From 3b8f8e656a90ecf6c3df7d58c4a81ecd13ff5a59 Mon Sep 17 00:00:00 2001
From: adam
Date: Sun, 16 Jul 2017 21:25:06 +0000
Subject: 0.7:
- Document the 'target' configuration directive.
- Merging OS-specific networking code to reduce LOCs and the sea of #ifdefs.
- Added 50ms timeout to pcap_open_live() to reduce CPU usage on network-heavy hosts. Pcap recommends we not use zero.
0.6:
- Cleanup: Don't null-check before free
- Cleanup: Consolidate flag-check logic
- Accept single-knock sequences
- Introduce a 'target' configuration directive, enabling knockd to react to connect attempts to a target host. Useful in cases where knockd is on a router and you want to send a target a wakeup packet.

---
 net/knock/Makefile | 10 +-
 net/knock/PLIST | 6 +-
 net/knock/distinfo | 12 +-
 net/knock/patches/patch-Makefile.in | 31 ----
 net/knock/patches/patch-src_knockd.c | 292 -----------------------------------
 5 files changed, 16 insertions(+), 335 deletions(-)
 delete mode 100644 net/knock/patches/patch-Makefile.in
 delete mode 100644 net/knock/patches/patch-src_knockd.c

diff --git a/net/knock/Makefile b/net/knock/Makefile
index 3f1002fff97..4a5939e230c 100644
--- a/net/knock/Makefile
+++ b/net/knock/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.7 2013/02/06 19:30:58 jperkin Exp $
+# $NetBSD: Makefile,v 1.8 2017/07/16 21:25:06 adam Exp $
 
-DISTNAME= knock-0.5
-PKGREVISION= 2
+DISTNAME= knock-0.7
 CATEGORIES= net
 MASTER_SITES= http://www.zeroflux.org/proj/knock/files/
 
@@ -13,7 +12,7 @@ LICENSE= gnu-gpl-v2
 USE_LANGUAGES= c
 USE_TOOLS+= gmake
 GNU_CONFIGURE= yes
-CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --sysconfdir=${EGDIR}
 
 BUILD_DEFS+= VARBASE
 
@@ -29,5 +28,8 @@ SUBST_FILES.paths= src/knockd.c
 SUBST_SED.paths= -e 's,"/etc,"${PKG_SYSCONFDIR},g'
 SUBST_SED.paths+= -e 's,"/var,"${VARBASE},g'
 
+post-install:
+ cd ${DESTDIR}${PREFIX}/${PKGMANDIR} && ${MV} man1/knockd.1 man8/knockd.8 || ${TRUE}
+
 .include "../../net/libpcap/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
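Review bot: The new `post-install` target at the end of the third Makefile hunk ends in `|| ${TRUE}`, so a failed `${MV}` (for instance when the manpage is not where the `cd` expects it, or the man8 directory does not exist yet) is silently ignored and only shows up later as a PLIST mismatch on `man/man8/knockd.8`, far from the cause. Since PLIST now depends on that move, consider letting it fail loudly, e.g. `${MV} ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/knockd.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man8/knockd.8`, or add a comment stating why the move is allowed to fail. In the second hunk, `--sysconfdir=${EGDIR}` makes the configure-time sysconfdir the examples directory; if knockd.c derives its default config path from that value rather than from a literal `"/etc` string (which the existing `SUBST_SED.paths` rewrite covers), the installed daemon would default to a config under share/examples, which is worth confirming against upstream's build files. Separately, the dropped local patch-src_knockd.c also made the SIGHUP handler close and reopen the log file on config reload; the commit message names the pcap timeout and networking merge as upstream 0.7 changes but not this one, so it may be worth verifying upstream kept it before the patch is removed, as otherwise log reopening on SIGHUP would regress.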
diff --git a/net/knock/PLIST b/net/knock/PLIST
index 6f567b46cb2..6a45b25feb5 100644
--- a/net/knock/PLIST
+++ b/net/knock/PLIST
@@ -1,6 +1,10 @@
-@comment $NetBSD: PLIST,v 1.2 2011/05/02 10:11:34 adam Exp $
+@comment $NetBSD: PLIST,v 1.3 2017/07/16 21:25:06 adam Exp $
 bin/knock
 man/man1/knock.1
 man/man8/knockd.8
 sbin/knockd
+share/doc/knock/COPYING
+share/doc/knock/ChangeLog
+share/doc/knock/README.md
+share/doc/knock/TODO
 share/examples/knock/knockd.conf
diff --git a/net/knock/distinfo b/net/knock/distinfo
index 6679f61c58d..d4faa20787d 100644
--- a/net/knock/distinfo
+++ b/net/knock/distinfo
@@ -1,9 +1,7 @@
-$NetBSD: distinfo,v 1.3 2015/11/04 00:35:07 agc Exp $
+$NetBSD: distinfo,v 1.4 2017/07/16 21:25:06 adam Exp $
 
-SHA1 (knock-0.5.tar.gz) = 26f3b2f2d698bc6978390ef6e93c628361605059
-RMD160 (knock-0.5.tar.gz) = 089ea289a51478a89945c46469b378c3b33fff6d
-SHA512 (knock-0.5.tar.gz) = c5f7f3320d4d9a41847dba0cda4d66852f983db419b23d3bf9c83d44a41ba437379bf6cee47a096c600841e321740849dac26d5c3afff9b3ae0178a2fcb6c35e
-Size (knock-0.5.tar.gz) = 83990 bytes
-SHA1 (patch-Makefile.in) = c42b1ec9ef1eb91402a078fd6a93938d197eebce
+SHA1 (knock-0.7.tar.gz) = 186a687c9db11733cf23a7423884a863873ebb27
+RMD160 (knock-0.7.tar.gz) = 09a85c7cc7e4eacf1b144a3cfe06737a0308759c
+SHA512 (knock-0.7.tar.gz) = eab5d855f7111d9411e84a56a15e8ea74f41c5bd9dee27ab49f0d8d509eeeb96a60c508928c92916dc0ec9b737c447ca8ca5ed4db6479b389549d60e76a85aa7
+Size (knock-0.7.tar.gz) = 110791 bytes
 SHA1 (patch-doc_knockd.1.in) = 88a7f4a1fd632c4928820858da71f7e39d3b1f43
-SHA1 (patch-src_knockd.c) = b8602ac54f6e05dabe6054907712a4269f87ee12
diff --git a/net/knock/patches/patch-Makefile.in b/net/knock/patches/patch-Makefile.in
deleted file mode 100644
index dac4ac2a92d..00000000000
--- a/net/knock/patches/patch-Makefile.in
+++ /dev/null
@@ -1,31 +0,0 @@
-$NetBSD: patch-Makefile.in,v 1.1 2011/05/02 10:11:34 adam Exp $
-
-Fix installation.
-
---- Makefile.in.orig 2010-11-30 10:30:02.000000000 +0000
-+++ Makefile.in
-@@ -28,6 +28,7 @@ VERSION = 0.5
- BINDIR = @bindir@
- SBINDIR = @sbindir@
- MANDIR = @mandir@
-+DATADIR = @datadir@
- 
- INSTALL = @INSTALL@
- INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
-@@ -68,11 +68,11 @@ dist: distclean
- (cd ..; tar czvf knock-$(VERSION).tar.gz knock-$(VERSION))
- 
- install: all
-- $(INSTALL) -D -m0755 knockd $(DESTDIR)$(SBINDIR)/knockd
-- $(INSTALL) -D -m0755 knock $(DESTDIR)$(BINDIR)/knock
-- $(INSTALL) -D -m0644 $(MANSRC)knockd.1 $(DESTDIR)$(MANDIR)/man1/knockd.1
-- $(INSTALL) -D -m0644 $(MANSRC)knock.1 $(DESTDIR)$(MANDIR)/man1/knock.1
-- $(INSTALL) -D -m0644 knockd.conf $(DESTDIR)/etc/knockd.conf
-+ ${BSD_INSTALL_PROGRAM} knockd $(DESTDIR)$(SBINDIR)/knockd
-+ ${BSD_INSTALL_PROGRAM} knock $(DESTDIR)$(BINDIR)/knock
-+ ${BSD_INSTALL_MAN} $(MANSRC)knockd.1 $(DESTDIR)$(MANDIR)/man8/knockd.8
-+ ${BSD_INSTALL_MAN} $(MANSRC)knock.1 $(DESTDIR)$(MANDIR)/man1/knock.1
-+ ${BSD_INSTALL_DATA} knockd.conf $(DESTDIR)$(DATADIR)/examples/knock/knockd.conf
- 
- clean:
- rm -f *~ $(OBJDIR)*.o $(MANSRC)*.1
diff --git a/net/knock/patches/patch-src_knockd.c b/net/knock/patches/patch-src_knockd.c
deleted file mode 100644
index ce5f2c3af6d..00000000000
--- a/net/knock/patches/patch-src_knockd.c
+++ /dev/null
@@ -1,292 +0,0 @@ -$NetBSD: patch-src_knockd.c,v 1.1 2011/05/02 10:11:34 adam Exp $ - -Use correct network structures. -Re-open log file on SIGHUP. - ---- src/knockd.c.orig 2005-06-27 05:11:34.000000000 +0000 -+++ src/knockd.c -@@ -28,18 +28,20 @@ - #include - #include - #include -+#include -+#include -+#include -+#include -+#include -+#include -+#include - #include -+#include - #include - #include - #include - #include - #include --#include --#include --#include --#include --#include --#include - #include - #include - #include -@@ -193,7 +195,7 @@ int main(int argc, char **argv) - } - } - -- cap = pcap_open_live(o_int, 65535, 0, 0, pcapErr); -+ cap = pcap_open_live(o_int, 65535, 0, 1000, pcapErr); - if(strlen(pcapErr)) { - fprintf(stderr, "could not open %s: %s\n", o_int, pcapErr); - } -@@ -371,7 +373,18 @@ void read_cfg(int signum) - } - list_free(doors); - -+ if(logfd) { -+ fclose(logfd); -+ logfd = NULL; -+ } - parseconfig(o_cfg); -+ if(strlen(o_logfile)) { -+ /* open the log file */ -+ logfd = fopen(o_logfile, "a"); -+ if(logfd == NULL) { -+ perror("warning: cannot open logfile"); -+ } -+ } - return; - } - -@@ -1161,8 +1174,8 @@ int exec_cmd(char* command, char* name){ - void sniff(u_char* arg, const struct pcap_pkthdr* hdr, const u_char* packet) - { - /* packet structs */ -- struct ethhdr* eth = NULL; -- struct iphdr* ip = NULL; -+ struct ether_header* eth = NULL; -+ struct ip* ip = NULL; - struct tcphdr* tcp = NULL; - struct udphdr* udp = NULL; - char proto[8]; -@@ -1179,23 +1192,23 @@ void sniff(u_char* arg, const struct pca - knocker_t *attempt = NULL; - - if(lltype == DLT_EN10MB) { -- eth = (struct ethhdr*)packet; -- if(ntohs(eth->h_proto) != ETH_P_IP) { -+ eth = (struct ether_header*)packet; -+ if(ntohs(eth->ether_type) != ETHERTYPE_IP) { - return; - } -- ip = (struct iphdr*)(packet + sizeof(struct ethhdr)); -+ ip = (struct ip*)(packet + sizeof(struct ether_header)); - } else if(lltype == DLT_LINUX_SLL) { -- ip = (struct iphdr*)((u_char*)packet + 16); -+ 
ip = (struct ip*)((u_char*)packet + 16); - } else if(lltype == DLT_RAW) { -- ip = (struct iphdr*)((u_char*)packet); -+ ip = (struct ip*)((u_char*)packet); - } - -- if(ip->version != 4) { -+ if(ip->ip_v != 4) { - /* no IPv6 yet */ - dprint("packet is not IPv4, ignoring...\n"); - return; - } -- if(ip->protocol == IPPROTO_ICMP) { -+ if(ip->ip_p == IPPROTO_ICMP) { - /* we don't do ICMP */ - return; - } -@@ -1207,23 +1220,23 @@ void sniff(u_char* arg, const struct pca - fprintf(stderr, "error: could not understand IP address: %s\n", myip); - return; - } -- if(ip->daddr != inaddr.s_addr) { -+ if(ip->ip_dst.s_addr != inaddr.s_addr) { - dprint("packet destined for another host, ignoring...\n"); - return; - } - - sport = dport = 0; -- if(ip->protocol == IPPROTO_TCP) { -+ if(ip->ip_p == IPPROTO_TCP) { - strncpy(proto, "tcp", sizeof(proto)); -- tcp = (struct tcphdr*)((u_char*)ip + (ip->ihl * 4)); -- sport = ntohs(tcp->source); -- dport = ntohs(tcp->dest); -+ tcp = (struct tcphdr*)((u_char*)ip + (ip->ip_hl * 4)); -+ sport = ntohs(tcp->th_sport); -+ dport = ntohs(tcp->th_dport); - } -- if(ip->protocol == IPPROTO_UDP) { -+ if(ip->ip_p == IPPROTO_UDP) { - strncpy(proto, "udp", sizeof(proto)); -- udp = (struct udphdr*)((u_char*)ip + (ip->ihl * 4)); -- sport = ntohs(udp->source); -- dport = ntohs(udp->dest); -+ udp = (struct udphdr*)((u_char*)ip + (ip->ip_hl * 4)); -+ sport = ntohs(udp->uh_sport); -+ dport = ntohs(udp->uh_dport); - } - - /* get the date/time */ -@@ -1234,10 +1247,10 @@ void sniff(u_char* arg, const struct pca - pkt_tm->tm_sec); - - /* convert IPs from binary to string */ -- inaddr.s_addr = ip->saddr; -+ inaddr.s_addr = ip->ip_src.s_addr; - strncpy(srcIP, inet_ntoa(inaddr), sizeof(srcIP)-1); - srcIP[sizeof(srcIP)-1] = '\0'; -- inaddr.s_addr = ip->daddr; -+ inaddr.s_addr = ip->ip_dst.s_addr; - strncpy(dstIP, inet_ntoa(inaddr), sizeof(dstIP)-1); - dstIP[sizeof(dstIP)-1] = '\0'; - -@@ -1297,69 +1310,69 @@ void sniff(u_char* arg, const struct pca - /* if tcp, check the 
flags to ignore the packets we don't want - * (don't even use it to cancel sequences) - */ -- if(ip->protocol == IPPROTO_TCP) { -+ if(ip->ip_p == IPPROTO_TCP) { - if(attempt->door->flag_fin != DONT_CARE) { -- if(attempt->door->flag_fin == SET && tcp->fin != 1) { -+ if(attempt->door->flag_fin == SET && !(tcp->th_flags & TH_FIN)) { - dprint("packet is not FIN, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_fin == NOT_SET && tcp->fin == 1) { -+ if(attempt->door->flag_fin == NOT_SET && (tcp->th_flags & TH_FIN)) { - dprint("packet is not !FIN, ignoring...\n"); - flagsmatch = 0; - } - } - if(attempt->door->flag_syn != DONT_CARE) { -- if(attempt->door->flag_syn == SET && tcp->syn != 1) { -+ if(attempt->door->flag_syn == SET && !(tcp->th_flags & TH_SYN)) { - dprint("packet is not SYN, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_syn == NOT_SET && tcp->syn == 1) { -+ if(attempt->door->flag_syn == NOT_SET && (tcp->th_flags & TH_SYN)) { - dprint("packet is not !SYN, ignoring...\n"); - flagsmatch = 0; - } - } - if(attempt->door->flag_rst != DONT_CARE) { -- if(attempt->door->flag_rst == SET && tcp->rst != 1) { -+ if(attempt->door->flag_rst == SET && !(tcp->th_flags & TH_RST)) { - dprint("packet is not RST, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_rst == NOT_SET && tcp->rst == 1) { -+ if(attempt->door->flag_rst == NOT_SET && (tcp->th_flags & TH_RST)) { - dprint("packet is not !RST, ignoring...\n"); - flagsmatch = 0; - } - } - if(attempt->door->flag_psh != DONT_CARE) { -- if(attempt->door->flag_psh == SET && tcp->psh != 1) { -+ if(attempt->door->flag_psh == SET && !(tcp->th_flags & TH_PUSH)) { - dprint("packet is not PSH, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_psh == NOT_SET && tcp->psh == 1) { -+ if(attempt->door->flag_psh == NOT_SET && (tcp->th_flags & TH_PUSH)) { - dprint("packet is not !PSH, ignoring...\n"); - flagsmatch = 0; - } - } - if(attempt->door->flag_ack != DONT_CARE) { -- 
if(attempt->door->flag_ack == SET && tcp->ack != 1) { -+ if(attempt->door->flag_ack == SET && !(tcp->th_flags & TH_ACK)) { - dprint("packet is not ACK, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_ack == NOT_SET && tcp->ack == 1) { -+ if(attempt->door->flag_ack == NOT_SET && (tcp->th_flags & TH_ACK)) { - dprint("packet is not !ACK, ignoring...\n"); - flagsmatch = 0; - } - } - if(attempt->door->flag_urg != DONT_CARE) { -- if(attempt->door->flag_urg == SET && tcp->urg != 1) { -+ if(attempt->door->flag_urg == SET && !(tcp->th_flags & TH_URG)) { - dprint("packet is not URG, ignoring...\n"); - flagsmatch = 0; - } -- if(attempt->door->flag_urg == NOT_SET && tcp->urg == 1) { -+ if(attempt->door->flag_urg == NOT_SET && (tcp->th_flags & TH_URG)) { - dprint("packet is not !URG, ignoring...\n"); - flagsmatch = 0; - } - } - } -- if(flagsmatch && ip->protocol == attempt->door->protocol[attempt->stage] && -+ if(flagsmatch && ip->ip_p == attempt->door->protocol[attempt->stage] && - dport == attempt->door->sequence[attempt->stage]) { - /* level up! 
*/ - attempt->stage++; -@@ -1451,34 +1464,34 @@ void sniff(u_char* arg, const struct pca - for(lp = doors; lp; lp = lp->next) { - opendoor_t *door = (opendoor_t*)lp->data; - /* if we're working with TCP, try to match the flags */ -- if(ip->protocol == IPPROTO_TCP){ -+ if(ip->ip_p == IPPROTO_TCP){ - if(door->flag_fin != DONT_CARE) { -- if(door->flag_fin == SET && tcp->fin != 1) {dprint("packet is not FIN, ignoring...\n");continue;} -- if(door->flag_fin == NOT_SET && tcp->fin == 1) {dprint("packet is not !FIN, ignoring...\n");continue;} -+ if(door->flag_fin == SET && !(tcp->th_flags & TH_FIN)) {dprint("packet is not FIN, ignoring...\n");continue;} -+ if(door->flag_fin == NOT_SET && (tcp->th_flags & TH_FIN)) {dprint("packet is not !FIN, ignoring...\n");continue;} - } - if(door->flag_syn != DONT_CARE) { -- if(door->flag_syn == SET && tcp->syn != 1) {dprint("packet is not SYN, ignoring...\n");continue;} -- if(door->flag_syn == NOT_SET && tcp->syn == 1) {dprint("packet is not !SYN, ignoring...\n");continue;} -+ if(door->flag_syn == SET && !(tcp->th_flags & TH_SYN)) {dprint("packet is not SYN, ignoring...\n");continue;} -+ if(door->flag_syn == NOT_SET && (tcp->th_flags & TH_SYN)) {dprint("packet is not !SYN, ignoring...\n");continue;} - } - if(door->flag_rst != DONT_CARE) { -- if(door->flag_rst == SET && tcp->rst != 1) {dprint("packet is not RST, ignoring...\n");continue;} -- if(door->flag_rst == NOT_SET && tcp->rst == 1) {dprint("packet is not !RST, ignoring...\n");continue;} -+ if(door->flag_rst == SET && !(tcp->th_flags & TH_RST)) {dprint("packet is not RST, ignoring...\n");continue;} -+ if(door->flag_rst == NOT_SET && (tcp->th_flags & TH_RST)) {dprint("packet is not !RST, ignoring...\n");continue;} - } - if(door->flag_psh != DONT_CARE) { -- if(door->flag_psh == SET && tcp->psh != 1) {dprint("packet is not PSH, ignoring...\n");continue;} -- if(door->flag_psh == NOT_SET && tcp->psh == 1) {dprint("packet is not !PSH, ignoring...\n");continue;} -+ if(door->flag_psh == SET 
&& !(tcp->th_flags & TH_PUSH)) {dprint("packet is not PSH, ignoring...\n");continue;} -+ if(door->flag_psh == NOT_SET && (tcp->th_flags & TH_PUSH)) {dprint("packet is not !PSH, ignoring...\n");continue;} - } - if(door->flag_ack != DONT_CARE) { -- if(door->flag_ack == SET && tcp->ack != 1) {dprint("packet is not ACK, ignoring...\n");continue;} -- if(door->flag_ack == NOT_SET && tcp->ack == 1) {dprint("packet is not !ACK, ignoring...\n");continue;} -+ if(door->flag_ack == SET && !(tcp->th_flags & TH_ACK)) {dprint("packet is not ACK, ignoring...\n");continue;} -+ if(door->flag_ack == NOT_SET && (tcp->th_flags & TH_ACK)) {dprint("packet is not !ACK, ignoring...\n");continue;} - } - if(door->flag_urg != DONT_CARE) { -- if(door->flag_urg == SET && tcp->urg != 1) {dprint("packet is not URG, ignoring...\n");continue;} -- if(door->flag_urg == NOT_SET && tcp->urg == 1) {dprint("packet is not !URG, ignoring...\n");continue;} -+ if(door->flag_urg == SET && !(tcp->th_flags & TH_URG)) {dprint("packet is not URG, ignoring...\n");continue;} -+ if(door->flag_urg == NOT_SET && (tcp->th_flags & TH_URG)) {dprint("packet is not !URG, ignoring...\n");continue;} - } - } - -- if(ip->protocol == door->protocol[0] && dport == door->sequence[0]) { -+ if(ip->ip_p == door->protocol[0] && dport == door->sequence[0]) { - struct hostent *he; - /* create a new entry */ - attempt = (knocker_t*)malloc(sizeof(knocker_t)); -@@ -1490,7 +1503,7 @@ void sniff(u_char* arg, const struct pca - strcpy(attempt->src, srcIP); - /* try a reverse lookup if enabled */ - if (o_lookup) { -- inaddr.s_addr = ip->saddr; -+ inaddr.s_addr = ip->ip_src.s_addr; - he = gethostbyaddr((void *)&inaddr, sizeof(inaddr), AF_INET); - if(he) { - attempt->srchost = strdup(he->h_name); -- cgit v1.2.3