/* * callback function for handling packets */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int decision, id=0; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } /* check if we should block this packet */ decision = pkt_decision(nfa); if( decision == PKT_ACCEPT) { return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } #if defined(DMP_CAPTIVEPORTAL_1) else if (decision == PKT_REDIRECT) { printf("GlbRedirectUrl %s\n", GlbRedirectUrl); return AEI_send_redirect(qh, id, nfa, GlbRedirectUrl); } #endif else { return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
static int redirect_pkt(struct nfq_data* tb, int sockdes) { int id = 0; int len; unsigned char* data; struct nfqnl_msg_packet_hdr *ph; package_with_header curr_package; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); } len = nfq_get_payload(tb, &data); if (len < 0) { perror("payload"); exit(1); } curr_package.packet_id = id; printf("%i\n", id); memcpy(curr_package.data, data, len); if (send(sockdes, &curr_package, sizeof(package_with_header), 0) == -1) { perror("send"); exit(1); } return id; }
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; struct skb_buf skb; //get unique ID of packet in queue ph = nfq_get_msg_packet_hdr(nfa); if(!ph) { return -1; } skb.packet_id= ntohl(ph->packet_id); //get payload skb.pload_len = nfq_get_payload(nfa, &(skb.pload)); if(skb.pload_len <=0) { nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload); return -1; } skb.pload[skb.pload_len]='\0'; process_tcp(&skb ,tcp_stream_handle); return 0; }
int cb(struct nfq_q_handle *h, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { printf("Packet received \n"); int id = ntohl(nfq_get_msg_packet_hdr(nfa)->packet_id); nfq_set_verdict(h, id, NF_QUEUE_NR(1), 0, NULL); }
/* returns packet id */ static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph){ id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) printf("payload_len=%d ", ret); fputc('\n', stdout); return id; }
// function callback for packet processing // --------------------------------------- static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int id_protocol = 0, id = 0, len = 0; unsigned char *full_packet; // get data of packet (payload) unsigned char *new_packet = NULL; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { len = nfq_get_payload(nfa, &full_packet); id = ntohl(ph->packet_id); id_protocol = identify_ip_protocol(full_packet); if (id_protocol == IPPROTO_UDP) { /* Only UDP packets */ printf("Packet from %s:%d", get_src_ip_str(full_packet), get_udp_src_port(full_packet)); printf(" to %s:%d\n", get_dst_ip_str(full_packet), get_tcp_dst_port(full_packet)); /* Process packet... */ new_packet = process_packet(full_packet, &len, ph->hook); } // let the packet continue on. NF_ACCEPT will pass the packet // ----------------------------------------------------------- if (new_packet) { nfq_set_verdict(qh, id, NF_ACCEPT, len, new_packet); free(new_packet); } else nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { printf("NFQUEUE: can't get msg packet header.\n"); return ERR; // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error } return OK; }
static int process_nfq_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int pkt_len = 0; int verdict; unsigned char *full_packet; fko_srv_options_t *opts = (fko_srv_options_t *)data; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { /* --DSS for ref id = ntohl(ph->packet_id); hook = ph->hook; hw_proto = ph->protocol; */ /* Retrieve packet payload */ pkt_len = nfq_get_payload(nfa, &full_packet); process_packet(opts, pkt_len, full_packet); /* Verdict on what to do with the packet. If it is coming from * the INPUT chain (NF_IP_LOCAL_IN), then it is assumed to be * a spa packet and can be dropped. Otherwise, let it through. */ verdict = (ph->hook == NF_IP_LOCAL_IN) ? NF_DROP : NF_ACCEPT; nfq_set_verdict(qh, ph->packet_id, verdict, 0, NULL); } return 0; }
