tools/testing/selftests/netfilter/nf-queue.c - linux/torvalds/linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0

 #include <errno.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <time.h>
 #include <arpa/inet.h>

 #include <libmnl/libmnl.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_queue.h>

 struct options {
 	bool count_packets;
 	int verbose;
 	unsigned int queue_num;
 	unsigned int timeout;
 };

 static unsigned int queue_stats[5];
 static struct options opts;

 static void help(const char *p)
 {
 	printf("Usage: %s [-c|-v [-vv] ] [-t timeout] [-q queue_num]\n", p);
 }

 static int parse_attr_cb(const struct nlattr *attr, void *data)
 {
 	const struct nlattr **tb = data;
 	int type = mnl_attr_get_type(attr);

 	/* skip unsupported attribute in user-space */
 	if (mnl_attr_type_valid(attr, NFQA_MAX) < 0)
 		return MNL_CB_OK;

 	switch (type) {
 	case NFQA_MARK:
 	case NFQA_IFINDEX_INDEV:
 	case NFQA_IFINDEX_OUTDEV:
 	case NFQA_IFINDEX_PHYSINDEV:
 	case NFQA_IFINDEX_PHYSOUTDEV:
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
 			perror("mnl_attr_validate");
 			return MNL_CB_ERROR;
 		}
 		break;
 	case NFQA_TIMESTAMP:
 		if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC,
 		    sizeof(struct nfqnl_msg_packet_timestamp)) < 0) {
 			perror("mnl_attr_validate2");
 			return MNL_CB_ERROR;
 		}
 		break;
 	case NFQA_HWADDR:
 		if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC,
 		    sizeof(struct nfqnl_msg_packet_hw)) < 0) {
 			perror("mnl_attr_validate2");
 			return MNL_CB_ERROR;
 		}
 		break;
 	case NFQA_PAYLOAD:
 		break;
 	}
 	tb[type] = attr;
 	return MNL_CB_OK;
 }

 static int queue_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nlattr *tb[NFQA_MAX+1] = { 0 };
 	struct nfqnl_msg_packet_hdr *ph = NULL;
 	uint32_t id = 0;

 	(void)data;

 	mnl_attr_parse(nlh, sizeof(struct nfgenmsg), parse_attr_cb, tb);
 	if (tb[NFQA_PACKET_HDR]) {
 		ph = mnl_attr_get_payload(tb[NFQA_PACKET_HDR]);
 		id = ntohl(ph->packet_id);

 		if (opts.verbose > 0)
 			printf("packet hook=%u, hwproto 0x%x",
 				ntohs(ph->hw_protocol), ph->hook);

 		if (ph->hook >= 5) {
 			fprintf(stderr, "Unknown hook %d\n", ph->hook);
 			return MNL_CB_ERROR;
 		}

 		if (opts.verbose > 0) {
 			uint32_t skbinfo = 0;

 			if (tb[NFQA_SKB_INFO])
 				skbinfo = ntohl(mnl_attr_get_u32(tb[NFQA_SKB_INFO]));
 			if (skbinfo & NFQA_SKB_CSUMNOTREADY)
 				printf(" csumnotready");
 			if (skbinfo & NFQA_SKB_GSO)
 				printf(" gso");
 			if (skbinfo & NFQA_SKB_CSUM_NOTVERIFIED)
 				printf(" csumnotverified");
 			puts("");
 		}

 		if (opts.count_packets)
 			queue_stats[ph->hook]++;
 	}

 	return MNL_CB_OK + id;
 }

 static struct nlmsghdr *
 nfq_build_cfg_request(char *buf, uint8_t command, int queue_num)
 {
 	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
 	struct nfqnl_msg_config_cmd cmd = {
 		.command = command,
 		.pf = htons(AF_INET),
 	};
 	struct nfgenmsg *nfg;

 	nlh->nlmsg_type	= (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG;
 	nlh->nlmsg_flags = NLM_F_REQUEST;

