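#!/usr/bin/env python
# This script passes and prints all packets that come its way (into a specific NFQUEUE).
# An iptables command is necessary to send them there (see nfq-drop5th-icmp.py for
# an example of rejecting packets).
# Cf. https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
#
# NFQUEUE supports many queues; the iptables command takes a number matching the script's:
# E.g.: iptables -A OUTPUT -s 8.8.8.8 -p icmp -j NFQUEUE --queue-num 1
#
# NOTE(review): while no process is bound to the queue (before this script starts,
# or after it exits or crashes), packets matched by that rule are dropped by the
# kernel rather than passed through, unless the rule also carries --queue-bypass.
# Keep that in mind before pointing the rule at traffic you cannot afford to lose.
queue = 1

from scapy.all import IP
import nfqueue

_q = nfqueue.queue()


# For older binding versions, the callback signature should be
#     def cb(i, payload):
# Otherwise, the following error message occurs:
#     TypeError: callback() takes exactly 1 argument (2 given)
#     callback failure !
# If you see such errors, change the signature to the above.
# See the first two comments to http://danmcinerney.org/reliable-dns-spoofing-with-python-scapy-nfqueue/
def cb(payload):
    """Queue callback: print a one-line summary of the packet, then accept it.

    payload: the nfqueue payload object handed to the callback. Its raw bytes
    are read with get_data() and the verdict is returned via set_verdict().

    The verdict is issued in a ``finally`` clause so that a packet whose bytes
    scapy cannot dissect (or whose summary() raises) is still accepted instead
    of being left without a verdict: this script is a pass-through monitor, and
    a parse error on one packet must not stall the queue for every packet after it.
    """
    try:
        data = payload.get_data()
        # print(...) with a single argument behaves the same under Python 2 and 3.
        print(IP(data).summary())
    except Exception as exc:
        # Best-effort printing only: report the problem and keep the queue moving.
        print("cb: could not summarise packet: %s" % exc)
    finally:
        payload.set_verdict(nfqueue.NF_ACCEPT)


_q.set_callback(cb)

# The "Internet IPv4" address family here is "2". This is a known fixed value,
# found in header files such as /usr/include/bits/socket.h, but it's good
# practice to refer to it by name. See also
# http://stackoverflow.com/questions/1593946/what-is-af-inet-and-why-do-i-need-it, also as a side-note:
# http://stackoverflow.com/questions/6729366/what-is-the-difference-between-af-inet-and-pf-inet-in-socket-programming
from socket import AF_INET, AF_INET6
address_family = AF_INET

# The following seems needed to clean up after any previous crashes. Present in
# C examples in https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
_q.unbind(address_family)
_q.fast_open(queue, address_family)
# Blocks here, handing every queued packet to cb() until interrupted.
_q.try_run()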