Date: Sun, 22 May 2005 20:10:10 GMT
From: Aaron Dalton <acdalton@ucalgary.ca>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/81367: Update Port: mark as BROKEN
Message-ID: <200505222010.j4MKAA5j048940@freefall.freebsd.org>
The following reply was made to PR ports/81367; it has been noted by GNATS.

From: Aaron Dalton <acdalton@ucalgary.ca>
To: Lupe Christoph <lupe@lupe-christoph.de>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: ports/81367: Update Port: mark as BROKEN
Date: Sun, 22 May 2005 14:04:05 -0600

Lupe Christoph wrote:
>
> As I've already invested some time in making the daemon run on FreeBSD, I
> would be willing to take the port. I also had problems getting replies
> from both the original developer, Bruce Ward (one reply), and the
> port maintainer, aaron@daltons.ca (none). Before I take on the port,
> I would rather check back with Bruce to see if doorman is still in
> active development.
>
> Lupe Christoph

Hello, Lupe. This is Aaron Dalton, the current maintainer. I certainly didn't mean to ignore you. I sent replies to Pav (and I thought I sent some to you, but apparently not). I have attached the email I just sent to Bruce, including all of the emails you have sent me in the past.

I wish I could be more help. I'm not a C programmer and that's a disadvantage when a port goes awry. Maybe I'll stick to my perl module ports from now on =)

You are welcome to take over if you wish. Sure appreciate your time and understanding!

Aaron

Content-Type: message/rfc822; name="Attached Message.eml"
Message-ID: <4290D417.4080502@daltons.ca>
Date: Sun, 22 May 2005 12:48:55 -0600
From: Aaron Dalton <aaron@daltons.ca>
To: bward2@users.sourceforge.net
Subject: FreeBSD Doorman Port

Hello again, Bruce. Attached are the emails I have received regarding Doorman and various FreeBSD issues to date. I am submitting them to you for your consideration. Feel free to contact Lupe directly. I am not a C programmer, so I'm not quite sure what else to do with this information. I sent this stuff a while ago and haven't heard back, so for now I'm going to mark the FreeBSD port as broken.

Cheers!
Aaron

Content-Type: message/rfc822; name="Attached Message"
To: FreeBSD-gnats-submit@freebsd.org
Subject: Lexer collision with pcap library
From: Lupe Christoph <lupe@lupe-christoph.de>
Reply-To: Lupe Christoph <lupe@lupe-christoph.de>
Cc: aaron@daltons.ca, bward2@users.sourceforge.net
Message-Id: <20050313123603.6FC75A812@firewally.lupe-christoph.de>
Date: Sun, 13 Mar 2005 13:36:03 +0100 (CET)

>Submitter-Id: current-users
>Originator: Lupe Christoph
>Organization:
>Confidential: no
>Synopsis: Lexer collision with pcap library
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 4.10-RELEASE-p5 i386
>Environment:
System: FreeBSD firewally.lupe-christoph.de 4.10-RELEASE-p5 FreeBSD 4.10-RELEASE-p5 #2: Sat Dec 11 17:38:51 CET 2004 lupe@firewally.lupe-christoph.de:/usr/obj/usr/src/sys/FIREWALLY i386
FreeBSD 4.10-RELEASE-p5
>Description:
doormand fails with the message

emerg: Bad service name "port" on line 17 of guest list phase 3; portnumber or secret 9876

This message is generated in pcap_compile which seems to use doorman's guestfile lexer to scan "udp and port 9876 and dst 172.17.0.7"
>How-To-Repeat:
Install doorman, copy EXAMPLE files to the real files, run "doormand -D"
>Fix:
Hide the doorman lexer. This can be done with the flex "-P" option, but that changes yywrap(), too. Flex allows one to work around this by adding %option noyywrap. Note that e.g. Solaris' lex does not have -P.

In the long run I believe the pcap library should implement this rather than every program using it.
Content-Type: message/rfc822; name="Attached Message"
Date: Sun, 13 Mar 2005 13:45:59 +0100
To: aaron@daltons.ca, bward2@users.sourceforge.net
Subject: Further problems with doorman on FreeBSD
Message-ID: <20050313124559.GO25969@lupe-christoph.de>
From: lupe@lupe-christoph.de (Lupe Christoph)

Hi!

I'm sorry to report that even after solving some problems with doorman on FreeBSD, I did not get it to run. It starts up OK, and I traced it with gdb until pcap_next() is called. There it hangs and does not get the packets I send from another machine on my local net.

I have run tcpdump on the same interface with the same filter expression ("udp and port 9876 and dst 172.17.0.7") and it sees the packet:

13:44:51.012326 172.17.0.9.56416 > 172.17.0.7.9876: udp 53 (DF)

I've never used the pcap library, and everything looks plausible to me.

Please advise,
Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |

Content-Type: message/rfc822; name="Attached Message"
Date: Wed, 16 Mar 2005 15:00:31 +0100
From: Lupe Christoph <lupe@lupe-christoph.de>
To: Bruce Ward <bward@nbnet.nb.ca>
Cc: Aaron Dalton <aaron@daltons.ca>
Subject: Re: Further problems with doorman on FreeBSD
Message-ID: <20050316140031.GF26010@lupe-christoph.de>
References: <20050313124559.GO25969@lupe-christoph.de> <200503152013.47257.bward@nbnet.nb.ca> <20050316065357.GV25969@lupe-christoph.de>
In-Reply-To: <20050316065357.GV25969@lupe-christoph.de>

On Wednesday, 2005-03-16 at 07:53:57 +0100, Lupe Christoph wrote:
> I will send you a fixed doormand.c and my fixed IPFilter scripts later
> today, along with some comments. I still need to write an rc script to
> control doormand.

Attached you will find a patch for doormand.c, IPFilter scripts that insert rules into the standard ruleset and remove from it, and a start script. Please note that it has been written for rcNG, so it needs the sysutils/rc_subr port on FreeBSD 4. On FreeBSD 5, the port is not needed. I think it should only go in the doorman port, not the distribution. Aaron, can you please integrate it?

doorman requires a newer version of libpcap than the one that is in /usr/lib on FreeBSD 4, so I would like to ask Aaron to add a dependency for /usr/local/lib/libpcap.a on FreeBSD 4. This also fixes the problem that the pcap lexer collides with doorman's.

I would like to comment on a couple of my changes to doormand. All of them are ifdef'ed for __FreeBSD__. Most of the changes are genuine portability changes. A few things need explanations, I believe.

1) Please remove all C++-style comment delimiters. A non-gcc compiler will probably complain about them.

2) Please use a regular expression to parse the lsof output, or even better, don't use lsof at all but netstat.

3) I had to change the timeout value from the default 0 which means an indefinite wait on FreeBSD to a non-zero value. This changes the behaviour of doorman to polling. Not very nice. And I'm beginning to think that the value of 1000 (1 second) is too high. 100 is probably better. Changing doorman to use pcap_dispatch() or pcap_loop() would probably be better. I wanted to avoid a large change in the program logic like this.

4) I wanted to use stateful filtering with IPFilter but didn't get it to work with the scripts. It works when I twiddle the rules manually. I may try again to rewrite the scripts to support this, but only if you think this is a good idea. After all this means that doorman does not need to watch the established connection. It can remove the rule just after the connection has been established.

And finally, a question. I did not implement locking in the scripts. The doorman daemon does not seem to do anything concurrently, but what if you have two or more daemons running on different interfaces or ports? Do you think locking should go into doormand or into the scripts?

Thanks for the doorman, it will allow me to make access to a few machines safer or possible at all!

Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |

Content-Disposition: attachment; filename="doormand.patch"
--- Work/doorman-0.8.orig/doormand.c	Thu Jul 29 21:24:02 2004
+++ work/doorman-0.8/doormand.c	Tue Mar 15 17:18:09 2005
@@ -397,7 +397,11 @@ int datalink_header_lengths[] = { // hdr len code data link type // ------- --- --------------------------- +#ifdef __FreeBSD__ + 4, // 0 no link-layer encapsulation +#else 0, // 0 no link-layer encapsulation +#endif 14, // 1 Ethernet (10Mb) -1, // 2 Experimental Ethernet (3Mb) -1, // 3 Amateur Radio AX.25 @@ -557,6 +561,14 @@ // more readable. // +/* +// lsof on FreeBSD produces one more field. +// This should be rewritten to use a regular expression, anyway. +// +// And who said using C++ style comments in C was good for portability?!? +*/ + +#ifdef __FreeBSD__ #define LSOF()\ sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ \ @@ -578,6 +590,7 @@ if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " :")) == NULL) continue ;\ local_ip = inet_addr(p1) ;\ if ((p1 = token (&p2, "-")) == NULL) continue ;\ 
@@ -602,7 +615,53 @@ }\ }\ pclose(f) ; - +#else +#define LSOF()\ +sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ +\ +f = popen (cmd, "r") ;\ +if (f == NULL) {\ + croak (errno, "Can't execute '%s'; exiting.", cmd) ;\ +}\ +\ +fgets(buffer, 254, f) ; /* throw away the first line. */ \ +while (fgets(buffer, 254, f)) {\ + p2 = buffer ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + dname = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + pid = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + uname = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " :")) == NULL) continue ;\ + local_ip = inet_addr(p1) ;\ + if ((p1 = token (&p2, "-")) == NULL) continue ;\ + local_port = atoi(p1) ;\ + if ((p1 = token (&p2, "->:")) == NULL) continue ;\ + aptr = p1 ;\ + remote_ip = inet_addr(p1) ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + pptr = p1 ;\ + remote_port = atoi(p1) ;\ + if ((p1 = token (&p2, " ()")) == NULL) continue ;\ + status = p1 ;\ +\ + if ((saddr == remote_ip) &&\ + (daddr == local_ip) &&\ + (sport == remote_port) &&\ + (dport == local_port) && \ + (strcmp(status, "ESTABLISHED") == 0))\ + {\ + connected = TRUE ;\ + break ;\ + }\ +}\ +pclose(f) ; +#endif @@ -647,7 +706,11 @@ snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s", dport_string, src_addr, interface_ip_str) ; DEBUG "open a secondary pcap: '%s'", cmd) ; +#ifdef __FreeBSD__ + hdr_len = open_a_pcap (device, 1000, &cap, cmd) ; +#else hdr_len = open_a_pcap (device, 0, &cap, cmd) ; +#endif // set broad firewall rule sprintf (G_fw_broad_rule, " %s %s 0 %s %s", 
@@ -659,7 +722,22 @@ for (;;) { +#ifdef __FreeBSD__ + { + int ret = 0; + struct pcap_pkthdr * packet_hdr_p; + + while (ret == 0) { + ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ; + packet_hdr = *packet_hdr_p; + if (ret < 0) { + p = NULL; + } + } + } +#else p = (unsigned char*)pcap_next (cap, &packet_hdr) ; +#endif if (p == NULL) { WARNX "manage_firewall got null from 'pcap_next'. Exiting.") ; exit (1) ; @@ -1222,9 +1300,13 @@ croak (errno, "Can't get interface address of %s", device) ; } +#ifdef __FreeBSD__ + hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s", + port, interface_ip) ; +#else hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s", port, interface_ip) ; - +#endif if (G_reconfigure) { G_reconfigure = FALSE ; NOTICE "reconfigured.") ; 
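Review bot: in `@@ -397,7 +397,11 @@` the entry for data-link type 0 becomes `4` only under `__FreeBSD__`, but the value describes the capture's link type, not the operating system: libpcap's DLT_NULL frames carry a 4-byte address-family header on every platform that produces them, so the existing `0` entry was wrong everywhere and the `#ifdef` hides that instead of fixing it. Keep `4,` unconditionally, drop the `#else` branch, and change the comment from `no link-layer encapsulation` to say that a 4-byte header is present.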
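Review bot: `@@ -602,7 +615,53 @@` closes the `#ifdef __FreeBSD__` opened in `@@ -557,6 +561,14 @@` with a second, 40-line copy of the whole `LSOF()` macro that differs from the FreeBSD branch only by the single `if ((p1 = token (&p2, " ")) == NULL) continue ;\` added in `@@ -578,6 +590,7 @@`. Wrap just that one line in `#ifdef __FreeBSD__` / `#endif` and delete the copy, so there is one macro to maintain. Both branches also keep `sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;` while `@@ -647,7 +706,11 @@` shows the file otherwise using `snprintf (cmd, 254, ...)`; the bounded form belongs here as well. The added comment is right that counting fields is fragile; matching the `ip:port->ip:port` column by its shape rather than its position would remove the need for a per-OS macro altogether.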
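Review bot: in `@@ -647,7 +706,11 @@` the pcap read timeout `1000` is a bare literal, and `@@ -1222,9 +1300,13 @@` repeats it; the covering mail already expects it to change (to 100), which would mean editing both sites. Define one constant next to `datalink_header_lengths[]`, for example a hypothetical `PCAP_READ_TIMEOUT_MS` that is `1000` under `__FreeBSD__` and `0` otherwise, and pass it in both `open_a_pcap` calls; the two `#ifdef`/`#else` blocks around the calls then disappear, as does the stray blank-line removal in the second hunk.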
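Review bot: `@@ -659,7 +722,22 @@` copies `packet_hdr = *packet_hdr_p;` before `ret` is examined, and `@@ -1252,7 +1334,22 @@` repeats the same loop for `G_cap`. `pcap_next_ex()` fills in the header pointer only when it returns 1; on the first timeout (return 0) `packet_hdr_p` is still the uninitialised local declared two lines earlier, and on -1/-2 the dereference happens before `p = NULL` is set, so a capture error becomes an invalid read instead of reaching the `WARNX "manage_firewall got null from 'pcap_next'. Exiting.")` path. Suggested shape: `if (ret == 1) packet_hdr = *packet_hdr_p; else if (ret < 0) { p = NULL; break; }`. In the second hunk the loop also spins through timeouts without looking at `G_reconfigure`, so with polling a reconfigure signal is only noticed once a knock packet arrives; testing it inside the loop keeps the old behaviour. The two blocks are identical apart from the handle and would be better as one helper taking the `pcap_t *`.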
@@ -1252,7 +1334,22 @@ char src_addr_buff[16] ; errno = 0 ; +#ifdef __FreeBSD__ + { + int ret = 0; + struct pcap_pkthdr * packet_hdr_p; + + while (ret == 0) { + ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ; + packet_hdr = *packet_hdr_p; + if (ret < 0) { + p = NULL; + } + } + } +#else p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ; +#endif if (G_reconfigure) { if (daemonize) err_closelog() ; goto reconfigure ;

Content-Disposition: attachment; filename="ipf_add.insert"
#!/bin/sh
#
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# contains a drop rule that interferes with doorman because rules can
# only be added at the end, i.e. after the drop rule.
#
# The script will insert its rule before a line containing the string
# @@@Insert doorman rule here@@@
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_add"
# IPFilter add script, called by "doormand".
# This adds a "pass in quick" rule to the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character. This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#

BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'

# We use kept state for this, so we ignore the invocation with
# a specific source port.
if [ "$3" = 0 ]; then
    inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
    inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi

#
# acquire lock (not implemented)
#

if [ -f /etc/ipf.rules.doorman ]; then
    # Add another rule
    mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
    sed -e "/@@@doorman rules end@@@/i\\
$inrule\\
$outrule" /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
    rm /etc/ipf.rules.doorman.old
else
    # Create /etc/ipf.rules.doorman
    sed -e "/@@@Insert doorman rule here@@@/c\\
# $BEGINTAG\\
$inrule\\
$outrule\\
# $ENDTAG" /etc/ipf.rules > /etc/ipf.rules.doorman
fi

# Activate the edited ruleset
ret=`/sbin/ipf -Fa -I -f /etc/ipf.rules.doorman 2>&1`

#
# release lock (not implemented)
#

if [ -z "$ret" ]; then
    /sbin/ipf -s > /dev/null 2>&1
    echo 0
else
    echo -1 3 "$ret"
fi

Content-Disposition: attachment; filename="ipf_delete.remove"
#!/bin/sh
#
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# contains a drop rule that interferes with doorman because rules can
# only be added at the end, i.e. after the drop rule.
#
# The script will delete its rule from the intermediate file
# /etc/ipf.rules.doorman. If no lines are left between the markers
# @@@doorman rules begin@@@ and @@@doorman rules end@@@, the
# intermediate file is deleted and the original ruleset is reloaded.
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_delete"
# IPFilter delete script, called by "doormand".
# This deletes a "pass in quick" rule from the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character. This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#

BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'

# We use kept state for this, so we ignore the invocation with
# a specific source port.
if [ "$3" = 0 ]; then
    inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
    inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi

#
# acquire lock (not implemented)
#

if [ ! -f /etc/ipf.rules.doorman ]; then
    # Huh? How come?
    echo -1 3 /etc/ipf.rules.doorman missing
    exit
fi

mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
sed -e "/^$inrule\$/d" -e "/^$outrule\$/d" /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
rm /etc/ipf.rules.doorman.old

if [ `sed -n -e "/$BEGINTAG/,/$ENDTAG/p" /etc/ipf.rules.doorman |\
      wc -l` -le 2 ]; then
    # No rules left
    rm /etc/ipf.rules.doorman
    FILE=/etc/ipf.rules
else
    FILE=/etc/ipf.rules.doorman
fi

# Activate the edited ruleset
ret=`/sbin/ipf -Fa -I -f $FILE 2>&1`

#
# release lock (not implemented)
#

if [ -z "$ret" ]; then
    /sbin/ipf -s > /dev/null 2>&1
    echo 0
else
    echo -1 3 "$ret"
fi

Content-Disposition: attachment; filename="doorman.sh"
#!/bin/sh
#

# PROVIDE: doorman
# REQUIRE: LOGIN
# KEYWORD: FreeBSD

#
# Add the following lines to /etc/rc.conf to enable doorman:
# doorman_enable (bool):   Set to "NO" by default.
#                          Set it to "YES" to enable doorman
# doorman_config (path):   Set to "/usr/local/etc/doormand/doormand.cf" by default.
#

if [ -f /etc/rc.subr ]; then
    . /etc/rc.subr
elif [ -f /usr/local/etc/rc.subr ]; then
    . /usr/local/etc/rc.subr
else
    exit 1
fi

name="doorman"
rcvar=`set_rcvar`

[ -z "$doorman_enable" ] && doorman_enable="NO"
[ -z "$doorman_config" ] && doorman_config="/usr/local/etc/doormand/doormand.cf"

command=/usr/local/sbin/doormand
pidfile=/var/run/doormand.pid
command_args="-p $pidfile -f $doorman_config"

load_rc_config $name
run_rc_command "$1"

Content-Type: message/rfc822; name="Attached Message"
Subject: Re: ports/78777: security/doorman: lexer collision with pcap library
From: Pav Lucistnik <pav@FreeBSD.org>
Reply-To: pav@FreeBSD.org
To: aaron@daltons.ca, freebsd-gnats-submit@FreeBSD.org
Date: Wed, 16 Mar 2005 22:45:51 +0100
Message-Id: <1111009551.4377.6.camel@hood.oook.cz>

Can you or the maintainer provide a patch for this issue?

-- 
Pav Lucistnik <pav@oook.cz>
              <pav@FreeBSD.org>

The final screw holding up a rackmount server is always possessed by demons.

Content-Type: message/rfc822; name="Attached Message"
Date: Thu, 17 Mar 2005 09:33:36 +0100
From: Lupe Christoph <lupe@lupe-christoph.de>
To: aaron@daltons.ca
Subject: Re: Further problems with doorman on FreeBSD
Message-ID: <20050317083336.GH26010@lupe-christoph.de>
References: <20050313124559.GO25969@lupe-christoph.de>
In-Reply-To: <20050313124559.GO25969@lupe-christoph.de>

Hi!

I'm attaching the patch for doormand.c I mentioned in the mail to update the PR, the two IPFilter scripts, and an rc.d script I wrote. You may wish to include the rc.d script with your port. It's all yours. Please note that the script uses rcNG, so you may need to depend on sysutils/rc_subr for FreeBSD 4.

Please integrate my changes in your port.

Lupe Christoph
-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer. |
Content-Type: message/rfc822; name="Attached Message"
Date: Thu, 17 Mar 2005 10:29:41 +0100
From: Lupe Christoph <lupe@lupe-christoph.de> To: aaron@daltons.ca Subject: Re: Further problems with doorman on FreeBSD Message-ID: <20050317092941.GI26010@lupe-christoph.de> References: <20050313124559.GO25969@lupe-christoph.de> <20050317083336.GH26010@lupe-christoph.de> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="P+33d92oIH25kiaB" Content-Disposition: inline In-Reply-To: <20050317083336.GH26010@lupe-christoph.de> User-Agent: Mutt/1.5.6+20040907i X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at lupe-christoph.de --P+33d92oIH25kiaB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thursday, 2005-03-17 at 09:33:36 +0100, Lupe Christoph wrote: > I'm attaching ... No, I didn't. Trying again... Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | Ask not what your computer can do for you | | ask what you can do for your computer. | --P+33d92oIH25kiaB Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="doormand.patch" --- Work/doorman-0.8.orig/doormand.c Thu Jul 29 21:24:02 2004 +++ work/doorman-0.8/doormand.c Tue Mar 15 17:18:09 2005 @@ -397,7 +397,11 @@ int datalink_header_lengths[] = { // hdr len code data link type // ------- --- --------------------------- +#ifdef __FreeBSD__ + 4, // 0 no link-layer encapsulation +#else 0, // 0 no link-layer encapsulation +#endif 14, // 1 Ethernet (10Mb) -1, // 2 Experimental Ethernet (3Mb) -1, // 3 Amateur Radio AX.25 @@ -557,6 +561,14 @@ // more readable. // +/* +// lsof on FreeBSD produces one more field. +// This should be rewritten to use a regular expression, anyway. +// +// And who said using C++ style comments in C was good for portability?!? +*/ + +#ifdef __FreeBSD__ #define LSOF()\ sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ \ 
@@ -578,6 +590,7 @@ if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ if ((p1 = token (&p2, " :")) == NULL) continue ;\ local_ip = inet_addr(p1) ;\ if ((p1 = token (&p2, "-")) == NULL) continue ;\ @@ -602,7 +615,53 @@ }\ }\ pclose(f) ; - +#else +#define LSOF()\ +sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\ +\ +f = popen (cmd, "r") ;\ +if (f == NULL) {\ + croak (errno, "Can't execute '%s'; exiting.", cmd) ;\ +}\ +\ +fgets(buffer, 254, f) ; /* throw away the first line. */ \ +while (fgets(buffer, 254, f)) {\ + p2 = buffer ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + dname = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + pid = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + uname = p1 ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + if ((p1 = token (&p2, " :")) == NULL) continue ;\ + local_ip = inet_addr(p1) ;\ + if ((p1 = token (&p2, "-")) == NULL) continue ;\ + local_port = atoi(p1) ;\ + if ((p1 = token (&p2, "->:")) == NULL) continue ;\ + aptr = p1 ;\ + remote_ip = inet_addr(p1) ;\ + if ((p1 = token (&p2, " ")) == NULL) continue ;\ + pptr = p1 ;\ + remote_port = atoi(p1) ;\ + if ((p1 = token (&p2, " ()")) == NULL) continue ;\ + status = p1 ;\ +\ + if ((saddr == remote_ip) &&\ + (daddr == local_ip) &&\ + (sport == remote_port) &&\ + (dport == local_port) && \ + (strcmp(status, "ESTABLISHED") == 0))\ + {\ + connected = TRUE ;\ + break ;\ + }\ +}\ +pclose(f) ; +#endif 
@@ -647,7 +706,11 @@ snprintf (cmd, 254, "tcp and dst port %s and src %s and dst %s", dport_string, src_addr, interface_ip_str) ; DEBUG "open a secondary pcap: '%s'", cmd) ; +#ifdef __FreeBSD__ + hdr_len = open_a_pcap (device, 1000, &cap, cmd) ; +#else hdr_len = open_a_pcap (device, 0, &cap, cmd) ; +#endif // set broad firewall rule sprintf (G_fw_broad_rule, " %s %s 0 %s %s", @@ -659,7 +722,22 @@ for (;;) { +#ifdef __FreeBSD__ + { + int ret = 0; + struct pcap_pkthdr * packet_hdr_p; + + while (ret == 0) { + ret = pcap_next_ex (cap, &packet_hdr_p, (const u_char **)&p) ; + packet_hdr = *packet_hdr_p; + if (ret < 0) { + p = NULL; + } + } + } +#else p = (unsigned char*)pcap_next (cap, &packet_hdr) ; +#endif if (p == NULL) { WARNX "manage_firewall got null from 'pcap_next'. Exiting.") ; exit (1) ; @@ -1222,9 +1300,13 @@ croak (errno, "Can't get interface address of %s", device) ; } +#ifdef __FreeBSD__ + hdr_len = open_a_pcap (device, 1000, &G_cap, "udp and port %d and dst %s", + port, interface_ip) ; +#else hdr_len = open_a_pcap (device, 0, &G_cap, "udp and port %d and dst %s", port, interface_ip) ; - +#endif if (G_reconfigure) { G_reconfigure = FALSE ; NOTICE "reconfigured.") ; 
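Review bot: the comment beside the new FreeBSD value in the @@ -397 hunk is now wrong: entry 0 becomes `4, // 0 no link-layer encapsulation`, but a 4-byte length is a link-layer header, so the comment should say what those four bytes are. The table is indexed by pcap data link type, not by operating system, so also check whether the 4-byte length belongs to link type 0 itself rather than to __FreeBSD__; if it does, the #ifdef can go and the entry can simply be 4.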
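Review bot: the `#ifdef __FreeBSD__` opened in the @@ -557 hunk turns LSOF() into two near-identical macro bodies (the @@ -602 hunk carries the second one) that differ only in the single token() call added by the @@ -578 hunk. Since the new comment already says the parsing should be rewritten, the smaller change for now is one LSOF() with just the extra `if ((p1 = token (&p2, " ")) == NULL) continue ;\` under #ifdef __FreeBSD__, so that later fixes do not have to be made twice. The comment should also name the extra lsof column FreeBSD prints, because the run of identical token() calls gives no hint which field is being skipped.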
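Review bot: the copied LSOF() body in the @@ -602 hunk keeps `sprintf (cmd, "lsof -Pn -iTCP@%s:%s", interface_ip_str, dport_string) ;\` with no length bound, while the @@ -647 hunk shows the same buffer being written with `snprintf (cmd, 254, ...)`. Since these lines are being added anyway, use snprintf with the buffer's size here too (and in the FreeBSD copy), and confirm that the 254 passed to `fgets(buffer, 254, f)` matches the declared size of buffer.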
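Review bot: the 1000 passed to open_a_pcap in the @@ -647 hunk (and again in the @@ -1222 hunk) is a bare number with no comment; give the read timeout a name and say why FreeBSD needs a non-zero value. A non-zero timeout is also what allows the capture to return with no packet, which is the ret == 0 case the pcap_next_ex loops in the later hunks retry on, so the two changes should be explained together.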
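Review bot: in the @@ -659 hunk `packet_hdr = *packet_hdr_p;` runs before `ret` is examined, so on a timeout (ret == 0, the case the while loop is meant to retry) and on an error (ret < 0) it dereferences a pointer that pcap_next_ex has not necessarily set; packet_hdr_p is also declared without an initializer. Copy the header only on success, e.g. `if (ret == 1) packet_hdr = *packet_hdr_p;`, and keep `p = NULL;` for ret < 0. The WARNX below still says 'pcap_next' although the FreeBSD path now calls pcap_next_ex.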
@@ -1252,7 +1334,22 @@ char src_addr_buff[16] ; errno = 0 ; +#ifdef __FreeBSD__ + { + int ret = 0; + struct pcap_pkthdr * packet_hdr_p; + + while (ret == 0) { + ret = pcap_next_ex (G_cap, &packet_hdr_p, (const u_char **)&p) ; + packet_hdr = *packet_hdr_p; + if (ret < 0) { + p = NULL; + } + } + } +#else p = (unsigned char *)pcap_next (G_cap, &packet_hdr) ; +#endif if (G_reconfigure) { if (daemonize) err_closelog() ; goto reconfigure ;

Attachment "ipf_add.insert":

#!/bin/sh
#
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# contains a drop rule that interferes with doorman because rules can
# only be added at the end, i.e. after the drop rule.
#
# The script will insert its rule before a line containing the string
# @@@Insert doorman rule here@@@
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_add"
# IPFilter add script, called by "doormand".
# This adds a "pass in quick" rule to the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character. This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#
BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'

# We use kept state for this, so we ignore the invocation with
# a specific source port.
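Review bot: the @@ -1252 hunk repeats the pcap_next_ex loop of the @@ -659 hunk line for line, including the `packet_hdr = *packet_hdr_p;` that is executed before ret is checked. Move the loop into one helper (a function taking the pcap_t and the header to fill, returning the packet pointer or NULL, and copying the header only when pcap_next_ex returned 1) and call it from both places, so the dereference is fixed once.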
if [ "$3" = 0 ]; then
    inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
    inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi

#
# acquire lock (not implemented)
#

if [ -f /etc/ipf.rules.doorman ]; then
    # Add another rule pair before the end marker
    mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
    sed -e "/@@@doorman rules end@@@/i\\
$inrule\\
$outrule" /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
    rm /etc/ipf.rules.doorman.old
else
    # Create /etc/ipf.rules.doorman: replace the insert marker line
    # with the marked block holding the first rule pair
    sed -e "/@@@Insert doorman rule here@@@/c\\
# $BEGINTAG\\
$inrule\\
$outrule\\
# $ENDTAG" /etc/ipf.rules > /etc/ipf.rules.doorman
fi

# Activate the edited ruleset
ret=`/sbin/ipf -Fa -I -f /etc/ipf.rules.doorman 2>&1`

#
# release lock (not implemented)
#

if [ -z "$ret" ]; then
    /sbin/ipf -s > /dev/null 2>&1
    echo 0
else
    echo -1 3 "$ret"
fi

Attachment "ipf_delete.remove":

#!/bin/sh
#
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# contains a drop rule that interferes with doorman because rules can
# only be added at the end, i.e. after the drop rule.
#
# The script will delete its rule from the intermediate file
# /etc/ipf.rules.doorman. If no lines are left between the markers
# @@@doorman rules begin@@@ and @@@doorman rules end@@@, the
# intermediate file is deleted and the original ruleset is reloaded.
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_delete"
# IPFilter delete script, called by "doormand".
# This deletes a "pass in quick" rule from the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character. This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#
BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'

# We use kept state for this, so we ignore the invocation with
# a specific source port.
if [ "$3" = 0 ]; then
    inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
    inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
    outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi

#
# acquire lock (not implemented)
#

if [ ! -f /etc/ipf.rules.doorman ]; then
    # Huh? How come?
    echo -1 3 /etc/ipf.rules.doorman missing
    exit
fi

mv /etc/ipf.rules.doorman /etc/ipf.rules.doorman.old
sed -e "/^$inrule\$/d" -e "/^$outrule\$/d" \
    /etc/ipf.rules.doorman.old > /etc/ipf.rules.doorman
rm /etc/ipf.rules.doorman.old

# Only the two marker lines left between the tags means no rules remain.
if [ `sed -n -e "/$BEGINTAG/,/$ENDTAG/p" /etc/ipf.rules.doorman |\
     wc -l` -le 2 ]; then
    # No rules left
    rm /etc/ipf.rules.doorman
    FILE=/etc/ipf.rules
else
    FILE=/etc/ipf.rules.doorman
fi

# Activate the edited ruleset
ret=`/sbin/ipf -Fa -I -f $FILE 2>&1`

#
# release lock (not implemented)
#

if [ -z "$ret" ]; then
    /sbin/ipf -s > /dev/null 2>&1
    echo 0
else
    echo -1 3 "$ret"
fi

Attachment "doorman.sh" (rc script, decoded from quoted-printable):

#!/bin/sh
#

# PROVIDE: doorman
# REQUIRE: LOGIN
# KEYWORD: FreeBSD

#
# Add the following lines to /etc/rc.conf to enable doorman:
# doorman_enable (bool):  Set to "NO" by default.
#                         Set it to "YES" to enable doorman
# doorman_config (path):  Set to "/usr/local/etc/doormand/doormand.cf" by default.
#

if [ -f /etc/rc.subr ]; then
    . /etc/rc.subr
elif [ -f /usr/local/etc/rc.subr ]; then
    . /usr/local/etc/rc.subr
else
    exit 1
fi

name="doorman"
rcvar=`set_rcvar`

[ -z "$doorman_enable" ] && doorman_enable="NO"
[ -z "$doorman_config" ] && doorman_config="/usr/local/etc/doormand/doormand.cf"

command=/usr/local/sbin/doormand
pidfile=/var/run/doormand.pid
command_args="-p $pidfile -f $doorman_config"

load_rc_config $name
run_rc_command "$1"
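The two IPFilter scripts above edit the ruleset around the markers and then reload it with /sbin/ipf. What follows is an added example, not code from this PR or from the doorman port: it replays only the file-editing half of ipf_add.insert and ipf_delete.remove on a constructed three-line ruleset in a temporary directory, so the marker handling and the "no rules left" test can be exercised without IPFilter installed. The function names, the sample ruleset, the addresses and the use of awk in place of the scripts' sed are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the doorman port or of the PR's scripts): replays
# the marker-based editing that ipf_add.insert / ipf_delete.remove perform on
# /etc/ipf.rules, on a constructed ruleset in a temporary directory, and never
# calls /sbin/ipf.  Function names, sample data and the use of awk are
# assumptions made for this example.

BEGINTAG='@@@doorman rules begin@@@'
ENDTAG='@@@doorman rules end@@@'
INSERTTAG='@@@Insert doorman rule here@@@'

# Rule pair for interface $1, knock client $2, client port $3 (0 = not yet
# known, so a broad rule), server address $4 and service port $5.
# Same rule text as the scripts build.
doorman_rules() {
    if [ "$3" = 0 ]; then
        printf '%s\n' "pass in quick on $1 proto TCP from $2 to $4 port = $5" \
            "pass out quick on $1 proto TCP from $4 port = $5 to $2"
    else
        printf '%s\n' "pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5" \
            "pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
    fi
}

# Number of lines between the begin and end markers of file $1 (0 if none);
# this is the scripts' "wc -l ... -le 2" test made explicit.
doorman_rules_left() {
    awk -v b="$BEGINTAG" -v e="$ENDTAG" \
        'index($0, e) { inblk = 0 } inblk { n++ } index($0, b) { inblk = 1 }
         END { print n + 0 }' "$1"
}

# ipf_add.insert's file edit: $1 is the base ruleset, $2..$6 the doormand
# arguments.  The first call replaces the insert marker with a marked block;
# later calls add the pair just before the end marker of $1.doorman.
doorman_add() {
    base=$1; shift
    work="$base.doorman"
    rules=$(doorman_rules "$@")
    if [ -f "$work" ]; then
        awk -v e="$ENDTAG" -v rules="$rules" \
            'index($0, e) { print rules } { print }' "$work" > "$work.new"
    else
        awk -v i="$INSERTTAG" -v b="$BEGINTAG" -v e="$ENDTAG" -v rules="$rules" \
            'index($0, i) { print "# " b; print rules; print "# " e; next } { print }' \
            "$base" > "$work.new"
    fi
    mv "$work.new" "$work"
}

# ipf_delete.remove's file edit.  Lines are compared as whole strings, so the
# dots in addresses are not regex wildcards as they are in sed /^$inrule$/d.
# Prints "kept" while rules remain, "removed" once the block is empty and
# $1.doorman has been deleted (the script then reloads the base ruleset).
doorman_delete() {
    base=$1; shift
    work="$base.doorman"
    [ -f "$work" ] || { echo missing; return 1; }
    rules=$(doorman_rules "$@")
    awk -v rules="$rules" \
        'BEGIN { n = split(rules, r, "\n"); for (i = 1; i <= n; i++) drop[r[i]] = 1 }
         !($0 in drop)' "$work" > "$work.new"
    mv "$work.new" "$work"
    if [ "$(doorman_rules_left "$work")" -eq 0 ]; then
        rm "$work"; echo removed
    else
        echo kept
    fi
}

# One knock session against a constructed ruleset (documentation addresses),
# reporting the state after each step at which doormand would run a script.
doorman_demo() {
    dir=$(mktemp -d) || return 1
    base="$dir/ipf.rules"
    printf '%s\n' 'pass out quick on ne0 all keep state' \
        "# $INSERTTAG" 'block in quick on ne0 all' > "$base"
    doorman_add "$base" ne0 192.0.2.10 0 198.51.100.1 22
    a=$(doorman_rules_left "$base.doorman")
    doorman_add "$base" ne0 192.0.2.10 40000 198.51.100.1 22
    b=$(doorman_rules_left "$base.doorman")
    c=$(doorman_delete "$base" ne0 192.0.2.10 0 198.51.100.1 22)
    d=$(doorman_delete "$base" ne0 192.0.2.10 40000 198.51.100.1 22)
    e=$(test -f "$base.doorman" && echo present || echo absent)
    rm -rf "$dir"
    echo "$a $b $c $d $e"
}

doorman_demo
```

Running it prints `2 4 kept removed absent`: two rule lines after the broad rule, four after the port-specific one, the doorman file kept after the first deletion and removed after the second, which is exactly when ipf_delete.remove falls back to reloading /etc/ipf.rules. Comparing whole lines in awk rather than with the scripts' `sed /^$inrule$/d` is the one deliberate departure, since a dot in an address would otherwise match any character.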