libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  
pcap-netfilter-linux.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 Jakub Zawadzki
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  * 3. The name of the author may not be used to endorse or promote
15  * products derived from this software without specific prior written
16  * permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #ifdef HAVE_CONFIG_H
32 #include <config.h>
33 #endif
34 
35 #include "pcap-int.h"
36 
37 #ifdef NEED_STRERROR_H
38 #include "strerror.h"
39 #endif
40 
41 #include <errno.h>
42 #include <stdlib.h>
43 #include <unistd.h>
44 #include <string.h>
45 #include <sys/socket.h>
46 #include <arpa/inet.h>
47 
48 #include <time.h>
49 #include <sys/time.h>
50 #include <netinet/in.h>
51 #include <linux/types.h>
52 
53 #include <linux/netlink.h>
54 #include <linux/netfilter.h>
55 #include <linux/netfilter/nfnetlink.h>
56 #include <linux/netfilter/nfnetlink_log.h>
57 #include <linux/netfilter/nfnetlink_queue.h>
58 
59 /* NOTE: if your program drops privileges after pcap_activate() it WON'T work with nfqueue.
60  * It took me quite some time to debug ;/
61  *
62  * Sending any data to nfnetlink socket requires CAP_NET_ADMIN privileges,
63  * and in nfqueue we need to send verdict reply after recving packet.
64  *
65  * In tcpdump you can disable dropping privileges with -Z root
66  */
67 
68 #include "pcap-netfilter-linux.h"
69 
70 #define HDR_LENGTH (NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg))))
71 
72 #define NFLOG_IFACE "nflog"
73 #define NFQUEUE_IFACE "nfqueue"
74 
75 typedef enum { OTHER = -1, NFLOG, NFQUEUE } nftype_t;
76 
77 /*
78  * Private data for capturing on Linux netfilter sockets.
79  */
80 struct pcap_netfilter {
81  u_int packets_read; /* count of packets read with recvfrom() */
82  u_int packets_nobufs; /* ENOBUFS counter */
83 };
84 
85 static int nfqueue_send_verdict(const pcap_t *handle, uint16_t group_id, u_int32_t id, u_int32_t verdict);
86 
87 
88 static int
89 netfilter_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
90 {
91  struct pcap_netfilter *handlep = handle->priv;
92  register u_char *bp, *ep;
93  int count = 0;
94  ssize_t len;
95 
96  /*
97  * Has "pcap_breakloop()" been called?
98  */
99  if (handle->break_loop) {
100  /*
101  * Yes - clear the flag that indicates that it
102  * has, and return PCAP_ERROR_BREAK to indicate
103  * that we were told to break out of the loop.
104  */
105  handle->break_loop = 0;
106  return PCAP_ERROR_BREAK;
107  }
108  len = handle->cc;
109  if (len == 0) {
110  /*
111  * The buffer is empty; refill it.
112  *
113  * We ignore EINTR, as that might just be due to a signal
114  * being delivered - if the signal should interrupt the
115  * loop, the signal handler should call pcap_breakloop()
116  * to set handle->break_loop (we ignore it on other
117  * platforms as well).
118  */
119  do {
120  len = recv(handle->fd, handle->buffer, handle->bufsize, 0);
121  if (handle->break_loop) {
122  handle->break_loop = 0;
123  return PCAP_ERROR_BREAK;
124  }
125  if (errno == ENOBUFS)
126  handlep->packets_nobufs++;
127  } while ((len == -1) && (errno == EINTR || errno == ENOBUFS));
128 
129  if (len < 0) {
130  pcap_fmt_errmsg_for_errno(handle->errbuf,
131  PCAP_ERRBUF_SIZE, errno, "Can't receive packet");
132  return PCAP_ERROR;
133  }
134 
135  bp = (unsigned char *)handle->buffer;
136  } else
137  bp = handle->bp;
138  ep = bp + len;
139  while (bp < ep) {
140  const struct nlmsghdr *nlh = (const struct nlmsghdr *) bp;
141  uint32_t msg_len;
142  nftype_t type = OTHER;
143  /*
144  * Has "pcap_breakloop()" been called?
145  * If so, return immediately - if we haven't read any
146  * packets, clear the flag and return PCAP_ERROR_BREAK
147  * to indicate that we were told to break out of the loop,
148  * otherwise leave the flag set, so that the *next* call
149  * will break out of the loop without having read any
150  * packets, and return the number of packets we've
151  * processed so far.
152  */
153  if (handle->break_loop) {
154  handle->bp = bp;
155  handle->cc = (int)(ep - bp);
156  if (count == 0) {
157  handle->break_loop = 0;
158  return PCAP_ERROR_BREAK;
159  } else
160  return count;
161  }
162  /*
163  * NLMSG_SPACE(0) might be signed or might be unsigned,
164  * depending on whether the kernel defines NLMSG_ALIGNTO
165  * as 4, which older kernels do, or as 4U, which newer
166  * kernels do.
