/* libnetfilter_queue.c: generic library for access to nf_queue

 *

 * (C) 2005 by Harald Welte <laforge@gnumonks.org>

 * (C) 2005, 2008-2010 by Pablo Neira Ayuso <pablo@netfilter.org>

 *

 *  This program is free software; you can redistribute it and/or modify

 *  it under the terms of the GNU General Public License version 2

 *  as published by the Free Software Foundation (or any later at your option)

 *

 *  This program is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *  GNU General Public License for more details.

 *

 *  You should have received a copy of the GNU General Public License

 *  along with this program; if not, write to the Free Software

 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

 *

 *  2006-01-23 Andreas Florath <andreas@florath.net>

 *	Fix __set_verdict() that it can now handle payload.

 */

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <ctype.h>

#include <time.h>

#include <errno.h>

#include <netinet/in.h>

#include <sys/socket.h>

#include <libnfnetlink/libnfnetlink.h>

#include <libnetfilter_queue/libnetfilter_queue.h>

#include "internal.h"

/**

 * \mainpage

 *

 * libnetfilter_queue is a userspace library providing an API to packets that

 * have been queued by the kernel packet filter. It is is part of a system that

 * replaces the old ip_queue / libipq mechanism (withdrawn in kernel 3.5).

 *

 * libnetfilter_queue homepage is:

 * 	https://netfilter.org/projects/libnetfilter_queue/

 *

 * \section deps Dependencies

 * libnetfilter_queue requires libmnl, libnfnetlink and a kernel that includes

 * the Netfilter NFQUEUE over NFNETLINK interface (i.e. 2.6.14 or later).

 *

 * \section features Main Features

 *  - receiving queued packets from the kernel nfnetlink_queue subsystem

 *  - issuing verdicts and possibly reinjecting altered packets to the kernel

 *  nfnetlink_queue subsystem

 *

 * The cinematic is the following: When an nft rule with action **queue**

 * matches, the kernel terminates the current nft chain and enqueues the packet

 * in a chained list. It then formats and sends an nfnetlink message containing

 * the packet id and whatever information the userspace program configured to

 * receive (packet data and/or metadata) via a socket to the userspace program.

 *

 * The userspace program must issue a verdict advising the kernel to **accept**

 * or **drop** the packet. Either verdict takes the packet off the queue:

 * **drop** discards the packet while

 * **accept** passes it on to the next chain.

 * Userspace can also alter packet contents or metadata (e.g. packet mark,

 * contrack mark). Verdict can be done in asynchronous manner, as the only

 * needed information is the packet id.

 *

 * When a queue is full, packets that should have been enqueued are dropped by

 * kernel instead of being enqueued.

 *

 * \section git Git Tree

 * The current development version of libnetfilter_queue can be accessed at

 * https://git.netfilter.org/libnetfilter_queue.

 *

 * \section privs Privileges

 * You need the CAP_NET_ADMIN capability in order to allow your application

 * to receive from and to send packets to kernel-space.

 *

 * \section using Using libnetfilter_queue

 *

 * To write your own program using libnetfilter_queue, you should start by

 * reading (or, if feasible, compiling and stepping through with *gdb*)

 * nf-queue.c source file.

 * Simple compile line:

 * \verbatim

gcc -g3 -ggdb -Wall -lmnl -lnetfilter_queue -o nf-queue nf-queue.c

\endverbatim

 * The doxygen documentation \link LibrarySetup \endlink is Deprecated and

 * incompatible with non-deprecated functions. It is hoped to produce a

 * corresponding non-deprecated (*Current*) topic soon.

 *

 * Somewhat outdated but possibly providing some insight into

 * libnetfilter_queue usage is the following

 * article:

 *  https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

 *

 * \section errors ENOBUFS errors in recv()

 *

 * recv() may return -1 and errno is set to ENOBUFS in case that your

 * application is not fast enough to retrieve the packets from the kernel.

 * In that case, you can increase the socket buffer size by means of

 * nfnl_rcvbufsiz(). Although this delays the appearance of ENOBUFS errors,

 * you may hit it again sooner or later. The next section provides some hints

 * on how to obtain the best performance for your application.

