From ef8f9485b03972ff5efa6e45fa7b01f6d4256b39 Mon Sep 17 00:00:00 2001
From: laforge
Date: Mon, 14 Aug 2000 08:28:23 +0000
Subject: various bugfixes (tcp interpreter), output for boolean type

---
 TODO | 17 ++++++++++
 ulogd/Makefile | 6 ++--
 ulogd/README | 2 +-
 ulogd/extensions/ulogd_BASE.c | 73 ++++++++++++++++++++++++++++++++++++-----
 ulogd/extensions/ulogd_OPRINT.c | 7 +++-
 ulogd/include/ulogd/ulogd.h | 11 +++++--
 ulogd/ulogd.c | 10 +++---
 7 files changed, 106 insertions(+), 20 deletions(-)
 create mode 100644 TODO

diff --git a/TODO b/TODO
new file mode 100644
index 0000000..803462f
--- /dev/null
+++ b/TODO
@@ -0,0 +1,17 @@
+libipulog:
+- Error checking at netlink socket
+- forward port my timeout enabled read-function from libipq to libipulog
+- handle multi-part nlmsgs
+
+kernel:
+- queue the logging in the kernel and send multiple packets in one
+ multipart nlmsg
+
+ulogd:
+- commandline option for "to fork or not to fork"
+- configfile
+- add output target for sql server
+- add interpreter plugin for ftp/pop3/etc passwords
+- add a compatibility output target for syslog (really?)
+- prefix ulogd.log with timestamp
+- add support for capabilities to run as non-root
diff --git a/ulogd/Makefile b/ulogd/Makefile
index 9cb52f6..0d02917 100644
--- a/ulogd/Makefile
+++ b/ulogd/Makefile
@@ -1,14 +1,14 @@
 # Path of libipulog (from iptables)
 LIBIPULOG=../libipulog
+INCIPULOG=-I../libipulog/include
 # Names of the plugins to be compiled
 ULOGD_SL:=BASE OPRINT
-
 # Normally You should not need to change anything below
 #
 CC = gcc
-CFLAGS = -I. -I$(LIBIPULOG)/include -g -Wall
+CFLAGS = -I. -g -Wall $(INCIPULOG)
 SH_CFLAGS:=$(CFLAGS) -fPIC
 SHARED_LIBS+=$(foreach T,$(ULOGD_SL),extensions/ulogd_$(T).so)
@@ -21,7 +21,7 @@ $(SHARED_LIBS): %.so: %_sh.o
 %_sh.o: %.c
 gcc $(SH_CFLAGS) -o $@ -c $<
-ulogd: ulogd.c ../libipulog/libipulog.a ulogd.h
+ulogd: ulogd.c $(LIBIPULOG) ulogd.h
 $(CC) $(CFLAGS) -rdynamic -ldl -i ulogd.c $(LIBIPULOG)/libipulog.a -o ulogd
 clean:
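Review bot: The new prerequisite `ulogd: ulogd.c $(LIBIPULOG) ulogd.h` names the directory ../libipulog rather than the archive, so a rebuilt libipulog.a no longer triggers a relink: make compares the directory's mtime, which only changes when entries are added or removed, while the link line below still consumes $(LIBIPULOG)/libipulog.a. Keep the variable but point it at the file, `ulogd: ulogd.c $(LIBIPULOG)/libipulog.a ulogd.h`. The `ulogd.h` prerequisite may also be stale, since this commit edits the header under ulogd/include/ulogd/ulogd.h; if no ulogd/ulogd.h exists next to the Makefile, make stops with "No rule to make target".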
diff --git a/ulogd/README b/ulogd/README
index 4d0870b..46a36ea 100644
--- a/ulogd/README
+++ b/ulogd/README
@@ -1,7 +1,7 @@
 ===> CONECEPT
 I want to write a flexible, almost universal logging daemon for my netfilter
-ULOG target. These are my thoughts about how the architecture which is most capable of doing that:
+ULOG target. It is not optimized in any way, the goal is to keep as simple as possible. These are my thoughts about how the architecture which is most capable of doing that:
 1. Interpreter lugins
diff --git a/ulogd/extensions/ulogd_BASE.c b/ulogd/extensions/ulogd_BASE.c
index 8506d42..e0b1e1f 100644
--- a/ulogd/extensions/ulogd_BASE.c
+++ b/ulogd/extensions/ulogd_BASE.c
@@ -1,11 +1,11 @@
-/* ulogd_MAC.c, Version $Revision: 1.1 $
+/* ulogd_MAC.c, Version $Revision: 1.2 $
 *
 * ulogd logging interpreter for MAC addresses, TIME, etc.
 *
 * (C) 2000 by Harald Welte
 * This software is released under the terms of GNU GPL
 *
- * $Id: ulogd_BASE.c,v 1.1 2000/08/02 08:51:15 laforge Exp laforge $
+ * $Id: ulogd_BASE.c,v 1.2 2000/08/02 12:15:44 laforge Exp $
 *
 */
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 ulog_iret_t *_interp_mac(ulog_packet_msg_t *pkt)
 {
@@ -108,7 +109,8 @@ ulog_iret_t *_interp_iphdr(ulog_packet_msg_t *pkt)
 ulog_iret_t *_interp_tcphdr(ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
- struct tcphdr *tcph = (struct tcphdr *) (iph + iph->ihl);
+ void *protoh = (u_int32_t *)iph + iph->ihl;
+ struct tcphdr *tcph = (struct tcphdr *) protoh;
 ulog_iret_t *ret, *ret2;
 if (iph->protocol != IPPROTO_TCP)
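Review bot: `void *protoh = (u_int32_t *)iph + iph->ihl;` takes the header-length field from the logged packet at face value and the TCP fields are then read without checking that the captured payload actually contains them; the same holds for the new window/urg_ptr/flag reads in the -117 hunk and for the new _interp_udp. ULOG only copies the configured copy range and ihl can be any value 0–15, so tcph may point inside the IP header or past the end of the message — an out-of-bounds read in the logging daemon, triggered by whatever the firewall happens to log. Guard on the received length before dereferencing, roughly `if (pkt->data_len < sizeof(*iph) || iph->ihl < 5 || pkt->data_len < iph->ihl * 4 + sizeof(*tcph)) return NULL;` (data_len being the libipulog field that carries the copied length, as far as I recall the struct). _interp_tcphdr continues past this hunk, and if alloc_ret can return NULL on allocation failure, the chained `ret2 = ret2->next = alloc_ret(...)` assignments dereference it unchecked.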
@@ -117,14 +119,67 @@ ulog_iret_t *_interp_tcphdr(ulog_packet_msg_t *pkt)
 ret = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.sport");
 ret->value.ui16 = ntohs(tcph->source);
- ret->next = ret2 = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.sport");
- ret->value.ui16 = ntohs(tcph->dest);
+ ret->next = ret2 = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.dport");
+ ret2->value.ui16 = ntohs(tcph->dest);
 ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT32, "tcp.hdr.seq");
- ret->value.ui32 = ntohl(tcph->seq);
+ ret2->value.ui32 = ntohl(tcph->seq);
 ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT32, "tcp.hdr.ack_seq");
- ret->value.ui32 = ntohl(tcph->ack_seq);
+ ret2->value.ui32 = ntohl(tcph->ack_seq);
+
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.window");
+ ret2->value.ui16 = ntohs(tcph->window);
+
+ if (tcph->urg) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.urg");
+ ret2->value.b = 1;
+
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.urgp");
+ ret2->value.ui16 = ntohs(tcph->urg_ptr);
+ }
+ if (tcph->ack) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.ack");
+ ret2->value.b = 1;
+ }
+ if (tcph->psh) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.psh");
+ ret2->value.b = 1;
+ }
+ if (tcph->rst) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.rst");
+ ret2->value.b = 1;
+ }
+ if (tcph->syn) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.syn");
+ ret2->value.b = 1;
+ }
+ if (tcph->fin) {
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.fin");
+ ret2->value.b = 1;
+ }
+
+ return ret;
+}
+
+ulog_iret_t *_interp_udp(ulog_packet_msg_t *pkt)
+{
+ struct iphdr *iph = (struct iphdr *) pkt->payload;
+ void *protoh = (u_int32_t *)iph + iph->ihl;
+ struct udphdr *udph = protoh;
+ ulog_iret_t *ret, *ret2;
+
+ if (iph->protocol != IPPROTO_UDP)
+ return NULL;
+
+ ret = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.sport");
+ ret->value.ui16 = ntohs(udph->source);
+
+ ret2 = ret->next = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.dport");
+ ret2->value.ui16 = ntohs(udph->dest);
+
+ ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.len");
+ ret2->value.ui16 = ntohs(udph->len);
 return ret;
 }
@@ -132,7 +187,8 @@ ulog_iret_t *_interp_tcphdr(ulog_packet_msg_t *pkt)
 ulog_iret_t *_interp_icmp(ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
- struct icmphdr *icmph = (struct icmphdr *) (iph + iph->ihl);
+ void *protoh = (u_int32_t *) (iph + iph->ihl);
+ struct icmphdr *icmph = protoh;
 ulog_iret_t *ret, *ret2;
 if (iph->protocol != IPPROTO_ICMP)
@@ -155,6 +211,7 @@ static ulog_interpreter_t base_ip[] = {
 { NULL, "ip.hdr", &_interp_iphdr },
 { NULL, "tcp.hdr", &_interp_tcphdr },
 { NULL, "icmp.hdr", &_interp_icmp },
+ { NULL, "udp.hdr", &_interp_udp },
 { NULL, "", NULL },
 };
 void _base_reg_ip(void)
diff --git a/ulogd/extensions/ulogd_OPRINT.c b/ulogd/extensions/ulogd_OPRINT.c
index ea6d885..19fbd7b 100644
--- a/ulogd/extensions/ulogd_OPRINT.c
+++ b/ulogd/extensions/ulogd_OPRINT.c
@@ -5,7 +5,7 @@
 * (C) 2000 by Harald Welte
 * This software is released under the terms of GNU GPL
 *
- * $Id: ulogd_OPRINT.c,v 1.1 2000/08/02 08:51:15 laforge Exp laforge $
+ * $Id: ulogd_OPRINT.c,v 1.1 2000/08/02 12:16:00 laforge Exp $
 *
 */
@@ -42,6 +42,7 @@ int _output_print(ulog_iret_t *res)
 case ULOGD_RET_STRING:
 fprintf(of, "%s\n", (char *) ret->value.ptr);
 break;
+ case ULOGD_RET_BOOL:
 case ULOGD_RET_INT8:
 fprintf(of, "%d\n", ret->value.i8);
 break;
@@ -89,11 +90,15 @@ void _base_reg_op(void)
 void _init(void)
 {
+#ifdef DEBUG
+ of = stdout;
+#else
 of = fopen(ULOGD_OPRINT_FILE, "a");
 if (!of) {
 ulogd_error("ulogd_OPRINT: can't open PKTLOG: %s\n", strerror(errno));
 exit(2);
 }
+#endif
 _base_reg_op();
 }
diff --git a/ulogd/include/ulogd/ulogd.h b/ulogd/include/ulogd/ulogd.h
index d1eb1fa..9ee0691 100644
--- a/ulogd/include/ulogd/ulogd.h
+++ b/ulogd/include/ulogd/ulogd.h
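Review bot: `void *protoh = (u_int32_t *) (iph + iph->ihl);` in _interp_icmp still has the bug the TCP and UDP interpreters were just fixed for: the cast is applied after the addition, so `iph + iph->ihl` advances by ihl * sizeof(struct iphdr) bytes rather than ihl * 4, and icmph lands well past the real ICMP header. Cast first, as the other two interpreters now do: `void *protoh = (u_int32_t *)iph + iph->ihl;`. The function body continues past the hunk, and like its siblings it reads icmph fields without checking that the captured length covers the IP header plus the ICMP header, so a length guard before the dereference belongs here too.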
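Review bot: `case ULOGD_RET_BOOL:` is made to fall into the INT8 branch, so a boolean is printed by reading `ret->value.i8` although the interpreters in this commit store it through `ret->value.b`; the two union members overlap, so this works for 0 and 1, but the printed form is now silently tied to the INT8 layout. A dedicated branch that reads the member that was written, `case ULOGD_RET_BOOL: fprintf(of, "%d\n", ret->value.b); break;`, keeps the printer independent of how the other integer types are laid out. _output_print begins before this hunk and continues after it.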
@@ -1,6 +1,6 @@
 #ifndef _ULOGD_H
 #define _ULOGD_H
-/* ulogd, Version $Revision: 1.2 $
+/* ulogd, Version $Revision: 1.3 $
 *
 * first try of a logging daemon for my netfilter ULOG target
 * for the linux 2.4 netfilter subsystem.
@@ -9,7 +9,7 @@
 *
 * this code is released under the terms of GNU GPL
 *
- * $Id: ulogd.h,v 1.2 2000/08/02 12:16:42 laforge Exp laforge $
+ * $Id: ulogd.h,v 1.3 2000/08/02 12:20:55 laforge Exp $
 */
 #include
@@ -30,13 +30,17 @@
 #define ULOGD_RET_UINT32 0x0013
 #define ULOGD_RET_UINT64 0x0014
-#define ULOGD_RET_STRING 0x8020
+#define ULOGD_RET_BOOL 0x0050
 #define ULOGD_RET_IPADDR 0x0100
 /* types with lenght field*/
+#define ULOGD_RET_STRING 0x8020
+#define ULODG_RET_RAW 0x8030
+
 #define ULOGD_RET_OTHER 0xffff
+
 #define ULOGD_MAX_KEYLEN 32
 #define ulogd_error(format, args...) fprintf(logfile, format, ## args)
@@ -48,6 +52,7 @@ typedef struct ulog_iret {
 u_int16_t type;
 char key[ULOGD_MAX_KEYLEN];
 union {
+ u_int8_t b;
 u_int8_t ui8;
 u_int16_t ui16;
 u_int32_t ui32;
diff --git a/ulogd/ulogd.c b/ulogd/ulogd.c
index abee09a..d917a3f 100644
--- a/ulogd/ulogd.c
+++ b/ulogd/ulogd.c
@@ -1,4 +1,4 @@
-/* ulogd, Version $Revision: 1.4 $
+/* ulogd, Version $Revision: 1.5 $
 *
 * first try of a logging daemon for my netfilter ULOG target
 * for the linux 2.4 netfilter subsystem.
@@ -7,7 +7,7 @@
 *
 * this code is released under the terms of GNU GPL
 *
- * $Id: ulogd.c,v 1.4 2000/08/09 16:26:34 root Exp $
+ * $Id: ulogd.c,v 1.5 2000/08/11 09:56:48 laforge Exp $
 */
 #include
@@ -224,13 +224,13 @@ int main(int argc, char* argv[])
 exit(1);
 }
+#ifndef DEBUG
 if (!fork()) {
- /*
 fclose(stdout);
 fclose(stderr);
- */
+#endif
 /* endless loop receiving packets and handling them over to
 * handle_packet */
@@ -246,8 +246,10 @@ int main(int argc, char* argv[])
 ipulog_destroy_handle(h);
 free(buf);
 fclose(logfile);
+#ifndef DEBUG
 } else {
 exit(0);
 }
+#endif
 }
--
cgit v1.2.3
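Review bot: `+#define ULODG_RET_RAW 0x8030` misspells the prefix (ULODG instead of ULOGD), so the constant is inconsistent with every other ULOGD_RET_* name and will not be found by anyone looking for ULOGD_RET_RAW; it should read `#define ULOGD_RET_RAW 0x8030`. Nothing uses it yet in this commit, which makes this the cheapest moment to fix it. A one-line comment next to ULOGD_RET_BOOL stating that a boolean is carried in `value.b` as 0 or 1 would also help the output plugins, which currently have to guess which union member an interpreter wrote.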
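Review bot: `fclose(stdout); fclose(stderr);` become live in the forked child once the comment markers are removed, and closing rather than redirecting them frees descriptors 1 and 2 for the next open() or socket() the daemon makes, so any later write to stderr — a library's perror(), or an fprintf(stderr, ...) in a plugin — lands in that unrelated file or socket. The usual daemon idiom is `freopen("/dev/null", "r", stdin); freopen("/dev/null", "w", stdout); freopen("/dev/null", "w", stderr);`. The surrounding `if (!fork())` also treats a failed fork (-1) the same as the parent and exits 0 without a message; checking for -1 and reporting through ulogd_error before exiting non-zero would make that failure visible. main starts and ends outside this hunk.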