 
				  void *data)
{
	FWAction action;
	u_int32_t id = fwnfq_process_pkt(nfa, &action);

	printf("Entering callback [%d]\n", id);
	printf("Packet action: [%d]\n", action);
	
	if (action == ACTION_ACCEPT) {
		printf("ACTION: * ACCEPT * \n\n");
		return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
	} 
	else if (action == ACTION_DROP) {
	  printf("ACTION: * DROP * \n\n");
	  return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
	}
	else if (action == ACTION_REJECT) {
		printf("ACTION: * REJECT (now DROP) * \n\n");
		return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
	}
	else {    
		printf("ACTION: * DEFAULT: ASK (packet QUEUED) * \n\n");
		return 0;
		//    return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);	  
	}
}
Example #2
0
// function callback for packet processing
// ---------------------------------------
static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                      struct nfq_data *nfa, void *data) {
    struct nfqnl_msg_packet_hdr *ph;
    int id_protocol = 0, id = 0, len = 0;
    unsigned char *full_packet; // get data of packet (payload)
    unsigned char *new_packet = NULL;
    
    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {
        len = nfq_get_payload(nfa, &full_packet);
        id = ntohl(ph->packet_id);
        id_protocol = identify_ip_protocol(full_packet);
        if (id_protocol == IPPROTO_UDP) { /* Only UDP packets */
            printf("Packet from %s:%d", get_src_ip_str(full_packet), get_udp_src_port(full_packet));
            printf(" to %s:%d\n", get_dst_ip_str(full_packet), get_tcp_dst_port(full_packet));
            /* Process packet... */
            new_packet = process_packet(full_packet, &len, ph->hook);
        }
        // let the packet continue on.  NF_ACCEPT will pass the packet
        // -----------------------------------------------------------
        if (new_packet) {
            nfq_set_verdict(qh, id, NF_ACCEPT, len, new_packet);
            free(new_packet);
        }
        else
            nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
    } else {
        printf("NFQUEUE: can't get msg packet header.\n");
        return ERR;		// from nfqueue source: 0 = ok, >0 = soft error, <0 hard error
    }

    return OK;
}
Example #3
0
/*
 * callback function for handling packets
 */
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
	struct nfqnl_msg_packet_hdr *ph;
	int decision, id=0;

	ph = nfq_get_msg_packet_hdr(nfa);
	if (ph)
	{
		id = ntohl(ph->packet_id);
	}

	/* check if we should block this packet */
	decision = pkt_decision(nfa);
	if( decision == PKT_ACCEPT)
	{
		return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
	}
#if defined(DMP_CAPTIVEPORTAL_1)
    else if (decision == PKT_REDIRECT) {
    	printf("GlbRedirectUrl %s\n", GlbRedirectUrl);
		return AEI_send_redirect(qh, id, nfa, GlbRedirectUrl);
	}                        
#endif
	else
	{
		return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
	}

}
Example #4
0
int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
    struct nfq_data *nfa, void *data)
{
  int id;
  int len;
  int hlen;
  char *pkt;
  struct nfqnl_msg_packet_hdr *ph;
  struct nfqnl_msg_packet_hw *hwph;
  struct timeval tv;

  tv.tv_sec = 0; // init

  if ((ph = nfq_get_msg_packet_hdr(nfa)))
    id = ntohl(ph->packet_id);
  else
    id = 0;

  if ((hwph = nfq_get_packet_hw(nfa)))
    hlen = ntohs(hwph->hw_addrlen);
  else
    hlen = 0;

  /* hole payload ... falls es nicht klappt ... Paket durchreichen */
  if ((len = nfq_get_payload (nfa, (char **) &pkt)) < 0)
    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);

  nfq_get_timestamp(nfa,&tv);
  return nfq_set_verdict(qh, id, myworker (data, pkt, len,&tv) ? NF_DROP :
                          NF_ACCEPT, 0, NULL);
}
Example #5
0
static int tc_nfq_process_packet(struct nfq_q_handle *qh, 
        struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
    int                          i, id = 0, payload_len = 0, ret,
                                 pass_through_flag = 0;
    unsigned char               *payload;
    tc_ip_header_t              *ip_hdr;
    struct nfqnl_msg_packet_hdr *ph;

