
分类: 网络与安全

2015-11-25 16:21:49

google的代码有大量问题,做了相应的修改。
centos安装 开发包

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel

yum install epel-release

yum -y install libnetfilter_queue-devel

代码


  1. /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
  2. /*
  3.  * Copyright (c) 2007 Joe Kopena, Drexel University
  4.  *
  5.  * This program is free software; you can redistribute it and/or modify
  6.  * it under the terms of the GNU General Public License version 2 as
  7.  * published by the Free Software Foundation;
  8.  *
  9.  * This program is distributed in the hope that it will be useful,
  10.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12.  * GNU General Public License for more details.
  13.  *
  14.  * You should have received a copy of the GNU General Public License
  15.  * along with this program; if not, write to the Free Software
  16.  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  17.  *
  18.  * Authors: Joe Kopena <tjkopena@cs.drexel.edu>
  19.  */

  #include <iostream>
  #include <iomanip>
  #include <ctype.h>
  #include <errno.h>
  #include <stdlib.h>
  #include <time.h>

  #include <netinet/in.h>
  #include <sys/socket.h>
  extern "C" {
    #include <linux/netfilter.h> /* Defines verdicts (NF_ACCEPT, etc) */
    #include <libnetfilter_queue/libnetfilter_queue.h>
  }

  29. using namespace std;

  30. //----------------------------------------------------------------------
  31. //------------------------------------------------------
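  /**
   * Per-packet callback invoked by nfq_handle_packet().
   *
   * Prints the packet's netfilter metadata (id, hw protocol, hook, MAC
   * address, timestamp, mark, in/out device index) and a printable-only
   * rendering of the payload, then accepts the packet unmodified.
   *
   * Everything read here comes from the queued packet and is therefore
   * attacker-influenced when the queue carries network traffic: lengths
   * are clamped before indexing and payload bytes are filtered before
   * they reach the terminal.
   *
   * @param myQueue queue handle the verdict is issued on
   * @param msg     netlink message header (unused)
   * @param pkt     queued packet data
   * @param cbData  user pointer given to nfq_create_queue() (unused)
   * @return result of nfq_set_verdict(), or -1 when the packet carries no
   *         header and therefore no id to issue a verdict for
   */
  static int Callback(nfq_q_handle *myQueue, struct nfgenmsg *msg,
                      nfq_data *pkt, void *cbData) {
    (void)msg;
    (void)cbData;

    uint32_t id = 0;

    cout << "pkt recvd: ";
    nfqnl_msg_packet_hdr *header = nfq_get_msg_packet_hdr(pkt);
    if (header) {
      id = ntohl(header->packet_id);
      // hex and setfill are sticky stream state: switch back to dec right
      // after the protocol field, otherwise every later number (payload
      // length, mark, device index) is silently printed in hexadecimal.
      // The hook is printed as a number; '0' + hook is promoted to int and
      // would print the character code instead of the hook value.
      cout << "id " << id << "; hw_protocol " << hex << setfill('0')
           << setw(4) << ntohs(header->hw_protocol) << dec << setfill(' ')
           << "; hook " << static_cast<unsigned>(header->hook) << " ; ";
    }

    // The HW address is only fetchable at certain hook points
    nfqnl_msg_packet_hw *macAddr = nfq_get_packet_hw(pkt);
    if (macAddr) {
      const unsigned addrLen = ntohs(macAddr->hw_addrlen);
      // Never index past the fixed-size hw_addr array, whatever length
      // the message claims.
      const unsigned maxLen = sizeof(macAddr->hw_addr);
      const unsigned shown = addrLen < maxLen ? addrLen : maxLen;

      cout << "mac len " << addrLen << " addr ";
      cout << hex << setfill('0');
      for (unsigned i = 0; i < shown; i++) {
        // Index the array and widen to unsigned: streaming hw_addr itself
        // treats it as a C string and reads until a NUL byte is found.
        cout << setw(2) << static_cast<unsigned>(macAddr->hw_addr[i]);
      }
      cout << dec << setfill(' ');
    } else {
      cout << "no MAC addr";
    }

    timeval tv;
    if (nfq_get_timestamp(pkt, &tv) == 0) {
      // Zero-pad the microseconds so 5 us prints as .000005, not .5
      cout << "; tstamp " << tv.tv_sec << "." << setfill('0') << setw(6)
           << tv.tv_usec << setfill(' ');
    } else {
      cout << "; no tstamp";
    }

    cout << "; mark " << nfq_get_nfmark(pkt);

    // Note that you can also get the physical devices
    cout << "; indev " << nfq_get_indev(pkt);
    cout << "; outdev " << nfq_get_outdev(pkt);

    cout << endl;

    // Print the payload; in copy meta mode, only headers will be included;
    // in copy packet mode, whole packet will be returned.
    unsigned char *pktData = NULL;
    const int len = nfq_get_payload(pkt, &pktData);
    // nfq_get_payload() returns -1 on error, so test for > 0 rather than
    // for non-zero.
    if (len > 0 && pktData) {
      cout << "data[" << len << "]: '";
      for (int i = 0; i < len; i++) {
        // Bytes are unsigned char so isprint() never sees a negative
        // value; non-printable bytes are replaced so packet contents
        // cannot emit control or escape sequences to the terminal.
        cout << (isprint(pktData[i]) ? static_cast<char>(pktData[i]) : ' ');
      }
      cout << "'" << endl;
    }

    if (!header) {
      // Without a packet header there is no packet id, so a verdict
      // would refer to id 0 rather than to this packet.
      cerr << "no packet header; verdict not issued" << endl;
      return -1;
    }

    // For this program we'll always accept the packet...
    return nfq_set_verdict(myQueue, id, NF_ACCEPT, 0, NULL);
  }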

  83. //----------------------------------------------------------------------
  84. //------------------------------------------------------
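  /**
   * Binds to netfilter queue 0, requests full packet copies and hands
   * every received netlink message to nfq_handle_packet(), which in turn
   * invokes Callback() for each queued packet.
   *
   * Operational notes:
   *  - Opening the queue needs CAP_NET_ADMIN (typically root).
   *  - While an NFQUEUE rule exists and no program is bound to the queue,
   *    matching packets are dropped unless the rule was added with
   *    --queue-bypass; remove the rule once this program exits.
   *
   * @return EXIT_SUCCESS when the receive loop ends on end-of-stream,
   *         EXIT_FAILURE on any setup or receive error
   */
  int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    struct nfq_handle *nfqHandle;
    struct nfq_q_handle *myQueue;
    struct nfnl_handle *netlinkHandle;

    int fd, res;
    int rc = EXIT_SUCCESS;
    // The copy range requested below is 0xffff bytes, so the receive
    // buffer must hold a full-size packet plus the netlink framing; a
    // smaller buffer makes recv() truncate large messages.
    char buf[0xffff + 4096] __attribute__((aligned));

    // Get a queue connection handle from the module
    if (!(nfqHandle = nfq_open())) {
      cerr << "Error in nfq_open()" << endl;
      return EXIT_FAILURE;
    }

    // Unbind/bind the AF_INET handler. libnetfilter_queue documents both
    // calls as obsolete (ignored by Linux 3.8 and later); they are kept
    // for older kernels, where a stale binding has to be cleared first.
    if (nfq_unbind_pf(nfqHandle, AF_INET) < 0) {
      cerr << "Error in nfq_unbind_pf()" << endl;
      nfq_close(nfqHandle);
      return EXIT_FAILURE;
    }

    // Bind this handler to process IP packets...
    if (nfq_bind_pf(nfqHandle, AF_INET) < 0) {
      cerr << "Error in nfq_bind_pf()" << endl;
      nfq_close(nfqHandle);
      return EXIT_FAILURE;
    }

    // Install a callback on queue 0
    if (!(myQueue = nfq_create_queue(nfqHandle, 0, &Callback, NULL))) {
      cerr << "Error in nfq_create_queue()" << endl;
      nfq_close(nfqHandle);
      return EXIT_FAILURE;
    }

    // Turn on packet copy mode
    if (nfq_set_mode(myQueue, NFQNL_COPY_PACKET, 0xffff) < 0) {
      cerr << "Could not set packet copy mode" << endl;
      nfq_destroy_queue(myQueue);
      nfq_close(nfqHandle);
      return EXIT_FAILURE;
    }

    netlinkHandle = nfq_nfnlh(nfqHandle);
    fd = nfnl_fd(netlinkHandle);

    for (;;) {
      res = recv(fd, buf, sizeof(buf), 0);
      if (res > 0) {
        // Dispatches to Callback() for each packet in the message
        nfq_handle_packet(nfqHandle, buf, res);
        continue;
      }
      if (res == 0) {
        break;
      }
      if (errno == EINTR) {
        continue;  // interrupted by a signal, not a failure
      }
      if (errno == ENOBUFS) {
        // The kernel could not deliver some messages because the socket
        // buffer was full. Leaving the loop here would stop verdicts
        // for everything still queued, so report the loss and keep going.
        cerr << "recv(): ENOBUFS, packets were lost" << endl;
        continue;
      }
      cerr << "Error in recv()" << endl;
      rc = EXIT_FAILURE;
      break;
    }

    nfq_destroy_queue(myQueue);

    nfq_close(nfqHandle);

    return rc;
  }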
编译
 g++ -o nftest nftest.cc -lnfnetlink  -lnetfilter_queue
运行
./nftest 

在另一个终端运行
iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 0
ping 192.168.9.253

nftest 的终端显示

pkt recvd: id 1; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d       w      UV     z                       !"#$%&'()*+,-./01234567'
pkt recvd: id 2; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d       o      UV                             !"#$%&'()*+,-./01234567'
pkt recvd: id 3; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d      %l      UV                             !"#$%&'()*+,-./01234567'
pkt recvd: id 4; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d       f      UV    "                        !"#$%&'()*+,-./01234567'
pkt recvd: id 5; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d      ?b      UV                             !"#$%&'()*+,-./01234567'
pkt recvd: id 6; hw_protocol 0800; hook 33 ; no MAC addr; no tstamp; mark 0; indev 0; outdev 2
data[54]: 'E  T} @ @ =    d       ]      UV    @                        !"#$%&'()*+,


测试结束后删除iptables规则(规则存在而nftest没有运行时,未加 --queue-bypass 的NFQUEUE规则会使匹配的ICMP包被丢弃)
iptables -D OUTPUT -p icmp -j NFQUEUE --queue-num 0