static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { QHandler *handler = (QHandler *) data; u_int32_t id = get_pkt_id(nfa); char *payload; int payload_len; payload_len = nfq_get_payload(nfa, &payload); // Determine addresses IpAddress srcaddr((struct in_addr *) (payload + 12)); IpAddress dstaddr((struct in_addr *) (payload + 16)); // std::cout << "Got packet ID " << id << // " from " << srcaddr << " to " << dstaddr << std::endl; // Work out what proto it is... int proto = (int) (unsigned char) payload[9]; FnvHash hash; hash.addData(payload + 12, 8); // src + dst addr if (proto == IPPROTO_TCP) { // unsigned short sport = ntohs( *(unsigned short *) (payload+20)); // unsigned short dport = ntohs( *(unsigned short *) (payload+22)); // std::cout << "TCP sport " << sport << " dport " << dport // << std::endl; hash.addData(payload + 20, 4); // src + dst ports } int hashvalue = hash.get16rev(); // std::cout << "Hash value=" << hashvalue << std::endl; u_int32_t verdict = NF_DROP; if ((hashvalue >= handler->lowerHashLimit) && (hashvalue < handler->upperHashLimit)) verdict = NF_ACCEPT; std::cout << "Connection from " << srcaddr << " Hash value=" << hashvalue << " Accept: " << (verdict == NF_ACCEPT ? "yes" : "no") << std::endl; return nfq_set_verdict(handler->GetQh(), id, verdict, 0, NULL); }
int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int id; int len; int hlen; char *pkt; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; struct timeval tv; tv.tv_sec = 0; // init if ((ph = nfq_get_msg_packet_hdr(nfa))) id = ntohl(ph->packet_id); else id = 0; if ((hwph = nfq_get_packet_hw(nfa))) hlen = ntohs(hwph->hw_addrlen); else hlen = 0; /* hole payload ... falls es nicht klappt ... Paket durchreichen */ if ((len = nfq_get_payload (nfa, (char **) &pkt)) < 0) return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); nfq_get_timestamp(nfa,&tv); return nfq_set_verdict(qh, id, myworker (data, pkt, len,&tv) ? NF_DROP : NF_ACCEPT, 0, NULL); }
static u_int32_t record_pkt (struct nfq_data *tb){ /*! create pcap specific header */ struct pcap_pkthdr phdr; /*! init capture time */ static struct timeval t; memset (&t, 0, sizeof(struct timeval)); gettimeofday(&t, NULL); phdr.ts.tv_sec = t.tv_sec; phdr.ts.tv_usec = t.tv_usec; /*! populate pcap struct with packet headers */ char *nf_packet; phdr.caplen = nfq_get_payload(tb,&nf_packet); phdr.len = phdr.caplen; /*! dump packet data to the file */ pcap_dump((u_char *)p_output, &phdr, (const u_char *)nf_packet); return 0; }
static int process_nfq_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int pkt_len = 0; int verdict; unsigned char *full_packet; fko_srv_options_t *opts = (fko_srv_options_t *)data; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { /* --DSS for ref id = ntohl(ph->packet_id); hook = ph->hook; hw_proto = ph->protocol; */ /* Retrieve packet payload */ pkt_len = nfq_get_payload(nfa, &full_packet); process_packet(opts, pkt_len, full_packet); /* Verdict on what to do with the packet. If it is coming from * the INPUT chain (NF_IP_LOCAL_IN), then it is assumed to be * a spa packet and can be dropped. Otherwise, let it through. */ verdict = (ph->hook == NF_IP_LOCAL_IN) ? NF_DROP : NF_ACCEPT; nfq_set_verdict(qh, ph->packet_id, verdict, 0, NULL); } return 0; }
static int redirect_pkt(struct nfq_data* tb, int sockdes) { int id = 0; int len; unsigned char* data; struct nfqnl_msg_packet_hdr *ph; package_with_header curr_package; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); } len = nfq_get_payload(tb, &data); if (len < 0) { perror("payload"); exit(1); } curr_package.packet_id = id; printf("%i\n", id); memcpy(curr_package.data, data, len); if (send(sockdes, &curr_package, sizeof(package_with_header), 0) == -1) { perror("send"); exit(1); } return id; }
