PacketBL
Check-in [697a450bd4]
Login
HomeTimelineFilesBranchesTagsTicketsWiki
Overview
Comment:This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway.
Downloads: Tarball | ZIP archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 697a450bd42d279beab51606e6e0f3169d0117b9
User & Date: rmiller on 2011-03-06 17:18:26.000
Other Links: manifest | tags
Context
2011-03-06
17:33
move include stuff to the include file. add new include file for packetbl_getstat check-in: 2dad03cf84 user: rmiller tags: trunk
17:18
This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway. check-in: 697a450bd4 user: rmiller tags: trunk
02:10
This fixes a few segfaults with an empty config file. It's, of course, *useless* with an empty config file, but that's for testing at a later time. check-in: 5396b2b79c user: rmiller tags: trunk
Changes
Unified Diff Ignore Whitespace Patch
Modified config from [acf0fe0a90] to [0d25dcff77]. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37


# blacklistbl/whitelistbl blacklist
# whitelist/blacklist cidr

<host>
	blacklistbl	dnsbl.sorbs.net
	blacklistbl	relay.ordb.org
	whitelist	127.0.0.0/8
</host>

# uncomment this if you wish the fallthrough action to be to reject.
#FallthroughAccept	no

# uncomment this if you wish to handle other destination ports than SMTP.
# this is here so that you don't do something really stupid without reading
# the wiki and understanding all of the ramifications.
#AllowNonPort25		no

# uncomment this if you want to allow packets that don't have the SYN
# flag set.
#AllowNonSyn		no

# uncomment this to accept unconditionally while still logging as if you've
# done the rejecting.
#DryRun			no

# uncomment this to set the size of the cache to use.
#CacheSize		8192

# uncomment this to set the time-to-live for cached entries (in seconds)
#CacheTTL		3600

#LogFacility		daemon

# Set this to true to cause PacketBL to *NOT* write to syslog() every time a
# packet is processed.
#Quiet			no


<
<
|
<
<
<
<
<
|
<
<
|
<
<
<
<
|
<
<
<
|
<
<
<
|
<
<
|
<
<

<
|
<
<
<

1


2





3


4




5



6



7


8


9

10







options: {





	allow_nonport25 = false;


	dryrun = false;




	queueno = 2;



	quiet = false;



	debug = 2;


};




blacklist = [ "127.0.0.1" ];
Modified packetbl.c from [9a2b349279] to [939b1038a8]. 
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

struct packet_info {

	uint8_t b1;
	uint8_t b2;
	uint8_t b3;
	uint8_t b4;

	int s_port;
	int d_port;

	int flags;
};

struct cidr {

	uint32_t ip;








|
|








79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

struct packet_info {

	uint8_t b1;
	uint8_t b2;
	uint8_t b3;
	uint8_t b4;

	unsigned int s_port;
	unsigned int d_port;

	int flags;
};

struct cidr {

	uint32_t ip;

119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

	int	debug;
	struct config_entry *blacklistbl;
	struct config_entry *whitelistbl;
	struct config_entry *blacklist;
	struct config_entry *whitelist;
};

static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 0, 0, 0, NULL, NULL, NULL, NULL };

struct pbl_stat_info {
	uint32_t	cacheaccept;
	uint32_t	cachereject;
	uint32_t	whitelistblhits;
	uint32_t	blacklistblhits;
	uint32_t	whitelisthits;








|








119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

	int	debug;
	struct config_entry *blacklistbl;
	struct config_entry *whitelistbl;
	struct config_entry *blacklist;
	struct config_entry *whitelist;
};

static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL };

struct pbl_stat_info {
	uint32_t	cacheaccept;
	uint32_t	cachereject;
	uint32_t	whitelistblhits;
	uint32_t	blacklistblhits;
	uint32_t	whitelisthits;

417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435

		retval=NF_ACCEPT;
	} else
	if (check_packet_list(&ip, conf.blacklist) == 1) {
		get_ip_string(&ip);
		if (!conf.quiet) {
			if (conf.debug == 0) {
				syslog(LOG_INFO,
					"[reject blacklist] [%s]",
						msgbuf);
			} else {
				fprintf(stderr,
					"[reject blacklist] [%s]",
						msgbuf);
			}
				
		}
		statistics.blacklisthits++;
		retval=NF_DROP;
	} else








|



|








417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435

		retval=NF_ACCEPT;
	} else
	if (check_packet_list(&ip, conf.blacklist) == 1) {
		get_ip_string(&ip);
		if (!conf.quiet) {
			if (conf.debug == 0) {
				syslog(LOG_INFO,
					"[reject blacklist] [%s]\n",
						msgbuf);
			} else {
				fprintf(stderr,
					"[reject blacklist] [%s]\n",
						msgbuf);
			}
				
		}
		statistics.blacklisthits++;
		retval=NF_DROP;
	} else

840
841
842
843
844
845
846

847
848
849
850
851
852
853

	/* there are default, so I'm not checking return values.  If it fails,
	 * then we'll just stay with the default, whatever that might be. */
	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
	config_lookup_bool(config, "options.quiet", &conf.quiet);