167  *
168  * ep - bp is of type ptrdiff_t, which is signed.
169  *
170  * To squelch warnings, we cast both to size_t, which
171  * is unsigned; ep >= bp, so the cast is safe.
172  */
173  if ((size_t)(ep - bp) < (size_t)NLMSG_SPACE(0)) {
174  /*
175  * There's less than one netlink message left
176  * in the buffer. Give up.
177  */
178  break;
179  }
180 
181  if (nlh->nlmsg_len < sizeof(struct nlmsghdr) || (u_int)len < nlh->nlmsg_len) {
182  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "Message truncated: (got: %zd) (nlmsg_len: %u)", len, nlh->nlmsg_len);
183  return -1;
184  }
185 
186  if (NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_ULOG &&
187  NFNL_MSG_TYPE(nlh->nlmsg_type) == NFULNL_MSG_PACKET)
188  type = NFLOG;
189  else if (NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_QUEUE &&
190  NFNL_MSG_TYPE(nlh->nlmsg_type) == NFQNL_MSG_PACKET)
191  type = NFQUEUE;
192 
193  if (type != OTHER) {
194  const unsigned char *payload = NULL;
195  struct pcap_pkthdr pkth;
196 
197  const struct nfgenmsg *nfg = NULL;
198  int id = 0;
199 
200  if (handle->linktype != DLT_NFLOG) {
201  const struct nfattr *payload_attr = NULL;
202 
203  if (nlh->nlmsg_len < HDR_LENGTH) {
204  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "Malformed message: (nlmsg_len: %u)", nlh->nlmsg_len);
205  return -1;
206  }
207 
208  nfg = NLMSG_DATA(nlh);
209  if (nlh->nlmsg_len > HDR_LENGTH) {
210  struct nfattr *attr = NFM_NFA(nfg);
211  int attr_len = nlh->nlmsg_len - NLMSG_ALIGN(HDR_LENGTH);
212 
213  while (NFA_OK(attr, attr_len)) {
214  if (type == NFQUEUE) {
215  switch (NFA_TYPE(attr)) {
216  case NFQA_PACKET_HDR:
217  {
218  const struct nfqnl_msg_packet_hdr *pkt_hdr = (const struct nfqnl_msg_packet_hdr *) NFA_DATA(attr);
219 
220  id = ntohl(pkt_hdr->packet_id);
221  break;
222  }
223  case NFQA_PAYLOAD:
224  payload_attr = attr;
225  break;
226  }
227 
228  } else if (type == NFLOG) {
229  switch (NFA_TYPE(attr)) {
230  case NFULA_PAYLOAD:
231  payload_attr = attr;
232  break;
233  }
234  }
235  attr = NFA_NEXT(attr, attr_len);
236  }
237  }
238 
239  if (payload_attr) {
240  payload = NFA_DATA(payload_attr);
241  pkth.len = pkth.caplen = NFA_PAYLOAD(payload_attr);
242  }
243 
244  } else {
245  payload = NLMSG_DATA(nlh);
246  pkth.caplen = pkth.len = nlh->nlmsg_len-NLMSG_ALIGN(sizeof(struct nlmsghdr));
247  }
248 
249  if (payload) {
250  /* pkth.caplen = min (payload_len, handle->snapshot); */
251 
252  gettimeofday(&pkth.ts, NULL);
253  if (handle->fcode.bf_insns == NULL ||
254  pcap_filter(handle->fcode.bf_insns, payload, pkth.len, pkth.caplen))
255  {
256  handlep->packets_read++;
257  callback(user, &pkth, payload);
258  count++;
259  }
260  }
261 
262  if (type == NFQUEUE) {
263  /* XXX, possible responses: NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT, NF_STOP */
264  /* if type == NFQUEUE, handle->linktype is always != DLT_NFLOG,
265  so nfg is always initialized to NLMSG_DATA(nlh). */
266  if (nfg != NULL)
267  nfqueue_send_verdict(handle, ntohs(nfg->res_id), id, NF_ACCEPT);
268  }
269  }
270 
271  msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
272  /*
273  * If the message length would run past the end of the
274  * buffer, truncate it to the remaining space in the
275  * buffer.
276  *
277  * To squelch warnings, we cast ep - bp to uint32_t, which
278  * is unsigned and is the type of msg_len; ep >= bp, and
279  * len should fit in 32 bits (either it's set from an int
280  * or it's set from a recv() call with a buffer size that's
281  * an int, and we're assuming either ILP32 or LP64), so
282  * the cast is safe.
