diff --git a/.gitignore b/.gitignore
index 1c31cbd..dbef8d4 100755
--- a/.gitignore
+++ b/.gitignore
@@ -12,7 +12,7 @@
 /backend/db/firegex.db
 /backend/db/firegex.db-journal
-/backend/nfqueue/main
+/backend/nfqueue/nfqueue
 docker-compose.yml
 # misc
diff --git a/Dockerfile b/Dockerfile
index b536724..8f0f113 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 #Building main conteiner
-FROM python:slim-buster
+FROM python:slim-bullseye
 RUN apt-get update && apt-get -y install \
 build-essential git iptables libpcre2-dev\
@@ -15,7 +15,8 @@ RUN mkdir /execute/
 WORKDIR /execute
 COPY ./backend/nfqueue /execute/nfqueue
-RUN gcc nfqueue/nfqueue.cpp -o nfqueue/nfqueue -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink
+
+RUN g++ nfqueue/nfqueue.cpp -o nfqueue/nfqueue -O3 -march=native -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink
 ADD ./backend/requirements.txt /execute/requirements.txt
 RUN pip install --no-cache-dir -r /execute/requirements.txt
diff --git a/backend/nfqueue/nfqueue.cpp b/backend/nfqueue/nfqueue.cpp
index c27b50e..519908d 100644
--- a/backend/nfqueue/nfqueue.cpp
+++ b/backend/nfqueue/nfqueue.cpp
@@ -149,8 +149,7 @@ class NetfilterQueue {
 struct mnl_socket* nl = NULL;
 NetfilterQueue(u_int16_t queue_num): queue_num(queue_num) {
-
- struct nlmsghdr *nlh;
+
 nl = mnl_socket_open(NETLINK_NETFILTER);
 if (nl == NULL) { throw runtime_error( "mnl_socket_open" );}
@@ -162,6 +161,7 @@ class NetfilterQueue {
 portid = mnl_socket_get_portid(nl);
 buf = (char*) malloc(BUF_SIZE);
+ if (!buf) {
 mnl_socket_close(nl);
 throw runtime_error( "allocate receive buffer" );
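Review bot: `-march=native` in the new `RUN g++ …` line ties the binary to the CPU of whatever machine happens to run `docker build`, so an image built on a newer host can die with SIGILL on an older one and the build stops being reproducible; drop it, or name an explicit baseline such as `-march=x86-64-v2` if the speedup matters. Judging by the `-lnetfilter_queue`/`-lpcre2-8` link flags this binary runs regexes over packet payloads it does not control, which makes this line the place to add the hardening the old `gcc` line never had: `RUN g++ -O2 -Wall -Wextra -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now nfqueue/nfqueue.cpp -o nfqueue/nfqueue -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink`. `-D_FORTIFY_SOURCE` only takes effect with optimisation enabled, which `-O2` satisfies, and none of these flags change the program's interface, so nothing else in the Dockerfile needs to move.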
@@ -171,27 +171,34 @@ class NetfilterQueue { _clear(); throw runtime_error( "mnl_socket_send" ); } - -//TESTING QUEUE: TODO find a legal system to test if the queue was binded successfully - if (send_config_cmd(NFQNL_CFG_CMD_NONE) < 0) { + //TEST if BIND was successful + if (send_config_cmd(NFQNL_CFG_CMD_NONE) < 0) { // SEND A NONE cmmand to generate an error meessage _clear(); throw runtime_error( "mnl_socket_send" ); } - if (recv_packet() == -1) { + if (recv_packet() == -1) { //RECV the error message _clear(); throw std::runtime_error( "mnl_socket_recvfrom" ); } - /* - I checked that if this byte (that is the only one that changes) is set to 1, - this message is the NFQNL_CFG_CMD_BIND error, instead - if it is set to 0, this message is the error generated by NFQNL_CFG_CMD_NONE - So NFQNL_CFG_CMD_BIND doesn't sended any error and it's all ok. - */ - if (buf[44] == 1){ + + struct nlmsghdr *nlh = (struct nlmsghdr *) buf; + + if (nlh->nlmsg_type != NLMSG_ERROR) { + _clear(); + throw runtime_error( "unexpected packet from kernel (expected NLMSG_ERROR packet)" ); + } + //nfqnl_msg_config_cmd + nlmsgerr* error_msg = (nlmsgerr *)mnl_nlmsg_get_payload(nlh); + + // error code taken from the linux kernel: + // https://elixir.bootlin.com/linux/v5.18.12/source/include/linux/errno.h#L27 + #define ENOTSUPP 524 /* Operation is not supported */ + + if (error_msg->error != -ENOTSUPP) { _clear(); throw std::invalid_argument( "queueid is already busy" ); } -//END TESTING QUEUE + //END TESTING BIND nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_PACKET, 0xffff); @@ -271,8 +278,7 @@ class NetfilterQueue { //Get Payload uint16_t plen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]); void *payload = mnl_attr_get_payload(attr[NFQA_PAYLOAD]); - - + //Return result to the kernel struct nfqnl_msg_packet_hdr *ph = (nfqnl_msg_packet_hdr*) mnl_attr_get_payload(attr[NFQA_PACKET_HDR]); struct nfgenmsg *nfg = (nfgenmsg *)mnl_nlmsg_get_payload(nlh); 
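Review bot: The new NLMSG_ERROR handling dereferences `nlh` and then `error_msg` without ever checking how many bytes `recv_packet()` actually put in `buf`; its result is only compared with -1, so a short or truncated datagram is parsed as if it were a complete `nlmsghdr` plus `nlmsgerr`, and whatever `malloc` left in the rest of the buffer decides whether the constructor throws. Run `mnl_nlmsg_ok()` on the received length (assuming `recv_packet()` returns the byte count from `mnl_socket_recvfrom`; its body is outside the hunk) and require `mnl_nlmsg_get_payload_len(nlh) >= sizeof(struct nlmsgerr)` before reading `error_msg->error`. Separately, every error other than -ENOTSUPP is reported as `"queueid is already busy"`, which hides the real errno — as far as I recall the same -EPERM comes back both when another process owns the queue and when the caller lacks CAP_NET_ADMIN, and -EEXIST/-EINVAL are possible too — so append `strerror(-error_msg->error)` to the message, keeping `std::invalid_argument` (and the old prefix, if anything matches on it) so existing catch sites still work. Finally, `#define ENOTSUPP 524` inside the constructor body leaks to the rest of the translation unit and becomes a redefinition if a header ever provides it; a `static constexpr int` does the same job without that risk. The constructor continues outside the hunk on both sides.
```cpp
    ssize_t received = recv_packet(); // assumed: byte count from mnl_socket_recvfrom, -1 on error
    if (received == -1) { //RECV the error message
        _clear();
        throw std::runtime_error( "mnl_socket_recvfrom" );
    }

    struct nlmsghdr *nlh = (struct nlmsghdr *) buf;
    // Validate length and type before reading any field of the reply.
    if (!mnl_nlmsg_ok(nlh, (int) received) || nlh->nlmsg_type != NLMSG_ERROR
            || mnl_nlmsg_get_payload_len(nlh) < sizeof(struct nlmsgerr)) {
        _clear();
        throw runtime_error( "unexpected packet from kernel (expected NLMSG_ERROR packet)" );
    }
    const nlmsgerr *error_msg = (const nlmsgerr *) mnl_nlmsg_get_payload(nlh);

    // ENOTSUPP is kernel-internal (include/linux/errno.h), not in userspace <errno.h>.
    // It is the reply to the NFQNL_CFG_CMD_NONE probe; anything else is the BIND's own error.
    static constexpr int kEnotsupp = 524;
    if (error_msg->error != -kEnotsupp) {
        _clear();
        throw std::invalid_argument( std::string("queueid is already busy: ") + strerror(-error_msg->error) );
    }
    // … unchanged: //END TESTING BIND, nfq_nlmsg_put / nfq_nlmsg_cfg_put_params …
```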
@@ -466,6 +472,4 @@ WORKDIR /tmp/jpcre2
 RUN ./configure; make; make install
 WORKDIR /
-//NFQNL_CFG_CMD_UNBIND ???
- */
\ No newline at end of file