1 /* libnetfilter_queue.c: generic library for access to nf_queue
3 * (C) 2005 by Harald Welte <laforge@gnumonks.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2
7 * as published by the Free Software Foundation
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 * 2006-01-23 Andreas Florath <andreas@florath.net>
19 * Fix __set_verdict() that it can now handle payload.
29 #include <netinet/in.h>
30 #include <sys/socket.h>
32 #include <libnfnetlink/libnfnetlink.h>
33 #include <libnetfilter_queue/libnetfilter_queue.h>
38 * libnetfilter_queue is a userspace library providing an API to packets that
39 * have been queued by the kernel packet filter. It is is part of a system that
40 * deprecates the old ip_queue / libipq mechanism.
42 * libnetfilter_queue homepage is:
43 * http://netfilter.org/projects/libnetfilter_queue/
45 * \section Dependencies
46 * libnetfilter_queue requires libnfnetlink and a kernel that includes the
47 * nfnetlink_queue subsystem (i.e. 2.6.14 or later).
49 * \section Main Features
50 * - receiving queued packets from the kernel nfnetlink_queue subsystem
51 * - issuing verdicts and/or reinjecting altered packets to the kernel
52 * nfnetlink_queue subsystem
55 * The current development version of libnetfilter_queue can be accessed
56 * at https://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=summary.
58 * \section Using libnetfilter_queue
60 * To write your own program using libnetfilter_queue, you should start by reading
61 * the doxygen documentation (start by \link LibrarySetup \endlink page) and nfqnl_test.c source file.
67 struct nfnl_handle *nfnlh;
68 struct nfnl_subsys_handle *nfnlssh;
69 struct nfq_q_handle *qh_list;
74 struct nfq_q_handle *next;
88 /***********************************************************************
90 ***********************************************************************/
92 static void del_qh(struct nfq_q_handle *qh)
94 struct nfq_q_handle *cur_qh, *prev_qh = NULL;
96 for (cur_qh = qh->h->qh_list; cur_qh; cur_qh = cur_qh->next) {
99 prev_qh->next = qh->next;
101 qh->h->qh_list = qh->next;
108 static void add_qh(struct nfq_q_handle *qh)
110 qh->next = qh->h->qh_list;
114 static struct nfq_q_handle *find_qh(struct nfq_handle *h, u_int16_t id)
116 struct nfq_q_handle *qh;
118 for (qh = h->qh_list; qh; qh = qh->next) {
125 /* build a NFQNL_MSG_CONFIG message */
127 __build_send_cfg_msg(struct nfq_handle *h, u_int8_t command,
128 u_int16_t queuenum, u_int16_t pf)
131 char buf[NFNL_HEADER_LEN
132 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_cmd))];
135 struct nfqnl_msg_config_cmd cmd;
137 nfnl_fill_hdr(h->nfnlssh, &u.nmh, 0, AF_UNSPEC, queuenum,
138 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
140 cmd.command = command;
142 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_CMD, &cmd, sizeof(cmd));
144 return nfnl_talk(h->nfnlh, &u.nmh, 0, 0, NULL, NULL, NULL);
147 static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[],
150 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
151 struct nfq_handle *h = data;
152 u_int16_t queue_num = ntohs(nfmsg->res_id);
153 struct nfq_q_handle *qh = find_qh(h, queue_num);
154 struct nfq_data nfqa;
164 return qh->cb(qh, nfmsg, &nfqa, qh->data);
167 static struct nfnl_callback pkt_cb = {
168 .call = &__nfq_rcv_pkt,
169 .attr_count = NFQA_MAX,
172 /* public interface */
174 struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
181 * \defgroup Queue Queue handling
183 * Once libnetfilter_queue library has been initialised (See
184 * \link LibrarySetup \endlink), it is possible to bind the program to a
185 * specific queue. This can be done by using nfq_create_queue().
187 * The queue can then be tuned via nfq_set_mode() or nfq_set_queue_maxlen().
