doxygen/html/nf-queue_8c_source.html

 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <time.h>
 #include <arpa/inet.h>

 #include <libmnl/libmnl.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>

 #include <linux/types.h>
 #include <linux/netfilter/nfnetlink_queue.h>

 #include <libnetfilter_queue/libnetfilter_queue.h>

 /* only for NFQA_CT, not needed otherwise: */
 #include <linux/netfilter/nfnetlink_conntrack.h>

 static struct mnl_socket *nl;

 static void
 nfq_send_verdict(int queue_num, uint32_t id)
 {
         char buf[MNL_SOCKET_BUFFER_SIZE];
         struct nlmsghdr *nlh;
         struct nlattr *nest;

         nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
         nfq_nlmsg_verdict_put(nlh, id, NF_ACCEPT);

         /* example to set the connmark. First, start NFQA_CT section: */
         nest = mnl_attr_nest_start(nlh, NFQA_CT);

         /* then, add the connmark attribute: */
         mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
         /* more conntrack attributes, e.g. CTA_LABELS could be set here */

         /* end conntrack section */
         mnl_attr_nest_end(nlh, nest);

         if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
                 perror("mnl_socket_send");
                 exit(EXIT_FAILURE);
         }
 }

 static int queue_cb(const struct nlmsghdr *nlh, void *data)
 {
         struct nfqnl_msg_packet_hdr *ph = NULL;
         struct nlattr *attr[NFQA_MAX+1] = {};
         uint32_t id = 0, skbinfo;
         struct nfgenmsg *nfg;
         uint16_t plen;

         if (nfq_nlmsg_parse(nlh, attr) < 0) {
                 perror("problems parsing");
                 return MNL_CB_ERROR;
         }

         nfg = mnl_nlmsg_get_payload(nlh);

         if (attr[NFQA_PACKET_HDR] == NULL) {
                 fputs("metaheader not set\n", stderr);
                 return MNL_CB_ERROR;
         }

         ph = mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);

         plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);
         /* void *payload = mnl_attr_get_payload(attr[NFQA_PAYLOAD]); */

         skbinfo = attr[NFQA_SKB_INFO] ? ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO])) : 0;

         if (attr[NFQA_CAP_LEN]) {
                 uint32_t orig_len = ntohl(mnl_attr_get_u32(attr[NFQA_CAP_LEN]));
                 if (orig_len != plen)
                         printf("truncated ");
         }

         if (skbinfo & NFQA_SKB_GSO)
                 printf("GSO ");

         id = ntohl(ph->packet_id);
         printf("packet received (id=%u hw=0x%04x hook=%u, payload len %u",
                 id, ntohs(ph->hw_protocol), ph->hook, plen);

         /*
          * ip/tcp checksums are not yet valid, e.g. due to GRO/GSO.
          * The application should behave as if the checksums are correct.
          *
          * If these packets are later forwarded/sent out, the checksums will
          * be corrected by kernel/hardware.
          */
         if (skbinfo & NFQA_SKB_CSUMNOTREADY)
                 printf(", checksum not ready");
         puts(")");

         nfq_send_verdict(ntohs(nfg->res_id), id);

         return MNL_CB_OK;
 }

 int main(int argc, char *argv[])
 {
         char *buf;
         /* largest possible packet payload, plus netlink data overhead: */
         size_t sizeof_buf = 0xffff + (MNL_SOCKET_BUFFER_SIZE/2);
         struct nlmsghdr *nlh;
         int ret;
         unsigned int portid, queue_num;

         if (argc != 2) {
                 printf("Usage: %s [queue_num]\n", argv[0]);
                 exit(EXIT_FAILURE);
         }
         queue_num = atoi(argv[1]);

         nl = mnl_socket_open(NETLINK_NETFILTER);
         if (nl == NULL) {
                 perror("mnl_socket_open");
                 exit(EXIT_FAILURE);
         }

         if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
                 perror("mnl_socket_bind");
                 exit(EXIT_FAILURE);
         }
         portid = mnl_socket_get_portid(nl);

         buf = malloc(sizeof_buf);
         if (!buf) {
                 perror("allocate receive buffer");
                 exit(EXIT_FAILURE);
         }

         nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
         nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);

         if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
                 perror("mnl_socket_send");
                 exit(EXIT_FAILURE);
         }

         nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
         nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff);

         mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
         mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));

         if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
                 perror("mnl_socket_send");
                 exit(EXIT_FAILURE);
         }

         /* ENOBUFS is signalled to userspace when packets were lost
          * on kernel side.  In most cases, userspace isn't interested
          * in this information, so turn it off.
          */
         ret = 1;
         mnl_socket_setsockopt(nl, NETLINK_NO_ENOBUFS, &ret, sizeof(int));

         for (;;) {
                 ret = mnl_socket_recvfrom(nl, buf, sizeof_buf);
                 if (ret == -1) {
                         perror("mnl_socket_recvfrom");
                         exit(EXIT_FAILURE);
                 }

                 ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);
                 if (ret < 0){
                         perror("mnl_cb_run");
                         exit(EXIT_FAILURE);
                 }
         }

         mnl_socket_close(nl);

         return 0;
 }
nfq_nlmsg_cfg_put_cmd
void nfq_nlmsg_cfg_put_cmd(struct nlmsghdr *nlh, uint16_t pf, uint8_t cmd)
Definition: nlmsg.c:166

nfq_nlmsg_verdict_put
void nfq_nlmsg_verdict_put(struct nlmsghdr *nlh, int id, int verdict)
Definition: nlmsg.c:72

nfq_nlmsg_put
struct nlmsghdr * nfq_nlmsg_put(char *buf, int type, uint32_t queue_num)
Definition: nlmsg.c:283

nfq_nlmsg_parse
int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
Definition: nlmsg.c:269

nfq_nlmsg_cfg_put_params
void nfq_nlmsg_cfg_put_params(struct nlmsghdr *nlh, uint8_t mode, int range)
Definition: nlmsg.c:182