想转发包到用户空间，但是nfq_unbind_pf()失败

wantaugust

注意，main()在root帐号下能够正常编译和运行，但是在非root帐号下，能正常编译但是不能正常运行，具体返回信息见下面
int main(int argc, char *argv)
{
         struct nfq_handle *h;
         struct nfq_q_handle *qh;
         struct nfnl_handle *nh;
         int fd;
         int rv;
         char buf[4096] __attribute__ ((aligned));

         printf("opening library handle\n");
         h = nfq_open();
         if (!h) {
                 fprintf(stderr, "error during nfq_open()\n");
                 exit(1);
         }

         printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
---->  if (nfq_unbind_pf(h, AF_INET) < 0) {
                 fprintf(stderr, "error during nfq_unbind_pf()\n");
                 exit(1);
         }

         printf("binding nfnetlink_queue as nf_queue handler for AF_INET\n");
         if (nfq_bind_pf(h, AF_INET) < 0) {
                 fprintf(stderr, "error during nfq_bind_pf()\n");
                 exit(1);
         }

         printf("binding this socket to queue '0'\n");
         qh = nfq_create_queue(h,  0, &cb, NULL);
         if (!qh) {
                 fprintf(stderr, "error during nfq_create_queue()\n");
                 exit(1);
         }

         printf("setting copy_packet mode\n");
         if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
                 fprintf(stderr, "can't set packet_copy mode\n");
                 exit(1);
         }

          fd = nfq_fd(h);


终端输出是：
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
error during nfq_unbind_pf()

然后查看资料：
int nfq_unbind_pf(struct nfq_handle *h, u_int16_t pf)
{
         return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf);
}
从这开始就不会了！！！！！！！！！！！！！！！！！
__build_send_cfg_msg(struct nfq_handle *h, u_int8_t command,
  u_int16_t queuenum, u_int16_t pf)
{
char buf[NFNL_HEADER_LEN
  +NFA_LENGTH(sizeof(struct nfqnl_msg_config_cmd))];
struct nfqnl_msg_config_cmd cmd;
struct nlmsghdr *nmh = (struct nlmsghdr *) buf;
nfnl_fill_hdr(h->nfnlssh, nmh, 0, AF_UNSPEC, queuenum,
   NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK);
cmd.command = command;
cmd.pf = htons(pf);
nfnl_addattr_l(nmh, sizeof(buf), NFQA_CFG_CMD, &cmd, sizeof(cmd));
return nfnl_talk(h->nfnlh, nmh, 0, 0, NULL, NULL, NULL);
}

到底为什么在非管理员的帐号下nfq_unbind_pf(h, AF_INET) < 0，请各位大神帮忙

wantaugust

那么多人在看，就没人回复吗

Tinnal

1. 出错的时候perror一下。
2. strace <你的程序>  跟踪一下。

wantaugust

回复 3# Tinnal


         printf("unbinding existing nf_queue handler for AF_INET (if any)\n");
         if (nfq_unbind_pf(h, AF_INET) < 0) {
加了他------->perror("错误错误：\n");
                 fprintf(stderr, "error during nfq_unbind_pf()\n");
                 exit(1);
         }
终端输出：
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
错误错误：
: Operation not permitted
error during nfq_unbind_pf()


   

