diff --git a/backend/nfqueue/nfqueue b/backend/nfqueue/nfqueue index f65ef77..c50e928 100755 Binary files a/backend/nfqueue/nfqueue and b/backend/nfqueue/nfqueue differ diff --git a/backend/nfqueue/nfqueue.cpp b/backend/nfqueue/nfqueue.cpp index e624737..ab08abe 100644 --- a/backend/nfqueue/nfqueue.cpp +++ b/backend/nfqueue/nfqueue.cpp @@ -45,18 +45,18 @@ bool unhexlify(string const &hex, string &newString) { typedef pair regex_rule_pair; typedef vector regex_rule_vector; struct regex_rules{ - regex_rule_vector regex_s_c_w, regex_c_s_w, regex_s_c_b, regex_c_s_b; + regex_rule_vector output_whitelist, input_whitelist, output_blacklist, input_blacklist; regex_rule_vector* getByCode(char code){ switch(code){ case 'C': // Client to server Blacklist - return ®ex_c_s_b; break; + return &output_blacklist; break; case 'c': // Client to server Whitelist - return ®ex_c_s_w; break; + return &output_whitelist; break; case 'S': // Server to client Blacklist - return ®ex_s_c_b; break; + return &input_blacklist; break; case 's': // Server to client Whitelist - return ®ex_s_c_w; break; + return &input_whitelist; break; } throw invalid_argument( "Expected 'C' 'c' 'S' or 's'" ); } 
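Review bot: The new member names disagree with the direction comments they are attached to in `getByCode`: `case 'C': // Client to server Blacklist` now returns `&output_blacklist` and `case 'S': // Server to client Blacklist` returns `&input_blacklist`, and in the next hunk `check` selects `in_input ? input_blacklist : output_blacklist`, whereas the old code selected `regex_c_s_b` (the 'C' set) for `in_input`. So the set applied to inbound traffic has flipped from the 'C' rules to the 'S' rules; if the old mapping was the inverted one and this is the intended fix, the case comments should be updated to say so, otherwise 'C' should map to `input_blacklist` (and 'c' to `input_whitelist`). Either way a one-line comment on the member declaration stating which letter feeds which set, e.g. `// 'C'/'c' = input_* (client→server), 'S'/'s' = output_* (server→client)` once the intended mapping is settled, would stop the two ends drifting again. The `regex_rules` struct continues past the end of this hunk.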
@@ -93,34 +93,36 @@ struct regex_rules{ return 0; } + bool check(unsigned char* data, const size_t& bytes_transferred, const bool in_input){ + string str_data((char *) data, bytes_transferred); + for (regex_rule_pair ele:(in_input?input_blacklist:output_blacklist)){ + try{ + if(ele.second.match(str_data)){ + unique_lock lck(stdout_mutex); + cout << "BLOCKED " << ele.first << endl; + return false; + } + } catch(...){ + cerr << "[info] [regex_rules.check] Error while matching blacklist regex: " << ele.first << endl; + } + } + for (regex_rule_pair ele:(in_input?input_whitelist:output_whitelist)){ + try{ + if(!ele.second.match(str_data)){ + unique_lock lck(stdout_mutex); + cout << "BLOCKED " << ele.first << endl; + return false; + } + } catch(...){ + cerr << "[info] [regex_rules.check] Error while matching whitelist regex: " << ele.first << endl; + } + } + return true; + } + }; -bool check(unsigned char* data, const size_t& bytes_transferred, const bool in_input, regex_rules* rules){ - string str_data((char *) data, bytes_transferred); - for (regex_rule_pair ele:in_input?rules->regex_c_s_b:rules->regex_s_c_b){ - try{ - if(ele.second.match(str_data)){ - unique_lock lck(stdout_mutex); - cout << "BLOCKED " << ele.first << endl; - return false; - } - } catch(...){ - cerr << "[info] [regex_rules.check] Error while matching blacklist regex: " << ele.first << endl; - } - } - for (regex_rule_pair ele:in_input?rules->regex_c_s_w:rules->regex_s_c_w){ - try{ - if(!ele.second.match(str_data)){ - unique_lock lck(stdout_mutex); - cout << "BLOCKED " << ele.first << endl; - return false; - } - } catch(...){ - cerr << "[info] [regex_rules.check] Error while matching whitelist regex: " << ele.first << endl; - } - } - return true; -} + shared_ptr regex_config; 
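Review bot: A rule whose match throws is silently treated as non-blocking in the new `check`: both `catch(...)` blocks log and fall through, so a blacklist entry that errors lets the payload through and a whitelist entry that errors imposes no constraint on it. If that fail-open behaviour is deliberate it should be stated in a comment above the method, together with the return contract (`true` = forward, `false` = drop); otherwise `return false;` in the blacklist `catch`, or reject the rule when it is loaded, would make the filter fail closed. Separately, `for (regex_rule_pair ele : …)` copies the pair and its compiled regex on every packet for every rule; `for (const regex_rule_pair& ele : …)` avoids that without changing behaviour. The `const size_t&` parameter and the C-style `(char *) data` cast are style points: pass `size_t` by value and prefer `reinterpret_cast<const char*>(data)`.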
@@ -184,7 +186,7 @@ class NetfilterQueue { if it is set to 0, this message is the error generated by NFQNL_CFG_CMD_NONE So NFQNL_CFG_CMD_BIND doesn't sended any error and it's all ok. */ - if (nlh->nlmsg_len < 45 && buf[44] == 1){ + if (buf[44] == 1){ _clear(); throw std::invalid_argument( "queueid is already busy" ); } @@ -426,7 +428,7 @@ class NFQueueSequence{ template bool filter_callback(const uint8_t *data, uint32_t len){ shared_ptr current_config = regex_config; - return check((unsigned char *)data, len, is_input, current_config.get()); + return current_config->check((unsigned char *)data, len, is_input); } int main(int argc, char *argv[])
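Review bot: Dropping the length test leaves `buf[44]` read unconditionally, so the branch now inspects a byte that may lie beyond what was actually received into `buf` and come from stale or uninitialised buffer contents; the old predicate `nlmsg_len < 45 && buf[44] == 1` looked inverted, which is presumably why it was removed, but the bound should be corrected rather than deleted. Validate the reply against the received byte count with `NLMSG_OK(nlh, <received_len>)` (placeholder for whatever `recv` returned) and keep a guard such as `if (nlh->nlmsg_len > 44 && buf[44] == 1){`. The magic offset 44 would also read more clearly if derived from the netlink message structures, but I cannot see from this hunk how `buf` and `nlh` are filled. The enclosing method begins and ends outside the hunk.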
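Review bot: `current_config->check(...)` in `filter_callback` dereferences `regex_config` without a null check, so a callback that fires before a configuration has been installed crashes the filter; the previous `check(..., current_config.get())` had the same exposure, but now that it is a member call an explicit `if (!current_config) return true;` (or `false`, if the desired default is fail-closed) would document the choice. The copy `shared_ptr current_config = regex_config;` from a shared global is only safe against concurrent reassignment if every reader and writer goes through `std::atomic_load`/`std::atomic_store` on the `shared_ptr`, which I cannot confirm from this hunk; the `stdout_mutex` used in `check` suggests more than one thread is involved. The template header of `filter_callback` is inside the hunk but `main` and the rest of the file are not.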