 *

 * \section perf Performance

 * To improve your libnetfilter_queue application in terms of performance,

 * you may consider the following tweaks:

 *

 * - increase the default socket buffer size by means of nfnl_rcvbufsiz().

 * - set nice value of your process to -20 (maximum priority).

 * - set the CPU affinity of your process to a spare core that is not used

 * to handle NIC interruptions.

 * - set NETLINK_NO_ENOBUFS socket option to avoid receiving ENOBUFS errors

 * (requires Linux kernel >= 2.6.30).

 * - see --queue-balance option in NFQUEUE target for multi-threaded apps

 * (it requires Linux kernel >= 2.6.31).

 * - consider using fail-open option see nfq_set_queue_flags() (it requires

 *  Linux kernel >= 3.6)

 * - increase queue max length with nfq_set_queue_maxlen() to resist to packets

 * burst

 */

struct nfq_handle

{

	struct nfnl_handle *nfnlh;

	struct nfnl_subsys_handle *nfnlssh;

	struct nfq_q_handle *qh_list;

};

struct nfq_q_handle

{

	struct nfq_q_handle *next;

	struct nfq_handle *h;

	uint16_t id;

	nfq_callback *cb;

	void *data;

};

struct nfq_data {

	struct nfattr **data;

};

EXPORT_SYMBOL int nfq_errno;

/***********************************************************************

 * low level stuff

 ***********************************************************************/

static void del_qh(struct nfq_q_handle *qh)

{

	struct nfq_q_handle *cur_qh, *prev_qh = NULL;

	for (cur_qh = qh->h->qh_list; cur_qh; cur_qh = cur_qh->next) {

		if (cur_qh == qh) {

			if (prev_qh)

				prev_qh->next = qh->next;

			else

				qh->h->qh_list = qh->next;

			return;

		}

		prev_qh = cur_qh;

	}

}

static void add_qh(struct nfq_q_handle *qh)

{

	qh->next = qh->h->qh_list;

	qh->h->qh_list = qh;

}

static struct nfq_q_handle *find_qh(struct nfq_handle *h, uint16_t id)

{

	struct nfq_q_handle *qh;

	for (qh = h->qh_list; qh; qh = qh->next) {

		if (qh->id == id)

			return qh;

	}

	return NULL;

}

/* build a NFQNL_MSG_CONFIG message */

	static int

__build_send_cfg_msg(struct nfq_handle *h, uint8_t command,

		uint16_t queuenum, uint16_t pf)

{

	union {

		char buf[NFNL_HEADER_LEN

			+NFA_LENGTH(sizeof(struct nfqnl_msg_config_cmd))];

		struct nlmsghdr nmh;

	} u;

	struct nfqnl_msg_config_cmd cmd;

	nfnl_fill_hdr(h->nfnlssh, &u.nmh, 0, AF_UNSPEC, queuenum,

			NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);

	cmd._pad = 0;

	cmd.command = command;

	cmd.pf = htons(pf);

	nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_CMD, &cmd, sizeof(cmd));

	return nfnl_query(h->nfnlh, &u.nmh);

}

static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[],

		void *data)

{

	struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);

	struct nfq_handle *h = data;

	uint16_t queue_num = ntohs(nfmsg->res_id);

	struct nfq_q_handle *qh = find_qh(h, queue_num);

	struct nfq_data nfqa;

	if (!qh)

		return -ENODEV;

	if (!qh->cb)

		return -ENODEV;

	nfqa.data = nfa;

	return qh->cb(qh, nfmsg, &nfqa, qh->data);

}

/* public interface */

EXPORT_SYMBOL

struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h)

{

	return h->nfnlh;

}

/**

 *

 * \defgroup Queue Queue handling [DEPRECATED]

 *

 * Once libnetfilter_queue library has been initialised (See

 * \link LibrarySetup \endlink), it is possible to bind the program to a

 * specific queue. This can be done by using nfq_create_queue().

 *

 * The queue can then be tuned via nfq_set_mode() or nfq_set_queue_maxlen().

