>Synopsis: unsafe macro in tcpdump/print-ike.c and /etc/tcpdump.conf
>Category: user
>Environment:
System : OpenBSD 7.2
Details : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
Architecture: OpenBSD.arm64
Machine : arm64
>Description:
The macro TCHECK() is undef'ed in print-ike.c and a worse macro that
didn't see repeated fixes is added. I saw this while "fixing" tcpdump with
policies on what can print and what can't. I'm gonna dump a big patch on
you guys for review, it adds a /etc/tcpdump.conf with yacc parsing (taken from
a modified lpd(8)), the -Y: flag allows someone to specify a different policy
other than "default" which is defined to be rudamentary ether,llc,arp,ip/ip6
and udp/tcp/domain. Someone who has to do work specifically for other
protocols would need to add those themselves either to the default or a new
policy. Check it out, I think it was worth doing, and it's sorta a passlist
or pledge for protocols in tcpdump.
The policy names are from print-NAME.c in tcpdump so this will also get people
to familiarize themselves with the way tcpdump works.
>How-To-Repeat:
Code reading/frustrations.
>Fix:
Index: Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/Makefile,v
retrieving revision 1.67
diff -u -p -u -r1.67 Makefile
--- Makefile 4 Dec 2020 11:36:13 -0000 1.67
+++ Makefile 7 Mar 2023 06:47:37 -0000
@@ -50,7 +50,7 @@ SRCS= tcpdump.c addrtoname.c privsep.c p
print-pfsync.c pf_print_state.c print-ofp.c ofp_map.c \
print-udpencap.c print-carp.c print-nhrp.c print-wg.c \
print-802_11.c print-iapp.c print-mpls.c print-slow.c print-usbpcap.c \
- gmt2local.c savestr.c setsignal.c in_cksum.c
+ gmt2local.c savestr.c setsignal.c in_cksum.c parse.y
# TCP OS Fingerprinting
.PATH: ${.CURDIR}/../../sys/net
Index: parse.y
===================================================================
RCS file: parse.y
diff -N parse.y
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ parse.y 7 Mar 2023 06:47:38 -0000
@@ -0,0 +1,1248 @@
+/* $OpenBSD$ */
+
+/*
+ * Copyright (c) 2008 Gilles Chehade <gil...@poolp.org>
+ * Copyright (c) 2008 Pierre-Yves Ritschard <p...@openbsd.org>
+ * Copyright (c) 2002, 2003, 2004 Henning Brauer <henn...@openbsd.org>
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2001 Daniel Hartmeier. All rights reserved.
+ * Copyright (c) 2001 Theo de Raadt. All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+%{
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/queue.h>
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+
+TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
+static struct file {
+ TAILQ_ENTRY(file) entry;
+ FILE *stream;
+ char *name;
+ int lineno;
+ int errors;
+} *file, *topfile;
+
+struct tcpdump_conf * tcpd_parse_config(int);
+struct file *pushfile(int);
+int popfile(void);
+int check_file_secrecy(int, const char *);
+int yyparse(void);
+int yylex(void);
+int kw_cmp(const void *, const void *);
+int lookup(char *);
+int lgetc(int);
+int lungetc(int);
+int findeol(void);
+int yyerror(const char *, ...)
+ __attribute__((__format__ (printf, 1, 2)))
+ __attribute__((__nonnull__ (1)));
+
+int check_policy(char *filename);
+
+TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);
+struct sym {
+ TAILQ_ENTRY(sym) entry;
+ int used;
+ int persist;
+ char *nam;
+ char *val;
+};
+int symset(const char *, const char *, int);
+char *symget(const char *);
+
+static int errors = 0;
+
+extern char *policyname;
+extern int priv_open_conf(void);
+
+struct policy {
+ TAILQ_ENTRY(policy) entry;
+ char *filename;
+};
+
+struct tcpdump_conf {
+ TAILQ_HEAD(, policy) policies;
+};
+
+struct tcpdump_conf *conf = NULL;
+
+struct printer_opts {
+ uint8_t po_ieee80211;
+ uint8_t po_arp;
+ uint8_t po_atalk;
+ uint8_t po_atm;
+ uint8_t po_bgp;
+ uint8_t po_bootp;
+ uint8_t po_carp;
+ uint8_t po_cdp;
+ uint8_t po_cnfp;
+ uint8_t po_decnet;
+ uint8_t po_dhcp6;
+ uint8_t po_domain;
+ uint8_t po_dvmrp;
+ uint8_t po_enc;
+ uint8_t po_ether;
+ uint8_t po_etherip;
+ uint8_t po_fddi;
+ uint8_t po_frag6;
+ uint8_t po_gre;
+ uint8_t po_gtp;
+ uint8_t po_hsrp;
+ uint8_t po_iapp;
+ uint8_t po_icmp;
+ uint8_t po_icmp6;
+ uint8_t po_igrp;
+ uint8_t po_ike;
+ uint8_t po_ip;
+ uint8_t po_ip6;
+ uint8_t po_ip6opts;
+ uint8_t po_ipsec;
+ uint8_t po_ipx;
+ uint8_t po_isoclns;
+ uint8_t po_krb;
+ uint8_t po_l2tp;
+ uint8_t po_llc;
+ uint8_t po_lldp;
+ uint8_t po_lwres;
+ uint8_t po_mobile;
+ uint8_t po_mpls;
+ uint8_t po_netbios;
+ uint8_t po_nfs;
+ uint8_t po_nhrp;
+ uint8_t po_nsh;
+ uint8_t po_ntp;
+ uint8_t po_null;
+ uint8_t po_ofp;
+ uint8_t po_ospf;
+ uint8_t po_ospf6;
+ uint8_t po_pflog;
+ uint8_t po_pfsync;
+ uint8_t po_pim;
+ uint8_t po_ppp;
+ uint8_t po_radius;
+ uint8_t po_raw;
+ uint8_t po_rip;
+ uint8_t po_ripng;
+ uint8_t po_rt6;
+ uint8_t po_sl;
+ uint8_t po_slow;
+ uint8_t po_smb;
+ uint8_t po_snmp;
+ uint8_t po_stp;
+ uint8_t po_sunrpc;
+ uint8_t po_tcp;
+ uint8_t po_tftp;
+ uint8_t po_timed;
+ uint8_t po_udp;
+ uint8_t po_udpencap;
+ uint8_t po_usbpcap;
+ uint8_t po_vqp;
+ uint8_t po_vrrp;
+ uint8_t po_wb;
+ uint8_t po_wg;
+} printer_opts;
+
+static void add_policy(struct printer_opts *);
+static void add_policy2(char *);
+static void config_free(struct tcpdump_conf *);
+static void config_policy(struct policy *);
+
+typedef struct {
+ union {
+ int64_t number;
+ char *string;
+ struct host *host;
+ struct printer_opts printer_opts;
+ } v;
+ int lineno;
+} YYSTYPE;
+
+%}
+
+%token ERROR ARROW LBRACE RBRACE
+%token POLICY COMMA
+%token TOK_802_11 TOK_ARP TOK_ATALK TOK_ATM TOK_BGP TOK_BOOTP
+%token TOK_CARP TOK_CDP TOK_CNFP TOK_DECNET TOK_DHCP6 TOK_DOMAIN
+%token TOK_DVMRP TOK_ENC TOK_ETHER TOK_ETHERIP TOK_FDDI TOK_FRAG6
+%token TOK_GRE TOK_GTP TOK_HSRP TOK_IAPP TOK_ICMP TOK_ICMP6 TOK_IGRP
+%token TOK_IKE TOK_IP TOK_IP6 TOK_IP6OPTS TOK_IPSEC TOK_IPX TOK_ISOCLNS
+%token TOK_KRB TOK_L2TP TOK_LLC TOK_LLDP TOK_LWRES TOK_MOBILE TOK_MPLS
+%token TOK_NETBIOS TOK_NFS TOK_NHRP TOK_NSH TOK_NTP TOK_NULL TOK_OFP
+%token TOK_OSPF TOK_OSPF6 TOK_PFLOG TOK_PFSYNC TOK_PIM TOK_PPP TOK_RADIUS
+%token TOK_RAW TOK_RIP TOK_RIPNG TOK_RT6 TOK_SL TOK_SLOW TOK_SMB TOK_SNMP
+%token TOK_STP TOK_SUNRPC TOK_TCP TOK_TFTP TOK_TIMED TOK_UDP TOK_UDPENCAP
+%token TOK_USBPCAP TOK_VQP TOK_VRRP TOK_WB TOK_WG
+
+%token <v.string> STRING
+%token <v.number> NUMBER
+
+%type <v.printer_opts> printer_opts printer_opt printers_l
+
+%%
+
+grammar : /* empty */
+ | grammar '\n'
+ | grammar varset '\n'
+ | grammar main '\n'
+ | grammar error '\n' { file->errors++; }
+ ;
+
+varset : STRING '=' STRING {
+ char *s = $1;
+ while (*s++) {
+ if (isspace((unsigned char)*s)) {
+ yyerror("macro name cannot contain "
+ "whitespace");
+ free($1);
+ free($3);
+ YYERROR;
+ }
+ }
+ if (symset($1, $3, 0) == -1) {
+ fprintf(stderr, "cannot store variable\n");
+ exit(1);
+ }
+ free($1);
+ free($3);
+ }
+ ;
+
+printer_opts : { bzero(&printer_opts, sizeof(printer_opts)); }
+ printers_l
+ { $$ = printer_opts; }
+ ;
+
+printers_l : printers_l COMMA printer_opt
+ | printer_opt
+ ;
+
+printer_opt :TOK_ARP {
+ printer_opts.po_arp = 1;
+ }
+ |TOK_ATALK {
+ printer_opts.po_atalk = 1;
+ }
+ |TOK_ATM {
+ printer_opts.po_atm = 1;
+ }
