1 /* libnetfilter_queue.c: generic library for access to nf_queue
3 * (C) 2005 by Harald Welte <laforge@gnumonks.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2
7 * as published by the Free Software Foundation
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 * 2006-01-23 Andreas Florath <andreas@florath.net>
19 * Fix __set_verdict() that it can now handle payload.
29 #include <netinet/in.h>
30 #include <sys/socket.h>
32 #include <libnfnetlink/libnfnetlink.h>
33 #include <libnetfilter_queue/libnetfilter_queue.h>
38 * libnetfilter_queue is a userspace library providing an API to packets that
39 * have been queued by the kernel packet filter. It is is part of a system that
40 * deprecates the old ip_queue / libipq mechanism.
42 * libnetfilter_queue homepage is:
43 * http://netfilter.org/projects/libnetfilter_queue/
45 * \section Dependencies
46 * libnetfilter_queue requires libnfnetlink and a kernel that includes the
47 * nfnetlink_queue subsystem (i.e. 2.6.14 or later).
49 * \section Main Features
50 * - receiving queued packets from the kernel nfnetlink_queue subsystem
51 * - issuing verdicts and/or reinjecting altered packets to the kernel
52 * nfnetlink_queue subsystem
55 * The current development version of libnetfilter_queue can be accessed
56 * at https://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=summary.
59 * You need the CAP_NET_ADMIN capability in order to allow your application
60 * to receive from and to send packets to kernel-space.
62 * \section Using libnetfilter_queue
64 * To write your own program using libnetfilter_queue, you should start by reading
65 * the doxygen documentation (start by \link LibrarySetup \endlink page) and nfqnl_test.c source file.
71 struct nfnl_handle *nfnlh;
72 struct nfnl_subsys_handle *nfnlssh;
73 struct nfq_q_handle *qh_list;
78 struct nfq_q_handle *next;
92 /***********************************************************************
94 ***********************************************************************/
96 static void del_qh(struct nfq_q_handle *qh)
98 struct nfq_q_handle *cur_qh, *prev_qh = NULL;
100 for (cur_qh = qh->h->qh_list; cur_qh; cur_qh = cur_qh->next) {
103 prev_qh->next = qh->next;
105 qh->h->qh_list = qh->next;
112 static void add_qh(struct nfq_q_handle *qh)
114 qh->next = qh->h->qh_list;
118 static struct nfq_q_handle *find_qh(struct nfq_handle *h, u_int16_t id)
120 struct nfq_q_handle *qh;
122 for (qh = h->qh_list; qh; qh = qh->next) {
129 /* build a NFQNL_MSG_CONFIG message */
131 __build_send_cfg_msg(struct nfq_handle *h, u_int8_t command,
132 u_int16_t queuenum, u_int16_t pf)
135 char buf[NFNL_HEADER_LEN
136 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_cmd))];
139 struct nfqnl_msg_config_cmd cmd;
141 nfnl_fill_hdr(h->nfnlssh, &u.nmh, 0, AF_UNSPEC, queuenum,
142 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
144 cmd.command = command;
146 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_CMD, &cmd, sizeof(cmd));
148 return nfnl_query(h->nfnlh, &u.nmh);
151 static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[],
154 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
155 struct nfq_handle *h = data;
156 u_int16_t queue_num = ntohs(nfmsg->res_id);
157 struct nfq_q_handle *qh = find_qh(h, queue_num);
158 struct nfq_data nfqa;
168 return qh->cb(qh, nfmsg, &nfqa, qh->data);
171 static struct nfnl_callback pkt_cb = {
172 .call = &__nfq_rcv_pkt,
173 .attr_count = NFQA_MAX,
176 /* public interface */
178 struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)
185 * \defgroup Queue Queue handling
187 * Once libnetfilter_queue library has been initialised (See
188 * \link LibrarySetup \endlink), it is possible to bind the program to a
189 * specific queue. This can be done by using nfq_create_queue().
191 * The queue can then be tuned via nfq_set_mode() or nfq_set_queue_maxlen().