 *

 * Here's a little code snippet that create queue numbered 0:

 * \verbatim

	printf("binding this socket to queue '0'\n");

	qh = nfq_create_queue(h,  0, &cb, NULL);

	if (!qh) {

		fprintf(stderr, "error during nfq_create_queue()\n");

		exit(1);

	}

	printf("setting copy_packet mode\n");

	if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {

		fprintf(stderr, "can't set packet_copy mode\n");

		exit(1);

	}

\endverbatim

 *

 * Next step is the handling of incoming packets which can be done via a loop:

 *

 * \verbatim

	fd = nfq_fd(h);

	while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {

		printf("pkt received\n");

		nfq_handle_packet(h, buf, rv);

	}

\endverbatim

 * When the decision on a packet has been choosed, the verdict has to be given

 * by calling nfq_set_verdict() or nfq_set_verdict2(). The verdict

 * determines the destiny of the packet as follows:

 *

 *   - NF_DROP discarded the packet

 *   - NF_ACCEPT the packet passes, continue iterations

 *   - NF_QUEUE inject the packet into a different queue

 *     (the target queue number is in the high 16 bits of the verdict)

 *   - NF_REPEAT iterate the same cycle once more

 *   - NF_STOP accept, but don't continue iterations

 *

 * The verdict NF_STOLEN must not be used, as it has special meaning in the

 * kernel.

 * When using NF_REPEAT, one way to prevent re-queueing of the same packet

 * is to also set an nfmark using nfq_set_verdict2, and set up the nefilter

 * rules to only queue a packet when the mark is not (yet) set.

 *

 * Data and information about the packet can be fetch by using message parsing

 * functions (See \link Parsing \endlink).

 * @{

 */

/**

 * nfq_fd - get the file descriptor associated with the nfqueue handler

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 *

 * \return a file descriptor for the netlink connection associated with the

 * given queue connection handle. The file descriptor can then be used for

 * receiving the queued packets for processing.

 *

  * This function returns a file descriptor that can be used for communication

 * over the netlink connection associated with the given queue connection

 * handle.

 */

EXPORT_SYMBOL

int nfq_fd(struct nfq_handle *h)

{

	return nfnl_fd(nfq_nfnlh(h));

}

/**

 * @}

 */

/**

 * \defgroup LibrarySetup Library setup [DEPRECATED]

 *

 * Library initialisation is made in two steps.

 *

 * First step is to call nfq_open() to open a NFQUEUE handler.

 *

 * Second step is to tell the kernel that userspace queueing is handle by

 * NFQUEUE for the selected protocol. This is made by calling nfq_unbind_pf()

 * and nfq_bind_pf() with protocol information. The idea behind this is to

 * enable simultaneously loaded modules to be used for queuing.

 *

 * Here's a little code snippet that bind with AF_INET:

 * \verbatim

	h = nfq_open();

	if (!h) {

		fprintf(stderr, "error during nfq_open()\n");

		exit(1);

	}

	printf("unbinding existing nf_queue handler for AF_INET (if any)\n");

	if (nfq_unbind_pf(h, AF_INET) < 0) {

		fprintf(stderr, "error during nfq_unbind_pf()\n");

		exit(1);

	}

	printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");

	if (nfq_bind_pf(h, AF_INET) < 0) {

		fprintf(stderr, "error during nfq_bind_pf()\n");

		exit(1);

	}

\endverbatim

 * Once this is done, you can setup and use a \link Queue \endlink.

 * @{

 */

/**

 * nfq_open - open a nfqueue handler

 *

 * This function obtains a netfilter queue connection handle. When you are

 * finished with the handle returned by this function, you should destroy

 * it by calling nfq_close(). A new netlink connection is obtained internally

 * and associated with the queue connection handle returned.

 *

 * \return a pointer to a new queue handle or NULL on failure.

