conntrack_filter.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>

#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>

static int event_cb(enum nf_conntrack_msg_type type,
                    struct nf_conntrack *ct,
                    void *data)
{
        static int n = 0;
        char buf[1024];

        nfct_snprintf(buf, sizeof(buf), ct, type, NFCT_O_PLAIN, NFCT_OF_TIME);
        printf("%s\n", buf);

        if (++n == 10)
                return NFCT_CB_STOP;

        return NFCT_CB_CONTINUE;
}

int main(void)
{
        int ret;
        struct nfct_handle *h;
        struct nfct_filter *filter;

        h = nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW | 
                                 NF_NETLINK_CONNTRACK_UPDATE);
        if (!h) {
                perror("nfct_open");
                return 0;
        }

        filter = nfct_filter_create();
        if (!filter) {
                perror("nfct_create_filter");
                return 0;
        }

        nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO, IPPROTO_UDP);
        nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO, IPPROTO_TCP);

        struct nfct_filter_proto filter_proto = {
                .proto = IPPROTO_TCP,
                .state = TCP_CONNTRACK_ESTABLISHED
        };

        nfct_filter_add_attr(filter, NFCT_FILTER_L4PROTO_STATE, &filter_proto);

        /* BSF always wants data in host-byte order */
        struct nfct_filter_ipv4 filter_ipv4 = {
                .addr = ntohl(inet_addr("127.0.0.1")),
                .mask = 0xffffffff,
        };

        /* ignore whatever that comes from 127.0.0.1 */
        nfct_filter_set_logic(filter,
                              NFCT_FILTER_SRC_IPV4,
                              NFCT_FILTER_LOGIC_NEGATIVE);

        nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV4, &filter_ipv4);

        /* BSF always wants data in host-byte order */
        struct nfct_filter_ipv6 filter_ipv6 = {
                .addr = { 0x0, 0x0, 0x0, 0x1 },
                .mask = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff },
        }; 

        /* ignore whatever that comes from ::1 (loopback) */
        nfct_filter_set_logic(filter,
                              NFCT_FILTER_SRC_IPV6,
                              NFCT_FILTER_LOGIC_NEGATIVE);

        nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, &filter_ipv6);

        if (nfct_filter_attach(nfct_fd(h), filter) == -1) {
                perror("nfct_filter_attach");
                return 0;
        }

        /* release the filter object, this does not detach the filter */
        nfct_filter_destroy(filter);

        nfct_callback_register(h, NFCT_T_ALL, event_cb, NULL);

        printf("TEST: waiting for 10 events...\n");

        ret = nfct_catch(h);

        printf("TEST: conntrack events ");
        if (ret == -1)
                printf("(%d)(%s)\n", ret, strerror(errno));
        else
                printf("(OK)\n");

        nfct_close(h);

        ret == -1 ? exit(EXIT_FAILURE) : exit(EXIT_SUCCESS);
}