+ |TOK_BGP {
+ printer_opts.po_bgp = 1;
+ }
+ |TOK_BOOTP {
+ printer_opts.po_bootp = 1;
+ }
+ |TOK_CARP {
+ printer_opts.po_carp = 1;
+ }
+ |TOK_CDP {
+ printer_opts.po_cdp = 1;
+ }
+ |TOK_CNFP {
+ printer_opts.po_cnfp = 1;
+ }
+ |TOK_DECNET {
+ printer_opts.po_decnet = 1;
+ }
+ |TOK_DHCP6 {
+ printer_opts.po_dhcp6 = 1;
+ }
+ |TOK_DOMAIN {
+ printer_opts.po_domain = 1;
+ }
+ |TOK_DVMRP {
+ printer_opts.po_dvmrp = 1;
+ }
+ |TOK_ENC {
+ printer_opts.po_enc = 1;
+ }
+ |TOK_ETHER {
+ printer_opts.po_ether = 1;
+ }
+ |TOK_ETHERIP {
+ printer_opts.po_etherip = 1;
+ }
+ |TOK_FDDI {
+ printer_opts.po_fddi = 1;
+ }
+ |TOK_FRAG6 {
+ printer_opts.po_frag6 = 1;
+ }
+ |TOK_GRE {
+ printer_opts.po_gre = 1;
+ }
+ |TOK_GTP {
+ printer_opts.po_gtp = 1;
+ }
+ |TOK_HSRP {
+ printer_opts.po_hsrp = 1;
+ }
+ |TOK_IAPP {
+ printer_opts.po_iapp = 1;
+ }
+ |TOK_ICMP {
+ printer_opts.po_icmp = 1;
+ }
+ |TOK_ICMP6 {
+ printer_opts.po_icmp6 = 1;
+ }
+ |TOK_IGRP {
+ printer_opts.po_igrp = 1;
+ }
+ |TOK_IKE {
+ printer_opts.po_ike = 1;
+ }
+ |TOK_IP {
+ printer_opts.po_ip = 1;
+ }
+ |TOK_IP6 {
+ printer_opts.po_ip6 = 1;
+ }
+ |TOK_IP6OPTS {
+ printer_opts.po_ip6opts = 1;
+ }
+ |TOK_IPSEC {
+ printer_opts.po_ipsec = 1;
+ }
+ |TOK_IPX {
+ printer_opts.po_ipx = 1;
+ }
+ |TOK_ISOCLNS {
+ printer_opts.po_isoclns = 1;
+ }
+ |TOK_KRB {
+ printer_opts.po_krb = 1;
+ }
+ |TOK_L2TP {
+ printer_opts.po_l2tp = 1;
+ }
+ |TOK_LLC {
+ printer_opts.po_llc = 1;
+ }
+ |TOK_LLDP {
+ printer_opts.po_lldp = 1;
+ }
+ |TOK_LWRES {
+ printer_opts.po_lwres = 1;
+ }
+ |TOK_MOBILE {
+ printer_opts.po_mobile = 1;
+ }
+ |TOK_MPLS {
+ printer_opts.po_mpls = 1;
+ }
+ |TOK_NETBIOS {
+ printer_opts.po_netbios = 1;
+ }
+ |TOK_NFS {
+ printer_opts.po_nfs = 1;
+ }
+ |TOK_NHRP {
+ printer_opts.po_nhrp = 1;
+ }
+ |TOK_NSH {
+ printer_opts.po_nsh = 1;
+ }
+ |TOK_NTP {
+ printer_opts.po_ntp = 1;
+ }
+ |TOK_NULL {
+ printer_opts.po_null = 1;
+ }
+ |TOK_OFP {
+ printer_opts.po_ofp = 1;
+ }
+ |TOK_OSPF {
+ printer_opts.po_ospf = 1;
+ }
+ |TOK_OSPF6 {
+ printer_opts.po_ospf6 = 1;
+ }
+ |TOK_PFLOG {
+ printer_opts.po_pflog = 1;
+ }
+ |TOK_PFSYNC {
+ printer_opts.po_pfsync = 1;
+ }
+ |TOK_PIM {
+ printer_opts.po_pim = 1;
+ }
+ |TOK_PPP {
+ printer_opts.po_ppp = 1;
+ }
+ |TOK_RADIUS {
+ printer_opts.po_radius = 1;
+ }
+ |TOK_RAW {
+ printer_opts.po_raw = 1;
+ }
+ |TOK_RIP {
+ printer_opts.po_rip = 1;
+ }
+ |TOK_RIPNG {
+ printer_opts.po_ripng = 1;
+ }
+ |TOK_RT6 {
+ printer_opts.po_rt6 = 1;
+ }
+ |TOK_SL {
+ printer_opts.po_sl = 1;
+ }
+ |TOK_SLOW {
+ printer_opts.po_slow = 1;
+ }
+ |TOK_SMB {
+ printer_opts.po_smb = 1;
+ }
+ |TOK_SNMP {
+ printer_opts.po_snmp = 1;
+ }
+ |TOK_STP {
+ printer_opts.po_stp = 1;
+ }
+ |TOK_SUNRPC {
+ printer_opts.po_sunrpc = 1;
+ }
+ |TOK_TCP {
+ printer_opts.po_tcp = 1;
+ }
+ |TOK_TFTP {
+ printer_opts.po_tftp = 1;
+ }
+ |TOK_TIMED {
+ printer_opts.po_timed = 1;
+ }
+ |TOK_UDP {
+ printer_opts.po_udp = 1;
+ }
+ |TOK_UDPENCAP {
+ printer_opts.po_udpencap = 1;
+ }
+ |TOK_USBPCAP {
+ printer_opts.po_usbpcap = 1;
+ }
+ |TOK_VQP {
+ printer_opts.po_vqp = 1;
+ }
+ |TOK_VRRP {
+ printer_opts.po_vrrp = 1;
+ }
+ |TOK_WB {
+ printer_opts.po_wb = 1;
+ }
+ |TOK_WG {
+ printer_opts.po_wg = 1;
+ }
+ ;
+
+main : POLICY STRING LBRACE printer_opts RBRACE
+ {
+ if (strcmp(policyname, $2) == 0) {
+ add_policy(&$4);
+ }
+
+ free($2);
+ }
+ ;
+%%
+
+struct keywords {
+ const char *k_name;
+ int k_val;
+};
+
+int
+yyerror(const char *fmt, ...)
+{
+ va_list ap;
+ char *msg;
+
+ file->errors++;
+ va_start(ap, fmt);
+ if (vasprintf(&msg, fmt, ap) == -1) {
+ fprintf(stderr, "yyerror vasprintf\n");
+ exit(1);
+ }
+ va_end(ap);
+ fprintf(stderr, "%s:%d: %s\n", file->name, yylval.lineno, msg);
+ free(msg);
+ return (0);
+}
+
+int
+kw_cmp(const void *k, const void *e)
+{
+ return (strcmp(k, ((const struct keywords *)e)->k_name));
+}
+
+int
+lookup(char *s)
+{
+ /* this has to be sorted always */
+ static const struct keywords keywords[] = {
+ {"802_11", TOK_802_11 },
+ {"arp", TOK_ARP },
+ {"atalk", TOK_ATALK },
+ {"atm", TOK_ATM },
+ {"bgp", TOK_BGP },
+ {"bootp", TOK_BOOTP },
+ {"carp", TOK_CARP },
+ {"cdp", TOK_CDP },
+ {"cnfp", TOK_CNFP },
+ {"decnet", TOK_DECNET },
+ {"dhcp6", TOK_DHCP6 },
+ {"domain", TOK_DOMAIN },
+ {"dvmrp", TOK_DVMRP },
+ {"enc", TOK_ENC },
+ {"ether", TOK_ETHER },
+ {"etherip", TOK_ETHERIP },
+ {"fddi", TOK_FDDI },
+ {"frag6", TOK_FRAG6 },
+ {"gre", TOK_GRE },
+ {"gtp", TOK_GTP },
+ {"hsrp", TOK_HSRP },
+ {"iapp", TOK_IAPP },
+ {"icmp", TOK_ICMP },
+ {"icmp6", TOK_ICMP6 },
+ {"igrp", TOK_IGRP },
+ {"ike", TOK_IKE },
+ {"ip", TOK_IP },
+ {"ip6", TOK_IP6 },
+ {"ip6opts", TOK_IP6OPTS },
+ {"ipsec", TOK_IPSEC },
+ {"ipx", TOK_IPX },
+ {"isoclns", TOK_ISOCLNS },
+ {"krb", TOK_KRB },
+ {"l2tp", TOK_L2TP },
+ {"llc", TOK_LLC },
+ {"lldp", TOK_LLDP },
+ {"lwres", TOK_LWRES },
+ {"mobile", TOK_MOBILE },
+ {"mpls", TOK_MPLS },
+ {"netbios", TOK_NETBIOS },
+ {"nfs", TOK_NFS },
+ {"nhrp", TOK_NHRP },
+ {"nsh", TOK_NSH },
+ {"ntp", TOK_NTP },
+ {"null", TOK_NULL },
+ {"ofp", TOK_OFP },
+ {"ospf", TOK_OSPF },
+ {"ospf6", TOK_OSPF6 },
+ {"pflog", TOK_PFLOG },
+ {"pfsync", TOK_PFSYNC },
+ {"pim", TOK_PIM },
+ {"policy", POLICY },
+ {"ppp", TOK_PPP },
+ {"radius", TOK_RADIUS },
+ {"raw", TOK_RAW },
+ {"rip", TOK_RIP },
+ {"ripng", TOK_RIPNG },
+ {"rt6", TOK_RT6 },
+ {"sl", TOK_SL },
+ {"slow", TOK_SLOW },
+ {"smb", TOK_SMB },
+ {"snmp", TOK_SNMP },
+ {"stp", TOK_STP },
+ {"sunrpc", TOK_SUNRPC },
+ {"tcp", TOK_TCP },
+ {"tftp", TOK_TFTP },
+ {"timed", TOK_TIMED },
+ {"udp", TOK_UDP },
+ {"udpencap", TOK_UDPENCAP },
+ {"usbpcap", TOK_USBPCAP },
+ {"vqp", TOK_VQP },
+ {"vrrp", TOK_VRRP },
+ {"wb", TOK_WB },
+ {"wg", TOK_WG }
+ };
+ const struct keywords *p;
+
+ p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
+ sizeof(keywords[0]), kw_cmp);
+
+ if (p)
+ return (p->k_val);
+ else
+ return (STRING);
+}
+
+#define MAXPUSHBACK 128
+
+char *parsebuf;
+int parseindex;
+char pushback_buffer[MAXPUSHBACK];
+int pushback_index = 0;
+
+int
+lgetc(int quotec)
+{
+ int c, next;
+
+ if (parsebuf) {
+ /* Read character from the parsebuffer instead of input. */
+ if (parseindex >= 0) {
+ c = (unsigned char)parsebuf[parseindex++];
+ if (c != '\0')
+ return (c);
+ parsebuf = NULL;
+ } else
+ parseindex++;
+ }
+
+ if (pushback_index)
+ return ((unsigned char)pushback_buffer[--pushback_index]);
+
+ if (quotec) {
+ if ((c = getc(file->stream)) == EOF) {
+ yyerror("reached end of file while parsing "
+ "quoted string");
+ if (file == topfile || popfile() == EOF)
+ return (EOF);
+ return (quotec);
+ }
+ return (c);
+ }
+
+ while ((c = getc(file->stream)) == '\\') {
+ next = getc(file->stream);
+ if (next != '\n') {
+ c = next;
+ break;
+ }
+ yylval.lineno = file->lineno;
+ file->lineno++;
+ }
+
+ while (c == EOF) {
+ if (file == topfile || popfile() == EOF)
+ return (EOF);
+ c = getc(file->stream);
+ }
+ return (c);
+}
+
+int
+lungetc(int c)
+{
+ if (c == EOF)
+ return (EOF);
+ if (parsebuf) {
+ parseindex--;
+ if (parseindex >= 0)
+ return (c);
+ }
+ if (pushback_index + 1 >= MAXPUSHBACK)
+ return (EOF);
+ pushback_buffer[pushback_index++] = c;
+ return (c);
+}
+
+int
+findeol(void)