283  */
284  if (msg_len > (uint32_t)(ep - bp))
285  msg_len = (uint32_t)(ep - bp);
286 
287  bp += msg_len;
288  if (count >= max_packets && !PACKET_COUNT_IS_UNLIMITED(max_packets)) {
289  handle->bp = bp;
290  handle->cc = (int)(ep - bp);
291  if (handle->cc < 0)
292  handle->cc = 0;
293  return count;
294  }
295  }
296 
297  handle->cc = 0;
298  return count;
299 }
300 
301 static int
302 netfilter_set_datalink(pcap_t *handle, int dlt)
303 {
304  handle->linktype = dlt;
305  return 0;
306 }
307 
308 static int
309 netfilter_stats_linux(pcap_t *handle, struct pcap_stat *stats)
310 {
311  struct pcap_netfilter *handlep = handle->priv;
312 
313  stats->ps_recv = handlep->packets_read;
314  stats->ps_drop = handlep->packets_nobufs;
315  stats->ps_ifdrop = 0;
316  return 0;
317 }
318 
319 static int
320 netfilter_inject_linux(pcap_t *handle, const void *buf _U_, int size _U_)
321 {
322  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
323  "Packet injection is not supported on netfilter devices");
324  return (-1);
325 }
326 
327 struct my_nfattr {
328  uint16_t nfa_len;
329  uint16_t nfa_type;
330  void *data;
331 };
332 
333 static int
334 netfilter_send_config_msg(const pcap_t *handle, uint16_t msg_type, int ack, u_int8_t family, u_int16_t res_id, const struct my_nfattr *mynfa)
335 {
336  char buf[1024] __attribute__ ((aligned));
337  memset(buf, 0, sizeof(buf));
338 
339  struct nlmsghdr *nlh = (struct nlmsghdr *) buf;
340  struct nfgenmsg *nfg = (struct nfgenmsg *) (buf + sizeof(struct nlmsghdr));
341 
342  struct sockaddr_nl snl;
343  static unsigned int seq_id;
344 
345  if (!seq_id)
346  seq_id = time(NULL);
347  ++seq_id;
348 
349  nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
350  nlh->nlmsg_type = msg_type;
351  nlh->nlmsg_flags = NLM_F_REQUEST | (ack ? NLM_F_ACK : 0);
352  nlh->nlmsg_pid = 0; /* to kernel */
353  nlh->nlmsg_seq = seq_id;
354 
355  nfg->nfgen_family = family;
356  nfg->version = NFNETLINK_V0;
357  nfg->res_id = htons(res_id);
358 
359  if (mynfa) {
360  struct nfattr *nfa = (struct nfattr *) (buf + NLMSG_ALIGN(nlh->nlmsg_len));
361 
362  nfa->nfa_type = mynfa->nfa_type;
363  nfa->nfa_len = NFA_LENGTH(mynfa->nfa_len);
364  memcpy(NFA_DATA(nfa), mynfa->data, mynfa->nfa_len);
365  nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NFA_ALIGN(nfa->nfa_len);
366  }
367 
368  memset(&snl, 0, sizeof(snl));
369  snl.nl_family = AF_NETLINK;
370 
371  if (sendto(handle->fd, nlh, nlh->nlmsg_len, 0, (struct sockaddr *) &snl, sizeof(snl)) == -1)
372  return -1;
373 
374  if (!ack)
375  return 0;
376 
377  /* waiting for reply loop */
378  do {
379  socklen_t addrlen = sizeof(snl);
380  int len;
381 
382  /* ignore interrupt system call error */
383  do {
384  /*
385  * The buffer is not so big that its size won't
386  * fit into an int.