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; struct skb_buf skb; //get unique ID of packet in queue ph = nfq_get_msg_packet_hdr(nfa); if(!ph) { return -1; } skb.packet_id= ntohl(ph->packet_id); //get payload skb.pload_len = nfq_get_payload(nfa, &(skb.pload)); if(skb.pload_len <=0) { nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload); return -1; } skb.pload[skb.pload_len]='\0'; process_tcp(&skb ,tcp_stream_handle); return 0; }
static inline int SetPktHdr ( NfqImpl* impl, struct nfq_data* nfad, DAQ_PktHdr_t* hdr, uint8_t** pkt ) { int len = nfq_get_payload(nfad, (char**)pkt); if ( len <= 0 ) return -1; hdr->caplen = ((uint32_t)len <= impl->snaplen) ? (uint32_t)len : impl->snaplen; hdr->pktlen = len; hdr->flags = 0; hdr->address_space_id = 0; // if nfq fails to provide a timestamp, we fall back on tod if ( nfq_get_timestamp(nfad, &hdr->ts) ) gettimeofday(&hdr->ts, NULL); hdr->ingress_index = nfq_get_physindev(nfad); hdr->egress_index = -1; hdr->ingress_group = -1; hdr->egress_group = -1; return 0; }
/* returns packet id */ static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph){ id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) printf("payload_len=%d ", ret); fputc('\n', stdout); return id; }
// function callback for packet processing // --------------------------------------- static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int id_protocol = 0, id = 0, len = 0; unsigned char *full_packet; // get data of packet (payload) unsigned char *new_packet = NULL; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { len = nfq_get_payload(nfa, &full_packet); id = ntohl(ph->packet_id); id_protocol = identify_ip_protocol(full_packet); if (id_protocol == IPPROTO_UDP) { /* Only UDP packets */ printf("Packet from %s:%d", get_src_ip_str(full_packet), get_udp_src_port(full_packet)); printf(" to %s:%d\n", get_dst_ip_str(full_packet), get_tcp_dst_port(full_packet)); /* Process packet... */ new_packet = process_packet(full_packet, &len, ph->hook); } // let the packet continue on. NF_ACCEPT will pass the packet // ----------------------------------------------------------- if (new_packet) { nfq_set_verdict(qh, id, NF_ACCEPT, len, new_packet); free(new_packet); } else nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { printf("NFQUEUE: can't get msg packet header.\n"); return ERR; // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error } return OK; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { unsigned char *payload; int pay_len, match, rlen; u_int32_t id = display_pkt(nfa); pay_len = nfq_get_payload(nfa, &payload); #ifdef DEBUG printf("Content inspection...pay_len=%d\n", pay_len); #endif match = inspect_tcp(payload, pay_len); // return 1 if matched, 0 otherwise if (match && p_queue.count < QSIZE) { // if queue is full, let them pass //print_ip_pkt(payload, pay_len); // now lock the queue pthread_mutex_lock (&lock_queue); enqueue(&p_queue, payload, pay_len, id); #ifdef DEBUG printf("Matched packet. Queue size: %d\n", p_queue.count); #endif pthread_mutex_unlock (&lock_queue); sem_post(&sem_queue); // wake up sending threads return 0; } else { #ifdef DEBUG printf("No match found\n"); // should be ok for not locking the queue #endif pthread_mutex_lock (&lock_qh); rlen = nfq_set_verdict(qh, id, NF_ACCEPT, pay_len, payload); pthread_mutex_unlock (&lock_qh); return rlen; } }
