From: Greg P. <gr...@n0...> - 2015-05-27 02:20:15
Looks like this was due to ipfw.c missing:
#include <parser/address.h>
I've added that and it now compiles with only a couple of warnings:
Making all in fwalls
CC ipfw.o
ipfw.c:110:5: warning: implicitly declaring library function 'strlcpy' with type 'unsigned long (char *, const char *, unsigned long)'
strlcpy(addendum.addr, addr, sizeof(addendum.addr));
^
ipfw.c:110:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcpy'
ipfw.c:330:5: warning: implicitly declaring library function 'strlcat' with type 'unsigned long (char *, const char *, unsigned long)'
strlcat(args, " from ", sizeof(args));
^
ipfw.c:330:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcat'
2 warnings generated.
AR libfwall.a
CC sshguard_log.o
CC sshg_parser.o
CCLD sshg-parser
CC sshguard.o
CC seekers.o
CC sshguard_whitelist.o
CC sshguard_procauth.o
CC sshguard_blacklist.o
CC sshguard_options.o
CC sshguard_logsuck.o
CC simclist.o
CC hash_32a.o
CCLD sshguard
Greg
To ssh...@li... said:
> Hi Kevin,
>
> I gave it a shot, but it failed to build. I did make a minor modification
> to the diff: the file paths had a/ and b/ prefixes, so I removed those.
>
>
> The output from the make:
>
> ===> License BSD2CLAUSE accepted by the user
> ===> sshguard-ipfw-1.6.0_1 depends on file: /usr/local/sbin/pkg - found
> ===> Fetching all distfiles required by sshguard-ipfw-1.6.0_1 for building
> ===> Extracting for sshguard-ipfw-1.6.0_1
> => SHA256 Checksum OK for sshguard-1.6.0.tar.xz.
> ===> Patching for sshguard-ipfw-1.6.0_1
> ===> Applying FreeBSD patches for sshguard-ipfw-1.6.0_1
> ===> sshguard-ipfw-1.6.0_1 depends on executable: autoconf-2.69 - found
> ===> sshguard-ipfw-1.6.0_1 depends on executable: autoheader-2.69 - found
> ===> sshguard-ipfw-1.6.0_1 depends on executable: autoreconf-2.69 - found
> ===> sshguard-ipfw-1.6.0_1 depends on executable: aclocal-1.15 - found
> ===> sshguard-ipfw-1.6.0_1 depends on executable: automake-1.15 - found
> ===> Configuring for sshguard-ipfw-1.6.0_1
> configure: loading site script /usr/ports/Templates/config.site
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... (cached) /bin/mkdir -p
> checking for gawk... (cached) /usr/bin/awk
> checking whether make sets $(MAKE)... yes
> checking whether make supports nested variables... yes
> checking whether make supports nested variables... (cached) yes
> checking for ipfw... /sbin
> checking for ip6fw... no
> configure: ip6fw program not found. Assuming ipfw supports IPv6 rules on its own.
> ## -------------- ##
> ## Program Checks ##
> ## -------------- ##
> checking for gawk... (cached) /usr/bin/awk
> checking for gcc... cc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether cc accepts -g... yes
> checking for cc option to accept ISO C89... none needed
> checking whether cc understands -c and -o together... yes
> checking for style of include used by make... GNU
> checking dependency style of cc... gcc3
> checking for cc option to accept ISO C99... none needed
> checking for grep that handles long lines and -e... (cached) /usr/bin/grep
> checking for egrep... (cached) /usr/bin/egrep
> checking for ranlib... ranlib
> checking for bison... bison -y
> checking for flex... flex
> checking lex output file root... lex.yy
> checking lex library... -lfl
> checking whether yytext is a pointer... yes
> ## -------------- ##
> ## Library Checks ##
> ## -------------- ##
> checking for pthread_create in -lpthread... yes
> checking how to run the C preprocessor... cpp
> checking for ANSI C header files... (cached) yes
> checking for sys/wait.h that is POSIX.1 compatible... (cached) yes
> checking for sys/types.h... (cached) yes
> checking for sys/stat.h... (cached) yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking for memory.h... (cached) yes
> checking for strings.h... (cached) yes
> checking for inttypes.h... (cached) yes
> checking for stdint.h... (cached) yes
> checking for unistd.h... (cached) yes
> checking for arpa/inet.h... (cached) yes
> checking for malloc.h... (cached) no
> checking for netdb.h... (cached) yes
> checking for netinet/in.h... (cached) yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking for sys/socket.h... (cached) yes
> checking syslog.h usability... yes
> checking syslog.h presence... yes
> checking for syslog.h... yes
> checking for unistd.h... (cached) yes
> checking for getopt.h... (cached) yes
> checking for off_t... (cached) yes
> checking for pid_t... (cached) yes
> checking for size_t... (cached) yes
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking for C/C++ restrict keyword... __restrict
> checking build system type... amd64-portbld-freebsd10.1
> checking whether __SUNPRO_C is declared... no
> ## ----------------- ##
> ## Library Functions ##
> ## ----------------- ##
> checking for vfork.h... (cached) no
> checking for fork... (cached) yes
> checking for vfork... (cached) yes
> checking for working fork... yes
> checking for working vfork... (cached) yes
> checking for stdlib.h... (cached) yes
> checking for GNU libc compatible malloc... (cached) yes
> checking for gethostbyname... (cached) yes
> checking for inet_ntoa... (cached) yes
> checking for strerror... (cached) yes
> checking for strstr... yes
> checking for strtol... (cached) yes
> checking for library containing socket... none required
> checking for library containing gethostbyname... none required
> configure: Using /sbin as location for ipfw
> checking that generated files are newer than configure... done
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating man/Makefile
> config.status: creating src/Makefile
> config.status: creating src/parser/Makefile
> config.status: creating src/fwalls/Makefile
> config.status: creating src/config.h
> config.status: executing depfiles commands
> ===> Building for sshguard-ipfw-1.6.0_1
> Making all in src
> /usr/bin/make all-recursive
> Making all in parser
> /usr/bin/make all-am
> LEX attack_scanner.c
> CC attack_parser.o
> CC attack_scanner.o
> attack_scanner.c:27857:16: warning: function 'input' is not needed and will not be emitted [-Wunneeded-internal-declaration]
> static int input (void)
> ^
> 1 warning generated.
> AR libparser.a
> Making all in fwalls
> CC ipfw.o
> ipfw.c:51:15: error: use of undeclared identifier 'ADDRLEN'
> char addr[ADDRLEN];
> ^
> ipfw.c:109:5: warning: implicitly declaring library function 'strlcpy' with type 'unsigned long (char *, const char *, unsigned long)'
> strlcpy(addendum.addr, addr, sizeof(addendum.addr));
> ^
> ipfw.c:109:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcpy'
> ipfw.c:171:14: error: use of undeclared identifier 'ADDRKIND_IPv4'
> case ADDRKIND_IPv4:
> ^
> ipfw.c:175:14: error: use of undeclared identifier 'ADDRKIND_IPv6'
> case ADDRKIND_IPv6:
> ^
> ipfw.c:216:18: error: use of undeclared identifier 'ADDRKIND_IPv4'
> case ADDRKIND_IPv4:
> ^
> ipfw.c:219:18: error: use of undeclared identifier 'ADDRKIND_IPv6'
> case ADDRKIND_IPv6:
> ^
> ipfw.c:307:14: error: use of undeclared identifier 'ADDRKIND_IPv4'
> case ADDRKIND_IPv4:
> ^
> ipfw.c:313:14: error: use of undeclared identifier 'ADDRKIND_IPv6'
> case ADDRKIND_IPv6:
> ^
> ipfw.c:329:5: warning: implicitly declaring library function 'strlcat' with type 'unsigned long (char *, const char *, unsigned long)'
> strlcat(args, " from ", sizeof(args));
> ^
> ipfw.c:329:5: note: please include the header <string.h> or explicitly provide a declaration for 'strlcat'
> 2 warnings and 7 errors generated.
> *** [ipfw.o] Error code 1
>
> make[4]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src/fwalls
> 1 error
>
> make[4]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src/fwalls
> *** [all-recursive] Error code 1
>
> make[3]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
> 1 error
>
> make[3]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
> *** [all] Error code 2
>
> make[2]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
> 1 error
>
> make[2]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0/src
> *** [all-recursive] Error code 1
>
> make[1]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0
> 1 error
>
> make[1]: stopped in /usr/ports/security/sshguard-ipfw/work/sshguard-1.6.0
> ===> Compilation failed unexpectedly.
> Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
> the maintainer.
> *** Error code 1
>
> Stop.
> make: stopped in /usr/ports/security/sshguard-ipfw
>
>
>
>
> Greg
>
>
>
> Kevin Zheng said:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hi there,
> >
> > A patch that fixes blacklist loading when using the `ipfw` backend is
> > available and attached here. It is mostly of interest to FreeBSD.
> >
> > This patch has not been committed because it relies on the
> > non-portable functions `strlcpy` and `strlcat`. While I work on
> > bringing these to SSHGuard, FreeBSD users can enjoy a working
> > blacklist now.
> >
> > I've done rudimentary testing and this patch appears to work; before
> > this hits the ports tree someone should really test it.
> >
> > Thanks,
> > Kevin Zheng
> >
> > - --
> > Kevin Zheng
> > kev...@gm... | ke...@kd... | PGP: 0xC22E1090
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2
> >
> > iQEcBAEBCAAGBQJVZRxRAAoJEOrPD3bCLhCQN2MIAJOMmgslZPV5aYsYEnX1quC+
> > IXMc6t/rpFDybZPKz4LC4YI+WcsQ+fykKQ3mFZfJ2HITqqyBorNUe8JKzR8p59tX
> > sX5ePTq4Jld+LOFklKOSS3NSZauMi6zS8tcCpz5gVdQ0iBizDssW/f70ZTD927lB
> > 44VgAdv8FrHXsPpgEgcrZCsNm3uK8j48eh3aAo3elThM4BAIhoMYobLZl1Jgnq59
> > hjWVk49Z1njypiP2SYASXVdy5x8AINQDY4R8Wqa0/mNGfzFKT2y5HPw/70YbAm3M
> > E1o/V9apCH3p1Trq/NshZwvP9sFxfV0oJtATRXUvJxuI0BDHIM5F+/w72TJCVU4=
> > =SKWp
> > -----END PGP SIGNATURE-----
>
> > diff --git a/src/fwalls/ipfw.c b/src/fwalls/ipfw.c
> > index 29045b0..9bee0ad 100644
> > --- a/src/fwalls/ipfw.c
> > +++ b/src/fwalls/ipfw.c
> > @@ -20,6 +20,7 @@
> >
> > #include <assert.h>
> > #include <errno.h>
> > +#include <limits.h>
> > #include <time.h>
> > #include <time.h>
> > #include <string.h>
> > @@ -37,8 +38,6 @@
> >
> > #define IPFWMOD_ADDRESS_BULK_REPRESENTATIVE "FF:FF:FF:FF:FF:FF:FF:FF"
> >
> > -#define MAXIPFWCMDLEN 90
> > -
> > #ifndef IPFW_RULERANGE_MIN
> > #define IPFW_RULERANGE_MIN 55000
> > #endif
> > @@ -56,14 +55,14 @@ struct addr_ruleno_s {
> > };
> >
> > static list_t addrrulenumbers;
> > -static char command[MAXIPFWCMDLEN], args[MAXIPFWCMDLEN];
> > +static char command[PATH_MAX], args[ARG_MAX];
> >
> > /* generate an IPFW rule ID for inserting a rule */
> > static ipfw_rulenumber_t ipfwmod_getrulenumber(void);
> > /* execute an IPFW command */
> > -static int ipfwmod_runcommand(char *command, char *args);
> > +static int ipfwmod_runcommand(const char *command, const char *args);
> > /* build an IPFW rule for blocking a list of addresses, all of the given kind */
> > -static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind, char *restrict command, char *restrict args);
> > +static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind);
> >
> > static size_t ipfw_rule_meter(const void *el) { return sizeof(struct addr_ruleno_s); }
> > static int ipfw_rule_comparator(const void *a, const void *b) {
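Review bot: `command` and `args` are now filled implicitly by `ipfwmod_buildblockcommand` instead of being passed in, and nothing at the declaration records that. A comment such as `/* shared scratch buffers: written by ipfwmod_buildblockcommand(), fw_release() and fw_flush(), read by ipfwmod_runcommand(); not reentrant */` would make the contract visible. The choice of `ARG_MAX` for `args` also deserves a line there: that limit covers the argument list and the environment together, so a string that fills the buffer can still be refused at exec time, and the macro may not be defined by every libc's `<limits.h>`.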
> > @@ -95,7 +94,7 @@ int fw_block(const char *restrict addr, int addrkind, int service) {
> > ruleno = ipfwmod_getrulenumber();
> > addresses[0] = addr;
> > addresses[1] = NULL;
> > - if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind, command, args) != FWALL_OK)
> > + if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind) != FWALL_OK)
> > return FWALL_ERR;
> >
> > /* run command */
> > @@ -108,7 +107,7 @@ int fw_block(const char *restrict addr, int addrkind, int service) {
> > sshguard_log(LOG_DEBUG, "Command exited %d.", ret);
> >
> > /* success, save rule number */
> > - strcpy(addendum.addr, addr);
> > + strlcpy(addendum.addr, addr, sizeof(addendum.addr));
> > addendum.ruleno = ruleno;
> > addendum.addrkind = addrkind;
> >
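Review bot: The result of `strlcpy(addendum.addr, addr, sizeof(addendum.addr))` is discarded, so an over-long `addr` is stored truncated with no signal, and by this point the block rule has already been installed under the full string. Rejecting the input before the command is built keeps the firewall state and the bookkeeping list in agreement, for example `if (strlen(addr) >= sizeof(addendum.addr)) return FWALL_ERR;` near the top of `fw_block`, which starts outside this hunk. The same applies to the `data.addr` copy in `fw_release`, where a truncated lookup key could presumably match a different entry and delete the wrong rule.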
> > @@ -134,7 +133,7 @@ int fw_block_list(const char *restrict addresses[], int addrkind, const int serv
> >
> > ruleno = ipfwmod_getrulenumber();
> > /* insert rules under this rule number (in chunks of max_addresses_per_rule) */
> > - if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind, command, args) != FWALL_OK)
> > + if (ipfwmod_buildblockcommand(ruleno, addresses, addrkind) != FWALL_OK)
> > return FWALL_ERR;
> >
> > /* run command */
> > @@ -147,7 +146,7 @@ int fw_block_list(const char *restrict addresses[], int addrkind, const int serv
> > sshguard_log(LOG_DEBUG, "Command exited %d.", ret);
> >
> > /* insert a placeholder for the bulk */
> > - strcpy(addendum.addr, IPFWMOD_ADDRESS_BULK_REPRESENTATIVE);
> > + strlcpy(addendum.addr, IPFWMOD_ADDRESS_BULK_REPRESENTATIVE, sizeof(addendum.addr));
> > addendum.ruleno = ruleno;
> > addendum.addrkind = addrkind;
> > list_append(& addrrulenumbers, & addendum);
> > @@ -161,7 +160,7 @@ int fw_release(const char *restrict addr, int addrkind, int service) {
> > int pos, ret = 0;
> >
> > /* retrieve ID of rule blocking "addr" */
> > - strcpy(data.addr, addr);
> > + strlcpy(data.addr, addr, sizeof(data.addr));
> > data.addrkind = addrkind;
> > if ((pos = list_locate(& addrrulenumbers, &data)) < 0) {
> > sshguard_log(LOG_ERR, "could not get back rule ID for address %s", addr);
> > @@ -172,22 +171,22 @@ int fw_release(const char *restrict addr, int addrkind, int service) {
> > switch (data.addrkind) {
> > case ADDRKIND_IPv4:
> > /* use ipfw */
> > - sprintf(command, IPFW_PATH "/ipfw");
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > break;
> > case ADDRKIND_IPv6:
> > #ifdef FWALL_HAS_IP6FW
> > /* use ip6fw if found */
> > - sprintf(command, IPFW_PATH "/ip6fw");
> > + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> > #else
> > /* use ipfw, assume it supports IPv6 rules as well */
> > - sprintf(command, IPFW_PATH "/ipfw");
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > #endif
> > break;
> > default:
> > return FWALL_UNSUPP;
> > }
> > /* build command arguments */
> > - snprintf(args, MAXIPFWCMDLEN, "delete %u", data.ruleno);
> > + snprintf(args, sizeof(args), "delete %u", data.ruleno);
> >
> > sshguard_log(LOG_DEBUG, "running: '%s %s'", command, args);
> >
> > @@ -216,19 +215,19 @@ int fw_flush(void) {
> > data = (struct addr_ruleno_s *)list_iterator_next(& addrrulenumbers);
> > switch (data->addrkind) {
> > case ADDRKIND_IPv4:
> > - snprintf(command, MAXIPFWCMDLEN, IPFW_PATH "/ipfw");
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > break;
> > case ADDRKIND_IPv6:
> > #ifdef FWALL_HAS_IP6FW
> > /* use ip6fw if found */
> > - sprintf(command, IPFW_PATH "/ip6fw");
> > + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> > #else
> > /* use ipfw, assume it supports IPv6 rules as well */
> > - sprintf(command, IPFW_PATH "/ipfw");
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > #endif
> > break;
> > }
> > - sprintf(args, "delete %u", data->ruleno);
> > + snprintf(args, sizeof(args), "delete %u", data->ruleno);
> > sshguard_log(LOG_DEBUG, "running: '%s %s'", command, args);
> > ret = ipfwmod_runcommand(command, args);
> > if (ret != 0) {
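Review bot: The `switch (data->addrkind)` in `fw_flush` has no `default` in the lines shown, unlike the one in `fw_release`, which returns `FWALL_UNSUPP`. Because `command` is a file-scope buffer, an entry with an unexpected kind would reuse whatever path an earlier call left there and still reach `ipfwmod_runcommand(command, args)`. Assuming this sits inside the iterator loop, which begins outside the hunk, a branch such as `default: sshguard_log(LOG_ERR, "unexpected address kind %d", data->addrkind); continue;` would skip the entry explicitly.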
> > @@ -250,7 +249,7 @@ static ipfw_rulenumber_t ipfwmod_getrulenumber(void) {
> > return (rand() % (IPFW_RULERANGE_MAX - IPFW_RULERANGE_MIN)) + IPFW_RULERANGE_MIN;
> > }
> >
> > -static int ipfwmod_runcommand(char *command, char *args) {
> > +static int ipfwmod_runcommand(const char *command, const char *args) {
> > char *argsvec[20];
> > pid_t pid;
> > int i, j, ret;
> > @@ -258,8 +257,8 @@ static int ipfwmod_runcommand(char *command, char *args) {
> >
> > sshguard_log(LOG_DEBUG, "Running command: '%s %s'.", command, args);
> >
> > - argsvec[0] = command;
> > - strcpy(locargs, args);
> > + argsvec[0] = strdup(command);
> > + strlcpy(locargs, args, sizeof(locargs));
> >
> > /* tokenize command */
> > argsvec[1] = locargs;
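Review bot: `strlcpy(locargs, args, sizeof(locargs))` is only correct if `locargs` is an array; its declaration is outside the hunk, but the `free(locargs)` in the next hunk suggests it is a heap pointer. In that case `sizeof(locargs)` is the pointer size and the argument string is cut to a few bytes, so the rule passed to ipfw would be mangled rather than protected from overflow. Keeping the allocation size in a variable and passing it, e.g. `size_t loclen = strlen(args) + 1;` and `strlcpy(locargs, args, loclen);`, avoids that. The new `strdup(command)` is also used without a NULL check before it becomes `argsvec[0]`.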
> > @@ -280,6 +279,7 @@ static int ipfwmod_runcommand(char *command, char *args) {
> > sshguard_log(LOG_ERR, "Unable to run command: %s", strerror(errno));
> > _Exit(1);
> > }
> > + free(argsvec[0]);
> > free(locargs);
> > waitpid(pid, &ret, 0);
> > ret = WEXITSTATUS(ret);
> > @@ -287,7 +287,7 @@ static int ipfwmod_runcommand(char *command, char *args) {
> > return ret;
> > }
> >
> > -static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind, char *restrict command, char *restrict args) {
> > +static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restrict addresses[], int addrkind) {
> > int i;
> >
> > assert(addresses != NULL);
> > @@ -307,19 +307,19 @@ static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restr
> > switch (addrkind) {
> > case ADDRKIND_IPv4:
> > /* use ipfw */
> > - sprintf(command, IPFW_PATH "/ipfw");
> > - sprintf(args, "add %u drop ip", ruleno);
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > + snprintf(args, sizeof(args), "add %u drop ip", ruleno);
> > break;
> >
> > case ADDRKIND_IPv6:
> > #ifdef FWALL_HAS_IP6FW
> > /* use ip6fw if found */
> > - sprintf(command, IPFW_PATH "/ip6fw");
> > + strlcpy(command, IPFW_PATH "/ip6fw", sizeof(command));
> > #else
> > /* use ipfw, assume it supports IPv6 rules as well */
> > - sprintf(command, IPFW_PATH "/ipfw");
> > + strlcpy(command, IPFW_PATH "/ipfw", sizeof(command));
> > #endif
> > - sprintf(args, "add %u drop ipv6", ruleno);
> > + snprintf(args, sizeof(args), "add %u drop ipv6", ruleno);
> > break;
> >
> > default:
> > @@ -327,13 +327,17 @@ static int ipfwmod_buildblockcommand(ipfw_rulenumber_t ruleno, const char *restr
> > }
> >
> > /* add the rest of the rule */
> > - sprintf(args + strlen(args), " from %s", addresses[0]);
> > + strlcat(args, " from ", sizeof(args));
> > + strlcat(args, addresses[0], sizeof(args));
> > for (i = 1; addresses[i] != NULL; ++i) {
> > - sprintf(args + strlen(args), ",%s", addresses[i]);
> > + strlcat(args, ",", sizeof(args));
> > + strlcat(args, addresses[i], sizeof(args));
> > + }
> > + if (strlcat(args, " to me", sizeof(args)) >= sizeof(args)) {
> > + fprintf(stderr, "Fatal: Argument buffer too small\n");
> > + exit(EXIT_FAILURE);
> > }
> > - strcat(args, " to me");
> >
> > return FWALL_OK;
> > }
> >
> > -
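Review bot: The overflow branch calls `exit(EXIT_FAILURE)`, which stops the whole daemon when a block list is too long for `args`, so existing protection ends instead of one request failing. Every other failure path visible in this patch returns a status and logs through `sshguard_log`, and the callers already test for `FWALL_OK`, so `sshguard_log(LOG_ERR, "Argument buffer too small");` followed by `return FWALL_ERR;` would fit better. Checking only the final `strlcat` is sufficient to detect truncation of the earlier appends, which is worth stating in a short comment above the check.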
>
>
> > ------------------------------------------------------------------------------
>
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>