387  */
388  len = (int)recvfrom(handle->fd, buf, sizeof(buf), 0, (struct sockaddr *) &snl, &addrlen);
389  } while ((len == -1) && (errno == EINTR));
390 
391  if (len <= 0)
392  return len;
393 
394  if (addrlen != sizeof(snl) || snl.nl_family != AF_NETLINK) {
395  errno = EINVAL;
396  return -1;
397  }
398 
399  nlh = (struct nlmsghdr *) buf;
400  if (snl.nl_pid != 0 || seq_id != nlh->nlmsg_seq) /* if not from kernel or wrong sequence skip */
401  continue;
402 
403  while ((u_int)len >= NLMSG_SPACE(0) && NLMSG_OK(nlh, (u_int)len)) {
404  if (nlh->nlmsg_type == NLMSG_ERROR || (nlh->nlmsg_type == NLMSG_DONE && nlh->nlmsg_flags & NLM_F_MULTI)) {
405  if (nlh->nlmsg_len < NLMSG_ALIGN(sizeof(struct nlmsgerr))) {
406  errno = EBADMSG;
407  return -1;
408  }
409  errno = -(*((int *)NLMSG_DATA(nlh)));
410  return (errno == 0) ? 0 : -1;
411  }
412  nlh = NLMSG_NEXT(nlh, len);
413  }
414  } while (1);
415 
416  return -1; /* never here */
417 }
418 
419 static int
420 nflog_send_config_msg(const pcap_t *handle, uint8_t family, u_int16_t group_id, const struct my_nfattr *mynfa)
421 {
422  return netfilter_send_config_msg(handle, (NFNL_SUBSYS_ULOG << 8) | NFULNL_MSG_CONFIG, 1, family, group_id, mynfa);
423 }
424 
425 static int
426 nflog_send_config_cmd(const pcap_t *handle, uint16_t group_id, u_int8_t cmd, u_int8_t family)
427 {
428  struct nfulnl_msg_config_cmd msg;
429  struct my_nfattr nfa;
430 
431  msg.command = cmd;
432 
433  nfa.data = &msg;
434  nfa.nfa_type = NFULA_CFG_CMD;
435  nfa.nfa_len = sizeof(msg);
436 
437  return nflog_send_config_msg(handle, family, group_id, &nfa);
438 }
439 
440 static int
441 nflog_send_config_mode(const pcap_t *handle, uint16_t group_id, u_int8_t copy_mode, u_int32_t copy_range)
442 {
443  struct nfulnl_msg_config_mode msg;
444  struct my_nfattr nfa;
445 
446  msg.copy_range = htonl(copy_range);
447  msg.copy_mode = copy_mode;
448 
449  nfa.data = &msg;
450  nfa.nfa_type = NFULA_CFG_MODE;
451  nfa.nfa_len = sizeof(msg);
452 
453  return nflog_send_config_msg(handle, AF_UNSPEC, group_id, &nfa);
454 }
455 
456 static int
457 nfqueue_send_verdict(const pcap_t *handle, uint16_t group_id, u_int32_t id, u_int32_t verdict)
458 {
459  struct nfqnl_msg_verdict_hdr msg;
460  struct my_nfattr nfa;
461 
462  msg.id = htonl(id);
463  msg.verdict = htonl(verdict);
464 
465  nfa.data = &msg;
466  nfa.nfa_type = NFQA_VERDICT_HDR;
467  nfa.nfa_len = sizeof(msg);
468 
469  return netfilter_send_config_msg(handle, (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_VERDICT, 0, AF_UNSPEC, group_id, &nfa);
470 }
471 
472 static int
473 nfqueue_send_config_msg(const pcap_t *handle, uint8_t family, u_int16_t group_id, const struct my_nfattr *mynfa)
474 {
475  return netfilter_send_config_msg(handle, (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG, 1, family, group_id, mynfa);
476 }
477 
478 static int
479 nfqueue_send_config_cmd(const pcap_t *handle, uint16_t group_id, u_int8_t cmd, u_int16_t pf)
480 {
481  struct nfqnl_msg_config_cmd msg;
482  struct my_nfattr nfa;
483 
484  msg.command = cmd;
485  msg.pf = htons(pf);
486 
487  nfa.data = &msg;
488  nfa.nfa_type = NFQA_CFG_CMD;
489  nfa.nfa_len = sizeof(msg);
490 
491  return nfqueue_send_config_msg(handle, AF_UNSPEC, group_id, &nfa);
492 }
493 
494 static int
495 nfqueue_send_config_mode(const pcap_t *handle, uint16_t group_id, u_int8_t copy_mode, u_int32_t copy_range)
496 {
497  struct nfqnl_msg_config_params msg;
498  struct my_nfattr nfa;
499 
500  msg.copy_range = htonl(copy_range);
501  msg.copy_mode = copy_mode;
502 
503  nfa.data = &msg;
504  nfa.nfa_type = NFQA_CFG_PARAMS;
505  nfa.nfa_len = sizeof(msg);
506 
507  return nfqueue_send_config_msg(handle, AF_UNSPEC, group_id, &nfa);
508 }
509 
510 static int
511 netfilter_activate(pcap_t* handle)
512 {
513  const char *dev = handle->opt.device;
514  unsigned short groups[32];
515  int group_count = 0;
516  nftype_t type = OTHER;
517  int i;
518 
519  if (strncmp(dev, NFLOG_IFACE, strlen(NFLOG_IFACE)) == 0) {
520  dev += strlen(NFLOG_IFACE);
521  type = NFLOG;
522 
523  } else if (strncmp(dev, NFQUEUE_IFACE, strlen(NFQUEUE_IFACE)) == 0) {
524  dev += strlen(NFQUEUE_IFACE);
525  type = NFQUEUE;
526  }
527 
528  if (type != OTHER && *dev == ':') {
529  dev++;
530  while (*dev) {
531  long int group_id;
532  char *end_dev;
533 
534  if (group_count == 32) {
535  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
536  "Maximum 32 netfilter groups! dev: %s",
537  handle->opt.device);
538  return PCAP_ERROR;
539  }
540 
541  group_id = strtol(dev, &end_dev, 0);
542  if (end_dev != dev) {
543  if (group_id < 0 || group_id > 65535) {
544  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
545  "Netfilter group range from 0 to 65535 (got %ld)",
546  group_id);
547  return PCAP_ERROR;
548  }
549 
550  groups[group_count++] = (unsigned short) group_id;
551  dev = end_dev;
552  }
553  if (*dev != ',')
554  break;
555  dev++;
556  }
557  }
558 
559  if (type == OTHER || *dev) {
560  snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
561  "Can't get netfilter group(s) index from %s",
562  handle->opt.device);
563  return PCAP_ERROR;
564  }
565 
566  /* if no groups, add default: 0 */
567  if (!group_count) {
568  groups[0] = 0;
569  group_count = 1;
570  }
571 
572  /*
573  * Turn a negative snapshot value (invalid), a snapshot value of
574  * 0 (unspecified), or a value bigger than the normal maximum
575  * value, into the maximum allowed value.
