head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2011Q1:1.1.1.1.0.4 pkgsrc-2011Q1-base:1.1.1.1 pkgsrc-2010Q4:1.1.1.1.0.2 pkgsrc-2010Q4-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.2 date 2011.05.02.10.11.34; author adam; state dead; branches; next 1.1; 1.1 date 2010.11.30.12.35.12; author adam; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2010.11.30.12.35.12; author adam; state Exp; branches; next ; desc @@ 1.2 log @Changes rev.1: * Re-open log file on SIGHUP. * Install knockd man page into section 8 instead of section 1. @ text @$NetBSD: patch-aa,v 1.1 2010/11/30 12:35:12 adam Exp $ --- src/knockd.c.orig 2005-06-27 05:11:34.000000000 +0000 +++ src/knockd.c @@@@ -28,18 +28,20 @@@@ #include #include #include +#include +#include +#include +#include +#include +#include +#include #include +#include #include #include #include #include #include -#include -#include -#include -#include -#include -#include #include #include #include @@@@ -193,7 +195,7 @@@@ int main(int argc, char **argv) } } - cap = pcap_open_live(o_int, 65535, 0, 0, pcapErr); + cap = pcap_open_live(o_int, 65535, 0, 1000, pcapErr); if(strlen(pcapErr)) { fprintf(stderr, "could not open %s: %s\n", o_int, pcapErr); } @@@@ -1161,8 +1163,8 @@@@ int exec_cmd(char* command, char* name){ void sniff(u_char* arg, const struct pcap_pkthdr* hdr, const u_char* packet) { /* packet structs */ - struct ethhdr* eth = NULL; - struct iphdr* ip = NULL; + struct ether_header* eth = NULL; + struct ip* ip = NULL; struct tcphdr* tcp = NULL; struct udphdr* udp = NULL; char proto[8]; @@@@ -1179,23 +1181,23 @@@@ void sniff(u_char* arg, const struct pca knocker_t *attempt = NULL; if(lltype == DLT_EN10MB) { - eth = (struct ethhdr*)packet; - if(ntohs(eth->h_proto) != ETH_P_IP) { + eth = (struct ether_header*)packet; + if(ntohs(eth->ether_type) != ETHERTYPE_IP) { return; } - ip = (struct iphdr*)(packet + sizeof(struct ethhdr)); + ip = (struct ip*)(packet + sizeof(struct ether_header)); } else if(lltype == DLT_LINUX_SLL) { - ip = (struct iphdr*)((u_char*)packet + 16); + ip = (struct ip*)((u_char*)packet + 16); } else if(lltype == DLT_RAW) { - ip = (struct iphdr*)((u_char*)packet); + ip = (struct ip*)((u_char*)packet); } - if(ip->version != 4) { + if(ip->ip_v != 4) { /* no IPv6 yet */ dprint("packet is not IPv4, ignoring...\n"); return; } - if(ip->protocol == IPPROTO_ICMP) { + if(ip->ip_p == IPPROTO_ICMP) { /* we don't do ICMP */ return; } @@@@ -1207,23 +1209,23 @@@@ void sniff(u_char* arg, const struct pca fprintf(stderr, "error: could not understand IP address: %s\n", myip); return; } - if(ip->daddr != inaddr.s_addr) { + if(ip->ip_dst.s_addr != inaddr.s_addr) { dprint("packet destined for another host, ignoring...\n"); return; } sport = dport = 0; - if(ip->protocol == IPPROTO_TCP) { + if(ip->ip_p == IPPROTO_TCP) { strncpy(proto, "tcp", sizeof(proto)); - tcp = (struct tcphdr*)((u_char*)ip + (ip->ihl * 4)); - sport = ntohs(tcp->source); - dport = ntohs(tcp->dest); + tcp = (struct tcphdr*)((u_char*)ip + (ip->ip_hl * 4)); + sport = ntohs(tcp->th_sport); + dport = ntohs(tcp->th_dport); } - if(ip->protocol == IPPROTO_UDP) { + if(ip->ip_p == IPPROTO_UDP) { strncpy(proto, "udp", sizeof(proto)); - udp = (struct udphdr*)((u_char*)ip + (ip->ihl * 4)); - sport = ntohs(udp->source); - dport = ntohs(udp->dest); + udp = (struct udphdr*)((u_char*)ip + (ip->ip_hl * 4)); + sport = ntohs(udp->uh_sport); + dport = ntohs(udp->uh_dport); } /* get the date/time */ @@@@ -1234,10 +1236,10 @@@@ void sniff(u_char* arg, const struct pca pkt_tm->tm_sec); /* convert IPs from binary to string */ - inaddr.s_addr = ip->saddr; + inaddr.s_addr = ip->ip_src.s_addr; strncpy(srcIP, inet_ntoa(inaddr), sizeof(srcIP)-1); srcIP[sizeof(srcIP)-1] = '\0'; - inaddr.s_addr = ip->daddr; + inaddr.s_addr = ip->ip_dst.s_addr; strncpy(dstIP, inet_ntoa(inaddr), sizeof(dstIP)-1); dstIP[sizeof(dstIP)-1] = '\0'; @@@@ -1297,69 +1299,69 @@@@ void sniff(u_char* arg, const struct pca /* if tcp, check the flags to ignore the packets we don't want * (don't even use it to cancel sequences) */ - if(ip->protocol == IPPROTO_TCP) { + if(ip->ip_p == IPPROTO_TCP) { if(attempt->door->flag_fin != DONT_CARE) { - if(attempt->door->flag_fin == SET && tcp->fin != 1) { + if(attempt->door->flag_fin == SET && !(tcp->th_flags & TH_FIN)) { dprint("packet is not FIN, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_fin == NOT_SET && tcp->fin == 1) { + if(attempt->door->flag_fin == NOT_SET && (tcp->th_flags & TH_FIN)) { dprint("packet is not !FIN, ignoring...\n"); flagsmatch = 0; } } if(attempt->door->flag_syn != DONT_CARE) { - if(attempt->door->flag_syn == SET && tcp->syn != 1) { + if(attempt->door->flag_syn == SET && !(tcp->th_flags & TH_SYN)) { dprint("packet is not SYN, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_syn == NOT_SET && tcp->syn == 1) { + if(attempt->door->flag_syn == NOT_SET && (tcp->th_flags & TH_SYN)) { dprint("packet is not !SYN, ignoring...\n"); flagsmatch = 0; } } if(attempt->door->flag_rst != DONT_CARE) { - if(attempt->door->flag_rst == SET && tcp->rst != 1) { + if(attempt->door->flag_rst == SET && !(tcp->th_flags & TH_RST)) { dprint("packet is not RST, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_rst == NOT_SET && tcp->rst == 1) { + if(attempt->door->flag_rst == NOT_SET && (tcp->th_flags & TH_RST)) { dprint("packet is not !RST, ignoring...\n"); flagsmatch = 0; } } if(attempt->door->flag_psh != DONT_CARE) { - if(attempt->door->flag_psh == SET && tcp->psh != 1) { + if(attempt->door->flag_psh == SET && !(tcp->th_flags & TH_PUSH)) { dprint("packet is not PSH, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_psh == NOT_SET && tcp->psh == 1) { + if(attempt->door->flag_psh == NOT_SET && (tcp->th_flags & TH_PUSH)) { dprint("packet is not !PSH, ignoring...\n"); flagsmatch = 0; } } if(attempt->door->flag_ack != DONT_CARE) { - if(attempt->door->flag_ack == SET && tcp->ack != 1) { + if(attempt->door->flag_ack == SET && !(tcp->th_flags & TH_ACK)) { dprint("packet is not ACK, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_ack == NOT_SET && tcp->ack == 1) { + if(attempt->door->flag_ack == NOT_SET && (tcp->th_flags & TH_ACK)) { dprint("packet is not !ACK, ignoring...\n"); flagsmatch = 0; } } if(attempt->door->flag_urg != DONT_CARE) { - if(attempt->door->flag_urg == SET && tcp->urg != 1) { + if(attempt->door->flag_urg == SET && !(tcp->th_flags & TH_URG)) { dprint("packet is not URG, ignoring...\n"); flagsmatch = 0; } - if(attempt->door->flag_urg == NOT_SET && tcp->urg == 1) { + if(attempt->door->flag_urg == NOT_SET && (tcp->th_flags & TH_URG)) { dprint("packet is not !URG, ignoring...\n"); flagsmatch = 0; } } } - if(flagsmatch && ip->protocol == attempt->door->protocol[attempt->stage] && + if(flagsmatch && ip->ip_p == attempt->door->protocol[attempt->stage] && dport == attempt->door->sequence[attempt->stage]) { /* level up! */ attempt->stage++; @@@@ -1451,34 +1453,34 @@@@ void sniff(u_char* arg, const struct pca for(lp = doors; lp; lp = lp->next) { opendoor_t *door = (opendoor_t*)lp->data; /* if we're working with TCP, try to match the flags */ - if(ip->protocol == IPPROTO_TCP){ + if(ip->ip_p == IPPROTO_TCP){ if(door->flag_fin != DONT_CARE) { - if(door->flag_fin == SET && tcp->fin != 1) {dprint("packet is not FIN, ignoring...