[Snort-inline-users] [PATCH] Add netfilter_reinject_mark option.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

If set to non null, snort_inline will mark the packet with the given
value and reinject it in the hook by issuing a NF_REPEAT verdict. This
functionnality can be used to simplify the iptables ruleset. Let's say
you want to use the mark 1, then to send all traffic to snort-inline,
you can just add at the top of your ruleset:
 iptables -I FORWARD -m mark ! --mark 1 -j NFQUEUE
The cost of the modification is light as it just add a single rule
check when the packet is reinjected.

Signed-off-by: Eric Leblond <er...@in...>
---
 src/inline.c |   13 +++++++++++--
 src/parser.c |   20 ++++++++++++++++++++
 src/snort.h  |    3 +++
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/src/inline.c b/src/inline.c
index e938541..2f3b6f0 100644
--- a/src/inline.c
+++ b/src/inline.c
@@ -996,7 +996,12 @@ void HandlePacket()
     else if (iv.replace == 0)
     {
 #ifdef NFNETLINKQ
-        status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
+	if (pv.netfilter_reinject_mark)
+	{
+	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL);
+	} else {
+	    status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
+	}
         if (status < 0)
         {
             fprintf(stderr, "NF_ACCEPT: ");
@@ -1012,7 +1017,11 @@ void HandlePacket()
     else /* implied replace */
     {
 #ifdef NFNETLINKQ
-        status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
+	if (pv.netfilter_reinject_mark) {
+	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload);
+	} else {
+	    status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
+	}
         if (status < 0)
         {
             fprintf(stderr,"NF_ACCEPT: ");
diff --git a/src/parser.c b/src/parser.c
index 5a53f68..991a8f7 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -6841,6 +6841,26 @@ void ParseConfig(char *rule)
         return;
         
     }
+    else if(!strcasecmp(config, "netfilter_reinject_mark"))
+    {   
+        if(args)
+        {
+            toks = mSplit(args, " ", 1, &num_toks, 0);
+#ifdef GIDS
+#ifdef NFNETLINKQ
+            pv.netfilter_reinject_mark = atoi(toks[0]);
+#endif
+#endif
+
+            mSplitFree( &toks, num_toks );
+        }
+
+        mSplitFree(&rule_toks,num_rule_toks);
+        mSplitFree(&config_decl,num_config_decl_toks);
+
+        return;
+        
+    }
     else if(!strcasecmp(config, "asn1"))
     {
         toks = mSplit(args, ", ", 20, &num_toks, 0);
diff --git a/src/snort.h b/src/snort.h
index 86b3d05..a9ea3a4 100644
--- a/src/snort.h
+++ b/src/snort.h
@@ -298,6 +298,9 @@ typedef struct _progvars
     int divert_port;
     int ipfw_reinject_rule;
 #endif /* USE IPFW DIVERT socket instead of IPtables */
+#ifdef NFNETLINKQ
+    int netfilter_reinject_mark;
+#endif
 #endif /* GIDS */
 #ifdef WIN32
     int syslog_remote_flag;
-- 
1.5.6.5



