From: Greg P. <gr...@n0...> - 2015-05-27 02:20:14
Hi Kevin,
I gave it a shot, but it failed to build. I did make a minor modification
to the diff: the file paths had a/ and b/ prefixes, so I removed those.
The output from the make:
===> License BSD2CLAUSE accepted by the user
===> sshguard-ipfw-1.6.0_1 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by sshguard-ipfw-1.6.0_1 for building
===> Extracting for sshguard-ipfw-1.6.0_1
=> SHA256 Checksum OK for sshguard-1.6.0.tar.xz.
===> Patching for sshguard-ipfw-1.6.0_1
===> Applying FreeBSD patches for sshguard-ipfw-1.6.0_1
===> sshguard-ipfw-1.6.0_1 depends on executable: autoconf-2.69 - found
===> sshguard-ipfw-1.6.0_1 depends on executable: autoheader-2.69 - found
===> sshguard-ipfw-1.6.0_1 depends on executable: autoreconf-2.69 - found
===> sshguard-ipfw-1.6.0_1 depends on executable: aclocal-1.15 - found
===> sshguard-ipfw-1.6.0_1 depends on executable: automake-1.15 - found
===> Configuring for sshguard-ipfw-1.6.0_1
configure: loading site script /usr/ports/Templates/config.site
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... (cached) /bin/mkdir -p
checking for gawk... (cached) /usr/bin/awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for ipfw... /sbin
checking for ip6fw... no
configure: ip6fw program not found. Assuming ipfw supports IPv6 rules on its own.
## -------------- ##
## Program Checks ##
## -------------- ##
checking for gawk... (cached) /usr/bin/awk
checking for gcc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking whether cc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of cc... gcc3
checking for cc option to accept ISO C99... none needed
checking for grep that handles long lines and -e... (cached) /usr/bin/grep
checking for egrep... (cached) /usr/bin/egrep
checking for ranlib... ranlib
checking for bison... bison -y
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
## -------------- ##
## Library Checks ##
## -------------- ##
checking for pthread_create in -lpthread... yes
checking how to run the C preprocessor... cpp
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... (cached) yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for memory.h... (cached) yes
checking for strings.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking for unistd.h... (cached) yes
checking for arpa/inet.h... (cached) yes
checking for malloc.h... (cached) no
checking for netdb.h... (cached) yes
checking for netinet/in.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for sys/socket.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for getopt.h... (cached) yes
checking for off_t... (cached) yes
checking for pid_t... (cached) yes
checking for size_t... (cached) yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for C/C++ restrict keyword... __restrict
checking build system type... amd64-portbld-freebsd10.1
checking whether __SUNPRO_C is declared... no
## ----------------- ##
## Library Functions ##
## ----------------- ##
checking for vfork.h... (cached) no
checking for fork... (cached) yes
checking for vfork... (cached) yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... (cached) yes
checking for gethostbyname... (cached) yes
checking for inet_ntoa... (cached) yes
checking for strerror... (cached) yes
checking for strstr... yes
checking for strtol... (cached) yes
checking for library containing socket... none required
checking for library containing gethostbyname... none required
configure: Using /sbin as location for ipfw
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating man/Makefile
config.status: creating src/Makefile
config.status: creating src/parser/Makefile
config.status: creating src/fwalls/Makefile
config.status: creating src/config.h
config.status: executing depfiles commands
===> Building for sshguard-ipfw-1.6.0_1
Making all in src
/usr/bin/make all-recursive
Making all in parser
/usr/bin/make all-am
LEX attack_scanner.c
CC attack_parser.o
CC attack_scanner.o
attack_scanner.c:27857:16: warning: function 'input' is not needed and will not be emitted [-Wunneeded-internal-declaration]
static int input (void)
^
1 warning generated.
AR libparser.a
Making all in fwalls
CC ipfw.o
ipfw.c:51:15: error: use of undeclared identifier 'ADDRLEN'
char addr[ADDRLEN];
^
ipfw.c:109:5: warning: implicitly declaring library function 'strlcpy' with type 'unsigned long (char *, const char *, unsigned long)'
strlcpy(addendum.addr, addr, sizeof(addendum.addr));
^
ipfw.c:109:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcpy'
ipfw.c:171:14: error: use of undeclared identifier 'ADDRKIND_IPv4'
case ADDRKIND_IPv4:
^
ipfw.c:175:14: error: use of undeclared identifier 'ADDRKIND_IPv6'
case ADDRKIND_IPv6:
^
ipfw.c:216:18: error: use of undeclared identifier 'ADDRKIND_IPv4'
case ADDRKIND_IPv4:
^
ipfw.c:219:18: error: use of undeclared identifier 'ADDRKIND_IPv6'
case ADDRKIND_IPv6:
^
ipfw.c:307:14: error: use of undeclared identifier 'ADDRKIND_IPv4'
case ADDRKIND_IPv4:
^
ipfw.c:313:14: error: use of undeclared identifier 'ADDRKIND_IPv6'
case ADDRKIND_IPv6:
^
ipfw.c:329:5: warning: implicitly declaring library function 'strlcat' with type 'unsigned long (char *, const char *, unsigned long)'
strlcat(args, " from ", sizeof(args));
^
ipfw.c:329:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcat'
2 warnings and 7 errors generated.
*** [ipfw.o] Error code 1
make[4]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src/fwalls
1 error
make[4]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src/fwalls
*** [all-recursive] Error code 1
make[3]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
1 error
make[3]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
*** [all] Error code 2
make[2]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
1 error
make[2]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
*** [all-recursive] Error code 1
make[1]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0
1 error
make[1]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1
Stop.
make: stopped in /usr/ports/security/sshguard-ipfw
Greg
Kevin Zheng said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi there,
>
> A patch that fixes blacklist loading when using the `ipfw` backend is
> available and attached here. It is mostly of interest to FreeBSD.
>
> This patch has not been committed because it relies on the
> non-portable functions `strlcpy` and `strlcat`. While I work on
> bringing these to SSHGuard, FreeBSD users can enjoy a working
> blacklist now.
>
> I've done rudimentary testing and this patch appears to work; before
> this hits the ports tree someone should really test it.
>
> Thanks,
> Kevin Zheng
>
> - --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJVZRxRAAoJEOrPD3bCLhCQN2MIAJOMmgslZPV5aYsYEnX1quC+
> IXMc6t/rpFDybZPKz4LC4YI+WcsQ+fykKQ3mFZfJ2HITqqyBorNUe8JKzR8p59tX
> sX5ePTq4Jld+LOFklKOSS3NSZauMi6zS8tcCpz5gVdQ0iBizDssW/f70ZTD927lB
> 44VgAdv8FrHXsPpgEgcrZCsNm3uK8j48eh3aAo3elThM4BAIhoMYobLZl1Jgnq59
> hjWVk49Z1njypiP2SYASXVdy5x8AINQDY4R8Wqa0/mNGfzFKT2y5HPw/70YbAm3M
> E1o/V9apCH3p1Trq/NshZwvP9sFxfV0oJtATRXUvJxuI0BDHIM5F+/w72TJCVU4=
> =SKWp
> -----END PGP SIGNATURE-----
> diff --git a/src/fwalls/ipfw.c b/src/fwalls/ipfw.c
> index 29045b0..9bee0ad 100644
> --- a/src/fwalls/ipfw.c
> +++ b/src/fwalls/ipfw.c
> @@ -20,6 +20,7 @@
>
> #include <assert.h>
> #include <errno.h>
> +#include <limits.h>
> #include <time.h>
> #include <time.h>
> #include <string.h>
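Review bot: The build log earlier in this thread reports strlcpy and strlcat as implicitly declared (ipfw.c:109 and :329) even though `#include <string.h>` is visible on the new side of this hunk, which suggests the BSD prototypes are being hidden by a feature-test macro in the port's build rather than by a missing include; adding `<limits.h>` here does not address that. Since the cover note already states the patch depends on the non-portable `strlcpy`/`strlcat`, a configure-detected fallback (a guarded prototype or compat implementation) would make the diff build regardless of which extensions `<string.h>` exposes. The undeclared `ADDRLEN`/`ADDRKIND_*` errors in the same log point at a header that is not part of this patch, so they cannot be judged from the hunks alone. The duplicated `#include <time.h>` in the context lines is harmless but worth dropping while this block is being touched.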
> @@ -37,8 +38,6 @@
>
> #define IPFWMOD_ADDRESS_BULK_REPRESENTATIVE "FF:FF:FF:FF:FF:FF:FF:FF"
>
> -#define MAXIPFWCMDLEN 90
> -
> #ifndef IPFW_RULERANGE_MIN
> #define IPFW_RULERANGE_MIN 55000
> #endif
> @@ -56,14 +55,14 @@ struct addr_ruleno_s {
> };
>
> static list_t addrrulenumbers;
> -static char command[MAXIPFWCMDLEN], args[MAXIPFWCMDLEN];
> +static char command[PATH_MAX], args[ARG_MAX];
>
> /* generate an IPFW rule ID for inserting a rule */
> static ipfw_rulenumber_t ipfwmod_getrulenumber(void);
> /* execute an IPFW command */
> -static int ipfwmod_runcommand(char *command, char *args);
> +static int ipfwmod_runcommand(const char *command, const char *args);
> /* build an IPFW rule for blocking a list of addresses, all of the given kind */
> -static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind, char *restrict command, char *restrict args);
> +static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind);
>
> static size_t ipfw_rule_meter(const void *el) { return sizeof(struct addr_ruleno_s); }
> static int ipfw_rule_comparator(const void *a, const void *b) {
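Review bot: `static char command[PATH_MAX], args[ARG_MAX];` sizes the argument buffer from ARG_MAX, which is the limit on the whole argv+envp of an exec rather than a bound on one string, and on glibc systems `<limits.h>` does not provide it as a compile-time constant (it is only available through sysconf), so this line is unlikely to compile outside the BSDs. A fixed, named size such as a larger `MAXIPFWCMDLEN` (the macro the previous hunk removes) keeps the buffers portable and avoids a static buffer of several hundred KiB on FreeBSD. Whatever size is chosen, the strlcat result check in ipfwmod_buildblockcommand already guards against overflow, so a modest constant is safe.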
> @@ -95,7 +94,7 @@ int fw_block(const char *restrict addr, int addrkind, int service) {
> ruleno = ipfwmod_getrulenumber();
> addresses[0] = addr;
> addresses[1] = NULL;
> - if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind, command, args) != FWALL_OK)
> + if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind) != FWALL_OK)
> return FWALL_ERR;
>
> /* run command */
> @@ -108,7 +107,7 @@ int fw_block(const char *restrict addr, int addrkind, int service) {
> sshguard_log(LOG_DEBUG, "Command exited %d.", ret);
>
> /* success, save rule number */
> - strcpy(addendum.addr, addr);
> + strlcpy(addendum.addr, addr, sizeof(addendum.addr));
> addendum.ruleno = ruleno;
> addendum.addrkind = addrkind;
>
> @@ -134,7 +133,7 @@ int fw_block_list(const char *restrict addresses[], int addrkind, const int serv
>
> ruleno = ipfwmod_getrulenumber();
> /* insert rules under this rule number (in chunks of max_addresses_per_rule) */
> - if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind, command, args) != FWALL_OK)
> + if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind) != FWALL_OK)
> return FWALL_ERR;
>
> /* run command */
> @@ -147,7 +146,7 @@ int fw_block_list(const char *restrict addresses[], int addrkind, const int serv
> sshguard_log(LOG_DEBUG, "Command exited %d.", ret);
>
> /* insert a placeholder for the bulk */
> - strcpy(addendum.addr, IPFWMOD_ADDRESS_BULK_REPRESENTATIVE);
> + strlcpy(addendum.addr, IPFWMOD_ADDRESS_BULK_REPRESENTATIVE, sizeof(addendum.addr));
> addendum.ruleno = ruleno;
> addendum.addrkind = addrkind;
> list_append(& addrrulenumbers, & addendum);
> @@ -161,7 +160,7 @@ int fw_release(const char *restrict addr, int addrkind, int service) {
> int pos, ret = 0;
>
> /* retrieve ID of rule blocking "addr" */
> - strcpy(data.addr, addr);
> + strlcpy(data.addr, addr, sizeof(data.addr));
> data.addrkind = addrkind;
> if ((pos = list_locate(& addrrulenumbers, &data)) < 0) {
> sshguard_log(LOG_ERR, "could not get back rule ID for address %s", addr);
> @@ -172,22 +171,22 @@ int fw_release(const char *restrict addr, int addrkind, int service) {
> switch (data.addrkind) {
> case ADDRKIND_IPv4:
> /* use ipfw */
> - sprintf(command, IPFW_PATH "/ipfw");
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> break;
> case ADDRKIND_IPv6:
> #ifdef FWALL_HAS_IP6FW
> /* use ip6fw if found */
> - sprintf(command, IPFW_PATH "/ip6fw");
> + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> #else
> /* use ipfw, assume it supports IPv6 rules as well */
> - sprintf(command, IPFW_PATH "/ipfw");
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> #endif
> break;
> default:
> return FWALL_UNSUPP;
> }
> /* build command arguments */
> - snprintf(args, MAXIPFWCMDLEN, "delete %u", data.ruleno);
> + snprintf(args, sizeof(args), "delete %u", data.ruleno);
>
> sshguard_log(LOG_DEBUG, "running: '%s %s'", command, args);
>
> @@ -216,19 +215,19 @@ int fw_flush(void) {
> data = (struct addr_ruleno_s *)list_iterator_next(& addrrulenumbers);
> switch (data->addrkind) {
> case ADDRKIND_IPv4:
> - snprintf(command, MAXIPFWCMDLEN, IPFW_PATH "/ipfw");
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> break;
> case ADDRKIND_IPv6:
> #ifdef FWALL_HAS_IP6FW
> /* use ip6fw if found */
> - sprintf(command, IPFW_PATH "/ip6fw");
> + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> #else
> /* use ipfw, assume it supports IPv6 rules as well */
> - sprintf(command, IPFW_PATH "/ipfw");
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> #endif
> break;
> }
> - sprintf(args, "delete %u", data->ruleno);
> + snprintf(args, sizeof(args), "delete %u", data->ruleno);
> sshguard_log(LOG_DEBUG, "running: '%s %s'", command, args);
> ret = ipfwmod_runcommand(command, args);
> if (ret != 0) {
> @@ -250,7 +249,7 @@ static ipfw_rulenumber_t ipfwmod_getrulenumber(void) {
> return (rand() % (IPFW_RULERANGE_MAX - IPFW_RULERANGE_MIN)) + IPFW_RULERANGE_MIN;
> }
>
> -static int ipfwmod_runcommand(char *command, char *args) {
> +static int ipfwmod_runcommand(const char *command, const char *args) {
> char *argsvec[20];
> pid_t pid;
> int i, j, ret;
> @@ -258,8 +257,8 @@ static int ipfwmod_runcommand(char *command, char *args) {
>
> sshguard_log(LOG_DEBUG, "Running command: '%s %s'.", command, args);
>
> - argsvec[0] = command;
> - strcpy(locargs, args);
> + argsvec[0] = strdup(command);
> + strlcpy(locargs, args, sizeof(locargs));
>
> /* tokenize command */
> argsvec[1] = locargs;
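Review bot: `strlcpy(locargs, args, sizeof(locargs));` bounds the copy by the size of `locargs` itself; the `free(locargs)` in the following hunk implies locargs is a heap pointer (its declaration sits above this hunk, and ipfwmod_runcommand starts outside it), in which case `sizeof(locargs)` is the pointer size and the arguments are truncated to a handful of bytes before tokenising. The bound should be the byte count passed to the allocation, e.g. `strlcpy(locargs, args, <allocation size>)`, or the copy replaced by `locargs = strdup(args);` if the original strcpy targeted a buffer sized from strlen(args). `argsvec[0] = strdup(command);` is also unchecked; a NULL there would reach the exec in the child, so check it and return an error before forking.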
> @@ -280,6 +279,7 @@ static int ipfwmod_runcommand(char *command, char *args) {
> sshguard_log(LOG_ERR, "Unable to run command: %s", strerror(errno));
> _Exit(1);
> }
> + free(argsvec[0]);
> free(locargs);
> waitpid(pid, &ret, 0);
> ret = WEXITSTATUS(ret);
> @@ -287,7 +287,7 @@ static int ipfwmod_runcommand(char *command, char *args) {
> return ret;
> }
>
> -static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind, char *restrict command, char *restrict args) {
> +static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind) {
> int i;
>
> assert(addresses != NULL);
> @@ -307,19 +307,19 @@ static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restr
> switch (addrkind) {
> case ADDRKIND_IPv4:
> /* use ipfw */
> - sprintf(command, IPFW_PATH "/ipfw");
> - sprintf(args, "add %u drop ip", ruleno);
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> + snprintf(args, sizeof(args), "add %u drop ip", ruleno);
> break;
>
> case ADDRKIND_IPv6:
> #ifdef FWALL_HAS_IP6FW
> /* use ip6fw if found */
> - sprintf(command, IPFW_PATH "/ip6fw");
> + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> #else
> /* use ipfw, assume it supports IPv6 rules as well */
> - sprintf(command, IPFW_PATH "/ipfw");
> + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> #endif
> - sprintf(args, "add %u drop ipv6", ruleno);
> + snprintf(args, sizeof(args), "add %u drop ipv6", ruleno);
> break;
>
> default:
> @@ -327,13 +327,17 @@ static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restr
> }
>
> /* add the rest of the rule */
> - sprintf(args + strlen(args), " from %s", addresses[0]);
> + strlcat(args, " from ", sizeof(args));
> + strlcat(args, addresses[0], sizeof(args));
> for (i = 1; addresses[i] != NULL; ++i) {
> - sprintf(args + strlen(args), ",%s", addresses[i]);
> + strlcat(args, ",", sizeof(args));
> + strlcat(args, addresses[i], sizeof(args));
> + }
> + if (strlcat(args, " to me", sizeof(args)) >= sizeof(args)) {
> + fprintf(stderr, "Fatal: Argument buffer too small\n");
> + exit(EXIT_FAILURE);
> }
> - strcat(args, " to me");
>
> return FWALL_OK;
> }
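Review bot: On truncation the new code prints to stderr and calls `exit(EXIT_FAILURE)` from inside a firewall backend, which takes down the whole sshguard process over one oversized address list; the rest of this file reports failures through sshguard_log and returns an FWALL_* status (see the `return FWALL_ERR` paths in fw_block and fw_block_list). Replacing the two lines with `sshguard_log(LOG_ERR, "Argument buffer too small");` and `return FWALL_ERR;` keeps the backend consistent and lets the caller decide. It is also worth recording why a single check on the last strlcat is enough, since strlcat returns the would-be length and so an earlier overflow also trips it: `/* strlcat reports the full would-be length, so one check covers the earlier appends */`.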
>
> -