+{
+ int c;
+
+ parsebuf = NULL;
+ pushback_index = 0;
+
+ /* skip to either EOF or the first real EOL */
+ while (1) {
+ c = lgetc(0);
+ if (c == '\n') {
+ file->lineno++;
+ break;
+ }
+ if (c == EOF)
+ break;
+ }
+ return (ERROR);
+}
+
+int
+yylex(void)
+{
+ char buf[8096];
+ char *p, *val;
+ int quotec, next, c;
+ int token;
+
+top:
+ p = buf;
+ while ((c = lgetc(0)) == ' ' || c == '\t')
+ ; /* nothing */
+
+ yylval.lineno = file->lineno;
+ if (c == '#')
+ while ((c = lgetc(0)) != '\n' && c != EOF)
+ ; /* nothing */
+ if (c == '{')
+ return (LBRACE);
+
+ if (c == '}')
+ return (RBRACE);
+
+ if (c == ',')
+ return (COMMA);
+
+ if (c == '$' && parsebuf == NULL) {
+ while (1) {
+ if ((c = lgetc(0)) == EOF)
+ return (0);
+
+ if (p + 1 >= buf + sizeof(buf) - 1) {
+ yyerror("string too long");
+ return (findeol());
+ }
+ if (isalnum(c) || c == '_') {
+ *p++ = c;
+ continue;
+ }
+ *p = '\0';
+ lungetc(c);
+ break;
+ }
+ val = symget(buf);
+ if (val == NULL) {
+ yyerror("macro '%s' not defined", buf);
+ return (findeol());
+ }
+ parsebuf = val;
+ parseindex = 0;
+ goto top;
+ }
+
+ switch (c) {
+ case '\'':
+ case '"':
+ quotec = c;
+ while (1) {
+ if ((c = lgetc(quotec)) == EOF)
+ return (0);
+ if (c == '\n') {
+ file->lineno++;
+ continue;
+ } else if (c == '\\') {
+ if ((next = lgetc(quotec)) == EOF)
+ return (0);
+ if (next == quotec || next == ' ' ||
+ next == '\t')
+ c = next;
+ else if (next == '\n') {
+ file->lineno++;
+ continue;
+ } else
+ lungetc(next);
+ } else if (c == quotec) {
+ *p = '\0';
+ break;
+ } else if (c == '\0') {
+ yyerror("syntax error");
+ return (findeol());
+ }
+ if (p + 1 >= buf + sizeof(buf) - 1) {
+ yyerror("string too long");
+ return (findeol());
+ }
+ *p++ = c;
+ }
+ yylval.v.string = strdup(buf);
+ if (yylval.v.string == NULL)
+ err(1, "%s", __func__);
+ return (STRING);
+ }
+
+#define allowed_to_end_number(x) \
+ (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
+
+ if (c == '-' || isdigit(c)) {
+ do {
+ *p++ = c;
+ if ((size_t)(p-buf) >= sizeof(buf)) {
+ yyerror("string too long");
+ return (findeol());
+ }
+ } while ((c = lgetc(0)) != EOF && isdigit(c));
+ lungetc(c);
+ if (p == buf + 1 && buf[0] == '-')
+ goto nodigits;
+ if (c == EOF || allowed_to_end_number(c)) {
+ const char *errstr = NULL;
+
+ *p = '\0';
+ yylval.v.number = strtonum(buf, LLONG_MIN,
+ LLONG_MAX, &errstr);
+ if (errstr) {
+ yyerror("\"%s\" invalid number: %s",
+ buf, errstr);
+ return (findeol());
+ }
+ return (NUMBER);
+ } else {
+nodigits:
+ while (p > buf + 1)
+ lungetc((unsigned char)*--p);
+ c = (unsigned char)*--p;
+ if (c == '-')
+ return (c);
+ }
+ }
+
+ if (c == '=') {
+ if ((c = lgetc(0)) != EOF && c == '>')
+ return (ARROW);
+ lungetc(c);
+ c = '=';
+ }
+
+#define allowed_in_string(x) \
+ (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
+ x != '{' && x != '}' && x != '<' && x != '>' && \
+ x != '!' && x != '=' && x != '#' && \
+ x != ','))
+
+ if (isalnum(c) || c == ':' || c == '_') {
+ do {
+ *p++ = c;
+ if ((size_t)(p-buf) >= sizeof(buf)) {
+ yyerror("string too long");
+ return (findeol());
+ }
+ } while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
+ lungetc(c);
+ *p = '\0';
+ if ((token = lookup(buf)) == STRING)
+ if ((yylval.v.string = strdup(buf)) == NULL)
+ err(1, "%s", __func__);
+ return (token);
+ }
+ if (c == '\n') {
+ yylval.lineno = file->lineno;
+ file->lineno++;
+ }
+
+ if (c == EOF)
+ return (0);
+ return (c);
+}
+
+int
+check_file_secrecy(int fd, const char *fname)
+{
+ struct stat st;
+
+ if (fstat(fd, &st)) {
+ fprintf(stderr, "warn: cannot stat %s\n", fname);
+ return (-1);
+ }
+ if (st.st_uid != 0 && st.st_uid != getuid()) {
+ fprintf(stderr, "warn: %s: owner not root or current user\n",
fname);
+ return (-1);
+ }
+ if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
+ fprintf(stderr, "warn: %s: group/world readable/writeable\n",
fname);
+ return (-1);
+ }
+ return (0);
+}
+
+struct file *
+pushfile(int secret)
+{
+ int fd;
+ struct file *nfile;
+
+ if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
+ fprintf(stderr, "%s\n", __func__);
+ return (NULL);
+ }
+ if ((nfile->name = strdup("/etc/tcpdump.conf")) == NULL) {
+ fprintf(stderr, "%s\n", __func__);
+ free(nfile);
+ return (NULL);
+ }
+ if ((fd = priv_open_conf()) == -1) {
+ fprintf(stderr, "%s: %s\n", __func__, nfile->name);
+ free(nfile->name);
+ free(nfile);
+ return (NULL);
+ }
+
+ if ((nfile->stream = fdopen(fd, "r")) == NULL) {
+ fprintf(stderr, "%s: %s\n", __func__, nfile->name);
+ free(nfile->name);
+ free(nfile);
+ return (NULL);
+ }
+
+ if (secret && check_file_secrecy(fd, nfile->name)) {
+ fclose(nfile->stream);
+ free(nfile->name);
+ free(nfile);
+ return (NULL);
+ }
+ nfile->lineno = 1;
+ TAILQ_INSERT_TAIL(&files, nfile, entry);
+ return (nfile);
+}
+
+int
+popfile(void)
+{
+ struct file *prev;
+
+ if ((prev = TAILQ_PREV(file, files, entry)) != NULL)
+ prev->errors += file->errors;
+
+ TAILQ_REMOVE(&files, file, entry);
+ fclose(file->stream);
+ free(file->name);
+ free(file);
+ file = prev;
+ return (file ? 0 : EOF);
+}
+
+struct tcpdump_conf *
+tcpd_parse_config(int verbose)
+{
+ struct sym *sym, *next;
+
+ conf = calloc(1, sizeof(*conf));
+ if (conf == NULL)
+ return NULL;
+
+ TAILQ_INIT(&conf->policies);
+
+ errors = 0;
+
+ if ((file = pushfile(0)) == NULL) {
+ config_free(conf);
+ return NULL;
+ }
+ topfile = file;
+
+ /*
+ * parse configuration
+ */
+ yyparse();
+ errors = file->errors;
+ popfile();
+
+ /* Free macros and check which have not been used. */
+ TAILQ_FOREACH_SAFE(sym, &symhead, entry, next) {
+ if ((verbose) && !sym->used)
+ fprintf(stderr, "warning: macro '%s' not used\n",
sym->nam);
+ if (!sym->persist) {
+ free(sym->nam);
+ free(sym->val);
+ TAILQ_REMOVE(&symhead, sym, entry);
+ free(sym);
+ }
+ }
+
+ //fclose(file->stream); /* close tcpdump.conf */
+
+ if (errors) {
+ config_free(conf);
+ return NULL;
+ }
+
+
+ return conf;
+}
+
+int
+symset(const char *nam, const char *val, int persist)
+{
+ struct sym *sym;
+
+ TAILQ_FOREACH(sym, &symhead, entry) {
+ if (strcmp(nam, sym->nam) == 0)
+ break;
+ }
+
+ if (sym != NULL) {
+ if (sym->persist == 1)
+ return (0);
+ else {
+ free(sym->nam);
+ free(sym->val);
+ TAILQ_REMOVE(&symhead, sym, entry);
+ free(sym);
+ }
+ }
+ if ((sym = calloc(1, sizeof(*sym))) == NULL)
+ return (-1);
+
+ sym->nam = strdup(nam);
+ if (sym->nam == NULL) {
+ free(sym);
+ return (-1);
+ }
+ sym->val = strdup(val);
+ if (sym->val == NULL) {
+ free(sym->nam);
+ free(sym);
+ return (-1);
+ }
+ sym->used = 0;
+ sym->persist = persist;
+ TAILQ_INSERT_TAIL(&symhead, sym, entry);
+ return (0);
+}
+
+int
+cmdline_symset(char *s)
+{
+ char *sym, *val;
+ int ret;
+
+ if ((val = strrchr(s, '=')) == NULL)
+ return (-1);
+ sym = strndup(s, val - s);
+ if (sym == NULL)
+ errx(1, "%s: strndup", __func__);
+ ret = symset(sym, val + 1, 1);
+ free(sym);
+
+ return (ret);
+}
+
+char *
+symget(const char *nam)
+{
+ struct sym *sym;
+
+ TAILQ_FOREACH(sym, &symhead, entry) {
+ if (strcmp(nam, sym->nam) == 0) {
+ sym->used = 1;
+ return (sym->val);
+ }
+ }
+ return (NULL);
+}
+
+static void
+config_free(struct tcpdump_conf *c)
+{