static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfad, void *data) { struct packet_module_state *state = data; struct nfqnl_msg_packet_hdr* packet_hdr; #if NFQ_GET_PAYLOAD_UNSIGNED_CHAR unsigned char *packet_data; #else char *packet_data; #endif int packet_len; state->error = 0; packet_hdr = nfq_get_msg_packet_hdr(nfad); if (!packet_hdr) { message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet header"); return 0; } packet_len = nfq_get_payload(nfad, &packet_data); if (packet_len > PACKET_BUFFER_SIZE) { message(HAKA_LOG_WARNING, MODULE_NAME, L"received packet is too large"); return 0; } else if (packet_len < 0) { message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet payload"); return 0; } state->current_packet = malloc(sizeof(struct nfqueue_packet)); if (!state->current_packet) { state->error = ENOMEM; return 0; } memset(state->current_packet,0,sizeof(struct nfqueue_packet)); state->current_packet->data = malloc(packet_len); if (!state->current_packet->data) { free(state->current_packet); state->error = ENOMEM; return 0; } state->current_packet->timestamp = time_gettimestamp(); state->current_packet->length = packet_len; state->current_packet->modified = 0; state->current_packet->id = ntohl(packet_hdr->packet_id); /* The copy is needed as the packet buffer will be overridden when the next * packet will arrive. */ memcpy(state->current_packet->data, packet_data, packet_len); return 0; }
static int cbUp(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *payload) { char *send_data; int i = 0, newSize = 0; u_int32_t id = build_advertisement(nfa, &newSize); i = nfq_get_payload(nfa, &send_data); return nfq_set_verdict(qh, id, NF_ACCEPT, newSize, (unsigned char *)send_data); }
static u_int32_t fwnfq_process_pkt (struct nfq_data *tb, FWAction *action) { struct nfqnl_msg_packet_hdr *ph; gint id = 0; u_int32_t mark, ifi, ifo, ifaceidx; gint ret, iphdrlen; gchar *data; FWDirection dir; struct ip *hdr; ph = nfq_get_msg_packet_hdr(tb); if ( ph ) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if ( mark ) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if ( ifi ) { printf("indev=%u ", ifi-1); dir = DIR_INCOMING; ifaceidx = ifi - 1; } ifo = nfq_get_outdev(tb); if ( ifo ) { printf("outdev=%u ", ifo-1); dir = DIR_OUTGOING; ifaceidx = ifo - 1; } ret = nfq_get_payload(tb, &data); if ( ret >= 0 ) printf("payload_len=%d ", ret); printf("\n\n"); /* Refresh every 50 packet */ // if ( (id % 50) == 0 ) { // fwproc_netentries_process(PROTO_TCP); // fwproc_netentries_process(PROTO_UDP); // fwproc_scan_procdir(); // } hdr = (struct ip *) data; iphdrlen = hdr->ip_hl * 4; // IP header len = ip_hl * 4 (32 bits) printf("*** PACKET PROTOCOL: %s ***\n", TxtProto[hdr->ip_p]); *action = fwnfq_process_rules(ifaceidx, dir, data, id); return id; }
static int log_packet(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* dat, void* data) { struct nfqnl_msg_packet_hdr* nfq_hdr = nfq_get_msg_packet_hdr(dat); unsigned char* payload; int len = nfq_get_payload(dat,&payload); printf("---\n"); printf("got a packet - len %d\n",len); nfq_set_verdict(qh, ntohl(nfq_hdr->packet_id), NF_ACCEPT, 0, NULL); return 0; }
static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } hwph = nfq_get_packet_hw(tb); if (hwph) { int i, hlen = ntohs(hwph->hw_addrlen); printf("hw_src_addr="); for (i = 0; i < hlen-1; i++) printf("%02x:", hwph->hw_addr[i]); printf("%02x ", hwph->hw_addr[hlen-1]); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ifi = nfq_get_physindev(tb); if (ifi) printf("physindev=%u ", ifi); ifi = nfq_get_physoutdev(tb); if (ifi) printf("physoutdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) { printf("payload_len=%d ", ret); //processPacketData (data, ret); } fputc('\n', stdout); return id; }
