From 3086ff599e6a3c7d68c34259d20e911e79c7637e Mon Sep 17 00:00:00 2001 From: brian Date: Mon, 28 Aug 2000 23:24:52 +0000 Subject: [PATCH] Add LogFILTER logging to log packets allowed by the dial filter and dropped by any filter. Submitted by: Mark Hannon with some small tweaks by me. --- usr.sbin/ppp/ip.c | 73 ++++++++++++++++++++++++++++++++++++------- usr.sbin/ppp/log.c | 1 + usr.sbin/ppp/log.h | 33 +++++++++---------- usr.sbin/ppp/ppp.8 | 2 ++ usr.sbin/ppp/ppp.8.m4 | 2 ++ 5 files changed, 83 insertions(+), 28 deletions(-) diff --git a/usr.sbin/ppp/ip.c b/usr.sbin/ppp/ip.c index ca87cc9348e4..0a90bac79f73 100644 --- a/usr.sbin/ppp/ip.c +++ b/usr.sbin/ppp/ip.c @@ -169,7 +169,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) int didname; /* true if filter header printed */ int match; /* true if condition matched */ const struct filterent *fp = filter->rule; - char dbuff[100]; + char dbuff[100], dstip[16]; if (fp->f_action == A_NONE) return 0; /* No rule is given. Permit this packet */ @@ -184,10 +184,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) */ len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */ if (len > 0) { /* Not first fragment within datagram */ - if (len < (24 >> 3)) /* don't allow fragment to over-write header */ + if (len < (24 >> 3)) { /* don't allow fragment to over-write header */ + log_Printf(LogFILTER, " error: illegal header\n"); return 1; + } /* permit fragments on in and out filter */ - return !filter->fragok; + if (!filter->fragok) { + log_Printf(LogFILTER, " error: illegal fragmentation\n"); + return 1; + } else + return 0; } cproto = gotinfo = estab = syn = finrst = didname = 0; @@ -221,8 +227,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) switch (pip->ip_p) { case IPPROTO_ICMP: cproto = P_ICMP; - if (datalen < 8) /* ICMP must be at least 8 octets */ + if (datalen < 8) { /* ICMP must be at least 8 octets */ + log_Printf(LogFILTER, " error: ICMP must be at least 8 octets\n"); return 1; + } + ih = (const struct icmp *) ptop; sport = ih->icmp_type; estab = syn = finrst = -1; @@ -231,16 +240,20 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) break; case IPPROTO_IGMP: cproto = P_IGMP; - if (datalen < 8) /* IGMP uses 8-octet messages */ + if (datalen < 8) { /* IGMP uses 8-octet messages */ + log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n"); return 1; + } estab = syn = finrst = -1; sport = ntohs(0); break; #ifdef IPPROTO_GRE case IPPROTO_GRE: cproto = P_GRE; - if (datalen < 2) /* GRE uses 2-octet+ messages */ + if (datalen < 2) { /* GRE uses 2-octet+ messages */ + log_Printf(LogFILTER, " error: GRE must be at least 2 octets\n"); return 1; + } estab = syn = finrst = -1; sport = ntohs(0); break; @@ -248,8 +261,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) #ifdef IPPROTO_OSPFIGP case IPPROTO_OSPFIGP: cproto = P_OSPF; - if (datalen < 8) /* IGMP uses 8-octet messages */ + if (datalen < 8) { /* IGMP uses 8-octet messages */ + log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n"); return 1; + } estab = syn = finrst = -1; sport = ntohs(0); break; @@ -257,8 +272,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) case IPPROTO_UDP: case IPPROTO_IPIP: cproto = P_UDP; - if (datalen < 8) /* UDP header is 8 octets */ + if (datalen < 8) { /* UDP header is 8 octets */ + log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n"); return 1; + } + uh = (const struct udphdr *) ptop; sport = ntohs(uh->uh_sport); dport = ntohs(uh->uh_dport); @@ -274,8 +292,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) * ensures that the TCP header length isn't de-referenced if * the datagram is too short */ - if (datalen < 20 || datalen < (th->th_off << 2)) + if (datalen < 20 || datalen < (th->th_off << 2)) { + log_Printf(LogFILTER, " error: TCP header incorrect\n"); return 1; + } sport = ntohs(th->th_sport); dport = ntohs(th->th_dport); estab = (th->th_flags & TH_ACK); @@ -291,6 +311,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) } break; default: + log_Printf(LogFILTER, " error: unknown protocol\n"); return 