Check-in [371d474ebc]
Overview
SHA1:371d474ebc7f4ae2e14f7b6ee92151dde19a4aee
Date: 2011-03-06 23:20:20
User: rmiller
Comment:some bugs related to use_cache, etc. also a lot of cleanup.
Timelines: family | ancestors | descendants | both | trunk
Downloads: Tarball | ZIP archive
Other Links: files | file ages | folders | manifest
Tags And Properties
Context
2011-03-06
23:30
[49947c3157] remove pbl_set_verdict. It was a waste of code lines. (user: rmiller, tags: trunk)
23:20
[371d474ebc] some bugs related to use_cache, etc. also a lot of cleanup. (user: rmiller, tags: trunk)
17:47
[d59c5b24a3] update readme (user: rmiller, tags: trunk)
Changes

Modified packetbl.c from [c4e4dc8395] to [ac69747424].

     1      1   
     2         -/* Copyright 2004 Russell Miller
            2  +/* Copyright 2004-2011 Russell Miller
     3      3       This program is free software; you can redistribute it and/or modify
     4      4       it under the terms of the GNU General Public License as published by
     5      5       the Free Software Foundation; either version 2 of the License, or
     6      6       (at your option) any later version.
     7      7   
     8      8       This program is distributed in the hope that it will be useful,
     9      9       but WITHOUT ANY WARRANTY; without even the implied warranty of
................................................................................
    41     41   
    42     42   	pid = fork();
    43     43   
    44     44   	if (pid > 0) {
    45     45   		exit(EXIT_SUCCESS);
    46     46   	}
    47     47   	if (pid < 0) {
    48         -		if (conf.debug == 0) {
    49         -			syslog(LOG_ERR, "Fork failed while daemonizing: %s",
    50         -				strerror(errno));
    51         -		} else {
    52         -			fprintf(stderr, "Fork failed while daemonizing: %s",
    53         -				strerror(errno));
    54         -		}
           48  +		DPRINT("Fork failed while damonizing: %s", strerror(errno));
    55     49   		exit(EXIT_FAILURE);
    56     50   	}
    57     51   
    58     52   }
    59     53   
    60     54   #ifdef USE_CACHE
    61     55   /*
................................................................................
   174    168   int packet_check_ip(const struct packet_info ip) {
   175    169   	int retval;
   176    170   
   177    171   #ifdef USE_CACHE
   178    172   	uint32_t ipaddr_check;
   179    173   	uint32_t cache_hash = 0;
   180    174   	time_t currtime;
   181         -	char *actionstr;
          175  +	char *actionstr = NULL, *buf = NULL;
   182    176   
   183    177   	currtime = time(NULL);
   184    178   
   185    179   	ipaddr_check = packet_info_to_ip(ip);
   186    180   	if (packet_cache_len > 0) {
   187    181   		cache_hash = packet_cache_hash(ip) % packet_cache_len;
   188    182   	}
   189         -
          183  +	buf = get_ip_string(&ip);
   190    184   	if (cache_hash>0 && cache_hash<packet_cache_len && packet_cache != NULL) {
   191    185   		if (packet_cache[cache_hash].ipaddr==ipaddr_check 
   192    186   				&& packet_cache[cache_hash].expires>currtime) {
   193         -			get_ip_string(&ip);
   194    187   			retval = packet_cache[cache_hash].action;
   195    188   			switch (retval) {
   196    189   				case NF_DROP:
   197    190   					actionstr="reject";
   198    191   					statistics.cachereject++;
   199    192   					break;
   200    193   				case NF_ACCEPT:
................................................................................
