authorbrian <brian@FreeBSD.org>2000-08-28 23:24:52 +0000
committerbrian <brian@FreeBSD.org>2000-08-28 23:24:52 +0000
commitf1f515c99757cd2ae37daa5646d00d260b60e939 (patch)
treebab0ee9692b81917bebfd42baf98ea1fe92ee1d1 /usr.sbin/ppp
parentcd4f482f28b1222c4d52199528d136dfd2f128f2 (diff)
Add LogFILTER logging to log packets allowed by the dial filter and
dropped by any filter. Submitted by: Mark Hannon <markhannon@one.net.au> with some small tweaks by me.
Diffstat (limited to 'usr.sbin/ppp')
-rw-r--r--usr.sbin/ppp/ip.c73
-rw-r--r--usr.sbin/ppp/log.c1
-rw-r--r--usr.sbin/ppp/log.h33
-rw-r--r--usr.sbin/ppp/ppp.82
-rw-r--r--usr.sbin/ppp/ppp.8.m42
5 files changed, 83 insertions, 28 deletions
diff --git a/usr.sbin/ppp/ip.c b/usr.sbin/ppp/ip.c
index ca87cc9..0a90bac 100644
--- a/usr.sbin/ppp/ip.c
+++ b/usr.sbin/ppp/ip.c
@@ -169,7 +169,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
int didname; /* true if filter header printed */
int match; /* true if condition matched */
const struct filterent *fp = filter->rule;
- char dbuff[100];
+ char dbuff[100], dstip[16];
if (fp->f_action == A_NONE)
return 0; /* No rule is given. Permit this packet */
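Review bot: `char dbuff[100], dstip[16];` on the changed declaration line sizes the dotted-quad buffer with a bare 16, which is exactly the length of "255.255.255.255" plus the NUL but says nothing about why; `INET_ADDRSTRLEN` from <netinet/in.h> is the same value and documents the intent, `char dbuff[100], dstip[INET_ADDRSTRLEN];`. Whether ip.c already pulls in that header is outside the hunk, so check the include list before switching. FilterCheck's signature and the rest of its body lie outside this hunk.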
@@ -184,10 +184,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
*/
len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
if (len > 0) { /* Not first fragment within datagram */
- if (len < (24 >> 3)) /* don't allow fragment to over-write header */
+ if (len < (24 >> 3)) { /* don't allow fragment to over-write header */
+ log_Printf(LogFILTER, " error: illegal header\n");
return 1;
+ }
/* permit fragments on in and out filter */
- return !filter->fragok;
+ if (!filter->fragok) {
+ log_Printf(LogFILTER, " error: illegal fragmentation\n");
+ return 1;
+ } else
+ return 0;
}
cproto = gotinfo = estab = syn = finrst = didname = 0;
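Review bot: The two new `log_Printf(LogFILTER, " error: ...")` calls at the fragment checks are issued without the `log_IsKept(LogFILTER)` guard that the accept/deny messages in the last hunk of this file use, and the same holds for the length-check messages added in the ICMP, IGMP/GRE, OSPF, UDP, TCP and default-case hunks below. If log_Printf does not itself discard messages for levels that are not kept (not visible here), every malformed packet arriving on the link then costs a formatted log write whatever the configured log mask, which is a cost an attacker controls the rate of. If log_Printf does filter internally, a one-line comment at the first call saying so would spare the next reader the same question. Separately, the new `} else` / `return 0;` after a braced if reads inconsistently with the rest of the change; `} else {` / `return 0;` / `}` matches the bracing used elsewhere in the hunk.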
@@ -221,8 +227,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
switch (pip->ip_p) {
case IPPROTO_ICMP:
cproto = P_ICMP;
- if (datalen < 8) /* ICMP must be at least 8 octets */
+ if (datalen < 8) { /* ICMP must be at least 8 octets */
+ log_Printf(LogFILTER, " error: ICMP must be at least 8 octets\n");
return 1;
+ }
+
ih = (const struct icmp *) ptop;
sport = ih->icmp_type;
estab = syn = finrst = -1;
@@ -231,16 +240,20 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
break;
case IPPROTO_IGMP:
cproto = P_IGMP;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
#ifdef IPPROTO_GRE
case IPPROTO_GRE:
cproto = P_GRE;
- if (datalen < 2) /* GRE uses 2-octet+ messages */
+ if (datalen < 2) { /* GRE uses 2-octet+ messages */
+ log_Printf(LogFILTER, " error: GRE must be at least 2 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
@@ -248,8 +261,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
#ifdef IPPROTO_OSPFIGP
case IPPROTO_OSPFIGP:
cproto = P_OSPF;
- if (datalen < 8) /* IGMP uses 8-octet messages */
+ if (datalen < 8) { /* IGMP uses 8-octet messages */
+ log_Printf(LogFILTER, " error: IGMP must be at least 8 octets\n");
return 1;
+ }
estab = syn = finrst = -1;
sport = ntohs(0);
break;
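Review bot: The new log message in the IPPROTO_OSPFIGP case reports `" error: IGMP must be at least 8 octets\n"`, copied from the IGMP case above, so a short OSPF packet is logged as an IGMP problem; it should read `log_Printf(LogFILTER, " error: OSPF must be at least 8 octets\n");`. The `/* IGMP uses 8-octet messages */` comment on the changed `if` line carries the same copy-paste and should name OSPF as well. The enclosing switch and FilterCheck itself continue outside the hunk.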
@@ -257,8 +272,11 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
case IPPROTO_UDP:
case IPPROTO_IPIP:
cproto = P_UDP;
- if (datalen < 8) /* UDP header is 8 octets */
+ if (datalen < 8) { /* UDP header is 8 octets */
+ log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n");
return 1;
+ }
+
uh = (const struct udphdr *) ptop;
sport = ntohs(uh->uh_sport);
dport = ntohs(uh->uh_dport);
@@ -274,8 +292,10 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
* ensures that the TCP header length isn't de-referenced if
* the datagram is too short
*/
- if (datalen < 20 || datalen < (th->th_off << 2))
+ if (datalen < 20 || datalen < (th->th_off << 2)) {
+ log_Printf(LogFILTER, " error: TCP header incorrect\n");
return 1;
+ }
sport = ntohs(th->th_sport);
dport = ntohs(th->th_dport);
estab = (th->th_flags & TH_ACK);
@@ -291,6 +311,7 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
}
break;
default:
+ log_Printf(LogFILTER, " error: unknown protocol\n");
return 1; /* We'll block unknown type of packet */
}
@@ -350,18 +371,46 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
/* Take specified action */
if (fp->f_action < A_NONE)
fp = &filter->rule[n = fp->f_action];
- else
+ else {
if (fp->f_action == A_PERMIT) {
if (psecs != NULL)
*psecs = fp->timeout;
+ if (strcmp(filter->name, "DIAL") == 0) {
+ /* If dial filter then even print out accept packets */
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER, "%sbound rule = %d accept %s "
+ "src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ }
return 0;
- } else
- return 1;
+ } else {
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = %d deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, n, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+ return 1;
+ } /* Explict math. Deny this packet */
+ }
} else {
n++;
fp++;
}
}
+
+ if (log_IsKept(LogFILTER)) {
+ snprintf(dstip, sizeof dstip, "%s", inet_ntoa(pip->ip_dst));
+ log_Printf(LogFILTER,
+ "%sbound rule = implicit deny %s src = %s/%d dst = %s/%d\n",
+ filter->name, filter_Proto2Nam(cproto),
+ inet_ntoa(pip->ip_src), sport, dstip, dport);
+ }
+
return 1; /* No rule is mached. Deny this packet */
}
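Review bot: The comment added on the closing brace of the deny branch, `} /* Explict math. Deny this packet */`, is misspelled and now sits after the block it describes rather than beside the `return 1;`; `} /* Explicit match. Deny this packet */` is what is meant. The three new logging blocks each copy `inet_ntoa(pip->ip_dst)` into `dstip` before calling `inet_ntoa(pip->ip_src)` in the same `log_Printf` argument list, which is correct because inet_ntoa() returns a pointer to a single static buffer, but nothing says so; a one-line comment above the first `snprintf`, `/* inet_ntoa() reuses one static buffer: copy dst before formatting src */`, would stop a later cleanup from merging the two calls. The accept, deny and implicit-deny blocks also repeat the same snprintf/log_Printf pair with only the verdict text differing, so a small static helper taking the verdict string would leave one copy to maintain. FilterCheck starts outside this hunk.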
diff --git a/usr.sbin/ppp/log.c b/usr.sbin/ppp/log.c
index 97ab853..1b32941 100644
--- a/usr.sbin/ppp/log.c
+++ b/usr.sbin/ppp/log.c
@@ -51,6 +51,7 @@ static const char * const LogNames[] = {
"Connect",
"Debug",
"DNS",
+ "Filter", /* Log discarded packets */
"HDLC",
"ID0",
"IPCP",
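Review bot: The comment on the new table entry, `"Filter", /* Log discarded packets */`, understates what the level does: the ip.c change in this commit and the new ppp.8 text both say it also logs packets permitted by the dial filter. A comment that matches the manual page, `"Filter", /* Log packets denied by any filter or permitted by the dial filter */`, keeps the table self-describing. The entry's position between "DNS" and "HDLC" agrees with LogFILTER (9) sitting between LogDNS (8) and LogHDLC (10) in log.h, which is the ordering this table presumably relies on.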
diff --git a/usr.sbin/ppp/log.h b/usr.sbin/ppp/log.h
index 35ccbbb..5093fc7 100644
--- a/usr.sbin/ppp/log.h
+++ b/usr.sbin/ppp/log.h
@@ -35,23 +35,24 @@
#define LogCONNECT (6)
#define LogDEBUG (7) /* syslog(LOG_DEBUG, ....) */
#define LogDNS (8)
-#define LogHDLC (9)
-#define LogID0 (10)
-#define LogIPCP (11)
-#define LogLCP (12)
-#define LogLQM (13)
-#define LogPHASE (14)
-#define LogPHYSICAL (15) /* syslog(LOG_INFO, ....) */
-#define LogSYNC (16) /* syslog(LOG_INFO, ....) */
-#define LogTCPIP (17)
-#define LogTIMER (18) /* syslog(LOG_DEBUG, ....) */
-#define LogTUN (19) /* If set, tun%d is output with each message */
-#define LogWARN (20) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
-#define LogERROR (21) /* syslog(LOG_ERR, ....), + sent to VarTerm */
-#define LogALERT (22) /* syslog(LOG_ALERT, ....) */
+#define LogFILTER (9)
+#define LogHDLC (10)
+#define LogID0 (11)
+#define LogIPCP (12)
+#define LogLCP (13)
+#define LogLQM (14)
+#define LogPHASE (15)
+#define LogPHYSICAL (16) /* syslog(LOG_INFO, ....) */
+#define LogSYNC (17) /* syslog(LOG_INFO, ....) */
+#define LogTCPIP (18)
+#define LogTIMER (19) /* syslog(LOG_DEBUG, ....) */
+#define LogTUN (20) /* If set, tun%d is output with each message */
+#define LogWARN (21) /* Sent to VarTerm else syslog(LOG_WARNING, ) */
+#define LogERROR (22) /* syslog(LOG_ERR, ....), + sent to VarTerm */
+#define LogALERT (23) /* syslog(LOG_ALERT, ....) */
-#define LogMAXCONF (19)
-#define LogMAX (22)
+#define LogMAXCONF (20)
+#define LogMAX (24)
struct mbuf;
struct cmdargs;
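Review bot: `#define LogMAX (24)` no longer equals the highest level value: before the change LogMAX (22) matched LogALERT (22), after it LogALERT is 23 but LogMAX is 24. If LogMAX is used as an inclusive upper bound when walking LogNames[] (the table log.c extends in this same commit), the extra value would index one entry past the end of that array; the users of LogMAX are outside this diff, so this is inferred from the macro's previous value. Keeping the invariant, `#define LogMAX (23)`, is the change I would expect. LogMAXCONF (20) still matches LogTUN as it did before.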
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8
index 935f988..78c0e1f 100644
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
Log debug information.
.It Li DNS
Log DNS QUERY packets.
+.It Li Filter
+Log packets permitted by the dial filter and denied by any filter.
.It Li HDLC
Dump HDLC packet in hex.
.It Li ID0
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 935f988..78c0e1f 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -2166,6 +2166,8 @@ Log Chat lines containing the string "CONNECT".
Log debug information.
.It Li DNS
Log DNS QUERY packets.
+.It Li Filter
+Log packets permitted by the dial filter and denied by any filter.
.It Li HDLC
Dump HDLC packet in hex.
.It Li ID0