Add LogFILTER logging to log packets allowed by the dial filter and
dropped by any filter. Submitted by: Mark Hannon <markhannon@one.net.au> with some small tweaks by me.
parent
08945429b9
commit
06a43ce058
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=65181
@ -169,7 +169,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
int didname; /* true if filter header printed */
|
||||
int match; /* true if condition matched */
|
||||
const struct filterent *fp = filter->rule;
|
||||
char dbuff[100];
|
||||
char dbuff[100], dstip[16];
|
||||
|
||||
if (fp->f_action == A_NONE)
|
||||
return 0; /* No rule is given. Permit this packet */
|
||||
@ -184,10 +184,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
*/
|
||||
len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
|
||||
if (len > 0) { /* Not first fragment within datagram */
|
||||
if (len < (24 >> 3)) /* don't allow fragment to over-write header */
|
||||
if (len < (24 >> 3)) { /* don't allow fragment to over-write header */
|
||||
log_Printf(LogFILTER, " error: illegal header\n");
|
||||
return 1;
|
||||
}
|
||||
/* permit fragments on in and out filter */
|
||||
return !filter->fragok;
|
||||
if (!filter->fragok) {
|
||||
log_Printf(LogFILTER, " error: illegal fragmentation\n");
|
||||
return 1;
|
||||
} else
|
||||
return 0;
|
||||
}
|
||||
|
||||
cproto = gotinfo = estab = syn = finrst = didname = 0;
|
||||
@ -221,8 +227,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
switch (pip->ip_p) {
|
||||
case IPPROTO_ICMP:
|
||||
cproto = P_ICMP;
|
||||
if (datalen < 8) /* ICMP must be at least 8 octets */
|
||||
if (datalen < 8) { /* ICMP must be at least 8 octets */
|
||||
log_Printf(LogFILTER, " error: ICMP must be at least 8 octets\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
ih = (const struct icmp *) ptop;
|
||||
sport = ih->icmp_type;
|
||||
estab = syn = finrst = -1;
|
||||
@ -231,16 +240,20 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
break;
|
||||
case IPPROTO_IGMP:
|
||||
cproto = P_IGMP;
|
||||
if (datalen < 8) /* IGMP uses 8-octet messages */
|
||||
if (datalen < 8) { /* IGMP uses 8-octet messages */
|
||||
log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
|
||||
return 1;
|
||||
}
|
||||
estab = syn = finrst = -1;
|
||||
sport = ntohs(0);
|
||||
break;
|
||||
#ifdef IPPROTO_GRE
|
||||
case IPPROTO_GRE:
|
||||
cproto = P_GRE;
|
||||
if (datalen < 2) /* GRE uses 2-octet+ messages */
|
||||
if (datalen < 2) { /* GRE uses 2-octet+ messages */
|
||||
log_Printf(LogFILTER, " error: GRE must be at least 2 octets\n");
|
||||
return 1;
|
||||
}
|
||||
estab = syn = finrst = -1;
|
||||
sport = ntohs(0);
|
||||
break;
|
||||
@ -248,8 +261,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
#ifdef IPPROTO_OSPFIGP
|
||||
case IPPROTO_OSPFIGP:
|
||||
cproto = P_OSPF;
|
||||
if (datalen < 8) /* IGMP uses 8-octet messages */
|
||||
if (datalen < 8) { /* IGMP uses 8-octet messages */
|
||||
log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
|
||||
return 1;
|
||||
}
|
||||
estab = syn = finrst = -1;
|
||||
sport = ntohs(0);
|
||||
break;
|
||||
@ -257,8 +272,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
case IPPROTO_UDP:
|
||||
case IPPROTO_IPIP:
|
||||
cproto = P_UDP;
|
||||
if (datalen < 8) /* UDP header is 8 octets */
|
||||
if (datalen < 8) { /* UDP header is 8 octets */
|
||||
log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
uh = (const struct udphdr *) ptop;
|
||||
sport = ntohs(uh->uh_sport);
|
||||
dport = ntohs(uh->uh_dport);
|
||||
@ -274,8 +292,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
* ensures that the TCP header length isn't de-referenced if
|
||||
* the datagram is too short
|
||||
*/
|
||||
if (datalen < 20 || datalen < (th->th_off << 2))
|
||||
if (datalen < 20 || datalen < (th->th_off << 2)) {
|
||||
log_Printf(LogFILTER, " error: TCP header incorrect\n");
|
||||
return 1;
|
||||
}
|
||||
sport = ntohs(th->th_sport);
|
||||
dport = ntohs(th->th_dport);
|
||||
estab = (th->th_flags & TH_ACK);
|
||||
@ -291,6 +311,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
}
|
||||
break;
|
||||
default:
|
||||
log_Printf(LogFILTER, " error: unknown protocol\n");
|
||||
return 1; /* We'll block unknown type of packet */
|
||||
}
|
||||
|
||||
@ -350,18 +371,46 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
|
||||
/* Take specified action */
|
||||
if (fp->f_action < A_NONE)
|
||||
fp = &filter->rule[n = fp->f_action];
|
||||
else
|
||||
else {
|
||||
if (fp->f_action == A_PERMIT) {
|
||||
if (psecs != NULL)
|
||||
*psecs = fp->timeout;
|
||||
if (strcmp(filter->name, "DIAL") == 0) {
|
||||
/* If dial filter then even print out accept packets */
|
||||
if (log_IsKept(LogFILTER)) {
|
||||
snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
|
||||
log_Printf(LogFILTER, "%sbound rule = %d accept %s "
|
||||
"src = %s/%d dst = %s/%d\n",
|
||||
filter->name, n, filter_Proto2Nam(cproto),
|
||||
inet_ntoa(pip->ip_src), sport, dstip, dport);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
} else
|
||||
return 1;
|
||||
} else {
|
||||
if (log_IsKept(LogFILTER)) {
|
||||
snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
|
||||
log_Printf(LogFILTER,
|
||||
"%sbound rule = %d deny %s src = %s/%d dst = %s/%d\n",
|
||||
filter->name, n, filter_Proto2Nam(cproto),
|
||||
inet_ntoa(pip->ip_src), sport, dstip, dport);
|
||||
}
|
||||
return 1;
|
||||
} /* Explict math. Deny this packet */
|
||||
}
|
||||
} else {
|
||||
n++;
|
||||
fp++;
|
||||
}
|
||||
}
|
||||
|
||||
if (log_IsKept(LogFILTER)) {
|
||||
snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
|
||||
log_Printf(LogFILTER,
|
||||
"%sbound rule = implicit deny %s src = %s/%d dst = %s/%d\n",
|
||||
filter->name, filter_Proto2Nam(cproto),
|
||||
inet_ntoa(pip->ip_src), sport, dstip, dport);
|
||||
}
|
||||
|
||||
return 1; /* No rule is mached. Deny this packet */
|
||||
}
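Review bot: The new OSPF length check logs the wrong protocol name: under `case IPPROTO_OSPFIGP:` the added message reads `" error: IGMP must be at least 8 octets\n"`, copied from the IGMP case above it, so an operator reading LogFILTER output would attribute an OSPF drop to IGMP; it should be `log_Printf(LogFILTER, " error: OSPF must be at least 8 octets\n");` (the pre-existing comment on that line carries the same slip). The accept, deny and implicit-deny blocks at the end repeat the same `snprintf(dstip, …)` plus `log_Printf(LogFILTER, …)` sequence with only the verdict text and rule number differing; a small `static` helper taking the verdict string and rule number would keep the three format strings in one place. Whichever form is kept, the `dstip` copy deserves a why-comment such as `/* inet_ntoa() returns a static buffer; copy dst before formatting src */`, since without it a later edit may fold both calls into one log_Printf and print the same address twice. Note also that the deny paths log every rejected packet while LogFILTER is kept, with no rate limiting visible here, which is worth stating in the man-page entry so operators enable the level deliberately. FilterCheck's opening, including the declarations of sport and dport, lies outside these hunks.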
|
||||
|
||||
|
@ -51,6 +51,7 @@ static const char * const LogNames[] = {
|
||||
"Connect",
|
||||
"Debug",
|
||||
"DNS",
|
||||
"Filter", /* Log discarded packets */
|
||||
"HDLC",
|
||||
"ID0",
|
||||
"IPCP",
|
||||
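Review bot: The comment on the new `"Filter"` entry describes only half of what the level now emits: FilterCheck also logs packets the dial filter accepts, as the commit title and the man-page hunk state, so `/* Log discarded packets */` will mislead anyone reading this table; suggest `"Filter", /* Log denied packets, plus packets accepted by the dial filter */`. The table appears to be indexed by the LogXXX constants in log.h (its order DNS, Filter, HDLC matches LogDNS (8), LogFILTER (9), LogHDLC (10)), so a brief comment on the array noting that the two must stay aligned would help the next insertion. LogNames[] starts and ends outside this hunk.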
|
@ -35,23 +35,24 @@
|
||||
#define LogCONNECT (6)
|
||||
#define LogDEBUG (7) /* syslog(LOG_DEBUG, ....) */
|
||||
#define LogDNS (8)
|
||||
#define LogHDLC (9)
|
||||
#define LogID0 (10)
|
||||
#define LogIPCP (11)
|
||||
#define LogLCP (12)
|
||||
#define LogLQM (13)
|
||||
#define LogPHASE (14)
|
||||
#define LogPHYSICAL (15) /* syslog(LOG_INFO, ....) */
|
||||
#define LogSYNC (16) /* syslog(LOG_INFO, ....) */
|
||||
#define LogTCPIP (17)
|
||||
#define LogTIMER (18) /* syslog(LOG_DEBUG, ....) */
|
||||
#define LogTUN (19) /* If set, tun%d is output with each message */
|
||||
#define LogWARN (20) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
|
||||
#define LogERROR (21) /* syslog(LOG_ERR, ....), + sent to VarTerm */
|
||||
#define LogALERT (22) /* syslog(LOG_ALERT, ....) */
|
||||
#define LogFILTER (9)
|
||||
#define LogHDLC (10)
|
||||
#define LogID0 (11)
|
||||
#define LogIPCP (12)
|
||||
#define LogLCP (13)
|
||||
#define LogLQM (14)
|
||||
#define LogPHASE (15)
|
||||
#define LogPHYSICAL (16) /* syslog(LOG_INFO, ....) */
|
||||
#define LogSYNC (17) /* syslog(LOG_INFO, ....) */
|
||||
#define LogTCPIP (18)
|
||||
#define LogTIMER (19) /* syslog(LOG_DEBUG, ....) */
|
||||
#define LogTUN (20) /* If set, tun%d is output with each message */
|
||||
#define LogWARN (21) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
|
||||
#define LogERROR (22) /* syslog(LOG_ERR, ....), + sent to VarTerm */
|
||||
#define LogALERT (23) /* syslog(LOG_ALERT, ....) */
|
||||
|
||||
#define LogMAXCONF (19)
|
||||
#define LogMAX (22)
|
||||
#define LogMAXCONF (20)
|
||||
#define LogMAX (24)
|
||||
|
||||
struct mbuf;
|
||||
struct cmdargs;
|
||||
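Review bot: `#define LogMAX (24)` no longer equals the highest level: on the old side LogMAX (22) matched LogALERT (22), but the renumbered block ends at LogALERT (23) while LogMAX jumps to 24. If LogMAX is used as the upper bound when walking LogNames[] or validating a level number (its users are not on this page), the extra slot indexes one past the last name, i.e. a read past the end of that table; it should be `#define LogMAX (23)` to keep LogMAX == LogALERT. LogMAXCONF (20) does track LogTUN (20) as the old pairing did. A one-line comment on the two defines, e.g. `/* LogMAX must equal the highest LogXXX value above */`, would make the invariant visible to the next person inserting a level.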
|
@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
|
||||
Log debug information.
|
||||
.It Li DNS
|
||||
Log DNS QUERY packets.
|
||||
.It Li Filter
|
||||
Log packets permitted by the dial filter and denied by any filter.
|
||||
.It Li HDLC
|
||||
Dump HDLC packet in hex.
|
||||
.It Li ID0
|
||||
|
@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
|
||||
Log debug information.
|
||||
.It Li DNS
|
||||
Log DNS QUERY packets.
|
||||
.It Li Filter
|
||||
Log packets permitted by the dial filter and denied by any filter.
|
||||
.It Li HDLC
|
||||
Dump HDLC packet in hex.
|
||||
.It Li ID0
|
||||
|