dear all, I'm trying my hand on the NFLOG target of iptables, so I setup the below ones on my ubuntu machine 10.4 : libnetfilter_log-1.0.0 libnfnetlink-dev_1.0.0 $ uname -a Linux ubuntu 2.6.32.21 #2 SMP Wed Jul 6 22:03:07 PDT 2011 i686 GNU/Linux but when I try to build and run the utils nfulnl_test.c this is what I'm getting using the below command gcc -o nfulnl_test nfulnl_test.c -L /usr/local/lib/ -lnetfilter_log $ ./nfulnl_test binding nfnetlink_log to AF_INET error during nflog_bind_pf() Am I missing something, any help is appreciated. Many thanks, GK
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <netinet/in.h> #include <libnetfilter_log/libnetfilter_log.h> static int print_pkt(struct nflog_data *ldata) { struct nfulnl_msg_packet_hdr *ph = nflog_get_msg_packet_hdr(ldata); u_int32_t mark = nflog_get_nfmark(ldata); u_int32_t indev = nflog_get_indev(ldata); u_int32_t outdev = nflog_get_outdev(ldata); char *prefix = nflog_get_prefix(ldata); char *payload; int payload_len = nflog_get_payload(ldata, &payload); if (ph) { printf("hw_protocol=0x%04x hook=%u ", ntohs(ph->hw_protocol), ph->hook); } printf("mark=%u ", mark); if (indev > 0) printf("indev=%u ", indev); if (outdev > 0) printf("outdev=%u ", outdev); if (prefix) { printf("prefix=\"%s\" ", prefix); } if (payload_len >= 0) printf("payload_len=%d ", payload_len); fputc('\n', stdout); return 0; } static int cb(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg, struct nflog_data *nfa, void *data) { print_pkt(nfa); } int main(int argc, char **argv) { struct nflog_handle *h; struct nflog_g_handle *qh; struct nflog_g_handle *qh100; int rv, fd; char buf[4096]; h = nflog_open(); if (!h) { fprintf(stderr, "error during nflog_open()\n"); exit(1); } printf("unbinding existing nf_log handler for AF_INET (if any)\n"); if (nflog_unbind_pf(h, AF_INET) < 0) { fprintf(stderr, "error nflog_unbind_pf()\n"); exit(1); } printf("binding nfnetlink_log to AF_INET\n"); if (nflog_bind_pf(h, AF_INET) < 0) { fprintf(stderr, "error during nflog_bind_pf()\n"); exit(1); } printf("binding this socket to group 0\n"); qh = nflog_bind_group(h, 0); if (!qh) { fprintf(stderr, "no handle for grup 0\n"); exit(1); } printf("binding this socket to group 100\n"); qh100 = nflog_bind_group(h, 100); if (!qh100) { fprintf(stderr, "no handle for group 100\n"); exit(1); } printf("setting copy_packet mode\n"); if (nflog_set_mode(qh, NFULNL_COPY_PACKET, 0xffff) < 0) { fprintf(stderr, "can't set packet copy mode\n"); exit(1); } fd = nflog_fd(h); printf("registering callback for group 0\n"); nflog_callback_register(qh, &cb, NULL); printf("going into main loop\n"); while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) { struct nlmsghdr *nlh; printf("pkt received (len=%u)\n", rv); /* handle messages in just-received packet */ nflog_handle_packet(h, buf, rv); } printf("unbinding from group 100\n"); nflog_unbind_group(qh100); printf("unbinding from group 0\n"); nflog_unbind_group(qh); #ifdef INSANE /* norally, applications SHOULD NOT issue this command, * since it detaches other programs/sockets from AF_INET, too ! */ printf("unbinding from AF_INET\n"); nflog_unbind_pf(h, AF_INET); #endif printf("closing handle\n"); nflog_close(h); exit(0); }