189 * Here's a little code snippet that create queue numbered 0:
191 printf("binding this socket to queue '0'\n");
192 qh = nfq_create_queue(h, 0, &cb, NULL);
194 fprintf(stderr, "error during nfq_create_queue()\n");
198 printf("setting copy_packet mode\n");
199 if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
200 fprintf(stderr, "can't set packet_copy mode\n");
205 * Next step is the handling of incoming packets which can be done via a loop:
210 while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
211 printf("pkt received\n");
212 nfq_handle_packet(h, buf, rv);
215 * When the decision on a packet has been choosed, the verdict has to be given
216 * by calling nfq_set_verdict() or nfq_set_verdict_mark().
218 * Data and information about the packet can be fetch by using message parsing
219 * functions (See \link Parsing \endlink).
224 * nfq_fd - get the file descriptor associated with the nfqueue handler
225 * \param h Netfilter queue connection handle obtained via call to nfq_open()
227 * \return a file descriptor for the netlink connection associated with the
228 * given queue connection handle. The file descriptor can then be used for
229 * receiving the queued packets for processing.
231 * This function returns a file descriptor that can be used for communication
232 * over the netlink connection associated with the given queue connection
235 int nfq_fd(struct nfq_handle *h)
237 return nfnl_fd(nfq_nfnlh(h));
245 * \defgroup LibrarySetup Library setup
247 * Library initialisation is made in two steps.
249 * First step is to call nfq_open() to open a NFQUEUE handler.
251 * Second step is to tell the kernel that userspace queueing is handle by
252 * NFQUEUE for the selected protocol. This is made by calling nfq_unbind_pf()
253 * and nfq_bind_pf() with protocol information. The idea behind this is to
254 * enable simultaneously loaded modules to be used for queuing.
256 * Here's a little code snippet that bind with AF_INET:
260 fprintf(stderr, "error during nfq_open()\n");
264 printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
265 if (nfq_unbind_pf(h, AF_INET) < 0) {
266 fprintf(stderr, "error during nfq_unbind_pf()\n");
270 printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
271 if (nfq_bind_pf(h, AF_INET) < 0) {
272 fprintf(stderr, "error during nfq_bind_pf()\n");
276 * Once this is done, you can setup and use a \link Queue \endlink.
281 * nfq_open - open a nfqueue handler
283 * This function obtains a netfilter queue connection handle. When you are
284 * finished with the handle returned by this function, you should destroy
285 * it by calling nfq_close(). A new netlink connection is obtained internally
286 * and associated with the queue connection handle returned.
288 * \return a pointer to a new queue handle or NULL on failure.
290 struct nfq_handle *nfq_open(void)
292 struct nfnl_handle *nfnlh = nfnl_open();
293 struct nfq_handle *qh;
298 qh = nfq_open_nfnl(nfnlh);
310 * nfq_open_nfnl - open a nfqueue handler from a existing nfnetlink handler
311 * \param nfnlh Netfilter netlink connection handle obtained by calling nfnl_open()
313 * This function obtains a netfilter queue connection handle using an existing
314 * netlink connection. This function is used internally to implement
315 * nfq_open(), and should typically not be called directly.
317 * \return a pointer to a new queue handle or NULL on failure.
319 struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh)
321 struct nfq_handle *h;
324 h = malloc(sizeof(*h));
328 memset(h, 0, sizeof(*h));
331 h->nfnlssh = nfnl_subsys_open(h->nfnlh, NFNL_SUBSYS_QUEUE,
334 /* FIXME: nfq_errno */
339 err = nfnl_callback_register(h->nfnlssh, NFQNL_MSG_PACKET, &pkt_cb);
347 nfnl_subsys_close(h->nfnlssh);
354 * \addtogroup LibrarySetup
356 * When the program has finished with libnetfilter_queue, it has to call
357 * the nfq_close() function to free all associated resources.
363 * nfq_close - close a nfqueue handler
364 * \param h Netfilter queue connection handle obtained via call to nfq_open()
366 * This function closes the nfqueue handler and free associated resources.
368 * \return 0 on success, non-zero on failure.
370 int nfq_close(struct nfq_handle *h)
374 ret = nfnl_close(h->nfnlh);
381 * nfq_bind_pf - bind a nfqueue handler to a given protocol family
382 * \param h Netfilter queue connection handle obtained via call to nfq_open()
383 * \param pf protocol family to bind to nfqueue handler obtained from nfq_open()
385 * Binds the given queue connection handle to process packets belonging to
386 * the given protocol family (ie. PF_INET, PF_INET6, etc).