    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {
        id = ntohl(ph->packet_id);
    }

    payload_len = nfq_get_payload(nfa, &payload);
    if (payload_len < 40) {
        tc_log_info(LOG_WARN, 0, "payload len wrong:%d", payload_len);
        return TC_ERROR;
    }

    ip_hdr = (tc_ip_header_t *)payload;

    if (ip_hdr != NULL) {
        /* check if it is the valid user to pass through firewall */
        for (i = 0; i < srv_settings.passed_ips.num; i++) {
            if (srv_settings.passed_ips.ips[i] == ip_hdr->daddr) {
                pass_through_flag = 1;
                break;
            }
        }

        tot_resp_packs++;

        if (pass_through_flag) {

            /* pass through the firewall */
            ret = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
        } else {

            tot_copy_resp_packs++;
            router_update(srv_settings.router_fd, ip_hdr);

            tc_check_cleaning();

            /* drop the packet */
            ret = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
        }
    } else {
        ret = TC_ERROR;
    }


    return ret;
}
Example #6
0
static void packet_verdict(struct packet *orig_pkt, filter_result result)
{
	int ret;
	struct nfqueue_packet *pkt = (struct nfqueue_packet*)orig_pkt;

	if (pkt->data) {
		if (pkt->id == -1) {
			if (result == FILTER_ACCEPT) {
				ret = socket_send_packet(pkt->state->send_mark_fd, pkt->data, pkt->length);
			}
			else {
				ret = 0;
			}
		}
		else {
			/* Convert verdict to netfilter */
			int verdict;
			switch (result) {
			case FILTER_ACCEPT: verdict = NF_ACCEPT; break;
			case FILTER_DROP:   verdict = NF_DROP; break;
			default:
				message(HAKA_LOG_DEBUG, MODULE_NAME, L"unknown verdict");
				verdict = NF_DROP;
				break;
			}

			if (pkt->modified)
				ret = nfq_set_verdict(pkt->state->queue, pkt->id, verdict, pkt->length, pkt->data);
			else
				ret = nfq_set_verdict(pkt->state->queue, pkt->id, verdict, 0, NULL);
		}

		if (pcap) {
			switch (result) {
			case FILTER_ACCEPT:
				dump_pcap(&pcap->out, pkt);
				break;

			case FILTER_DROP:
			default:
				dump_pcap(&pcap->drop, pkt);
				break;
			}
		}

		if (ret == -1) {
			message(HAKA_LOG_ERROR, MODULE_NAME, L"packet verdict failed");
		}

		free(pkt->data);
		pkt->data = NULL;
	}
}
/*
	::::	Funcion callback	:::
		================
	Es invocada cada vez que hay un paquete en la cola
*/
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
	u_int32_t id;
        struct nfqnl_msg_packet_hdr *ph;
	struct nfqnl_msg_packet_hw *hwph;
	unsigned char *nf_packet;
	char saddr[2048];
	int ret;
	char *valor_memcache;
	size_t len_memcache;
	char *key_memcache="autorizada";
	uint32_t flags;

	// Obtenemos las headers:
	ph = nfq_get_msg_packet_hdr(nfa);	
	// Y el ID de paquete, que hace falta para el veredicto final:
	id = ntohl(ph->packet_id);
     	// Obtenemos la IP origen del paquete:
	// - Primero hay que obtener el paquete en si:
	ret = nfq_get_payload(nfa, &nf_packet);
	if ((ret <= 0))
	{
		printf("Error, no hay paquete que recibir - wtf \n");
		return;
    	}

	struct iphdr *iph = ((struct iphdr *) nf_packet);
	inet_ntop(AF_INET, &(iph->saddr), saddr, sizeof(saddr));
//    	fprintf(stdout,"Recibido con origen%s\n",saddr);

