 |
netfilter
firewalling, NAT, and packet mangling for linux
|
|
|
netfilter
firewalling, NAT, and packet mangling for linux
|
|
Library initialisation is made in two steps. More...
Functions | |
| int | nfct_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data) |
| nf_callback_register - register a callback More... | |
| void | nfct_callback_unregister (struct nfct_handle *h) |
| nfct_callback_unregister - unregister a callback More... | |
| int | nfct_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data), void *data) |
| nf_callback_register2 - register a callback More... | |
| void | nfct_callback_unregister2 (struct nfct_handle *h) |
| nfct_callback_unregister2 - unregister a callback More... | |
| int | nfexp_callback_register (struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data) |
| nfexp_callback_register - register a callback More... | |
| void | nfexp_callback_unregister (struct nfct_handle *h) |
| nfexp_callback_unregister - unregister a callback More... | |
| int | nfexp_callback_register2 (struct nfct_handle *h, enum nf_conntrack_msg_type type, int(*cb)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data), void *data) |
| nfexp_callback_register2 - register a callback More... | |
| void | nfexp_callback_unregister2 (struct nfct_handle *h) |
| nfexp_callback_unregister2 - unregister a callback More... | |
| struct nfct_handle * | nfct_open (u_int8_t subsys_id, unsigned subscriptions) |
| nfct_open - open a ctnetlink handler More... | |
| int | nfct_close (struct nfct_handle *cth) |
| nfct_close - close a ctnetlink handler More... | |
| int | nfct_fd (struct nfct_handle *cth) |
| nfct_fd - get the Netlink file descriptor of one existing ctnetlink handler More... | |
| const struct nfnl_handle * | nfct_nfnlh (struct nfct_handle *cth) |
| struct nflog_handle * | nflog_open (void) |
| nflog_open - open a nflog handler More... | |
| int | nflog_close (struct nflog_handle *h) |
| nflog_close - close a nflog handler More... | |
| int | nflog_bind_pf (struct nflog_handle *h, u_int16_t pf) |
| nflog_bind_pf - bind a nflog handler to a given protocol family More... | |
| int | nflog_unbind_pf (struct nflog_handle *h, u_int16_t pf) |
| nflog_unbind_pf - unbind nflog handler from a protocol family More... | |
| struct nfq_handle * | nfq_open (void) |
| nfq_open - open a nfqueue handler More... | |
| EXPORT_SYMBOL (nfq_open) | |
| int | nfq_close (struct nfq_handle *h) |
| nfq_close - close a nfqueue handler More... | |
| EXPORT_SYMBOL (nfq_close) | |
| int | nfq_bind_pf (struct nfq_handle *h, u_int16_t pf) |
| nfq_bind_pf - bind a nfqueue handler to a given protocol family More... | |
| EXPORT_SYMBOL (nfq_bind_pf) | |
| int | nfq_unbind_pf (struct nfq_handle *h, u_int16_t pf) |
| nfq_unbind_pf - unbind nfqueue handler from a protocol family More... | |
| EXPORT_SYMBOL (nfq_unbind_pf) | |
Library initialisation is made in two steps.
When the program has finished with libnetfilter_queue, it has to call the nfq_close() function to free all associated resources.
When the program has finished with libnetfilter_log, it has to call the nflog_close() function to release all associated resources.
First step is to call nfq_open() to open a NFQUEUE handler.
Second step is to tell the kernel that userspace queueing is handle by NFQUEUE for the selected protocol. This is made by calling nfq_unbind_pf() and nfq_bind_pf() with protocol information. The idea behind this is to enable simultaneously loaded modules to be used for queuing.
Here's a little code snippet that bind with AF_INET:
h = nfq_open();
if (!h) {
fprintf(stderr, "error during nfq_open()\n");
exit(1);
}
printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
if (nfq_unbind_pf(h, AF_INET) < 0) {
fprintf(stderr, "error during nfq_unbind_pf()\n");
exit(1);
}
printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
if (nfq_bind_pf(h, AF_INET) < 0) {
fprintf(stderr, "error during nfq_bind_pf()\n");
exit(1);
}
Once this is done, you can setup and use a Queue.
| EXPORT_SYMBOL | ( | nfq_open | ) |
| EXPORT_SYMBOL | ( | nfq_close | ) |
| EXPORT_SYMBOL | ( | nfq_bind_pf | ) |
| EXPORT_SYMBOL | ( | nfq_unbind_pf | ) |
| int nfct_callback_register | ( | struct nfct_handle * | h, |
| enum nf_conntrack_msg_type | type, | ||
| int(*)(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) | cb, | ||
| void * | data | ||
| ) |
nf_callback_register - register a callback
| h | library handler |
| type | message type (see enum nf_conntrack_msg_type definition) |
| cb | callback used to process conntrack received |
| data | data used by the callback, if any. |
This function register a callback to handle the conntrack received, in case of error -1 is returned and errno is set appropiately, otherwise 0 is returned.
Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.
