/* returns packet id */ static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph){ id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) printf("payload_len=%d ", ret); fputc('\n', stdout); return id; }
static u_int32_t fwnfq_process_pkt (struct nfq_data *tb, FWAction *action) { struct nfqnl_msg_packet_hdr *ph; gint id = 0; u_int32_t mark, ifi, ifo, ifaceidx; gint ret, iphdrlen; gchar *data; FWDirection dir; struct ip *hdr; ph = nfq_get_msg_packet_hdr(tb); if ( ph ) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if ( mark ) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if ( ifi ) { printf("indev=%u ", ifi-1); dir = DIR_INCOMING; ifaceidx = ifi - 1; } ifo = nfq_get_outdev(tb); if ( ifo ) { printf("outdev=%u ", ifo-1); dir = DIR_OUTGOING; ifaceidx = ifo - 1; } ret = nfq_get_payload(tb, &data); if ( ret >= 0 ) printf("payload_len=%d ", ret); printf("\n\n"); /* Refresh every 50 packet */ // if ( (id % 50) == 0 ) { // fwproc_netentries_process(PROTO_TCP); // fwproc_netentries_process(PROTO_UDP); // fwproc_scan_procdir(); // } hdr = (struct ip *) data; iphdrlen = hdr->ip_hl * 4; // IP header len = ip_hl * 4 (32 bits) printf("*** PACKET PROTOCOL: %s ***\n", TxtProto[hdr->ip_p]); *action = fwnfq_process_rules(ifaceidx, dir, data, id); return id; }
static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; u_int32_t mark,ifi; int ret; char *data; ph = nfq_get_msg_packet_hdr(tb); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } hwph = nfq_get_packet_hw(tb); if (hwph) { int i, hlen = ntohs(hwph->hw_addrlen); printf("hw_src_addr="); for (i = 0; i < hlen-1; i++) printf("%02x:", hwph->hw_addr[i]); printf("%02x ", hwph->hw_addr[hlen-1]); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ifi = nfq_get_physindev(tb); if (ifi) printf("physindev=%u ", ifi); ifi = nfq_get_physoutdev(tb); if (ifi) printf("physoutdev=%u ", ifi); ret = nfq_get_payload(tb, &data); if (ret >= 0) { printf("payload_len=%d ", ret); //processPacketData (data, ret); } fputc('\n', stdout); return id; }
int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data) { struct nfq_data *tb = (struct nfq_data *)data; int ret; char *pktdata; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(tb); if (ph != NULL) { p->nfq_v.id = ntohl(ph->packet_id); //p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol); p->nfq_v.hw_protocol = ph->hw_protocol; } p->nfq_v.mark = nfq_get_nfmark(tb); if (nfq_config.mode == NFQ_REPEAT_MODE) { if ((nfq_config.mark & nfq_config.mask) == (p->nfq_v.mark & nfq_config.mask)) { int iter = 0; if (already_seen_warning < MAX_ALREADY_TREATED) SCLogInfo("Packet seems already treated by suricata"); already_seen_warning++; do { ret = nfq_set_verdict(qh, p->nfq_v.id, NF_ACCEPT, 0, NULL); } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME)); if (ret < 0) { SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict of %p failed %" PRId32 "", p, ret); } return -1 ; } } p->nfq_v.ifi = nfq_get_indev(tb); p->nfq_v.ifo = nfq_get_outdev(tb); #ifdef NFQ_GET_PAYLOAD_SIGNED ret = nfq_get_payload(tb, &pktdata); #else ret = nfq_get_payload(tb, (unsigned char **) &pktdata); #endif /* NFQ_GET_PAYLOAD_SIGNED */ if (ret > 0) { /* nfq_get_payload returns a pointer to a part of memory * that is not preserved over the lifetime of our packet. * So we