Check-in [697a450bd4]
Overview
Comment:This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway.
SHA1: 697a450bd42d279beab51606e6e0f3169d0117b9
User & Date: rmiller on 2011-03-06 17:18:26
Context
2011-03-06
17:33
move include stuff to the include file. add new include file for packetbl_getstat check-in: 2dad03cf84 user: rmiller tags: trunk
17:18
This has been verified to work, at least on a quick test. Need to test more thoroughly. Good for a beta release, anyway. check-in: 697a450bd4 user: rmiller tags: trunk
02:10
This fixes a few segfaults with an empty config file. It's, of course, *useless* with an empty config file, but that's for testing at a later time. check-in: 5396b2b79c user: rmiller tags: trunk
Changes

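--- a/config
+++ b/config
@@ -1,37 +1,10 @@
 
-# blacklistbl/whitelistbl blacklist
-# whitelist/blacklist cidr
-
+options: {
-<host>
-	blacklistbl	dnsbl.sorbs.net
-	blacklistbl	relay.ordb.org
-	whitelist	127.0.0.0/8
-</host>
-
+	allow_nonport25 = false;
-# uncomment this if you wish the fallthrough action to be to reject.
-#FallthroughAccept	no
-
+	dryrun = false;
-# uncomment this if you wish to handle other destination ports than SMTP.
-# this is here so that you don't do something really stupid without reading
-# the wiki and understanding all of the ramifications.
-#AllowNonPort25		no
-
+	queueno = 2;
-# uncomment this if you want to allow packets that don't have the SYN
-# flag set.
-#AllowNonSyn		no
-
+	quiet = false;
-# uncomment this to accept unconditionally while still logging as if you've
-# done the rejecting.
-#DryRun			no
-
+	debug = 2;
-# uncomment this to set the size of the cache to use.
-#CacheSize		8192
-
+};
-# uncomment this to set the time-to-live for cached entries (in seconds)
-#CacheTTL		3600
 
-#LogFacility		daemon
-
+blacklist = [ "127.0.0.1" ];
-# Set this to true to cause PacketBL to *NOT* write to syslog() every time a
-# packet is processed.
-#Quiet			no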
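Review bot: The rewritten sample drops every explanatory comment the old file carried, so a reader of the new `options: { ... }` block has no indication of what `allow_nonport25`, `dryrun`, `queueno`, `quiet` or `debug` mean or what happens when they are omitted; the removed warning `# uncomment this if you wish to handle other destination ports than SMTP.` is worth keeping next to `allow_nonport25 = false;` in particular. The sample also ships with `debug = 2;`, and the packetbl.c hunk in this check-in sends reject messages to stderr instead of syslog whenever `conf.debug` is non-zero, so output from a process started with this file as-is is likely to be lost once it detaches from a terminal; `debug = 0;` for the shipped sample, or a comment saying that a non-zero debug disables syslog output, would avoid that surprise. Keys that packetbl.c reads but the sample never shows (`fallthroughaccept`, `allownonsyn`, `cache.ttl`) could be listed as commented-out entries so the file stays a complete reference.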

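--- a/packetbl.c
+++ b/packetbl.c
@@ -79,16 +79,16 @@
 struct packet_info {
 
 	uint8_t b1;
 	uint8_t b2;
 	uint8_t b3;
 	uint8_t b4;
 
-	int s_port;
-	int d_port;
+	unsigned int s_port;
+	unsigned int d_port;
 
 	int flags;
 };
 
 struct cidr {
 
 	uint32_t ip;
@@ -119,15 +119,15 @@
 	int	debug;
 	struct config_entry *blacklistbl;
 	struct config_entry *whitelistbl;
 	struct config_entry *blacklist;
 	struct config_entry *whitelist;
 };
 
-static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 0, 0, 0, NULL, NULL, NULL, NULL };
+static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL };
 
 struct pbl_stat_info {
 	uint32_t	cacheaccept;
 	uint32_t	cachereject;
 	uint32_t	whitelistblhits;
 	uint32_t	blacklistblhits;
 	uint32_t	whitelisthits;
@@ -417,19 +417,19 @@
 		retval=NF_ACCEPT;
 	} else
 	if (check_packet_list(&ip, conf.blacklist) == 1) {
 		get_ip_string(&ip);
 		if (!conf.quiet) {
 			if (conf.debug == 0) {
 				syslog(LOG_INFO,
-					"[reject blacklist] [%s]",
+					"[reject blacklist] [%s]\n",
 						msgbuf);
 			} else {
 				fprintf(stderr,
-					"[reject blacklist] [%s]",
+					"[reject blacklist] [%s]\n",
 						msgbuf);
 			}
 				
 		}
 		statistics.blacklisthits++;
 		retval=NF_DROP;
 	} else
@@ -840,14 +840,15 @@
 	/* there are default, so I'm not checking return values.  If it fails,
 	 * then we'll just stay with the default, whatever that might be. */
 	config_lookup_bool(config, "options.fallthroughaccept", &conf.default_accept);
 	config_lookup_bool(config, "options.allownonport25", &conf.allow_non25);
 	config_lookup_bool(config, "options.dryrun", &conf.dryrun);
 	config_lookup_bool(config, "options.allownonsyn", &conf.allow_nonsyn);
 	config_lookup_bool(config, "options.quiet", &conf.quiet);
+	config_lookup_int(config, "options.debug", &conf.debug);
 
 #ifdef USE_CACHE
 	config_lookup_int(config, "cache.ttl", &packet_cache_ttl);
 
 	if (packet_cache_ttl < 0) {
 		packet_cache_ttl = USE_CACHE_DEF_TTL;
 		fprintf(stderr, "config cache TTL negative - using default");
@@ -870,15 +871,15 @@
 				break;
 			} else {
 				i++;
 			}
 		}
 	}
 	
-	config_lookup_int(config, "config.queueno", &conf.queueno);
+	config_lookup_int(config, "options.queueno", &conf.queueno);
 	
 	if (conf.queueno < 0) {
 		conf.queueno = 1;
 		fprintf(stderr, "queueno negative - using default");
 	}
 
 	config_setting = config_lookup(config, "blacklistbl");
@@ -905,49 +906,55 @@
 	int i = 0, len = 0;
 	char *setting;
 #ifdef HAVE_FIREDNS
 	size_t blacklistlen = 0;
 #endif
 
 	len = config_setting_length(c);
-	while (i++ < len) {
+	while (i < len) {
 		setting = config_setting_get_string_elem(c, i);
+		if (setting == NULL) {
+			break;
+		}
 		ce = malloc(sizeof(struct config_entry));
 		if (ce == NULL) {
 			/* shouldn't happen... */
 			fprintf(stderr, "Failed to allocate memory for ce struct\n");
 			exit(EXIT_FAILURE);
 		}
 
 		ce->string = (char *)strdup(setting);
 		ce->next = NULL;
 #ifdef HAVE_FIREDNS
 		blacklistlen = strlen(ce->string);
 		if (ce->string[blacklistlen - 1] == '.') {
 			ce->string[blacklistlen - 1] = '\0';
 		}
 #endif
+
+		i++;
 
 		switch (type) {
 			case 1:
 				if (conf.blacklistbl == NULL) {
 					conf.blacklistbl = ce;
 					continue;
 				} else {
 					tmp = conf.blacklistbl;
 				}
 				break;
 			case 2:
 				if (conf.whitelistbl == NULL) {
 					conf.whitelistbl = ce;
 					continue;
 				} else {
 					tmp = conf.whitelistbl;
 				}
 			case 3:
+				fprintf(stderr, "got %s for blacklist\n", ce->string);
 				if (parse_cidr(ce) == -1) {
 					fprintf(stderr, "Error parsing CIDR in %s, ignoring\n", ce->string);
 					free(ce->string);
 					free(ce);
 					continue;
 				}
 				if (conf.blacklist == NULL) {
@@ -1329,15 +1336,15 @@
 			syslog(LOG_ERR, "sprintf failed in line %d: %s",
 				__LINE__, strerror(errno));
 			exit(1);
 		}
 		return;
 	}
 
-	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%d.%d", 
+	rv = snprintf(msgbuf, sizeof(msgbuf), "%hhu.%hhu.%hhu.%hhu:%hu.%hu", 
 			ip->b1, ip->b2, ip->b3, ip->b4,
 			ip->s_port,ip->d_port);
 		if (rv < 0) {
 			syslog(LOG_ERR, "snprintf failed in line %d: %s",
 				__LINE__, strerror(errno));
 			exit(1);
 		}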
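Review bot: In the HAVE_FIREDNS block of the 905–960 hunk, an empty string element in the config list makes `blacklistlen` zero, and `ce->string[blacklistlen - 1]` then reads and writes one byte before the strdup'd buffer; the new `setting == NULL` guard does not cover this case, and the list comes straight from the config file. Change the test to `if (blacklistlen > 0 && ce->string[blacklistlen - 1] == '.') {`, and check `ce->string` for NULL after the `strdup` before calling `strlen` on it, mirroring the malloc check a few lines above. Separately, the `fprintf(stderr, "got %s for blacklist\n", ce->string);` added under `case 3` is also reached from `case 2`, which has no `break` after its else branch, so whitelistbl entries with a non-empty list would be reported as blacklist entries and handed to `parse_cidr`; if that fallthrough is unintended, a `break;` closing the `case 2` block fixes both, and if it is intended it deserves a `/* fallthrough */` comment. The enclosing function starts before the hunk and continues past it.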