int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int id; int len; int hlen; char *pkt; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; struct timeval tv; tv.tv_sec = 0; // init if ((ph = nfq_get_msg_packet_hdr(nfa))) id = ntohl(ph->packet_id); else id = 0; if ((hwph = nfq_get_packet_hw(nfa))) hlen = ntohs(hwph->hw_addrlen); else hlen = 0; /* hole payload ... falls es nicht klappt ... Paket durchreichen */ if ((len = nfq_get_payload (nfa, (char **) &pkt)) < 0) return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); nfq_get_timestamp(nfa,&tv); return nfq_set_verdict(qh, id, myworker (data, pkt, len,&tv) ? NF_DROP : NF_ACCEPT, 0, NULL); }
static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfad, void *data) { struct packet_module_state *state = data; struct nfqnl_msg_packet_hdr* packet_hdr; #if NFQ_GET_PAYLOAD_UNSIGNED_CHAR unsigned char *packet_data; #else char *packet_data; #endif int packet_len; state->error = 0; packet_hdr = nfq_get_msg_packet_hdr(nfad); if (!packet_hdr) { message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet header"); return 0; } packet_len = nfq_get_payload(nfad, &packet_data); if (packet_len > PACKET_BUFFER_SIZE) { message(HAKA_LOG_WARNING, MODULE_NAME, L"received packet is too large"); return 0; } else if (packet_len < 0) { message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet payload"); return 0; } state->current_packet = malloc(sizeof(struct nfqueue_packet)); if (!state->current_packet) { state->error = ENOMEM; return 0; } memset(state->current_packet,0,sizeof(struct nfqueue_packet)); state->current_packet->data = malloc(packet_len); if (!state->current_packet->data) { free(state->current_packet); state->error = ENOMEM; return 0; } state->current_packet->timestamp = time_gettimestamp(); state->current_packet->length = packet_len; state->current_packet->modified = 0; state->current_packet->id = ntohl(packet_hdr->packet_id); /* The copy is needed as the packet buffer will be overridden when the next * packet will arrive. */ memcpy(state->current_packet->data, packet_data, packet_len); return 0; }
/* returns packet id */ static u_int32_t getid (struct nfq_data *tb){ int id = 0; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(tb); if (ph) id = ntohl(ph->packet_id); return id; }
static uint32_t nfqueue_packet_get_id(struct nfq_data *packet) { uint32_t id = -1; struct nfqnl_msg_packet_hdr *packetHeader; if ((packetHeader = nfq_get_msg_packet_hdr(packet)) != NULL) id = ntohl(packetHeader->packet_id); return id; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = 0; int d; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); if(ph) id = ntohl(ph->packet_id); // verify some basic patterns and drop packet if it's // somehow unexpected if(verify_pkt(nfa) != 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); uint8_t ip_addr[4]; device_t dev; uint16_t port; if(get_info(nfa, &dev, ip_addr, &port) != 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); // check if this device already has an entry in the denied/allowed lists for(d=0;d<allowed_len;d++) { if(memcmp(allowed[d].hw_addr, dev.hw_addr, 6) == 0) return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } for(d=0;d<denied_len;d++) if(memcmp(denied[d].hw_addr, dev.hw_addr, 6) == 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); // if we have a pending request then just drop everything // elso until the current request has been answered if(pending) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); pending = malloc(sizeof(device_t)); *pending = dev; printf("REQ "); // print the info int i; for (i = 0; i < 5; i++) printf("%02x:", pending->hw_addr[i]); printf("%02x ", pending->hw_addr[5]); for (i = 0; i < 3; i++) printf("%u.", ip_addr[i]); printf("%u ", ip_addr[3]); printf("%u\n", port); printf("-> A(ccept), D(eny), I(gnore), Q(uit): "); fflush(stdout); // return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); }