 */

EXPORT_SYMBOL

struct nfq_handle *nfq_open(void)

{

	struct nfnl_handle *nfnlh = nfnl_open();

	struct nfq_handle *qh;

	if (!nfnlh)

		return NULL;

	/* unset netlink sequence tracking by default */

	nfnl_unset_sequence_tracking(nfnlh);

	qh = nfq_open_nfnl(nfnlh);

	if (!qh)

		nfnl_close(nfnlh);

	return qh;

}

/**

 * @}

 */

/**

 * nfq_open_nfnl - open a nfqueue handler from a existing nfnetlink handler

 * \param nfnlh Netfilter netlink connection handle obtained by calling nfnl_open()

 *

 * This function obtains a netfilter queue connection handle using an existing

 * netlink connection. This function is used internally to implement

 * nfq_open(), and should typically not be called directly.

 *

 * \return a pointer to a new queue handle or NULL on failure.

 */

EXPORT_SYMBOL

struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh)

{

	struct nfnl_callback pkt_cb = {

		.call		= __nfq_rcv_pkt,

		.attr_count	= NFQA_MAX,

	};

	struct nfq_handle *h;

	int err;

	h = malloc(sizeof(*h));

	if (!h)

		return NULL;

	memset(h, 0, sizeof(*h));

	h->nfnlh = nfnlh;

	h->nfnlssh = nfnl_subsys_open(h->nfnlh, NFNL_SUBSYS_QUEUE,

				      NFQNL_MSG_MAX, 0);

	if (!h->nfnlssh) {

		/* FIXME: nfq_errno */

		goto out_free;

	}

	pkt_cb.data = h;

	err = nfnl_callback_register(h->nfnlssh, NFQNL_MSG_PACKET, &pkt_cb);

	if (err < 0) {

		nfq_errno = err;

		goto out_close;

	}

	return h;

out_close:

	nfnl_subsys_close(h->nfnlssh);

out_free:

	free(h);

	return NULL;

}

/**

 * \addtogroup LibrarySetup

 *

 * When the program has finished with libnetfilter_queue, it has to call

 * the nfq_close() function to free all associated resources.

 *

 * @{

 */

/**

 * nfq_close - close a nfqueue handler

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 *

 * This function closes the nfqueue handler and free associated resources.

 *

 * \return 0 on success, non-zero on failure.

 */

EXPORT_SYMBOL

int nfq_close(struct nfq_handle *h)

{

	int ret;

	ret = nfnl_close(h->nfnlh);

	if (ret == 0)

		free(h);

	return ret;

}

/**

 * nfq_bind_pf - bind a nfqueue handler to a given protocol family

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 * \param pf protocol family to bind to nfqueue handler obtained from nfq_open()

 *

 * Binds the given queue connection handle to process packets belonging to

 * the given protocol family (ie. PF_INET, PF_INET6, etc).

 * This call is obsolete, Linux kernels from 3.8 onwards ignore it.

 *

 * \return integer inferior to 0 in case of failure

 */

EXPORT_SYMBOL

int nfq_bind_pf(struct nfq_handle *h, uint16_t pf)

{

	return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf);

}

/**

 * nfq_unbind_pf - unbind nfqueue handler from a protocol family

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 * \param pf protocol family to unbind family from

 *

 * Unbinds the given queue connection handle from processing packets belonging

 * to the given protocol family.

 *

 * This call is obsolete, Linux kernels from 3.8 onwards ignore it.

 */

EXPORT_SYMBOL

int nfq_unbind_pf(struct nfq_handle *h, uint16_t pf)

{

	return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf);

}

/**

 * @}

 */

/**

 * \addtogroup Queue

 * @{

 */

/**

 * nfq_create_queue - create a new queue handle and return it.

 *

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 * \param num the number of the queue to bind to

 * \param cb callback function to call for each queued packet

 * \param data custom data to pass to the callback function

 *

 * \return a nfq_q_handle pointing to the newly created queue

 *

 * Creates a new queue handle, and returns it.  The new queue is identified by

 * \b num, and the callback specified by \b cb will be called for each enqueued

 * packet.  The \b data argument will be passed unchanged to the callback.  If

 * a queue entry with id \b num already exists,

 * this function will return failure and the existing entry is unchanged.

