NFQueue - Githubissues

main 함수에서 nfq_handle_packet 으로 패킷을 전달함

int nfq_handle_packet ( struct nfq_handle * h,
                        char * buf,
                        int len  
                      )

nfq_handle_packet - handle a packet received from the nfqueue subsystem

Parameters:

h Netfilter queue connection handle obtained via call to nfq_open()
buf data to pass to the callback
len length of packet data in buffer

Triggers an associated callback for the given packet received from the queue. Packets can be read from the queue using nfq_fd() and recv(). See example code for nfq_fd().

Returns:

0 on success, non-zero on failure.

Definition at line 558 of file libnetfilter_queue.c. http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html 참고

전달된 패킷은 cb 함수를 호출하며 cb함수는 nfq_set_verdict 함수를 리턴하면서 종료된다.

static int cb(struct nfq_q_handle qh, struct nfgenmsg nfmsg, struct nfq_data nfa, void data)

*nfa에 패킷이 변환되서 담겨져 오는걸로 보이며, 원하는 행동을 한 다음 nfq_set_verdict 함수를 리턴하여 해당 패킷을 accept 할지 deny 할지 정함

nfa는 const가 아니므로 우리가 원하는대로 패킷 변환을 할 수 있을 것으로 보인다
int nfq_set_verdict (struct nfq_q_handle qh, u_int32_t id, u_int32_t verdict, u_int32_t data_len, const unsigned char buf) 에서 verdict 인자에 NF_ACCEPT, NF_DROP 를 넣음으로써 패킷을 억셉할지 드랍할지 정함. http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html 참고
main 함수의 nfq_handle_packet 다음으로 넘어가 진행된다.

static u_int32_t print_pkt (struct nfq_data *tb) { ... int ret; char *nf_packet; ret = nfq_get_payload(tb, &nf_packet); ... struct iphdr *iph = ((struct iphdr *) nf_packet); fprintf(stdout, "IP{v=%u; ihl=%u; tos=%u; tot_len=%u; id=%u; ttl=%u; protocol=%u; " ,iph->version, iph->ihl*4, iph->tos, ntohs(iph->tot_len), ntohs(iph->id), iph->ttl, iph->protocol); char *saddr = inet_ntoa(*(struct in_addr *)&iph->saddr); fprintf(stdout,"saddr=%s; ",saddr); char *daddr = inet_ntoa(*(struct in_addr *)&iph->daddr); fprintf(stdout,"daddr=%s}\n",daddr); ... // if protocol is tcp if (iph->protocol == 6){ // extract tcp header from packet /* Calculate the size of the IP Header. iph->ihl contains the number of 32 bit words that represent the header size. Therfore to get the number of bytes multiple this number by 4 */ struct tcphdr *tcp = ((struct tcphdr *) (nf_packet + (iph->ihl << 2))); /* Calculate the size of the TCP Header. tcp->doff contains the number of 32 bit words that represent the header size. Therfore to get the number of bytes multiple this number by 4 */ //int tcphdr_size = (tcp->doff << 2); /* to print the TCP headers, we access the structure defined in tcp.h line 89 and convert values from hexadecimal to ascii */ fprintf(stdout, "TCP{sport=%u; dport=%u; seq=%u; ack_seq=%u; flags=u%ua%up%ur%us%uf%u; window=%u; urg=%u}\n", ntohs(tcp->source), ntohs(tcp->dest), ntohl(tcp->seq), ntohl(tcp->ack_seq) ,tcp->urg, tcp->ack, tcp->psh, tcp->rst, tcp->syn, tcp->fin, ntohs(tcp->window), tcp->urg_ptr); } // if protocol is udp if(iph->protocol == 17){ struct udphdr *udp = ((struct udphdr *) (nf_packet + (iph->ihl << 2))); fprintf(stdout,"UDP{sport=%u; dport=%u; len=%u}\n", ntohs(udp->source), ntohs(udp->dest), udp->len); } fprintf(stdout,"\n");

cn-snu-2015f / project

NFQueue #3

main 함수에서 nfq_handle_packet 으로 패킷을 전달함

전달된 패킷은 cb 함수를 호출하며 cb함수는 nfq_set_verdict 함수를 리턴하면서 종료된다.

main 함수의 nfq_handle_packet 다음으로 넘어가 진행된다.