static int tc_nfq_process_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int i, id = 0, payload_len = 0, ret, pass_through_flag = 0; unsigned char *payload; tc_ip_header_t *ip_hdr; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } payload_len = nfq_get_payload(nfa, &payload); if (payload_len < 40) { tc_log_info(LOG_WARN, 0, "payload len wrong:%d", payload_len); return TC_ERROR; } ip_hdr = (tc_ip_header_t *)payload; if (ip_hdr != NULL) { /* check if it is the valid user to pass through firewall */ for (i = 0; i < srv_settings.passed_ips.num; i++) { if (srv_settings.passed_ips.ips[i] == ip_hdr->daddr) { pass_through_flag = 1; break; } } tot_resp_packs++; if (pass_through_flag) { /* pass through the firewall */ ret = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { tot_copy_resp_packs++; router_update(srv_settings.router_fd, ip_hdr); tc_check_cleaning(); /* drop the packet */ ret = nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { ret = TC_ERROR; } return ret; }
/*- * str = nfq.get_payload(cbctx) * * str is the IP payload, it has been stripped of link-layer headers! */ static int get_payload(lua_State* L) { struct nfq_data *nfqdata = checkudata(L); char* data = NULL; int datasz = nfq_get_payload(nfqdata, &data); luaL_argcheck(L, datasz >= 0, 1, "nfqdata not available"); lua_pushlstring(L, data, datasz); return 1; }
/* :::: Funcion callback ::: ================ Es invocada cada vez que hay un paquete en la cola */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; unsigned char *nf_packet; char saddr[2048]; int ret; char *valor_memcache; size_t len_memcache; char *key_memcache="autorizada"; uint32_t flags; // Obtenemos las headers: ph = nfq_get_msg_packet_hdr(nfa); // Y el ID de paquete, que hace falta para el veredicto final: id = ntohl(ph->packet_id); // Obtenemos la IP origen del paquete: // - Primero hay que obtener el paquete en si: ret = nfq_get_payload(nfa, &nf_packet); if ((ret <= 0)) { printf("Error, no hay paquete que recibir - wtf \n"); return; } struct iphdr *iph = ((struct iphdr *) nf_packet); inet_ntop(AF_INET, &(iph->saddr), saddr, sizeof(saddr)); // fprintf(stdout,"Recibido con origen%s\n",saddr); valor_memcache = memcached_get(memc, key_memcache, strlen(key_memcache), &len_memcache, &flags, &rc); if (rc == MEMCACHED_SUCCESS) { if (strcmp(saddr,valor_memcache) == 0) { free(valor_memcache); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { free(valor_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { printf("Key %s no se ha podido encontrar en memcached\n",key_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; u_int32_t id; ph = nfq_get_msg_packet_hdr(nfa); assert (ph); id = ntohl(ph->packet_id); uint8_t *pkt; int len = nfq_get_payload(nfa, &pkt); printf("id %d: got %d bytes payload\n", id, len); u_int32_t verdict = NF_REPEAT; /* by default, just mark so we can REJECT */ if (len >= (signed)sizeof(struct iphdr)) { struct iphdr *iph = (struct iphdr *)pkt; if (iph->version == 4) { struct in_addr haddr = {.s_addr = iph->saddr}; printf("host: %s\n", inet_ntoa(haddr)); for (const char **host = hosts; *host; ++host) { printf("trying %s\n", *host); struct hostent *he = gethostbyname(*host); if (he) { for (char **alp = he->h_addr_list; *alp; ++alp) { if (((struct in_addr *)*alp)->s_addr == haddr.s_addr) { printf("ok\n"); verdict = NF_ACCEPT; break; } } } if (verdict == NF_ACCEPT) break; } } } int rv; rv = nfq_set_verdict2(qh, id, verdict, 1, 0, NULL); fprintf(stderr, "set_verdict2: %d\n", rv); assert (rv >= 0); return 0; } static void usage() { fprintf(stderr, "Usage: namematch [-h dest_hostname ...]\n"); }