static u_int32_t fwnfq_process_pkt (struct nfq_data *tb, FWAction *action) { struct nfqnl_msg_packet_hdr *ph; gint id = 0; u_int32_t mark, ifi, ifo, ifaceidx; gint ret, iphdrlen; gchar *data; FWDirection dir; struct ip *hdr; ph = nfq_get_msg_packet_hdr(tb); if ( ph ) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if ( mark ) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if ( ifi ) { printf("indev=%u ", ifi-1); dir = DIR_INCOMING; ifaceidx = ifi - 1; } ifo = nfq_get_outdev(tb); if ( ifo ) { printf("outdev=%u ", ifo-1); dir = DIR_OUTGOING; ifaceidx = ifo - 1; } ret = nfq_get_payload(tb, &data); if ( ret >= 0 ) printf("payload_len=%d ", ret); printf("\n\n"); /* Refresh every 50 packet */ // if ( (id % 50) == 0 ) { // fwproc_netentries_process(PROTO_TCP); // fwproc_netentries_process(PROTO_UDP); // fwproc_scan_procdir(); // } hdr = (struct ip *) data; iphdrlen = hdr->ip_hl * 4; // IP header len = ip_hl * 4 (32 bits) printf("*** PACKET PROTOCOL: %s ***\n", TxtProto[hdr->ip_p]); *action = fwnfq_process_rules(ifaceidx, dir, data, id); return id; }
static int log_packet(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* dat, void* data) { struct nfqnl_msg_packet_hdr* nfq_hdr = nfq_get_msg_packet_hdr(dat); unsigned char* payload; int len = nfq_get_payload(dat,&payload); printf("---\n"); printf("got a packet - len %d\n",len); nfq_set_verdict(qh, ntohl(nfq_hdr->packet_id), NF_ACCEPT, 0, NULL); return 0; }
static uint32_t nfqueue_packet_get_hook(struct nfq_data *packet) { uint32_t hook = -1; struct nfqnl_msg_packet_hdr *packetHeader; if ((packetHeader = nfq_get_msg_packet_hdr(packet)) != NULL) hook = packetHeader->hook; return hook; }
static int cb( struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfqdata, void *data ) { /* TODO - should have an option "delay", to explicitly avoid offering a verdict right away */ static const char* verdict_opt[] = { "accept", "drop", NULL }; static int verdict_val[] = { NF_ACCEPT, NF_DROP, }; lua_State* L = data; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata); /* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */ u_int32_t id = 0; if (ph) { /* TODO - why is this conditional in sample source? */ id = ntohl(ph->packet_id); } /* We expect stack to look like: * [1] qhandle * [2] cbfn */ check_handle(L); luaL_checktype(L, 2, LUA_TFUNCTION); lua_pushvalue(L, 2); /* Push copy of fn */ lua_pushlightuserdata(L, nfqdata); lua_call(L, 1, 2); /* Return will be: * [3] "accept", "drop", ..., default is accept * [4] string, the replacement packet, default is 0,NULL */ { int verdict = luaL_checkoption(L, 3, "accept", verdict_opt); size_t replacesz = 0; const char* replace = lua_tolstring(L, 4, &replacesz); /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/ /* Reset stack, chopping any return values. */ lua_settop(L, 2); return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace); } }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { // u_int32_t id = print_pkt(nfa); u_int32_t id; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); id = ntohl(ph->packet_id); printf("entering callback\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } hwph = nfq_get_packet_hw(tb); if (hwph) { int i, hlen = ntohs(hwph->hw_addrlen); printf("hw_src_addr="); for (i = 0; i < hlen-1; i++) printf("%02x:", hwph->hw_addr[i]); printf("%02x ", hwph->hw_addr[hlen-1]); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ifi = nfq_get_physindev(tb); if (ifi) printf("physindev=%u ", ifi); ifi = nfq_get_physoutdev(tb); if (ifi) printf("physoutdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) { printf("payload_len=%d ", ret); //processPacketData (data, ret); } fputc('\n', stdout); return id; }