+ struct policy *p;
+
+ while ((p = TAILQ_FIRST(&c->policies))) {
+ TAILQ_REMOVE(&c->policies, p, entry);
+ free(p);
+ }
+ free(c);
+}
+
+static void
+config_policy(struct policy *p)
+{
+ TAILQ_INSERT_TAIL(&conf->policies, p, entry);
+}
+
+static void
+add_policy(struct printer_opts *popts)
+{
+ if (popts->po_arp)
+ add_policy2("arp");
+ if (popts->po_atalk)
+ add_policy2("atalk");
+ if (popts->po_atm)
+ add_policy2("atm");
+ if (popts->po_bgp)
+ add_policy2("bgp");
+ if (popts->po_bootp)
+ add_policy2("bootp");
+ if (popts->po_carp)
+ add_policy2("carp");
+ if (popts->po_cdp)
+ add_policy2("cdp");
+ if (popts->po_cnfp)
+ add_policy2("cnfp");
+ if (popts->po_decnet)
+ add_policy2("decnet");
+ if (popts->po_dhcp6)
+ add_policy2("dhcp6");
+ if (popts->po_domain)
+ add_policy2("domain");
+ if (popts->po_dvmrp)
+ add_policy2("dvmrp");
+ if (popts->po_enc)
+ add_policy2("enc");
+ if (popts->po_ether)
+ add_policy2("ether");
+ if (popts->po_etherip)
+ add_policy2("etherip");
+ if (popts->po_fddi)
+ add_policy2("fddi");
+ if (popts->po_frag6)
+ add_policy2("frag6");
+ if (popts->po_gre)
+ add_policy2("gre");
+ if (popts->po_gtp)
+ add_policy2("gtp");
+ if (popts->po_hsrp)
+ add_policy2("hsrp");
+ if (popts->po_iapp)
+ add_policy2("iapp");
+ if (popts->po_icmp)
+ add_policy2("icmp");
+ if (popts->po_icmp6)
+ add_policy2("icmp6");
+ if (popts->po_igrp)
+ add_policy2("igrp");
+ if (popts->po_ike)
+ add_policy2("ike");
+ if (popts->po_ip)
+ add_policy2("ip");
+ if (popts->po_ip6)
+ add_policy2("ip6");
+ if (popts->po_ipsec)
+ add_policy2("ipsec");
+ if (popts->po_ipx)
+ add_policy2("ipx");
+ if (popts->po_isoclns)
+ add_policy2("isoclns");
+ if (popts->po_krb)
+ add_policy2("krb");
+ if (popts->po_l2tp)
+ add_policy2("l2tp");
+ if (popts->po_llc)
+ add_policy2("llc");
+ if (popts->po_lldp)
+ add_policy2("lldp");
+ if (popts->po_lwres)
+ add_policy2("lwres");
+ if (popts->po_mobile)
+ add_policy2("mobile");
+ if (popts->po_mpls)
+ add_policy2("mpls");
+ if (popts->po_netbios)
+ add_policy2("netbios");
+ if (popts->po_nfs)
+ add_policy2("nfs");
+ if (popts->po_nhrp)
+ add_policy2("nhrp");
+ if (popts->po_nsh)
+ add_policy2("nsh");
+ if (popts->po_ntp)
+ add_policy2("ntp");
+ if (popts->po_null)
+ add_policy2("null");
+ if (popts->po_ofp)
+ add_policy2("ofp");
+ if (popts->po_ospf)
+ add_policy2("ospf");
+ if (popts->po_ospf6)
+ add_policy2("ospf6");
+ if (popts->po_pflog)
+ add_policy2("pflog");
+ if (popts->po_pfsync)
+ add_policy2("pfsync");
+ if (popts->po_pim)
+ add_policy2("pim");
+ if (popts->po_ppp)
+ add_policy2("ppp");
+ if (popts->po_radius)
+ add_policy2("radius");
+ if (popts->po_raw)
+ add_policy2("raw");
+ if (popts->po_rip)
+ add_policy2("rip");
+ if (popts->po_ripng);
+ add_policy2("ripng");
+ if (popts->po_sl)
+ add_policy2("sl");
+ if (popts->po_slow)
+ add_policy2("slow");
+ if (popts->po_snmp)
+ add_policy2("snmp");
+ if (popts->po_stp)
+ add_policy2("stp");
+ if (popts->po_sunrpc)
+ add_policy2("sunrpc");
+ if (popts->po_tcp)
+ add_policy2("tcp");
+ if (popts->po_tftp)
+ add_policy2("tftp");
+ if (popts->po_timed)
+ add_policy2("timed");
+ if (popts->po_udp)
+ add_policy2("udp");
+ if (popts->po_udpencap)
+ add_policy2("udpencap");
+ if (popts->po_usbpcap)
+ add_policy2("usbpcap");
+ if (popts->po_vqp)
+ add_policy2("vqp");
+ if (popts->po_vrrp)
+ add_policy2("vrrp");
+ if (popts->po_wb)
+ add_policy2("wb");
+ if (popts->po_wg)
+ add_policy2("wg");
+}
+
+static void
+add_policy2(char *filechunk)
+{
+ struct policy *p;
+ char filename[PATH_MAX];
+
+ snprintf(filename, sizeof(filename), "print-%s.c", filechunk);
+
+ p = (struct policy *)calloc(sizeof(*p), 1);
+ if (p == NULL)
+ err(1, "calloc");
+
+ p->filename = strdup(filename);
+ if (p->filename == NULL)
+ err(1, "strdup");
+
+ config_policy(p);
+}
+
+int
+check_policy(char *filename)
+{
+ struct tcpdump_conf *env = conf;
+ char *split;
+ struct policy *p;
+
+ split = strrchr(filename, '/');
+ if (split == NULL)
+ split = filename;
+ else
+ split++;
+
+ TAILQ_FOREACH(p, &env->policies, entry) {
+ if (strcmp(split, p->filename) == 0) {
+ return 0;
+ }
+ }
+
+ return (1);
+}
Index: print-arp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-arp.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 print-arp.c
--- print-arp.c 1 Dec 2021 18:28:45 -0000 1.17
+++ print-arp.c 7 Mar 2023 06:47:38 -0000
@@ -37,6 +37,9 @@
#include "ethertype.h"
#include "extract.h" /* must come after interface.h */
+
+extern int check_policy(char *filename);
+
/* Compatibility */
#ifndef REVARP_REQUEST
#define REVARP_REQUEST 3
@@ -54,6 +57,11 @@ arp_print(const u_char *bp, u_int length
const struct ether_header *eh;
u_short pro, hrd, op;
+ if (check_policy(__FILE__)) {
+ printf("[|arp policy violation] ");
+ return;
+ }
+
ap = (struct ether_arp *)bp;
if ((u_char *)(ap + 1) > snapend) {
printf("[|arp]");
Index: print-atalk.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-atalk.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 print-atalk.c
--- print-atalk.c 1 Dec 2021 18:28:45 -0000 1.35
+++ print-atalk.c 7 Mar 2023 06:47:38 -0000
@@ -50,6 +50,8 @@
#include "savestr.h"
#include "privsep.h"
+extern int check_policy(char *filename);
+
static struct tok type2str[] = {
{ ddpRTMP, "rtmp" },
{ ddpRTMPrequest, "rtmpReq" },
@@ -95,6 +97,11 @@ atalk_print(const u_char *bp, u_int leng
{
const struct atDDP *dp;
u_short snet;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ddp policy violation] ");
+ return;
+ }
if (length < ddpSize) {
printf(" [|ddp %d]", length);
Index: print-atm.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-atm.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 print-atm.c
--- print-atm.c 1 Dec 2021 18:28:45 -0000 1.15
+++ print-atm.c 7 Mar 2023 06:47:38 -0000
@@ -41,6 +41,8 @@
#include "addrtoname.h"
#include "ethertype.h"
+extern int check_policy(char *filename);
+
/*
* This is the top level routine of the printer. 'p' is the points
* to the LLC/SNAP header of the packet, 'tvp' is the timestamp,
@@ -55,6 +57,11 @@ atm_if_print(u_char *user, const struct
u_short ethertype;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|atm policy violation] ");
+ return;
+ }
if (caplen < 8) {
printf("[|atm]");
Index: print-bgp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-bgp.c,v
retrieving revision 1.32
diff -u -p -u -r1.32 print-bgp.c
--- print-bgp.c 25 May 2022 16:21:11 -0000 1.32
+++ print-bgp.c 7 Mar 2023 06:47:38 -0000
@@ -46,6 +46,8 @@
#include "extract.h"
#include "afnum.h"
+extern int check_policy(char *filename);
+
struct bgp {
u_int8_t bgp_marker[16];
u_int16_t bgp_len;
@@ -1153,6 +1155,12 @@ bgp_print(const u_char *dat, int length)
struct bgp bgp;
u_int16_t hlen;
int newline;
+
+
+ if (check_policy(__FILE__)) {
+ printf("[|BGP policy violation]");
+ return;
+ }
ep = dat + length;
if (snapend < dat + length)
Index: print-bootp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-bootp.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 print-bootp.c
--- print-bootp.c 1 Dec 2021 18:28:45 -0000 1.25
+++ print-bootp.c 7 Mar 2023 06:47:38 -0000
@@ -38,6 +38,7 @@
#include "addrtoname.h"
#include "bootp.h"
