NFQUEUE hello world-style program

NFQUEUE hello world-style program

[Simon Perreault]

Hello,

I'm trying to write a hello world-style program using NFQUEUE. It hangs in the 
select() call on the nfq file descriptor even though I can see 
with "iptables -L -n -v" that there are packets that match the rule.

Here's my iptables rule:

# iptables -A INPUT -p udp --dport 12345 -j NFQUEUE --queue-num=0

I generate packets thusly:

# echo "hello" | nc -u localhost 12345

Here's my C code:

=======================================================
#include <libnetfilter_queue/libnetfilter_queue.h>

#include <stdio.h>

int cb( struct nfq_q_handle* q, struct nfgenmsg *nfmsg,
        struct nfq_data *nfad, void *data )
{
    char* payload;
    printf( "received %d bytes\n", nfq_get_payload(nfad, &payload) );
    return 0;
}

int main()
{
    struct nfq_handle* h = nfq_open();
    struct nfq_q_handle* q = nfq_create_queue( h, 0, cb, 0 );
    int fd = nfq_fd(h);

    while (1) {
        fd_set readfds;
        FD_ZERO(&readfds);
        FD_SET(fd, &readfds);
        select( fd + 1, &readfds, 0, 0, 0 );

        char buf[8192];
        ssize_t size = recv( fd, buf, sizeof(buf), 0 );

        nfq_handle_packet( h, buf, size );
    }

    return 0;
}
=======================================================

Any idea what might be missing?

Thanks,
Simon

-- 
Please try Numb, a STUN/TURN server implementation.
Free access at http://numb.viagenie.ca/.

Re: NFQUEUE hello world-style program

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 774 bytes --]

Hello,

On Thursday, 2008 July  3 at 16:07:21 -0400, Simon Perreault wrote:
> 
> #include <stdio.h>
> 
> int cb( struct nfq_q_handle* q, struct nfgenmsg *nfmsg,
>         struct nfq_data *nfad, void *data )
> {
>     char* payload;
>     printf( "received %d bytes\n", nfq_get_payload(nfad, &payload) );
>     return 0;
> }
> 
> int main()
> {
>     struct nfq_handle* h = nfq_open();

You are missing the unbind  bind 
	
	nfq_unbind_pf(h, AF_INET);
	nfq_bind_pf(h, AF_INET);

You can have a look at for working  code: 
 * utils/nfqnl_test.c in libnetfilter_queue sources
 * http://software.inl.fr/trac/browser/mirror/edenwall/nufw/trunk/nufw/src/nufw/packetsrv.c#L219

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: NFQUEUE hello world-style program

[Simon Perreault]

On Friday 04 July 2008 05:26:38 Eric Leblond wrote:
> You are missing the unbind  bind
>
> 	nfq_unbind_pf(h, AF_INET);
> 	nfq_bind_pf(h, AF_INET);
>
> You can have a look at for working  code:
>  * utils/nfqnl_test.c in libnetfilter_queue sources
>  *
> http://software.inl.fr/trac/browser/mirror/edenwall/nufw/trunk/nufw/src/nuf
>w/packetsrv.c#L219

Many thanks!

I suppose if I want to bind to multiple families I do as in packetsrv.c, 
right?

nfq_unbind_pf(h, AF_INET);
nfq_bind_pf(h, AF_INET);
nfq_unbind_pf(h, AF_INET6);
nfq_bind_pf(h, AF_INET6);

And out of curiosity, is the unbind really needed or is it a relic of the 
past? :)

Thanks again,
Simon

-- 
Please try Numb, a STUN/TURN server implementation.
Free access at http://numb.viagenie.ca/.

Re: NFQUEUE hello world-style program

[Simon Perreault]

On Friday 04 July 2008 05:26:38 Eric Leblond wrote:
> You are missing the unbind  bind
>
> 	nfq_unbind_pf(h, AF_INET);
> 	nfq_bind_pf(h, AF_INET);

For the record, I was missing one other thing too:

nfq_set_mode( q, NFQNL_COPY_PACKET, 0xffff );

-- 
Please try Numb, a STUN/TURN server implementation.
Free access at http://numb.viagenie.ca/.

Re: NFQUEUE hello world-style program

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 1023 bytes --]

Hello,

On Friday, 2008 July  4 at  8:28:37 -0400, Simon Perreault wrote:
> On Friday 04 July 2008 05:26:38 Eric Leblond wrote:
> > You are missing the unbind  bind
> >
> > 	nfq_unbind_pf(h, AF_INET);
> > 	nfq_bind_pf(h, AF_INET);
> >
> > You can have a look at for working  code:
> >  * utils/nfqnl_test.c in libnetfilter_queue sources
> >  *
> > http://software.inl.fr/trac/browser/mirror/edenwall/nufw/trunk/nufw/src/nuf
> >w/packetsrv.c#L219
> 
> Many thanks!
> 
> I suppose if I want to bind to multiple families I do as in packetsrv.c, 
> right?
> 
> nfq_unbind_pf(h, AF_INET);
> nfq_bind_pf(h, AF_INET);
> nfq_unbind_pf(h, AF_INET6);
> nfq_bind_pf(h, AF_INET6);


Exact !

> And out of curiosity, is the unbind really needed or is it a relic of the 
> past? :)

Don't know could you test this ? I did not change or look at my code on
NuFW since a long time now.

> 
> Thanks again,

You're welcome.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]