Enable mnl programs to check whether a config request was accepted. (nfnl programs do this already).
Signed-off-by: Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx>
---
 .../libnetfilter_queue/libnetfilter_queue.h | 1 +
 src/nlmsg.c | 72 ++++++++++++++++---
 2 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h
index 3d8e444..084a2ea 100644
--- a/include/libnetfilter_queue/libnetfilter_queue.h
+++ b/include/libnetfilter_queue/libnetfilter_queue.h
@@ -151,6 +151,7 @@ void nfq_nlmsg_verdict_put_pkt(struct nlmsghdr *nlh, const void *pkt, uint32_t p
 int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr);
 struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num);
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num);
 #ifdef __cplusplus
 } /* extern "C" */
diff --git a/src/nlmsg.c b/src/nlmsg.c
index 5400dd7..ba53df2 100644
--- a/src/nlmsg.c
+++ b/src/nlmsg.c
@@ -300,6 +300,21 @@ int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
 nfq_pkt_parse_attr_cb, attr);
 }
+static struct nlmsghdr *__nfq_nlmsg_put(char *buf, int type, uint32_t queue_num,
+ uint16_t flags)
+{
+ struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
+ nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | type;
+ nlh->nlmsg_flags = flags;
+
+ struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+ nfg->nfgen_family = AF_UNSPEC;
+ nfg->version = NFNETLINK_V0;
+ nfg->res_id = htons(queue_num);
+
+ return nlh;
+}
+
 /**
 * nfq_nlmsg_put - Convert memory buffer into a Netlink buffer
 * \param *buf Pointer to memory buffer
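Review bot: The new static helper is named `__nfq_nlmsg_put`, and every identifier beginning with two underscores is reserved for the implementation in C (C11 §7.1.3), so it should take an ordinary project prefix instead, e.g. `static struct nlmsghdr *nfq_nlmsg_put_flags(char *buf, int type, uint32_t queue_num, uint16_t flags)`, with the two callers in the following hunk renamed to match. The helper also carries no comment; a one-liner such as `/* Shared body of nfq_nlmsg_put and nfq_nlmsg_put2: flags go straight into nlmsg_flags. */` above it would tell a reader why two exported entry points funnel through it. The header hunk only adds the nfq_nlmsg_put2 prototype and needs nothing further.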
@@ -310,16 +325,57 @@ int nfq_nlmsg_parse(const struct nlmsghdr *nlh, struct nlattr **attr)
 EXPORT_SYMBOL
 struct nlmsghdr *nfq_nlmsg_put(char *buf, int type, uint32_t queue_num)
 {
- struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
- nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | type;
- nlh->nlmsg_flags = NLM_F_REQUEST;
+ return __nfq_nlmsg_put(buf, type, queue_num, NLM_F_REQUEST);
+}
- struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
- nfg->nfgen_family = AF_UNSPEC;
- nfg->version = NFNETLINK_V0;
- nfg->res_id = htons(queue_num);
+/**
+ * nfq_nlmsg_put2 - Convert memory buffer into a Netlink buffer with NLM_F_ACK
+ * flag present
+ * \param *buf Pointer to memory buffer
+ * \param type Either NFQNL_MSG_CONFIG or NFQNL_MSG_VERDICT
+ * \param queue_num Queue number
+ * \returns Pointer to netlink message
+ *
+ * Use this function before performing an action that might fail, e.g.
+ * attempt to configure NFQA_CFG_F_SECCTX on a system not runnine SELinux.
+ * \n
+ * NLM_F_ACK instructs the kernel to send a message in response
+ * to a successful command.
+ * The kernel always sends a message in response to a failed command.
+ * \n
+ * This code snippet demonstrates reading these responses:
+ * \verbatim
+ nlh = nfq_nlmsg_put2(nltxbuf, NFQNL_MSG_CONFIG, queue_num);
+ mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, NFQA_CFG_F_SECCTX);
+ mnl_attr_put_u32(nlh, NFQA_CFG_MASK, NFQA_CFG_F_SECCTX);
- return nlh;
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, nlrxbuf, sizeof nlrxbuf);
+ if (ret == -1) {
+ perror("mnl_socket_recvfrom");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_cb_run(nlrxbuf, ret, 0, portid, NULL, NULL);
+ if (ret == -1)
+ perror("configure NFQA_CFG_F_SECCTX");
+\endverbatim
+ *
+ * \note
+ * The program above can continue after the error because NFQA_CFG_F_SECCTX
+ * was the only item in the preceding **mnl_socket_sendto**.
+ * If there had been other items, they would not have been actioned and it would
+ * not now be safe to proceed.
+ */
+
+EXPORT_SYMBOL
+struct nlmsghdr *nfq_nlmsg_put2(char *buf, int type, uint32_t queue_num)
+{
+ return __nfq_nlmsg_put(buf, type, queue_num, NLM_F_REQUEST|NLM_F_ACK);
 }
 /**
-- 
2.35.8
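Review bot: The example in the nfq_nlmsg_put2 doc comment passes `0` as the sequence number to `mnl_cb_run` and never sets `nlh->nlmsg_seq`, so the reply is not tied to the request: whatever message is next on the socket could be taken as the ACK and the accept/fail decision made on the wrong message. Give the request a sequence and check it on the reply, `nlh->nlmsg_seq = seq;` right after the nfq_nlmsg_put2 call and `ret = mnl_cb_run(nlrxbuf, ret, seq, portid, NULL, NULL);` in place of the 0, so that mnl_cb_run rejects a mismatched reply with EPROTO. Since the doc allows NFQNL_MSG_VERDICT as well, the \note could also warn that a caller already receiving packets on the same socket may see a packet message before the ACK and must not treat it as the answer. The same comment has a typo, `runnine` for `running`, in the NFQA_CFG_F_SECCTX sentence.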