References __callback(), nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, CTA_MAX, __data_container::data, nfnl_callback::data, data, __data_container::h, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, NULL, __data_container::type, and type.
Referenced by ctnl_init(), main(), and nl_flush_conntrack_table_selective().
| int nfct_callback_register2 | ( | struct nfct_handle * | h, |
| enum nf_conntrack_msg_type | type, | ||
| int(*)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) | cb, | ||
| void * | data | ||
| ) |
nf_callback_register2 - register a callback
| h | library handler |
| cb | callback used to process conntrack received |
| data | data used by the callback, if any. |
This function register a callback to handle the conntrack received, in case of error -1 is returned and errno is set appropiately, otherwise 0 is returned.
Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.
NOTICE: The difference with nf_callback_register() is that this function uses the new callback interface that includes the Netlink header.
WARNING: Don't mix nf_callback_register() and nf_callback_register2() calls, use only once at a time.
References __callback(), nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb2, CTA_MAX, __data_container::data, nfnl_callback::data, data, __data_container::h, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, NULL, __data_container::type, and type.
Referenced by ctnl_init().
| void nfct_callback_unregister | ( | struct nfct_handle * | h | ) |
nfct_callback_unregister - unregister a callback
| h | library handler |
References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, nfnl_callback::data, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, and NULL.
| void nfct_callback_unregister2 | ( | struct nfct_handle * | h | ) |
nfct_callback_unregister2 - unregister a callback
| h | library handler |
References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb2, nfnl_callback::data, IPCTNL_MSG_CT_DELETE, IPCTNL_MSG_CT_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_ct, nfct_handle::nfnlssh_ct, and NULL.
| int nfct_close | ( | struct nfct_handle * | cth | ) |
nfct_close - close a ctnetlink handler
| cth | handler obtained via nfct_open() |
This function returns -1 on error and errno is explicitly set.
References nfnl_callback::attr_count, nfnl_callback::call, nfct_handle::cb, nfct_handle::cb2, nfnl_callback::data, nfct_handle::expect_cb, nfct_handle::expect_cb2, nfct_handle::nfnl_cb_ct, nfct_handle::nfnl_cb_exp, nfnl_close(), nfnl_subsys_close(), nfct_handle::nfnlh, nfct_handle::nfnlssh_ct, nfct_handle::nfnlssh_exp, and NULL.
Referenced by ctnl_kill(), main(), and nl_flush_conntrack_table_selective().
| int nfct_fd | ( | struct nfct_handle * | cth | ) |
nfct_fd - get the Netlink file descriptor of one existing ctnetlink handler
| cth | handler obtained via nfct_open() |
References nfnl_fd(), and nfct_handle::nfnlh.
Referenced by ctnl_init(), main(), and nl_init_event_handler().
| const struct nfnl_handle* nfct_nfnlh | ( | struct nfct_handle * | cth | ) |
References nfct_handle::nfnlh.
Referenced by main(), nl_init_event_handler(), nl_resize_socket_buffer(), origin_register(), and origin_unregister().
| struct nfct_handle* nfct_open | ( | u_int8_t | subsys_id, |
| unsigned | subscriptions | ||
| ) |
nfct_open - open a ctnetlink handler
| subsys_id | can be NFNL_SUBSYS_CTNETLINK or NFNL_SUBSYS_CTNETLINK_EXP |
| subscriptions | ctnetlink groups to subscribe to events |
This function returns a handler to send commands to and receive replies from kernel-space. You can pass the following subsystem IDs:
On error, NULL is returned and errno is explicitly set.
References nfct_open_nfnl(), nfnl_close(), nfnl_open(), and NULL.
Referenced by ctnl_init(), main(), nl_flush_conntrack_table_selective(), and nl_init_event_handler().
| int nfexp_callback_register | ( | struct nfct_handle * | h, |
| enum nf_conntrack_msg_type | type, | ||
| int(*)(enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data) | cb, | ||
| void * | data | ||
| ) |
nfexp_callback_register - register a callback
| h | library handler |
| cb | callback used to process expect received |
| data | data used by the callback, if any. |
This function register a callback to handle the expect received, in case of error -1 is returned and errno is set appropiately, otherwise 0 is returned.
Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.
References __callback(), nfnl_callback::attr_count, nfnl_callback::call, CTA_EXPECT_MAX, __data_container::data, nfnl_callback::data, data, nfct_handle::expect_cb, __data_container::h, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, NULL, __data_container::type, and type.
Referenced by ctnl_init(), and main().
| int nfexp_callback_register2 | ( | struct nfct_handle * | h, |
| enum nf_conntrack_msg_type | type, | ||
| int(*)(const struct nlmsghdr *nlh, enum nf_conntrack_msg_type type, struct nf_expect *exp, void *data) | cb, | ||
| void * | data | ||
| ) |
nfexp_callback_register2 - register a callback
| h | library handler |
| cb | callback used to process expect received |
| data | data used by the callback, if any. |
This function register a callback to handle the expect received, in case of error -1 is returned and errno is set appropiately, otherwise 0 is returned.
Note that the data parameter is optional, if you do not want to pass any data to your callback, then use NULL.
NOTICE: The difference with nfexp_callback_register() is that this function uses the new callback interface that includes the Netlink header.
WARNING: Don't mix nfexp_callback_register() and nfexp_callback_register2() calls, use only once at a time.
References __callback(), nfnl_callback::attr_count, nfnl_callback::call, CTA_EXPECT_MAX, __data_container::data, nfnl_callback::data, data, nfct_handle::expect_cb2, __data_container::h, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_register(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, NULL, __data_container::type, and type.
Referenced by ctnl_init().
| void nfexp_callback_unregister | ( | struct nfct_handle * | h | ) |
nfexp_callback_unregister - unregister a callback
| h | library handler |
References nfnl_callback::attr_count, nfnl_callback::call, nfnl_callback::data, nfct_handle::expect_cb, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, and NULL.
| void nfexp_callback_unregister2 | ( | struct nfct_handle * | h | ) |
nfexp_callback_unregister2 - unregister a callback
| h | library handler |
References nfnl_callback::attr_count, nfnl_callback::call, nfnl_callback::data, nfct_handle::expect_cb2, IPCTNL_MSG_EXP_DELETE, IPCTNL_MSG_EXP_NEW, nfnl_callback_unregister(), nfct_handle::nfnl_cb_exp, nfct_handle::nfnlssh_exp, and NULL.
| int nflog_bind_pf | ( | struct nflog_handle * | h, |
| u_int16_t | pf | ||
| ) |
nflog_bind_pf - bind a nflog handler to a given protocol family
| h | Netfilter log handle obtained via call to nflog_open() |
| pf | protocol family to bind to nflog handler obtained from nflog_open() |
Binds the given log connection handle to process packets belonging to the given protocol family (ie. PF_INET, PF_INET6, etc).
References NFULNL_CFG_CMD_PF_BIND.
Referenced by ipulog_create_handle(), and main().
| int nflog_close | ( | struct nflog_handle * | h | ) |
nflog_close - close a nflog handler
| h | Netfilter log handle obtained via call to nflog_open() |
This function closes the nflog handler and free associated resources.
References nfnl_close(), and nflog_handle::nfnlh.
Referenced by ipulog_destroy_handle(), and main().
| struct nflog_handle* nflog_open | ( | void | ) |
nflog_open - open a nflog handler
This function obtains a netfilter log connection handle. When you are finished with the handle returned by this function, you should destroy it by calling nflog_close(). A new netlink connection is obtained internally and associated with the log connection handle returned.
References nflog_open_nfnl(), nfnl_close(), nfnl_open(), nfnl_unset_sequence_tracking(), and NULL.
Referenced by ipulog_create_handle(), and main().
| int nflog_unbind_pf | ( | struct nflog_handle * | h, |
| u_int16_t | pf | ||
| ) |
nflog_unbind_pf - unbind nflog handler from a protocol family
| h | Netfilter log handle obtained via call to nflog_open() |
| pf | protocol family to unbind family from |
Unbinds the given nflog handle from processing packets belonging to the given protocol family.
References NFULNL_CFG_CMD_PF_UNBIND.
Referenced by main().
| int nfq_bind_pf | ( | struct nfq_handle * | h, |
| u_int16_t | pf | ||
| ) |
nfq_bind_pf - bind a nfqueue handler to a given protocol family
| h | Netfilter queue connection handle obtained via call to nfq_open() |
| pf | protocol family to bind to nfqueue handler obtained from nfq_open() |
Binds the given queue connection handle to process packets belonging to the given protocol family (ie. PF_INET, PF_INET6, etc). This call is obsolete, Linux kernels from 3.8 onwards ignore it.
References NFQNL_CFG_CMD_PF_BIND.
Referenced by main().
| int nfq_close | ( | struct nfq_handle * | h | ) |
nfq_close - close a nfqueue handler
| h | Netfilter queue connection handle obtained via call to nfq_open() |
This function closes the nfqueue handler and free associated resources.
References nfnl_close(), and nfq_handle::nfnlh.
Referenced by main().
| struct nfq_handle* nfq_open | ( | void | ) |
nfq_open - open a nfqueue handler
This function obtains a netfilter queue connection handle. When you are finished with the handle returned by this function, you should destroy it by calling nfq_close(). A new netlink connection is obtained internally and associated with the queue connection handle returned.
References nfnl_close(), nfnl_open(), nfnl_unset_sequence_tracking(), nfq_open_nfnl(), and NULL.
Referenced by main().
| int nfq_unbind_pf | ( | struct nfq_handle * | h, |
| u_int16_t | pf | ||
| ) |
nfq_unbind_pf - unbind nfqueue handler from a protocol family
| h | Netfilter queue connection handle obtained via call to nfq_open() |
| pf | protocol family to unbind family from |
Unbinds the given queue connection handle from processing packets belonging to the given protocol family.
This call is obsolete, Linux kernels from 3.8 onwards ignore it.
References NFQNL_CFG_CMD_PF_UNBIND.
Referenced by main().
1.8.8