576  *
577  * If some application really *needs* a bigger snapshot
578  * length, we should just increase MAXIMUM_SNAPLEN.
579  */
580  if (handle->snapshot <= 0 || handle->snapshot > MAXIMUM_SNAPLEN)
581  handle->snapshot = MAXIMUM_SNAPLEN;
582 
583  /* Initialize some components of the pcap structure. */
584  handle->bufsize = 128 + handle->snapshot;
585  handle->offset = 0;
586  handle->read_op = netfilter_read_linux;
587  handle->inject_op = netfilter_inject_linux;
588  handle->setfilter_op = install_bpf_program; /* no kernel filtering */
589  handle->setdirection_op = NULL;
590  handle->set_datalink_op = netfilter_set_datalink;
591  handle->getnonblock_op = pcap_getnonblock_fd;
592  handle->setnonblock_op = pcap_setnonblock_fd;
593  handle->stats_op = netfilter_stats_linux;
594 
595  /* Create netlink socket */
596  handle->fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
597  if (handle->fd < 0) {
598  pcap_fmt_errmsg_for_errno(handle->errbuf, PCAP_ERRBUF_SIZE,
599  errno, "Can't create raw socket");
600  return PCAP_ERROR;
601  }
602 
603  if (type == NFLOG) {
604  handle->linktype = DLT_NFLOG;
605  handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
606  if (handle->dlt_list != NULL) {
607  handle->dlt_list[0] = DLT_NFLOG;
608  handle->dlt_list[1] = DLT_IPV4;
609  handle->dlt_count = 2;
610  }
611 
612  } else
613  handle->linktype = DLT_IPV4;
614 
615  handle->buffer = malloc(handle->bufsize);
616  if (!handle->buffer) {
617  pcap_fmt_errmsg_for_errno(handle->errbuf, PCAP_ERRBUF_SIZE,
618  errno, "Can't allocate dump buffer");
619  goto close_fail;
620  }
621 
622  if (type == NFLOG) {
623  if (nflog_send_config_cmd(handle, 0, NFULNL_CFG_CMD_PF_UNBIND, AF_INET) < 0) {
624  pcap_fmt_errmsg_for_errno(handle->errbuf,
625  PCAP_ERRBUF_SIZE, errno,
626  "NFULNL_CFG_CMD_PF_UNBIND");
627  goto close_fail;
628  }
629 
630  if (nflog_send_config_cmd(handle, 0, NFULNL_CFG_CMD_PF_BIND, AF_INET) < 0) {
631  pcap_fmt_errmsg_for_errno(handle->errbuf,
632  PCAP_ERRBUF_SIZE, errno, "NFULNL_CFG_CMD_PF_BIND");
633  goto close_fail;
634  }
635 
636  /* Bind socket to the nflog groups */
637  for (i = 0; i < group_count; i++) {
638  if (nflog_send_config_cmd(handle, groups[i], NFULNL_CFG_CMD_BIND, AF_UNSPEC) < 0) {
639  pcap_fmt_errmsg_for_errno(handle->errbuf,
640  PCAP_ERRBUF_SIZE, errno,
641  "Can't listen on group index");
642  goto close_fail;
643  }
644 
645  if (nflog_send_config_mode(handle, groups[i], NFULNL_COPY_PACKET, handle->snapshot) < 0) {
646  pcap_fmt_errmsg_for_errno(handle->errbuf,
647  PCAP_ERRBUF_SIZE, errno,
648  "NFULNL_COPY_PACKET");
649  goto close_fail;
650  }
651  }
652 
653  } else {
654  if (nfqueue_send_config_cmd(handle, 0, NFQNL_CFG_CMD_PF_UNBIND, AF_INET) < 0) {
655  pcap_fmt_errmsg_for_errno(handle->errbuf,
656  PCAP_ERRBUF_SIZE, errno, "NFQNL_CFG_CMD_PF_UNBIND");
657  goto close_fail;
658  }
659 
660  if (nfqueue_send_config_cmd(handle, 0, NFQNL_CFG_CMD_PF_BIND, AF_INET) < 0) {
661  pcap_fmt_errmsg_for_errno(handle->errbuf,
662  PCAP_ERRBUF_SIZE, errno, "NFQNL_CFG_CMD_PF_BIND");
663  goto close_fail;
664  }
665 
666  /* Bind socket to the nfqueue groups */
667  for (i = 0; i < group_count; i++) {
668  if (nfqueue_send_config_cmd(handle, groups[i], NFQNL_CFG_CMD_BIND, AF_UNSPEC) < 0) {
669  pcap_fmt_errmsg_for_errno(handle->errbuf,
670  PCAP_ERRBUF_SIZE, errno,
671  "Can't listen on group index");
672  goto close_fail;
673  }
674 
675  if (nfqueue_send_config_mode(handle, groups[i], NFQNL_COPY_PACKET, handle->snapshot) < 0) {
676  pcap_fmt_errmsg_for_errno(handle->errbuf,
677  PCAP_ERRBUF_SIZE, errno,
678  "NFQNL_COPY_PACKET");
679  goto close_fail;
680  }
681  }
682  }
683 
684  if (handle->opt.rfmon) {
685  /*
686  * Monitor mode doesn't apply to netfilter devices.