   201    194   					actionstr="accept";
   202    195   					statistics.cacheaccept++;
   203    196   					break;
   204    197   				default:
   205    198   					actionstr="???";
   206    199   					break;
   207    200   			}
   208         -			if (!conf.quiet) {
   209         -				if (conf.debug == 0) {
   210         -					syslog(LOG_INFO, "[Found in cache (%s)] [%s]",
   211         -						actionstr, msgbuf);
   212         -				} else {
   213         -					fprintf(stderr, "[Found in cache (%s)] [%s]",
   214         -						actionstr, msgbuf);
   215         -				}
   216         -			}
          201  +			DPRINTQ("[Found in cache (%s)] [%s]",
          202  +					actionstr, buf);
          203  +			free(buf);
   217    204   			return retval;
   218    205   		}
   219    206   	}
          207  +#else
          208  +	int rv;
          209  +	char *buf;
          210  +
          211  +	buf = get_ip_string(&ip);
   220    212   #endif
   221    213   
   222         -	/* the get_ip_string is set AFTER the check_packet_*
   223         -	 * calls because of the possibility they could screw with
   224         -	 * msgbuf.  They shouldn't, really, but better safe than
   225         -	 * sorry, at least for now. */
   226         -	if (check_packet_list(&ip, conf.whitelist) == 1) {
   227         -		get_ip_string(&ip);
   228         -		if (!conf.quiet) {
   229         -			if (conf.debug == 0) {
   230         -				syslog(LOG_INFO,
   231         -					"[accept whitelist] [%s]",
   232         -						msgbuf);
   233         -			} else {
   234         -				fprintf(stderr,
   235         -					"[accept whitelist] [%s]",
   236         -						msgbuf);
   237         -			}
   238         -		}
          214  +	if (retval = check_packet_list(&ip, conf.whitelist) > 0) {
          215  +		DPRINTQ("[accept whitelist] [%s] [%d]\n", buf, retval);
   239    216   		statistics.whitelisthits++;
   240    217   		retval=NF_ACCEPT;
   241         -	} else
   242         -	if (check_packet_list(&ip, conf.blacklist) == 1) {
   243         -		get_ip_string(&ip);
   244         -		if (!conf.quiet) {
   245         -			if (conf.debug == 0) {
   246         -				syslog(LOG_INFO,
   247         -					"[reject blacklist] [%s]\n",
   248         -						msgbuf);
   249         -			} else {
   250         -				fprintf(stderr,
   251         -					"[reject blacklist] [%s]\n",
   252         -						msgbuf);
   253         -			}
   254         -				
   255         -		}
          218  +	} else if (retval = check_packet_list(&ip, conf.blacklist) > 0) {
          219  +		DPRINTQ("[reject blacklist] [%s] [%d]\n", buf, retval);
   256    220   		statistics.blacklisthits++;
   257    221   		retval=NF_DROP;
   258         -	} else
   259         -	if (check_packet_dnsbl(&ip, conf.whitelistbl) == 1) {
   260         -		get_ip_string(&ip);
   261         -		if (!conf.quiet) {
   262         -			if (conf.debug == 0) {
   263         -				syslog(LOG_INFO,
   264         -					"[accept dnsbl] [%s]",
   265         -						msgbuf);
   266         -			} else {
   267         -				fprintf(stderr,
   268         -					"[accept dnsbl] [%s]",
   269         -						msgbuf);
   270         -			}
   271         -		}
          222  +	} else if (retval = check_packet_dnsbl(&ip, conf.whitelistbl) > 0) {
          223  +		DPRINTQ("[accept dnsbl] [%s] [%d]", buf, retval);
   272    224   		statistics.whitelistblhits++;
   273    225   		retval=NF_ACCEPT;
   274         -	} else
   275         -	if (check_packet_dnsbl(&ip, conf.blacklistbl) == 1) {
   276         -		get_ip_string(&ip);
   277         -		if (!conf.quiet) {
   278         -			if (conf.debug == 0) {
   279         -				syslog(LOG_INFO,
   280         -					"[reject dnsbl] [%s]",
   281         -						msgbuf);
   282         -			} else {
   283         -				fprintf(stderr,
   284         -					"[reject dnsbl] [%s]",
   285         -						msgbuf);
   286         -			}
   287         -		}
          226  +	} else if (retval = check_packet_dnsbl(&ip, conf.blacklistbl) > 0) {
          227  +		DPRINTQ("[reject dnsbl] [%s] [%d]", buf, retval);
   288    228   		statistics.blacklistblhits++;
   289    229   		retval=NF_DROP;
   290    230   	} else {
   291         -		get_ip_string(&ip);
   292    231   		if (conf.default_accept == 1) {
   293         -			if (!conf.quiet) {
   294         -				if (conf.debug == 0) {
   295         -					syslog(LOG_INFO,
   296         -						"[accept fallthrough] [%s]",
   297         -							msgbuf);
   298         -				} else {
   299         -					fprintf(stderr,
   300         -						"[accept fallthrough] [%s]",
   301         -							msgbuf);
   302         -				}
   303         -			}
          232  +			DPRINTQ("[accept fallthrough] [%s]", buf);
   304    233   			retval=NF_ACCEPT;
   305    234   		} else {
   306         -			if (!conf.quiet) {
   307         -				if (conf.debug == 0) {
   308         -					syslog(LOG_INFO,
   309         -						"[reject fallthrough] [%s]",
   310         -							msgbuf);
   311         -				} else {
   312         -					fprintf(stderr,
   313         -						"[reject fallthrough] [%s]",
   314         -							msgbuf);
   315         -				}
   316         -
   317         -			}
          235  +			DPRINTQ("[reject fallthrough] [%s]", buf);
   318    236   			retval=NF_DROP;
   319    237   		}
   320    238   		statistics.fallthroughhits++;
   321    239   	}
   322    240   
   323    241   #ifdef USE_CACHE
   324    242   	/* Put current action into the cache. */
................................................................................