+extern int check_policy(char *filename);
static void rfc1048_print(const u_char *, u_int);
static void cmu_print(const u_char *, u_int);
@@ -53,6 +54,11 @@ bootp_print(const u_char *cp, u_int leng
const struct bootp *bp;
static u_char vm_cmu[4] = VM_CMU;
static u_char vm_rfc1048[4] = VM_RFC1048;
+
+ if (check_policy(__FILE__)) {
+ printf("[|bootp policy violation] ");
+ return;
+ }
bp = (struct bootp *)cp;
TCHECK(bp->bp_op);
Index: print-carp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-carp.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 print-carp.c
--- print-carp.c 15 Nov 2015 20:35:36 -0000 1.7
+++ print-carp.c 7 Mar 2023 06:47:38 -0000
@@ -42,11 +42,18 @@
#include "extract.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
void
carp_print(const u_char *bp, u_int len, int ttl)
{
int version, type;
char *type_s;
+
+ if (check_policy(__FILE__)) {
+ printf("[|carp policy violation] ");
+ return;
+ }
TCHECK(bp[0]);
version = (bp[0] & 0xf0) >> 4;
Index: print-cdp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-cdp.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 print-cdp.c
--- print-cdp.c 11 Sep 2019 15:20:30 -0000 1.8
+++ print-cdp.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,7 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
int cdp_print_addr(const u_char * p, int l);
void cdp_print_prefixes(const u_char * p, int l);
@@ -51,6 +52,10 @@ cdp_print(const u_char *p, u_int length,
int type, len;
/* Cisco Discovery Protocol */
+ if (check_policy(__FILE__)) {
+ printf("[|cdp policy violation] ");
+ return;
+ }
if (caplen < i + 4) {
printf("[|cdp]");
Index: print-cnfp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-cnfp.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 print-cnfp.c
--- print-cnfp.c 5 Jan 2022 05:41:25 -0000 1.11
+++ print-cnfp.c 7 Mar 2023 06:47:38 -0000
@@ -42,6 +42,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
struct nfhdr {
u_int32_t ver_cnt; /* version [15], and # of records */
u_int32_t msys_uptime;
@@ -73,6 +75,11 @@ cnfp_print(const u_char *cp, u_int len)
const struct nfhdr *nh;
const struct nfrec *nr;
int nrecs, ver, proto;
+
+ if (check_policy(__FILE__)) {
+ printf("[|cnfp policy violation] ");
+ return;
+ }
nh = (struct nfhdr *)cp;
Index: print-decnet.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-decnet.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 print-decnet.c
--- print-decnet.c 1 Dec 2021 18:28:45 -0000 1.19
+++ print-decnet.c 7 Mar 2023 06:47:38 -0000
@@ -41,6 +41,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/* Forwards */
static int print_decnet_ctlmsg(const union routehdr *, u_int, u_int);
static void print_t_info(int);
@@ -67,6 +69,11 @@ decnet_print(const u_char *ap, u_int len
int dst, src, hops;
u_int rhlen, nsplen, pktlen;
const u_char *nspp;
+
+ if (check_policy(__FILE__)) {
+ printf("[|decnet policy violation] ");
+ return;
+ }
if (length < sizeof(struct shorthdr)) {
printf("[|decnet]");
Index: print-dhcp6.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-dhcp6.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 print-dhcp6.c
--- print-dhcp6.c 1 Dec 2021 18:28:45 -0000 1.13
+++ print-dhcp6.c 7 Mar 2023 06:47:38 -0000
@@ -32,6 +32,8 @@
#include "extract.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/* Message type */
#define DH6_SOLICIT 1
#define DH6_ADVERTISE 2
@@ -128,6 +130,11 @@ dhcp6_print(const u_char *cp, u_int leng
uint32_t hdr;
int l = snapend - cp;
const char *msgname;
+
+ if (check_policy(__FILE__)) {
+ printf("[|dhcp6 policy violation] ");
+ return;
+ }
printf("DHCPv6");
Index: print-domain.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-domain.c,v
retrieving revision 1.28
diff -u -p -u -r1.28 print-domain.c
--- print-domain.c 1 Mar 2023 08:15:58 -0000 1.28
+++ print-domain.c 7 Mar 2023 06:47:38 -0000
@@ -49,6 +49,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
static const char *ns_ops[] = {
"", " inv_q", " stat", " op3", " notify", " update", " op6", " op7",
" op8", " updataA", " updateD", " updateDA",
@@ -576,6 +578,11 @@ ns_print(const u_char *bp, u_int length,
int qdcount, ancount, nscount, arcount;
const u_char *cp;
u_int16_t b2;
+
+ if (check_policy(__FILE__)) {
+ printf("[|domain policy violation] ");
+ return;
+ }
np = (const HEADER *)bp;
TCHECK(*np);
Index: print-dvmrp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-dvmrp.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 print-dvmrp.c
--- print-dvmrp.c 16 Nov 2015 00:16:39 -0000 1.9
+++ print-dvmrp.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/*
* DVMRP message types and flag values shamelessly stolen from
* mrouted/dvmrp.h.
@@ -81,6 +83,11 @@ dvmrp_print(const u_char *bp, u_int len)
const u_char *ep;
u_char type;
+ if (check_policy(__FILE__)) {
+ printf("[|dvmrp policy violation] ");
+ return;
+ }
+
ep = (const u_char *)snapend;
if (bp >= ep)
return;
Index: print-enc.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-enc.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 print-enc.c
--- print-enc.c 1 Dec 2021 18:28:45 -0000 1.17
+++ print-enc.c 7 Mar 2023 06:47:38 -0000
@@ -46,6 +46,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
#define ENC_PRINT_TYPE(wh, xf, nam) \
if ((wh) & (xf)) { \
printf("%s%s", nam, (wh) == (xf) ? "): " : ","); \
@@ -60,6 +62,11 @@ enc_if_print(u_char *user, const struct
int flags;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|enc policy violation] ");
+ goto out;
+ }
if (caplen < ENC_HDRLEN) {
printf("[|enc]");
Index: print-ether.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
retrieving revision 1.42
diff -u -p -u -r1.42 print-ether.c
--- print-ether.c 9 Jun 2022 12:56:14 -0000 1.42
+++ print-ether.c 7 Mar 2023 06:47:38 -0000
@@ -45,6 +45,8 @@
#include "ethertype.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
const u_char *packetp;
const u_char *snapend;
@@ -106,6 +108,11 @@ ether_tryprint(const u_char *p, u_int le
struct ether_header *ep;
u_int caplen = snapend - p;
u_short ether_type;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ether policy violation] ");
+ goto out;
+ }
if (caplen < sizeof(struct ether_header)) {
printf("[|ether]");
Index: print-etherip.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-etherip.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 print-etherip.c
--- print-etherip.c 10 Feb 2018 10:00:32 -0000 1.10
+++ print-etherip.c 7 Mar 2023 06:47:38 -0000
@@ -53,6 +53,8 @@
#include "interface.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
extern u_short extracted_ethertype;
void
@@ -62,6 +64,11 @@ etherip_print(const u_char *bp, u_int ca
const u_char *pbuf = bp;
u_int plen = caplen, hlen;
u_int16_t etype;
+
+ if (check_policy(__FILE__)) {
+ printf("[|etherip policy violation] ");
+ return;
+ }
printf("etherip ");
Index: print-fddi.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-fddi.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 print-fddi.c
--- print-fddi.c 1 Dec 2021 18:28:46 -0000 1.19
+++ print-fddi.c 7 Mar 2023 06:47:38 -0000
@@ -45,6 +45,8 @@
#include "fddi.h"
+extern int check_policy(char *filename);
+
/*
* Some FDDI interfaces use bit-swapped addresses.
