Functions | |
| int | nfq_fd (struct nfq_handle *h) |
| struct nfq_q_handle * | nfq_create_queue (struct nfq_handle *h, u_int16_t num, nfq_callback *cb, void *data) |
| int | nfq_destroy_queue (struct nfq_q_handle *qh) |
| int | nfq_handle_packet (struct nfq_handle *h, char *buf, int len) |
| int | nfq_set_mode (struct nfq_q_handle *qh, u_int8_t mode, u_int32_t range) |
| int | nfq_set_queue_maxlen (struct nfq_q_handle *qh, u_int32_t queuelen) |
| int | nfq_set_verdict (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t data_len, const unsigned char *buf) |
| int | nfq_set_verdict2 (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t mark, u_int32_t data_len, const unsigned char *buf) |
| int | nfq_set_verdict_mark (struct nfq_q_handle *qh, u_int32_t id, u_int32_t verdict, u_int32_t mark, u_int32_t data_len, const unsigned char *buf) |
Once libnetfilter_queue library has been initialised (See LibrarySetup), it is possible to bind the program to a specific queue. This can be done by using nfq_create_queue().
The queue can then be tuned via nfq_set_mode() or nfq_set_queue_maxlen().
Here's a little code snippet that create queue numbered 0:
printf("binding this socket to queue '0'\n");
qh = nfq_create_queue(h, 0, &cb, NULL);
if (!qh) {
fprintf(stderr, "error during nfq_create_queue()\n");
exit(1);
}
printf("setting copy_packet mode\n");
if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
fprintf(stderr, "can't set packet_copy mode\n");
exit(1);
}
Next step is the handling of incoming packets which can be done via a loop:
fd = nfq_fd(h);
while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
printf("pkt received\n");
nfq_handle_packet(h, buf, rv);
}
When the decision on a packet has been choosed, the verdict has to be given by calling nfq_set_verdict() or nfq_set_verdict2(). The verdict determines the destiny of the packet as follows:
Data and information about the packet can be fetch by using message parsing functions (See Parsing).
| struct nfq_q_handle* nfq_create_queue | ( | struct nfq_handle * | h, | |
| u_int16_t | num, | |||
| nfq_callback * | cb, | |||
| void * | data | |||
| ) | [read] |
nfq_create_queue - create a new queue handle and return it.
| h | Netfilter queue connection handle obtained via call to nfq_open() | |
| num | the number of the queue to bind to | |
| cb | callback function to call for each queued packet | |
| data | custom data to pass to the callback function |
Creates a new queue handle, and returns it. The new queue is identified by num, and the callback specified by cb will be called for each enqueued packet. The data argument will be passed unchanged to the callback. If a queue entry with id num already exists, this function will return failure and the existing entry is unchanged.
The nfq_callback type is defined in libnetfilter_queue.h as:
typedef int nfq_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfad, void *data);
Parameters:
The callback should return < 0 to stop processing.
Definition at line 489 of file libnetfilter_queue.c.
| int nfq_destroy_queue | ( | struct nfq_q_handle * | qh | ) |
nfq_destroy_queue - destroy a queue handle
| qh | queue handle that we want to destroy created via nfq_create_queue |
Removes the binding for the specified queue handle. This call also unbind from the nfqueue handler, so you don't have to call nfq_unbind_pf.
Definition at line 535 of file libnetfilter_queue.c.
| int nfq_fd | ( | struct nfq_handle * | h | ) |
nfq_fd - get the file descriptor associated with the nfqueue handler
| h | Netfilter queue connection handle obtained via call to nfq_open() |
This function returns a file descriptor that can be used for communication over the netlink connection associated with the given queue connection handle.
Definition at line 270 of file libnetfilter_queue.c.
| int nfq_handle_packet | ( | struct nfq_handle * | h, | |
| char * | buf, | |||
| int | len | |||
| ) |
nfq_handle_packet - handle a packet received from the nfqueue subsystem
| h | Netfilter queue connection handle obtained via call to nfq_open() | |
| buf | data to pass to the callback | |
| len | length of packet data in buffer |
Triggers an associated callback for the given packet received from the queue. Packets can be read from the queue using nfq_fd() and recv(). See example code for nfq_fd().
Definition at line 558 of file libnetfilter_queue.c.
| int nfq_set_mode | ( | struct nfq_q_handle * | qh, | |
| u_int8_t | mode, | |||
| u_int32_t | range | |||
| ) |
nfq_set_mode - set the amount of packet data that nfqueue copies to userspace
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). | |
| mode | the part of the packet that we are interested in | |
| range | size of the packet that we want to get |
Sets the amount of data to be copied to userspace for each packet queued to the given queue.
Definition at line 578 of file libnetfilter_queue.c.
| int nfq_set_queue_maxlen | ( | struct nfq_q_handle * | qh, | |
| u_int32_t | queuelen | |||
| ) |
nfq_set_queue_maxlen - Set kernel queue maximum length parameter
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). | |
| queuelen | the length of the queue |
Sets the size of the queue in kernel. This fixes the maximum number of packets the kernel will store before internally before dropping upcoming packets.
Definition at line 610 of file libnetfilter_queue.c.
| int nfq_set_verdict | ( | struct nfq_q_handle * | qh, | |
| u_int32_t | id, | |||
| u_int32_t | verdict, | |||
| u_int32_t | data_len, | |||
| const unsigned char * | buf | |||
| ) |
nfq_set_verdict - issue a verdict on a packet
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). | |
| id | ID assigned to packet by netfilter. | |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) | |
| data_len | number of bytes of data pointed to by buf | |
| buf | the buffer that contains the packet data |
Can be obtained by:
int id; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(tb); if (ph) id = ntohl(ph->packet_id);
Notifies netfilter of the userspace verdict for the given packet. Every queued packet _must_ have a verdict specified by userspace, either by calling this function, or by calling the nfq_set_verdict2() function.
Definition at line 712 of file libnetfilter_queue.c.
| int nfq_set_verdict2 | ( | struct nfq_q_handle * | qh, | |
| u_int32_t | id, | |||
| u_int32_t | verdict, | |||
| u_int32_t | mark, | |||
| u_int32_t | data_len, | |||
| const unsigned char * | buf | |||
| ) |
nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). | |
| id | ID assigned to packet by netfilter. | |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) | |
| mark | mark to put on packet | |
| data_len | number of bytes of data pointed to by buf | |
| buf | the buffer that contains the packet data |
Definition at line 728 of file libnetfilter_queue.c.
| int nfq_set_verdict_mark | ( | struct nfq_q_handle * | qh, | |
| u_int32_t | id, | |||
| u_int32_t | verdict, | |||
| u_int32_t | mark, | |||
| u_int32_t | data_len, | |||
| const unsigned char * | buf | |||
| ) |
nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark.
| qh | Netfilter queue handle obtained by call to nfq_create_queue(). | |
| id | ID assigned to packet by netfilter. | |
| verdict | verdict to return to netfilter (NF_ACCEPT, NF_DROP) | |
| mark | the mark to put on the packet, in network byte order. | |
| data_len | number of bytes of data pointed to by buf | |
| buf | the buffer that contains the packet data |
This function is deprecated since it is broken, its use is highly discouraged. Please, use nfq_set_verdict2 instead.
Definition at line 749 of file libnetfilter_queue.c.
1.7.1