  	valor_memcache  = memcached_get(memc, key_memcache, strlen(key_memcache), &len_memcache, &flags, &rc);

	if (rc == MEMCACHED_SUCCESS) 
	{
		if (strcmp(saddr,valor_memcache) == 0)
		{
			free(valor_memcache);
			return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
		}
		else
		{
			free(valor_memcache);
			return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
		}
	}
	else
	{
		printf("Key %s no se ha podido encontrar en memcached\n",key_memcache);
		return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
	}

}
Example #8
0
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph;
    struct skb_buf skb;

    //get unique ID of packet in queue
    ph = nfq_get_msg_packet_hdr(nfa);
    if(!ph)
    {
        return -1;
    }
    skb.packet_id= ntohl(ph->packet_id);

    //get payload
    skb.pload_len = nfq_get_payload(nfa, &(skb.pload));
    if(skb.pload_len <=0)
    {
        nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload);
        return -1;
    }

    skb.pload[skb.pload_len]='\0';

    process_tcp(&skb ,tcp_stream_handle);

    return 0;

}
Example #9
0
static int process_nfq_packet(struct nfq_q_handle *qh,
        struct nfgenmsg *nfmsg,
        struct nfq_data *nfa,
        void *data)
{
    struct nfqnl_msg_packet_hdr *ph;
    int pkt_len = 0;
    int verdict;
    unsigned char *full_packet;
    fko_srv_options_t   *opts = (fko_srv_options_t *)data;

    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {

        /* --DSS for ref
          id = ntohl(ph->packet_id);
          hook = ph->hook;
          hw_proto = ph->protocol;
        */

        /* Retrieve packet payload
        */
        pkt_len = nfq_get_payload(nfa, &full_packet);

        process_packet(opts, pkt_len, full_packet);

        /* Verdict on what to do with the packet.  If it is coming from
         * the INPUT chain (NF_IP_LOCAL_IN), then it is assumed to be
         * a spa packet and can be dropped. Otherwise, let it through.
        */
        verdict = (ph->hook == NF_IP_LOCAL_IN) ? NF_DROP : NF_ACCEPT;
        nfq_set_verdict(qh, ph->packet_id, verdict, 0, NULL);
    }
    return 0;
}
Example #10
0
int cb(struct nfq_q_handle *h, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
        printf("Packet received \n");
int id = ntohl(nfq_get_msg_packet_hdr(nfa)->packet_id);
	nfq_set_verdict(h, id, NF_QUEUE_NR(1), 0, NULL);

}
static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data)
{
	QHandler *handler = (QHandler *) data;

	u_int32_t id = get_pkt_id(nfa);
	char *payload;
	int payload_len;
	payload_len = nfq_get_payload(nfa, &payload);