#ifdef USE_CACHE
	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);

	if (packet_cache_ttl < 0) {
		packet_cache_ttl = USE_CACHE_DEF_TTL;
		fprintf(stderr, "config cache TTL negative - using default");








>








840
841
842
843
844
845
846
847
848
849
850
851
852
853
854

	/* there are default, so I'm not checking return values.  If it fails,
	 * then we'll just stay with the default, whatever that might be. */
	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
	config_lookup_bool(config, "options.quiet", &conf.quiet);
	config_lookup_int(config, "options.debug", &conf.debug);

#ifdef USE_CACHE
	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);

	if (packet_cache_ttl < 0) {
		packet_cache_ttl = USE_CACHE_DEF_TTL;
		fprintf(stderr, "config cache TTL negative - using default");

870
871
872
873
874
875
876
877
878
879
880
881
882
883
884

				break;
			} else {
				i++;
			}
		}
	}
	
	config_lookup_int(config, "config.queueno", &conf.queueno);
	
	if (conf.queueno < 0) {
		conf.queueno = 1;
		fprintf(stderr, "queueno negative - using default");
	}

	config_setting = config_lookup(config, "blacklistbl");








|








871
872
873
874
875
876
877
878
879
880
881
882
883
884
885

				break;
			} else {
				i++;
			}
		}
	}
	
	config_lookup_int(config, "options.queueno", &conf.queueno);
	
	if (conf.queueno < 0) {
		conf.queueno = 1;
		fprintf(stderr, "queueno negative - using default");
	}

	config_setting = config_lookup(config, "blacklistbl");

905
906
907
908
909
910
911
912
913



914
915
916
917
918
919
920
921
922
923
924
925
926
927
928


929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946

947
948
949
950
951
952
953

	int i = 0, len = 0;
	char *setting;
#ifdef HAVE_FIREDNS
	size_t blacklistlen = 0;
#endif

	len = config_setting_length(c);
	while (i++ < len) {
		setting = config_setting_get_string_elem(c, i);



		ce = malloc(sizeof(struct config_entry));
		if (ce == NULL) {
			/* shouldn't happen... */
			fprintf(stderr, "Failed to allocate memory for ce struct\n");
			exit(EXIT_FAILURE);
		}

		ce->string = (char *)strdup(setting);
		ce->next = NULL;
#ifdef HAVE_FIREDNS
		blacklistlen = strlen(ce->string);
		if (ce->string[blacklistlen - 1] == '.') {
			ce->string[blacklistlen - 1] = '\0';
		}
#endif



		switch (type) {
			case 1:
				if (conf.blacklistbl == NULL) {
					conf.blacklistbl = ce;
					continue;
				} else {
					tmp = conf.blacklistbl;
				}
				break;
			case 2:
				if (conf.whitelistbl == NULL) {
					conf.whitelistbl = ce;
					continue;
				} else {
					tmp = conf.whitelistbl;
				}
			case 3:

				if (parse_cidr(ce) == -1) {
					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
					free(ce->string);
					free(ce);
					continue;
				}
				if (conf.blacklist == NULL) {








|

>
>
>















>
>


















>








906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960

	int i = 0, len = 0;
	char *setting;
#ifdef HAVE_FIREDNS
	size_t blacklistlen = 0;
#endif

	len = config_setting_length(c);
	while (i < len) {
		setting = config_setting_get_string_elem(c, i);
		if (setting == NULL) {
			break;
		}
		ce = malloc(sizeof(struct config_entry));
		if (ce == NULL) {
			/* shouldn't happen... */
			fprintf(stderr, "Failed to allocate memory for ce struct\n");
			exit(EXIT_FAILURE);
		}

		ce->string = (char *)strdup(setting);
		ce->next = NULL;
#ifdef HAVE_FIREDNS
		blacklistlen = strlen(ce->string);
		if (ce->string[blacklistlen - 1] == '.') {
			ce->string[blacklistlen - 1] = '\0';
		}
#endif

		i++;

		switch (type) {
			case 1:
				if (conf.blacklistbl == NULL) {
					conf.blacklistbl = ce;
					continue;
				} else {
					tmp = conf.blacklistbl;
				}
				break;
			case 2:
				if (conf.whitelistbl == NULL) {
					conf.whitelistbl = ce;
					continue;
				} else {
					tmp = conf.whitelistbl;
				}
			case 3:
				fprintf(stderr, "got %s for blacklist\n", ce->string);
				if (parse_cidr(ce) == -1) {
					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
					free(ce->string);
					free(ce);
					continue;
				}
				if (conf.blacklist == NULL) {

1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343

			syslog(LOG_ERR, "sprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
		return;
	}

	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%d.%d", 
			ip->b1, ip->b2, ip->b3, ip->b4,
			ip->s_port,ip->d_port);
		if (rv < 0) {
			syslog(LOG_ERR, "snprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}








|








1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350

			syslog(LOG_ERR, "sprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
		return;
	}

	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
			ip->b1, ip->b2, ip->b3, ip->b4,
			ip->s_port,ip->d_port);
		if (rv < 0) {
			syslog(LOG_ERR, "snprintf failed in line %d: %s",
				__LINE__, strerror(errno));
			exit(1);
		}
Powered by Fossil · RSS