 |
netfilter
firewalling, NAT, and packet mangling for linux
|
|
|
netfilter
firewalling, NAT, and packet mangling for linux
|
|
Once libnetfilter_queue library has been initialised (See LibrarySetup), it is possible to bind the program to a specific queue. More...
Functions | |
| int | nfq_fd (struct nfq_handle *h) |
| nfq_fd - get the file descriptor associated with the nfqueue handler More... | |
| EXPORT_SYMBOL (nfq_fd) | |
| struct nfq_q_handle * | nfq_create_queue (struct nfq_handle *h, u_int16_t num, nfq_callback *cb, void *data) |
| nfq_create_queue - create a new queue handle and return it. More... | |
| EXPORT_SYMBOL (nfq_create_queue) | |
| int | nfq_destroy_queue (struct nfq_q_handle *qh) |
| nfq_destroy_queue - destroy a queue handle More... | |
| EXPORT_SYMBOL (nfq_destroy_queue) | |
| int | nfq_handle_packet (struct nfq_handle *h, char *buf, int len) |
| nfq_handle_packet - handle a packet received from the nfqueue subsystem More... | |
| EXPORT_SYMBOL (nfq_handle_packet) | |
| int | nfq_set_mode (struct nfq_q_handle *qh, u_int8_t mode, u_int32_t range) |
| nfq_set_mode - set the amount of packet data that nfqueue copies to userspace More... | |
| EXPORT_SYMBOL (nfq_set_mode) | |
| int | nfq_set_queue_flags (struct nfq_q_handle *qh, uint32_t mask, uint32_t flags) |
| nfq_set_queue_flags - set flags (options) for the kernel queue More... | |
| EXPORT_SYMBOL (nfq_set_queue_flags) | |
| int | nfq_set_queue_maxlen (struct nfq_q_handle *qh, u_int32_t queuelen) |
| nfq_set_queue_maxlen - Set kernel queue maximum length parameter More... | |
| EXPORT_SYMBOL (nfq_set_queue_maxlen) | |
| int | nfq_set_verdict (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t data_len, const unsigned char *buf) |
| nfq_set_verdict - issue a verdict on a packet More... | |
| EXPORT_SYMBOL (nfq_set_verdict) | |
| int | nfq_set_verdict2 (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t mark, u_int32_t data_len, const unsigned char *buf) |
| nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark. More... | |
| EXPORT_SYMBOL (nfq_set_verdict2) | |
| int | nfq_set_verdict_batch (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict) |
| nfq_set_verdict_batch - issue verdicts on several packets at once More... | |
| EXPORT_SYMBOL (nfq_set_verdict_batch) | |
| int | nfq_set_verdict_batch2 (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t mark) |
| nfq_set_verdict_batch2 - like nfq_set_verdict_batch, but you can set a mark. More... | |
| EXPORT_SYMBOL (nfq_set_verdict_batch2) | |
| int | nfq_set_verdict_mark (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t mark, u_int32_t data_len, const unsigned char *buf) |
| nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark. More... | |
| EXPORT_SYMBOL (nfq_set_verdict_mark) | |
Once libnetfilter_queue library has been initialised (See LibrarySetup), it is possible to bind the program to a specific queue.
This can be done by using nfq_create_queue().
The queue can then be tuned via nfq_set_mode() or nfq_set_queue_maxlen().
Here's a little code snippet that create queue numbered 0:
printf("binding this socket to queue '0'\n");
qh = nfq_create_queue(h, 0, &cb, NULL);
if (!qh) {
fprintf(stderr, "error during nfq_create_queue()\n");
exit(1);
}
printf("setting copy_packet mode\n");
if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
fprintf(stderr, "can't set packet_copy mode\n");
exit(1);
}
Next step is the handling of incoming packets which can be done via a loop:
fd = nfq_fd(h);
while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
printf("pkt received\n");
nfq_handle_packet(h, buf, rv);
}
When the decision on a packet has been choosed, the verdict has to be given by calling nfq_set_verdict() or nfq_set_verdict2(). The verdict determines the destiny of the packet as follows:
The verdict NF_STOLEN must not be used, as it has special meaning in the kernel. When using NF_REPEAT, one way to prevent re-queueing of the same packet is to also set an nfmark using nfq_set_verdict2, and set up the nefilter rules to only queue a packet when the mark is not (yet) set.
Data and information about the packet can be fetch by using message parsing functions (See Parsing).
| EXPORT_SYMBOL | ( | nfq_fd | ) |
| EXPORT_SYMBOL | ( | nfq_create_queue | ) |
| EXPORT_SYMBOL | ( | nfq_destroy_queue | ) |
| EXPORT_SYMBOL | ( | nfq_handle_packet | ) |
| EXPORT_SYMBOL | ( | nfq_set_mode | ) |
| EXPORT_SYMBOL | ( | nfq_set_queue_flags | ) |
| EXPORT_SYMBOL | ( | nfq_set_queue_maxlen | ) |
| EXPORT_SYMBOL | ( | nfq_set_verdict | ) |
| EXPORT_SYMBOL | ( | nfq_set_verdict2 | ) |
| EXPORT_SYMBOL | ( | nfq_set_verdict_batch | ) |
| EXPORT_SYMBOL | ( | nfq_set_verdict_batch2 | ) |
| EXPORT_SYMBOL | ( | nfq_set_verdict_mark | ) |
| struct nfq_q_handle* nfq_create_queue | ( | struct nfq_handle * | h, |
| u_int16_t | num, | ||
| nfq_callback * | cb, | ||
| void * | data | ||
| ) |
nfq_create_queue - create a new queue handle and return it.
| h | Netfilter queue connection handle obtained via call to nfq_open() |
| num | the number of the queue to bind to |
| cb | callback function to call for each queued packet |
| data | custom data to pass to the callback function |
Creates a new queue handle, and returns it. The new queue is identified by #num, and the callback specified by #cb will be called for each enqueued packet. The data argument will be passed unchanged to the callback. If a queue entry with id #num already exists, this function will return failure and the existing entry is unchanged.
The nfq_callback type is defined in libnetfilter_queue.h as:
typedef int nfq_callback(struct nfq_q_handle *qh,
struct nfgenmsg *nfmsg,
struct nfq_data *nfad, void *data);
Parameters:
The callback should return < 0 to stop processing.
References nfq_q_handle::cb, nfq_q_handle::data, data, nfq_q_handle::h, nfq_q_handle::id, nfq_errno, NFQNL_CFG_CMD_BIND, and NULL.
Referenced by main().
| int nfq_destroy_queue | ( | struct nfq_q_handle * | qh | ) |
nfq_destroy_queue - destroy a queue handle
| qh | queue handle that we want to destroy created via nfq_create_queue |
Removes the binding for the specified queue handle. This call also unbind from the nfqueue handler, so you don't have to call nfq_unbind_pf.
References nfq_q_handle::h, nfq_q_handle::id, and NFQNL_CFG_CMD_UNBIND.
Referenced by main().
| int nfq_fd | ( | struct nfq_handle * | h | ) |
nfq_fd - get the file descriptor associated with the nfqueue handler
| h | Netfilter queue connection handle obtained via call to nfq_open() |
This function returns a file descriptor that can be used for communication over the netlink connection associated with the given queue connection handle.
References nfnl_fd(), and nfq_nfnlh().
Referenced by main().
| int nfq_handle_packet | ( | struct nfq_handle * | h, |
| char * | buf, | ||
| int | len | ||
| ) |
nfq_handle_packet - handle a packet received from the nfqueue subsystem
| h | Netfilter queue connection handle obtained via call to nfq_open() |
| buf | data to pass to the callback |
| len | length of packet data in buffer |
Triggers an associated callback for the given packet received from the queue. Packets can be read from the queue using nfq_fd() and recv(). See example code for nfq_fd().
References nfnl_handle_packet(), and nfq_handle::nfnlh.
Referenced by main().
| int nfq_set_mode | ( | struct nfq_q_handle * | qh, |
| u_int8_t | mode, | ||
| u_int32_t | range | ||
| ) |
nfq_set_mode - set the amount of packet data that nfqueue copies to userspace
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| mode | the part of the packet that we are interested in |
| range | size of the packet that we want to get |
Sets the amount of data to be copied to userspace for each packet queued to the given queue.
References buf, nfqnl_msg_config_params::copy_mode, nfqnl_msg_config_params::copy_range, nfq_q_handle::h, nfq_q_handle::id, NFA_LENGTH, nfnl_addattr_l(), nfnl_fill_hdr(), NFNL_HEADER_LEN, nfnl_query(), nfq_handle::nfnlh, nfq_handle::nfnlssh, NFQA_CFG_PARAMS, NFQNL_MSG_CONFIG, NLM_F_ACK, and NLM_F_REQUEST.
| int nfq_set_queue_flags | ( | struct nfq_q_handle * | qh, |
| uint32_t | mask, | ||
| uint32_t | flags | ||
| ) |
nfq_set_queue_flags - set flags (options) for the kernel queue
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| mask | specifies which flag bits to modify |
| flag | bitmask of flags |
Existing flags, that you may want to combine, are:
NFQA_CFG_F_GSO (requires Linux kernel >= 3.10): the kernel will not normalize offload packets, i.e. your application will need to be able to handle packets larger than the mtu (up to 64k).
If your application validates checksums (e.g., tcp checksum), then you must also check if the NFQA_SKB_INFO attribute is present. If it is, you need to test the NFQA_SKB_CSUMNOTREADY bit:
if (attr[NFQA_SKB_INFO]) {
uint32_t info = ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO]));
if (info & NFQA_SKB_CSUMNOTREADY)
validate_checksums = false;
}
if this bit is set, the layer 3/4 checksums of the packet appear incorrect, but are not (because they will be corrected later by the kernel).
Here's a little code snippet to show how to use this API:
uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
uint32_t mask = NFQA_CFG_F_FAIL_OPEN;
printf("Enabling fail-open on this q\n");
err = nfq_set_queue_flags(qh, mask, flags);
printf("Disabling fail-open on this q\n");
flags &= ~NFQA_CFG_F_FAIL_OPEN;
err = nfq_set_queue_flags(qh, mask, flags);
References buf, nfq_q_handle::h, nfq_q_handle::id, NFA_LENGTH, nfnl_addattr32(), nfnl_fill_hdr(), NFNL_HEADER_LEN, nfnl_query(), nfq_handle::nfnlh, nfq_handle::nfnlssh, NFQA_CFG_FLAGS, NFQA_CFG_MASK, NFQNL_MSG_CONFIG, NLM_F_ACK, and NLM_F_REQUEST.
Referenced by main().
| int nfq_set_queue_maxlen | ( | struct nfq_q_handle * | qh, |
| u_int32_t | queuelen | ||
| ) |
nfq_set_queue_maxlen - Set kernel queue maximum length parameter
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| queuelen | the length of the queue |
Sets the size of the queue in kernel. This fixes the maximum number of packets the kernel will store before internally before dropping upcoming packets.
References buf, nfq_q_handle::h, nfq_q_handle::id, NFA_LENGTH, nfnl_addattr_l(), nfnl_fill_hdr(), NFNL_HEADER_LEN, nfnl_query(), nfq_handle::nfnlh, nfq_handle::nfnlssh, NFQA_CFG_QUEUE_MAXLEN, NFQNL_MSG_CONFIG, NLM_F_ACK, and NLM_F_REQUEST.
| int nfq_set_verdict | ( | struct nfq_q_handle * | qh, |
| u_int32_t | id, | ||
| u_int32_t | verdict, | ||
| u_int32_t | data_len, | ||
| const unsigned char * | buf | ||
| ) |
nfq_set_verdict - issue a verdict on a packet
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| id | ID assigned to packet by netfilter. |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) |
| data_len | number of bytes of data pointed to by buf |
| buf | the buffer that contains the packet data |
Can be obtained by:
int id;
struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(tb);
if (ph)
id = ntohl(ph->packet_id);
Notifies netfilter of the userspace verdict for the given packet. Every queued packet must have a verdict specified by userspace, either by calling this function, the nfq_set_verdict2() function, or the _batch versions of these functions.
References NFQNL_MSG_VERDICT.
| int nfq_set_verdict2 | ( | struct nfq_q_handle * | qh, |
| u_int32_t | id, | ||
| u_int32_t | verdict, | ||
| u_int32_t | mark, | ||
| u_int32_t | data_len, | ||
| const unsigned char * | buf | ||
| ) |
nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| id | ID assigned to packet by netfilter. |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) |
| mark | mark to put on packet |
| data_len | number of bytes of data pointed to by buf |
| buf | the buffer that contains the packet data |
References NFQNL_MSG_VERDICT.
| int nfq_set_verdict_batch | ( | struct nfq_q_handle * | qh, |
| u_int32_t | id, | ||
| u_int32_t | verdict | ||
| ) |
nfq_set_verdict_batch - issue verdicts on several packets at once
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| id | maximum ID of the packets that the verdict should be applied to. |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) |
Unlike nfq_set_verdict, the verdict is applied to all queued packets whose packet id is smaller or equal to id.
batch support was added in Linux 3.1. These functions will fail silently on older kernels.
References NFQNL_MSG_VERDICT_BATCH, and NULL.
| int nfq_set_verdict_batch2 | ( | struct nfq_q_handle * | qh, |
| u_int32_t | id, | ||
| u_int32_t | verdict, | ||
| u_int32_t | mark | ||
| ) |
nfq_set_verdict_batch2 - like nfq_set_verdict_batch, but you can set a mark.
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| id | maximum ID of the packets that the verdict should be applied to. |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) |
| mark | mark to put on packet |
References NFQNL_MSG_VERDICT_BATCH, and NULL.
| int nfq_set_verdict_mark | ( | struct nfq_q_handle * | qh, |
| u_int32_t | id, | ||
| u_int32_t | verdict, | ||
| u_int32_t | mark, | ||
| u_int32_t | data_len, | ||
| const unsigned char * | buf | ||
| ) |
nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark.
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). |
| id | ID assigned to packet by netfilter. |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) |
| mark | the mark to put on the packet, in network byte order. |
| data_len | number of bytes of data pointed to by buf |
| buf | the buffer that contains the packet data |
This function is deprecated since it is broken, its use is highly discouraged. Please, use nfq_set_verdict2 instead.
References NFQNL_MSG_VERDICT.
1.8.8