 	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));

 	nfg->nfgen_family = AF_UNSPEC;
 	nfg->version = NFNETLINK_V0;
 	nfg->res_id = htons(queue_num);

 	mnl_attr_put(nlh, NFQA_CFG_CMD, sizeof(cmd), &cmd);

 	return nlh;
 }

 static struct nlmsghdr *
 nfq_build_cfg_params(char *buf, uint8_t mode, int range, int queue_num)
 {
 	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
 	struct nfqnl_msg_config_params params = {
 		.copy_range = htonl(range),
 		.copy_mode = mode,
 	};
 	struct nfgenmsg *nfg;

 	nlh->nlmsg_type	= (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG;
 	nlh->nlmsg_flags = NLM_F_REQUEST;

 	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
 	nfg->nfgen_family = AF_UNSPEC;
 	nfg->version = NFNETLINK_V0;
 	nfg->res_id = htons(queue_num);

 	mnl_attr_put(nlh, NFQA_CFG_PARAMS, sizeof(params), &params);

 	return nlh;
 }

 static struct nlmsghdr *
 nfq_build_verdict(char *buf, int id, int queue_num, int verd)
 {
 	struct nfqnl_msg_verdict_hdr vh = {
 		.verdict = htonl(verd),
 		.id = htonl(id),
 	};
 	struct nlmsghdr *nlh;
 	struct nfgenmsg *nfg;

 	nlh = mnl_nlmsg_put_header(buf);
 	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_VERDICT;
 	nlh->nlmsg_flags = NLM_F_REQUEST;
 	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
 	nfg->nfgen_family = AF_UNSPEC;
 	nfg->version = NFNETLINK_V0;
 	nfg->res_id = htons(queue_num);

 	mnl_attr_put(nlh, NFQA_VERDICT_HDR, sizeof(vh), &vh);

 	return nlh;
 }

 static void print_stats(void)
 {
 	unsigned int last, total;
 	int i;

 	if (!opts.count_packets)
 		return;

 	total = 0;
 	last = queue_stats[0];

 	for (i = 0; i < 5; i++) {
 		printf("hook %d packets %08u\n", i, queue_stats[i]);
 		last = queue_stats[i];
 		total += last;
 	}

 	printf("%u packets total\n", total);
 }

 struct mnl_socket *open_queue(void)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	unsigned int queue_num;
 	struct mnl_socket *nl;
 	struct nlmsghdr *nlh;
 	struct timeval tv;
 	uint32_t flags;

 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
 		perror("mnl_socket_open");
 		exit(EXIT_FAILURE);
 	}

 	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
 		perror("mnl_socket_bind");
 		exit(EXIT_FAILURE);
 	}

 	queue_num = opts.queue_num;
 	nlh = nfq_build_cfg_request(buf, NFQNL_CFG_CMD_BIND, queue_num);

 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_sendto");
 		exit(EXIT_FAILURE);
 	}

 	nlh = nfq_build_cfg_params(buf, NFQNL_COPY_PACKET, 0xFFFF, queue_num);

 	flags = NFQA_CFG_F_GSO | NFQA_CFG_F_UID_GID;
 	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
 	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));

 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 		perror("mnl_socket_sendto");
 		exit(EXIT_FAILURE);
 	}

 	memset(&tv, 0, sizeof(tv));
 	tv.tv_sec = opts.timeout;
 	if (opts.timeout && setsockopt(mnl_socket_get_fd(nl),
 				       SOL_SOCKET, SO_RCVTIMEO,
 				       &tv, sizeof(tv))) {
 		perror("setsockopt(SO_RCVTIMEO)");
 		exit(EXIT_FAILURE);
 	}

 	return nl;
 }

 static int mainloop(void)
 {
 	unsigned int buflen = 64 * 1024 + MNL_SOCKET_BUFFER_SIZE;
 	struct mnl_socket *nl;
 	struct nlmsghdr *nlh;
 	unsigned int portid;
 	char *buf;
 	int ret;