388 * \return integer inferior to 0 in case of failure
390 int nfq_bind_pf(struct nfq_handle *h, u_int16_t pf)
392 return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf);
396 * nfq_unbind_pf - unbind nfqueue handler from a protocol family
397 * \param h Netfilter queue connection handle obtained via call to nfq_open()
398 * \param pf protocol family to unbind family from
400 * Unbinds the given queue connection handle from processing packets belonging
401 * to the given protocol family.
403 int nfq_unbind_pf(struct nfq_handle *h, u_int16_t pf)
405 return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf);
420 * nfq_create_queue - create a new queue handle and return it.
422 * \param h Netfilter queue connection handle obtained via call to nfq_open()
423 * \param num the number of the queue to bind to
424 * \param cb callback function to call for each queued packet
425 * \param data custom data to pass to the callback function
427 * \return a nfq_q_handle pointing to the newly created queue
429 * Creates a new queue handle, and returns it. The new queue is identified by
430 * #num, and the callback specified by #cb will be called for each enqueued
431 * packet. The #data argument will be passed unchanged to the callback. If
432 * a queue entry with id #num already exists, this function will return failure
433 * and the existing entry is unchanged.
435 * The nfq_callback type is defined in libnetfilter_queue.h as:
437 typedef int nfq_callback(struct nfq_q_handle *qh,
438 struct nfgenmsg *nfmsg,
439 struct nfq_data *nfad, void *data);
443 * - qh The queue handle returned by nfq_create_queue
444 * - nfmsg message objetc that contains the packet
445 * - nfad Netlink packet data handle
446 * - data the value passed to the data parameter of nfq_create_queue
448 * The callback should return < 0 to stop processing.
451 struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h,
457 struct nfq_q_handle *qh;
462 qh = malloc(sizeof(*qh));
464 memset(qh, 0, sizeof(*qh));
470 ret = __build_send_cfg_msg(h, NFQNL_CFG_CMD_BIND, num, 0);
491 * nfq_destroy_queue - destroy a queue handle
492 * \param qh queue handle that we want to destroy created via nfq_create_queue
494 * Removes the binding for the specified queue handle. This call also unbind
495 * from the nfqueue handler, so you don't have to call nfq_unbind_pf.
497 int nfq_destroy_queue(struct nfq_q_handle *qh)
499 int ret = __build_send_cfg_msg(qh->h, NFQNL_CFG_CMD_UNBIND, qh->id, 0);
509 * nfq_handle_packet - handle a packet received from the nfqueue subsystem
510 * \param h Netfilter queue connection handle obtained via call to nfq_open()
511 * \param buf data to pass to the callback
512 * \param len length of packet data in buffer
514 * Triggers an associated callback for the given packet received from the
515 * queue. Packets can be read from the queue using nfq_fd() and recv(). See
516 * example code for nfq_fd().
518 * \return 0 on success, non-zero on failure.
520 int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)
522 return nfnl_handle_packet(h->nfnlh, buf, len);
526 * nfq_set_mode - set the amount of packet data that nfqueue copies to userspace
527 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
528 * \param mode the part of the packet that we are interested in
529 * \param range size of the packet that we want to get
531 * Sets the amount of data to be copied to userspace for each packet queued
532 * to the given queue.
