Check-in [697a450bd4]
Overview
SHA1:697a450bd42d279beab51606e6e0f3169d0117b9
Date: 2011-03-06 17:18:26
User: rmiller
Comment:This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway.
Changes

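--- a/config
+++ b/config
@@ -1,37 +1,10 @@
 
-# blacklistbl/whitelistbl blacklist
-# whitelist/blacklist cidr
-
-<host>
-	blacklistbl	dnsbl.sorbs.net
-	blacklistbl	relay.ordb.org
-	whitelist	127.0.0.0/8
-</host>
+options: {
+	allow_nonport25 = false;
+	dryrun = false;
+	queueno = 2;
+	quiet = false;
+	debug = 2;
+};
 
-# uncomment this if you wish the fallthrough action to be to reject.
-#FallthroughAccept	no
-
-# uncomment this if you wish to handle other destination ports than SMTP.
-# this is here so that you don't do something really stupid without reading
-# the wiki and understanding all of the ramifications.
-#AllowNonPort25		no
-
-# uncomment this if you want to allow packets that don't have the SYN
-# flag set.
-#AllowNonSyn		no
-
-# uncomment this to accept unconditionally while still logging as if you've
-# done the rejecting.
-#DryRun			no
-
-# uncomment this to set the size of the cache to use.
-#CacheSize		8192
-
-# uncomment this to set the time-to-live for cached entries (in seconds)
-#CacheTTL		3600
-
-#LogFacility		daemon
-
-# Set this to true to cause PacketBL to *NOT* write to syslog() every time a
-# packet is processed.
-#Quiet			no
+blacklist = [ "127.0.0.1" ];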
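Review bot: The new default `blacklist = [ "127.0.0.1" ];` blacklists the loopback address, where the old file whitelisted `127.0.0.0/8`; if this is a test value it should not ship as the example config, since a user who copies it unchanged will drop their own local SMTP traffic. The rewrite also drops every explanatory comment and the examples for `fallthroughaccept`, `allownonsyn`, the `cache` block and `blacklistbl`/`whitelistbl`, all of which packetbl.c still looks up (see its `config_lookup_bool`/`config_lookup_int` calls), so the example no longer documents the available options; one commented line per option, e.g. `# allownonsyn = false;` inside `options`, would keep that documentation since libconfig accepts `#`, `//` and `/* */` comments. `debug = 2;` as the shipped default looks like a testing leftover as well.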

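--- a/packetbl.c
+++ b/packetbl.c
@@ -79,16 +79,16 @@
 struct packet_info {
 
 	uint8_t b1;
 	uint8_t b2;
 	uint8_t b3;
 	uint8_t b4;
 
-	int s_port;
-	int d_port;
+	unsigned int s_port;
+	unsigned int d_port;
 
 	int flags;
 };
 
 struct cidr {
 
 	uint32_t ip;
@@ -119,15 +119,15 @@
 	int	debug;
 	struct config_entry *blacklistbl;
 	struct config_entry *whitelistbl;
 	struct config_entry *blacklist;
 	struct config_entry *whitelist;
 };
 
-static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 0, 0, 0, NULL, NULL, NULL, NULL };
+static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL };
 
 struct pbl_stat_info {
 	uint32_t	cacheaccept;
 	uint32_t	cachereject;
 	uint32_t	whitelistblhits;
 	uint32_t	blacklistblhits;
 	uint32_t	whitelisthits;
@@ -417,19 +417,19 @@
 		retval=NF_ACCEPT;
 	} else
 	if (check_packet_list(&ip, conf.blacklist) == 1) {
 		get_ip_string(&ip);
 		if (!conf.quiet) {
 			if (conf.debug == 0) {
 				syslog(LOG_INFO,
-					"[reject blacklist] [%s]",
+					"[reject blacklist] [%s]\n",
 						msgbuf);
 			} else {
 				fprintf(stderr,
-					"[reject blacklist] [%s]",
+					"[reject blacklist] [%s]\n",
 						msgbuf);
 			}
 				
 		}
 		statistics.blacklisthits++;
 		retval=NF_DROP;
 	} else
@@ -840,14 +840,15 @@
 	/* there are default, so I'm not checking return values.  If it fails,
 	 * then we'll just stay with the default, whatever that might be. */
 	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
 	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
 	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
 	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
 	config_lookup_bool(config, "options.quiet", &conf.quiet);
+	config_lookup_int(config, "options.debug", &conf.debug);
 
 #ifdef USE_CACHE
 	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);
 
 	if (packet_cache_ttl < 0) {
 		packet_cache_ttl = USE_CACHE_DEF_TTL;
 		fprintf(stderr, "config cache TTL negative - using default");
@@ -870,15 +871,15 @@
 				break;
 			} else {
 				i++;
 			}
 		}
 	}
 	
-	config_lookup_int(config, "config.queueno", &conf.queueno);
+	config_lookup_int(config, "options.queueno", &conf.queueno);
 	
 	if (conf.queueno < 0) {
 		conf.queueno = 1;
 		fprintf(stderr, "queueno negative - using default");
 	}
 
 	config_setting = config_lookup(config, "blacklistbl");
@@ -905,16 +906,19 @@
 	int i = 0, len = 0;
 	char *setting;
 #ifdef HAVE_FIREDNS
 	size_t blacklistlen = 0;
 #endif
 
 	len = config_setting_length(c);
-	while (i++ < len) {
+	while (i < len) {
 		setting = config_setting_get_string_elem(c, i);
+		if (setting == NULL) {
+			break;
+		}
 		ce = malloc(sizeof(struct config_entry));
 		if (ce == NULL) {
 			/* shouldn't happen... */
 			fprintf(stderr, "Failed to allocate memory for ce struct\n");
 			exit(EXIT_FAILURE);
 		}
 
@@ -922,14 +926,16 @@
 		ce->next = NULL;
 #ifdef HAVE_FIREDNS
 		blacklistlen = strlen(ce->string);
 		if (ce->string[blacklistlen - 1] == '.') {
 			ce->string[blacklistlen - 1] = '\0';
 		}
 #endif
+
+		i++;
 
 		switch (type) {
 			case 1:
 				if (conf.blacklistbl == NULL) {
 					conf.blacklistbl = ce;
 					continue;
 				} else {
@@ -940,14 +946,15 @@
 				if (conf.whitelistbl == NULL) {
 					conf.whitelistbl = ce;
 					continue;
 				} else {
 					tmp = conf.whitelistbl;
 				}
 			case 3:
+				fprintf(stderr, "got %s for blacklist\n", ce->string);
 				if (parse_cidr(ce) == -1) {
 					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
 					free(ce->string);
 					free(ce);
 					continue;
 				}
 				if (conf.blacklist == NULL) {
@@ -1329,15 +1336,15 @@
 			syslog(LOG_ERR, "sprintf failed in line %d: %s",
 				__LINE__, strerror(errno));
 			exit(1);
 		}
 		return;
 	}
 
-	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%d.%d", 
+	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
 			ip->b1, ip->b2, ip->b3, ip->b4,
 			ip->s_port,ip->d_port);
 		if (rv < 0) {
 			syslog(LOG_ERR, "snprintf failed in line %d: %s",
 				__LINE__, strerror(errno));
 			exit(1);
 		}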
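Review bot: The `fprintf(stderr, "got %s for blacklist\n", ce->string);` added at the top of `case 3` is unconditional, so every configured entry is echoed to stderr on each config load regardless of `conf.debug`, unlike the reject messages at lines 421–428 which are gated; `if (conf.debug) { fprintf(stderr, "got %s for blacklist\n", ce->string); }` would match that convention. It will also fire for `whitelistbl` entries, because `case 2`'s else branch (old lines 944–945) runs straight into `case 3:` on line 946 with no `break`, which then hands a DNSBL hostname to `parse_cidr()` and presumably ends in the "Error parsing CIDR" path that frees the entry; a `break;` before `case 3:` (or an explicit `/* fallthrough */` if this is intended) is needed, and `case 1` may have the same gap in the lines not shown. The new `if (setting == NULL) { break; }` in the `while (i < len)` loop silently abandons the rest of the list at the first non-string element, so a malformed config loses entries without any message; logging `i` before breaking (or `i++; continue;` to skip just that element) would make the problem visible to the operator. The enclosing function starts and ends outside the shown hunks.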