dear all,
I'm trying my hand on the NFLOG target of iptables, so I setup
the below ones on my ubuntu machine 10.4 :
libnetfilter_log-1.0.0
libnfnetlink-dev_1.0.0
$ uname -a
Linux ubuntu 2.6.32.21 #2 SMP Wed Jul 6 22:03:07 PDT 2011 i686 GNU/Linux
but when I try to build and run the utils nfulnl_test.c this is what
I'm getting using the below command
gcc -o nfulnl_test nfulnl_test.c -L /usr/local/lib/ -lnetfilter_log
$ ./nfulnl_test
binding nfnetlink_log to AF_INET
error during nflog_bind_pf()
Am I missing something, any help is appreciated.
Many thanks,
GK
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <libnetfilter_log/libnetfilter_log.h>
static int print_pkt(struct nflog_data *ldata)
{
struct nfulnl_msg_packet_hdr *ph = nflog_get_msg_packet_hdr(ldata);
u_int32_t mark = nflog_get_nfmark(ldata);
u_int32_t indev = nflog_get_indev(ldata);
u_int32_t outdev = nflog_get_outdev(ldata);
char *prefix = nflog_get_prefix(ldata);
char *payload;
int payload_len = nflog_get_payload(ldata, &payload);
if (ph) {
printf("hw_protocol=0x%04x hook=%u ",
ntohs(ph->hw_protocol), ph->hook);
}
printf("mark=%u ", mark);
if (indev > 0)
printf("indev=%u ", indev);
if (outdev > 0)
printf("outdev=%u ", outdev);
if (prefix) {
printf("prefix=\"%s\" ", prefix);
}
if (payload_len >= 0)
printf("payload_len=%d ", payload_len);
fputc('\n', stdout);
return 0;
}
static int cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg,
struct nflog_data *nfa, void *data)
{
print_pkt(nfa);
}
int main(int argc, char **argv)
{
struct nflog_handle *h;
struct nflog_g_handle *qh;
struct nflog_g_handle *qh100;
int rv, fd;
char buf[4096];
h = nflog_open();
if (!h) {
fprintf(stderr, "error during nflog_open()\n");
exit(1);
}
printf("unbinding existing nf_log handler for AF_INET (if any)\n");
if (nflog_unbind_pf(h, AF_INET) < 0) {
fprintf(stderr, "error nflog_unbind_pf()\n");
exit(1);
}
printf("binding nfnetlink_log to AF_INET\n");
if (nflog_bind_pf(h, AF_INET) < 0) {
fprintf(stderr, "error during nflog_bind_pf()\n");
exit(1);
}
printf("binding this socket to group 0\n");
qh = nflog_bind_group(h, 0);
if (!qh) {
fprintf(stderr, "no handle for grup 0\n");
exit(1);
}
printf("binding this socket to group 100\n");
qh100 = nflog_bind_group(h, 100);
if (!qh100) {
fprintf(stderr, "no handle for group 100\n");
exit(1);
}
printf("setting copy_packet mode\n");
if (nflog_set_mode(qh, NFULNL_COPY_PACKET, 0xffff) < 0) {
fprintf(stderr, "can't set packet copy mode\n");
exit(1);
}
fd = nflog_fd(h);
printf("registering callback for group 0\n");
nflog_callback_register(qh, &cb, NULL);
printf("going into main loop\n");
while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
struct nlmsghdr *nlh;
printf("pkt received (len=%u)\n", rv);
/* handle messages in just-received packet */
nflog_handle_packet(h, buf, rv);
}
printf("unbinding from group 100\n");
nflog_unbind_group(qh100);
printf("unbinding from group 0\n");
nflog_unbind_group(qh);
#ifdef INSANE
/* norally, applications SHOULD NOT issue this command,
* since it detaches other programs/sockets from AF_INET, too ! */
printf("unbinding from AF_INET\n");
nflog_unbind_pf(h, AF_INET);
#endif
printf("closing handle\n");
nflog_close(h);
exit(0);
}
