author | brian <brian@cvs.openbsd.org> | 2000-08-28 23:25:29 +0000 |
---|---|---|
committer | brian <brian@cvs.openbsd.org> | 2000-08-28 23:25:29 +0000 |
commit | 40e1d5a14d774c8d5f3fa4875a8d5df258019740 (patch) | |
tree | 5fdd4706a32626d3d77f854dc7547def578cbd38 | |
parent | a4a072a4beb970aedee86cc9122d1e197297c0b3 (diff) |
Add LogFILTER logging to log packets allowed by the dial filter and
dropped by any filter.
Submitted by: Mark Hannon <markhannon@one.net.au>
with some small tweaks by me.
-rw-r--r-- | usr.sbin/ppp/ppp/ip.c | 75 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp/log.c | 3 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp/log.h | 35 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp/ppp.8 | 4 |
4 files changed, 85 insertions, 32 deletions
diff --git a/usr.sbin/ppp/ppp/ip.c b/usr.sbin/ppp/ppp/ip.c
index 30efdce85fe..733ecaa899e 100644
--- a/usr.sbin/ppp/ppp/ip.c
+++ b/usr.sbin/ppp/ppp/ip.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $OpenBSD: ip.c,v 1.25 2000/07/11 22:13:03 brian Exp $
+ * $OpenBSD: ip.c,v 1.26 2000/08/28 23:25:28 brian Exp $
 *
 * TODO:
 * o Return ICMP message for filterd packet
@@ -169,7 +169,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 int didname; /* true if filter header printed */
 int match; /* true if condition matched */
 const struct filterent *fp = filter->rule;
- char dbuff[100];
+ char dbuff[100], dstip[16];
 if (fp->f_action == A_NONE)
 return 0; /* No rule is given. Permit this packet */
@@ -184,10 +184,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 */
 len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
 if (len > 0) { /* Not first fragment within datagram */
- if (len < (24 >> 3)) /* don't allow fragment to over-write header */
+ if (len < (24 >> 3)) { /* don't allow fragment to over-write header */
+ log_Printf(LogFILTER, " error: illegal header\n");
 return 1;
+ }
 /* permit fragments on in and out filter */
- return !filter->fragok;
+ if (!filter->fragok) {
+ log_Printf(LogFILTER, " error: illegal fragmentation\n");
+ return 1;
+ } else
+ return 0;
 }
 cproto = gotinfo = estab = syn = finrst = didname = 0;
@@ -221,8 +227,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 switch (pip->ip_p) {
 case IPPROTO_ICMP:
 cproto = P_ICMP;
- if (datalen < 8) /* ICMP must be at least 8 octets */
+ if (datalen < 8) { /* ICMP must be at least 8 octets */
+ log_Printf(LogFILTER, " error: ICMP must be at least 8 octets\n");
 return 1;
+ }
+
 ih = (const struct icmp *) ptop;
 sport = ih->icmp_type;
 estab = syn = finrst = -1;
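Review bot: The new ` error: ...` rejections in the fragment and ICMP branches of the `@@ -184` and `@@ -221` hunks (and likewise the IGMP, GRE, OSPF, UDP, TCP and `default` branches in the following hunks) log nothing that identifies the packet, so a burst of truncated or fragmented datagrams yields indistinguishable lines with no direction, source or destination, unlike the rule-matched lines later in the commit that print `filter->name` and both addresses. The direction is cheap to add and the name is already in scope: `log_Printf(LogFILTER, "%sbound error: illegal header\n", filter->name);`. The leading space in these strings suggests they may be intended as a continuation of an earlier partial line; if so, a comment saying which line they follow would help. The `} else return 0;` after `return 1;` in the fragok check can be flattened to a plain `return 0;`, but that is style only.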
@@ -231,16 +240,20 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 break;
 case IPPROTO_IGMP:
 cproto = P_IGMP;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
 return 1;
+ }
 estab = syn = finrst = -1;
 sport = ntohs(0);
 break;
 #ifdef IPPROTO_GRE
 case IPPROTO_GRE:
 cproto = P_GRE;
- if (datalen < 2) /* GRE uses 2-octet+ messages */
+ if (datalen < 2) { /* GRE uses 2-octet+ messages */
+ log_Printf(LogFILTER, " error: GRE must be at least 2 octets\n");
 return 1;
+ }
 estab = syn = finrst = -1;
 sport = ntohs(0);
 break;
@@ -248,8 +261,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 #ifdef IPPROTO_OSPFIGP
 case IPPROTO_OSPFIGP:
 cproto = P_OSPF;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
 return 1;
+ }
 estab = syn = finrst = -1;
 sport = ntohs(0);
 break;
@@ -257,8 +272,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 case IPPROTO_UDP:
 case IPPROTO_IPIP:
 cproto = P_UDP;
- if (datalen < 8) /* UDP header is 8 octets */
+ if (datalen < 8) { /* UDP header is 8 octets */
+ log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n");
 return 1;
+ }
+
 uh = (const struct udphdr *) ptop;
 sport = ntohs(uh->uh_sport);
 dport = ntohs(uh->uh_dport);
@@ -274,8 +292,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 * ensures that the TCP header length isn't de-referenced if
 * the datagram is too short
 */
- if (datalen < 20 || datalen < (th->th_off << 2))
+ if (datalen < 20 || datalen < (th->th_off << 2)) {
+ log_Printf(LogFILTER, " error: TCP header incorrect\n");
 return 1;
+ }
 sport = ntohs(th->th_sport);
 dport = ntohs(th->th_dport);
 estab = (th->th_flags & TH_ACK);
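Review bot: The OSPF branch in the `@@ -248,8 +261,10 @@` hunk logs ` error: IGMP must be at least 8 octets` for an `IPPROTO_OSPFIGP` packet; the pre-existing comment already carried this copy-paste and the new string now shows it to whoever reads the filter log. Change it to `log_Printf(LogFILTER, " error: OSPF must be at least 8 octets\n");` and fix the comment beside it. In the `@@ -257` hunk the `IPPROTO_IPIP` case shares the UDP branch, so a short IP-in-IP packet is reported as `UDP must be at least 8 octets`; a comment on the `case IPPROTO_IPIP:` line saying that IPIP is deliberately classified as UDP here would keep the message from looking like a second copy-paste. All of these branches sit inside the FilterCheck switch, which begins and ends outside this hunk.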
@@ -291,6 +311,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 }
 break;
 default:
+ log_Printf(LogFILTER, " error: unknown protocol\n");
 return 1; /* We'll block unknown type of packet */
 }
@@ -350,18 +371,46 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
 /* Take specified action */
 if (fp->f_action < A_NONE)
 fp = &filter->rule[n = fp->f_action];
- else
+ else {
 if (fp->f_action == A_PERMIT) {
 if (psecs != NULL)
 *psecs = fp->timeout;
+ if (strcmp(filter->name, "DIAL") == 0) {
+ /* If dial filter then even print out accept packets */
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER, "%sbound rule = %d accept %s "
+ "src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ }
 return 0;
- } else
- return 1;
+ } else {
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = %d deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ return 1;
+ } /* Explict math. Deny this packet */
+ }
 } else {
 n++;
 fp++;
 }
 }
+
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = implicit deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+
 return 1; /* No rule is mached. Deny this packet */
 }
diff --git a/usr.sbin/ppp/ppp/log.c b/usr.sbin/ppp/ppp/log.c
index 8a29468ace3..6b3c75e9669 100644
--- a/usr.sbin/ppp/ppp/log.c
+++ b/usr.sbin/ppp/ppp/log.c
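Review bot: The `snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst))` before each `log_Printf` in the `@@ -350,18 +371,46 @@` hunk exists because `inet_ntoa()` hands back a static buffer, so calling it twice in one argument list would print the same address for both ends; that is correct but non-obvious, and a comment such as `/* inet_ntoa() reuses a static buffer: copy dst before formatting src */` on the first copy would stop a later cleanup from folding it away. The dial-filter test `strcmp(filter->name, "DIAL") == 0` selects the filter by its display name; if `struct filter` carries an identity other than the name, comparing that would be less fragile, but the struct is not visible here. The implicit-deny block added before the final `return 1;` now emits one line per non-matching packet whenever LogFILTER is kept, so enabling it on a busy link means considerable log volume; the ppp.8 entry for `Filter` would be the place to say so. FilterCheck begins before this hunk and its closing brace is the hunk's last line.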
@@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: log.c,v 1.10 2000/02/27 01:38:27 brian Exp $
+ * $OpenBSD: log.c,v 1.11 2000/08/28 23:25:28 brian Exp $
 */
 #include <sys/types.h>
@@ -51,6 +51,7 @@ static const char * const LogNames[] = {
 "Connect",
 "Debug",
 "DNS",
+ "Filter", /* Log discarded packets */
 "HDLC",
 "ID0",
 "IPCP",
diff --git a/usr.sbin/ppp/ppp/log.h b/usr.sbin/ppp/ppp/log.h
index 06301321b7c..0a6b8a75a8b 100644
--- a/usr.sbin/ppp/ppp/log.h
+++ b/usr.sbin/ppp/ppp/log.h
@@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: log.h,v 1.6 2000/02/27 01:38:27 brian Exp $
+ * $OpenBSD: log.h,v 1.7 2000/08/28 23:25:28 brian Exp $
 */
 #define LogMIN (1)
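Review bot: The comment on the new `"Filter"` entry in the `@@ -51,6 +51,7 @@` hunk of log.c reads `Log discarded packets`, but the ip.c part of this commit also logs packets the dial filter accepts, so the comment understates what the level emits; `"Filter", /* packets denied by any filter, or permitted by the dial filter */` would match the ppp.8 wording. The entry's position also appears to be load-bearing: the renumbering in log.h puts LogFILTER at 9 between LogDNS and LogHDLC, and this insertion lands at the same slot, which suggests LogNames is indexed by those values. A one-line comment above the array saying that its order must mirror the Log* constants in log.h would protect the next insertion. The LogNames initializer starts before this hunk.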
@@ -35,23 +35,24 @@
 #define LogCONNECT (6)
 #define LogDEBUG (7) /* syslog(LOG_DEBUG, ....) */
 #define LogDNS (8)
-#define LogHDLC (9)
-#define LogID0 (10)
-#define LogIPCP (11)
-#define LogLCP (12)
-#define LogLQM (13)
-#define LogPHASE (14)
-#define LogPHYSICAL (15) /* syslog(LOG_INFO, ....) */
-#define LogSYNC (16) /* syslog(LOG_INFO, ....) */
-#define LogTCPIP (17)
-#define LogTIMER (18) /* syslog(LOG_DEBUG, ....) */
-#define LogTUN (19) /* If set, tun%d is output with each message */
-#define LogWARN (20) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
-#define LogERROR (21) /* syslog(LOG_ERR, ....), + sent to VarTerm */
-#define LogALERT (22) /* syslog(LOG_ALERT, ....) */
+#define LogFILTER (9)
+#define LogHDLC (10)
+#define LogID0 (11)
+#define LogIPCP (12)
+#define LogLCP (13)
+#define LogLQM (14)
+#define LogPHASE (15)
+#define LogPHYSICAL (16) /* syslog(LOG_INFO, ....) */
+#define LogSYNC (17) /* syslog(LOG_INFO, ....) */
+#define LogTCPIP (18)
+#define LogTIMER (19) /* syslog(LOG_DEBUG, ....) */
+#define LogTUN (20) /* If set, tun%d is output with each message */
+#define LogWARN (21) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
+#define LogERROR (22) /* syslog(LOG_ERR, ....), + sent to VarTerm */
+#define LogALERT (23) /* syslog(LOG_ALERT, ....) */
-#define LogMAXCONF (19)
-#define LogMAX (22)
+#define LogMAXCONF (20)
+#define LogMAX (24)
 struct mbuf;
 struct cmdargs;
diff --git a/usr.sbin/ppp/ppp/ppp.8 b/usr.sbin/ppp/ppp/ppp.8
index 14c32e6b632..f5f7289c073 100644
--- a/usr.sbin/ppp/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp/ppp.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ppp.8,v 1.93 2000/08/15 10:26:37 brian Exp $
+.\" $OpenBSD: ppp.8,v 1.94 2000/08/28 23:25:28 brian Exp $
 .Dd 20 September 1995
 .nr XX \w'\fC00'
 .Dt PPP 8
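Review bot: `LogMAX` becomes `(24)` in the `@@ -35,23 +35,24 @@` hunk while the highest level defined is `LogALERT (23)`; before this change `LogMAX (22)` equalled `LogALERT (22)`, so the new value breaks the invariant that LogMAX names the last level. If any loop or bounds check runs up to LogMAX and indexes the LogNames table in log.c (which gains exactly one entry in this commit), the extra slot reads one past the array; I cannot see those call sites from here, but the value consistent with the rest of the header is `#define LogMAX (23)`. `LogMAXCONF (20)` does keep tracking LogTUN, so only LogMAX looks off. A comment such as `/* LogMAX must equal the highest Log* value above */` next to the define would make the coupling explicit.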
@@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
 Log debug information.
 .It Li DNS
 Log DNS QUERY packets.
+.It Li Filter
+Log packets permitted by the dial filter and denied by any filter.
 .It Li HDLC
 Dump HDLC packet in hex.
 .It Li ID0 |