	// Determine addresses
	IpAddress srcaddr((struct in_addr *) (payload + 12));
	IpAddress dstaddr((struct in_addr *) (payload + 16));
	// std::cout << "Got packet ID " << id << 
	// 	" from " << srcaddr << " to " << dstaddr << std::endl;
	// Work out what proto it is...
	int proto = (int) (unsigned char) payload[9];
	FnvHash hash;
	hash.addData(payload + 12, 8); // src + dst addr
	if (proto == IPPROTO_TCP) {
		// unsigned short sport = ntohs( *(unsigned short *) (payload+20));
		// unsigned short dport = ntohs( *(unsigned short *) (payload+22));
		// std::cout << "TCP sport " << sport << " dport " << dport
		// 	<< std::endl;
		hash.addData(payload + 20, 4); // src + dst ports
	}
	int hashvalue = hash.get16rev();
	// std::cout << "Hash value=" << hashvalue << std::endl;
	u_int32_t verdict = NF_DROP;
	if ((hashvalue >= handler->lowerHashLimit) && (hashvalue < handler->upperHashLimit))
		verdict = NF_ACCEPT;
	std::cout << "Connection from " << srcaddr << " Hash value=" << hashvalue << " Accept: " << (verdict == NF_ACCEPT ? "yes" : "no") << std::endl;
	return nfq_set_verdict(handler->GetQh(), id, verdict, 0, NULL);
}
Example #12
0
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	      struct nfq_data *nfa, void *data)
{
	u_int32_t id = print_pkt(nfa);
	printf("entering callback\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #13
0
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	      struct nfq_data *nfa, void *data)
{
	unsigned char *payload;
	int pay_len, match, rlen; 
	u_int32_t id = display_pkt(nfa);
	pay_len = nfq_get_payload(nfa, &payload);  
#ifdef DEBUG
        printf("Content inspection...pay_len=%d\n", pay_len); 
#endif
        match = inspect_tcp(payload, pay_len);  // return 1 if matched, 0 otherwise 
        if (match && p_queue.count < QSIZE) {  // if queue is full, let them pass 
           //print_ip_pkt(payload, pay_len); 
           // now lock the queue
           pthread_mutex_lock (&lock_queue); 
           enqueue(&p_queue, payload, pay_len, id);  
#ifdef DEBUG
	   printf("Matched packet. Queue size: %d\n", p_queue.count); 
#endif
           pthread_mutex_unlock (&lock_queue); 
           sem_post(&sem_queue);   // wake up sending threads 
	   return 0; 
       } else {
#ifdef DEBUG
	   printf("No match found\n");         // should be ok for not locking the queue
#endif
           pthread_mutex_lock (&lock_qh); 
	   rlen = nfq_set_verdict(qh, id, NF_ACCEPT, pay_len, payload);
           pthread_mutex_unlock (&lock_qh); 
	   return rlen; 
       }
}
static int cbUp(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
        struct nfq_data *nfa, void *payload) {
    char *send_data;
    int i = 0, newSize = 0;
    u_int32_t id = build_advertisement(nfa, &newSize);
    i = nfq_get_payload(nfa, &send_data);
    return nfq_set_verdict(qh, id, NF_ACCEPT, newSize, (unsigned char *)send_data);
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
          struct nfq_data *nfa, void *data)
{
    u_int32_t id = print_pkt(nfa);
    if(use_pcap == 1)
        record_pkt(nfa);

    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #16
0
static int log_packet(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* dat, void* data)
{
    struct nfqnl_msg_packet_hdr* nfq_hdr = nfq_get_msg_packet_hdr(dat);
    unsigned char* payload;
    int len = nfq_get_payload(dat,&payload);
    printf("---\n");
    printf("got a packet - len %d\n",len);
    nfq_set_verdict(qh, ntohl(nfq_hdr->packet_id), NF_ACCEPT, 0, NULL);
    return 0;
}
Example #17
0
static int cb(
        struct nfq_q_handle *qh,
        struct nfgenmsg *nfmsg,
        struct nfq_data *nfqdata,
        void *data
        )
{
    /* TODO - should have an option "delay", to explicitly avoid
       offering a verdict right away */
    static const char* verdict_opt[] = {
        "accept", "drop", NULL
    };
    static int verdict_val[] = {
        NF_ACCEPT, NF_DROP,
    };

    lua_State* L = data;
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata);
/*  struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */
    u_int32_t id = 0;

    if (ph) {
        /* TODO - why is this conditional in sample source? */
        id = ntohl(ph->packet_id);
    }

    /* We expect stack to look like:
     *   [1] qhandle
     *   [2] cbfn
     */
    check_handle(L);
    luaL_checktype(L, 2, LUA_TFUNCTION);

    lua_pushvalue(L, 2); /* Push copy of fn */
    lua_pushlightuserdata(L, nfqdata);
    lua_call(L, 1, 2);

    /* Return will be:
     *   [3] "accept", "drop", ..., default is accept
     *   [4] string, the replacement packet, default is 0,NULL
     */

