static int packet_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { QHandler *handler = (QHandler *) data; u_int32_t id = get_pkt_id(nfa); char *payload; int payload_len; payload_len = nfq_get_payload(nfa, &payload); // Determine addresses IpAddress srcaddr((struct in_addr *) (payload + 12)); IpAddress dstaddr((struct in_addr *) (payload + 16)); // std::cout << "Got packet ID " << id << // " from " << srcaddr << " to " << dstaddr << std::endl; // Work out what proto it is... int proto = (int) (unsigned char) payload[9]; FnvHash hash; hash.addData(payload + 12, 8); // src + dst addr if (proto == IPPROTO_TCP) { // unsigned short sport = ntohs( *(unsigned short *) (payload+20)); // unsigned short dport = ntohs( *(unsigned short *) (payload+22)); // std::cout << "TCP sport " << sport << " dport " << dport // << std::endl; hash.addData(payload + 20, 4); // src + dst ports } int hashvalue = hash.get16rev(); // std::cout << "Hash value=" << hashvalue << std::endl; u_int32_t verdict = NF_DROP; if ((hashvalue >= handler->lowerHashLimit) && (hashvalue < handler->upperHashLimit)) verdict = NF_ACCEPT; std::cout << "Connection from " << srcaddr << " Hash value=" << hashvalue << " Accept: " << (verdict == NF_ACCEPT ? "yes" : "no") << std::endl; return nfq_set_verdict(handler->GetQh(), id, verdict, 0, NULL); }
/* * callback function for handling packets */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int decision, id=0; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } /* check if we should block this packet */ decision = pkt_decision(nfa); if( decision == PKT_ACCEPT) { return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } #if defined(DMP_CAPTIVEPORTAL_1) else if (decision == PKT_REDIRECT) { printf("GlbRedirectUrl %s\n", GlbRedirectUrl); return AEI_send_redirect(qh, id, nfa, GlbRedirectUrl); } #endif else { return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
// function callback for packet processing // --------------------------------------- static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int id_protocol = 0, id = 0, len = 0; unsigned char *full_packet; // get data of packet (payload) unsigned char *new_packet = NULL; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { len = nfq_get_payload(nfa, &full_packet); id = ntohl(ph->packet_id); id_protocol = identify_ip_protocol(full_packet); if (id_protocol == IPPROTO_UDP) { /* Only UDP packets */ printf("Packet from %s:%d", get_src_ip_str(full_packet), get_udp_src_port(full_packet)); printf(" to %s:%d\n", get_dst_ip_str(full_packet), get_tcp_dst_port(full_packet)); /* Process packet... */ new_packet = process_packet(full_packet, &len, ph->hook); } // let the packet continue on. NF_ACCEPT will pass the packet // ----------------------------------------------------------- if (new_packet) { nfq_set_verdict(qh, id, NF_ACCEPT, len, new_packet); free(new_packet); } else nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { printf("NFQUEUE: can't get msg packet header.\n"); return ERR; // from nfqueue source: 0 = ok, >0 = soft error, <0 hard error } return OK; }
/* ---------------------------------------------------------------------------- */ static gint fwnfq_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { FWAction action; u_int32_t id = fwnfq_process_pkt(nfa, &action); printf("Entering callback [%d]\n", id); printf("Packet action: [%d]\n", action); if (action == ACTION_ACCEPT) { printf("ACTION: * ACCEPT * \n\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else if (action == ACTION_DROP) { printf("ACTION: * DROP * \n\n"); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } else if (action == ACTION_REJECT) { printf("ACTION: * REJECT (now DROP) * \n\n"); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } else { printf("ACTION: * DEFAULT: ASK (packet QUEUED) * \n\n"); return 0; // return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int id; int len; int hlen; char *pkt; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; struct timeval tv; tv.tv_sec = 0; // init if ((ph = nfq_get_msg_packet_hdr(nfa))) id = ntohl(ph->packet_id); else id = 0; if ((hwph = nfq_get_packet_hw(nfa))) hlen = ntohs(hwph->hw_addrlen); else hlen = 0; /* hole payload ... falls es nicht klappt ... Paket durchreichen */ if ((len = nfq_get_payload (nfa, (char **) &pkt)) < 0) return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); nfq_get_timestamp(nfa,&tv); return nfq_set_verdict(qh, id, myworker (data, pkt, len,&tv) ? NF_DROP : NF_ACCEPT, 0, NULL); }