 *

 * The nfq_callback type is defined in libnetfilter_queue.h as:

 * \verbatim

typedef int nfq_callback(struct nfq_q_handle *qh,

			 struct nfgenmsg *nfmsg,

			 struct nfq_data *nfad, void *data);

\endverbatim

 *

 * Parameters:

 *  - qh The queue handle returned by nfq_create_queue

 *  - nfmsg message objetc that contains the packet

 *  - nfad Netlink packet data handle

 *  - data the value passed to the data parameter of nfq_create_queue

 *

 * The callback should return < 0 to stop processing.

 */

EXPORT_SYMBOL

struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h, uint16_t num,

				      nfq_callback *cb, void *data)

{

	int ret;

	struct nfq_q_handle *qh;

	if (find_qh(h, num))

		return NULL;

	qh = malloc(sizeof(*qh));

	if (!qh)

		return NULL;

	memset(qh, 0, sizeof(*qh));

	qh->h = h;

	qh->id = num;

	qh->cb = cb;

	qh->data = data;

	ret = __build_send_cfg_msg(h, NFQNL_CFG_CMD_BIND, num, 0);

	if (ret < 0) {

		nfq_errno = ret;

		free(qh);

		return NULL;

	}

	add_qh(qh);

	return qh;

}

/**

 * @}

 */

/**

 * \addtogroup Queue

 * @{

 */

/**

 * nfq_destroy_queue - destroy a queue handle

 * \param qh queue handle that we want to destroy created via nfq_create_queue

 *

 * Removes the binding for the specified queue handle. This call also unbind

 * from the nfqueue handler, so you don't have to call nfq_unbind_pf.

 */

EXPORT_SYMBOL

int nfq_destroy_queue(struct nfq_q_handle *qh)

{

	int ret = __build_send_cfg_msg(qh->h, NFQNL_CFG_CMD_UNBIND, qh->id, 0);

	if (ret == 0) {

		del_qh(qh);

		free(qh);

	}

	return ret;

}

/**

 * nfq_handle_packet - handle a packet received from the nfqueue subsystem

 * \param h Netfilter queue connection handle obtained via call to nfq_open()

 * \param buf data to pass to the callback

 * \param len length of packet data in buffer

 *

 * Triggers an associated callback for the given packet received from the

 * queue. Packets can be read from the queue using nfq_fd() and recv(). See

 * example code for nfq_fd().

 *

 * \return 0 on success, non-zero on failure.

 */

EXPORT_SYMBOL

int nfq_handle_packet(struct nfq_handle *h, char *buf, int len)

{

	return nfnl_handle_packet(h->nfnlh, buf, len);

}

/**

 * nfq_set_mode - set the amount of packet data that nfqueue copies to userspace

 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().

 * \param mode the part of the packet that we are interested in

 * \param range size of the packet that we want to get

 *

 * Sets the amount of data to be copied to userspace for each packet queued

 * to the given queue.

 *

 * - NFQNL_COPY_NONE - noop, do not use it

 * - NFQNL_COPY_META - copy only packet metadata

 * - NFQNL_COPY_PACKET - copy entire packet

 *

 * \return -1 on error; >=0 otherwise.

 */

EXPORT_SYMBOL

int nfq_set_mode(struct nfq_q_handle *qh, uint8_t mode, uint32_t range)

{

	union {

		char buf[NFNL_HEADER_LEN

			+NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];

		struct nlmsghdr nmh;

	} u;

	struct nfqnl_msg_config_params params;

	nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,

			NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);

	params.copy_range = htonl(range);

	params.copy_mode = mode;

	nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_PARAMS, &params,

			sizeof(params));

	return nfnl_query(qh->h->nfnlh, &u.nmh);

}

/**

 * nfq_set_queue_flags - set flags (options) for the kernel queue

 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().

 * \param mask specifies which flag bits to modify

 * \param flags bitmask of flags

 *

 * Existing flags, that you may want to combine, are:

 *

 * - NFQA_CFG_F_FAIL_OPEN (requires Linux kernel >= 3.6): the kernel will

 *   accept the packets if the kernel queue gets full. If this flag is not

 *   set, the default action in this case is to drop packets.

 *

 * - NFQA_CFG_F_CONNTRACK (requires Linux kernel >= 3.6): the kernel will

 *   include the Connection Tracking system information.