然后strace -o bbb ./aaa
bbb内容是：

execve("./aaa", ["./aaa"], [/* 49 vars */]) = 0
brk(0)                                  = 0x933000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b582c0000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=115751, ...}) = 0
mmap(NULL, 115751, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f0b582a3000
close(3)                                = 0
open("/lib64/libnetfilter_queue.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=27416, ...}) = 0
mmap(NULL, 2122224, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0b5809c000
mprotect(0x7f0b580a2000, 2093056, PROT_NONE) = 0
mmap(0x7f0b582a1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f0b582a1000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\36\2\3054\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2100672, ...}) = 0
mmap(0x34c5000000, 3924576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x34c5000000
mprotect(0x34c51b4000, 2097152, PROT_NONE) = 0
mmap(0x34c53b4000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b4000) = 0x34c53b4000
mmap(0x34c53ba000, 16992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x34c53ba000
close(3)                                = 0
open("/lib64/libnfnetlink.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\30@\3064\0\0\0"..., 832) = 832
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b5809b000
fstat(3, {st_mode=S_IFREG|0755, st_size=29096, ...}) = 0
mmap(0x34c6400000, 2122096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x34c6400000
mprotect(0x34c6406000, 2093056, PROT_NONE) = 0
mmap(0x34c6605000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x34c6605000
close(3)                                = 0
open("/lib64/libmnl.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \34\0\3064\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=26248, ...}) = 0
mmap(0x34c6000000, 2117960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x34c6000000
mprotect(0x34c6004000, 2097152, PROT_NONE) = 0
mmap(0x34c6204000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x34c6204000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b5809a000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b58098000
arch_prctl(ARCH_SET_FS, 0x7f0b58098740) = 0
mprotect(0x34c53b4000, 16384, PROT_READ) = 0
mprotect(0x34c6204000, 4096, PROT_READ) = 0
mprotect(0x34c6605000, 4096, PROT_READ) = 0
mprotect(0x7f0b582a1000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ)     = 0
mprotect(0x34c4e1f000, 4096, PROT_READ) = 0
munmap(0x7f0b582a3000, 115751)          = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b582bf000
write(1, "opening library handle\n", 23) = 23
brk(0)                                  = 0x933000
brk(0x954000)                           = 0x954000
brk(0)                                  = 0x954000
socket(PF_NETLINK, SOCK_RAW, 12)        = 3
getsockname(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 0
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=3225, groups=00000000}, [12]) = 0
bind(3, {sa_family=AF_NETLINK, pid=3225, groups=00000000}, 12) = 0
write(1, "unbinding existing nf_queue hand"..., 57) = 57
sendto(3, "\34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\4\0\0\2", 28, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 28
recvfrom(3, "0\0\0\0\2\0\0\0\0\0\0\0\231\f\0\0\377\377\377\377\34\0\0\0\2\3\5\0\0\0\0\0"..., 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 48
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(4, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b582be000
lseek(4, 0, SEEK_CUR)                   = -1 ESPIPE (Illegal seek)
write(4, "\351\224\231\350\257\257\351\224\231\350\257\257\357\274\232\n", 16) = 16
write(4, ": Operation not permitted\n", 26) = 26
close(4)                                = 0
munmap(0x7f0b582be000, 4096)            = 0
write(2, "error during nfq_unbind_pf()\n", 29) = 29
exit_group(1)                           = ?
+++ exited with 1 +++
我更蒙了！！！！！！！！！！！！！！！！！！！！！
   

Tinnal

回复 4# wantaugust

从perror信息来看，就是权限不够了。应该只有root才能做。

从strace来看，没有明显的错误输出。

recvfrom(3, "0\0\0\0\2\0\0\0\0\0\0\0\231\f\0\0\377\377\377\377\34\0\0\0\2\3\5\0\0\0\0\0"..., 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 48
接收到的这48字节应该是一个数据结构，其中包含错误的信息。

往后的信息，已经是在往错误输出打印了。
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(4, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b582be000
lseek(4, 0, SEEK_CUR)                   = -1 ESPIPE (Illegal seek)
write(4, "\351\224\231\350\257\257\351\224\231\350\257\257\357\274\232\n", 16) = 16
write(4, ": Operation not permitted\n", 26) = 26



   

wantaugust

回复 5# Tinnal
谢谢大神，看来我的main只能root运行了

   

evilwolf125

可以setuid，给个root权限。非root用户

wantaugust

回复 7# evilwolf125

我怎么没想到，谢谢
   

wantaugust

setuid u+g aaa
okle