    {
        int verdict = luaL_checkoption(L, 3, "accept", verdict_opt);
        size_t replacesz = 0;
        const char* replace = lua_tolstring(L, 4, &replacesz);

        /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/

        /* Reset stack, chopping any return values. */
        lua_settop(L, 2);

        return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace);
    }
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
//	u_int32_t id = print_pkt(nfa);
	u_int32_t id;

        struct nfqnl_msg_packet_hdr *ph;
	ph = nfq_get_msg_packet_hdr(nfa);	
	id = ntohl(ph->packet_id);
	printf("entering callback\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #19
0
static int daq_nfq_callback(
    struct nfq_q_handle* qh,
    struct nfgenmsg* nfmsg,
    struct nfq_data* nfad,
    void* data)
{
    NfqImpl *impl = (NfqImpl*)data;
    struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfad);

    DAQ_Verdict verdict;
    DAQ_PktHdr_t hdr;
    uint8_t* pkt;
    int nf_verdict;
    uint32_t data_len;

    if ( impl->state != DAQ_STATE_STARTED )
        return -1;

    if ( !ph || SetPktHdr(impl, nfad, &hdr, &pkt) )
    {
        DPE(impl->error, "%s: can't setup packet header",
            __FUNCTION__);
        return -1;
    }

    if (
        impl->fcode.bf_insns &&
        sfbpf_filter(impl->fcode.bf_insns, pkt, hdr.caplen, hdr.caplen) == 0
    ) {
        verdict = DAQ_VERDICT_PASS;
        impl->stats.packets_filtered++;
    }
    else
    {
        verdict = impl->user_func(impl->user_data, &hdr, pkt);

        if ( verdict >= MAX_DAQ_VERDICT )
            verdict = DAQ_VERDICT_BLOCK;

        impl->stats.verdicts[verdict]++;
        impl->stats.packets_received++;
    }
    nf_verdict = ( impl->passive || s_fwd[verdict] ) ? NF_ACCEPT : NF_DROP;
    data_len = ( verdict == DAQ_VERDICT_REPLACE ) ? hdr.caplen : 0;

    nfq_set_verdict(
        impl->nf_queue, ntohl(ph->packet_id),
        nf_verdict, data_len, pkt);

    return 0;
}
Example #20
0
int manage_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data2)
{
    struct nfqnl_msg_packet_hdr *packetHeader;
    uint32_t id;

    packetHeader = nfq_get_msg_packet_hdr(packet);
    if(packetHeader != NULL ) {
        id = packetHeader->packet_id;

        /* We should only be inspecting packets on the INPUT hook;
        * any others, return NF_ACCEPT immediately.
        */
        if(packetHeader->hook != NF_IP_LOCAL_IN) {
            return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
        }

        log4c_category_log(log4c_cat, LOG4C_PRIORITY_NOTICE, "manage_packet: Received packet.");
    } else {
        log4c_category_log(log4c_cat, LOG4C_PRIORITY_DEBUG, "Error in nfq_get_msg_packet_hdr");
    }

    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #21
0
/*
 * callback function for handling packets
 */
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph;
    int decision, id=0;

    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph)
    {
        id = ntohl(ph->packet_id);
    }

    /* check if we should block this packet */
    decision = pkt_decision(nfa);
    if( decision == PKT_ACCEPT)
    {
        return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
    }
    else
    {
        return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
    }
}
Example #22
0
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data) {
  u_int32_t id = 0;
  int d;
  struct nfqnl_msg_packet_hdr *ph;
  ph = nfq_get_msg_packet_hdr(nfa);
  if(ph) id = ntohl(ph->packet_id);

  // verify some basic patterns and drop packet if it's
  // somehow unexpected
  if(verify_pkt(nfa) != 0)
    return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);

  uint8_t ip_addr[4];
  device_t dev;
  uint16_t port;
  if(get_info(nfa, &dev, ip_addr, &port) != 0)
    return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);