   325    243   	if (packet_cache != NULL) {
   326    244   		packet_cache[cache_hash].ipaddr = ipaddr_check;
   327    245   		packet_cache[cache_hash].action = retval;
   328    246   		packet_cache[cache_hash].expires = currtime + packet_cache_ttl;
   329    247   	}
   330    248   #endif
   331    249   
          250  +	free(buf);
   332    251   	return retval;
   333    252   }
   334    253   
   335    254   static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
   336    255           struct nfq_data *nfa, void *data) {
   337    256   
   338    257   	int ret;
................................................................................
   741    660   		ce = malloc(sizeof(struct config_entry));
   742    661   		if (ce == NULL) {
   743    662   			/* shouldn't happen... */
   744    663   			fprintf(stderr, "Failed to allocate memory for ce struct\n");
   745    664   			exit(EXIT_FAILURE);
   746    665   		}
   747    666   
          667  +		ce->index = i;
   748    668   		ce->string = (char *)strdup(setting);
   749    669   		ce->next = NULL;
   750    670   #ifdef HAVE_FIREDNS
   751    671   		blacklistlen = strlen(ce->string);
   752    672   		if (ce->string[blacklistlen - 1] == '.') {
   753    673   			ce->string[blacklistlen - 1] = '\0';
   754    674   		}
................................................................................
  1070    990    *
  1071    991    * ARGUMENTS:
  1072    992    *   struct packet_info *ip       IP address data to check in supplied list. 
  1073    993    *   struct config_entry *list    List that contains data to check in against,
  1074    994    *                                whitelist for example.
  1075    995    *
  1076    996    * RETURN VALUE:
  1077         - *   0 is returned if the "ip" cannot be found in the given "list".  1 is
  1078         - *   returned on a successful match.
          997  + *   0 is returned if the "ip" cannot be found in the given "list". The index
          998  + *   of the matched list is returned on a successful match.
  1079    999    *
  1080   1000    * NOTES:
  1081   1001    *   "check_packet_list"  searches the given list parameter (which is a list
  1082   1002    *   CIDRs) to determine if the data passed in "ip" matches (whitelist, for
  1083   1003    *   for example).
  1084   1004    *   This function must be able to cope with NULL "ip" and "list" paramters
  1085   1005    *   without aborting.
................................................................................
  1105   1025   	while (1) {
  1106   1026   		uint32_t p = 0;
  1107   1027   
  1108   1028   		p = ip_proc;
  1109   1029   		p &= wltmp->cidr.processed;
  1110   1030   
  1111   1031   		if (p == wltmp->cidr.ip) {
  1112         -			rv = snprintf(msgbuf, sizeof(msgbuf), 
  1113         -					"%hhu.%hhu.%hhu.%hhu %x/%d",
  1114         -					ip->b1, ip->b2, ip->b3, ip->b4,
  1115         -					wltmp->cidr.ip, wltmp->cidr.network);
  1116         -			if (rv < 0) {
  1117         -				syslog(LOG_ERR, "snprintf failed at line %d: %s",
  1118         -					__LINE__, strerror(errno));
  1119         -				exit (1);
  1120         -			}
         1032  +			return wltmp->index;
  1121   1033   			return 1;
  1122   1034   		}
  1123   1035   
  1124   1036   		if (wltmp->next == NULL) {
  1125   1037   			break;
  1126   1038   		}
  1127   1039   
................................................................................
  1128   1040   		wltmp = wltmp->next;
  1129   1041   	}
  1130   1042   	return 0;
  1131   1043   }
  1132   1044   
  1133   1045   /*
  1134   1046    * SYNOPSIS:
  1135         - *   static void get_ip_string(
         1047  + *   char * get_ip_string(
  1136   1048    *                             const struct packet_info *ip
  1137   1049    *                            );
  1138   1050    *
  1139   1051    * ARGUMENTS:
  1140   1052    *   struct packet_info *ip       Structure containing IP parts to construct
  1141   1053    *                                the ASCII representation from.
  1142   1054    *
  1143   1055    * RETURN VALUE:
  1144   1056    *   (none)
  1145   1057    *
  1146   1058    * NOTES:
  1147         - *   This function takes the data in the parameter "ip" and stores an ASCII
  1148         - *   representation in the global variable "msgbuf."
         1059  + *   This function takes the data in the parameter "ip" and returns a buffer
         1060  + *   containing a string representation.  This buffer must be freed.
  1149   1061    *   It must be able to cope with "ip" being NULL.