 *

 * - NFQA_CFG_F_GSO (requires Linux kernel >= 3.10): the kernel will

 *   not normalize offload packets, i.e. your application will need to

 *   be able to handle packets larger than the mtu.

 *

 *   Normalization is expensive, so this flag should always be set.

 *   Because attributes in netlink messages are limited to 65531 bytes,

 *   you also need to check the NFQA_CAP_LEN attribute, it contains the

 *   original size of the captured packet on the kernel side.

 *   If it is set and differs  from the payload length, the packet was

 *   truncated.  This also happens when limiting capture size

 *   with the NFQNL_COPY_PACKET setting, or when e.g. a local user

 *   sends a very large packet.

 *

 *   If your application validates checksums (e.g., tcp checksum),

 *   then you must also check if the NFQA_SKB_INFO attribute is present.

 *   If it is, you need to test the NFQA_SKB_CSUMNOTREADY bit:

 * \verbatim

	if (attr[NFQA_SKB_INFO]) {

		uint32_t info = ntohl(mnl_attr_get_u32(attr[NFQA_SKB_INFO]));

		if (info & NFQA_SKB_CSUMNOTREADY)

			validate_checksums = false;

	}

\endverbatim

 *  if this bit is set, the layer 3/4 checksums of the packet appear incorrect,

 *  but are not (because they will be corrected later by the kernel).

 *  Please see example/nf-queue.c in the libnetfilter_queue source for more

 *  details.

 *

 *  - NFQA_CFG_F_UID_GID: the kernel will dump UID and GID of the socket to

 *  which each packet belongs.

 *

 * Here's a little code snippet to show how to use this API:

 * \verbatim

	uint32_t flags = NFQA_CFG_F_FAIL_OPEN;

	uint32_t mask = NFQA_CFG_F_FAIL_OPEN;

	printf("Enabling fail-open on this q\n");

	err = nfq_set_queue_flags(qh, mask, flags);

	printf("Disabling fail-open on this q\n");

	flags &= ~NFQA_CFG_F_FAIL_OPEN;

	err = nfq_set_queue_flags(qh, mask, flags);

\endverbatim

 *  - NFQA_CFG_F_SECCTX: the kernel will dump security context of the socket to

 *  which each packet belongs.

 *

 *  \warning

 *  When fragmentation occurs and NFQA_CFG_F_GSO is NOT set then the kernel

 *  dumps UID/GID and security context fields only for one fragment. To deal

 *  with this limitation always set NFQA_CFG_F_GSO.

 *

 * \return -1 on error with errno set appropriately; =0 otherwise.

 */

EXPORT_SYMBOL

int nfq_set_queue_flags(struct nfq_q_handle *qh, uint32_t mask, uint32_t flags)

{

	union {

		char buf[NFNL_HEADER_LEN

			+NFA_LENGTH(sizeof(mask)

			+NFA_LENGTH(sizeof(flags)))];

		struct nlmsghdr nmh;

	} u;

	mask = htonl(mask);

	flags = htonl(flags);

	nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,

		      NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);

	nfnl_addattr32(&u.nmh, sizeof(u), NFQA_CFG_FLAGS, flags);

	nfnl_addattr32(&u.nmh, sizeof(u), NFQA_CFG_MASK, mask);

	return nfnl_query(qh->h->nfnlh, &u.nmh);

}

/**

 * nfq_set_queue_maxlen - Set kernel queue maximum length parameter

 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().

 * \param queuelen the length of the queue

 *

 * Sets the size of the queue in kernel. This fixes the maximum number

 * of packets the kernel will store before internally before dropping

 * upcoming packets.

 *

 * \return -1 on error; >=0 otherwise.