static int tc_nfq_process_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int i, id = 0, payload_len = 0, ret, pass_through_flag = 0; unsigned char *payload; tc_ip_header_t *ip_hdr; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } payload_len = nfq_get_payload(nfa, &payload); if (payload_len < 40) { tc_log_info(LOG_WARN, 0, "payload len wrong:%d", payload_len); return TC_ERROR; } ip_hdr = (tc_ip_header_t *)payload; if (ip_hdr != NULL) { /* check if it is the valid user to pass through firewall */ for (i = 0; i < srv_settings.passed_ips.num; i++) { if (srv_settings.passed_ips.ips[i] == ip_hdr->daddr) { pass_through_flag = 1; break; } } tot_resp_packs++; if (pass_through_flag) { /* pass through the firewall */ ret = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { tot_copy_resp_packs++; router_update(srv_settings.router_fd, ip_hdr); tc_check_cleaning(); /* drop the packet */ ret = nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { ret = TC_ERROR; } return ret; }
/* :::: Funcion callback ::: ================ Es invocada cada vez que hay un paquete en la cola */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; unsigned char *nf_packet; char saddr[2048]; int ret; char *valor_memcache; size_t len_memcache; char *key_memcache="autorizada"; uint32_t flags; // Obtenemos las headers: ph = nfq_get_msg_packet_hdr(nfa); // Y el ID de paquete, que hace falta para el veredicto final: id = ntohl(ph->packet_id); // Obtenemos la IP origen del paquete: // - Primero hay que obtener el paquete en si: ret = nfq_get_payload(nfa, &nf_packet); if ((ret <= 0)) { printf("Error, no hay paquete que recibir - wtf \n"); return; } struct iphdr *iph = ((struct iphdr *) nf_packet); inet_ntop(AF_INET, &(iph->saddr), saddr, sizeof(saddr)); // fprintf(stdout,"Recibido con origen%s\n",saddr); valor_memcache = memcached_get(memc, key_memcache, strlen(key_memcache), &len_memcache, &flags, &rc); if (rc == MEMCACHED_SUCCESS) { if (strcmp(saddr,valor_memcache) == 0) { free(valor_memcache); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { free(valor_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { printf("Key %s no se ha podido encontrar en memcached\n",key_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; u_int32_t id; ph = nfq_get_msg_packet_hdr(nfa); assert (ph); id = ntohl(ph->packet_id); uint8_t *pkt; int len = nfq_get_payload(nfa, &pkt); printf("id %d: got %d bytes payload\n", id, len); u_int32_t verdict = NF_REPEAT; /* by default, just mark so we can REJECT */ if (len >= (signed)sizeof(struct iphdr)) { struct iphdr *iph = (struct iphdr *)pkt; if (iph->version == 4) { struct in_addr haddr = {.s_addr = iph->saddr}; printf("host: %s\n", inet_ntoa(haddr)); for (const char **host = hosts; *host; ++host) { printf("trying %s\n", *host); struct hostent *he = gethostbyname(*host); if (he) { for (char **alp = he->h_addr_list; *alp; ++alp) { if (((struct in_addr *)*alp)->s_addr == haddr.s_addr) { printf("ok\n"); verdict = NF_ACCEPT; break; } } } if (verdict == NF_ACCEPT) break; } } } int rv; rv = nfq_set_verdict2(qh, id, verdict, 1, 0, NULL); fprintf(stderr, "set_verdict2: %d\n", rv); assert (rv >= 0); return 0; } static void usage() { fprintf(stderr, "Usage: namematch [-h dest_hostname ...]\n"); }
static int daq_nfq_callback( struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* nfad, void* data) { NfqImpl *impl = (NfqImpl*)data; struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfad); DAQ_Verdict verdict; DAQ_PktHdr_t hdr; uint8_t* pkt; int nf_verdict; uint32_t data_len; if ( impl->state != DAQ_STATE_STARTED ) return -1; if ( !ph || SetPktHdr(impl, nfad, &hdr, &pkt) ) { DPE(impl->error, "%s: can't setup packet header", __FUNCTION__); return -1; } if ( impl->fcode.bf_insns && sfbpf_filter(impl->fcode.bf_insns, pkt, hdr.caplen, hdr.caplen) == 0 ) { verdict = DAQ_VERDICT_PASS; impl->stats.packets_filtered++; } else { verdict = impl->user_func(impl->user_data, &hdr, pkt); if ( verdict >= MAX_DAQ_VERDICT ) verdict = DAQ_VERDICT_BLOCK; impl->stats.verdicts[verdict]++; impl->stats.packets_received++; } nf_verdict = ( impl->passive || s_fwd[verdict] ) ? NF_ACCEPT : NF_DROP; data_len = ( verdict == DAQ_VERDICT_REPLACE ) ? hdr.caplen : 0; nfq_set_verdict( impl->nf_queue, ntohl(ph->packet_id), nf_verdict, data_len, pkt); return 0; }
static int verify_pkt (struct nfq_data *tb) { struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; struct iphdr *iph; struct tcphdr *tcph; ph = nfq_get_msg_packet_hdr(tb); if(!ph) return -1; // check for IP if(ntohs(ph->hw_protocol) != 0x800) return -1; hwph = nfq_get_packet_hw(tb); if(!hwph) return -1; // only accept 6 byte hw addresses // this may fail with USB net. But we don't want to restricht that // anyway if(ntohs(hwph->hw_addrlen) != 6) return -1; // the rest are payload checks // error or less than ip+tcp headers if(nfq_get_payload(tb, (unsigned char **)&iph) < 40) return -1; // check for valid ipv4 header if((iph->version != 4) || (iph->ihl != 5)) return -1; // don't allow fragmentation if((ntohs(iph->frag_off) & 0x1fff) != 0) return -1; // only deal with tcp if(iph->protocol != 6) return -1; // and take a peak into the tcp header tcph = (struct tcphdr*)(((char*)iph)+20); // ignore anything that doesn't have a syn flag if(!tcph->syn) return -1; return 0; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; //m_stack_t *st = (m_stack_t *)data; unsigned char *packet; u_int32_t id, ret; ph = nfq_get_msg_packet_hdr(nfa); id = ntohl(ph->packet_id); if ((ret = nfq_get_payload(nfa, &packet)) >= 0){ syslog(LOG_NOTICE, "packet catched id: %d, payload_len=%d\n\r", id, ret); } return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int cb( struct nfq_q_handle *q, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *arg ) { int id = 0; struct nfqnl_msg_packet_hdr *ph; size_t packet_length; unsigned char *packet_data; struct pkt_buff *packet; struct iphdr *ip_header; struct tcphdr *tcp_header; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } packet_length = nfq_get_payload(nfa, &packet_data); packet = pktb_alloc(AF_INET, packet_data, packet_length, 4096); ip_header = nfq_ip_get_hdr(packet); nfq_ip_set_transport_header(packet, ip_header); tcp_header = nfq_tcp_get_hdr(packet); if (ip_header) { struct in_addr *target; if (src_or_dst == src) { target = (struct in_addr *) &ip_header->saddr; } else if (src_or_dst == dst) { target = (struct in_addr *) &ip_header->daddr; } inet_aton(target_ip_address, target); nfq_ip_set_checksum(ip_header); nfq_tcp_compute_checksum_ipv4(tcp_header, ip_header); memcpy(packet_data, pktb_data(packet), packet_length); } pktb_free(packet); return nfq_set_verdict(q, id, NF_ACCEPT, packet_length, packet_data); }
static int cb( struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfqdata, void *data ) { static const char* verdict_opt[] = { "accept", "drop", NULL }; static int verdict_val[] = { NF_ACCEPT, NF_DROP, }; lua_State* L = data; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata); /* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */ u_int32_t id = 0; if (ph) { /* TODO - why is this conditional in sample source? */ id = ntohl(ph->packet_id); } /* Return will be: * [2] "accept", "drop", ..., default is accept * [3] string, the replacement packet, default is 0,NULL */ lua_settop(L, 1); /* Leave only the cb fn on the stack */ lua_pushvalue(L, 1); /* Push copy of fn */ lua_pushlightuserdata(L, nfqdata); lua_call(L, 1, 2); { int verdict = luaL_checkoption(L, 2, "accept", verdict_opt); size_t replacesz = 0; const char* replace = lua_tolstring(L, 3, &replacesz); /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/ return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace); } }
