#!/usr/bin/env python

import nfqueue
from scapy.all import *
import os
import socket
import re
import urllib
os.system('ip6tables -A FORWARD -d 2604:5f00:ffff:fe00::5353 -p udp --dport 53 -j NFQUEUE --queue-num 1 ')
os.system('ip6tables -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1 ')

# needed for dns-resp-v6.py: 
os.system('ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1/4 -j DROP')

# see comment in nfq-pass-all if you see TypeError regarding 2 arguments passed to callback;
#  change signature to callback(i, payload)
def callback(payload):
    data = payload.get_data()
    pkt = IPv6(data)
    print pkt.summary()

    badname = re.compile(".*awesome")

    if pkt.haslayer(DNSQR):
        qname = pkt[DNS].qd.qname
        print "Qname: " + qname
        if badname.match( pkt[DNS].qd.qname ):
            payload.set_verdict(nfqueue.NF_DROP)
            print "Dropped dnsqr for " + qname 
        else:
            payload.set_verdict(nfqueue.NF_ACCEPT)
    elif pkt.haslayer(TCP) and pkt.haslayer(Raw):
        url = urllib.unquote(pkt[Raw].load)
        if badname.match( url ):
            payload.set_verdict(nfqueue.NF_DROP)
            print "Dropped http req for " + url
        else:
            payload.set_verdict(nfqueue.NF_ACCEPT)
    else:
        payload.set_verdict(nfqueue.NF_ACCEPT)


def main():
    q = nfqueue.queue()
    q.open()
    q.unbind(socket.AF_INET)
    q.bind(socket.AF_INET)   # callback won't be called without this
    q.set_callback(callback)
    q.create_queue(1)
    try:
        q.try_run() # Main loop
    except KeyboardInterrupt:
        q.unbind(socket.AF_INET)
        q.close()
        print "Cleaning up iptables" # this removes ALL rules, excessive
        os.system('ip6tables -F')
        os.system('ip6tables -X')

main()