Diffstat (limited to 'contrib/pf/pflogd')
-rw-r--r--contrib/pf/pflogd/pflogd.85
-rw-r--r--contrib/pf/pflogd/pflogd.c24
-rw-r--r--contrib/pf/pflogd/privsep.c18
-rw-r--r--contrib/pf/pflogd/privsep_fdpass.c6
4 files changed, 35 insertions, 18 deletions
diff --git a/contrib/pf/pflogd/pflogd.8 b/contrib/pf/pflogd/pflogd.8
index ac8fe78..d13b772 100644
--- a/contrib/pf/pflogd/pflogd.8
+++ b/contrib/pf/pflogd/pflogd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflogd.8,v 1.24 2004/01/16 10:45:49 jmc Exp $
+.\" $OpenBSD: pflogd.8,v 1.25 2005/01/02 18:15:02 jmc Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@@ -161,7 +161,8 @@ Interface name equals "kue0".
Rule number equals 10.
.It reason match
Reason equals match.
-Also accepts "bad-offset", "fragment", "short", "normalize" and "memory".
+Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
+"normalize" and "memory".
.It action pass
Action equals pass.
Also accepts "block".
diff --git a/contrib/pf/pflogd/pflogd.c b/contrib/pf/pflogd/pflogd.c
index 7e19ae6..cc474e3 100644
--- a/contrib/pf/pflogd/pflogd.c
+++ b/contrib/pf/pflogd/pflogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pflogd.c,v 1.27 2004/02/13 19:01:57 otto Exp $ */
+/* $OpenBSD: pflogd.c,v 1.33 2005/02/09 12:09:30 henning Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@@ -255,16 +255,19 @@ reset_dump(void)
fp = fdopen(fd, "a+");
if (fp == NULL) {
+ close(fd);
logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
return (1);
}
if (fstat(fileno(fp), &st) == -1) {
+ fclose(fp);
logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
return (1);
}
/* set FILE unbuffered, we do our own buffering */
if (setvbuf(fp, NULL, _IONBF, 0)) {
+ fclose(fp);
logmsg(LOG_ERR, "Failed to set output buffers");
return (1);
}
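Review bot: In the two failure branches that log `strerror(errno)`, the added `close(fd)` and `fclose(fp)` run before the message is built, so a failing close can overwrite the errno left by fdopen() or fstat() and the log would then name the wrong error. Either call logmsg() first and close afterwards, or save the value the way the privsep.c part of this commit does: `int olderrno = errno; fclose(fp);` followed by `strerror(olderrno)`. reset_dump starts and ends outside this hunk.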
@@ -275,6 +278,7 @@ reset_dump(void)
if (snaplen != cur_snaplen) {
logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
if (set_snaplen(snaplen)) {
+ fclose(fp);
logmsg(LOG_WARNING,
"Failed, using old settings");
}
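Review bot: The added `fclose(fp)` in the `set_snaplen()` failure branch is not followed by a `return`, unlike the three error paths earlier in reset_dump, and the warning text says the function carries on with the old settings. If the code after this hunk still writes to or stores `fp` (not visible here), that is a use of a closed stream. Since the failure is treated as non-fatal, the simplest fix is to drop the `fclose(fp);` from this branch. If the failure should be fatal, add `return (1);` after the logmsg() call instead.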
@@ -386,8 +390,9 @@ dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
}
if (fwrite((char *)h, sizeof(*h), 1, f) != 1) {
- /* try to undo header to prevent corruption */
off_t pos = ftello(f);
+
+ /* try to undo header to prevent corruption */
if (pos < sizeof(*h) ||
ftruncate(fileno(f), pos - sizeof(*h))) {
logmsg(LOG_ERR, "Write failed, corrupted logfile!");
@@ -485,7 +490,7 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
- append:
+ append:
memcpy(bufpos, h, sizeof(*h));
memcpy(bufpos + sizeof(*h), sp, h->caplen);
@@ -502,6 +507,7 @@ main(int argc, char **argv)
struct pcap_stat pstat;
int ch, np, Xflag = 0;
pcap_handler phandler = dump_packet;
+ const char *errstr = NULL;
closefrom(STDERR_FILENO + 1);
@@ -511,18 +517,19 @@ main(int argc, char **argv)
Debug = 1;
break;
case 'd':
- delay = atoi(optarg);
- if (delay < 5 || delay > 60*60)
+ delay = strtonum(optarg, 5, 60*60, &errstr);
+ if (errstr)
usage();
break;
case 'f':
filename = optarg;
break;
case 's':
- snaplen = atoi(optarg);
+ snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
+ &errstr);
if (snaplen <= 0)
snaplen = DEF_SNAPLEN;
- if (snaplen > PFLOGD_MAXSNAPLEN)
+ if (errstr)
snaplen = PFLOGD_MAXSNAPLEN;
break;
case 'x':
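Review bot: In the `-s` case the `errstr` check sets `snaplen = PFLOGD_MAXSNAPLEN` for every strtonum() failure, so a non-numeric or negative argument now silently selects the maximum snaplen, where the old atoi() code fell back to DEF_SNAPLEN. strtonum() returns 0 on error, so the `snaplen <= 0` test fires first and its result is then overridden. Handling the error as the `-d` case does would be clearer and would reject bad input: `if (errstr) usage();` placed before the `snaplen <= 0` fallback. main's body continues outside the hunk.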
@@ -547,6 +554,7 @@ main(int argc, char **argv)
pidfile(NULL);
}
+ tzset();
(void)umask(S_IRWXG | S_IRWXO);
/* filter will be used by the privileged process */
@@ -599,7 +607,7 @@ main(int argc, char **argv)
while (1) {
np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
- dump_packet, (u_char *)dpcap);
+ phandler, (u_char *)dpcap);
if (np < 0)
logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
diff --git a/contrib/pf/pflogd/privsep.c b/contrib/pf/pflogd/privsep.c
index 50807ad..33d6b9c 100644
--- a/contrib/pf/pflogd/privsep.c
+++ b/contrib/pf/pflogd/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.8 2004/03/14 19:17:05 otto Exp $ */
+/* $OpenBSD: privsep.c,v 1.13 2004/12/22 09:21:02 otto Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -67,7 +67,7 @@ int
priv_init(void)
{
int i, fd, socks[2], cmd;
- int snaplen, ret;
+ int snaplen, ret, olderrno;
struct passwd *pw;
for (i = 1; i < _NSIG; i++)
@@ -112,10 +112,12 @@ priv_init(void)
}
/* Father */
- /* Pass ALRM/TERM/HUP through to child, and accept CHLD */
+ /* Pass ALRM/TERM/HUP/INT/QUIT through to child, and accept CHLD */
signal(SIGALRM, sig_pass_to_chld);
signal(SIGTERM, sig_pass_to_chld);
signal(SIGHUP, sig_pass_to_chld);
+ signal(SIGINT, sig_pass_to_chld);
+ signal(SIGQUIT, sig_pass_to_chld);
signal(SIGCHLD, sig_chld);
setproctitle("[priv]");
@@ -147,12 +149,14 @@ priv_init(void)
fd = open(filename,
O_RDWR|O_CREAT|O_APPEND|O_NONBLOCK|O_NOFOLLOW,
0600);
+ olderrno = errno;
+ send_fd(socks[0], fd);
if (fd < 0)
logmsg(LOG_NOTICE,
"[priv]: failed to open %s: %s",
- filename, strerror(errno));
- send_fd(socks[0], fd);
- close(fd);
+ filename, strerror(olderrno));
+ else
+ close(fd);
break;
default:
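Review bot: The reordering around `send_fd(socks[0], fd)` has no comment saying why the reply is now sent before the failure check and why errno is copied to `olderrno` first, so a later cleanup could easily swap the lines back. A comment above `olderrno = errno;` would record the intent, for example `/* reply first: the child is waiting even when open() failed, and send_fd() may change errno */`. That wording assumes send_fd() can modify errno, and its body is not part of this diff, so confirm before adding it.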
@@ -211,7 +215,7 @@ priv_open_log(void)
int cmd, fd;
if (priv_fd < 0)
- errx(1, "%s: called from privileged portion\n", __func__);
+ errx(1, "%s: called from privileged portion", __func__);
cmd = PRIV_OPEN_LOG;
must_write(priv_fd, &cmd, sizeof(int));
diff --git a/contrib/pf/pflogd/privsep_fdpass.c b/contrib/pf/pflogd/privsep_fdpass.c
index 166b693..50afdfc 100644
--- a/contrib/pf/pflogd/privsep_fdpass.c
+++ b/contrib/pf/pflogd/privsep_fdpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep_fdpass.c,v 1.1 2003/10/22 18:51:55 canacar Exp $ */
+/* $OpenBSD: privsep_fdpass.c,v 1.2 2004/08/13 02:51:48 djm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -108,6 +108,10 @@ receive_fd(int sock)
__func__, (long)n);
if (result == 0) {
cmsg = CMSG_FIRSTHDR(&msg);
+ if (cmsg == NULL) {
+ warnx("%s: no message header", __func__);
+ return -1;
+ }
if (cmsg->cmsg_type != SCM_RIGHTS)
warnx("%s: expected type %d got %d", __func__,
SCM_RIGHTS, cmsg->cmsg_type);
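Review bot: The new NULL check returns -1, but the `cmsg->cmsg_type != SCM_RIGHTS` test right after it still only warns and falls through. If the code after this hunk reads the descriptor out of the control data (not visible here), a message of the wrong type would be interpreted as a file descriptor. Returning on the mismatch keeps the two checks consistent: add `return -1;` after the `warnx(...)` call, with braces around the pair. receive_fd starts and ends outside this hunk.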