 	buf = malloc(buflen);
 	if (!buf) {
 		perror("malloc");
 		exit(EXIT_FAILURE);
 	}

 	nl = open_queue();
 	portid = mnl_socket_get_portid(nl);

 	for (;;) {
 		uint32_t id;

 		ret = mnl_socket_recvfrom(nl, buf, buflen);
 		if (ret == -1) {
 			if (errno == ENOBUFS)
 				continue;

 			if (errno == EAGAIN) {
 				errno = 0;
 				ret = 0;
 				break;
 			}

 			perror("mnl_socket_recvfrom");
 			exit(EXIT_FAILURE);
 		}

 		ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);
 		if (ret < 0) {
 			perror("mnl_cb_run");
 			exit(EXIT_FAILURE);
 		}

 		id = ret - MNL_CB_OK;
 		nlh = nfq_build_verdict(buf, id, opts.queue_num, NF_ACCEPT);
 		if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
 			perror("mnl_socket_sendto");
 			exit(EXIT_FAILURE);
 		}
 	}

 	mnl_socket_close(nl);

 	return ret;
 }

 static void parse_opts(int argc, char **argv)
 {
 	int c;

 	while ((c = getopt(argc, argv, "chvt:q:")) != -1) {
 		switch (c) {
 		case 'c':
 			opts.count_packets = true;
 			break;
 		case 'h':
 			help(argv[0]);
 			exit(0);
 			break;
 		case 'q':
 			opts.queue_num = atoi(optarg);
 			if (opts.queue_num > 0xffff)
 				opts.queue_num = 0;
 			break;
 		case 't':
 			opts.timeout = atoi(optarg);
 			break;
 		case 'v':
 			opts.verbose++;
 			break;
 		}
 	}
 }

 int main(int argc, char *argv[])
 {
 	int ret;

 	parse_opts(argc, argv);

 	ret = mainloop();
 	if (opts.count_packets)
 		print_stats();

 	return ret;
 }
	// SPDX-License-Identifier: GPL-2.0

	#include <errno.h>
	#include <stdbool.h>
	#include <stdio.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <string.h>
	#include <time.h>
	#include <arpa/inet.h>

	#include <libmnl/libmnl.h>
	#include <linux/netfilter.h>
	#include <linux/netfilter/nfnetlink.h>
	#include <linux/netfilter/nfnetlink_queue.h>

	struct options {
	bool count_packets;
	int verbose;
	unsigned int queue_num;
	unsigned int timeout;
	};

	static unsigned int queue_stats[5];
	static struct options opts;

	static void help(const char *p)
	{
	printf("Usage: %s [-c\|-v [-vv] ] [-t timeout] [-q queue_num]\n", p);
	}

	static int parse_attr_cb(const struct nlattr attr, void data)
	{
	const struct nlattr **tb = data;
	int type = mnl_attr_get_type(attr);

	/* skip unsupported attribute in user-space */
	if (mnl_attr_type_valid(attr, NFQA_MAX) < 0)
	return MNL_CB_OK;

	switch (type) {
	case NFQA_MARK:
	case NFQA_IFINDEX_INDEV:
	case NFQA_IFINDEX_OUTDEV:
	case NFQA_IFINDEX_PHYSINDEV:
	case NFQA_IFINDEX_PHYSOUTDEV:
	if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
	perror("mnl_attr_validate");
	return MNL_CB_ERROR;
	}
	break;
	case NFQA_TIMESTAMP:
	if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC,
	sizeof(struct nfqnl_msg_packet_timestamp)) < 0) {
	perror("mnl_attr_validate2");
	return MNL_CB_ERROR;
	}
	break;
	case NFQA_HWADDR:
	if (mnl_attr_validate2(attr, MNL_TYPE_UNSPEC,
	sizeof(struct nfqnl_msg_packet_hw)) < 0) {
	perror("mnl_attr_validate2");
	return MNL_CB_ERROR;
	}
	break;
	case NFQA_PAYLOAD:
	break;
	}
	tb[type] = attr;
	return MNL_CB_OK;
	}

	static int queue_cb(const struct nlmsghdr nlh, void data)
	{
	struct nlattr *tb[NFQA_MAX+1] = { 0 };
	struct nfqnl_msg_packet_hdr *ph = NULL;
	uint32_t id = 0;

