-rw-r--r--usr.sbin/ppp/ppp/ip.c75
-rw-r--r--usr.sbin/ppp/ppp/log.c3
-rw-r--r--usr.sbin/ppp/ppp/log.h35
-rw-r--r--usr.sbin/ppp/ppp/ppp.84
4 files changed, 85 insertions, 32 deletions
diff --git a/usr.sbin/ppp/ppp/ip.c b/usr.sbin/ppp/ppp/ip.c
index 30efdce85fe..733ecaa899e 100644
--- a/usr.sbin/ppp/ppp/ip.c
+++ b/usr.sbin/ppp/ppp/ip.c
@@ -17,7 +17,7 @@
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $OpenBSD: ip.c,v 1.25 2000/07/11 22:13:03 brian Exp $
+ * $OpenBSD: ip.c,v 1.26 2000/08/28 23:25:28 brian Exp $
*
* TODO:
* o Return ICMP message for filterd packet
@@ -169,7 +169,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
int didname; /* true if filter header printed */
int match; /* true if condition matched */
const struct filterent *fp = filter->rule;
- char dbuff[100];
+ char dbuff[100], dstip[16];
if (fp->f_action == A_NONE)
return 0; /* No rule is given. Permit this packet */
@@ -184,10 +184,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
*/
len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
if (len > 0) { /* Not first fragment within datagram */
- if (len < (24 >> 3)) /* don't allow fragment to over-write header */
+ if (len < (24 >> 3)) { /* don't allow fragment to over-write header */
+ log_Printf(LogFILTER, " error: illegal header\n");
return 1;
+ }
/* permit fragments on in and out filter */
- return !filter->fragok;
+ if (!filter->fragok) {
+ log_Printf(LogFILTER, " error: illegal fragmentation\n");
+ return 1;
+ } else
+ return 0;
}
cproto = gotinfo = estab = syn = finrst = didname = 0;
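Review bot: The `else` following the new `return 1;` under `if (!filter->fragok)` is dead syntax, since the if-branch never falls through; `if (!filter->fragok) { log_Printf(LogFILTER, " error: illegal fragmentation\n"); return 1; } return 0;` says the same thing as the four-line if/else that replaces `return !filter->fragok;` without the dangling else. Both rejections logged in this hunk (and the per-protocol length rejections further down) emit only a fixed string, so unlike the rule verdicts later in FilterCheck they carry no source or destination address; if that is deliberate, a comment such as `/* rejected before any rule is consulted; no src/dst logged */` would save the next reader a question. FilterCheck starts outside the hunk.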
@@ -221,8 +227,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
switch (pip->ip_p) {
case IPPROTO_ICMP:
cproto = P_ICMP;
- if (datalen < 8) /* ICMP must be at least 8 octets */
+ if (datalen < 8) { /* ICMP must be at least 8 octets */
+ log_Printf(LogFILTER, " error: ICMP must be at least 8 octets\n");
return 1;
+ }
+
ih = (const struct icmp *) ptop;
sport = ih->icmp_type;
estab = syn = finrst = -1;
@@ -231,16 +240,20 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
break;
case IPPROTO_IGMP:
cproto = P_IGMP;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
#ifdef IPPROTO_GRE
case IPPROTO_GRE:
cproto = P_GRE;
- if (datalen < 2) /* GRE uses 2-octet+ messages */
+ if (datalen < 2) { /* GRE uses 2-octet+ messages */
+ log_Printf(LogFILTER, " error: GRE must be at least 2 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
@@ -248,8 +261,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
#ifdef IPPROTO_OSPFIGP
case IPPROTO_OSPFIGP:
cproto = P_OSPF;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
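Review bot: The new log line in the IPPROTO_OSPFIGP case says `IGMP must be at least 8 octets`, copied from the IGMP case above, so an OSPF packet rejected here is reported as IGMP; change it to `log_Printf(LogFILTER, " error: OSPF must be at least 8 octets\n");` and fix the comment on the same `if` to `/* OSPF: require at least 8 octets */`. FilterCheck's switch continues outside the hunk on both sides.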
@@ -257,8 +272,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
case IPPROTO_UDP:
case IPPROTO_IPIP:
cproto = P_UDP;
- if (datalen < 8) /* UDP header is 8 octets */
+ if (datalen < 8) { /* UDP header is 8 octets */
+ log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n");
return 1;
+ }
+
uh = (const struct udphdr *) ptop;
sport = ntohs(uh->uh_sport);
dport = ntohs(uh->uh_dport);
@@ -274,8 +292,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
* ensures that the TCP header length isn't de-referenced if
* the datagram is too short
*/
- if (datalen < 20 || datalen < (th->th_off << 2))
+ if (datalen < 20 || datalen < (th->th_off << 2)) {
+ log_Printf(LogFILTER, " error: TCP header incorrect\n");
return 1;
+ }
sport = ntohs(th->th_sport);
dport = ntohs(th->th_dport);
estab = (th->th_flags & TH_ACK);
@@ -291,6 +311,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
}
break;
default:
+ log_Printf(LogFILTER, " error: unknown protocol\n");
return 1; /* We'll block unknown type of packet */
}
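Review bot: The `default:` message `" error: unknown protocol\n"` drops the one value that would explain the denial; `log_Printf(LogFILTER, " error: unknown protocol %d\n", pip->ip_p);` costs nothing and tells the operator which IP protocol number was blocked. FilterCheck continues on both sides of the hunk.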
@@ -350,18 +371,46 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
/* Take specified action */
if (fp->f_action < A_NONE)
fp = &filter->rule[n = fp->f_action];
- else
+ else {
if (fp->f_action == A_PERMIT) {
if (psecs != NULL)
*psecs = fp->timeout;
+ if (strcmp(filter->name, "DIAL") == 0) {
+ /* If dial filter then even print out accept packets */
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER, "%sbound rule = %d accept %s "
+ "src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ }
return 0;
- } else
- return 1;
+ } else {
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = %d deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ return 1;
+ } /* Explict math. Deny this packet */
+ }
} else {
n++;
fp++;
}
}
+
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = implicit deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+
return 1; /* No rule is mached. Deny this packet */
}
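Review bot: The address-formatting block — snprintf of `inet_ntoa(pip->ip_dst)` into `dstip`, then log_Printf with `inet_ntoa(pip->ip_src)` — is now written out three times (the DIAL accept, the explicit deny, and the implicit deny after the loop), differing only in the verdict word and whether a rule number is printed; a small static helper taking the verdict and the rule index (negative for the implicit case) keeps the static-buffer handling for inet_ntoa in one place, as sketched below with sport/dport assumed to be the ints the `%d` conversions suggest. The comment on the deny branch reads `/* Explict math. Deny this packet */` and should be `/* Explicit match.  Deny this packet */`. Since every denied packet now produces one line while LogFILTER is kept, log volume tracks the rate of rejected traffic; that is expected for an opt-in level, but the helper's comment is the natural place to say so. FilterCheck starts outside the hunk.
```c
/*
 * Report a filter verdict at LogFILTER.  inet_ntoa() hands back a static
 * buffer, so the destination is copied out before the source is formatted.
 * n < 0 means no explicit rule matched.  One line per packet: volume
 * follows the rate of rejected traffic while LogFILTER is kept.
 */
static void
filter_LogVerdict(const struct filter *filter, int n, const char *verdict,
                  int cproto, const struct ip *pip, int sport, int dport)
{
  char dstip[16];

  if (!log_IsKept(LogFILTER))
    return;
  snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
  if (n >= 0)
    log_Printf(LogFILTER, "%sbound rule = %d %s %s src = %s/%d dst = %s/%d\n",
               filter->name, n, verdict, filter_Proto2Nam(cproto),
               inet_ntoa(pip->ip_src), sport, dstip, dport);
  else
    log_Printf(LogFILTER,
               "%sbound rule = implicit %s %s src = %s/%d dst = %s/%d\n",
               filter->name, verdict, filter_Proto2Nam(cproto),
               inet_ntoa(pip->ip_src), sport, dstip, dport);
}

/* … in FilterCheck, replacing the three inline blocks … */
        if (strcmp(filter->name, "DIAL") == 0)
          filter_LogVerdict(filter, n, "accept", cproto, pip, sport, dport);
        return 0;
      } else {
        filter_LogVerdict(filter, n, "deny", cproto, pip, sport, dport);
        return 1;                       /* Explicit match.  Deny this packet */
      }
  /* … unchanged: advance to the next rule, end of loop … */
  filter_LogVerdict(filter, -1, "deny", cproto, pip, sport, dport);
  return 1;                             /* No rule is matched. Deny this packet */
```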
diff --git a/usr.sbin/ppp/ppp/log.c b/usr.sbin/ppp/ppp/log.c
index 8a29468ace3..6b3c75e9669 100644
--- a/usr.sbin/ppp/ppp/log.c
+++ b/usr.sbin/ppp/ppp/log.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: log.c,v 1.10 2000/02/27 01:38:27 brian Exp $
+ * $OpenBSD: log.c,v 1.11 2000/08/28 23:25:28 brian Exp $
*/
#include <sys/types.h>
@@ -51,6 +51,7 @@ static const char * const LogNames[] = {
"Connect",
"Debug",
"DNS",
+ "Filter", /* Log discarded packets */
"HDLC",
"ID0",
"IPCP",
diff --git a/usr.sbin/ppp/ppp/log.h b/usr.sbin/ppp/ppp/log.h
index 06301321b7c..0a6b8a75a8b 100644
--- a/usr.sbin/ppp/ppp/log.h
+++ b/usr.sbin/ppp/ppp/log.h
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: log.h,v 1.6 2000/02/27 01:38:27 brian Exp $
+ * $OpenBSD: log.h,v 1.7 2000/08/28 23:25:28 brian Exp $
*/
#define LogMIN (1)
@@ -35,23 +35,24 @@
#define LogCONNECT (6)
#define LogDEBUG (7) /* syslog(LOG_DEBUG, ....) */
#define LogDNS (8)
-#define LogHDLC (9)
-#define LogID0 (10)
-#define LogIPCP (11)
-#define LogLCP (12)
-#define LogLQM (13)
-#define LogPHASE (14)
-#define LogPHYSICAL (15) /* syslog(LOG_INFO, ....) */
-#define LogSYNC (16) /* syslog(LOG_INFO, ....) */
-#define LogTCPIP (17)
-#define LogTIMER (18) /* syslog(LOG_DEBUG, ....) */
-#define LogTUN (19) /* If set, tun%d is output with each message */
-#define LogWARN (20) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
-#define LogERROR (21) /* syslog(LOG_ERR, ....), + sent to VarTerm */
-#define LogALERT (22) /* syslog(LOG_ALERT, ....) */
+#define LogFILTER (9)
+#define LogHDLC (10)
+#define LogID0 (11)
+#define LogIPCP (12)
+#define LogLCP (13)
+#define LogLQM (14)
+#define LogPHASE (15)
+#define LogPHYSICAL (16) /* syslog(LOG_INFO, ....) */
+#define LogSYNC (17) /* syslog(LOG_INFO, ....) */
+#define LogTCPIP (18)
+#define LogTIMER (19) /* syslog(LOG_DEBUG, ....) */
+#define LogTUN (20) /* If set, tun%d is output with each message */
+#define LogWARN (21) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
+#define LogERROR (22) /* syslog(LOG_ERR, ....), + sent to VarTerm */
+#define LogALERT (23) /* syslog(LOG_ALERT, ....) */
-#define LogMAXCONF (19)
-#define LogMAX (22)
+#define LogMAXCONF (20)
+#define LogMAX (24)
struct mbuf;
struct cmdargs;
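Review bot: LogMAX moves from 22 to 24 while the highest level, LogALERT, moves from 22 to 23; before this change LogMAX equalled LogALERT, afterwards it exceeds it by one, so either `#define LogMAX (23)` is intended or the old value was already off and the bump is hiding it. Every consumer of LogMAX (presumably loops over LogNames in log.c and any mask sizing) should be checked against the new numbering, since LogNames gains exactly one entry in the log.c hunk. The numbering here appears to be positional with the LogNames table in log.c — "Filter" is inserted between "DNS" and "HDLC" just as LogFILTER sits between LogDNS and LogHDLC — so a one-line comment such as `/* must match LogNames[] order in log.c */` would make that coupling visible at the point where it is most likely to break.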
diff --git a/usr.sbin/ppp/ppp/ppp.8 b/usr.sbin/ppp/ppp/ppp.8
index 14c32e6b632..f5f7289c073 100644
--- a/usr.sbin/ppp/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp/ppp.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ppp.8,v 1.93 2000/08/15 10:26:37 brian Exp $
+.\" $OpenBSD: ppp.8,v 1.94 2000/08/28 23:25:28 brian Exp $
.Dd 20 September 1995
.nr XX \w'\fC00'
.Dt PPP 8
@@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
Log debug information.
.It Li DNS
Log DNS QUERY packets.
+.It Li Filter
+Log packets permitted by the dial filter and denied by any filter.
.It Li HDLC
Dump HDLC packet in hex.
.It Li ID0