687  */
688  pcap_cleanup_live_common(handle);
689  return PCAP_ERROR_RFMON_NOTSUP;
690  }
691 
692  if (handle->opt.buffer_size != 0) {
693  /*
694  * Set the socket buffer size to the specified value.
695  */
696  if (setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF, &handle->opt.buffer_size, sizeof(handle->opt.buffer_size)) == -1) {
697  pcap_fmt_errmsg_for_errno(handle->errbuf,
698  PCAP_ERRBUF_SIZE, errno, "SO_RCVBUF");
699  goto close_fail;
700  }
701  }
702 
703  handle->selectable_fd = handle->fd;
704  return 0;
705 
706 close_fail:
707  pcap_cleanup_live_common(handle);
708  return PCAP_ERROR;
709 }
710 
711 pcap_t *
712 netfilter_create(const char *device, char *ebuf, int *is_ours)
713 {
714  const char *cp;
715  pcap_t *p;
716 
717  /* Does this look like an netfilter device? */
718  cp = strrchr(device, '/');
719  if (cp == NULL)
720  cp = device;
721 
722  /* Does it begin with NFLOG_IFACE or NFQUEUE_IFACE? */
723  if (strncmp(cp, NFLOG_IFACE, sizeof NFLOG_IFACE - 1) == 0)
724  cp += sizeof NFLOG_IFACE - 1;
725  else if (strncmp(cp, NFQUEUE_IFACE, sizeof NFQUEUE_IFACE - 1) == 0)
726  cp += sizeof NFQUEUE_IFACE - 1;
727  else {
728  /* Nope, doesn't begin with NFLOG_IFACE nor NFQUEUE_IFACE */
729  *is_ours = 0;
730  return NULL;
731  }
732 
733  /*
734  * Yes - is that either the end of the name, or is it followed
735  * by a colon?
736  */
737  if (*cp != ':' && *cp != '\0') {
738  /* Nope */
739  *is_ours = 0;
740  return NULL;
741  }
742 
743  /* OK, it's probably ours. */
744  *is_ours = 1;
745 
746  p = PCAP_CREATE_COMMON(ebuf, struct pcap_netfilter);
747  if (p == NULL)
748  return (NULL);
749 
750  p->activate_op = netfilter_activate;
751  return (p);
752 }
753 
754 int
755 netfilter_findalldevs(pcap_if_list_t *devlistp, char *err_str)
756 {
757  int sock;
758 
759  sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
760  if (sock < 0) {
761  /* if netlink is not supported this is not fatal */
762  if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
763  return 0;
764  pcap_fmt_errmsg_for_errno(err_str, PCAP_ERRBUF_SIZE,
765  errno, "Can't open netlink socket");
766  return -1;
767  }
768  close(sock);
769 
770  /*
771  * The notion of "connected" vs. "disconnected" doesn't apply.
772  * XXX - what about "up" and "running"?
773  */
774  if (add_dev(devlistp, NFLOG_IFACE,
775  PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE,
776  "Linux netfilter log (NFLOG) interface", err_str) == NULL)
777  return -1;
778  if (add_dev(devlistp, NFQUEUE_IFACE,
779  PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE,
780  "Linux netfilter queue (NFQUEUE) interface", err_str) == NULL)
781  return -1;
782  return 0;
783 }
pcap_filter
u_int pcap_filter(const struct bpf_insn *pc, const u_char *p, u_int wirelen, u_int buflen)
Definition: bpf_filter.c:391
DLT_IPV4
#define DLT_IPV4
Definition: dlt.h:1041
DLT_NFLOG
#define DLT_NFLOG
Definition: dlt.h:1114
pcap_fmt_errmsg_for_errno
void pcap_fmt_errmsg_for_errno(char *errbuf, size_t errbuflen, int errnum, const char *fmt,...)