static int verify_pkt (struct nfq_data *tb) { struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; struct iphdr *iph; struct tcphdr *tcph; ph = nfq_get_msg_packet_hdr(tb); if(!ph) return -1; // check for IP if(ntohs(ph->hw_protocol) != 0x800) return -1; hwph = nfq_get_packet_hw(tb); if(!hwph) return -1; // only accept 6 byte hw addresses // this may fail with USB net. But we don't want to restricht that // anyway if(ntohs(hwph->hw_addrlen) != 6) return -1; // the rest are payload checks // error or less than ip+tcp headers if(nfq_get_payload(tb, (unsigned char **)&iph) < 40) return -1; // check for valid ipv4 header if((iph->version != 4) || (iph->ihl != 5)) return -1; // don't allow fragmentation if((ntohs(iph->frag_off) & 0x1fff) != 0) return -1; // only deal with tcp if(iph->protocol != 6) return -1; // and take a peak into the tcp header tcph = (struct tcphdr*)(((char*)iph)+20); // ignore anything that doesn't have a syn flag if(!tcph->syn) return -1; return 0; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; //m_stack_t *st = (m_stack_t *)data; unsigned char *packet; u_int32_t id, ret; ph = nfq_get_msg_packet_hdr(nfa); id = ntohl(ph->packet_id); if ((ret = nfq_get_payload(nfa, &packet)) >= 0){ syslog(LOG_NOTICE, "packet catched id: %d, payload_len=%d\n\r", id, ret); } return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int cb( struct nfq_q_handle *q, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *arg ) { int id = 0; struct nfqnl_msg_packet_hdr *ph; size_t packet_length; unsigned char *packet_data; struct pkt_buff *packet; struct iphdr *ip_header; struct tcphdr *tcp_header; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } packet_length = nfq_get_payload(nfa, &packet_data); packet = pktb_alloc(AF_INET, packet_data, packet_length, 4096); ip_header = nfq_ip_get_hdr(packet); nfq_ip_set_transport_header(packet, ip_header); tcp_header = nfq_tcp_get_hdr(packet); if (ip_header) { struct in_addr *target; if (src_or_dst == src) { target = (struct in_addr *) &ip_header->saddr; } else if (src_or_dst == dst) { target = (struct in_addr *) &ip_header->daddr; } inet_aton(target_ip_address, target); nfq_ip_set_checksum(ip_header); nfq_tcp_compute_checksum_ipv4(tcp_header, ip_header); memcpy(packet_data, pktb_data(packet), packet_length); } pktb_free(packet); return nfq_set_verdict(q, id, NF_ACCEPT, packet_length, packet_data); }
int get_info(struct nfq_data *tb, device_t *dev, char *ip_addr, uint16_t *port) { struct nfqnl_msg_packet_hw *hwph; struct iphdr *iph; struct tcphdr *tcph; hwph = nfq_get_packet_hw(tb); if(!hwph) return -1; memcpy(dev->hw_addr, hwph->hw_addr, 6); if(nfq_get_payload(tb, (unsigned char **)&iph) < 40) return -1; memcpy(ip_addr, &iph->saddr, 4); tcph = (struct tcphdr*)(((char*)iph)+20); *port = ntohs(tcph->dest); return 0; }
static inline int SetPktHdr ( NfqImpl* impl, struct nfq_data* nfad, DAQ_PktHdr_t* hdr, uint8_t** pkt ) { int len = nfq_get_payload(nfad, (char**)pkt); if ( len <= 0 ) return -1; hdr->caplen = ((uint32_t)len <= impl->snaplen) ? (uint32_t)len : impl->snaplen; hdr->pktlen = len; hdr->flags = 0; nfq_get_timestamp(nfad, &hdr->ts); hdr->device_index = nfq_get_physindev(nfad); return 0; }
int disrupt_ip_packet_analysis(struct nfq_data *nfa, int32_t pkt_id) { #ifdef NFQ_V0 char *payload_data; #else unsigned char *payload_data; #endif uint16_t payload_len = nfq_get_payload(nfa, &payload_data); struct iphdr * ip_hdr = (struct iphdr *)(payload_data); packet.size= payload_len + DATALINK_OVERHEAD; /* Detect transport protocol */ if ( ip_hdr->protocol == IPPROTO_TCP ) { return disrupt_tcp_packet_analysis(payload_data + sizeof(struct iphdr), pkt_id); } else if ( ip_hdr->protocol == IPPROTO_UDP ) { disrupt_stream_detection(ip_hdr, (struct udphdr *) (payload_data + sizeof(struct iphdr)) ); return disrupt_udp_packet_analysis(payload_data + sizeof(struct iphdr), pkt_id); } }