  // check if this device already has an entry in the denied/allowed lists
  for(d=0;d<allowed_len;d++) {
    if(memcmp(allowed[d].hw_addr, dev.hw_addr, 6) == 0)
      return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
  }
    
  for(d=0;d<denied_len;d++)
    if(memcmp(denied[d].hw_addr, dev.hw_addr, 6) == 0)
      return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
  
  // if we have a pending request then just drop everything
  // elso until the current request has been answered
  if(pending)
    return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
  
  pending = malloc(sizeof(device_t));
  *pending = dev;
       
  printf("REQ ");
  
  // print the info
  int i;
  for (i = 0; i < 5; i++)
    printf("%02x:", pending->hw_addr[i]);
  printf("%02x ", pending->hw_addr[5]);

  for (i = 0; i < 3; i++)
    printf("%u.", ip_addr[i]);
  printf("%u ", ip_addr[3]);

  printf("%u\n", port);

  printf("-> A(ccept), D(eny), I(gnore), Q(uit): ");
  fflush(stdout);
  
  //   return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
  return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
Example #23
0
int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
							struct nfq_data	*nfa, void *data) {


	clock_gettime(CLOCK_REALTIME, &now);

	int inherent= (1000*1000*(now.tv_sec - last_time.tv_sec) +
						(now.tv_nsec - last_time.tv_nsec)/1000);

	if (nobuf && (inherent < 30)) { // packet comes from cache
		nfq_set_verdict(qh, id++, NF_DROP, 0, NULL);
		return OK;
	}

	/* read() inter-packet delay from stdin, sleep(), then accept() */

	if (counter == period) {
		counter = 0;
		if (fgets(line, 49, stdin))
			delay = atol(line);
		else
		delay = 0;
	} else {
		counter++; // only process every period'th packet
		delay = 0;
	}
    
	/* use pkd id from header or just count up? 
	 *   - we must not re-order packets
	 *   - we must be fast, i.e. if possible don't copy packet contents
     * struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
     * u_int32_t id = ntohl(ph->packet_id);
	 */
     // struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
     // u_int32_t id = ntohl(ph->packet_id);

	
    if DEBUG {
        printf("Run %d\n",id);
        printf("\t  inherent delay: %dµs\n", inherent);
        printf("\t  intended delay: %dµs\n", delay);
    }
    
	if (delay > 0) {
		usleep(delay);
        imprinted++;
		if DEBUG
            printf("\tdelay: %d µs\n",delay);
	} else {
Example #24
0
File: main.c Project: Ri0S/mal_site
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data){
    char HTTP1_1[] = {0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a};
    char Host_srt[] = {0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20};
    u_int32_t id = getid(nfa);
    u_char *cp = nfmsg;
    struct ip *iph;
    struct tcphdr *tcph;
    cp += 28;

    iph = (struct ip*)cp;
    cp += sizeof(*iph);
    tcph = (struct tcphdr*)cp;
    cp += sizeof(*tcph);

    if(!memcmp(cp, HTTP1_1, sizeof(HTTP1_1))){
        cp += sizeof(HTTP1_1);
        if(!memcmp(cp, Host_srt, sizeof(Host_srt))){
            cp += sizeof(Host_srt);
            char host[64];
            int i;
            for(i=0; *cp != '\r';i++){
                host[i] = *cp++;
            }
            host[i] = '\0';
            for(i=0; Mal_Site_Table[i][0]; i++){
                if(!strstr(host, Mal_Site_Table[i])){
                    printf("%s Dropped\n", host);
                    return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
                }
            }
        }
    }

    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #25
0
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph;
    //m_stack_t *st = (m_stack_t *)data;
    unsigned char *packet;
    u_int32_t id, ret;

    ph = nfq_get_msg_packet_hdr(nfa);
    id = ntohl(ph->packet_id);

    if ((ret = nfq_get_payload(nfa, &packet)) >= 0){
        syslog(LOG_NOTICE, "packet catched id: %d, payload_len=%d\n\r", id, ret);