534 * - NFQNL_COPY_NONE - do not copy any data
535 * - NFQNL_COPY_META - copy only packet metadata
536 * - NFQNL_COPY_PACKET - copy entire packet
538 int nfq_set_mode(struct nfq_q_handle *qh,
539 u_int8_t mode, u_int32_t range)
542 char buf[NFNL_HEADER_LEN
543 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];
546 struct nfqnl_msg_config_params params;
548 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
549 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
551 params.copy_range = htonl(range);
552 params.copy_mode = mode;
553 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_PARAMS, ¶ms,
556 return nfnl_talk(qh->h->nfnlh, &u.nmh, 0, 0, NULL, NULL, NULL);
560 * nfq_set_queue_maxlen - Set kernel queue maximum length parameter
561 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
562 * \param queuelen the length of the queue
564 * Sets the size of the queue in kernel. This fixes the maximum number
565 * of packets the kernel will store before internally before dropping
568 int nfq_set_queue_maxlen(struct nfq_q_handle *qh,
572 char buf[NFNL_HEADER_LEN
573 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];
576 u_int32_t queue_maxlen = htonl(queuelen);
578 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
579 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
581 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_QUEUE_MAXLEN, &queue_maxlen,
582 sizeof(queue_maxlen));
584 return nfnl_talk(qh->h->nfnlh, &u.nmh, 0, 0, NULL, NULL, NULL);
591 static int __set_verdict(struct nfq_q_handle *qh, u_int32_t id,
592 u_int32_t verdict, u_int32_t mark, int set_mark,
593 u_int32_t data_len, unsigned char *data)
595 struct nfqnl_msg_verdict_hdr vh;
597 char buf[NFNL_HEADER_LEN
598 +NFA_LENGTH(sizeof(mark))
599 +NFA_LENGTH(sizeof(vh))];
606 /* This must be declared here (and not inside the data
607 * handling block) because the iovec points to this. */
608 struct nfattr data_attr;
610 memset(iov, 0, sizeof(iov));
612 vh.verdict = htonl(verdict);
615 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
616 NFQNL_MSG_VERDICT, NLM_F_REQUEST);
618 /* add verdict header */
619 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_VERDICT_HDR, &vh, sizeof(vh));
622 nfnl_addattr32(&u.nmh, sizeof(u), NFQA_MARK, mark);
624 iov[0].iov_base = &u.nmh;
625 iov[0].iov_len = NLMSG_TAIL(&u.nmh) - (void *)&u.nmh;
629 nfnl_build_nfa_iovec(&iov[1], &data_attr, NFQA_PAYLOAD,
632 /* Add the length of the appended data to the message
633 * header. The size of the attribute is given in the
634 * nfa_len field and is set in the nfnl_build_nfa_iovec()
636 u.nmh.nlmsg_len += data_attr.nfa_len;
639 return nfnl_sendiov(qh->h->nfnlh, iov, nvecs, 0);
648 * nfq_set_verdict - issue a verdict on a packet
649 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
650 * \param id ID assigned to packet by netfilter.
651 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
652 * \param data_len number of bytes of data pointed to by #buf
653 * \param buf the buffer that contains the packet data
655 * Can be obtained by:
658 struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(tb);
660 id = ntohl(ph->packet_id);
663 * Notifies netfilter of the userspace verdict for the given packet. Every
664 * queued packet _must_ have a verdict specified by userspace, either by
665 * calling this function, or by calling the nfq_set_verdict_mark() function.
667 int nfq_set_verdict(struct nfq_q_handle *qh, u_int32_t id,
668 u_int32_t verdict, u_int32_t data_len,
671 return __set_verdict(qh, id, verdict, 0, 0, data_len, buf);
675 * nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark.
676 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
677 * \param id ID assigned to packet by netfilter.
678 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
679 * \param mark mark to put on packet
680 * \param data_len number of bytes of data pointed to by #buf
681 * \param buf the buffer that contains the packet data
683 int nfq_set_verdict_mark(struct nfq_q_handle *qh, u_int32_t id,
684 u_int32_t verdict, u_int32_t mark,
685 u_int32_t data_len, unsigned char *buf)
687 return __set_verdict(qh, id, verdict, mark, 1, data_len, buf);
696 /*************************************************************
697 * Message parsing functions
698 *************************************************************/
701 * \defgroup Parsing Message parsing functions
706 * nfqnl_msg_packet_hdr - return the metaheader that wraps the packet
707 * \param nfad Netlink packet data handle passed to callback function
709 * \return the netfilter queue netlink packet header for the given
710 * nfq_data argument. Typically, the nfq_data value is passed as the 3rd
711 * parameter to the callback function set by a call to nfq_create_queue().