193 * Here's a little code snippet that create queue numbered 0:
195 printf("binding this socket to queue '0'\n");
196 qh = nfq_create_queue(h, 0, &cb, NULL);
198 fprintf(stderr, "error during nfq_create_queue()\n");
202 printf("setting copy_packet mode\n");
203 if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
204 fprintf(stderr, "can't set packet_copy mode\n");
209 * Next step is the handling of incoming packets which can be done via a loop:
214 while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
215 printf("pkt received\n");
216 nfq_handle_packet(h, buf, rv);
219 * When the decision on a packet has been choosed, the verdict has to be given
220 * by calling nfq_set_verdict() or nfq_set_verdict_mark().
222 * Data and information about the packet can be fetch by using message parsing
223 * functions (See \link Parsing \endlink).
228 * nfq_fd - get the file descriptor associated with the nfqueue handler
229 * \param h Netfilter queue connection handle obtained via call to nfq_open()
231 * \return a file descriptor for the netlink connection associated with the
232 * given queue connection handle. The file descriptor can then be used for
233 * receiving the queued packets for processing.
235 * This function returns a file descriptor that can be used for communication
236 * over the netlink connection associated with the given queue connection
239 int nfq_fd(struct nfq_handle *h)
241 return nfnl_fd(nfq_nfnlh(h));
249 * \defgroup LibrarySetup Library setup
251 * Library initialisation is made in two steps.
253 * First step is to call nfq_open() to open a NFQUEUE handler.
255 * Second step is to tell the kernel that userspace queueing is handle by
256 * NFQUEUE for the selected protocol. This is made by calling nfq_unbind_pf()
257 * and nfq_bind_pf() with protocol information. The idea behind this is to
258 * enable simultaneously loaded modules to be used for queuing.
260 * Here's a little code snippet that bind with AF_INET:
264 fprintf(stderr, "error during nfq_open()\n");
268 printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
269 if (nfq_unbind_pf(h, AF_INET) < 0) {
270 fprintf(stderr, "error during nfq_unbind_pf()\n");
274 printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
275 if (nfq_bind_pf(h, AF_INET) < 0) {
276 fprintf(stderr, "error during nfq_bind_pf()\n");
280 * Once this is done, you can setup and use a \link Queue \endlink.
285 * nfq_open - open a nfqueue handler
287 * This function obtains a netfilter queue connection handle. When you are
288 * finished with the handle returned by this function, you should destroy
289 * it by calling nfq_close(). A new netlink connection is obtained internally
290 * and associated with the queue connection handle returned.
292 * \return a pointer to a new queue handle or NULL on failure.
294 struct nfq_handle *nfq_open(void)
296 struct nfnl_handle *nfnlh = nfnl_open();
297 struct nfq_handle *qh;
302 /* unset netlink sequence tracking by default */
303 nfnl_unset_sequence_tracking(nfnlh);
305 qh = nfq_open_nfnl(nfnlh);
317 * nfq_open_nfnl - open a nfqueue handler from a existing nfnetlink handler
318 * \param nfnlh Netfilter netlink connection handle obtained by calling nfnl_open()
320 * This function obtains a netfilter queue connection handle using an existing
321 * netlink connection. This function is used internally to implement
322 * nfq_open(), and should typically not be called directly.
324 * \return a pointer to a new queue handle or NULL on failure.
326 struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh)
328 struct nfq_handle *h;
331 h = malloc(sizeof(*h));
335 memset(h, 0, sizeof(*h));
338 h->nfnlssh = nfnl_subsys_open(h->nfnlh, NFNL_SUBSYS_QUEUE,
341 /* FIXME: nfq_errno */
346 err = nfnl_callback_register(h->nfnlssh, NFQNL_MSG_PACKET, &pkt_cb);
354 nfnl_subsys_close(h->nfnlssh);
361 * \addtogroup LibrarySetup
363 * When the program has finished with libnetfilter_queue, it has to call
364 * the nfq_close() function to free all associated resources.
370 * nfq_close - close a nfqueue handler
371 * \param h Netfilter queue connection handle obtained via call to nfq_open()
373 * This function closes the nfqueue handler and free associated resources.
375 * \return 0 on success, non-zero on failure.
377 int nfq_close(struct nfq_handle *h)
381 ret = nfnl_close(h->nfnlh);
388 * nfq_bind_pf - bind a nfqueue handler to a given protocol family
389 * \param h Netfilter queue connection handle obtained via call to nfq_open()
390 * \param pf protocol family to bind to nfqueue handler obtained from nfq_open()
392 * Binds the given queue connection handle to process packets belonging to
393 * the given protocol family (ie. PF_INET, PF_INET6, etc).