 */

EXPORT_SYMBOL

int nfq_set_queue_maxlen(struct nfq_q_handle *qh, uint32_t queuelen)

{

	union {

		char buf[NFNL_HEADER_LEN

			+NFA_LENGTH(sizeof(struct nfqnl_msg_config_params))];

		struct nlmsghdr nmh;

	} u;

	uint32_t queue_maxlen = htonl(queuelen);

	nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,

			NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);

	nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_QUEUE_MAXLEN, &queue_maxlen,

			sizeof(queue_maxlen));

	return nfnl_query(qh->h->nfnlh, &u.nmh);

}

/**

 * @}

 */

static int __set_verdict(struct nfq_q_handle *qh, uint32_t id,

		uint32_t verdict, uint32_t mark, int set_mark,

		uint32_t data_len, const unsigned char *data,

		enum nfqnl_msg_types type)

{

	struct nfqnl_msg_verdict_hdr vh;

	union {

		char buf[NFNL_HEADER_LEN

			+NFA_LENGTH(sizeof(mark))

			+NFA_LENGTH(sizeof(vh))];

		struct nlmsghdr nmh;

	} u;

	struct iovec iov[3];

	int nvecs;

	/* This must be declared here (and not inside the data

	 * handling block) because the iovec points to this. */

	struct nfattr data_attr;

	memset(iov, 0, sizeof(iov));

	vh.verdict = htonl(verdict);

	vh.id = htonl(id);

	nfnl_fill_hdr(qh->h->nfnlssh, &u.nmh, 0, AF_UNSPEC, qh->id,

				type, NLM_F_REQUEST);

	/* add verdict header */

	nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_VERDICT_HDR, &vh, sizeof(vh));

	if (set_mark)

		nfnl_addattr32(&u.nmh, sizeof(u), NFQA_MARK, mark);

	iov[0].iov_base = &u.nmh;

	iov[0].iov_len = NLMSG_TAIL(&u.nmh) - (void *)&u.nmh;

	nvecs = 1;

	if (data_len) {

		/* The typecast here is to cast away data's const-ness: */

		nfnl_build_nfa_iovec(&iov[1], &data_attr, NFQA_PAYLOAD,

				data_len, (unsigned char *) data);

		nvecs += 2;

		/* Add the length of the appended data to the message

		 * header.  The size of the attribute is given in the

		 * nfa_len field and is set in the nfnl_build_nfa_iovec()

		 * function. */

		u.nmh.nlmsg_len += data_attr.nfa_len;

	}

	return nfnl_sendiov(qh->h->nfnlh, iov, nvecs, 0);

}

/**

 * \addtogroup Queue

 * @{

 */

/**

 * nfq_set_verdict - issue a verdict on a packet

 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().

 * \param id	ID assigned to packet by netfilter.

 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)

 * \param data_len number of bytes of data pointed to by \b buf

 * \param buf the buffer that contains the packet data

 *

 * Can be obtained by:

 * \verbatim

	int id;

	struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(tb);

	if (ph)

		id = ntohl(ph->packet_id);

\endverbatim

 *

 * Notifies netfilter of the userspace verdict for the given packet.  Every

 * queued packet _must_ have a verdict specified by userspace, either by

 * calling this function, the nfq_set_verdict2() function, or the _batch

 * versions of these functions.

 *

 * \return -1 on error; >= 0 otherwise.

 */

EXPORT_SYMBOL

int nfq_set_verdict(struct nfq_q_handle *qh, uint32_t id,

		    uint32_t verdict, uint32_t data_len,

		    const unsigned char *buf)

{

	return __set_verdict(qh, id, verdict, 0, 0, data_len, buf,

						NFQNL_MSG_VERDICT);

}

/**

 * nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark.

 * \param qh Netfilter queue handle obtained by call to nfq_create_queue().

 * \param id	ID assigned to packet by netfilter.

 * \param verdict verdict to return to netfilter (NF_ACCEPT, NF_DROP)

 * \param mark mark to put on packet

 * \param data_len number of bytes of data pointed to by \b buf

 * \param buf the buffer that contains the packet data

 */

EXPORT_SYMBOL

int nfq_set_verdict2(struct nfq_q_handle *qh, uint32_t id,

		     uint32_t verdict, uint32_t mark,

		     uint32_t data_len, const unsigned char *buf)

{

	return __set_verdict(qh, id, verdict, htonl(mark), 1, data_len,

						buf, NFQNL_MSG_VERDICT);

}