  1150   1062    *
  1151   1063    */
  1152         -static void get_ip_string(const struct packet_info *ip) {
         1064  +char *get_ip_string(const struct packet_info *ip) {
  1153   1065   
  1154   1066   	int rv;
  1155         -	
         1067  +	char *buf = NULL;
         1068  +
         1069  +	buf = malloc(BUFFERSIZE); 
         1070  +	if (buf == NULL) {
         1071  +		syslog(LOG_ERR, "could not malloc buf in get_ip_string: %s\n",
         1072  +			strerror(errno));
         1073  +		exit(EXIT_FAILURE);
         1074  +	}
         1075  +
  1156   1076   	if (ip == NULL) {
  1157         -		rv = sprintf(msgbuf, "-");
         1077  +		rv = sprintf(buf, "-");
  1158   1078   		if (rv < 0) {	
  1159   1079   			syslog(LOG_ERR, "sprintf failed in line %d: %s",
  1160   1080   				__LINE__, strerror(errno));
  1161         -			exit(1);
         1081  +			exit(EXIT_FAILURE);
  1162   1082   		}
  1163         -		return;
         1083  +		return buf;
  1164   1084   	}
  1165   1085   
  1166         -	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
         1086  +	rv = snprintf(buf, BUFFERSIZE, "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
  1167   1087   			ip->b1, ip->b2, ip->b3, ip->b4,
  1168   1088   			ip->s_port,ip->d_port);
  1169   1089   		if (rv < 0) {
  1170   1090   			syslog(LOG_ERR, "snprintf failed in line %d: %s",
  1171   1091   				__LINE__, strerror(errno));
  1172   1092   			exit(1);
  1173   1093   		}
  1174         -	return;
         1094  +	return buf;
  1175   1095   }
  1176   1096   
  1177   1097   #ifdef USE_SOCKSTAT
  1178   1098   /*
  1179   1099    * SYNOPSIS:
  1180   1100    *   void *pbl_sockstat_thread(
  1181   1101    *                             void *tdata

Modified packetbl.h from [04dd1a732b] to [0899b0d159].

    67     67   # define PBL_SET_MODE nfq_set_mode
    68     68   # define PBL_COPY_PACKET NFQNL_COPY_PACKET
    69     69   # define PBL_ID_T u_int32_t
    70     70   # define PBL_ERRSTR ""
    71     71   
    72     72   #define DEBUG(x, y) if (conf.debug >= x) { printf(y "\n"); }
    73     73   #define INVALID_OCTET(x) x < 0 || x > 255
           74  +#define DPRINT(format, args...) if (conf.debug == 0) { \
           75  +	syslog(LOG_INFO, format , ## args); \
           76  +} else { \
           77  +	fprintf(stderr, format , ## args); \
           78  +}
           79  +
           80  +#define DPRINTQ(format, args...) if (!conf.quiet) { DPRINT(format, ## args) };
    74     81   
    75     82   struct packet_info {
    76     83   
    77     84   	uint8_t b1;
    78     85   	uint8_t b2;
    79     86   	uint8_t b3;
    80     87   	uint8_t b4;
................................................................................
    95    102   
    96    103   struct config_entry {
    97    104   
    98    105   	char *string;
    99    106   	struct config_entry *next;
   100    107   	struct packet_info ip;
   101    108   	struct cidr	cidr;
          109  +	int index;
   102    110   
   103    111   };
   104    112   
   105         -char msgbuf[BUFFERSIZE];
   106         -
   107    113   struct config {
   108    114   	int	allow_non25;
   109    115   	int	allow_nonsyn;
   110    116   	int	default_accept;
   111    117   	int	dryrun;
   112    118   	int 	log_facility;
   113    119   	int	queueno;
................................................................................
   137    143   struct packet_cache_t {
   138    144   	uint32_t ipaddr;
   139    145   	time_t	expires;
   140    146   	int	action;
   141    147   };
   142    148   struct packet_cache_t *packet_cache = NULL;
   143    149   uint32_t packet_cache_len = USE_CACHE_DEF_LEN;
   144         -uint16_t packet_cache_ttl = USE_CACHE_DEF_TTL;
          150  +uint32_t packet_cache_ttl = USE_CACHE_DEF_TTL;
   145    151   #endif
   146    152   
   147    153   struct config_entry *hostlistcache = NULL;
   148    154   
   149    155   int get_packet_info(char *payload, struct packet_info *ip);
   150    156   
   151    157   int check_packet_list(const struct packet_info *ip, struct config_entry *list);
   152    158   int check_packet_dnsbl(const struct packet_info *ip, struct config_entry *list);
   153    159   int parse_cidr(struct config_entry *ce);
   154    160   /* int validate_blacklist(char *); */
   155    161   void parse_config(void);
   156    162   void parse_arguments(int argc, char **argv);
   157    163   void pbl_init_sockstat(void);
   158         -static void get_ip_string(const struct packet_info *ip);
          164  +char * get_ip_string(const struct packet_info *ip);
   159    165   static void pbl_set_verdict(struct PBL_HANDLE *h, PBL_ID_T id,
   160    166           unsigned int verdict);
   161    167   
   162    168   static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
   163    169   	struct nfq_data *nfa, void *data);
   164    170   	
   165    171   typedef struct facility {