\n");continue;} - if(door->flag_fin == NOT_SET && tcp->fin == 1) {dprint("packet is not !FIN, ignoring...\n");continue;} + if(door->flag_fin == SET && !(tcp->th_flags & TH_FIN)) {dprint("packet is not FIN, ignoring...\n");continue;} + if(door->flag_fin == NOT_SET && (tcp->th_flags & TH_FIN)) {dprint("packet is not !FIN, ignoring...\n");continue;} } if(door->flag_syn != DONT_CARE) { - if(door->flag_syn == SET && tcp->syn != 1) {dprint("packet is not SYN, ignoring...\n");continue;} - if(door->flag_syn == NOT_SET && tcp->syn == 1) {dprint("packet is not !SYN, ignoring...\n");continue;} + if(door->flag_syn == SET && !(tcp->th_flags & TH_SYN)) {dprint("packet is not SYN, ignoring...\n");continue;} + if(door->flag_syn == NOT_SET && (tcp->th_flags & TH_SYN)) {dprint("packet is not !SYN, ignoring...\n");continue;} } if(door->flag_rst != DONT_CARE) { - if(door->flag_rst == SET && tcp->rst != 1) {dprint("packet is not RST, ignoring...\n");continue;} - if(door->flag_rst == NOT_SET && tcp->rst == 1) {dprint("packet is not !RST, ignoring...\n");continue;} + if(door->flag_rst == SET && !(tcp->th_flags & TH_RST)) {dprint("packet is not RST, ignoring...\n");continue;} + if(door->flag_rst == NOT_SET && (tcp->th_flags & TH_RST)) {dprint("packet is not !RST, ignoring...\n");continue;} } if(door->flag_psh != DONT_CARE) { - if(door->flag_psh == SET && tcp->psh != 1) {dprint("packet is not PSH, ignoring...\n");continue;} - if(door->flag_psh == NOT_SET && tcp->psh == 1) {dprint("packet is not !PSH, ignoring...\n");continue;} + if(door->flag_psh == SET && !(tcp->th_flags & TH_PUSH)) {dprint("packet is not PSH, ignoring...\n");continue;} + if(door->flag_psh == NOT_SET && (tcp->th_flags & TH_PUSH)) {dprint("packet is not !PSH, ignoring...\n");continue;} } if(door->flag_ack != DONT_CARE) { - if(door->flag_ack == SET && tcp->ack != 1) {dprint("packet is not ACK, ignoring...\n");continue;} - if(door->flag_ack == NOT_SET && tcp->ack == 1) {dprint("packet is not !ACK, ignoring...\n");continue;} + if(door->flag_ack == SET && !(tcp->th_flags & TH_ACK)) {dprint("packet is not ACK, ignoring...\n");continue;} + if(door->flag_ack == NOT_SET && (tcp->th_flags & TH_ACK)) {dprint("packet is not !ACK, ignoring...\n");continue;} } if(door->flag_urg != DONT_CARE) { - if(door->flag_urg == SET && tcp->urg != 1) {dprint("packet is not URG, ignoring...\n");continue;} - if(door->flag_urg == NOT_SET && tcp->urg == 1) {dprint("packet is not !URG, ignoring...\n");continue;} + if(door->flag_urg == SET && !(tcp->th_flags & TH_URG)) {dprint("packet is not URG, ignoring...\n");continue;} + if(door->flag_urg == NOT_SET && (tcp->th_flags & TH_URG)) {dprint("packet is not !URG, ignoring...\n");continue;} } } - if(ip->protocol == door->protocol[0] && dport == door->sequence[0]) { + if(ip->ip_p == door->protocol[0] && dport == door->sequence[0]) { struct hostent *he; /* create a new entry */ attempt = (knocker_t*)malloc(sizeof(knocker_t)); @@@@ -1490,7 +1492,7 @@@@ void sniff(u_char* arg, const struct pca strcpy(attempt->src, srcIP); /* try a reverse lookup if enabled */ if (o_lookup) { - inaddr.s_addr = ip->saddr; + inaddr.s_addr = ip->ip_src.s_addr; he = gethostbyaddr((void *)&inaddr, sizeof(inaddr), AF_INET); if(he) { attempt->srchost = strdup(he->h_name); @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ @ 1.1.1.1 log @knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open - since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. @ text @@