	(void)data;

	mnl_attr_parse(nlh, sizeof(struct nfgenmsg), parse_attr_cb, tb);
	if (tb[NFQA_PACKET_HDR]) {
	ph = mnl_attr_get_payload(tb[NFQA_PACKET_HDR]);
	id = ntohl(ph->packet_id);

	if (opts.verbose > 0)
	printf("packet hook=%u, hwproto 0x%x",
	ntohs(ph->hw_protocol), ph->hook);

	if (ph->hook >= 5) {
	fprintf(stderr, "Unknown hook %d\n", ph->hook);
	return MNL_CB_ERROR;
	}

	if (opts.verbose > 0) {
	uint32_t skbinfo = 0;

	if (tb[NFQA_SKB_INFO])
	skbinfo = ntohl(mnl_attr_get_u32(tb[NFQA_SKB_INFO]));
	if (skbinfo & NFQA_SKB_CSUMNOTREADY)
	printf(" csumnotready");
	if (skbinfo & NFQA_SKB_GSO)
	printf(" gso");
	if (skbinfo & NFQA_SKB_CSUM_NOTVERIFIED)
	printf(" csumnotverified");
	puts("");
	}

	if (opts.count_packets)
	queue_stats[ph->hook]++;
	}

	return MNL_CB_OK + id;
	}

	static struct nlmsghdr *
	nfq_build_cfg_request(char *buf, uint8_t command, int queue_num)
	{
	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
	struct nfqnl_msg_config_cmd cmd = {
	.command = command,
	.pf = htons(AF_INET),
	};
	struct nfgenmsg *nfg;

	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) \| NFQNL_MSG_CONFIG;
	nlh->nlmsg_flags = NLM_F_REQUEST;

	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));

	nfg->nfgen_family = AF_UNSPEC;
	nfg->version = NFNETLINK_V0;
	nfg->res_id = htons(queue_num);

	mnl_attr_put(nlh, NFQA_CFG_CMD, sizeof(cmd), &cmd);

	return nlh;
	}

	static struct nlmsghdr *
	nfq_build_cfg_params(char *buf, uint8_t mode, int range, int queue_num)
	{
	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
	struct nfqnl_msg_config_params params = {
	.copy_range = htonl(range),
	.copy_mode = mode,
	};
	struct nfgenmsg *nfg;

	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) \| NFQNL_MSG_CONFIG;
	nlh->nlmsg_flags = NLM_F_REQUEST;

	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
	nfg->nfgen_family = AF_UNSPEC;
	nfg->version = NFNETLINK_V0;
	nfg->res_id = htons(queue_num);

	mnl_attr_put(nlh, NFQA_CFG_PARAMS, sizeof(params), &params);

	return nlh;
	}

	static struct nlmsghdr *
	nfq_build_verdict(char *buf, int id, int queue_num, int verd)
	{
	struct nfqnl_msg_verdict_hdr vh = {
	.verdict = htonl(verd),
	.id = htonl(id),
	};
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfg;

	nlh = mnl_nlmsg_put_header(buf);
	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) \| NFQNL_MSG_VERDICT;
	nlh->nlmsg_flags = NLM_F_REQUEST;
	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
	nfg->nfgen_family = AF_UNSPEC;
	nfg->version = NFNETLINK_V0;
	nfg->res_id = htons(queue_num);

	mnl_attr_put(nlh, NFQA_VERDICT_HDR, sizeof(vh), &vh);

	return nlh;
	}

	static void print_stats(void)
	{
	unsigned int last, total;
	int i;

	if (!opts.count_packets)
	return;