Definition: fmtutils.c:269
NFULA_PAYLOAD
#define NFULA_PAYLOAD
Definition: nflog.h:84
install_bpf_program
int install_bpf_program(pcap_t *p, struct bpf_program *fp)
Definition: optimize.c:2939
snprintf
int snprintf(char *, size_t, const char *,...)
recvfrom
int recvfrom(int, char *, u_int, int, struct sockaddr *, int *)
gettimeofday
int gettimeofday(struct timeval *, struct timezone *)
strtol
long strtol(const char *, char **, int)
recv
int recv(int, char *, u_int, int)
setsockopt
int setsockopt(int, int, int, char *, int)
sendto
int sendto(int, char *, u_int, int, struct sockaddr *, int)
time
time_t time(time_t *)
socket
int socket(int, int, int)
close
int close(int)
_U_
#define _U_
Definition: pcap-dos.h:93
errno
int errno
MAXIMUM_SNAPLEN
#define MAXIMUM_SNAPLEN
Definition: pcap-int.h:131
PACKET_COUNT_IS_UNLIMITED
#define PACKET_COUNT_IS_UNLIMITED(count)
Definition: pcap-int.h:444
add_dev
pcap_if_t * add_dev(pcap_if_list_t *, const char *, bpf_u_int32, const char *, char *)
Definition: pcap.c:1308
pcap_cleanup_live_common
void pcap_cleanup_live_common(pcap_t *)
Definition: pcap.c:3987
pcap_getnonblock_fd
int pcap_getnonblock_fd(pcap_t *)
Definition: pcap.c:3537
pcap_setnonblock_fd
int pcap_setnonblock_fd(pcap_t *p, int)
Definition: pcap.c:3583
PCAP_CREATE_COMMON
#define PCAP_CREATE_COMMON(ebuf, type)
Definition: pcap-int.h:474
socklen_t
int socklen_t
Definition: pcap-linux.c:168
nfqueue_send_verdict
static int nfqueue_send_verdict(const pcap_t *handle, uint16_t group_id, u_int32_t id, u_int32_t verdict)
Definition: pcap-netfilter-linux.c:457
NFQUEUE_IFACE
#define NFQUEUE_IFACE
Definition: pcap-netfilter-linux.c:73
netfilter_read_linux
static int netfilter_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
Definition: pcap-netfilter-linux.c:89
netfilter_findalldevs
int netfilter_findalldevs(pcap_if_list_t *devlistp, char *err_str)
Definition: pcap-netfilter-linux.c:755
HDR_LENGTH
#define HDR_LENGTH
Definition: pcap-netfilter-linux.c:70
netfilter_stats_linux
static int netfilter_stats_linux(pcap_t *handle, struct pcap_stat *stats)
Definition: pcap-netfilter-linux.c:309
nfqueue_send_config_mode
static int nfqueue_send_config_mode(const pcap_t *handle, uint16_t group_id, u_int8_t copy_mode, u_int32_t copy_range)
Definition: pcap-netfilter-linux.c:495
netfilter_inject_linux
static int netfilter_inject_linux(pcap_t *handle, const void *buf, int size)
Definition: pcap-netfilter-linux.c:320
nflog_send_config_msg
static int nflog_send_config_msg(const pcap_t *handle, uint8_t family, u_int16_t group_id, const struct my_nfattr *mynfa)
Definition: pcap-netfilter-linux.c:420
nfqueue_send_config_cmd
static int nfqueue_send_config_cmd(const pcap_t *handle, uint16_t group_id, u_int8_t cmd, u_int16_t pf)
Definition: pcap-netfilter-linux.c:479
netfilter_set_datalink
static int netfilter_set_datalink(pcap_t *handle, int dlt)
Definition: pcap-netfilter-linux.c:302
netfilter_send_config_msg
static int netfilter_send_config_msg(const pcap_t *handle, uint16_t msg_type, int ack, u_int8_t family, u_int16_t res_id, const struct my_nfattr *mynfa)
Definition: pcap-netfilter-linux.c:334
nflog_send_config_mode
static int nflog_send_config_mode(const pcap_t *handle, uint16_t group_id, u_int8_t copy_mode, u_int32_t copy_range)
Definition: pcap-netfilter-linux.c:441
nflog_send_config_cmd
static int nflog_send_config_cmd(const pcap_t *handle, uint16_t group_id, u_int8_t cmd, u_int8_t family)
Definition: pcap-netfilter-linux.c:426
netfilter_activate
static int netfilter_activate(pcap_t *handle)
Definition: pcap-netfilter-linux.c:511
netfilter_create