395 * \return integer inferior to 0 in case of failure
397 int nfq_bind_pf(struct nfq_handle *h, u_int16_t pf)
399 return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf);
403 * nfq_unbind_pf - unbind nfqueue handler from a protocol family
404 * \param h Netfilter queue connection handle obtained via call to nfq_open()
405 * \param pf protocol family to unbind family from
407 * Unbinds the given queue connection handle from processing packets belonging
408 * to the given protocol family.
410 int nfq_unbind_pf(struct nfq_handle *h, u_int16_t pf)
412 return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf);
427 * nfq_create_queue - create a new queue handle and return it.
429 * \param h Netfilter queue connection handle obtained via call to nfq_open()
430 * \param num the number of the queue to bind to
431 * \param cb callback function to call for each queued packet
432 * \param data custom data to pass to the callback function
434 * \return a nfq_q_handle pointing to the newly created queue
436 * Creates a new queue handle, and returns it. The new queue is identified by
437 * #num, and the callback specified by #cb will be called for each enqueued
438 * packet. The #data argument will be passed unchanged to the callback. If
439 * a queue entry with id #num already exists, this function will return failure
440 * and the existing entry is unchanged.
442 * The nfq_callback type is defined in libnetfilter_queue.h as:
444 typedef int nfq_callback(struct nfq_q_handle *qh,
445 struct nfgenmsg *nfmsg,
446 struct nfq_data *nfad, void *data);
450 * - qh The queue handle returned by nfq_create_queue
451 * - nfmsg message objetc that contains the packet
452 * - nfad Netlink packet data handle
453 * - data the value passed to the data parameter of nfq_create_queue
455 * The callback should return < 0 to stop processing.
458 struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h,
464 struct nfq_q_handle *qh;
469 qh = malloc(sizeof(*qh));
471 memset(qh, 0, sizeof(*qh));
477 ret = __build_send_cfg_msg(h, NFQNL_CFG_CMD_BIND, num, 0);
498 * nfq_destroy_queue - destroy a queue handle
499 * \param qh queue handle that we want to destroy created via nfq_create_queue
501 * Removes the binding for the specified queue handle. This call also unbind
502 * from the nfqueue handler, so you don't have to call nfq_unbind_pf.
504 int nfq_destroy_queue(struct nfq_q_handle *qh)
506 int ret = __build_send_cfg_msg(qh->h, NFQNL_CFG_CMD_UNBIND, qh->id, 0);
516 * nfq_handle_packet - handle a packet received from the nfqueue subsystem
517 * \param h Netfilter queue connection handle obtained via call to nfq_open()
518 * \param buf data to pass to the callback
519 * \param len length of packet data in buffer
521 * Triggers an associated callback for the given packet received from the
522 * queue. Packets can be read from the queue using nfq_fd() and recv(). See
523 * example code for nfq_fd().
525 * \return 0 on success, non-zero on failure.
527 int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)
529 return nfnl_handle_packet(h->nfnlh, buf, len);
533 * nfq_set_mode - set the amount of packet data that nfqueue copies to userspace
534 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
535 * \param mode the part of the packet that we are interested in
536 * \param range size of the packet that we want to get
538 * Sets the amount of data to be copied to userspace for each packet queued
539 * to the given queue.