*/
@@ -223,6 +225,12 @@ fddi_print(const struct fddi_header *fdd
{
char *srcname, *dstname;
+
+ if (check_policy(__FILE__)) {
+ printf("[|fddi policy violation] ");
+ return;
+ }
+
srcname = etheraddr_string(fsrc);
dstname = etheraddr_string(fdst);
@@ -262,6 +270,11 @@ fddi_if_print(u_char *pcap, const struct
struct ether_header ehdr;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|fddi policy violation]");
+ goto out;
+ }
if (caplen < FDDI_HDRLEN) {
printf("[|fddi]");
Index: print-gre.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-gre.c,v
retrieving revision 1.34
diff -u -p -u -r1.34 print-gre.c
--- print-gre.c 17 Aug 2020 07:09:25 -0000 1.34
+++ print-gre.c 7 Mar 2023 06:47:38 -0000
@@ -48,6 +48,8 @@
#include "addrtoname.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
#define GRE_CP 0x8000 /* checksum present */
#define GRE_RP 0x4000 /* routing present */
#define GRE_KP 0x2000 /* key present */
@@ -94,6 +96,11 @@ gre_print(const u_char *p, u_int length)
{
uint16_t vers;
int l;
+
+ if (check_policy(__FILE__)) {
+ printf("[|gre policy violation] ");
+ return;
+ }
l = snapend - p;
Index: print-gtp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-gtp.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 print-gtp.c
--- print-gtp.c 26 Oct 2020 23:19:18 -0000 1.13
+++ print-gtp.c 7 Mar 2023 06:47:38 -0000
@@ -57,6 +57,8 @@
#include "interface.h"
#include "gtp.h"
+extern int check_policy(char *filename);
+
#ifndef nitems
#define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
#endif
@@ -298,6 +300,11 @@ void
gtp_print(const u_char *cp, u_int length, u_short sport, u_short dport)
{
int version;
+
+ if (check_policy(__FILE__)) {
+ printf("[|gtp policy violation] ");
+ return;
+ }
/* Decode GTP version. */
TCHECK(cp[0]);
Index: print-hsrp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-hsrp.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 print-hsrp.c
--- print-hsrp.c 16 Nov 2015 00:16:39 -0000 1.5
+++ print-hsrp.c 7 Mar 2023 06:47:38 -0000
@@ -43,6 +43,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/* HSRP op code types. */
static const char *op_code_str[] = {
"hello",
@@ -99,6 +101,11 @@ void
hsrp_print(const u_char *bp, u_int len)
{
struct hsrp *hp = (struct hsrp *) bp;
+
+ if (check_policy(__FILE__)) {
+ printf("[|hsrp policy violation] ");
+ return;
+ }
TCHECK(hp->hsrp_version);
printf("HSRPv%d", hp->hsrp_version);
Index: print-iapp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-iapp.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 print-iapp.c
--- print-iapp.c 6 Jul 2018 05:47:22 -0000 1.6
+++ print-iapp.c 7 Mar 2023 06:47:38 -0000
@@ -40,6 +40,7 @@ const char *ieee80211_iapp_frame_type_na
IEEE80211_IAPP_FRAME_TYPE_NAME;
extern int ieee80211_encap;
+extern int check_policy(char *filename);
void
iapp_print(const u_char *p, u_int len)
@@ -48,6 +49,11 @@ iapp_print(const u_char *p, u_int len)
struct ieee80211_iapp_add_notify *add;
struct pcap_pkthdr fakeh;
const u_char *data;
+
+ if (check_policy(__FILE__)) {
+ printf("[|iapp policy violation] ");
+ return;
+ }
TCHECK2(*wf, sizeof(struct ieee80211_iapp_frame));
Index: print-icmp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-icmp.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 print-icmp.c
--- print-icmp.c 1 Dec 2021 18:28:46 -0000 1.27
+++ print-icmp.c 7 Mar 2023 06:47:38 -0000
@@ -43,6 +43,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
/* rfc1700 */
#ifndef ICMP_UNREACH_NET_UNKNOWN
#define ICMP_UNREACH_NET_UNKNOWN 6 /* destination net unknown */
@@ -171,6 +173,11 @@ icmp_print(const u_char *bp, u_int lengt
u_int hlen, dport, mtu;
char buf[HOST_NAME_MAX+1+256];
char buf2[HOST_NAME_MAX+1+256];
+
+ if (check_policy(__FILE__)) {
+ printf("[|icmp policy violation] ");
+ return;
+ }
dp = (struct icmp *)bp;
ip = (struct ip *)bp2;
Index: print-icmp6.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-icmp6.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 print-icmp6.c
--- print-icmp6.c 28 Dec 2022 21:30:19 -0000 1.25
+++ print-icmp6.c 7 Mar 2023 06:47:38 -0000
@@ -52,6 +52,8 @@
#include "addrtoname.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
void icmp6_opt_print(const u_char *, int);
void mld6_print(const u_char *);
void mldv2_query_print(const u_char *, u_int);
@@ -135,6 +137,11 @@ icmp6_print(const u_char *bp, u_int leng
#if 0
#define TCHECK(var) if ((u_char *)&(var) > ep - sizeof(var)) goto trunc
#endif
+
+ if (check_policy(__FILE__)) {
+ printf("[|icmp6 policy violation] ");
+ return;
+ }
dp = (struct icmp6_hdr *)bp;
ip = (struct ip6_hdr *)bp2;
Index: print-igrp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-igrp.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 print-igrp.c
--- print-igrp.c 24 Jan 2020 22:46:36 -0000 1.9
+++ print-igrp.c 7 Mar 2023 06:47:38 -0000
@@ -40,6 +40,8 @@
#include "igrp.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
static void
igrp_entry_print(struct igrprte *igr, int is_interior, int is_exterior)
{
@@ -82,6 +84,12 @@ igrp_print(const u_char *bp, u_int lengt
struct ip *ip;
u_char *cp;
u_int nint, nsys, next;
+
+
+ if (check_policy(__FILE__)) {
+ printf("[|igrp policy violation] ");
+ return;
+ }
hdr = (struct igrphdr *)bp;
ip = (struct ip *)bp2;
Index: print-ike.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ike.c,v
retrieving revision 1.41
diff -u -p -u -r1.41 print-ike.c
--- print-ike.c 28 Dec 2022 21:30:19 -0000 1.41
+++ print-ike.c 7 Mar 2023 06:47:38 -0000
@@ -42,6 +42,8 @@
#include "addrtoname.h"
#include "ike.h"
+extern int check_policy(char *filename);
+
struct isakmp_header {
u_int8_t init_cookie[8];
u_int8_t resp_cookie[8];
@@ -185,6 +187,11 @@ ike_print (const u_int8_t *cp, u_int len
u_int8_t *payload, next_payload;
int encrypted;
static const char *exgtypes[] = IKE_EXCHANGE_TYPES_INITIALIZER;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ike policy violation] ");
+ return;
+ }
encrypted = 0;
Index: print-ip.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ip.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 print-ip.c
--- print-ip.c 24 Jan 2020 22:46:36 -0000 1.53
+++ print-ip.c 7 Mar 2023 06:47:38 -0000
@@ -41,6 +41,8 @@
#include "interface.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
/* Compatibility */
#ifndef IPPROTO_ND
#define IPPROTO_ND 77
@@ -322,6 +324,11 @@ ip_print(const u_char *bp, u_int length)
const u_char *cp;
const u_char *pktp = packetp;
const u_char *send = snapend;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ip policy violation] ");
+ return;
+ }
TCHECK2(bp[0], 1);
ip = (const struct ip *)bp;
Index: print-ip6.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ip6.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 print-ip6.c
--- print-ip6.c 24 Jan 2020 22:46:37 -0000 1.30
+++ print-ip6.c 7 Mar 2023 06:47:38 -0000
@@ -43,6 +43,8 @@
#include <netinet/ip6.h>
+extern int check_policy(char *filename);
+
/*
* print an IP6 datagram.