pcap_t * netfilter_create(const char *device, char *ebuf, int *is_ours)
Definition: pcap-netfilter-linux.c:712
nfqueue_send_config_msg
static int nfqueue_send_config_msg(const pcap_t *handle, uint8_t family, u_int16_t group_id, const struct my_nfattr *mynfa)
Definition: pcap-netfilter-linux.c:473
NFLOG_IFACE
#define NFLOG_IFACE
Definition: pcap-netfilter-linux.c:72
PCAP_ERROR_RFMON_NOTSUP
#define PCAP_ERROR_RFMON_NOTSUP
Definition: pcap.h:344
PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE
#define PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE
Definition: pcap.h:317
pcap_handler
void(* pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *)
Definition: pcap.h:330
PCAP_ERROR_BREAK
#define PCAP_ERROR_BREAK
Definition: pcap.h:340
PCAP_ERRBUF_SIZE
#define PCAP_ERRBUF_SIZE
Definition: pcap.h:152
PCAP_ERROR
#define PCAP_ERROR
Definition: pcap.h:339
bpf_program::bf_insns
struct bpf_insn * bf_insns
Definition: bpf.h:119
my_nfattr
Definition: pcap-netfilter-linux.c:327
my_nfattr::nfa_type
uint16_t nfa_type
Definition: pcap-netfilter-linux.c:329
my_nfattr::nfa_len
uint16_t nfa_len
Definition: pcap-netfilter-linux.c:328
my_nfattr::data
void * data
Definition: pcap-netfilter-linux.c:330
pcap_if_list
Definition: pcap.c:654
pcap_netfilter
Definition: pcap-netfilter-linux.c:80
pcap_netfilter::packets_read
u_int packets_read
Definition: pcap-netfilter-linux.c:81
pcap_netfilter::packets_nobufs
u_int packets_nobufs
Definition: pcap-netfilter-linux.c:82
pcap_opt::device
char * device
Definition: pcap-int.h:146
pcap_opt::rfmon
int rfmon
Definition: pcap-int.h:150
pcap_opt::buffer_size
u_int buffer_size
Definition: pcap-int.h:148
pcap_pkthdr
Definition: pcap.h:245
pcap_pkthdr::caplen
bpf_u_int32 caplen
Definition: pcap.h:247
pcap_pkthdr::ts
struct timeval ts
Definition: pcap.h:246
pcap_pkthdr::len
bpf_u_int32 len
Definition: pcap.h:248
pcap_stat
Definition: pcap.h:254
pcap_stat::ps_drop
u_int ps_drop
Definition: pcap.h:256
pcap_stat::ps_recv
u_int ps_recv
Definition: pcap.h:255
pcap_stat::ps_ifdrop
u_int ps_ifdrop
Definition: pcap.h:257
pcap
Definition: pcap-int.h:200
pcap::stats_op
stats_op_t stats_op
Definition: pcap-int.h:320
pcap::activate_op
activate_op_t activate_op
Definition: pcap-int.h:311
pcap::setnonblock_op
setnonblock_op_t setnonblock_op
Definition: pcap-int.h:319
pcap::setfilter_op
setfilter_op_t setfilter_op
Definition: pcap-int.h:315
pcap::break_loop
sig_atomic_t break_loop
Definition: pcap-int.h:225
pcap::dlt_count
int dlt_count
Definition: pcap-int.h:299
pcap::bufsize
u_int bufsize
Definition: pcap-int.h:220
pcap::priv
void * priv
Definition: pcap-int.h:227
pcap::getnonblock_op
getnonblock_op_t getnonblock_op
Definition: pcap-int.h:318
pcap::offset
int offset
Definition: pcap-int.h:250
pcap::dlt_list
u_int * dlt_list
Definition: pcap-int.h:300
pcap::read_op
read_op_t read_op
Definition: pcap-int.h:204
pcap::buffer
void * buffer
Definition: pcap-int.h:221
pcap::bp
u_char * bp
Definition: pcap-int.h:222
pcap::snapshot
int snapshot
Definition: pcap-int.h:247
pcap::setdirection_op
setdirection_op_t setdirection_op
Definition: pcap-int.h:316
pcap::inject_op
inject_op_t inject_op
Definition: pcap-int.h:313
pcap::cc
int cc
Definition: pcap-int.h:223
pcap::fcode
struct bpf_program fcode
Definition: pcap-int.h:293
pcap::set_datalink_op
set_datalink_op_t set_datalink_op
Definition: pcap-int.h:317
pcap::errbuf
char errbuf[256+1]
Definition: pcap-int.h:295
pcap::linktype
int linktype
Definition: pcap-int.h:248
pcap::selectable_fd
int selectable_fd
Definition: pcap-int.h:274
pcap::fd
int fd
Definition: pcap-int.h:214
pcap::opt
struct pcap_opt opt
Definition: pcap-int.h:254