	total = 0;
	last = queue_stats[0];

	for (i = 0; i < 5; i++) {
	printf("hook %d packets %08u\n", i, queue_stats[i]);
	last = queue_stats[i];
	total += last;
	}

	printf("%u packets total\n", total);
	}

	struct mnl_socket *open_queue(void)
	{
	char buf[MNL_SOCKET_BUFFER_SIZE];
	unsigned int queue_num;
	struct mnl_socket *nl;
	struct nlmsghdr *nlh;
	struct timeval tv;
	uint32_t flags;

	nl = mnl_socket_open(NETLINK_NETFILTER);
	if (nl == NULL) {
	perror("mnl_socket_open");
	exit(EXIT_FAILURE);
	}

	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
	perror("mnl_socket_bind");
	exit(EXIT_FAILURE);
	}

	queue_num = opts.queue_num;
	nlh = nfq_build_cfg_request(buf, NFQNL_CFG_CMD_BIND, queue_num);

	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
	perror("mnl_socket_sendto");
	exit(EXIT_FAILURE);
	}

	nlh = nfq_build_cfg_params(buf, NFQNL_COPY_PACKET, 0xFFFF, queue_num);

	flags = NFQA_CFG_F_GSO \| NFQA_CFG_F_UID_GID;
	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(flags));
	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(flags));

	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
	perror("mnl_socket_sendto");
	exit(EXIT_FAILURE);
	}

	memset(&tv, 0, sizeof(tv));
	tv.tv_sec = opts.timeout;
	if (opts.timeout && setsockopt(mnl_socket_get_fd(nl),
	SOL_SOCKET, SO_RCVTIMEO,
	&tv, sizeof(tv))) {
	perror("setsockopt(SO_RCVTIMEO)");
	exit(EXIT_FAILURE);
	}

	return nl;
	}

	static int mainloop(void)
	{
	unsigned int buflen = 64 * 1024 + MNL_SOCKET_BUFFER_SIZE;
	struct mnl_socket *nl;
	struct nlmsghdr *nlh;
	unsigned int portid;
	char *buf;
	int ret;

	buf = malloc(buflen);
	if (!buf) {
	perror("malloc");
	exit(EXIT_FAILURE);
	}

	nl = open_queue();
	portid = mnl_socket_get_portid(nl);

	for (;;) {
	uint32_t id;

	ret = mnl_socket_recvfrom(nl, buf, buflen);
	if (ret == -1) {
	if (errno == ENOBUFS)
	continue;

	if (errno == EAGAIN) {
	errno = 0;
	ret = 0;
	break;
	}

	perror("mnl_socket_recvfrom");
	exit(EXIT_FAILURE);
	}

	ret = mnl_cb_run(buf, ret, 0, portid, queue_cb, NULL);
	if (ret < 0) {
	perror("mnl_cb_run");
	exit(EXIT_FAILURE);
	}

	id = ret - MNL_CB_OK;
	nlh = nfq_build_verdict(buf, id, opts.queue_num, NF_ACCEPT);
	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
	perror("mnl_socket_sendto");
	exit(EXIT_FAILURE);
	}
	}

	mnl_socket_close(nl);

	return ret;
	}

	static void parse_opts(int argc, char **argv)
	{
	int c;

	while ((c = getopt(argc, argv, "chvt:q:")) != -1) {
	switch (c) {
	case 'c':
	opts.count_packets = true;
	break;
	case 'h':
	help(argv[0]);
	exit(0);
	break;
	case 'q':
	opts.queue_num = atoi(optarg);
	if (opts.queue_num > 0xffff)
	opts.queue_num = 0;
	break;
	case 't':
	opts.timeout = atoi(optarg);
	break;
	case 'v':
	opts.verbose++;
	break;
	}
	}
	}

	int main(int argc, char *argv[])
	{
	int ret;

	parse_opts(argc, argv);

	ret = mainloop();
	if (opts.count_packets)
	print_stats();

	return ret;
	}