*/
@@ -57,6 +59,11 @@ ip6_print(const u_char *bp, u_int length
const u_char *send = snapend;
int nh;
u_int flow;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ip6 policy violation] ");
+ return;
+ }
ip6 = (const struct ip6_hdr *)bp;
if ((u_char *)(ip6 + 1) > snapend) {
Index: print-ipsec.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ipsec.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 print-ipsec.c
--- print-ipsec.c 29 Nov 2021 18:50:16 -0000 1.27
+++ print-ipsec.c 7 Mar 2023 06:47:38 -0000
@@ -49,6 +49,9 @@
#include <openssl/evp.h>
#include <ctype.h>
+extern int check_policy(char *filename);
+
+
/*
* IPsec/ESP header
*/
@@ -207,6 +210,11 @@ esp_print (const u_char *bp, u_int len,
{
const struct esp_hdr *esp;
+ if (check_policy(__FILE__)) {
+ printf("[|esp/ipsec policy violation] ");
+ return;
+ }
+
if (len < sizeof(struct esp_hdr)) {
printf("[|esp]");
return;
@@ -238,6 +246,11 @@ ah_print (const u_char *bp, u_int len, c
const struct ah_hdr *ah;
u_int pl_len = len;
const struct ip6_hdr *ip6;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ah/ipsec policy violation] ");
+ return;
+ }
ip = (const struct ip *)bp2;
if (ip->ip_v == 6) {
@@ -326,6 +339,11 @@ ipcomp_print (const u_char *bp, u_int le
const struct ipcomp_hdr *ipc;
u_int plen = len;
+ if (check_policy(__FILE__)) {
+ printf("[|ipcomp/ipsec policy violation] ");
+ return;
+ }
+
ip = (const struct ip *)bp2;
printf("ipcomp %s > %s",
Index: print-ipx.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ipx.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 print-ipx.c
--- print-ipx.c 24 Jan 2020 22:46:37 -0000 1.16
+++ print-ipx.c 7 Mar 2023 06:47:38 -0000
@@ -43,6 +43,7 @@
#include "ipx.h"
#include "extract.h"
+extern int check_policy(char *filename);
static const char *ipxaddr_string(u_int32_t, const u_char *);
void ipx_decode(const struct ipxHdr *, const u_char *, u_int);
@@ -56,6 +57,11 @@ void
ipx_print(const u_char *p, u_int length)
{
const struct ipxHdr *ipx = (const struct ipxHdr *)p;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ipx policy violation] ");
+ return;
+ }
TCHECK(ipx->srcSkt);
printf("%s.%x > ",
Index: print-isoclns.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-isoclns.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 print-isoclns.c
--- print-isoclns.c 28 Feb 2023 10:04:50 -0000 1.16
+++ print-isoclns.c 7 Mar 2023 06:47:38 -0000
@@ -38,6 +38,8 @@
#include "addrtoname.h"
#include "ethertype.h"
+extern int check_policy(char *filename);
+
#define CLNS 129
#define ESIS 130
#define ISIS 131
@@ -50,6 +52,12 @@ void
isoclns_print(const u_char *p, u_int length, u_int caplen,
const u_char *esrc, const u_char *edst)
{
+
+ if (check_policy(__FILE__)) {
+ printf("|iso-clns policy violation] ");
+ return;
+ }
+
if (caplen < 1) {
printf("[|iso-clns] ");
if (!eflag)
Index: print-krb.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-krb.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 print-krb.c
--- print-krb.c 24 Jan 2020 22:46:37 -0000 1.13
+++ print-krb.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
const u_char *c_print(const u_char *, const u_char *);
const u_char *krb4_print_hdr(const u_char *);
void krb4_print(const u_char *);
@@ -183,6 +185,11 @@ krb4_print(const u_char *cp)
/* True if struct krb is little endian */
#define IS_LENDIAN(kp) (((kp)->type & 0x01) != 0)
#define KTOHSP(kp, cp) (IS_LENDIAN(kp) ? vtohsp(cp) : ntohsp(cp))
+
+ if (check_policy(__FILE__)) {
+ printf("|krb policy violation] ");
+ return;
+ }
kp = (struct krb *)cp;
Index: print-l2tp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-l2tp.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 print-l2tp.c
--- print-l2tp.c 5 Jan 2022 05:46:18 -0000 1.11
+++ print-l2tp.c 7 Mar 2023 06:47:38 -0000
@@ -30,6 +30,7 @@
#include "l2tp.h"
#include "interface.h"
+extern int check_policy(char *filename);
static char tstr[] = " [|l2tp]";
#ifndef TRUE
@@ -618,6 +619,11 @@ l2tp_print(const u_char *dat, u_int leng
u_int cnt = 0; /* total octets consumed */
u_short pad, val;
int flag_t, flag_l, flag_s, flag_o, flag_p;
+
+ if (check_policy(__FILE__)) {
+ printf("|l2tp policy violation] ");
+ return;
+ }
flag_t = flag_l = flag_s = flag_o = flag_p = FALSE;
Index: print-llc.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-llc.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 print-llc.c
--- print-llc.c 28 Feb 2023 10:04:50 -0000 1.23
+++ print-llc.c 7 Mar 2023 06:47:38 -0000
@@ -41,6 +41,8 @@
#include "llc.h"
+extern int check_policy(char *filename);
+
static struct tok cmd2str[] = {
{ LLC_UI, "ui" },
{ LLC_TEST, "test" },
@@ -66,6 +68,11 @@ llc_print(const u_char *p, u_int length,
u_short control;
#endif
int ret;
+
+ if (check_policy(__FILE__)) {
+ printf("[|llc policy violation] ");
+ return (1);
+ }
if (caplen < 3) {
printf("[|llc]");
Index: print-lldp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-lldp.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 print-lldp.c
--- print-lldp.c 28 Nov 2016 17:47:15 -0000 1.9
+++ print-lldp.c 7 Mar 2023 06:47:38 -0000
@@ -34,6 +34,8 @@
#include "interface.h"
#include "afnum.h"
+extern int check_policy(char *filename);
+
enum {
LLDP_TLV_END = 0,
LLDP_TLV_CHASSIS_ID = 1,
@@ -191,6 +193,12 @@ lldp_print(const u_char *p, u_int len)
u_int16_t tlv;
u_int8_t *ptr = (u_int8_t *)p, v = 0;
int n, type, vlen, alen;
+
+
+ if (check_policy(__FILE__)) {
+ printf("[|LLDP policy violation] ");
+ return;
+ }
printf("LLDP");
Index: print-lwres.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-lwres.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 print-lwres.c
--- print-lwres.c 28 Dec 2022 21:30:19 -0000 1.12
+++ print-lwres.c 7 Mar 2023 06:47:38 -0000
@@ -52,6 +52,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
/* BIND9 lib/lwres/include/lwres */
typedef u_int32_t lwres_uint32_t;
typedef u_int16_t lwres_uint16_t;
@@ -348,6 +350,11 @@ lwres_print(const u_char *bp, u_int leng
int response;
int advance;
int unsupported = 0;
+
+ if (check_policy(__FILE__)) {
+ printf("[|lwres policy violation] ");
+ return;
+ }
np = (const struct lwres_lwpacket *)bp;
TCHECK(np->authlength);
Index: print-mobile.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-mobile.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 print-mobile.c
--- print-mobile.c 5 Jan 2022 05:46:18 -0000 1.7
+++ print-mobile.c 7 Mar 2023 06:47:38 -0000
@@ -44,6 +44,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
#define MOBILE_SIZE (8)
struct mobile_ip {
@@ -66,6 +68,11 @@ mobile_print(const u_char *bp, u_int len
const struct mobile_ip *mob;
u_short proto,crc;
u_char osp =0; /* old source address present */
+
+ if (check_policy(__FILE__)) {
+ printf("[|mobile policy violation] ");
+ return;
+ }
mob = (const struct mobile_ip *)bp;
Index: print-mpls.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-mpls.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 print-mpls.c
--- print-mpls.c 6 Jul 2018 07:00:49 -0000 1.4
+++ print-mpls.c 7 Mar 2023 06:47:38 -0000
@@ -35,6 +35,8 @@
#include "interface.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
#define CW_SEQUENCE_MASK (0x0000ffffU)
int controlword_tryprint(const u_char **, u_int *);
@@ -44,6 +46,11 @@ mpls_print(const u_char *bp, u_int len)
{
u_int32_t tag, label, exp, bottom, ttl;
int has_cw;
+
+ if (check_policy(__FILE__)) {
+ printf("[|mpls policy violation] ");
+ return;
+ }
do {
if (bp + sizeof(tag) > snapend)
Index: print-netbios.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-netbios.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 print-netbios.c
--- print-netbios.c 16 Jan 2015 06:40:21 -0000 1.10
+++ print-netbios.c 7 Mar 2023 06:47:38 -0000
@@ -42,12 +42,19 @@
#include "netbios.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
/*
* Print NETBIOS packets.
*/
void
netbios_print(struct p8022Hdr *nb, u_int length)
{
+ if (check_policy(__FILE__)) {
+ printf("[|netbios policy violation] ");
+ return;
+ }
+
if (length < p8022Size) {
printf(" truncated-netbios %d", length);
return;
Index: print-nfs.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-nfs.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 print-nfs.c
--- print-nfs.c 1 Dec 2021 18:28:46 -0000 1.25
+++ print-nfs.c 7 Mar 2023 06:47:38 -0000
@@ -45,6 +45,8 @@
#include "nfs.h"
#include "nfsfh.h"
+extern int check_policy(char *filename);
+
static void nfs_printfh(const u_int32_t *, const u_int);
static void xid_map_enter(const struct rpc_msg *, const u_char *);
static int32_t xid_map_find(const struct rpc_msg *, const u_char *,
@@ -412,6 +414,11 @@ nfsreq_print(const u_char *bp, u_int len
int v3 = 0;
u_int32_t proc;
struct nfsv3_sattr sa3;
+
+ if (check_policy(__FILE__)) {
+ printf("[|nfs policy violation] ");
+ return;
+ }
nfserr = 0; /* assume no error */
rp = (const struct rpc_msg *)bp;
Index: print-nhrp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-nhrp.c,v
retrieving revision 1.2
diff -u -p -u -r1.2 print-nhrp.c
--- print-nhrp.c 28 Dec 2022 21:30:19 -0000 1.2
+++ print-nhrp.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "interface.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
#define NHRP_VER_RFC2332 1
#define NHRP_PKG_RESOLUTION_REQUEST 1
@@ -99,6 +101,11 @@ nhrp_print(const u_char *p, u_int length
{
struct nhrp_header *hdr;
const u_char *nhrpext, *nhrpend;
+
+ if (check_policy(__FILE__)) {
+ printf("[|nhrp policy violation] ");
+ return;
+ }
printf("NHRP: ");
Index: print-nsh.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-nsh.c,v
retrieving revision 1.2
diff -u -p -u -r1.2 print-nsh.c
--- print-nsh.c 28 Feb 2023 10:04:50 -0000 1.2
+++ print-nsh.c 7 Mar 2023 06:47:38 -0000
@@ -36,6 +36,8 @@
#include "addrtoname.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
#ifndef roundup
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
#endif
@@ -104,6 +106,11 @@ nsh_print(const u_char *p, u_int length)
struct nsh_header nsh;
uint32_t field, len, proto;
int l = snapend - p;
+
