* [PATCH libnetfilter_queue v4] src: Add nfq_nlmsg_put2() - user specifies header flags
@ 2023-11-20 1:08 Duncan Roe
2023-11-24 8:38 ` Pablo Neira Ayuso
From: Duncan Roe @ 2023-11-20 1:08 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Enable mnl programs to check whether a config request was accepted.
(nfnl programs do this already).
v4: other requested changes
v3: force on NLM_F_REQUEST
v2: take flags as an arg (Pablo request)
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
---
.../libnetfilter_queue/libnetfilter_queue.h | 1 +
src/nlmsg.c | 54 ++++++++++++++++++-
2 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index 3d8e444..f254984 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -151,6 +151,7 @@ void nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt, uint32_t p
int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr);
struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num);
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num, uint16_t flags);
#ifdef __cplusplus
} /* extern "C" */
diff --git a/src/nlmsg.c b/src/nlmsg.c
index 5400dd7..0c6229e 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -309,10 +309,62 @@ int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
*/
EXPORT_SYMBOL
struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num)
+{
+ return nfq_nlmsg_put2(buf, type, queue_num, 0);
+}
+
+/**
+ * nfq_nlmsg_put2 - Set up a netlink header with user-specified flags
+ * in a memory buffer
+ * \param *buf Pointer to memory buffer
+ * \param type Either NFQNL_MSG_CONFIG or NFQNL_MSG_VERDICT
+ * \param queue_num Queue number
+ * \param flags additional flags to put in message header, commonly NLM_F_ACK
+ * \returns Pointer to netlink header
+ *
+ * Use NLM_F_ACK before performing an action that might fail, e.g.
+ * attempt to configure NFQA_CFG_F_SECCTX on a system not runnine SELinux.
+ * \n
+ * The kernel always sends a message in response to a failed command.
+ * NLM_F_ACK instructs the kernel to also send a message in response
+ * to a successful command.
+ * \n
+ * This code snippet demonstrates reading these responses:
+ * \verbatim
+ nlh = nfq_nlmsg_put2(nltxbuf, NFQNL_MSG_CONFIG, queue_num, NLM_F_ACK);
+ mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, NFQA_CFG_F_SECCTX);
+ mnl_attr_put_u32(nlh, NFQA_CFG_MASK, NFQA_CFG_F_SECCTX);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, nlrxbuf, sizeof nlrxbuf);
+ if (ret == -1) {
+ perror("mnl_socket_recvfrom");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_cb_run(nlrxbuf, ret, 0, portid, NULL, NULL);
+ if (ret == -1)
+ perror("configure NFQA_CFG_F_SECCTX");
+\endverbatim
+ *
+ * \note
+ * The program above can continue after the error because NFQA_CFG_F_SECCTX
+ * was the only item in the preceding **mnl_socket_sendto**.
+ * If there had been other items, they would not have been actioned and it would
+ * not now be safe to proceed.
+ */
+
+EXPORT_SYMBOL
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num,
+ uint16_t flags)
{
struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | type;
- nlh->nlmsg_flags = NLM_F_REQUEST;
+ nlh->nlmsg_flags = NLM_F_REQUEST | flags;
struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
nfg->nfgen_family = AF_UNSPEC;
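Review bot: The ack the example waits for is accepted without sequence matching: in the lines shown nfq_nlmsg_put2() sets only nlmsg_type and nlmsg_flags on the header from mnl_nlmsg_put_header(), and the sample passes 0 as the seq argument of mnl_cb_run(), so whatever the single mnl_socket_recvfrom() returns is taken as the reply to the config request — presumably, if the queue is already bound, a queued packet could arrive first and a NULL callback would treat it as success. I would add to the flags documentation: `Callers that need to tie the reply to this request should set nlh->nlmsg_seq after this call and pass the same value as the seq argument of mnl_cb_run().` The body of nfq_nlmsg_put2() continues past the hunk, so the unseen tail may already set nlmsg_seq; the same point applies to the v5 patch's src/nlmsg.c hunk further down.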
--
2.35.8
* Re: [PATCH libnetfilter_queue v4] src: Add nfq_nlmsg_put2() - user specifies header flags
2023-11-20 1:08 [PATCH libnetfilter_queue v4] src: Add nfq_nlmsg_put2() - user specifies header flags Duncan Roe
@ 2023-11-24 8:38 ` Pablo Neira Ayuso
2023-11-26 1:53 ` [PATCH libnetfilter_queue v5 0/1] " Duncan Roe
2023-11-26 1:53 ` [PATCH libnetfilter_queue v5 1/1] " Duncan Roe
From: Pablo Neira Ayuso @ 2023-11-24 8:38 UTC (permalink / raw)
To: Duncan Roe; +Cc: netfilter-devel
On Mon, Nov 20, 2023 at 12:08:49PM +1100, Duncan Roe wrote:
> Enable mnl programs to check whether a config request was accepted.
> (nfnl programs do this already).
>
> v4: other requested changes
>
> v3: force on NLM_F_REQUEST
>
> v2: take flags as an arg (Pablo request)
> Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
> ---
> .../libnetfilter_queue/libnetfilter_queue.h | 1 +
> src/nlmsg.c | 54 ++++++++++++++++++-
> 2 files changed, 54 insertions(+), 1 deletion(-)
>
> diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
> index 3d8e444..f254984 100644
> --- a/include/libnetfilter_queue/libnetfilter_queue.h
> +++ b/include/libnetfilter_queue/libnetfilter_queue.h
> @@ -151,6 +151,7 @@ void nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt, uint32_t p
>
> int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr);
> struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num);
> +struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num, uint16_t flags);
>
> #ifdef __cplusplus
> } /* extern "C" */
> diff --git a/src/nlmsg.c b/src/nlmsg.c
> index 5400dd7..0c6229e 100644
> --- a/src/nlmsg.c
> +++ b/src/nlmsg.c
> @@ -309,10 +309,62 @@ int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
> */
> EXPORT_SYMBOL
> struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num)
> +{
> + return nfq_nlmsg_put2(buf, type, queue_num, 0);
> +}
> +
> +/**
> + * nfq_nlmsg_put2 - Set up a netlink header with user-specified flags
> + * in a memory buffer
> + * \param *buf Pointer to memory buffer
> + * \param type Either NFQNL_MSG_CONFIG or NFQNL_MSG_VERDICT
This can be any value in enum nfqnl_msg_types.
> + * \param queue_num Queue number
> + * \param flags additional flags to put in message header, commonly NLM_F_ACK
This can be any NLM_F_* flag, as defined in include/linux/netlink.h
> + * \returns Pointer to netlink header
> + *
> + * Use NLM_F_ACK before performing an action that might fail, e.g.
> + * attempt to configure NFQA_CFG_F_SECCTX on a system not runnine SELinux.
typo: 'runnine'
> + * \n
> + * The kernel always sends a message in response to a failed command.
> + * NLM_F_ACK instructs the kernel to also send a message in response
> + * to a successful command.
> + * \n
Please, also specify that recommended buffer size in this case is
MNL_SOCKET_BUFFER_SIZE.
> + * This code snippet demonstrates reading these responses:
> + * \verbatim
I'd suggest to add:
char nltxbuf[MNL_SOCKET_BUFFER_SIZE];
> + nlh = nfq_nlmsg_put2(nltxbuf, NFQNL_MSG_CONFIG, queue_num, NLM_F_ACK);
> + mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, NFQA_CFG_F_SECCTX);
> + mnl_attr_put_u32(nlh, NFQA_CFG_MASK, NFQA_CFG_F_SECCTX);
> +
> + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
> + perror("mnl_socket_send");
> + exit(EXIT_FAILURE);
> + }
> +
> + ret = mnl_socket_recvfrom(nl, nlrxbuf, sizeof nlrxbuf);
> + if (ret == -1) {
> + perror("mnl_socket_recvfrom");
> + exit(EXIT_FAILURE);
> + }
> +
> + ret = mnl_cb_run(nlrxbuf, ret, 0, portid, NULL, NULL);
> + if (ret == -1)
> + perror("configure NFQA_CFG_F_SECCTX");
> +\endverbatim
> + *
> + * \note
> + * The program above can continue after the error because NFQA_CFG_F_SECCTX
> + * was the only item in the preceding **mnl_socket_sendto**.
Not sure what you mean in this sentence. The program above can
continue because you do not bail out mnl_cb_run().
Suggestion: To keep it simpler, I would simply do exit(EXIT_FAILURE)
in the example above and remove these two sentences.
Here above you are requesting to toggle this flag, if kernel reports
an error (which one? EOPNOTSUPP?) then this means such
NFAQ_CFG_F_SECCTX feature is not available.
Please, send v5, this is looking better and better, thanks!
* [PATCH libnetfilter_queue v5 0/1] src: Add nfq_nlmsg_put2() - user specifies header flags
2023-11-24 8:38 ` Pablo Neira Ayuso
@ 2023-11-26 1:53 ` Duncan Roe
2023-11-26 1:53 ` [PATCH libnetfilter_queue v5 1/1] " Duncan Roe
From: Duncan Roe @ 2023-11-26 1:53 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Hi Pablo,
This is as you requested, except as below and the sample prints the message
> "This kernel version does not allow to retrieve security context.\n"
(i.e. same as what utils/nfqnl_test.c does) instead of exit(EXIT_FAILURE)
as you suggested.
Looking at an 80cc man page, I think NLM_F_xxx looks better than NLM_F_*.
Also the code sample wrapped on the nfq_nlmsg_put2() line, so split it.
The code sample mixed nlrxbuf and nltxbuf. Now all just buf.
On Fri, Nov 24, 2023 at 09:38:55AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2023 at 12:08:49PM +1100, Duncan Roe wrote:
[...]
> > +
> > +/**
> > + * nfq_nlmsg_put2 - Set up a netlink header with user-specified flags
> > + * in a memory buffer
> > + * \param *buf Pointer to memory buffer
> > + * \param type Either NFQNL_MSG_CONFIG or NFQNL_MSG_VERDICT
>
>
> This can be any value in enum nfqnl_msg_types.
I think not. NFQNL_MSG_PACKET is from kernel to userspace. Have added
NFQNL_MSG_VERDICT_BATCH to complete the list of allowed values.
Cheers ... Duncan.
Duncan Roe (1):
src: Add nfq_nlmsg_put2() - user specifies header flags
.../libnetfilter_queue/libnetfilter_queue.h | 1 +
src/nlmsg.c | 57 ++++++++++++++++++-
2 files changed, 57 insertions(+), 1 deletion(-)
--
2.35.8
* [PATCH libnetfilter_queue v5 1/1] src: Add nfq_nlmsg_put2() - user specifies header flags
2023-11-24 8:38 ` Pablo Neira Ayuso
2023-11-26 1:53 ` [PATCH libnetfilter_queue v5 0/1] " Duncan Roe
@ 2023-11-26 1:53 ` Duncan Roe
2023-12-06 15:33 ` Pablo Neira Ayuso
From: Duncan Roe @ 2023-11-26 1:53 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Enable mnl programs to check whether a config request was accepted.
(nfnl programs do this already).
v5: documentation tweaks
v4: other requested changes
v3: force on NLM_F_REQUEST
v2: take flags as an arg (Pablo request)
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
---
.../libnetfilter_queue/libnetfilter_queue.h | 1 +
src/nlmsg.c | 57 ++++++++++++++++++-
2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index 3d8e444..f254984 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -151,6 +151,7 @@ void nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt, uint32_t p
int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr);
struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num);
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num, uint16_t flags);
#ifdef __cplusplus
} /* extern "C" */
diff --git a/src/nlmsg.c b/src/nlmsg.c
index 5400dd7..af7fb67 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -309,10 +309,65 @@ int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
*/
EXPORT_SYMBOL
struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num)
+{
+ return nfq_nlmsg_put2(buf, type, queue_num, 0);
+}
+
+/**
+ * nfq_nlmsg_put2 - Set up a netlink header with user-specified flags
+ * in a memory buffer
+ * \param *buf Pointer to memory buffer
+ * \param type One of NFQNL_MSG_CONFIG, NFQNL_MSG_VERDICT
+ * or NFQNL_MSG_VERDICT_BATCH
+ * \param queue_num Queue number
+ * \param flags additional NLM_F_xxx flags to put in message header. These are
+ * defined in /usr/include/linux/netlink.h. nfq_nlmsg_put2() always
+ * sets NLM_F_REQUEST
+ * \returns Pointer to netlink header
+ *
+ * For most applications, the only sensible flag will be NLM_F_ACK.
+ * Use it before performing an action that might fail, e.g.
+ * attempt to configure NFQA_CFG_F_SECCTX on a system not running SELinux.
+ * \n
+ * The kernel always sends a message in response to a failed command.
+ * NLM_F_ACK instructs the kernel to also send a message in response
+ * to a successful command.
+ * \n
+ * This code snippet demonstrates reading these responses:
+ * \verbatim
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+
+ nlh = nfq_nlmsg_put2(buf, NFQNL_MSG_CONFIG, queue_num,
+ NLM_F_ACK);
+ mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, NFQA_CFG_F_SECCTX);
+ mnl_attr_put_u32(nlh, NFQA_CFG_MASK, NFQA_CFG_F_SECCTX);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof buf);
+ if (ret == -1) {
+ perror("mnl_socket_recvfrom");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_cb_run(buf, ret, 0, portid, NULL, NULL);
+ if (ret == -1)
+ fprintf(stderr, "This kernel version does not allow to "
+ "retrieve security context.\n");
+\endverbatim
+ *
+ */
+
+EXPORT_SYMBOL
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num,
+ uint16_t flags)
{
struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | type;
- nlh->nlmsg_flags = NLM_F_REQUEST;
+ nlh->nlmsg_flags = NLM_F_REQUEST | flags;
struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
nfg->nfgen_family = AF_UNSPEC;
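Review bot: The example's error branch on the mnl_cb_run() result prints a fixed "kernel version" message without consulting errno, so an EPERM or EINVAL returned for the config request would be reported as a missing kernel feature; the v4 example's perror() on the same result suggests errno is meaningful here. I would include the cause, e.g. `fprintf(stderr, "NFQA_CFG_F_SECCTX not accepted: %s\n", strerror(errno));`, or make the kernel-version wording conditional on the specific errno value the kernel returns for an unsupported NFQA_CFG_F_SECCTX. The \param flags text also cites the absolute path /usr/include/linux/netlink.h; `<linux/netlink.h>` is the portable spelling. The body of nfq_nlmsg_put2() continues past the hunk.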
--
2.35.8
* Re: [PATCH libnetfilter_queue v5 1/1] src: Add nfq_nlmsg_put2() - user specifies header flags
2023-11-26 1:53 ` [PATCH libnetfilter_queue v5 1/1] " Duncan Roe
@ 2023-12-06 15:33 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-12-06 15:33 UTC (permalink / raw)
To: Duncan Roe; +Cc: netfilter-devel
On Sun, Nov 26, 2023 at 12:53:52PM +1100, Duncan Roe wrote:
> Enable mnl programs to check whether a config request was accepted.
> (nfnl programs do this already).
Applied, thanks