need to copy it. */ if (ret > 65536) { /* Will not be able to copy data ! Set length to 0 * to trigger an error in packet decoding. * This is unlikely to happen */ SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "NFQ sent too big packet"); SET_PKT_LEN(p, 0); } else { PacketCopyData(p, (uint8_t *)pktdata, ret); } } else if (ret == -1) { /* unable to get pointer to data, ensure packet length is zero. * This will trigger an error in packet decoding */ SET_PKT_LEN(p, 0); } ret = nfq_get_timestamp(tb, &p->ts); if (ret != 0) { memset (&p->ts, 0, sizeof(struct timeval)); gettimeofday(&p->ts, NULL); } p->datalink = DLT_RAW; return 0; }
int payload_get_nfmark(struct payload *self) { return nfq_get_nfmark(self->nfad); }
/** * \brief Callback called by NetFilter when a packet with target QUEUE is matched. * * For TCP packet with flags different than SYN, just send it to NuAuth and * accept it. * * For other packet: First of all, fill a structure ::packet_idl (identifier, * timestamp, ...). Try to add the new packet to ::packets_list (fails if the * list is full). Ask an authentication to NuAuth using auth_request_send(), * If the packet can't be sended, remove it from the list. * * \return If an error occurs, returns 0, else returns 1. */ static int treat_packet(struct nfq_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { packet_idl *current; struct queued_pckt q_pckt; struct nfqnl_msg_packet_hdr *ph; struct timeval timestamp; int ret; #ifdef HAVE_NFQ_INDEV_NAME struct nlif_handle *nlif_handle = (struct nlif_handle *) data; #endif debug_log_printf(DEBUG_AREA_PACKET, DEBUG_LEVEL_VERBOSE_DEBUG, "(*) New packet"); q_pckt.payload_len = nfq_get_payload(nfa, &(q_pckt.payload)); if (q_pckt.payload_len == -1) { log_area_printf(DEBUG_AREA_PACKET, DEBUG_LEVEL_INFO, "Unable to get payload"); return 0; } q_pckt.mark = nfq_get_nfmark(nfa); #ifdef HAVE_NFQ_INDEV_NAME if (!get_interface_information(nlif_handle, &q_pckt, nfa)) { log_area_printf(DEBUG_AREA_PACKET, DEBUG_LEVEL_INFO, "Can not get interfaces information for message"); return 0; } #else snprintf(q_pckt.indev, sizeof(q_pckt.indev), "*"); snprintf(q_pckt.physindev, sizeof(q_pckt.physindev), "*"); snprintf(q_pckt.outdev, sizeof(q_pckt.outdev), "*"); snprintf(q_pckt.physoutdev, sizeof(q_pckt.physoutdev), "*"); #endif ret = nfq_get_timestamp(nfa, ×tamp); if (ret == 0) { q_pckt.timestamp = timestamp.tv_sec; } else { q_pckt.timestamp = time(NULL); } if (look_for_tcp_flags ((unsigned char *) q_pckt.payload, q_pckt.payload_len)) { ph = nfq_get_msg_packet_hdr(nfa); if (ph) { q_pckt.packet_id = ntohl(ph->packet_id); auth_request_send(AUTH_CONTROL, &q_pckt); IPQ_SET_VERDICT(q_pckt.packet_id, NF_ACCEPT); RETURN_NO_LOG 1; } else { log_area_printf(DEBUG_AREA_PACKET, DEBUG_LEVEL_VERBOSE_DEBUG, "Can not get the packet headers"); return 0; } } current = calloc(1, sizeof(packet_idl)); current->nfmark = q_pckt.mark; current->timestamp = q_pckt.timestamp ; current->id = 0; if (current == NULL) { log_area_printf(DEBUG_AREA_MAIN, DEBUG_LEVEL_MESSAGE, "Can not allocate packet_id"); return 0; } #ifdef PERF_DISPLAY_ENABLE gettimeofday(&(current->arrival_time), NULL); #endif /* Get unique identifier of packet in queue */ ph = nfq_get_msg_packet_hdr(nfa); if (ph) { current->id = ntohl(ph->packet_id); } else { free(current); log_area_printf(DEBUG_AREA_PACKET, DEBUG_LEVEL_INFO, "Can not get id for message"); return 0; } /* Try to add the packet to the list */ ret = padd(current); q_pckt.packet_id = current->id; if (ret == 0) { /* send an auth request packet */ if (!auth_request_send(AUTH_REQUEST, &q_pckt)) { int sandf = 0; /* send failure dropping packet */ IPQ_SET_VERDICT(q_pckt.packet_id, NF_DROP); /* we fail to send the packet so we free packet related to current */ /* search and destroy packet by packet_id */ sandf = psearch_and_destroy(q_pckt.packet_id, &(q_pckt.mark)); if (!sandf) { log_area_printf(DEBUG_AREA_MAIN, DEBUG_LEVEL_WARNING, "Packet could not be removed: %u", q_pckt.packet_id); } } } return 1; }
/* returns packet id */ static u_int32_t print_pkt (struct nfq_data *tb) { int id = 0; struct nfqnl_msg_packet_hdr *ph; u_int32_t mark,ifi; int ret; char *nf_packet; ph = nfq_get_msg_packet_hdr(tb); if (ph){ id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); } mark = nfq_get_nfmark(tb); if (mark) printf("mark=%u ", mark); ifi = nfq_get_indev(tb); if (ifi) printf("indev=%u ", ifi); ifi = nfq_get_outdev(tb); if (ifi) printf("outdev=%u ", ifi); ret = nfq_get_payload(tb, &nf_packet); if ((ret >= 0)){ printf("payload_len=%d bytes", ret); fputc('\n', stdout); } // parse the packet headers struct iphdr *iph = ((struct iphdr *) nf_packet); // Computing IP address translation from 32 bits words to 4*8bits decimal /* NOTE ON THE LENGTHS all lengths used in headers are specified in 32bits words thus, to print the size in bytes, we need to multiply this value by 4 */ // display IP HEADERS : ip.h line 45 // ntohs convert short unsigned int, ntohl do the same for long unsigned int fprintf(stdout, "IP{v=%u; ihl=%u; tos=%u; tot_len=%u; id=%u; ttl=%u; protocol=%u; " ,iph->version, iph->ihl*4, iph->tos, ntohs(iph->tot_len), ntohs(iph->id), iph->ttl, iph->protocol); char *saddr = inet_ntoa(*(struct in_addr *)&iph->saddr); fprintf(stdout,"saddr=%s; ",saddr); char *daddr = inet_ntoa(*(struct in_addr *)&iph->daddr); fprintf(stdout,"daddr=%s}\n",daddr); // if protocol is tcp if (iph->protocol == 6){ // extract tcp header from packet /* Calculate the size of the IP Header. iph->ihl contains the number of 32 bit words that represent the header size. Therfore to get the number of bytes multiple this number by 4 */ struct tcphdr *tcp = ((struct tcphdr *) (nf_packet + (iph->ihl << 2))); /* Calculate the size of the TCP Header. tcp->doff contains the number of 32 bit words that represent the header size. Therfore to get the number of bytes multiple this number by 4 */ //int tcphdr_size = (tcp->doff << 2); /* to print the TCP headers, we access the structure defined in tcp.h line 89 and convert values from hexadecimal to ascii */ fprintf(stdout, "TCP{sport=%u; dport=%u; seq=%u; ack_seq=%u; flags=u%ua%up%ur%us%uf%u; window=%u; urg=%u}\n", ntohs(tcp->source), ntohs(tcp->dest), ntohl(tcp->seq), ntohl(tcp->ack_seq) ,tcp->urg, tcp->ack, tcp->psh, tcp->rst, tcp->syn, tcp->fin, ntohs(tcp->window), tcp->urg_ptr); } // if protocol is udp if(iph->protocol == 17){ struct udphdr *udp = ((struct udphdr *) (nf_packet + (iph->ihl << 2))); fprintf(stdout,"UDP{sport=%u; dport=%u; len=%u}\n", ntohs(udp->source), ntohs(udp->dest), udp->len); } fprintf(stdout,"\n"); return id; }