541 * - NFQNL_COPY_NONE - do not copy any data
542 * - NFQNL_COPY_META - copy only packet metadata
543 * - NFQNL_COPY_PACKET - copy entire packet
545 int nfq_set_mode(struct nfq_q_handle *qh,
546 u_int8_t mode, u_int32_t range)
549 char buf[NFNL_HEADER_LEN
550 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];
553 struct nfqnl_msg_config_params params;
555 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
556 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
558 params.copy_range = htonl(range);
559 params.copy_mode = mode;
560 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_PARAMS, ¶ms,
563 return nfnl_query(qh->h->nfnlh, &u.nmh);
567 * nfq_set_queue_maxlen - Set kernel queue maximum length parameter
568 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
569 * \param queuelen the length of the queue
571 * Sets the size of the queue in kernel. This fixes the maximum number
572 * of packets the kernel will store before internally before dropping
575 int nfq_set_queue_maxlen(struct nfq_q_handle *qh,
579 char buf[NFNL_HEADER_LEN
580 +NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];
583 u_int32_t queue_maxlen = htonl(queuelen);
585 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
586 NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
588 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_QUEUE_MAXLEN, &queue_maxlen,
589 sizeof(queue_maxlen));
591 return nfnl_query(qh->h->nfnlh, &u.nmh);
598 static int __set_verdict(struct nfq_q_handle *qh, u_int32_t id,
599 u_int32_t verdict, u_int32_t mark, int set_mark,
600 u_int32_t data_len, unsigned char *data)
602 struct nfqnl_msg_verdict_hdr vh;
604 char buf[NFNL_HEADER_LEN
605 +NFA_LENGTH(sizeof(mark))
606 +NFA_LENGTH(sizeof(vh))];
613 /* This must be declared here (and not inside the data
614 * handling block) because the iovec points to this. */
615 struct nfattr data_attr;
617 memset(iov, 0, sizeof(iov));
619 vh.verdict = htonl(verdict);
622 nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,
623 NFQNL_MSG_VERDICT, NLM_F_REQUEST);
625 /* add verdict header */
626 nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_VERDICT_HDR, &vh, sizeof(vh));
629 nfnl_addattr32(&u.nmh, sizeof(u), NFQA_MARK, mark);
631 iov[0].iov_base = &u.nmh;
632 iov[0].iov_len = NLMSG_TAIL(&u.nmh) - (void *)&u.nmh;
636 nfnl_build_nfa_iovec(&iov[1], &data_attr, NFQA_PAYLOAD,
639 /* Add the length of the appended data to the message
640 * header. The size of the attribute is given in the
641 * nfa_len field and is set in the nfnl_build_nfa_iovec()
643 u.nmh.nlmsg_len += data_attr.nfa_len;
646 return nfnl_sendiov(qh->h->nfnlh, iov, nvecs, 0);
655 * nfq_set_verdict - issue a verdict on a packet
656 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
657 * \param id ID assigned to packet by netfilter.
658 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
659 * \param data_len number of bytes of data pointed to by #buf
660 * \param buf the buffer that contains the packet data
662 * Can be obtained by:
665 struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(tb);
667 id = ntohl(ph->packet_id);
670 * Notifies netfilter of the userspace verdict for the given packet. Every
671 * queued packet _must_ have a verdict specified by userspace, either by
672 * calling this function, or by calling the nfq_set_verdict_mark() function.
674 int nfq_set_verdict(struct nfq_q_handle *qh, u_int32_t id,
675 u_int32_t verdict, u_int32_t data_len,
678 return __set_verdict(qh, id, verdict, 0, 0, data_len, buf);
682 * nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.
683 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
684 * \param id ID assigned to packet by netfilter.
685 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
686 * \param mark mark to put on packet
687 * \param data_len number of bytes of data pointed to by #buf
688 * \param buf the buffer that contains the packet data
690 int nfq_set_verdict2(struct nfq_q_handle *qh, u_int32_t id,
691 u_int32_t verdict, u_int32_t mark,
692 u_int32_t data_len, unsigned char *buf)
694 return __set_verdict(qh, id, verdict, htonl(mark), 1, data_len, buf);
698 * nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark.
699 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().
700 * \param id ID assigned to packet by netfilter.
701 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)
702 * \param mark mark to put on packet
703 * \param data_len number of bytes of data pointed to by #buf
704 * \param buf the buffer that contains the packet data
706 * This function is deprecated since it is broken, its use is highly
707 * discouraged. Please, use nfq_set_verdict2 instead.
709 int nfq_set_verdict_mark(struct nfq_q_handle *qh, u_int32_t id,
710 u_int32_t verdict, u_int32_t mark,
711 u_int32_t data_len, unsigned char *buf)
713 return __set_verdict(qh, id, verdict, mark, 1, data_len, buf);
722 /*************************************************************
723 * Message parsing functions
724 *************************************************************/
727 * \defgroup Parsing Message parsing functions
732 * nfqnl_msg_packet_hdr - return the metaheader that wraps the packet
733 * \param nfad Netlink packet data handle passed to callback function
735 * \return the netfilter queue netlink packet header for the given
736 * nfq_data argument. Typically, the nfq_data value is passed as the 3rd
737 * parameter to the callback function set by a call to nfq_create_queue().