static int tc_nfq_process_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { int i, id = 0, payload_len = 0, ret, pass_through_flag = 0; unsigned char *payload; tc_ip_header_t *ip_hdr; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } payload_len = nfq_get_payload(nfa, &payload); if (payload_len < 40) { tc_log_info(LOG_WARN, 0, "payload len wrong:%d", payload_len); return TC_ERROR; } ip_hdr = (tc_ip_header_t *)payload; if (ip_hdr != NULL) { /* check if it is the valid user to pass through firewall */ for (i = 0; i < srv_settings.passed_ips.num; i++) { if (srv_settings.passed_ips.ips[i] == ip_hdr->daddr) { pass_through_flag = 1; break; } } tot_resp_packs++; if (pass_through_flag) { /* pass through the firewall */ ret = nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { tot_copy_resp_packs++; router_update(srv_settings.router_fd, ip_hdr); tc_check_cleaning(); /* drop the packet */ ret = nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { ret = TC_ERROR; } return ret; }
static void packet_verdict(struct packet *orig_pkt, filter_result result) { int ret; struct nfqueue_packet *pkt = (struct nfqueue_packet*)orig_pkt; if (pkt->data) { if (pkt->id == -1) { if (result == FILTER_ACCEPT) { ret = socket_send_packet(pkt->state->send_mark_fd, pkt->data, pkt->length); } else { ret = 0; } } else { /* Convert verdict to netfilter */ int verdict; switch (result) { case FILTER_ACCEPT: verdict = NF_ACCEPT; break; case FILTER_DROP: verdict = NF_DROP; break; default: message(HAKA_LOG_DEBUG, MODULE_NAME, L"unknown verdict"); verdict = NF_DROP; break; } if (pkt->modified) ret = nfq_set_verdict(pkt->state->queue, pkt->id, verdict, pkt->length, pkt->data); else ret = nfq_set_verdict(pkt->state->queue, pkt->id, verdict, 0, NULL); } if (pcap) { switch (result) { case FILTER_ACCEPT: dump_pcap(&pcap->out, pkt); break; case FILTER_DROP: default: dump_pcap(&pcap->drop, pkt); break; } } if (ret == -1) { message(HAKA_LOG_ERROR, MODULE_NAME, L"packet verdict failed"); } free(pkt->data); pkt->data = NULL; } }
/* :::: Funcion callback ::: ================ Es invocada cada vez que hay un paquete en la cola */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id; struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; unsigned char *nf_packet; char saddr[2048]; int ret; char *valor_memcache; size_t len_memcache; char *key_memcache="autorizada"; uint32_t flags; // Obtenemos las headers: ph = nfq_get_msg_packet_hdr(nfa); // Y el ID de paquete, que hace falta para el veredicto final: id = ntohl(ph->packet_id); // Obtenemos la IP origen del paquete: // - Primero hay que obtener el paquete en si: ret = nfq_get_payload(nfa, &nf_packet); if ((ret <= 0)) { printf("Error, no hay paquete que recibir - wtf \n"); return; } struct iphdr *iph = ((struct iphdr *) nf_packet); inet_ntop(AF_INET, &(iph->saddr), saddr, sizeof(saddr)); // fprintf(stdout,"Recibido con origen%s\n",saddr); valor_memcache = memcached_get(memc, key_memcache, strlen(key_memcache), &len_memcache, &flags, &rc); if (rc == MEMCACHED_SUCCESS) { if (strcmp(saddr,valor_memcache) == 0) { free(valor_memcache); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { free(valor_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } else { printf("Key %s no se ha podido encontrar en memcached\n",key_memcache); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { unsigned char *payload; int pay_len, match, rlen; u_int32_t id = display_pkt(nfa); pay_len = nfq_get_payload(nfa, &payload); #ifdef DEBUG printf("Content inspection...pay_len=%d\n", pay_len); #endif match = inspect_tcp(payload, pay_len); // return 1 if matched, 0 otherwise if (match && p_queue.count < QSIZE) { // if queue is full, let them pass //print_ip_pkt(payload, pay_len); // now lock the queue pthread_mutex_lock (&lock_queue); enqueue(&p_queue, payload, pay_len, id); #ifdef DEBUG printf("Matched packet. Queue size: %d\n", p_queue.count); #endif pthread_mutex_unlock (&lock_queue); sem_post(&sem_queue); // wake up sending threads return 0; } else { #ifdef DEBUG printf("No match found\n"); // should be ok for not locking the queue #endif pthread_mutex_lock (&lock_qh); rlen = nfq_set_verdict(qh, id, NF_ACCEPT, pay_len, payload); pthread_mutex_unlock (&lock_qh); return rlen; } }