713 * The nfqnl_msg_packet_hdr structure is defined in libnetfilter_queue.h as:
716 struct nfqnl_msg_packet_hdr {
717 u_int32_t packet_id; // unique ID of packet in queue
718 u_int16_t hw_protocol; // hw protocol (network order)
719 u_int8_t hook; // netfilter hook
720 } __attribute__ ((packed));
723 struct nfqnl_msg_packet_hdr *nfq_get_msg_packet_hdr(struct nfq_data *nfad)
725 return nfnl_get_pointer_to_data(nfad->data, NFQA_PACKET_HDR,
726 struct nfqnl_msg_packet_hdr);
730 * nfq_get_nfmark - get the packet mark
731 * \param nfad Netlink packet data handle passed to callback function
733 * \return the netfilter mark currently assigned to the given queued packet.
735 uint32_t nfq_get_nfmark(struct nfq_data *nfad)
737 return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, u_int32_t));
741 * nfq_get_timestamp - get the packet timestamp
742 * \param nfad Netlink packet data handle passed to callback function
743 * \param tv structure to fill with timestamp info
745 * Retrieves the received timestamp when the given queued packet.
747 * \return 0 on success, non-zero on failure.
749 int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv)
751 struct nfqnl_msg_packet_timestamp *qpt;
752 qpt = nfnl_get_pointer_to_data(nfad->data, NFQA_TIMESTAMP,
753 struct nfqnl_msg_packet_timestamp);
757 tv->tv_sec = __be64_to_cpu(qpt->sec);
758 tv->tv_usec = __be64_to_cpu(qpt->usec);
764 * nfq_get_indev - get the interface that the packet was received through
765 * \param nfad Netlink packet data handle passed to callback function
767 * \return The index of the device the queued packet was received via. If the
768 * returned index is 0, the packet was locally generated or the input
769 * interface is not known (ie. POSTROUTING?).
771 * \warning all nfq_get_dev() functions return 0 if not set, since linux
772 * only allows ifindex >= 1, see net/core/dev.c:2600 (in 2.6.13.1)
774 u_int32_t nfq_get_indev(struct nfq_data *nfad)
776 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_INDEV, u_int32_t));
780 * nfq_get_physindev - get the physical interface that the packet was received
781 * \param nfad Netlink packet data handle passed to callback function
783 * \return The index of the physical device the queued packet was received via.
784 * If the returned index is 0, the packet was locally generated or the
785 * physical input interface is no longer known (ie. POSTROUTING?).
787 u_int32_t nfq_get_physindev(struct nfq_data *nfad)
789 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSINDEV, u_int32_t));
793 * nfq_get_outdev - gets the interface that the packet will be routed out
794 * \param nfad Netlink packet data handle passed to callback function
796 * \return The index of the device the queued packet will be sent out. If the
797 * returned index is 0, the packet is destined for localhost or the output
798 * interface is not yet known (ie. PREROUTING?).
800 u_int32_t nfq_get_outdev(struct nfq_data *nfad)
802 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_OUTDEV, u_int32_t));
806 * nfq_get_physoutdev - get the physical interface that the packet output
807 * \param nfad Netlink packet data handle passed to callback function
809 * The index of the physical device the queued packet will be sent out.
810 * If the returned index is 0, the packet is destined for localhost or the
811 * physical output interface is not yet known (ie. PREROUTING?).
813 * \return The index of physical interface that the packet output will be routed out.
815 u_int32_t nfq_get_physoutdev(struct nfq_data *nfad)
817 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSOUTDEV, u_int32_t));
821 * nfq_get_indev_name - get the name of the interface the packet
822 * was received through
823 * \param nlif_handle pointer to a nlif interface resolving handle
824 * \param nfad Netlink packet data handle passed to callback function
825 * \param name pointer that will be set to the interface name string
826 * \return -1 in case of error, >0 if it succeed.
828 * The #name variable will point to the name of the input interface.
830 * To use a nlif_handle, You need first to call nlif_open() and to open
831 * an handler. Don't forget to store the result as it will be used
832 * during all your program life:
840 * Once the handler is open, you need to fetch the interface table at a
841 * whole via a call to nlif_query.