739 * The nfqnl_msg_packet_hdr structure is defined in libnetfilter_queue.h as:
742 struct nfqnl_msg_packet_hdr {
743 u_int32_t packet_id; // unique ID of packet in queue
744 u_int16_t hw_protocol; // hw protocol (network order)
745 u_int8_t hook; // netfilter hook
746 } __attribute__ ((packed));
749 struct nfqnl_msg_packet_hdr *nfq_get_msg_packet_hdr(struct nfq_data *nfad)
751 return nfnl_get_pointer_to_data(nfad->data, NFQA_PACKET_HDR,
752 struct nfqnl_msg_packet_hdr);
756 * nfq_get_nfmark - get the packet mark
757 * \param nfad Netlink packet data handle passed to callback function
759 * \return the netfilter mark currently assigned to the given queued packet.
761 uint32_t nfq_get_nfmark(struct nfq_data *nfad)
763 return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, u_int32_t));
767 * nfq_get_timestamp - get the packet timestamp
768 * \param nfad Netlink packet data handle passed to callback function
769 * \param tv structure to fill with timestamp info
771 * Retrieves the received timestamp when the given queued packet.
773 * \return 0 on success, non-zero on failure.
775 int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv)
777 struct nfqnl_msg_packet_timestamp *qpt;
778 qpt = nfnl_get_pointer_to_data(nfad->data, NFQA_TIMESTAMP,
779 struct nfqnl_msg_packet_timestamp);
783 tv->tv_sec = __be64_to_cpu(qpt->sec);
784 tv->tv_usec = __be64_to_cpu(qpt->usec);
790 * nfq_get_indev - get the interface that the packet was received through
791 * \param nfad Netlink packet data handle passed to callback function
793 * \return The index of the device the queued packet was received via. If the
794 * returned index is 0, the packet was locally generated or the input
795 * interface is not known (ie. POSTROUTING?).
797 * \warning all nfq_get_dev() functions return 0 if not set, since linux
798 * only allows ifindex >= 1, see net/core/dev.c:2600 (in 2.6.13.1)
800 u_int32_t nfq_get_indev(struct nfq_data *nfad)
802 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_INDEV, u_int32_t));
806 * nfq_get_physindev - get the physical interface that the packet was received
807 * \param nfad Netlink packet data handle passed to callback function
809 * \return The index of the physical device the queued packet was received via.
810 * If the returned index is 0, the packet was locally generated or the
811 * physical input interface is no longer known (ie. POSTROUTING?).
813 u_int32_t nfq_get_physindev(struct nfq_data *nfad)
815 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSINDEV, u_int32_t));
819 * nfq_get_outdev - gets the interface that the packet will be routed out
820 * \param nfad Netlink packet data handle passed to callback function
822 * \return The index of the device the queued packet will be sent out. If the
823 * returned index is 0, the packet is destined for localhost or the output
824 * interface is not yet known (ie. PREROUTING?).
826 u_int32_t nfq_get_outdev(struct nfq_data *nfad)
828 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_OUTDEV, u_int32_t));
832 * nfq_get_physoutdev - get the physical interface that the packet output
833 * \param nfad Netlink packet data handle passed to callback function
835 * The index of the physical device the queued packet will be sent out.
836 * If the returned index is 0, the packet is destined for localhost or the
837 * physical output interface is not yet known (ie. PREROUTING?).
839 * \return The index of physical interface that the packet output will be routed out.
841 u_int32_t nfq_get_physoutdev(struct nfq_data *nfad)
843 return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSOUTDEV, u_int32_t));
847 * nfq_get_indev_name - get the name of the interface the packet
848 * was received through
849 * \param nlif_handle pointer to a nlif interface resolving handle
850 * \param nfad Netlink packet data handle passed to callback function
851 * \param name pointer that will be set to the interface name string
852 * \return -1 in case of error, >0 if it succeed.
854 * The #name variable will point to the name of the input interface.
856 * To use a nlif_handle, You need first to call nlif_open() and to open
857 * an handler. Don't forget to store the result as it will be used
858 * during all your program life:
866 * Once the handler is open, you need to fetch the interface table at a
867 * whole via a call to nlif_query.
