Version 0.1

kraman · kraman · commit a6397e96f347 · 2014-03-17T18:50:34.000Z
diff --git a/README.md b/README.md
@@ -2,3 +2,47 @@ go-netfilter-queue
 ==================
 
 Go bindings for libnetfilter_queue
+
+This library provides access to packets in the IPTables netfilter queue (NFQUEUE).
+The libnetfilter_queue library is part of the [Netfilter project| http://netfilter.org/projects/libnetfilter_queue/].
+
+Example
+=======
+
+use IPTables to direct all outgoing Ping/ICMP requests to the queue 0:
+
+    iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 0
+
+You can then use go-netfilter-queue to inspect the packets:
+
+    package main
+    
+    import (
+            "fmt"
+            "github.com/kraman/go-netfilter-queue"
+            "os"
+    )
+    
+    func main() {
+            var err error
+    
+            nfq, err := netfilter.NewNFQueue(0, 100, netfilter.NF_DEFAULT_PACKET_SIZE)
+            if err != nil {
+                    fmt.Println(err)
+                    os.Exit(1)
+            }
+            defer nfq.Close()
+            packets := nfq.GetPackets()
+    
+            for true {
+                    select {
+                    case p := <-packets:
+                            fmt.Println(p.Packet)
+                            p.SetVerdict(netfilter.NF_ACCEPT)
+                    }
+            }
+    }
+
+To undo the IPTables redirect. Run:
+
+    iptables -D OUTPUT -p icmp -j NFQUEUE --queue-num 0
diff --git a/netfilter.c b/netfilter.c
@@ -0,0 +1,18 @@
+/*
+   Copyright 2014 Krishna Raman <kraman@gmail.com>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+#include "netfilter.h"
+
diff --git a/netfilter.go b/netfilter.go
@@ -0,0 +1,146 @@
+/*
+   Copyright 2014 Krishna Raman <kraman@gmail.com>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+/*
+Go bindings for libnetfilter_queue
+
+This library provides access to packets in the IPTables netfilter queue (NFQUEUE).
+The libnetfilter_queue library is part of the http://netfilter.org/projects/libnetfilter_queue/ project.
+*/
+package netfilter
+
+/*
+#cgo pkg-config: libnetfilter_queue
+#cgo CFLAGS: -Wall -Werror -I/usr/include
+#cgo LDFLAGS: -L/usr/lib64/
+
+#include "netfilter.h"
+*/
+import "C"
+
+import (
+	"code.google.com/p/gopacket"
+	"code.google.com/p/gopacket/layers"
+	"fmt"
+	"unsafe"
+)
+
+type NFPacket struct {
+	Packet         gopacket.Packet
+	verdictChannel chan Verdict
+}
+
+//Set the verdict for the packet
+func (p *NFPacket) SetVerdict(v Verdict) {
+	p.verdictChannel <- v
+}
+
+type NFQueue struct {
+	h       *[0]byte
+	qh      *[0]byte
+	fd      C.int
+	packets chan NFPacket
+}
+
+//Verdict for a packet
+type Verdict C.int
+
+const (
+	AF_INET = 2
+
+	//Discarded the packet
+	NF_DROP Verdict = 0
+
+	//The packet passes, continue iterations
+	NF_ACCEPT Verdict = 1
+
+	NF_DEFAULT_PACKET_SIZE uint32 = 0xffff
+)
+
+//Create and bind to queue specified by queueId
+func NewNFQueue(queueId int, maxPacketsInQueue uint32, packetSize uint32) (*NFQueue, error) {
+	var nfq = NFQueue{}
+	var err error
+	var ret C.int
+
+	if nfq.h, err = C.nfq_open(); err != nil {
+		return nil, fmt.Errorf("Error opening NFQueue handle: %v\n", err)
+	}
+
+	if ret, err = C.nfq_unbind_pf(nfq.h, AF_INET); err != nil || ret < 0 {
