[Snort-inline-users] [PATCH] Add netfilter_reinject_mask option.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

This patch adds a netfilter_reinject_mask option which can be
used to only modify the packet mark with respect to the selected
mask. Let's say you can use mark 1 and mask 1 (thus reserve one
bit to the reinjection process). To send all traffic to snort-inline,
you can just add at the top of your ruleset:
         iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE

Signed-off-by: Eric Leblond <er...@in...>
---
 src/inline.c |   10 +++++++---
 src/parser.c |   20 ++++++++++++++++++++
 src/snort.h  |    1 +
 3 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/inline.c b/src/inline.c
index 2f3b6f0..a5f8766 100644
--- a/src/inline.c
+++ b/src/inline.c
@@ -242,7 +242,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
    //ipq_pkt.packet_id = glid;
    //ipq_pkt.hw_protocol = ntohs(ph->hw_protocol);
    //ipq_pkt.hook = ph->hook;
-   //ipq_pkt.mark = nfq_get_nfmark(nfa);
+   ipq_pkt.mark = nfq_get_nfmark(nfa);
    
    /* TODO: we only use this for rejects, so we might move
     * this to the reject code */
@@ -998,7 +998,9 @@ void HandlePacket()
 #ifdef NFNETLINKQ
 	if (pv.netfilter_reinject_mark)
 	{
-	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL);
+	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
+					  htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
+					  0, NULL);
 	} else {
 	    status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
 	}
@@ -1018,7 +1020,9 @@ void HandlePacket()
     {
 #ifdef NFNETLINKQ
 	if (pv.netfilter_reinject_mark) {
-	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload);
+	    status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
+					  htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
+					  m->data_len, m->payload);
 	} else {
 	    status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
 	}
diff --git a/src/parser.c b/src/parser.c
index 991a8f7..b0ac525 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -6861,6 +6861,26 @@ void ParseConfig(char *rule)
         return;
         
     }
+    else if(!strcasecmp(config, "netfilter_reinject_mask"))
+    {   
+        if(args)
+        {
+            toks = mSplit(args, " ", 1, &num_toks, 0);
+#ifdef GIDS
+#ifdef NFNETLINKQ
+            pv.netfilter_reinject_mask = atoi(toks[0]);
+#endif
+#endif
+
+            mSplitFree( &toks, num_toks );
+        }
+
+        mSplitFree(&rule_toks,num_rule_toks);
+        mSplitFree(&config_decl,num_config_decl_toks);
+
+        return;
+        
+    }
     else if(!strcasecmp(config, "asn1"))
     {
         toks = mSplit(args, ", ", 20, &num_toks, 0);
diff --git a/src/snort.h b/src/snort.h
index a9ea3a4..d0f1542 100644
--- a/src/snort.h
+++ b/src/snort.h
@@ -300,6 +300,7 @@ typedef struct _progvars
 #endif /* USE IPFW DIVERT socket instead of IPtables */
 #ifdef NFNETLINKQ
     int netfilter_reinject_mark;
+    int netfilter_reinject_mask;
 #endif
 #endif /* GIDS */
 #ifdef WIN32
-- 
1.5.6.5



