Changeset 1272

Timestamp:
05/21/07 11:01:10 (1 year ago)
Author:
till
Message:

damn nfq_set_verdict() - hope I got it right now

Files:

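--- a/honeytrap/trunk/src/dynsrv.c
+++ b/honeytrap/trunk/src/dynsrv.c
@@ -143,4 +143,5 @@
             exit(EXIT_FAILURE);
         }
+        logmsg(LOG_DEBUG, 1, "IPQ - Successfully set verdict on packet.\n");
 
         /* don't need root privs any more */
@@ -149,10 +150,14 @@
 #endif
 #ifdef USE_NFQ_MON
-        /* hand packet processing back to the kernel
-         *
-         * cannot set verdict here - it won't work for unknown reasons
-         * Just do it in the stream monitor
-         */
-        nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);
+        /* hand packet processing back to the kernel */
+        /* nfq_set_verdict()'s return value is undocumented,
+         * but digging the source of libnetfilter_queue and libnfnetlink reveals
+         * that itis just the passed-through value of a sendmsg() */
+        if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) {
+            logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", strerror(errno));
+            nfq_destroy_queue(qh);
+            exit(EXIT_FAILURE);
+        }
+        logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n");
 
         /* don't need root privs any more */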
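Review bot: The verdict-and-exit block at new lines 152–161 is pasted in the same shape into nfqmon.c (twice), tcp.c and udp.c by this changeset, each copy carrying the same three-line comment with its `itis` typo, and the copies have already diverged in what they log; one static helper, called from the four sites, would keep the check, the messages and the cleanup order in a single place. The comment on the helper can also say what the -1 actually means, which the per-site comment leaves implicit: the verdict never reached the kernel. The enclosing function begins outside the hunk.
```c
/* Hand the packet back to the kernel as NF_ACCEPT.  nfq_set_verdict() returns
 * the underlying sendmsg() result, so -1 means the verdict was never delivered;
 * the queue is then destroyed and the process exits, as at the existing sites. */
static void nfq_accept_or_die(struct nfq_q_handle *qh, uint32_t id)
{
    if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) {
        logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", strerror(errno));
        nfq_destroy_queue(qh);
        exit(EXIT_FAILURE);
    }
    logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n");
}

/* … unchanged: IPQ branch and #endif … */
#ifdef USE_NFQ_MON
        /* hand packet processing back to the kernel */
        nfq_accept_or_die(qh, id);
```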
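--- a/honeytrap/trunk/src/nfqmon.c
+++ b/honeytrap/trunk/src/nfqmon.c
@@ -78,10 +78,13 @@
         case PORTCONF_IGNORE:
                 logmsg(LOG_DEBUG, 1, "Port %u/%s is configured to be ignored.\n", dport, PROTO(ip->ip_p));
-                if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) != 0) {
+                /* nfq_set_verdict()'s return value is undocumented,
+                 * but digging the source of libnetfilter_queue and libnfnetlink reveals
+                 * that itis just the passed-through value of a sendmsg() */
+                if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) {
                         logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet.\n");
                         nfq_destroy_queue(qh);
                         exit(EXIT_FAILURE);
                 }
-                logmsg(LOG_DEBUG, 1, "IPQ - Successfully set verdict on packet.\n");
+                logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n");
                 return(0);
         case PORTCONF_NORMAL:
@@ -96,10 +99,13 @@
         default:
                 logmsg(LOG_ERR, 1, "Error - Invalid explicit configuration for port %u/%s.\n", dport, PROTO(ip->ip_p));
-                if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) != 0) {
+                /* nfq_set_verdict()'s return value is undocumented,
+                 * but digging the source of libnetfilter_queue and libnfnetlink reveals
+                 * that itis just the passed-through value of a sendmsg() */
+                if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) {
                         logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet.\n");
                         nfq_destroy_queue(qh);
                         exit(EXIT_FAILURE);
                 }
-                logmsg(LOG_DEBUG, 1, "IPQ - Successfully set verdict on packet.\n");
+                logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n");
                 return(0);
         }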
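Review bot: The error message at new line 84 (and again at new line 105) still omits the failure reason, although the comment placed directly above it establishes that the -1 is a passed-through sendmsg() result, so errno holds the cause of the lost verdict; dynsrv.c's copy in this same changeset already reports it as `logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", strerror(errno));`, and the same line belongs here. tcp.c and udp.c carry the identical omission. Keep the log call ahead of nfq_destroy_queue(), as it is now, since that call may overwrite errno before strerror() reads it. The enclosing switch and its function begin outside the hunk.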
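--- a/honeytrap/trunk/src/tcp.c
+++ b/honeytrap/trunk/src/tcp.c
@@ -72,10 +72,13 @@
 #ifdef USE_NFQ_MON
             /* hand packet processing back to the kernel */
-            if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) != 0) {
+            /* nfq_set_verdict()'s return value is undocumented,
+             * but digging the source of libnetfilter_queue and libnfnetlink reveals
+             * that itis just the passed-through value of a sendmsg() */
+            if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) {
                 logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet.\n");
                 nfq_destroy_queue(qh);
                 exit(EXIT_FAILURE);
             }
-            logmsg(LOG_DEBUG, 1, "IPQ - Successfully set verdict on packet.\n");
+            logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n");
             return(-1);
 #else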
  • honeytrap/trunk/src/udp.c

    r1270 r1272  
    6464                exit(EXIT_FAILURE); 
    6565            } 
     66            logmsg(LOG_DEBUG, 1, "IPQ - Successfully set verdict on packet.\n"); 
    6667            return(-1); 
    6768#else 
    6869#ifdef USE_NFQ_MON 
    6970            /* hand packet processing back to the kernel */ 
    70             nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL);  
     71            /* nfq_set_verdict()'s return value is undocumented, 
     72             * but digging the source of libnetfilter_queue and libnfnetlink reveals 
     73             * that itis just the passed-through value of a sendmsg() */ 
     74            if (nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL) == -1) { 
     75                logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet.\n"); 
     76                nfq_destroy_queue(qh); 
     77                exit(EXIT_FAILURE); 
     78            } 
     79            logmsg(LOG_DEBUG, 1, "NFQ - Successfully set verdict on packet.\n"); 
    7180            return(-1); 
    7281#else