int NetherNetlink::callback(struct nfq_q_handle *, struct nfgenmsg *, struct nfq_data *nfa, void *data) { NetherNetlink *me = static_cast<NetherNetlink *>(data); NetherPacket packet; unsigned char *secctx; int secctxSize = 0; struct nfqnl_msg_packet_hdr *ph; unsigned char *payload; if((ph = nfq_get_msg_packet_hdr(nfa))) { packet.id = ntohl(ph->packet_id); } else { LOGI("Failed to get packet id"); return (1); } /* get interface information if requested */ me->getInterfaceInfo(nfa, packet); if(nfq_get_uid(nfa, &packet.uid) == 0) LOGW("Failed to get uid for packet id=" << packet.id); nfq_get_gid(nfa, &packet.gid); secctxSize = nfq_get_secctx(nfa, &secctx); if(secctxSize > 0) packet.securityContext = std::string((char *)secctx, secctxSize); else LOGD("Failed to get security context for packet id=" << packet.id); if(me->netherConfig.copyPackets && nfq_get_payload(nfa, &payload) > 0) decodePacket(packet, payload); me->processNetherPacket(packet); /* this call if from the NetherPacketProcessor class */ return (0); }
/* returns packet id */ static u_int32_t display_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; int ret; unsigned char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); #ifdef DEBUG printf("hw_protocol=0x%04x hook=%u id=%u \n", ntohs(ph->hw_protocol), ph->hook, id); #endif } ret = nfq_get_payload(tb, &data); // if (ret >= 0) print_ip_pkt(data, ret); return id; }
static int Callback123(nfq_q_handle* myQueue, struct nfgenmsg* msg, nfq_data* pkt, void *cbData) { unsigned int id=0; nfqnl_msg_packet_hdr *header; double currentTime=0; fprintf(stdout,"enter the callback\n"); fprintf(stdout,"***********ALL entry in UDP table\n"); printAllUdp(&udpHead); fprintf(stdout,"\n**********All entry in tCP table\n"); printAllTcp(&tcpHead); fprintf(stdout,"\n*****end***************\n\n"); //get time // struct timeval tv; // if (!nfq_get_timestamp(pkt,&tv) ) { // double currentTime = tv.tv_sec + (double) tv.tv_usec / 1000000; // printf(" Timestamp: %lf\n",currentTime); // } // else { // printf(" Timestamp: nil\n"); // } time_t now; now=time(0); currentTime=(double)now; printf("pkt recvd: "); if ( (header = nfq_get_msg_packet_hdr(pkt) )) { id = ntohl(header->packet_id); printf(" id: %u\n", id); printf(" hw_protocol: %u\n", ntohs(header->hw_protocol)); printf(" hook: %u\n", header->hook); } unsigned char *pktData; int len=nfq_get_payload(pkt, (char**)&pktData); /* convert the pktData to ip header and check the ip header's protocol: TCP : process UDP : process Neither TCP or UDP: drop */ struct ip* ip_hdr = (struct ip *) pktData; switch(ip_hdr->ip_p) { case IPPROTO_TCP: { // struct tcphdr* tcp_hdr = (struct tcphdr*) ( (unsigned char*)pktData + (ip_hdr->ip_hl << 2) ); int processResult = processTcp(&tcpHead,ip_hdr); if ( processResult==1 ) { return nfq_set_verdict(myQueue, id, NF_ACCEPT, len, pktData); } else if ( processResult==0 ) { return nfq_set_verdict(myQueue, id, NF_DROP, 0, NULL); } else { fprintf(stderr,"The processUdp gives a wrong number, don't know whether to drop or accept\n"); return nfq_set_verdict(myQueue, id, NF_DROP, 0, NULL); } break; } case IPPROTO_UDP: { // struct udphdr* udp_hdr = (struct udphdr*) ( (unsigned char*)pktData + (ip_hdr->ip_hl << 2) ); /* UDP part */ int processResult = processUdp(&udpHead,ip_hdr,currentTime); if ( processResult==1 ) { printf("Packet Source: %u\n",ntohl(ip_hdr->ip_src.s_addr)); fprintf(stdout,"Packet Accepted. \n"); return nfq_set_verdict(myQueue, id, NF_ACCEPT, len, pktData); } else if ( processResult ==0 ) { fprintf(stdout,"Packet Dropped. \n"); return nfq_set_verdict(myQueue, id, NF_DROP, 0, NULL); } else { fprintf(stderr,"The processUdp gives a wrong number, don't know whether to drop or accept\n"); return nfq_set_verdict(myQueue, id, NF_DROP, 0, NULL); } break; } default: { printf("Neither TCP or UDP, just drop it"); return nfq_set_verdict(myQueue, id, NF_DROP, 0, NULL); break; } } }