int NetherNetlink::callback(struct nfq_q_handle *, struct nfgenmsg *, struct nfq_data *nfa, void *data) { NetherNetlink *me = static_cast<NetherNetlink *>(data); NetherPacket packet; unsigned char *secctx; int secctxSize = 0; struct nfqnl_msg_packet_hdr *ph; unsigned char *payload; if((ph = nfq_get_msg_packet_hdr(nfa))) { packet.id = ntohl(ph->packet_id); } else { LOGI("Failed to get packet id"); return (1); } /* get interface information if requested */ me->getInterfaceInfo(nfa, packet); if(nfq_get_uid(nfa, &packet.uid) == 0) LOGW("Failed to get uid for packet id=" << packet.id); nfq_get_gid(nfa, &packet.gid); secctxSize = nfq_get_secctx(nfa, &secctx); if(secctxSize > 0) packet.securityContext = std::string((char *)secctx, secctxSize); else LOGD("Failed to get security context for packet id=" << packet.id); if(me->netherConfig.copyPackets && nfq_get_payload(nfa, &payload) > 0) decodePacket(packet, payload); me->processNetherPacket(packet); /* this call if from the NetherPacketProcessor class */ return (0); }
/* returns packet id */ static u_int32_t display_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; int ret; unsigned char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); #ifdef DEBUG printf("hw_protocol=0x%04x hook=%u id=%u \n", ntohs(ph->hw_protocol), ph->hook, id); #endif } ret = nfq_get_payload(tb, &data); // if (ret >= 0) print_ip_pkt(data, ret); return id; }
/* Definition of callback function */ int disruptor_nfq_call_back(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { //struct disrupt_stream_s *stream = (struct disrupt_stream_s *) data; //struct scenario_s * scenario = &stream->scenario; int16_t verdict = true; int32_t pkt_id; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa); if (ph) { pkt_id = ntohl(ph->packet_id); } // NF_DROP 0 // NF_ACCEPT 1 // NF_STOLEN 2 // NF_QUEUE 3 // NF_REPEAT 4 // NF_STOP 5 verdict = disrupt_ip_packet_analysis(nfa, pkt_id); if(verdict){ nfq_set_verdict(qh, pkt_id, verdict, 0, NULL); /* if scenario is not keeping the packet we release it immediatly */ } return 1; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = -1; struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); char* packet_data = (char*) calloc(1, 10000); char* packet_data_2 = (char*) calloc(1, 10000); int count = nfq_get_payload(nfa, (unsigned char**)&packet_data); printf("count: [%d], ", count); int protocol = (int) packet_data[9]; printf("protocol: [%d]", protocol); //Get the source and destination IPs char srcIP[33]; inet_ntop(AF_INET, packet_data+12, srcIP, INET_ADDRSTRLEN); srcIP[32] = '\0'; char destIP[33]; inet_ntop(AF_INET, packet_data+16, destIP, INET_ADDRSTRLEN); destIP[32] = '\0'; struct in_addr* destAddr = getInAddr(destIP); struct in_addr* sourceAddr = getInAddr(srcIP); //If we're blocking the flow, drop the packet. if(checkForFilteredFlows(sourceAddr, destAddr) == TRUE){ return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } //Means the route record shim is not already there, so add it. if(protocol != ROUTE_RECORD_PROTOCOL){ RouteRecord* rr = createRouteRecord(gatewayAddr, randomValue); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data_2, packet_data + 20, count - 20); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); memcpy(packet_data + 20 + MAX_RR_HEADER_SIZE, packet_data_2, count - 20); packet_data[9] = (char) ROUTE_RECORD_PROTOCOL; printf("Modifying Packet\n\n"); } else{ // CHange the route record to add new gateway information RouteRecord* rr = readRouteRecord(packet_data + 20); addGatewayInfo(rr, gatewayAddr, -1l); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); } return nfq_set_verdict(qh, id, NF_ACCEPT, count + MAX_RR_HEADER_SIZE, (unsigned char*) packet_data); } printf("entering callback\n\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }