/*
* callback function for handling packets
*/
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
struct nfqnl_msg_packet_hdr *ph;
int decision, id=0;
ph = nfq_get_msg_packet_hdr(nfa);
if (ph)
{
id = ntohl(ph->packet_id);
}
/* check if we should block this packet */
decision = pkt_decision(nfa);
if( decision == PKT_ACCEPT)
{
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
#if defined(DMP_CAPTIVEPORTAL_1)
else if (decision == PKT_REDIRECT) {
printf("GlbRedirectUrl %s\n", GlbRedirectUrl);
return AEI_send_redirect(qh, id, nfa, GlbRedirectUrl);
}
#endif
else
{
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
}
static int redirect_pkt(struct nfq_data* tb, int sockdes)
{
int id = 0;
int len;
unsigned char* data;
struct nfqnl_msg_packet_hdr *ph;
package_with_header curr_package;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
id = ntohl(ph->packet_id);
}
len = nfq_get_payload(tb, &data);
if (len < 0) {
perror("payload");
exit(1);
}
curr_package.packet_id = id;
printf("%i\n", id);
memcpy(curr_package.data, data, len);
if (send(sockdes, &curr_package, sizeof(package_with_header), 0) == -1) {
perror("send");
exit(1);
}
return id;
}
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
struct nfqnl_msg_packet_hdr *ph;
struct skb_buf skb;
//get unique ID of packet in queue
ph = nfq_get_msg_packet_hdr(nfa);
if(!ph)
{
return -1;
}
skb.packet_id= ntohl(ph->packet_id);
//get payload
skb.pload_len = nfq_get_payload(nfa, &(skb.pload));
if(skb.pload_len <=0)
{
nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload);
return -1;
}
skb.pload[skb.pload_len]='\0';
process_tcp(&skb ,tcp_stream_handle);
return 0;
}
int cb(struct nfq_q_handle *h, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
printf("Packet received \n");
int id = ntohl(nfq_get_msg_packet_hdr(nfa)->packet_id);
nfq_set_verdict(h, id, NF_QUEUE_NR(1), 0, NULL);
}
/* returns packet id */
static u_int32_t print_pkt (struct nfq_data *tb)
{
int id = 0;
struct nfqnl_msg_packet_hdr *ph;
u_int32_t mark,ifi;
int ret;
char *data;
ph = nfq_get_msg_packet_hdr(tb);
if (ph){
id = ntohl(ph->packet_id);
printf("hw_protocol=0x%04x hook=%u id=%u ",
ntohs(ph->hw_protocol), ph->hook, id);
}
mark = nfq_get_nfmark(tb);
if (mark)
printf("mark=%u ", mark);
ifi = nfq_get_indev(tb);
if (ifi)
printf("indev=%u ", ifi);
ifi = nfq_get_outdev(tb);
if (ifi)
printf("outdev=%u ", ifi);
ret = nfq_get_payload(tb, &data);
if (ret >= 0)
printf("payload_len=%d ", ret);
fputc('\n', stdout);
return id;
}
// function callback for packet processing
// ---------------------------------------
static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data) {
struct nfqnl_msg_packet_hdr *ph;
int id_protocol = 0, id = 0, len = 0;
unsigned char *full_packet; // get data of packet (payload)
unsigned char *new_packet = NULL;
ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
len = nfq_get_payload(nfa, &full_packet);
id = ntohl(ph->packet_id);
id_protocol = identify_ip_protocol(full_packet);
if (id_protocol == IPPROTO_UDP) { /* Only UDP packets */
printf("Packet from %s:%d", get_src_ip_str(full_packet), get_udp_src_port(full_packet));
printf(" to %s:%d\n", get_dst_ip_str(full_packet), get_tcp_dst_port(full_packet));
/* Process packet... */
new_packet = process_packet(full_packet, &len, ph->hook);
}
// let the packet continue on. NF_ACCEPT will pass the packet
// -----------------------------------------------------------
if (new_packet) {
nfq_set_verdict(qh, id, NF_ACCEPT, len, new_packet);
free(new_packet);
}
else
nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
} else {
printf("NFQUEUE: can't get msg packet header.\n");
return ERR; // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error
}
return OK;
}
static int process_nfq_packet(struct nfq_q_handle *qh,
struct nfgenmsg *nfmsg,
struct nfq_data *nfa,
void *data)
{
struct nfqnl_msg_packet_hdr *ph;
int pkt_len = 0;
int verdict;
unsigned char *full_packet;
fko_srv_options_t *opts = (fko_srv_options_t *)data;
ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
/* --DSS for ref
id = ntohl(ph->packet_id);
hook = ph->hook;
hw_proto = ph->protocol;
*/
/* Retrieve packet payload
*/
pkt_len = nfq_get_payload(nfa, &full_packet);
process_packet(opts, pkt_len, full_packet);
/* Verdict on what to do with the packet. If it is coming from
* the INPUT chain (NF_IP_LOCAL_IN), then it is assumed to be
* a spa packet and can be dropped. Otherwise, let it through.
*/
verdict = (ph->hook == NF_IP_LOCAL_IN) ? NF_DROP : NF_ACCEPT;
nfq_set_verdict(qh, ph->packet_id, verdict, 0, NULL);
}
return 0;
}
int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data)
{
int id;
int len;
int hlen;
char *pkt;
struct nfqnl_msg_packet_hdr *ph;
struct nfqnl_msg_packet_hw *hwph;
struct timeval tv;
tv.tv_sec = 0; // init
if ((ph = nfq_get_msg_packet_hdr(nfa)))
id = ntohl(ph->packet_id);
else
id = 0;
if ((hwph = nfq_get_packet_hw(nfa)))
hlen = ntohs(hwph->hw_addrlen);
else
hlen = 0;
/* hole payload ... falls es nicht klappt ... Paket durchreichen */
if ((len = nfq_get_payload (nfa, (char **) &pkt)) < 0)
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
nfq_get_timestamp(nfa,&tv);
return nfq_set_verdict(qh, id, myworker (data, pkt, len,&tv) ? NF_DROP :
NF_ACCEPT, 0, NULL);
}
static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfad, void *data)
{
struct packet_module_state *state = data;
struct nfqnl_msg_packet_hdr* packet_hdr;
#if NFQ_GET_PAYLOAD_UNSIGNED_CHAR
unsigned char *packet_data;
#else
char *packet_data;
#endif
int packet_len;
state->error = 0;
packet_hdr = nfq_get_msg_packet_hdr(nfad);
if (!packet_hdr) {
message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet header");
return 0;
}
packet_len = nfq_get_payload(nfad, &packet_data);
if (packet_len > PACKET_BUFFER_SIZE) {
message(HAKA_LOG_WARNING, MODULE_NAME, L"received packet is too large");
return 0;
}
else if (packet_len < 0) {
message(HAKA_LOG_ERROR, MODULE_NAME, L"unable to get packet payload");
return 0;
}
state->current_packet = malloc(sizeof(struct nfqueue_packet));
if (!state->current_packet) {
state->error = ENOMEM;
return 0;
}
memset(state->current_packet,0,sizeof(struct nfqueue_packet));
state->current_packet->data = malloc(packet_len);
if (!state->current_packet->data) {
free(state->current_packet);
state->error = ENOMEM;
return 0;
}
state->current_packet->timestamp = time_gettimestamp();
state->current_packet->length = packet_len;
state->current_packet->modified = 0;
state->current_packet->id = ntohl(packet_hdr->packet_id);
/* The copy is needed as the packet buffer will be overridden when the next
* packet will arrive.
*/
memcpy(state->current_packet->data, packet_data, packet_len);
return 0;
}
/* returns packet id */
static u_int32_t getid (struct nfq_data *tb){
int id = 0;
struct nfqnl_msg_packet_hdr *ph;
ph = nfq_get_msg_packet_hdr(tb);
if (ph)
id = ntohl(ph->packet_id);
return id;
}
static uint32_t nfqueue_packet_get_id(struct nfq_data *packet) {
uint32_t id = -1;
struct nfqnl_msg_packet_hdr *packetHeader;
if ((packetHeader = nfq_get_msg_packet_hdr(packet)) != NULL)
id = ntohl(packetHeader->packet_id);
return id;
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data) {
u_int32_t id = 0;
int d;
struct nfqnl_msg_packet_hdr *ph;
ph = nfq_get_msg_packet_hdr(nfa);
if(ph) id = ntohl(ph->packet_id);
// verify some basic patterns and drop packet if it's
// somehow unexpected
if(verify_pkt(nfa) != 0)
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
uint8_t ip_addr[4];
device_t dev;
uint16_t port;
if(get_info(nfa, &dev, ip_addr, &port) != 0)
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
// check if this device already has an entry in the denied/allowed lists
for(d=0;d<allowed_len;d++) {
if(memcmp(allowed[d].hw_addr, dev.hw_addr, 6) == 0)
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
for(d=0;d<denied_len;d++)
if(memcmp(denied[d].hw_addr, dev.hw_addr, 6) == 0)
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
// if we have a pending request then just drop everything
// elso until the current request has been answered
if(pending)
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
pending = malloc(sizeof(device_t));
*pending = dev;
printf("REQ ");
// print the info
int i;
for (i = 0; i < 5; i++)
printf("%02x:", pending->hw_addr[i]);
printf("%02x ", pending->hw_addr[5]);
for (i = 0; i < 3; i++)
printf("%u.", ip_addr[i]);
printf("%u ", ip_addr[3]);
printf("%u\n", port);
printf("-> A(ccept), D(eny), I(gnore), Q(uit): ");
fflush(stdout);
// return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
static u_int32_t fwnfq_process_pkt (struct nfq_data *tb, FWAction *action)
{
struct nfqnl_msg_packet_hdr *ph;
gint id = 0;
u_int32_t mark, ifi, ifo, ifaceidx;
gint ret, iphdrlen;
gchar *data;
FWDirection dir;
struct ip *hdr;
ph = nfq_get_msg_packet_hdr(tb);
if ( ph ) {
id = ntohl(ph->packet_id);
printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id);
}
mark = nfq_get_nfmark(tb);
if ( mark )
printf("mark=%u ", mark);
ifi = nfq_get_indev(tb);
if ( ifi ) {
printf("indev=%u ", ifi-1);
dir = DIR_INCOMING;
ifaceidx = ifi - 1;
}
ifo = nfq_get_outdev(tb);
if ( ifo ) {
printf("outdev=%u ", ifo-1);
dir = DIR_OUTGOING;
ifaceidx = ifo - 1;
}
ret = nfq_get_payload(tb, &data);
if ( ret >= 0 )
printf("payload_len=%d ", ret);
printf("\n\n");
/* Refresh every 50 packet */
// if ( (id % 50) == 0 ) {
// fwproc_netentries_process(PROTO_TCP);
// fwproc_netentries_process(PROTO_UDP);
// fwproc_scan_procdir();
// }
hdr = (struct ip *) data;
iphdrlen = hdr->ip_hl * 4; // IP header len = ip_hl * 4 (32 bits)
printf("*** PACKET PROTOCOL: %s ***\n", TxtProto[hdr->ip_p]);
*action = fwnfq_process_rules(ifaceidx, dir, data, id);
return id;
}
static int log_packet(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* dat, void* data)
{
struct nfqnl_msg_packet_hdr* nfq_hdr = nfq_get_msg_packet_hdr(dat);
unsigned char* payload;
int len = nfq_get_payload(dat,&payload);
printf("---\n");
printf("got a packet - len %d\n",len);
nfq_set_verdict(qh, ntohl(nfq_hdr->packet_id), NF_ACCEPT, 0, NULL);
return 0;
}
static uint32_t nfqueue_packet_get_hook(struct nfq_data *packet) {
uint32_t hook = -1;
struct nfqnl_msg_packet_hdr *packetHeader;
if ((packetHeader = nfq_get_msg_packet_hdr(packet)) != NULL)
hook = packetHeader->hook;
return hook;
}
static int cb(
struct nfq_q_handle *qh,
struct nfgenmsg *nfmsg,
struct nfq_data *nfqdata,
void *data
)
{
/* TODO - should have an option "delay", to explicitly avoid
offering a verdict right away */
static const char* verdict_opt[] = {
"accept", "drop", NULL
};
static int verdict_val[] = {
NF_ACCEPT, NF_DROP,
};
lua_State* L = data;
struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata);
/* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */
u_int32_t id = 0;
if (ph) {
/* TODO - why is this conditional in sample source? */
id = ntohl(ph->packet_id);
}
/* We expect stack to look like:
* [1] qhandle
* [2] cbfn
*/
check_handle(L);
luaL_checktype(L, 2, LUA_TFUNCTION);
lua_pushvalue(L, 2); /* Push copy of fn */
lua_pushlightuserdata(L, nfqdata);
lua_call(L, 1, 2);
/* Return will be:
* [3] "accept", "drop", ..., default is accept
* [4] string, the replacement packet, default is 0,NULL
*/
{
int verdict = luaL_checkoption(L, 3, "accept", verdict_opt);
size_t replacesz = 0;
const char* replace = lua_tolstring(L, 4, &replacesz);
/*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/
/* Reset stack, chopping any return values. */
lua_settop(L, 2);
return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace);
}
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
// u_int32_t id = print_pkt(nfa);
u_int32_t id;
struct nfqnl_msg_packet_hdr *ph;
ph = nfq_get_msg_packet_hdr(nfa);
id = ntohl(ph->packet_id);
printf("entering callback\n");
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
static u_int32_t print_pkt (struct nfq_data *tb)
{
int id = 0;
struct nfqnl_msg_packet_hdr *ph;
struct nfqnl_msg_packet_hw *hwph;
u_int32_t mark,ifi;
int ret;
char *data;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
id = ntohl(ph->packet_id);
printf("hw_protocol=0x%04x hook=%u id=%u ",
ntohs(ph->hw_protocol), ph->hook, id);
}
hwph = nfq_get_packet_hw(tb);
if (hwph) {
int i, hlen = ntohs(hwph->hw_addrlen);
printf("hw_src_addr=");
for (i = 0; i < hlen-1; i++)
printf("%02x:", hwph->hw_addr[i]);
printf("%02x ", hwph->hw_addr[hlen-1]);
}
mark = nfq_get_nfmark(tb);
if (mark)
printf("mark=%u ", mark);
ifi = nfq_get_indev(tb);
if (ifi)
printf("indev=%u ", ifi);
ifi = nfq_get_outdev(tb);
if (ifi)
printf("outdev=%u ", ifi);
ifi = nfq_get_physindev(tb);
if (ifi)
printf("physindev=%u ", ifi);
ifi = nfq_get_physoutdev(tb);
if (ifi)
printf("physoutdev=%u ", ifi);
ret = nfq_get_payload(tb, &data);
if (ret >= 0) {
printf("payload_len=%d ", ret);
//processPacketData (data, ret);
}
fputc('\n', stdout);
return id;
}
static int tc_nfq_process_packet(struct nfq_q_handle *qh,
struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
int i, id = 0, payload_len = 0, ret,
pass_through_flag = 0;
unsigned char *payload;
tc_ip_header_t *ip_hdr;
struct nfqnl_msg_packet_hdr *ph;
ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
id = ntohl(ph->packet_id);
}
payload_len = nfq_get_payload(nfa, &payload);
if (payload_len < 40) {
tc_log_info(LOG_WARN, 0, "payload len wrong:%d", payload_len);
return TC_ERROR;
}
ip_hdr = (tc_ip_header_t *)payload;
if (ip_hdr != NULL) {
/* check if it is the valid user to pass through firewall */
for (i = 0; i < srv_settings.passed_ips.num; i++) {
if (srv_settings.passed_ips.ips[i] == ip_hdr->daddr) {
pass_through_flag = 1;
break;
}
}
tot_resp_packs++;
if (pass_through_flag) {
/* pass through the firewall */
ret = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
} else {
tot_copy_resp_packs++;
router_update(srv_settings.router_fd, ip_hdr);
tc_check_cleaning();
/* drop the packet */
ret = nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
} else {
ret = TC_ERROR;
}
return ret;
}
/*
:::: Funcion callback :::
================
Es invocada cada vez que hay un paquete en la cola
*/
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
u_int32_t id;
struct nfqnl_msg_packet_hdr *ph;
struct nfqnl_msg_packet_hw *hwph;
unsigned char *nf_packet;
char saddr[2048];
int ret;
char *valor_memcache;
size_t len_memcache;
char *key_memcache="autorizada";
uint32_t flags;
// Obtenemos las headers:
ph = nfq_get_msg_packet_hdr(nfa);
// Y el ID de paquete, que hace falta para el veredicto final:
id = ntohl(ph->packet_id);
// Obtenemos la IP origen del paquete:
// - Primero hay que obtener el paquete en si:
ret = nfq_get_payload(nfa, &nf_packet);
if ((ret <= 0))
{
printf("Error, no hay paquete que recibir - wtf \n");
return;
}
struct iphdr *iph = ((struct iphdr *) nf_packet);
inet_ntop(AF_INET, &(iph->saddr), saddr, sizeof(saddr));
// fprintf(stdout,"Recibido con origen%s\n",saddr);
valor_memcache = memcached_get(memc, key_memcache, strlen(key_memcache), &len_memcache, &flags, &rc);
if (rc == MEMCACHED_SUCCESS)
{
if (strcmp(saddr,valor_memcache) == 0)
{
free(valor_memcache);
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
else
{
free(valor_memcache);
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
}
else
{
printf("Key %s no se ha podido encontrar en memcached\n",key_memcache);
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data) {
struct nfqnl_msg_packet_hdr *ph;
u_int32_t id;
ph = nfq_get_msg_packet_hdr(nfa);
assert (ph);
id = ntohl(ph->packet_id);
uint8_t *pkt;
int len = nfq_get_payload(nfa, &pkt);
printf("id %d: got %d bytes payload\n", id, len);
u_int32_t verdict = NF_REPEAT; /* by default, just mark so we can REJECT */
if (len >= (signed)sizeof(struct iphdr)) {
struct iphdr *iph = (struct iphdr *)pkt;
if (iph->version == 4) {
struct in_addr haddr = {.s_addr = iph->saddr};
printf("host: %s\n", inet_ntoa(haddr));
for (const char **host = hosts; *host; ++host) {
printf("trying %s\n", *host);
struct hostent *he = gethostbyname(*host);
if (he) {
for (char **alp = he->h_addr_list; *alp; ++alp) {
if (((struct in_addr *)*alp)->s_addr == haddr.s_addr) {
printf("ok\n");
verdict = NF_ACCEPT;
break;
}
}
}
if (verdict == NF_ACCEPT) break;
}
}
}
int rv;
rv = nfq_set_verdict2(qh, id, verdict, 1, 0, NULL);
fprintf(stderr, "set_verdict2: %d\n", rv);
assert (rv >= 0);
return 0;
}
static void usage() {
fprintf(stderr, "Usage: namematch [-h dest_hostname ...]\n");
}
static int daq_nfq_callback(
struct nfq_q_handle* qh,
struct nfgenmsg* nfmsg,
struct nfq_data* nfad,
void* data)
{
NfqImpl *impl = (NfqImpl*)data;
struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfad);
DAQ_Verdict verdict;
DAQ_PktHdr_t hdr;
uint8_t* pkt;
int nf_verdict;
uint32_t data_len;
if ( impl->state != DAQ_STATE_STARTED )
return -1;
if ( !ph || SetPktHdr(impl, nfad, &hdr, &pkt) )
{
DPE(impl->error, "%s: can't setup packet header",
__FUNCTION__);
return -1;
}
if (
impl->fcode.bf_insns &&
sfbpf_filter(impl->fcode.bf_insns, pkt, hdr.caplen, hdr.caplen) == 0
) {
verdict = DAQ_VERDICT_PASS;
impl->stats.packets_filtered++;
}
else
{
verdict = impl->user_func(impl->user_data, &hdr, pkt);
if ( verdict >= MAX_DAQ_VERDICT )
verdict = DAQ_VERDICT_BLOCK;
impl->stats.verdicts[verdict]++;
impl->stats.packets_received++;
}
nf_verdict = ( impl->passive || s_fwd[verdict] ) ? NF_ACCEPT : NF_DROP;
data_len = ( verdict == DAQ_VERDICT_REPLACE ) ? hdr.caplen : 0;
nfq_set_verdict(
impl->nf_queue, ntohl(ph->packet_id),
nf_verdict, data_len, pkt);
return 0;
}
static int verify_pkt (struct nfq_data *tb) {
struct nfqnl_msg_packet_hdr *ph;
struct nfqnl_msg_packet_hw *hwph;
struct iphdr *iph;
struct tcphdr *tcph;
ph = nfq_get_msg_packet_hdr(tb);
if(!ph) return -1;
// check for IP
if(ntohs(ph->hw_protocol) != 0x800)
return -1;
hwph = nfq_get_packet_hw(tb);
if(!hwph) return -1;
// only accept 6 byte hw addresses
// this may fail with USB net. But we don't want to restricht that
// anyway
if(ntohs(hwph->hw_addrlen) != 6)
return -1;
// the rest are payload checks
// error or less than ip+tcp headers
if(nfq_get_payload(tb, (unsigned char **)&iph) < 40)
return -1;
// check for valid ipv4 header
if((iph->version != 4) || (iph->ihl != 5))
return -1;
// don't allow fragmentation
if((ntohs(iph->frag_off) & 0x1fff) != 0)
return -1;
// only deal with tcp
if(iph->protocol != 6)
return -1;
// and take a peak into the tcp header
tcph = (struct tcphdr*)(((char*)iph)+20);
// ignore anything that doesn't have a syn flag
if(!tcph->syn)
return -1;
return 0;
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
struct nfqnl_msg_packet_hdr *ph;
//m_stack_t *st = (m_stack_t *)data;
unsigned char *packet;
u_int32_t id, ret;
ph = nfq_get_msg_packet_hdr(nfa);
id = ntohl(ph->packet_id);
if ((ret = nfq_get_payload(nfa, &packet)) >= 0){
syslog(LOG_NOTICE, "packet catched id: %d, payload_len=%d\n\r", id, ret);
}
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
static int cb(
struct nfq_q_handle *q,
struct nfgenmsg *nfmsg,
struct nfq_data *nfa,
void *arg
) {
int id = 0;
struct nfqnl_msg_packet_hdr *ph;
size_t packet_length;
unsigned char *packet_data;
struct pkt_buff *packet;
struct iphdr *ip_header;
struct tcphdr *tcp_header;
ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
id = ntohl(ph->packet_id);
}
packet_length = nfq_get_payload(nfa, &packet_data);
packet = pktb_alloc(AF_INET, packet_data, packet_length, 4096);
ip_header = nfq_ip_get_hdr(packet);
nfq_ip_set_transport_header(packet, ip_header);
tcp_header = nfq_tcp_get_hdr(packet);
if (ip_header) {
struct in_addr *target;
if (src_or_dst == src) {
target = (struct in_addr *) &ip_header->saddr;
} else if (src_or_dst == dst) {
target = (struct in_addr *) &ip_header->daddr;
}
inet_aton(target_ip_address, target);
nfq_ip_set_checksum(ip_header);
nfq_tcp_compute_checksum_ipv4(tcp_header, ip_header);
memcpy(packet_data, pktb_data(packet), packet_length);
}
pktb_free(packet);
return nfq_set_verdict(q, id, NF_ACCEPT, packet_length, packet_data);
}
static int cb(
struct nfq_q_handle *qh,
struct nfgenmsg *nfmsg,
struct nfq_data *nfqdata,
void *data
)
{
static const char* verdict_opt[] = {
"accept", "drop", NULL
};
static int verdict_val[] = {
NF_ACCEPT, NF_DROP,
};
lua_State* L = data;
struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata);
/* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */
u_int32_t id = 0;
if (ph) {
/* TODO - why is this conditional in sample source? */
id = ntohl(ph->packet_id);
}
/* Return will be:
* [2] "accept", "drop", ..., default is accept
* [3] string, the replacement packet, default is 0,NULL
*/
lua_settop(L, 1); /* Leave only the cb fn on the stack */
lua_pushvalue(L, 1); /* Push copy of fn */
lua_pushlightuserdata(L, nfqdata);
lua_call(L, 1, 2);
{
int verdict = luaL_checkoption(L, 2, "accept", verdict_opt);
size_t replacesz = 0;
const char* replace = lua_tolstring(L, 3, &replacesz);
/*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/
return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace);
}
}
int NetherNetlink::callback(struct nfq_q_handle *, struct nfgenmsg *, struct nfq_data *nfa, void *data)
{
NetherNetlink *me = static_cast<NetherNetlink *>(data);
NetherPacket packet;
unsigned char *secctx;
int secctxSize = 0;
struct nfqnl_msg_packet_hdr *ph;
unsigned char *payload;
if((ph = nfq_get_msg_packet_hdr(nfa)))
{
packet.id = ntohl(ph->packet_id);
}
else
{
LOGI("Failed to get packet id");