    }

    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
Example #26
0
void NetherNetlink::setVerdict(const u_int32_t packetId, const NetherVerdict verdict, int32_t mark)
{
	int ret = 0;
	LOGD("id=" << packetId << " verdict=" << verdictToString(verdict) << " mark=" << mark);

	if(verdict == NetherVerdict::allow)
	{
		if (mark >= 0)
		{
			ret = nfq_set_verdict2(queueHandle,
								packetId,
								NF_ACCEPT,
								mark,
								0,
								NULL);
		}
		else
		{
			ret = nfq_set_verdict(queueHandle,
								packetId,
								NF_ACCEPT,
								0,
								NULL);
		}
	}

	if(verdict == NetherVerdict::deny)
	{
		ret = nfq_set_verdict2(queueHandle,
								packetId,
								NF_ACCEPT,
								/* if we're relaxed, let's not stress out */
								/* if we get a mark from the verdict caster */
								/* let's use it, maybe it knows better */
								mark > 0 ? mark : (netherConfig.relaxed ? netherConfig.markAllowAndLog : netherConfig.markDeny),
								0,
								NULL);
	}

	if(verdict == NetherVerdict::allowAndLog)
		ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, netherConfig.markAllowAndLog, 0, NULL);

	if(ret == -1)
		LOGW("can't set verdict for packetId=" << packetId);
}
Example #27
0
static int cb(
    struct nfq_q_handle *q,
    struct nfgenmsg *nfmsg,
    struct nfq_data *nfa,
    void *arg
) {
    int id = 0;
    struct nfqnl_msg_packet_hdr *ph;
    
    size_t packet_length;
    unsigned char   *packet_data;
    struct pkt_buff *packet;
    struct iphdr    *ip_header;
    struct tcphdr   *tcp_header;
    
    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {
        id = ntohl(ph->packet_id);
    }
    
    packet_length = nfq_get_payload(nfa, &packet_data);
    packet = pktb_alloc(AF_INET, packet_data, packet_length, 4096);
    
    ip_header = nfq_ip_get_hdr(packet);
    nfq_ip_set_transport_header(packet, ip_header);
    tcp_header = nfq_tcp_get_hdr(packet);
    
    if (ip_header) {
        struct in_addr *target;
        if (src_or_dst == src) {
            target = (struct in_addr *) &ip_header->saddr;
        } else if (src_or_dst == dst) {
            target = (struct in_addr *) &ip_header->daddr;
        }
        inet_aton(target_ip_address, target);
        
        nfq_ip_set_checksum(ip_header);
        nfq_tcp_compute_checksum_ipv4(tcp_header, ip_header);
        memcpy(packet_data, pktb_data(packet), packet_length);
    }
    
    pktb_free(packet);
    
    return nfq_set_verdict(q, id, NF_ACCEPT, packet_length, packet_data);
}
Example #28
0
File: nfq.c Project: uweber/libnet
static int cb(
        struct nfq_q_handle *qh,
        struct nfgenmsg *nfmsg,
        struct nfq_data *nfqdata,
        void *data
        )
{
    static const char* verdict_opt[] = {
        "accept", "drop", NULL
    };
    static int verdict_val[] = {
        NF_ACCEPT, NF_DROP,
    };

    lua_State* L = data;
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata);
/*  struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */
    u_int32_t id = 0;

    if (ph) {
        /* TODO - why is this conditional in sample source? */
        id = ntohl(ph->packet_id);
    }

    /* Return will be:
     *   [2] "accept", "drop", ..., default is accept
     *   [3] string, the replacement packet, default is 0,NULL
     */

    lua_settop(L, 1); /* Leave only the cb fn on the stack */
    lua_pushvalue(L, 1); /* Push copy of fn */
    lua_pushlightuserdata(L, nfqdata);
    lua_call(L, 1, 2);

