Check-in [697a450bd4]
Overview
SHA1:697a450bd42d279beab51606e6e0f3169d0117b9
Date: 2011-03-06 17:18:26
User: rmiller
Comment:This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway.
Changes

Modified config from [acf0fe0a90] to [0d25dcff77].

1
2
3
4

5
6
7
8
9

10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37


# blacklistbl/whitelistbl blacklist
# whitelist/blacklist cidr


<host>
	blacklistbl	dnsbl.sorbs.net
	blacklistbl	relay.ordb.org
	whitelist	127.0.0.0/8
</host>


# uncomment this if you wish the fallthrough action to be to reject.
#FallthroughAccept	no

# uncomment this if you wish to handle other destination ports than SMTP.
# this is here so that you don't do something really stupid without reading
# the wiki and understanding all of the ramifications.
#AllowNonPort25		no

# uncomment this if you want to allow packets that don't have the SYN
# flag set.
#AllowNonSyn		no

# uncomment this to accept unconditionally while still logging as if you've
# done the rejecting.
#DryRun			no

# uncomment this to set the size of the cache to use.
#CacheSize		8192

# uncomment this to set the time-to-live for cached entries (in seconds)
#CacheTTL		3600

#LogFacility		daemon

# Set this to true to cause PacketBL to *NOT* write to syslog() every time a
# packet is processed.
#Quiet			no


|
|
<
>
|
|
|
<
<
>

<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
>
1
2
3

4
5
6
7


8
9



























10

options: {
	allow_nonport25 = false;

	dryrun = false;
	queueno = 2;
	quiet = false;
	debug = 2;


};




























blacklist = [ "127.0.0.1" ];

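Review bot: The new libconfig-format sample drops every explanatory comment the old file carried and shows only four keys, so a reader can no longer discover from the sample the other options the loader reads on this page, namely `options.fallthroughaccept`, `options.allownonsyn` and `cache.ttl`. Suggest restoring the old per-option explanations as libconfig comments with commented-out examples, e.g. `# fallthroughaccept = false;` and `# cache: { ttl = 3600; };`, so the sample documents the accepted schema. The `blacklist = [ "127.0.0.1" ];` entry replaces the old `whitelist 127.0.0.0/8` line; if it is a test value it should be marked as such with a comment rather than shipped as the default. The `debug = 2;` setting also deserves a comment saying that non-zero debug routes the reject/accept messages to stderr instead of syslog, as the dispatch in packetbl.c shows.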
Modified packetbl.c from [9a2b349279] to [939b1038a8].

79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
...
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
...
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
...
840
841
842
843
844
845
846

847
848
849
850
851
852
853
...
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
...
905
906
907
908
909
910
911
912
913



914
915
916
917
918
919
920
...
922
923
924
925
926
927
928


929
930
931
932
933
934
935
...
940
941
942
943
944
945
946

947
948
949
950
951
952
953
....
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
struct packet_info {

	uint8_t b1;
	uint8_t b2;
	uint8_t b3;
	uint8_t b4;

	int s_port;
	int d_port;

	int flags;
};

struct cidr {

	uint32_t ip;
................................................................................
	int	debug;
	struct config_entry *blacklistbl;
	struct config_entry *whitelistbl;
	struct config_entry *blacklist;
	struct config_entry *whitelist;
};

static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 0, 0, 0, NULL, NULL, NULL, NULL };

struct pbl_stat_info {
	uint32_t	cacheaccept;
	uint32_t	cachereject;
	uint32_t	whitelistblhits;
	uint32_t	blacklistblhits;
	uint32_t	whitelisthits;
................................................................................
		retval=NF_ACCEPT;
	} else
	if (check_packet_list(&ip, conf.blacklist) == 1) {
		get_ip_string(&ip);
		if (!conf.quiet) {
			if (conf.debug == 0) {
				syslog(LOG_INFO,
					"[reject blacklist] [%s]",
						msgbuf);
			} else {
				fprintf(stderr,
					"[reject blacklist] [%s]",
						msgbuf);
			}
				
		}
		statistics.blacklisthits++;
		retval=NF_DROP;
	} else
................................................................................
	/* there are default, so I'm not checking return values.  If it fails,
	 * then we'll just stay with the default, whatever that might be. */
	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
	config_lookup_bool(config, "options.quiet", &conf.quiet);


#ifdef USE_CACHE
	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);

	if (packet_cache_ttl < 0) {
		packet_cache_ttl = USE_CACHE_DEF_TTL;
		fprintf(stderr, "config cache TTL negative - using default");
................................................................................
				break;
			} else {
				i++;
			}
		}
	}
	
	config_lookup_int(config, "config.queueno", &conf.queueno);
	
	if (conf.queueno < 0) {
		conf.queueno = 1;
		fprintf(stderr, "queueno negative - using default");
	}

	config_setting = config_lookup(config, "blacklistbl");
................................................................................
	int i = 0, len = 0;
	char *setting;
#ifdef HAVE_FIREDNS
	size_t blacklistlen = 0;
#endif

	len = config_setting_length(c);
	while (i++ < len) {
		setting = config_setting_get_string_elem(c, i);



		ce = malloc(sizeof(struct config_entry));
		if (ce == NULL) {
			/* shouldn't happen... */
			fprintf(stderr, "Failed to allocate memory for ce struct\n");
			exit(EXIT_FAILURE);
		}

................................................................................
		ce->next = NULL;
#ifdef HAVE_FIREDNS
		blacklistlen = strlen(ce->string);
		if (ce->string[blacklistlen - 1] == '.') {
			ce->string[blacklistlen - 1] = '\0';
		}
#endif



		switch (type) {
			case 1:
				if (conf.blacklistbl == NULL) {
					conf.blacklistbl = ce;
					continue;
				} else {
................................................................................
				if (conf.whitelistbl == NULL) {
					conf.whitelistbl = ce;
					continue;
				} else {
					tmp = conf.whitelistbl;
				}
			case 3:

				if (parse_cidr(ce) == -1) {
					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
					free(ce->string);
					free(ce);
					continue;
				}
				if (conf.blacklist == NULL) {
................................................................................
			syslog(LOG_ERR, "sprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
		return;
	}

	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%d.%d", 
			ip->b1, ip->b2, ip->b3, ip->b4,
			ip->s_port,ip->d_port);
		if (rv < 0) {
			syslog(LOG_ERR, "snprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}







|
|







 







|







 







|



|







 







>







 







|







 







|

>
>
>







 







>
>







 







>







 







|







79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
...
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
...
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
...
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
...
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
...
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
...
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
...
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
....
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
struct packet_info {

	uint8_t b1;
	uint8_t b2;
	uint8_t b3;
	uint8_t b4;

	unsigned int s_port;
	unsigned int d_port;

	int flags;
};

struct cidr {

	uint32_t ip;
................................................................................
	int	debug;
	struct config_entry *blacklistbl;
	struct config_entry *whitelistbl;
	struct config_entry *blacklist;
	struct config_entry *whitelist;
};

static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL };

struct pbl_stat_info {
	uint32_t	cacheaccept;
	uint32_t	cachereject;
	uint32_t	whitelistblhits;
	uint32_t	blacklistblhits;
	uint32_t	whitelisthits;
................................................................................
		retval=NF_ACCEPT;
	} else
	if (check_packet_list(&ip, conf.blacklist) == 1) {
		get_ip_string(&ip);
		if (!conf.quiet) {
			if (conf.debug == 0) {
				syslog(LOG_INFO,
					"[reject blacklist] [%s]\n",
						msgbuf);
			} else {
				fprintf(stderr,
					"[reject blacklist] [%s]\n",
						msgbuf);
			}
				
		}
		statistics.blacklisthits++;
		retval=NF_DROP;
	} else
................................................................................
	/* there are default, so I'm not checking return values.  If it fails,
	 * then we'll just stay with the default, whatever that might be. */
	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
	config_lookup_bool(config, "options.quiet", &conf.quiet);
	config_lookup_int(config, "options.debug", &conf.debug);

#ifdef USE_CACHE
	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);

	if (packet_cache_ttl < 0) {
		packet_cache_ttl = USE_CACHE_DEF_TTL;
		fprintf(stderr, "config cache TTL negative - using default");
................................................................................
				break;
			} else {
				i++;
			}
		}
	}
	
	config_lookup_int(config, "options.queueno", &conf.queueno);
	
	if (conf.queueno < 0) {
		conf.queueno = 1;
		fprintf(stderr, "queueno negative - using default");
	}

	config_setting = config_lookup(config, "blacklistbl");
................................................................................
	int i = 0, len = 0;
	char *setting;
#ifdef HAVE_FIREDNS
	size_t blacklistlen = 0;
#endif

	len = config_setting_length(c);
	while (i < len) {
		setting = config_setting_get_string_elem(c, i);
		if (setting == NULL) {
			break;
		}
		ce = malloc(sizeof(struct config_entry));
		if (ce == NULL) {
			/* shouldn't happen... */
			fprintf(stderr, "Failed to allocate memory for ce struct\n");
			exit(EXIT_FAILURE);
		}

................................................................................
		ce->next = NULL;
#ifdef HAVE_FIREDNS
		blacklistlen = strlen(ce->string);
		if (ce->string[blacklistlen - 1] == '.') {
			ce->string[blacklistlen - 1] = '\0';
		}
#endif

		i++;

		switch (type) {
			case 1:
				if (conf.blacklistbl == NULL) {
					conf.blacklistbl = ce;
					continue;
				} else {
................................................................................
				if (conf.whitelistbl == NULL) {
					conf.whitelistbl = ce;
					continue;
				} else {
					tmp = conf.whitelistbl;
				}
			case 3:
				fprintf(stderr, "got %s for blacklist\n", ce->string);
				if (parse_cidr(ce) == -1) {
					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
					free(ce->string);
					free(ce);
					continue;
				}
				if (conf.blacklist == NULL) {
................................................................................
			syslog(LOG_ERR, "sprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
		return;
	}

	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
			ip->b1, ip->b2, ip->b3, ip->b4,
			ip->s_port,ip->d_port);
		if (rv < 0) {
			syslog(LOG_ERR, "snprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
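Review bot: In the config-entry loop (its function starts outside the hunk), the `case 2:` else-branch ends with `tmp = conf.whitelistbl;` and no `break;` before `case 3:`, so any whitelistbl entry after the first falls through into the CIDR branch, where `parse_cidr` rejects the hostname and frees it; unless a `break` sits in the elided lines, only the first whitelistbl entry ever survives, and the fix is a `break;` after that `}`. The same hunk adds an unconditional `fprintf(stderr, "got %s for blacklist\n", ce->string);` in case 3, which reads as leftover tracing and should be gated on `conf.debug` like the other diagnostics. Under `#ifdef HAVE_FIREDNS` the trailing-dot strip indexes `ce->string[blacklistlen - 1]` without checking for an empty string, so an empty list element would read before the buffer; `if (blacklistlen > 0 && ce->string[blacklistlen - 1] == '.')` closes that. The `static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, ... }` change flips the sixth positional value from 0 to 1, and nothing in the hunk says which field that is; designated initializers (`.debug = 0`, and the changed field by name) would make such a change reviewable. Finally, `%hu` in the new snprintf format now receives `unsigned int` fields; if the ports are meant to be 16-bit, declaring `s_port`/`d_port` as `uint16_t` keeps the struct and the format in agreement.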