
expect_create_userspace.c

00001 #include <stdio.h>
00002 #include <stdlib.h>
00003 #include <string.h>
00004 #include <errno.h>
00005 #include <arpa/inet.h>
00006 
00007 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
00008 #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
00009 
00010 /*
00011  * This example shows how to set up a user-space expectation. This requires
00012  * a Linux kernel >= 2.6.37.
00013  */
00014 
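/*
 * Create a TCP master conntrack (1.1.1.1:1025 -> 2.2.2.2:21) and then an
 * expectation for a related flow 1.1.1.1:<any port> -> 2.2.2.2:10241.
 *
 * Each step prints "TEST: ... (OK)" or the error code and message. The
 * exit status reflects only the expectation step: creating the master is
 * allowed to fail (it may already exist, see the comment below).
 *
 * Returns EXIT_SUCCESS when the expectation was created, EXIT_FAILURE on
 * any allocation, open or query error. (The original returned -1 from the
 * nfct_open failure paths; EXIT_FAILURE is used for every error now so
 * callers see one consistent failure status.)
 *
 * NOTE(review): talking to nfnetlink conntrack is expected to need
 * CAP_NET_ADMIN — confirm for the target kernel.
 */
int main(void)
{
        int ret;
        int saved_errno;
        int status = EXIT_FAILURE;
        struct nfct_handle *h = NULL;
        struct nf_conntrack *master = NULL, *expected = NULL, *mask = NULL;
        struct nf_expect *exp = NULL;

        /*
         * Step 1: Setup master conntrack
         */

        master = nfct_new();
        if (!master) {
                perror("nfct_new");
                goto out;
        }

        nfct_set_attr_u8(master, ATTR_L3PROTO, AF_INET);
        nfct_set_attr_u32(master, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
        nfct_set_attr_u32(master, ATTR_IPV4_DST, inet_addr("2.2.2.2"));

        nfct_set_attr_u8(master, ATTR_L4PROTO, IPPROTO_TCP);
        nfct_set_attr_u16(master, ATTR_PORT_SRC, htons(1025));
        nfct_set_attr_u16(master, ATTR_PORT_DST, htons(21));

        /* Derive the reply tuple from the original one set above. */
        nfct_setobjopt(master, NFCT_SOPT_SETUP_REPLY);

        nfct_set_attr_u8(master, ATTR_TCP_STATE, TCP_CONNTRACK_ESTABLISHED);
        /* Timeout value as accepted by ATTR_TIMEOUT (presumably seconds). */
        nfct_set_attr_u32(master, ATTR_TIMEOUT, 200);

        h = nfct_open(CONNTRACK, 0);
        if (!h) {
                perror("nfct_open");
                goto out;
        }

        /*
         * In a real scenario in which you want to implement an helper in
         * user-space with NFQUEUE, the master conntrack does not need to
         * be created, since it should already exist.
         */
        ret = nfct_query(h, NFCT_Q_CREATE, master);
        /* Capture errno before printf/nfct_close can overwrite it. */
        saved_errno = errno;

        nfct_close(h);
        h = NULL;

        printf("TEST: add master conntrack ");
        if (ret == -1)
                printf("(%d)(%s)\n", ret, strerror(saved_errno));
        else
                printf("(OK)\n");

        expected = nfct_new();
        if (!expected) {
                perror("nfct_new");
                goto out;
        }

        nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
        nfct_set_attr_u32(expected, ATTR_IPV4_SRC, inet_addr("1.1.1.1"));
        nfct_set_attr_u32(expected, ATTR_IPV4_DST, inet_addr("2.2.2.2"));

        nfct_set_attr_u8(expected, ATTR_L4PROTO, IPPROTO_TCP);
        /* Source port is left 0; the mask below makes it a wildcard. */
        nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0);
        nfct_set_attr_u16(expected, ATTR_PORT_DST, htons(10241));

        mask = nfct_new();
        if (!mask) {
                perror("nfct_new");
                goto out;
        }

        /*
         * Mask: both addresses and the destination port must match exactly,
         * any source port is accepted. Keep expectations as narrow as the
         * protocol allows: a flow matching one is treated as related to
         * the master rather than as a fresh NEW connection.
         */
        nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
        nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff);
        nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff);

        nfct_set_attr_u8(mask, ATTR_L4PROTO, IPPROTO_TCP);
        nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000);
        nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff);

        /*
         * Step 2: Setup expectation
         */

        exp = nfexp_new();
        if (!exp) {
                perror("nfexp_new");
                goto out;
        }

        nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
        nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
        nfexp_set_attr(exp, ATTR_EXP_MASK, mask);
        nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200);

        /*
         * The three conntrack objects are no longer needed once attached
         * to the expectation (the original example destroys them here too,
         * i.e. nfexp_set_attr does not keep referencing them).
         */
        nfct_destroy(master);
        master = NULL;
        nfct_destroy(expected);
        expected = NULL;
        nfct_destroy(mask);
        mask = NULL;

        h = nfct_open(EXPECT, 0);
        if (!h) {
                perror("nfct_open");
                goto out;
        }

        ret = nfexp_query(h, NFCT_Q_CREATE, exp);
        saved_errno = errno;

        nfct_close(h);
        h = NULL;

        printf("TEST: create expectation ");
        if (ret == -1)
                printf("(%d)(%s)\n", ret, strerror(saved_errno));
        else
                printf("(OK)\n");

        status = (ret == -1) ? EXIT_FAILURE : EXIT_SUCCESS;

out:
        /* Single cleanup path: every early exit above lands here. */
        if (h)
                nfct_close(h);
        if (exp)
                nfexp_destroy(exp);
        if (mask)
                nfct_destroy(mask);
        if (expected)
                nfct_destroy(expected);
        if (master)
                nfct_destroy(master);

        return status;
}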