    {
        int verdict = luaL_checkoption(L, 2, "accept", verdict_opt);
        size_t replacesz = 0;
        const char* replace = lua_tolstring(L, 3, &replacesz);

        /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/

        return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace);
    }
}
Example #29
0
void debug_unknown (packet_struct_t *packet, int	readcount){

	int i,j,x;
	extern struct nfq_q_handle *gqh;
	extern int current_packet_id;

	if (packet->type)
		x = sizeof(struct ip) + sizeof(struct udphdr) + readcount -1;
	else 
		x =  sizeof(struct ip) + sizeof(struct udphdr) + readcount -1;

	for (i=0,j=0;i<=packet->packet_length;i++){
		if (i==0)
			printf("IP Header start \n");
		if (i==sizeof(struct ip))
			printf("UDP Header start \n");
		if (i>= sizeof(struct ip) + sizeof(struct udphdr)){
			if (x == i)
				printf("	%3i %3i: %3i <-----\n",i,j++,packet->packet_backup[i]);
			else
				printf("	%3i %3i: %3i \n",i,j++,packet->packet_backup[i]);
		}else{
			if (x == i)
				printf("	%3i: %3i <-----\n",i,packet->packet_backup[i]);
			else
				printf("	%3i: %3i \n",i,packet->packet_backup[i]);

		}
		if (i==(sizeof(struct ip) + sizeof(struct udphdr) -1))
		printf("Header stop \n");
	}

	nfq_set_verdict(gqh, current_packet_id, NF_ACCEPT,0,0);
	Clear_Packet_Struct(packet);

	printf("%i\n",x);

	
	exit(1);

}
Example #30
-1
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
	struct nfq_data *nfa, void *data)
{
	u_int32_t id = -1;
	struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfa);
	if (ph) {
		id = ntohl(ph->packet_id);
		printf("hw_protocol=0x%04x hook=%u id=%u ",
		ntohs(ph->hw_protocol), ph->hook, id);

		char* packet_data = (char*) calloc(1, 10000);
		char* packet_data_2 = (char*) calloc(1, 10000);
		int count = nfq_get_payload(nfa, (unsigned char**)&packet_data);
		printf("count: [%d], ", count);

		int protocol = (int) packet_data[9];
		printf("protocol: [%d]", protocol);

		//Get the source and destination IPs
		char srcIP[33];
		inet_ntop(AF_INET, packet_data+12, srcIP, INET_ADDRSTRLEN);
		srcIP[32] = '\0';
		char destIP[33];
		inet_ntop(AF_INET, packet_data+16, destIP, INET_ADDRSTRLEN);
		destIP[32] = '\0';

		struct in_addr* destAddr = getInAddr(destIP);
		struct in_addr* sourceAddr = getInAddr(srcIP);

		//If we're blocking the flow, drop the packet.
		if(checkForFilteredFlows(sourceAddr, destAddr) == TRUE){
			return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
		}

		//Means the route record shim is not already there, so add it.
		if(protocol != ROUTE_RECORD_PROTOCOL){
			RouteRecord* rr = createRouteRecord(gatewayAddr, randomValue);
			char* rr_buf = writeRouteRecordAsNetworkBuffer(rr);

			memcpy(packet_data_2, packet_data + 20, count - 20);
			memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE);
			memcpy(packet_data + 20 + MAX_RR_HEADER_SIZE, packet_data_2, count - 20);
			packet_data[9] = (char) ROUTE_RECORD_PROTOCOL;
			printf("Modifying Packet\n\n");
		}
		else{
			// CHange the route record to add new gateway information
			RouteRecord* rr = readRouteRecord(packet_data + 20);
			addGatewayInfo(rr, gatewayAddr, -1l);

			char* rr_buf = writeRouteRecordAsNetworkBuffer(rr);
			memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE);
		}

		return nfq_set_verdict(qh, id, NF_ACCEPT, count + MAX_RR_HEADER_SIZE, (unsigned char*) packet_data);
	}

	printf("entering callback\n\n");
	return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}