int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data) { struct nfq_data *tb = (struct nfq_data *)data; int ret; char *pktdata; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(tb); if (ph != NULL) { p->nfq_v.id = ntohl(ph->packet_id); //p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol); p->nfq_v.hw_protocol = ph->hw_protocol; } p->nfq_v.mark = nfq_get_nfmark(tb); if (nfq_config.mode == NFQ_REPEAT_MODE) { if ((nfq_config.mark & nfq_config.mask) == (p->nfq_v.mark & nfq_config.mask)) { int iter = 0; if (already_seen_warning < MAX_ALREADY_TREATED) SCLogInfo("Packet seems already treated by suricata"); already_seen_warning++; do { ret = nfq_set_verdict(qh, p->nfq_v.id, NF_ACCEPT, 0, NULL); } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME)); if (ret < 0) { SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict of %p failed %" PRId32 "", p, ret); } return -1 ; } } p->nfq_v.ifi = nfq_get_indev(tb); p->nfq_v.ifo = nfq_get_outdev(tb); #ifdef NFQ_GET_PAYLOAD_SIGNED ret = nfq_get_payload(tb, &pktdata); #else ret = nfq_get_payload(tb, (unsigned char **) &pktdata); #endif /* NFQ_GET_PAYLOAD_SIGNED */ if (ret > 0) { /* nfq_get_payload returns a pointer to a part of memory * that is not preserved over the lifetime of our packet. * So we need to copy it. */ if (ret > 65536) { /* Will not be able to copy data ! Set length to 0 * to trigger an error in packet decoding. * This is unlikely to happen */ SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "NFQ sent too big packet"); SET_PKT_LEN(p, 0); } else { PacketCopyData(p, (uint8_t *)pktdata, ret); } } else if (ret == -1) { /* unable to get pointer to data, ensure packet length is zero. * This will trigger an error in packet decoding */ SET_PKT_LEN(p, 0); } ret = nfq_get_timestamp(tb, &p->ts); if (ret != 0) { memset (&p->ts, 0, sizeof(struct timeval)); gettimeofday(&p->ts, NULL); } p->datalink = DLT_RAW; return 0; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = -1; struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); char* packet_data = (char*) calloc(1, 10000); char* packet_data_2 = (char*) calloc(1, 10000); int count = nfq_get_payload(nfa, (unsigned char**)&packet_data); printf("count: [%d], ", count); int protocol = (int) packet_data[9]; printf("protocol: [%d]", protocol); //Get the source and destination IPs char srcIP[33]; inet_ntop(AF_INET, packet_data+12, srcIP, INET_ADDRSTRLEN); srcIP[32] = '\0'; char destIP[33]; inet_ntop(AF_INET, packet_data+16, destIP, INET_ADDRSTRLEN); destIP[32] = '\0'; struct in_addr* destAddr = getInAddr(destIP); struct in_addr* sourceAddr = getInAddr(srcIP); //If we're blocking the flow, drop the packet. if(checkForFilteredFlows(sourceAddr, destAddr) == TRUE){ return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } //Means the route record shim is not already there, so add it. if(protocol != ROUTE_RECORD_PROTOCOL){ RouteRecord* rr = createRouteRecord(gatewayAddr, randomValue); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data_2, packet_data + 20, count - 20); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); memcpy(packet_data + 20 + MAX_RR_HEADER_SIZE, packet_data_2, count - 20); packet_data[9] = (char) ROUTE_RECORD_PROTOCOL; printf("Modifying Packet\n\n"); } else{ // CHange the route record to add new gateway information RouteRecord* rr = readRouteRecord(packet_data + 20); addGatewayInfo(rr, gatewayAddr, -1l); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); } return nfq_set_verdict(qh, id, NF_ACCEPT, count + MAX_RR_HEADER_SIZE, (unsigned char*) packet_data); } printf("entering callback\n\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }