1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4 #include <errno.h>
5 #include <arpa/inet.h>
6 
7 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
8 #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
9 
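/*
 * event_cb - print one conntrack event and decide whether to keep catching.
 *
 * @type: message type (new/update/destroy) reported by the kernel
 * @ct:   the conntrack object carried by the event
 * @data: opaque pointer passed to nfct_callback_register(); unused here
 *
 * Returns NFCT_CB_STOP once MAX_EVENTS callbacks have been seen so that
 * nfct_catch() returns, NFCT_CB_CONTINUE otherwise.
 */
static int event_cb(enum nf_conntrack_msg_type type,
		    struct nf_conntrack *ct,
		    void *data)
{
	enum { MAX_EVENTS = 10 };
	/* Number of callbacks seen so far, across all invocations. */
	static int n = 0;
	char buf[1024];

	(void)data;

	/*
	 * nfct_snprintf() reports failure with a negative return; buf is
	 * uninitialised in that case, so do not print it.
	 */
	if (nfct_snprintf(buf, sizeof(buf), ct, type,
			  NFCT_O_PLAIN, NFCT_OF_TIME) < 0)
		fprintf(stderr, "nfct_snprintf: failed to format event\n");
	else
		printf("%s\n", buf);

	/* Every callback counts, printed or not, so the demo still terminates. */
	if (++n >= MAX_EVENTS)
		return NFCT_CB_STOP;

	return NFCT_CB_CONTINUE;
}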
25 
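/*
 * main - attach a BSF conntrack filter and print the first 10 matching
 * NEW/UPDATE events.
 *
 * The filter keeps UDP and ESTABLISHED-TCP flows and drops anything whose
 * source address is IPv4 or IPv6 loopback.
 *
 * Exits EXIT_FAILURE if any library call fails (the original example
 * exited 0 on several error paths, hiding failures from scripts), and
 * releases the handle and filter on every path.
 */
int main(void)
{
	int status = EXIT_FAILURE;
	int ret;
	struct nfct_handle *h;
	struct nfct_filter *filter;

	/* Subscribe to NEW and UPDATE events only. */
	h = nfct_open(CONNTRACK, NF_NETLINK_CONNTRACK_NEW |
				 NF_NETLINK_CONNTRACK_UPDATE);
	if (!h) {
		perror("nfct_open");
		return EXIT_FAILURE;
	}

	filter = nfct_filter_create();
	if (!filter) {
		perror("nfct_filter_create");
		goto out_close;
	}

	/* Accept only UDP and TCP ... */
	nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO, IPPROTO_UDP);
	nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO, IPPROTO_TCP);

	/* ... and, for TCP, only connections in the ESTABLISHED state. */
	struct nfct_filter_proto filter_proto = {
		.proto = IPPROTO_TCP,
		.state = TCP_CONNTRACK_ESTABLISHED
	};
	nfct_filter_add_attr(filter, NFCT_FILTER_L4PROTO_STATE, &filter_proto);

	/* BSF always wants data in host-byte order */
	struct nfct_filter_ipv4 filter_ipv4 = {
		.addr = ntohl(inet_addr("127.0.0.1")),
		.mask = 0xffffffff,
	};

	/* Ignore whatever comes from 127.0.0.1. */
	if (nfct_filter_set_logic(filter, NFCT_FILTER_SRC_IPV4,
				  NFCT_FILTER_LOGIC_NEGATIVE) < 0) {
		perror("nfct_filter_set_logic");
		goto out_destroy;
	}
	nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV4, &filter_ipv4);

	/* BSF always wants data in host-byte order */
	struct nfct_filter_ipv6 filter_ipv6 = {
		.addr = { 0x0, 0x0, 0x0, 0x1 },
		.mask = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff },
	};

	/* Ignore whatever comes from ::1 (loopback). */
	if (nfct_filter_set_logic(filter, NFCT_FILTER_SRC_IPV6,
				  NFCT_FILTER_LOGIC_NEGATIVE) < 0) {
		perror("nfct_filter_set_logic");
		goto out_destroy;
	}
	nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6, &filter_ipv6);

	if (nfct_filter_attach(nfct_fd(h), filter) == -1) {
		perror("nfct_filter_attach");
		goto out_destroy;
	}

	/* Release the filter object; this does not detach the filter. */
	nfct_filter_destroy(filter);
	filter = NULL;

	if (nfct_callback_register(h, NFCT_T_ALL, event_cb, NULL) < 0) {
		perror("nfct_callback_register");
		goto out_close;
	}

	printf("TEST: waiting for 10 events...\n");

	ret = nfct_catch(h);
	/* Capture errno before any stdio call can overwrite it. */
	int saved_errno = errno;

	printf("TEST: conntrack events ");
	if (ret == -1) {
		printf("(%d)(%s)\n", ret, strerror(saved_errno));
	} else {
		printf("(OK)\n");
		status = EXIT_SUCCESS;
	}

out_destroy:
	/* Reached with filter still owned only on the error paths above. */
	if (filter)
		nfct_filter_destroy(filter);
out_close:
	nfct_close(h);

	return status;
}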