Index: autom4te.cache/output.0 ================================================================== --- autom4te.cache/output.0 +++ autom4te.cache/output.0 @@ -3971,10 +3971,11 @@ $as_echo "@%:@define HAVE_NFQUEUE /**/" >>confdefs.h LIBS="$LIBS -lnetfilter_queue" + INCLUDES="$INCLUDES -I/usr/include/libnetfilter_queue" have_nfqueue='yes' fi Index: autom4te.cache/requests ================================================================== --- autom4te.cache/requests +++ autom4te.cache/requests @@ -13,29 +13,29 @@ '/usr/share/autoconf/autoconf/autoconf.m4f', 'aclocal.m4', 'configure.in' ], { - 'AM_PROG_F77_C_O' => 1, '_LT_AC_TAGCONFIG' => 1, - 'm4_pattern_forbid' => 1, + 'AM_PROG_F77_C_O' => 1, 'AC_INIT' => 1, - '_AM_COND_IF' => 1, + 'm4_pattern_forbid' => 1, 'AC_CANONICAL_TARGET' => 1, - 'AC_CONFIG_LIBOBJ_DIR' => 1, + '_AM_COND_IF' => 1, 'AC_SUBST' => 1, - 'AC_CANONICAL_HOST' => 1, + 'AC_CONFIG_LIBOBJ_DIR' => 1, 'AC_FC_SRCEXT' => 1, + 'AC_CANONICAL_HOST' => 1, 'AC_PROG_LIBTOOL' => 1, 'AM_INIT_AUTOMAKE' => 1, 'AC_CONFIG_SUBDIRS' => 1, 'AM_AUTOMAKE_VERSION' => 1, 'LT_CONFIG_LTDL_DIR' => 1, - 'AC_REQUIRE_AUX_FILE' => 1, 'AC_CONFIG_LINKS' => 1, - 'LT_SUPPORTED_TAG' => 1, + 'AC_REQUIRE_AUX_FILE' => 1, 'm4_sinclude' => 1, + 'LT_SUPPORTED_TAG' => 1, 'AM_MAINTAINER_MODE' => 1, 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1, '_m4_warn' => 1, 'AM_PROG_CXX_C_O' => 1, '_AM_COND_ENDIF' => 1, 
@@ -44,25 +44,25 @@ 'AC_CONFIG_FILES' => 1, 'include' => 1, 'LT_INIT' => 1, 'AM_GNU_GETTEXT' => 1, 'AC_LIBSOURCE' => 1, - 'AM_PROG_FC_C_O' => 1, 'AC_CANONICAL_BUILD' => 1, + 'AM_PROG_FC_C_O' => 1, 'AC_FC_FREEFORM' => 1, 'AH_OUTPUT' => 1, - '_AM_SUBST_NOTMAKE' => 1, 'AC_CONFIG_AUX_DIR' => 1, - 'AM_PROG_CC_C_O' => 1, + '_AM_SUBST_NOTMAKE' => 1, + 'sinclude' => 1, 'm4_pattern_allow' => 1, - 'sinclude' => 1, - 'AM_CONDITIONAL' => 1, + 'AM_PROG_CC_C_O' => 1, 'AC_CANONICAL_SYSTEM' => 1, + 'AM_CONDITIONAL' => 1, 'AC_CONFIG_HEADERS' => 1, 'AC_DEFINE_TRACE_LITERAL' => 1, 'm4_include' => 1, '_AM_COND_ELSE' => 1, 'AC_SUBST_TRACE' => 1 } ], 'Autom4te::Request' ) ); Index: autom4te.cache/traces.0 ================================================================== --- autom4te.cache/traces.0 +++ autom4te.cache/traces.0 
@@ -394,35 +394,35 @@ @%:@undef HAVE_LIBCONFIG]) m4trace:configure.in:56: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NFQUEUE]) m4trace:configure.in:56: -1- m4_pattern_allow([^HAVE_NFQUEUE$]) m4trace:configure.in:56: -1- AH_OUTPUT([HAVE_NFQUEUE], [/* Enable if you have nfqueue */ @%:@undef HAVE_NFQUEUE]) -m4trace:configure.in:66: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NFNETLINK]) -m4trace:configure.in:66: -1- m4_pattern_allow([^HAVE_NFNETLINK$]) -m4trace:configure.in:66: -1- AH_OUTPUT([HAVE_NFNETLINK], [/* Enable if netlink exists */ +m4trace:configure.in:67: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NFNETLINK]) +m4trace:configure.in:67: -1- m4_pattern_allow([^HAVE_NFNETLINK$]) +m4trace:configure.in:67: -1- AH_OUTPUT([HAVE_NFNETLINK], [/* Enable if netlink exists */ @%:@undef HAVE_NFNETLINK]) -m4trace:configure.in:79: -1- AC_DEFINE_TRACE_LITERAL([HAVE_FIREDNS]) -m4trace:configure.in:79: -1- m4_pattern_allow([^HAVE_FIREDNS$]) -m4trace:configure.in:79: -1- AH_OUTPUT([HAVE_FIREDNS], [/* Enable if you have the optional firedns library */ +m4trace:configure.in:80: -1- AC_DEFINE_TRACE_LITERAL([HAVE_FIREDNS]) +m4trace:configure.in:80: -1- m4_pattern_allow([^HAVE_FIREDNS$]) +m4trace:configure.in:80: -1- AH_OUTPUT([HAVE_FIREDNS], [/* Enable if you have the optional firedns library */ @%:@undef HAVE_FIREDNS]) -m4trace:configure.in:92: -1- AC_DEFINE_TRACE_LITERAL([USE_CACHE]) -m4trace:configure.in:92: -1- m4_pattern_allow([^USE_CACHE$]) -m4trace:configure.in:92: -1- AH_OUTPUT([USE_CACHE], [/* Enable if you want to use a caching mechanism. */ +m4trace:configure.in:93: -1- AC_DEFINE_TRACE_LITERAL([USE_CACHE]) +m4trace:configure.in:93: -1- m4_pattern_allow([^USE_CACHE$]) +m4trace:configure.in:93: -1- AH_OUTPUT([USE_CACHE], [/* Enable if you want to use a caching mechanism. 
*/ @%:@undef USE_CACHE]) -m4trace:configure.in:97: -1- AC_CONFIG_FILES([Makefile]) -m4trace:configure.in:98: -1- AC_CONFIG_HEADERS([config.h]) -m4trace:configure.in:99: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) -m4trace:configure.in:99: -1- m4_pattern_allow([^LIB@&t@OBJS$]) -m4trace:configure.in:99: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([LTLIBOBJS]) -m4trace:configure.in:99: -1- m4_pattern_allow([^LTLIBOBJS$]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([top_builddir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([top_build_prefix]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([srcdir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([abs_srcdir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([top_srcdir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([abs_top_srcdir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([builddir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([abs_builddir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([abs_top_builddir]) -m4trace:configure.in:99: -1- AC_SUBST_TRACE([INSTALL]) +m4trace:configure.in:98: -1- AC_CONFIG_FILES([Makefile]) +m4trace:configure.in:99: -1- AC_CONFIG_HEADERS([config.h]) +m4trace:configure.in:100: -1- AC_SUBST([LIB@&t@OBJS], [$ac_libobjs]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([LIB@&t@OBJS]) +m4trace:configure.in:100: -1- m4_pattern_allow([^LIB@&t@OBJS$]) +m4trace:configure.in:100: -1- AC_SUBST([LTLIBOBJS], [$ac_ltlibobjs]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([LTLIBOBJS]) +m4trace:configure.in:100: -1- m4_pattern_allow([^LTLIBOBJS$]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([top_builddir]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([top_build_prefix]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([srcdir]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([abs_srcdir]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([top_srcdir]) +m4trace:configure.in:100: -1- AC_SUBST_TRACE([abs_top_srcdir]) 
+m4trace:configure.in:100: -1- AC_SUBST_TRACE([builddir])
+m4trace:configure.in:100: -1- AC_SUBST_TRACE([abs_builddir])
+m4trace:configure.in:100: -1- AC_SUBST_TRACE([abs_top_builddir])
+m4trace:configure.in:100: -1- AC_SUBST_TRACE([INSTALL])
Index: configure
==================================================================
--- configure
+++ configure
@@ -3971,10 +3971,11 @@
 $as_echo "#define HAVE_NFQUEUE /**/" >>confdefs.h
 LIBS="$LIBS -lnetfilter_queue"
+ INCLUDES="$INCLUDES -I/usr/include/libnetfilter_queue"
 have_nfqueue='yes'
 fi
Index: configure.in
==================================================================
--- configure.in
+++ configure.in
@@ -54,10 +54,11 @@
 ])
 AC_CHECK_LIB(netfilter_queue, nfq_set_verdict, [
 AC_DEFINE(HAVE_NFQUEUE, [], [Enable if you have nfqueue])
 LIBS="$LIBS -lnetfilter_queue"
+ INCLUDES="$INCLUDES -I/usr/include/libnetfilter_queue"
 have_nfqueue='yes'
 ])
 if test "$have_nfqueue" != 'yes'; then
 AC_MSG_FAILURE([nfqueue was not found.])
Index: packetbl.c
==================================================================
--- packetbl.c
+++ packetbl.c
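Review bot: The new `INCLUDES="$INCLUDES -I/usr/include/libnetfilter_queue"` in the AC_CHECK_LIB success branch hard-codes a host path that nothing in configure.in has verified — AC_CHECK_LIB only proved that `nfq_set_verdict` links, so under a cross-compile, a sysroot or a non-/usr prefix the directory is silently missing and the failure surfaces as a compile error instead of a configure-time diagnosis. Whether `INCLUDES` is AC_SUBST'd into the Makefile is outside this hunk, so I cannot confirm the flag reaches the compiler at all. Let the library report its own location, e.g. `PKG_CHECK_MODULES([NFQUEUE], [libnetfilter_queue])` followed by `CPPFLAGS="$CPPFLAGS $NFQUEUE_CFLAGS"`, or at minimum `AC_CHECK_HEADERS([libnetfilter_queue/libnetfilter_queue.h])` and include the header by that installed path so no extra -I is needed. Separately, the autom4te.cache/ and configure hunks in the same commit indicate generated files are tracked; they are regenerated by autoreconf and are better left out of version control so reviewers only have to audit configure.in.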
@@ -14,187 +14,10 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "packetbl.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifdef USE_SOCKSTAT -#include -#include -#include -#endif - -#ifdef HAVE_FIREDNS -#include -#endif - -#ifndef BUFFERSIZE -#define BUFFERSIZE 65536 -#endif -#ifdef USE_CACHE -# ifndef USE_CACHE_DEF_LEN -# define USE_CACHE_DEF_LEN 8192 -# endif -# ifndef USE_CACHE_DEF_TTL -# define USE_CACHE_DEF_TTL 3600 -# endif -#endif - -# define TH_FIN 0x01 -# define TH_SYN 0x02 -# define TH_RST 0x04 -# define TH_PUSH 0x08 -# define TH_ACK 0x10 -# define TH_URG 0x20 - -# include -# define SET_VERDICT nfq_set_verdict -# define PBL_HANDLE nfq_q_handle -# define PBL_SET_MODE nfq_set_mode -# define PBL_COPY_PACKET NFQNL_COPY_PACKET -# define PBL_ID_T u_int32_t -# define PBL_ERRSTR "" - -#define DEBUG(x, y) if (conf.debug >= x) { printf(y "\n"); } -#define INVALID_OCTET(x) x < 0 || x > 255 - -struct packet_info { - - uint8_t b1; - uint8_t b2; - uint8_t b3; - uint8_t b4; - - unsigned int s_port; - unsigned int d_port; - - int flags; -}; - -struct cidr { - - uint32_t ip; - uint32_t network; - uint32_t processed; /* network, but as a bitmask */ - -}; - -struct config_entry { - - char *string; - struct config_entry *next; - struct packet_info ip; - struct cidr cidr; - -}; - -char msgbuf[BUFFERSIZE]; - -struct config { - int allow_non25; - int allow_nonsyn; - int default_accept; - int dryrun; - int log_facility; - int queueno; - int quiet; - int debug; - struct config_entry *blacklistbl; - struct config_entry *whitelistbl; - struct config_entry *blacklist; - struct config_entry *whitelist; -}; - -static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL }; - -struct pbl_stat_info { - uint32_t 
cacheaccept; - uint32_t cachereject; - uint32_t whitelistblhits; - uint32_t blacklistblhits; - uint32_t whitelisthits; - uint32_t blacklisthits; - uint32_t fallthroughhits; - uint32_t totalpackets; -}; -static struct pbl_stat_info statistics = { 0, 0, 0, 0, 0, 0, 0 }; - -#ifdef USE_CACHE -struct packet_cache_t { - uint32_t ipaddr; - time_t expires; - int action; -}; -struct packet_cache_t *packet_cache = NULL; -uint32_t packet_cache_len = USE_CACHE_DEF_LEN; -uint16_t packet_cache_ttl = USE_CACHE_DEF_TTL; -#endif - -struct config_entry *hostlistcache = NULL; - -int get_packet_info(char *payload, struct packet_info *ip); - -int check_packet_list(const struct packet_info *ip, struct config_entry *list); -int check_packet_dnsbl(const struct packet_info *ip, struct config_entry *list); -int parse_cidr(struct config_entry *ce); -/* int validate_blacklist(char *); */ -void parse_config(void); -void parse_arguments(int argc, char **argv); -void pbl_init_sockstat(void); -static void get_ip_string(const struct packet_info *ip); -static void pbl_set_verdict(struct PBL_HANDLE *h, PBL_ID_T id, - unsigned int verdict); - -static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, - struct nfq_data *nfa, void *data); - -typedef struct facility { - char *string; - int num; -} facility; - -static struct facility facenum[] = { - {"auth", LOG_AUTH}, - {"authpriv", LOG_AUTHPRIV}, - {"cron", LOG_CRON}, - {"daemon", LOG_DAEMON}, - {"kern", LOG_KERN}, - {"lpr", LOG_LPR}, - {"mail", LOG_MAIL}, - {"news", LOG_NEWS}, - {"syslog", LOG_SYSLOG}, - {"user", LOG_USER}, - {"uucp", LOG_UUCP}, - {"local0", LOG_LOCAL0}, - {"local1", LOG_LOCAL1}, - {"local2", LOG_LOCAL2}, - {"local3", LOG_LOCAL3}, - {"local4", LOG_LOCAL4}, - {"local5", LOG_LOCAL5}, - {"local6", LOG_LOCAL6}, - {"local7", LOG_LOCAL7}, - NULL -}; /* * SYNOPSIS: * void daemonize(void); * Index: packetbl.h ================================================================== --- packetbl.h +++ packetbl.h 
@@ -1,8 +1,29 @@
 #ifndef LOCAL_PACKETBL_H
 # define LOCAL_PACKETBL_H
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
 # ifdef HAVE_CONFIG_H
 # include "config.h"
 # endif
 # ifdef USE_SOCKSTAT
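Review bot: `config.h` is pulled in after the twenty unconditional `#include` lines added at the top of packetbl.h, but the `# ifdef HAVE_CONFIG_H` / `# include "config.h"` block it sits behind is what defines the configure-time macros, and any feature-test macro config.h carries has no effect on a system header that was already included above it. The header names are not preserved in this rendering, so I cannot say which of the twenty are affected; the `#ifdef USE_SOCKSTAT` and `#ifdef HAVE_FIREDNS` includes further down this file already depend on config.h preceding them, and the same ordering should hold for the unconditional ones. Move the three-line `# ifdef HAVE_CONFIG_H` block to directly under `# define LOCAL_PACKETBL_H`, before the first system include.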
@@ -9,6 +30,164 @@ # ifndef SOCKSTAT_PATH # define SOCKSTAT_PATH "/tmp/.packetbl.sock" # endif # endif + +#ifdef USE_SOCKSTAT +#include +#include +#include +#endif + +#ifdef HAVE_FIREDNS +#include +#endif + +#ifndef BUFFERSIZE +#define BUFFERSIZE 65536 +#endif +#ifdef USE_CACHE +# ifndef USE_CACHE_DEF_LEN +# define USE_CACHE_DEF_LEN 8192 +# endif +# ifndef USE_CACHE_DEF_TTL +# define USE_CACHE_DEF_TTL 3600 +# endif +#endif + +# define TH_FIN 0x01 +# define TH_SYN 0x02 +# define TH_RST 0x04 +# define TH_PUSH 0x08 +# define TH_ACK 0x10 +# define TH_URG 0x20 + +# define SET_VERDICT nfq_set_verdict +# define PBL_HANDLE nfq_q_handle +# define PBL_SET_MODE nfq_set_mode +# define PBL_COPY_PACKET NFQNL_COPY_PACKET +# define PBL_ID_T u_int32_t +# define PBL_ERRSTR "" + +#define DEBUG(x, y) if (conf.debug >= x) { printf(y "\n"); } +#define INVALID_OCTET(x) x < 0 || x > 255 + +struct packet_info { + + uint8_t b1; + uint8_t b2; + uint8_t b3; + uint8_t b4; + + unsigned int s_port; + unsigned int d_port; + + int flags; +}; + +struct cidr { + + uint32_t ip; + uint32_t network; + uint32_t processed; /* network, but as a bitmask */ + +}; + +struct config_entry { + + char *string; + struct config_entry *next; + struct packet_info ip; + struct cidr cidr; + +}; + +char msgbuf[BUFFERSIZE]; + +struct config { + int allow_non25; + int allow_nonsyn; + int default_accept; + int dryrun; + int log_facility; + int queueno; + int quiet; + int debug; + struct config_entry *blacklistbl; + struct config_entry *whitelistbl; + struct config_entry *blacklist; + struct config_entry *whitelist; +}; + +static struct config conf = { 0, 0, 1, 0, LOG_DAEMON, 1, 0, 0, NULL, NULL, NULL, NULL }; + +struct pbl_stat_info { + uint32_t cacheaccept; + uint32_t cachereject; + uint32_t whitelistblhits; + uint32_t blacklistblhits; + uint32_t whitelisthits; + uint32_t blacklisthits; + uint32_t fallthroughhits; + uint32_t totalpackets; +}; +static struct pbl_stat_info statistics = { 0, 0, 0, 0, 0, 0, 0 }; + +#ifdef 
USE_CACHE +struct packet_cache_t { + uint32_t ipaddr; + time_t expires; + int action; +}; +struct packet_cache_t *packet_cache = NULL; +uint32_t packet_cache_len = USE_CACHE_DEF_LEN; +uint16_t packet_cache_ttl = USE_CACHE_DEF_TTL; +#endif + +struct config_entry *hostlistcache = NULL; + +int get_packet_info(char *payload, struct packet_info *ip); + +int check_packet_list(const struct packet_info *ip, struct config_entry *list); +int check_packet_dnsbl(const struct packet_info *ip, struct config_entry *list); +int parse_cidr(struct config_entry *ce); +/* int validate_blacklist(char *); */ +void parse_config(void); +void parse_arguments(int argc, char **argv); +void pbl_init_sockstat(void); +static void get_ip_string(const struct packet_info *ip); +static void pbl_set_verdict(struct PBL_HANDLE *h, PBL_ID_T id, + unsigned int verdict); + +static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, + struct nfq_data *nfa, void *data); + +typedef struct facility { + char *string; + int num; +} facility; + +static struct facility facenum[] = { + {"auth", LOG_AUTH}, + {"authpriv", LOG_AUTHPRIV}, + {"cron", LOG_CRON}, + {"daemon", LOG_DAEMON}, + {"kern", LOG_KERN}, + {"lpr", LOG_LPR}, + {"mail", LOG_MAIL}, + {"news", LOG_NEWS}, + {"syslog", LOG_SYSLOG}, + {"user", LOG_USER}, + {"uucp", LOG_UUCP}, + {"local0", LOG_LOCAL0}, + {"local1", LOG_LOCAL1}, + {"local2", LOG_LOCAL2}, + {"local3", LOG_LOCAL3}, + {"local4", LOG_LOCAL4}, + {"local5", LOG_LOCAL5}, + {"local6", LOG_LOCAL6}, + {"local7", LOG_LOCAL7}, + NULL +}; + #endif Index: packetbl_getstat.c ================================================================== --- packetbl_getstat.c +++ packetbl_getstat.c @@ -1,6 +1,6 @@ -#include "packetbl.h" +#include "packetbl_getstat.h" #include #include #include #include #include ADDED packetbl_getstat.h Index: packetbl_getstat.h ================================================================== --- /dev/null +++ packetbl_getstat.h 
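Review bot: packetbl.h now defines objects with storage rather than declaring them — `char msgbuf[BUFFERSIZE];`, `struct packet_cache_t *packet_cache = NULL;`, `uint32_t packet_cache_len = USE_CACHE_DEF_LEN;`, `struct config_entry *hostlistcache = NULL;` — so a second translation unit including it fails to link on duplicate symbols, while the `static` objects `conf`, `statistics` and `facenum[]` and the `static` prototypes for `get_ip_string`, `pbl_set_verdict` and `pbl_callback` give every includer a private copy, meaning counters bumped in packetbl.c are invisible to a file that reads `statistics` through this header. The commit sidesteps that only by pointing packetbl_getstat.c at a separate header, which leaves packetbl.h usable by exactly one file. Keep the definitions in packetbl.c and have the header carry `extern` declarations as sketched below; the static prototypes belong in the .c file. While it is here, `#define INVALID_OCTET(x) x < 0 || x > 255` expands unparenthesised and misbinds when combined with `&&`, so `#define INVALID_OCTET(x) ((x) < 0 || (x) > 255)`.
```c
/* … unchanged: includes, TH_ and PBL_ macros, struct packet_info, cidr, config_entry, config, pbl_stat_info … */
extern char msgbuf[BUFFERSIZE];
extern struct config conf;
extern struct pbl_stat_info statistics;
#ifdef USE_CACHE
/* … unchanged: struct packet_cache_t definition … */
extern struct packet_cache_t *packet_cache;
extern uint32_t packet_cache_len;
extern uint16_t packet_cache_ttl;
#endif
extern struct config_entry *hostlistcache;
/* … unchanged: non-static function prototypes, facility typedef … */
extern struct facility facenum[];
```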
@@ -0,0 +1,12 @@
+#ifndef PACKETBL_GETSTAT_H
+#define PACKETBL_GETSTAT_H
+# ifdef HAVE_CONFIG_H
+# include "config.h"
+# endif
+
+# ifdef USE_SOCKSTAT
+# ifndef SOCKSTAT_PATH
+# define SOCKSTAT_PATH "/tmp/.packetbl.sock"
+# endif
+# endif
+#endif
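Review bot: The default `# define SOCKSTAT_PATH "/tmp/.packetbl.sock"` is now spelled out in two headers, here and in packetbl.h (visible as context in that file's second hunk), with nothing tying them together, so the daemon and the stats client can drift to different paths after an edit to either. A fixed path in world-writable /tmp is also squattable by any local user: whichever side creates the socket can be denied with a pre-placed file, and the other side may end up talking to a socket it does not own — which side binds is not visible here, so treat that as an assumption to confirm. Make this header the single owner of the default and have packetbl.h include it, and consider a daemon-owned runtime directory for the default, e.g. `# define SOCKSTAT_PATH "/var/run/packetbl/stats.sock"`.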