+		return nil, fmt.Errorf("Error unbinding existing NFQ handler from AF_INET protocol family: %v\n", err)
+	}
+
+	if ret, err := C.nfq_bind_pf(nfq.h, AF_INET); err != nil || ret < 0 {
+		return nil, fmt.Errorf("Error binding to AF_INET protocol family: %v\n", err)
+	}
+
+	nfq.packets = make(chan NFPacket)
+	if nfq.qh, err = C.CreateQueue(nfq.h, C.int(queueId), unsafe.Pointer(&nfq.packets)); err != nil || nfq.qh == nil {
+		C.nfq_close(nfq.h)
+		return nil, fmt.Errorf("Error binding to queue: %v\n", err)
+	}
+
+	if ret, err = C.nfq_set_queue_maxlen(nfq.qh, C.u_int32_t(maxPacketsInQueue)); err != nil || ret < 0 {
+		C.nfq_destroy_queue(nfq.qh)
+		C.nfq_close(nfq.h)
+		return nil, fmt.Errorf("Unable to set max packets in queue: %v\n", err)
+	}
+
+	if C.nfq_set_mode(nfq.qh, C.u_int8_t(2), C.uint(packetSize)) < 0 {
+		C.nfq_destroy_queue(nfq.qh)
+		C.nfq_close(nfq.h)
+		return nil, fmt.Errorf("Unable to set packets copy mode: %v\n", err)
+	}
+
+	if nfq.fd, err = C.nfq_fd(nfq.h); err != nil {
+		C.nfq_destroy_queue(nfq.qh)
+		C.nfq_close(nfq.h)
+		return nil, fmt.Errorf("Unable to get queue file-descriptor. %v", err)
+	}
+
+	go nfq.run()
+
+	return &nfq, nil
+}
+
+//Unbind and close the queue
+func (nfq *NFQueue) Close() {
+	C.nfq_destroy_queue(nfq.qh)
+	C.nfq_close(nfq.h)
+}
+
+//Get the channel for packets
+func (nfq *NFQueue) GetPackets() <-chan NFPacket {
+	return nfq.packets
+}
+
+func (nfq *NFQueue) run() {
+	C.Run(nfq.h, nfq.fd)
+}
+
+//export go_callback
+func go_callback(queueId C.int, data *C.uchar, len C.int, cb *chan NFPacket) Verdict {
+	xdata := C.GoBytes(unsafe.Pointer(data), len)
+	packet := gopacket.NewPacket(xdata, layers.LayerTypeIPv4, gopacket.DecodeOptions{true, true})
+	p := NFPacket{verdictChannel: make(chan Verdict), Packet: packet}
+	select {
+	case (*cb) <- p:
+		return <-p.verdictChannel
+	default:
+		return NF_DROP
+	}
+}
diff --git a/netfilter.h b/netfilter.h
@@ -0,0 +1,65 @@
+/*
+   Copyright 2014 Krishna Raman <kraman@gmail.com>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+#ifndef _NETFILTER_H
+#define _NETFILTER_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <math.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <linux/types.h>
+#include <linux/socket.h>
+#include <linux/netfilter.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+
+extern int go_callback(int id, unsigned char* data, int len, void** cb_func);
+
+static int nf_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cb_func){
+    uint32_t id = -1;
+    struct nfqnl_msg_packet_hdr *ph = NULL;
+    unsigned char *buffer = NULL;
+    int ret = 0;
+    int verdict = 0;
+
+    ph = nfq_get_msg_packet_hdr(nfa);
+    id = ntohl(ph->packet_id);
+
+    ret = nfq_get_payload(nfa, &buffer);
+    verdict = go_callback(id, buffer, ret, cb_func);
+
+    return nfq_set_verdict(qh, id, verdict, 0, NULL);
+}
+
+static inline struct nfq_q_handle* CreateQueue(struct nfq_handle *h, int queue, void* cb_func)
+{
+    return nfq_create_queue(h, queue, &nf_callback, cb_func);
+}
+
+static inline void Run(struct nfq_handle *h, int fd)
+{
+    char buf[4096] __attribute__ ((aligned));
+    int rv;
+
+    while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
+        nfq_handle_packet(h, buf, rv);
+    }
+}
+
+#endif
+
+