1; /* We'll block unknown type of packet */ } @@ -350,18 +371,46 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs) /* Take specified action */ if (fp->f_action < A_NONE) fp = &filter->rule[n = fp->f_action]; - else + else { if (fp->f_action == A_PERMIT) { if (psecs != NULL) *psecs = fp->timeout; + if (strcmp(filter->name, "DIAL") == 0) { + /* If dial filter then even print out accept packets */ + if (log_IsKept(LogFILTER)) { + snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst)); + log_Printf(LogFILTER, "%sbound rule = %d accept %s " + "src = %s/%d dst = %s/%d\n", + filter->name, n, filter_Proto2Nam(cproto), + inet_ntoa(pip->ip_src), sport, dstip, dport); + } + } return 0; - } else - return 1; + } else { + if (log_IsKept(LogFILTER)) { + snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst)); + log_Printf(LogFILTER, + "%sbound rule = %d deny %s src = %s/%d dst = %s/%d\n", + filter->name, n, filter_Proto2Nam(cproto), + inet_ntoa(pip->ip_src), sport, dstip, dport); + } + return 1; + } /* Explict math. Deny this packet */ + } } else { n++; fp++; } } + + if (log_IsKept(LogFILTER)) { + snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst)); + log_Printf(LogFILTER, + "%sbound rule = implicit deny %s src = %s/%d dst = %s/%d\n", + filter->name, filter_Proto2Nam(cproto), + inet_ntoa(pip->ip_src), sport, dstip, dport); + } + return 1; /* No rule is mached. Deny this packet */ } diff --git a/usr.sbin/ppp/log.c b/usr.sbin/ppp/log.c index 97ab8530a2a7..1b32941f367d 100644 --- a/usr.sbin/ppp/log.c +++ b/usr.sbin/ppp/log.c @@ -51,6 +51,7 @@ static const char * const LogNames[] = { "Connect", "Debug", "DNS", + "Filter", /* Log discarded packets */ "HDLC", "ID0", "IPCP", diff --git a/usr.sbin/ppp/log.h b/usr.sbin/ppp/log.h index 35ccbbb1f7e8..5093fc794c92 100644 --- a/usr.sbin/ppp/log.h +++ b/usr.sbin/ppp/log.h @@ -35,23 +35,24 @@ #define LogCONNECT (6) #define LogDEBUG (7) /* syslog(LOG_DEBUG, ....) */ #define LogDNS (8) -#define LogHDLC (9) -#define LogID0 (10) -#define LogIPCP (11) -#define LogLCP (12) -#define LogLQM (13) -#define LogPHASE (14) -#define LogPHYSICAL (15) /* syslog(LOG_INFO, ....) */ -#define LogSYNC (16) /* syslog(LOG_INFO, ....) */ -#define LogTCPIP (17) -#define LogTIMER (18) /* syslog(LOG_DEBUG, ....) */ -#define LogTUN (19) /* If set, tun%d is output with each message */ -#define LogWARN (20) /* Sent to VarTerm else syslog(LOG_WARNING, ) */ -#define LogERROR (21) /* syslog(LOG_ERR, ....), + sent to VarTerm */ -#define LogALERT (22) /* syslog(LOG_ALERT, ....) */ +#define LogFILTER (9) +#define LogHDLC (10) +#define LogID0 (11) +#define LogIPCP (12) +#define LogLCP (13) +#define LogLQM (14) +#define LogPHASE (15) +#define LogPHYSICAL (16) /* syslog(LOG_INFO, ....) */ +#define LogSYNC (17) /* syslog(LOG_INFO, ....) */ +#define LogTCPIP (18) +#define LogTIMER (19) /* syslog(LOG_DEBUG, ....) */ +#define LogTUN (20) /* If set, tun%d is output with each message */ +#define LogWARN (21) /* Sent to VarTerm else syslog(LOG_WARNING, ) */ +#define LogERROR (22) /* syslog(LOG_ERR, ....), + sent to VarTerm */ +#define LogALERT (23) /* syslog(LOG_ALERT, ....) */ -#define LogMAXCONF (19) -#define LogMAX (22) +#define LogMAXCONF (20) +#define LogMAX (24) struct mbuf; struct cmdargs; diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8 index 935f988577d9..78c0e1f31b90 100644 --- a/usr.sbin/ppp/ppp.8 +++ b/usr.sbin/ppp/ppp.8 @@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT". Log debug information. .It Li DNS Log DNS QUERY packets. +.It Li Filter +Log packets permitted by the dial filter and denied by any filter. .It Li HDLC Dump HDLC packet in hex. .It Li ID0 diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4 index 935f988577d9..78c0e1f31b90 100644 --- a/usr.sbin/ppp/ppp.8.m4 +++ b/usr.sbin/ppp/ppp.8.m4 @@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT". Log debug information. .It Li DNS Log DNS QUERY packets. +.It Li Filter +Log packets permitted by the dial filter and denied by any filter. .It Li HDLC Dump HDLC packet in hex. .It Li ID0