871 * libnfnetlink is able to update the interface mapping when a new interface
872 * appears. To do so, you need to call nlif_catch() on the handler after each
873 * interface related event. The simplest way to get and treat event is to run
874 * a select() or poll() against the nlif file descriptor. To get this file
875 * descriptor, you need to use nlif_fd:
879 * Don't forget to close the handler when you don't need the feature anymore:
885 int nfq_get_indev_name(struct nlif_handle *nlif_handle,
886 struct nfq_data *nfad, char *name)
888 u_int32_t ifindex = nfq_get_indev(nfad);
889 return nlif_index2name(nlif_handle, ifindex, name);
893 * nfq_get_physindev_name - get the name of the physical interface the
894 * packet was received through
895 * \param nlif_handle pointer to a nlif interface resolving handle
896 * \param nfad Netlink packet data handle passed to callback function
897 * \param name pointer that will be set to the interface name string
899 * The #name variable will point to the name of the input physical
902 * See nfq_get_indev_name() documentation for nlif_handle usage.
904 * \return -1 in case of error, > 0 if it succeed.
906 int nfq_get_physindev_name(struct nlif_handle *nlif_handle,
907 struct nfq_data *nfad, char *name)
909 u_int32_t ifindex = nfq_get_physindev(nfad);
910 return nlif_index2name(nlif_handle, ifindex, name);
914 * nfq_get_outdev_name - get the name of the physical interface the
915 * packet will be sent to
916 * \param nlif_handle pointer to a nlif interface resolving handle
917 * \param nfad Netlink packet data handle passed to callback function
918 * \param name pointer that will be set to the interface name string
920 * The #name variable will point to the name of the output interface.
922 * See nfq_get_indev_name() documentation for nlif_handle usage.
924 * \return -1 in case of error, > 0 if it succeed.
926 int nfq_get_outdev_name(struct nlif_handle *nlif_handle,
927 struct nfq_data *nfad, char *name)
929 u_int32_t ifindex = nfq_get_outdev(nfad);
930 return nlif_index2name(nlif_handle, ifindex, name);
934 * nfq_get_physoutdev_name - get the name of the interface the
935 * packet will be sent to
936 * \param nlif_handle pointer to a nlif interface resolving handle
937 * \param nfad Netlink packet data handle passed to callback function
938 * \param name pointer that will be set to the interface name string
939 * The #name variable will point to the name of the physical
942 * See nfq_get_indev_name() documentation for nlif_handle usage.
944 * \return -1 in case of error, > 0 if it succeed.
947 int nfq_get_physoutdev_name(struct nlif_handle *nlif_handle,
948 struct nfq_data *nfad, char *name)
950 u_int32_t ifindex = nfq_get_physoutdev(nfad);
951 return nlif_index2name(nlif_handle, ifindex, name);
957 * get hardware address
959 * \param nfad Netlink packet data handle passed to callback function
961 * Retrieves the hardware address associated with the given queued packet.
962 * For ethernet packets, the hardware address returned (if any) will be the
963 * MAC address of the packet source host. The destination MAC address is not
964 * known until after POSTROUTING and a successful ARP request, so cannot
965 * currently be retrieved.
967 * The nfqnl_msg_packet_hw structure is defined in libnetfilter_queue.h as:
969 struct nfqnl_msg_packet_hw {
970 u_int16_t hw_addrlen;
973 } __attribute__ ((packed));
976 struct nfqnl_msg_packet_hw *nfq_get_packet_hw(struct nfq_data *nfad)
978 return nfnl_get_pointer_to_data(nfad->data, NFQA_HWADDR,
979 struct nfqnl_msg_packet_hw);
983 * nfq_get_payload - get payload
984 * \param nfad Netlink packet data handle passed to callback function
985 * \param data Pointer of pointer that will be pointed to the payload
987 * Retrieve the payload for a queued packet. The actual amount and type of
988 * data retrieved by this function will depend on the mode set with the
989 * nfq_set_mode() function.
991 * \return -1 on error, otherwise > 0.
993 int nfq_get_payload(struct nfq_data *nfad, char **data)
995 *data = nfnl_get_pointer_to_data(nfad->data, NFQA_PAYLOAD, char);
997 return NFA_PAYLOAD(nfad->data[NFQA_PAYLOAD-1]);