845 * libnfnetlink is able to update the interface mapping when a new interface
846 * appears. To do so, you need to call nlif_catch() on the handler after each
847 * interface related event. The simplest way to get and treat event is to run
848 * a select() or poll() against the nlif file descriptor. To get this file
849 * descriptor, you need to use nlif_fd:
853 * Don't forget to close the handler when you don't need the feature anymore:
859 int nfq_get_indev_name(struct nlif_handle *nlif_handle,
860 struct nfq_data *nfad, char *name)
862 u_int32_t ifindex = nfq_get_indev(nfad);
863 return nlif_index2name(nlif_handle, ifindex, name);
867 * nfq_get_physindev_name - get the name of the physical interface the
868 * packet was received through
869 * \param nlif_handle pointer to a nlif interface resolving handle
870 * \param nfad Netlink packet data handle passed to callback function
871 * \param name pointer that will be set to the interface name string
873 * The #name variable will point to the name of the input physical
876 * See nfq_get_indev_name() documentation for nlif_handle usage.
878 * \return -1 in case of error, > 0 if it succeed.
880 int nfq_get_physindev_name(struct nlif_handle *nlif_handle,
881 struct nfq_data *nfad, char *name)
883 u_int32_t ifindex = nfq_get_physindev(nfad);
884 return nlif_index2name(nlif_handle, ifindex, name);
888 * nfq_get_outdev_name - get the name of the physical interface the
889 * packet will be sent to
890 * \param nlif_handle pointer to a nlif interface resolving handle
891 * \param nfad Netlink packet data handle passed to callback function
892 * \param name pointer that will be set to the interface name string
894 * The #name variable will point to the name of the output interface.
896 * See nfq_get_indev_name() documentation for nlif_handle usage.
898 * \return -1 in case of error, > 0 if it succeed.
900 int nfq_get_outdev_name(struct nlif_handle *nlif_handle,
901 struct nfq_data *nfad, char *name)
903 u_int32_t ifindex = nfq_get_outdev(nfad);
904 return nlif_index2name(nlif_handle, ifindex, name);
908 * nfq_get_physoutdev_name - get the name of the interface the
909 * packet will be sent to
910 * \param nlif_handle pointer to a nlif interface resolving handle
911 * \param nfad Netlink packet data handle passed to callback function
912 * \param name pointer that will be set to the interface name string
913 * The #name variable will point to the name of the physical
916 * See nfq_get_indev_name() documentation for nlif_handle usage.
918 * \return -1 in case of error, > 0 if it succeed.
921 int nfq_get_physoutdev_name(struct nlif_handle *nlif_handle,
922 struct nfq_data *nfad, char *name)
924 u_int32_t ifindex = nfq_get_physoutdev(nfad);
925 return nlif_index2name(nlif_handle, ifindex, name);
931 * get hardware address
933 * \param nfad Netlink packet data handle passed to callback function
935 * Retrieves the hardware address associated with the given queued packet.
936 * For ethernet packets, the hardware address returned (if any) will be the
937 * MAC address of the packet source host. The destination MAC address is not
938 * known until after POSTROUTING and a successful ARP request, so cannot
939 * currently be retrieved.
941 * The nfqnl_msg_packet_hw structure is defined in libnetfilter_queue.h as:
943 struct nfqnl_msg_packet_hw {
944 u_int16_t hw_addrlen;
947 } __attribute__ ((packed));
950 struct nfqnl_msg_packet_hw *nfq_get_packet_hw(struct nfq_data *nfad)
952 return nfnl_get_pointer_to_data(nfad->data, NFQA_HWADDR,
953 struct nfqnl_msg_packet_hw);
957 * nfq_get_payload - get payload
958 * \param nfad Netlink packet data handle passed to callback function
959 * \param data Pointer of pointer that will be pointed to the payload
961 * Retrieve the payload for a queued packet. The actual amount and type of
962 * data retrieved by this function will depend on the mode set with the
963 * nfq_set_mode() function.
965 * \return -1 on error, otherwise > 0.
967 int nfq_get_payload(struct nfq_data *nfad, char **data)
969 *data = nfnl_get_pointer_to_data(nfad->data, NFQA_PAYLOAD, char);
971 return NFA_PAYLOAD(nfad->data[NFQA_PAYLOAD-1]);