static int queue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; struct skb_buf skb; //get unique ID of packet in queue ph = nfq_get_msg_packet_hdr(nfa); if(!ph) { return -1; } skb.packet_id= ntohl(ph->packet_id); //get payload skb.pload_len = nfq_get_payload(nfa, &(skb.pload)); if(skb.pload_len <=0) { nfq_set_verdict(qh, skb.packet_id, NF_ACCEPT, skb.pload_len, skb.pload); return -1; } skb.pload[skb.pload_len]='\0'; process_tcp(&skb ,tcp_stream_handle); return 0; }
static int process_nfq_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int pkt_len = 0; int verdict; unsigned char *full_packet; fko_srv_options_t *opts = (fko_srv_options_t *)data; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { /* --DSS for ref id = ntohl(ph->packet_id); hook = ph->hook; hw_proto = ph->protocol; */ /* Retrieve packet payload */ pkt_len = nfq_get_payload(nfa, &full_packet); process_packet(opts, pkt_len, full_packet); /* Verdict on what to do with the packet. If it is coming from * the INPUT chain (NF_IP_LOCAL_IN), then it is assumed to be * a spa packet and can be dropped. Otherwise, let it through. */ verdict = (ph->hook == NF_IP_LOCAL_IN) ? NF_DROP : NF_ACCEPT; nfq_set_verdict(qh, ph->packet_id, verdict, 0, NULL); } return 0; }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = print_pkt(nfa); printf("entering callback\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
int cb(struct nfq_q_handle *h, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { printf("Packet received \n"); int id = ntohl(nfq_get_msg_packet_hdr(nfa)->packet_id); nfq_set_verdict(h, id, NF_QUEUE_NR(1), 0, NULL); }
static int cbUp(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *payload) { char *send_data; int i = 0, newSize = 0; u_int32_t id = build_advertisement(nfa, &newSize); i = nfq_get_payload(nfa, &send_data); return nfq_set_verdict(qh, id, NF_ACCEPT, newSize, (unsigned char *)send_data); }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = print_pkt(nfa); if(use_pcap == 1) record_pkt(nfa); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int log_packet(struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* dat, void* data) { struct nfqnl_msg_packet_hdr* nfq_hdr = nfq_get_msg_packet_hdr(dat); unsigned char* payload; int len = nfq_get_payload(dat,&payload); printf("---\n"); printf("got a packet - len %d\n",len); nfq_set_verdict(qh, ntohl(nfq_hdr->packet_id), NF_ACCEPT, 0, NULL); return 0; }
static int cb( struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfqdata, void *data ) { /* TODO - should have an option "delay", to explicitly avoid offering a verdict right away */ static const char* verdict_opt[] = { "accept", "drop", NULL }; static int verdict_val[] = { NF_ACCEPT, NF_DROP, }; lua_State* L = data; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata); /* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */ u_int32_t id = 0; if (ph) { /* TODO - why is this conditional in sample source? */ id = ntohl(ph->packet_id); } /* We expect stack to look like: * [1] qhandle * [2] cbfn */ check_handle(L); luaL_checktype(L, 2, LUA_TFUNCTION); lua_pushvalue(L, 2); /* Push copy of fn */ lua_pushlightuserdata(L, nfqdata); lua_call(L, 1, 2); /* Return will be: * [3] "accept", "drop", ..., default is accept * [4] string, the replacement packet, default is 0,NULL */ { int verdict = luaL_checkoption(L, 3, "accept", verdict_opt); size_t replacesz = 0; const char* replace = lua_tolstring(L, 4, &replacesz); /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/ /* Reset stack, chopping any return values. */ lua_settop(L, 2); return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace); } }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { // u_int32_t id = print_pkt(nfa); u_int32_t id; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); id = ntohl(ph->packet_id); printf("entering callback\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int daq_nfq_callback( struct nfq_q_handle* qh, struct nfgenmsg* nfmsg, struct nfq_data* nfad, void* data) { NfqImpl *impl = (NfqImpl*)data; struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfad); DAQ_Verdict verdict; DAQ_PktHdr_t hdr; uint8_t* pkt; int nf_verdict; uint32_t data_len; if ( impl->state != DAQ_STATE_STARTED ) return -1; if ( !ph || SetPktHdr(impl, nfad, &hdr, &pkt) ) { DPE(impl->error, "%s: can't setup packet header", __FUNCTION__); return -1; } if ( impl->fcode.bf_insns && sfbpf_filter(impl->fcode.bf_insns, pkt, hdr.caplen, hdr.caplen) == 0 ) { verdict = DAQ_VERDICT_PASS; impl->stats.packets_filtered++; } else { verdict = impl->user_func(impl->user_data, &hdr, pkt); if ( verdict >= MAX_DAQ_VERDICT ) verdict = DAQ_VERDICT_BLOCK; impl->stats.verdicts[verdict]++; impl->stats.packets_received++; } nf_verdict = ( impl->passive || s_fwd[verdict] ) ? NF_ACCEPT : NF_DROP; data_len = ( verdict == DAQ_VERDICT_REPLACE ) ? hdr.caplen : 0; nfq_set_verdict( impl->nf_queue, ntohl(ph->packet_id), nf_verdict, data_len, pkt); return 0; }
/* * callback function for handling packets */ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; int decision, id=0; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } /* check if we should block this packet */ decision = pkt_decision(nfa); if( decision == PKT_ACCEPT) { return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } else { return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } }
int manage_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data2) { struct nfqnl_msg_packet_hdr *packetHeader; uint32_t id; packetHeader = nfq_get_msg_packet_hdr(packet); if(packetHeader != NULL ) { id = packetHeader->packet_id; /* We should only be inspecting packets on the INPUT hook; * any others, return NF_ACCEPT immediately. */ if(packetHeader->hook != NF_IP_LOCAL_IN) { return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } log4c_category_log(log4c_cat, LOG4C_PRIORITY_NOTICE, "manage_packet: Received packet."); } else { log4c_category_log(log4c_cat, LOG4C_PRIORITY_DEBUG, "Error in nfq_get_msg_packet_hdr"); } return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = 0; int d; struct nfqnl_msg_packet_hdr *ph; ph = nfq_get_msg_packet_hdr(nfa); if(ph) id = ntohl(ph->packet_id); // verify some basic patterns and drop packet if it's // somehow unexpected if(verify_pkt(nfa) != 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); uint8_t ip_addr[4]; device_t dev; uint16_t port; if(get_info(nfa, &dev, ip_addr, &port) != 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); // check if this device already has an entry in the denied/allowed lists for(d=0;d<allowed_len;d++) { if(memcmp(allowed[d].hw_addr, dev.hw_addr, 6) == 0) return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } for(d=0;d<denied_len;d++) if(memcmp(denied[d].hw_addr, dev.hw_addr, 6) == 0) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); // if we have a pending request then just drop everything // elso until the current request has been answered if(pending) return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); pending = malloc(sizeof(device_t)); *pending = dev; printf("REQ "); // print the info int i; for (i = 0; i < 5; i++) printf("%02x:", pending->hw_addr[i]); printf("%02x ", pending->hw_addr[5]); for (i = 0; i < 3; i++) printf("%u.", ip_addr[i]); printf("%u ", ip_addr[3]); printf("%u\n", port); printf("-> A(ccept), D(eny), I(gnore), Q(uit): "); fflush(stdout); // return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); }
int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { clock_gettime(CLOCK_REALTIME, &now); int inherent= (1000*1000*(now.tv_sec - last_time.tv_sec) + (now.tv_nsec - last_time.tv_nsec)/1000); if (nobuf && (inherent < 30)) { // packet comes from cache nfq_set_verdict(qh, id++, NF_DROP, 0, NULL); return OK; } /* read() inter-packet delay from stdin, sleep(), then accept() */ if (counter == period) { counter = 0; if (fgets(line, 49, stdin)) delay = atol(line); else delay = 0; } else { counter++; // only process every period'th packet delay = 0; } /* use pkd id from header or just count up? * - we must not re-order packets * - we must be fast, i.e. if possible don't copy packet contents * struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa); * u_int32_t id = ntohl(ph->packet_id); */ // struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa); // u_int32_t id = ntohl(ph->packet_id); if DEBUG { printf("Run %d\n",id); printf("\t inherent delay: %dµs\n", inherent); printf("\t intended delay: %dµs\n", delay); } if (delay > 0) { usleep(delay); imprinted++; if DEBUG printf("\tdelay: %d µs\n",delay); } else {
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data){ char HTTP1_1[] = {0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a}; char Host_srt[] = {0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20}; u_int32_t id = getid(nfa); u_char *cp = nfmsg; struct ip *iph; struct tcphdr *tcph; cp += 28; iph = (struct ip*)cp; cp += sizeof(*iph); tcph = (struct tcphdr*)cp; cp += sizeof(*tcph); if(!memcmp(cp, HTTP1_1, sizeof(HTTP1_1))){ cp += sizeof(HTTP1_1); if(!memcmp(cp, Host_srt, sizeof(Host_srt))){ cp += sizeof(Host_srt); char host[64]; int i; for(i=0; *cp != '\r';i++){ host[i] = *cp++; } host[i] = '\0'; for(i=0; Mal_Site_Table[i][0]; i++){ if(!strstr(host, Mal_Site_Table[i])){ printf("%s Dropped\n", host); return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } } } } return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { struct nfqnl_msg_packet_hdr *ph; //m_stack_t *st = (m_stack_t *)data; unsigned char *packet; u_int32_t id, ret; ph = nfq_get_msg_packet_hdr(nfa); id = ntohl(ph->packet_id); if ((ret = nfq_get_payload(nfa, &packet)) >= 0){ syslog(LOG_NOTICE, "packet catched id: %d, payload_len=%d\n\r", id, ret); } return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }
void NetherNetlink::setVerdict(const u_int32_t packetId, const NetherVerdict verdict, int32_t mark) { int ret = 0; LOGD("id=" << packetId << " verdict=" << verdictToString(verdict) << " mark=" << mark); if(verdict == NetherVerdict::allow) { if (mark >= 0) { ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, mark, 0, NULL); } else { ret = nfq_set_verdict(queueHandle, packetId, NF_ACCEPT, 0, NULL); } } if(verdict == NetherVerdict::deny) { ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, /* if we're relaxed, let's not stress out */ /* if we get a mark from the verdict caster */ /* let's use it, maybe it knows better */ mark > 0 ? mark : (netherConfig.relaxed ? netherConfig.markAllowAndLog : netherConfig.markDeny), 0, NULL); } if(verdict == NetherVerdict::allowAndLog) ret = nfq_set_verdict2(queueHandle, packetId, NF_ACCEPT, netherConfig.markAllowAndLog, 0, NULL); if(ret == -1) LOGW("can't set verdict for packetId=" << packetId); }
static int cb( struct nfq_q_handle *q, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *arg ) { int id = 0; struct nfqnl_msg_packet_hdr *ph; size_t packet_length; unsigned char *packet_data; struct pkt_buff *packet; struct iphdr *ip_header; struct tcphdr *tcp_header; ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); } packet_length = nfq_get_payload(nfa, &packet_data); packet = pktb_alloc(AF_INET, packet_data, packet_length, 4096); ip_header = nfq_ip_get_hdr(packet); nfq_ip_set_transport_header(packet, ip_header); tcp_header = nfq_tcp_get_hdr(packet); if (ip_header) { struct in_addr *target; if (src_or_dst == src) { target = (struct in_addr *) &ip_header->saddr; } else if (src_or_dst == dst) { target = (struct in_addr *) &ip_header->daddr; } inet_aton(target_ip_address, target); nfq_ip_set_checksum(ip_header); nfq_tcp_compute_checksum_ipv4(tcp_header, ip_header); memcpy(packet_data, pktb_data(packet), packet_length); } pktb_free(packet); return nfq_set_verdict(q, id, NF_ACCEPT, packet_length, packet_data); }
static int cb( struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfqdata, void *data ) { static const char* verdict_opt[] = { "accept", "drop", NULL }; static int verdict_val[] = { NF_ACCEPT, NF_DROP, }; lua_State* L = data; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfqdata); /* struct nfqnl_msg_packet_hw *hwph = nfq_get_msg_packet_hw(nfdata); */ u_int32_t id = 0; if (ph) { /* TODO - why is this conditional in sample source? */ id = ntohl(ph->packet_id); } /* Return will be: * [2] "accept", "drop", ..., default is accept * [3] string, the replacement packet, default is 0,NULL */ lua_settop(L, 1); /* Leave only the cb fn on the stack */ lua_pushvalue(L, 1); /* Push copy of fn */ lua_pushlightuserdata(L, nfqdata); lua_call(L, 1, 2); { int verdict = luaL_checkoption(L, 2, "accept", verdict_opt); size_t replacesz = 0; const char* replace = lua_tolstring(L, 3, &replacesz); /*printf("verdict %s data %p data_len %zd\n", verdict_opt[verdict], replace, replacesz);*/ return nfq_set_verdict(qh, id, verdict_val[verdict], replacesz, (void*)replace); } }
void debug_unknown (packet_struct_t *packet, int readcount){ int i,j,x; extern struct nfq_q_handle *gqh; extern int current_packet_id; if (packet->type) x = sizeof(struct ip) + sizeof(struct udphdr) + readcount -1; else x = sizeof(struct ip) + sizeof(struct udphdr) + readcount -1; for (i=0,j=0;i<=packet->packet_length;i++){ if (i==0) printf("IP Header start \n"); if (i==sizeof(struct ip)) printf("UDP Header start \n"); if (i>= sizeof(struct ip) + sizeof(struct udphdr)){ if (x == i) printf(" %3i %3i: %3i <-----\n",i,j++,packet->packet_backup[i]); else printf(" %3i %3i: %3i \n",i,j++,packet->packet_backup[i]); }else{ if (x == i) printf(" %3i: %3i <-----\n",i,packet->packet_backup[i]); else printf(" %3i: %3i \n",i,packet->packet_backup[i]); } if (i==(sizeof(struct ip) + sizeof(struct udphdr) -1)) printf("Header stop \n"); } nfq_set_verdict(gqh, current_packet_id, NF_ACCEPT,0,0); Clear_Packet_Struct(packet); printf("%i\n",x); exit(1); }
static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { u_int32_t id = -1; struct nfqnl_msg_packet_hdr* ph = nfq_get_msg_packet_hdr(nfa); if (ph) { id = ntohl(ph->packet_id); printf("hw_protocol=0x%04x hook=%u id=%u ", ntohs(ph->hw_protocol), ph->hook, id); char* packet_data = (char*) calloc(1, 10000); char* packet_data_2 = (char*) calloc(1, 10000); int count = nfq_get_payload(nfa, (unsigned char**)&packet_data); printf("count: [%d], ", count); int protocol = (int) packet_data[9]; printf("protocol: [%d]", protocol); //Get the source and destination IPs char srcIP[33]; inet_ntop(AF_INET, packet_data+12, srcIP, INET_ADDRSTRLEN); srcIP[32] = '\0'; char destIP[33]; inet_ntop(AF_INET, packet_data+16, destIP, INET_ADDRSTRLEN); destIP[32] = '\0'; struct in_addr* destAddr = getInAddr(destIP); struct in_addr* sourceAddr = getInAddr(srcIP); //If we're blocking the flow, drop the packet. if(checkForFilteredFlows(sourceAddr, destAddr) == TRUE){ return nfq_set_verdict(qh, id, NF_DROP, 0, NULL); } //Means the route record shim is not already there, so add it. if(protocol != ROUTE_RECORD_PROTOCOL){ RouteRecord* rr = createRouteRecord(gatewayAddr, randomValue); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data_2, packet_data + 20, count - 20); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); memcpy(packet_data + 20 + MAX_RR_HEADER_SIZE, packet_data_2, count - 20); packet_data[9] = (char) ROUTE_RECORD_PROTOCOL; printf("Modifying Packet\n\n"); } else{ // CHange the route record to add new gateway information RouteRecord* rr = readRouteRecord(packet_data + 20); addGatewayInfo(rr, gatewayAddr, -1l); char* rr_buf = writeRouteRecordAsNetworkBuffer(rr); memcpy(packet_data + 20, rr_buf, MAX_RR_HEADER_SIZE); } return nfq_set_verdict(qh, id, NF_ACCEPT, count + MAX_RR_HEADER_SIZE, (unsigned char*) packet_data); } printf("entering callback\n\n"); return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); }