summaryrefslogtreecommitdiffstats
path: root/daemon/ipqapi.c
blob: b0649bc456891344d232299192881876ea3aac92 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#include <string.h>
#include <time.h>

#include <daemon-log.h>

#include "icmp.h"
#include "ipqapi.h"
#include "main.h"
#include "client.h"
#include "packet.h"

#define BUFSIZE (10*1024)

static struct ipq_handle *ipq = NULL;

int ipqapi_init() {
    int status;
    
    if (!(ipq = ipq_create_handle(0, PF_INET))) { 
        daemon_log(LOG_ERR, "ipq_create_handle(): %s", ipq_errstr()); 
        return -1;
    } 
    
    if ((status = ipq_set_mode(ipq, IPQ_COPY_PACKET, BUFSIZE)) < 0) {
        daemon_log(LOG_ERR, "ipq_set_mode(): %s", ipq_errstr());
        daemon_log(LOG_INFO, "Perhaps you should run 'modprobe ip_queue'?");
        ipq_destroy_handle(ipq);
        ipq = NULL;
        return -1;
    } 

    FD_SET(ipq->fd, &listen_rfds);
    
    return 0;
}

void ipqapi_done() {
    if (ipq) {
        FD_CLR(ipq->fd, &listen_rfds);
        ipq_destroy_handle(ipq);
    }
    
    ipq = NULL;
}

int ipqapi_work() {
    int status;
    static guint8 buf[BUFSIZE];
    
    if (!FD_ISSET(ipq->fd, &select_rfds))
        return 0;
    
    if ((status = ipq_read(ipq, buf, BUFSIZE, 0)) < 0) {
        daemon_log(LOG_ERR, "ipq_read(): %s", ipq_errstr()); 
        return -1;
    }
    
    switch (ipq_message_type(buf)) {
        case NLMSG_ERROR:
            daemon_log(LOG_ERR, "Received error message: %s\n", strerror(ipq_get_msgerr(buf)));
            return -1;
            
        case IPQM_PACKET: {
            ipq_packet_msg_t *m = ipq_get_packet(buf);
            
            if (!m->timestamp_sec)
                time(&m->timestamp_sec);

            if (log_packets)
                daemon_log(LOG_DEBUG, "[%lu] Recieved packet, forwarding to client", m->packet_id);
            
            if (client_is_connected()) {
                packet_new(m);
                client_send_enqueue(message_new(MSG_PACKET, (guint8*) m, sizeof(ipq_packet_msg_t)+m->data_len));
            } else {
                if (log_packets)
                    daemon_log(LOG_DEBUG, "[%lu] No clients listening, verdicting", m->packet_id);
                
                if (ipqapi_verdict(m, default_verdict) < 0) {
                    daemon_log(LOG_ERR, "Sending verdict failed.");
                    return -1;
                }
            }
            
            return 0;
        }
            
        default:
            daemon_log(LOG_WARNING, "Recieved invalid IPQ message.");
            return -1;
    }
}

int ipqapi_verdict(ipq_packet_msg_t *m, guint32 resp) {
    int nf = NF_DROP, icmp = 0;

    if (resp > 17) resp = 17;
    
    if (resp == 0)
        nf = NF_DROP;
    else if (resp == 1)
        nf = NF_ACCEPT;
    else {
        nf = NF_DROP;
        icmp = 1;
    }
    
    if (ipq_set_verdict(ipq, m->packet_id, nf, 0, NULL) < 0) {
        daemon_log(LOG_ERR, "ipq_set_verdict(): %s", ipq_errstr()); 
        return -1;
    }

    
    if (icmp)
        return reply_icmp_error(m, resp-2);

    return 0;
}