return (1);
}
/* get interface information if requested */
me->getInterfaceInfo(nfa, packet);
if(nfq_get_uid(nfa, &packet.uid) == 0)
LOGW("Failed to get uid for packet id=" << packet.id);
nfq_get_gid(nfa, &packet.gid);
secctxSize = nfq_get_secctx(nfa, &secctx);
if(secctxSize > 0)
packet.securityContext = std::string((char *)secctx, secctxSize);
else
LOGD("Failed to get security context for packet id=" << packet.id);
if(me->netherConfig.copyPackets && nfq_get_payload(nfa, &payload) > 0)
decodePacket(packet, payload);
me->processNetherPacket(packet); /* this call if from the NetherPacketProcessor class */
return (0);
}
/* returns packet id */
static u_int32_t display_pkt (struct nfq_data *tb)
{
int id = 0;
struct nfqnl_msg_packet_hdr *ph;
int ret;
unsigned char *data;
ph = nfq_get_msg_packet_hdr(tb);
if (ph) {
id = ntohl(ph->packet_id);
#ifdef DEBUG
printf("hw_protocol=0x%04x hook=%u id=%u \n",
ntohs(ph->hw_protocol), ph->hook, id);
#endif
}
ret = nfq_get_payload(tb, &data);
// if (ret >= 0) print_ip_pkt(data, ret);
return id;
}
/* Definition of callback function */
int disruptor_nfq_call_back(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data)
{
//struct disrupt_stream_s *stream = (struct disrupt_stream_s *) data;
//struct scenario_s * scenario = &stream->scenario;
int16_t verdict = true;
int32_t pkt_id;
struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
pkt_id = ntohl(ph->packet_id);
}
// NF_DROP 0
// NF_ACCEPT 1
// NF_STOLEN 2
// NF_QUEUE 3
// NF_REPEAT 4
// NF_STOP 5
verdict = disrupt_ip_packet_analysis(nfa, pkt_id);
if(verdict){
nfq_set_verdict(qh, pkt_id, verdict, 0, NULL); /* if scenario is not keeping the packet we release it immediatly */
}
return 1;
}
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data)
{
u_int32_t id = -1;
struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfa);
if (ph) {
id = ntohl(ph->packet_id);
printf("hw_protocol=0x%04x hook=%u id=%u ",
ntohs(ph->hw_protocol), ph->hook, id);
char* packet_data = (char*) calloc(1, 10000);
char* packet_data_2 = (char*) calloc(1, 10000);
int count = nfq_get_payload(nfa, (unsigned char**)&packet_data);
printf("count: [%d], ", count);
int protocol = (int) packet_data[9];
printf("protocol: [%d]", protocol);
//Get the source and destination IPs
char srcIP[33];
inet_ntop(AF_INET, packet_data+12, srcIP, INET_ADDRSTRLEN);
srcIP[32] = '\0';
char destIP[33];
inet_ntop(AF_INET, packet_data+16, destIP, INET_ADDRSTRLEN);
destIP[32] = '\0';
struct in_addr* destAddr = getInAddr(destIP);
struct in_addr* sourceAddr = getInAddr(srcIP);
//If we're blocking the flow, drop the packet.
if(checkForFilteredFlows(sourceAddr, destAddr) == TRUE){
return nfq_set_verdict(qh, id, NF_DROP, 0, NULL);
}
//Means the route record shim is not already there, so add it.
if(protocol != ROUTE_RECORD_PROTOCOL){
RouteRecord* rr = createRouteRecord(gatewayAddr, randomValue);
char* rr_buf = writeRouteRecordAsNetworkBuffer(rr);
memcpy(packet_data_2, packet_data + 20, count - 20);
memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE);
memcpy(packet_data + 20 + MAX_RR_HEADER_SIZE, packet_data_2, count - 20);
packet_data[9] = (char) ROUTE_RECORD_PROTOCOL;
printf("Modifying Packet\n\n");
}
else{
// CHange the route record to add new gateway information
RouteRecord* rr = readRouteRecord(packet_data + 20);
addGatewayInfo(rr, gatewayAddr, -1l);
char* rr_buf = writeRouteRecordAsNetworkBuffer(rr);
memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE);
}
return nfq_set_verdict(qh, id, NF_ACCEPT, count + MAX_RR_HEADER_SIZE, (unsigned char*) packet_data);
}
printf("entering callback\n\n");
return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
}