+ if (check_policy(__FILE__)) {
+ printf("[|nsh policy violation] ");
+ return;
+ }
printf("NSH");
Index: print-ntp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ntp.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 print-ntp.c
--- print-ntp.c 1 Dec 2021 18:28:46 -0000 1.20
+++ print-ntp.c 7 Mar 2023 06:47:38 -0000
@@ -44,6 +44,8 @@
#endif
#include "ntp.h"
+extern int check_policy(char *filename);
+
static void p_sfix(const struct s_fixedpt *);
static void p_ntp_time(const struct l_fixedpt *);
static void p_ntp_delta(const struct l_fixedpt *, const struct l_fixedpt *);
@@ -56,6 +58,11 @@ ntp_print(const u_char *cp, u_int length
{
const struct ntpdata *bp;
int mode, version, leapind;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ntp policy violation] ");
+ return;
+ }
bp = (struct ntpdata *)cp;
/* Note funny sized packets */
Index: print-null.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-null.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 print-null.c
--- print-null.c 1 Dec 2021 18:28:46 -0000 1.25
+++ print-null.c 7 Mar 2023 06:47:38 -0000
@@ -44,6 +44,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
#ifndef AF_NS
#define AF_NS 6 /* XEROX NS protocols */
#endif
@@ -58,6 +60,11 @@ static void
null_print(const u_char *p, const struct ip *ip, u_int length)
{
u_int family;
+
+ if (check_policy(__FILE__)) {
+ printf("[|null policy violation] ");
+ return;
+ }
memcpy((char *)&family, (char *)p, sizeof(family));
Index: print-ofp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ofp.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 print-ofp.c
--- print-ofp.c 27 Nov 2019 17:37:32 -0000 1.12
+++ print-ofp.c 7 Mar 2023 06:47:38 -0000
@@ -29,6 +29,8 @@
#include "interface.h"
#include "ofp_map.h"
+extern int check_policy(char *filename);
+
/* Size of action header without the padding. */
#define AH_UNPADDED (offsetof(struct ofp_action_header, ah_pad))
@@ -560,6 +562,11 @@ ofp_print(const u_char *bp, u_int length
{
struct ofp_header *oh;
unsigned int ohlen, snaplen;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ofp policy violation] ");
+ return;
+ }
/* The captured data might be smaller than indicated */
snaplen = snapend - bp;
Index: print-ospf.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ospf.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 print-ospf.c
--- print-ospf.c 24 Jan 2020 22:46:37 -0000 1.22
+++ print-ospf.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "ospf.h"
+extern int check_policy(char *filename);
+
struct bits {
u_int32_t bit;
const char *str;
@@ -497,6 +499,11 @@ ospf_print(const u_char *bp, u_int lengt
const struct ip *ip;
const u_char *dataend;
const char *cp;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ospf policy violation] ");
+ return;
+ }
op = (struct ospfhdr *)bp;
ip = (struct ip *)bp2;
Index: print-ospf6.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ospf6.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 print-ospf6.c
--- print-ospf6.c 24 Jan 2020 22:46:37 -0000 1.11
+++ print-ospf6.c 7 Mar 2023 06:47:38 -0000
@@ -40,6 +40,8 @@
#include "ospf6.h"
+extern int check_policy(char *filename);
+
struct bits {
u_int32_t bit;
const char *str;
@@ -607,6 +609,11 @@ ospf6_print(const u_char *bp, u_int leng
const struct ospf6hdr *op;
const u_char *dataend;
const char *cp;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ospf policy violation] ");
+ return;
+ }
op = (struct ospf6hdr *)bp;
Index: print-pflog.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-pflog.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 print-pflog.c
--- print-pflog.c 22 Feb 2022 17:35:01 -0000 1.35
+++ print-pflog.c 7 Mar 2023 06:47:38 -0000
@@ -49,6 +49,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
char *pf_reasons[PFRES_MAX+2] = PFRES_NAMES;
void
@@ -63,6 +65,11 @@ pflog_if_print(u_char *user, const struc
const struct pfloghdr *hdr;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|pflog policy violation] ");
+ goto out;
+ }
/* check length */
if (caplen < sizeof(u_int8_t)) {
Index: print-pfsync.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-pfsync.c,v
retrieving revision 1.44
diff -u -p -u -r1.44 print-pfsync.c
--- print-pfsync.c 1 Dec 2021 18:28:46 -0000 1.44
+++ print-pfsync.c 7 Mar 2023 06:47:38 -0000
@@ -53,6 +53,8 @@
#include "pfctl_parser.h"
#include "pfctl.h"
+extern int check_policy(char *filename);
+
void pfsync_print(struct pfsync_header *, const u_char *, int);
void
@@ -63,6 +65,11 @@ pfsync_if_print(u_char *user, const stru
ts_print(&h->ts);
+ if (check_policy(__FILE__)) {
+ printf("[|pfsync policy violation] ");
+ goto out;
+ }
+
if (caplen < PFSYNC_HDRLEN) {
printf("[|pfsync]");
goto out;
@@ -140,6 +147,11 @@ pfsync_print(struct pfsync_header *hdr,
struct pfsync_subheader *subh;
int count, plen, alen, flags = 0;
int i;
+
+ if (check_policy(__FILE__)) {
+ printf("[|pfsync policy violation] ");
+ return;
+ }
plen = ntohs(hdr->len);
Index: print-pim.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-pim.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 print-pim.c
--- print-pim.c 24 Jan 2020 22:46:37 -0000 1.9
+++ print-pim.c 7 Mar 2023 06:47:38 -0000
@@ -38,11 +38,18 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
void
pim_print(const u_char *bp, u_int len)
{
const u_char *ep;
u_char type;
+
+ if (check_policy(__FILE__)) {
+ printf("[|pim policy violation] ");
+ return;
+ }
ep = (const u_char *)snapend;
if (bp >= ep)
Index: print-ppp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ppp.c,v
retrieving revision 1.36
diff -u -p -u -r1.36 print-ppp.c
--- print-ppp.c 1 Dec 2021 18:28:46 -0000 1.36
+++ print-ppp.c 7 Mar 2023 06:47:38 -0000
@@ -46,6 +46,8 @@
#include "addrtoname.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
#ifndef nitems
#define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
#endif
@@ -338,6 +340,11 @@ ppp_print(const u_char *p, u_int length)
uint16_t proto;
int l;
+ if (check_policy(__FILE__)) {
+ printf("[|ppp policy violation] ");
+ return;
+ }
+
l = snapend - p;
if (l < sizeof(proto)) {
@@ -1157,6 +1164,11 @@ ppp_if_print(u_char *user, const struct
ts_print(&h->ts);
+ if (check_policy(__FILE__)) {
+ printf("[|ppp policy violation] ");
+ return;
+ }
+
ppp_hdlc_print(p, length);
if (xflag)
@@ -1178,6 +1190,11 @@ ppp_ether_if_print(u_char *user, const s
ts_print(&h->ts);
+ if (check_policy(__FILE__)) {
+ printf("[|pppoe/ppp policy violation] ");
+ return;
+ }
+
if (eflag)
printf("PPPoE ");
@@ -1236,6 +1253,11 @@ int
pppoe_if_print(u_short ethertype, const u_char *p, u_int length, u_int l)
{
uint16_t pppoe_sid, pppoe_len;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ppp policy violation] ");
+ return (1);
+ }
if (ethertype == ETHERTYPE_PPPOEDISC)
printf("PPPoE-Discovery");
Index: print-radius.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-radius.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 print-radius.c
--- print-radius.c 24 Jan 2020 22:46:37 -0000 1.13
+++ print-radius.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "interface.h"
#include "radius.h"
+extern int check_policy(char *filename);
+
static void r_print_att(int code, int len, const u_char *val);
static void r_print_int(int code, int len, const u_char *val);
static void r_print_address(int code, int len, const u_char *val);
@@ -239,6 +241,11 @@ void radius_print(const u_char *data, u_
const struct radius_header *rhp;
const u_char *pp;
int first, l, ac, al;
+
+ if (check_policy(__FILE__)) {
+ printf("[|radius policy violation] ");
+ return;
+ }
if(len < sizeof(struct radius_header)) {
printf("[|radius]");
Index: print-raw.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-raw.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 print-raw.c
--- print-raw.c 1 Dec 2021 18:28:46 -0000 1.9
+++ print-raw.c 7 Mar 2023 06:47:38 -0000
@@ -43,6 +43,8 @@
#include "addrtoname.h"
#include "interface.h"
+extern int check_policy(char *filename);
+
#ifndef AF_NS
#define AF_NS 6 /* XEROX NS protocols */
#endif
@@ -58,6 +60,11 @@ raw_if_print(u_char *user, const struct
u_int caplen = h->caplen;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|raw policy violation] ");
+ return;
+ }
/*
* Some printers want to get back at the link level addresses,
Index: print-rip.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-rip.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 print-rip.c
--- print-rip.c 24 Jan 2020 22:46:37 -0000 1.18
+++ print-rip.c 7 Mar 2023 06:47:38 -0000
@@ -38,6 +38,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
struct rip {
u_char rip_cmd; /* request/response */
u_char rip_vers; /* protocol version # */
@@ -156,6 +158,11 @@ rip_print(const u_char *dat, u_int lengt
const struct rip *rp;
const struct rip_netinfo *ni;
int i, j, trunc;
+
+ if (check_policy(__FILE__)) {
+ printf("[|rip policy violation] ");
+ return;
+ }
i = min(length, snapend - dat) - sizeof(*rp);
if (i < 0) {
Index: print-ripng.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-ripng.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 print-ripng.c
--- print-ripng.c 22 Oct 2018 16:12:45 -0000 1.7
+++ print-ripng.c 7 Mar 2023 06:47:38 -0000
@@ -40,6 +40,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
static int
rip6_entry_print(const struct netinfo6 *ni, int metric)
{
@@ -62,6 +64,11 @@ ripng_print(const u_char *dat, int lengt
(sizeof(struct rip6) - sizeof(struct netinfo6));
int j;
int trunc;
+
+ if (check_policy(__FILE__)) {
+ printf("[|ripng policy violation] ");
+ return;
+ }
if (i < 0)
return;
Index: print-rt6.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-rt6.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 print-rt6.c
--- print-rt6.c 28 Dec 2022 21:30:19 -0000 1.10
+++ print-rt6.c 7 Mar 2023 06:47:38 -0000
@@ -44,6 +44,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
int
rt6_print(const u_char *bp, const u_char *bp2)
{
@@ -51,6 +53,11 @@ rt6_print(const u_char *bp, const u_char
const struct ip6_rthdr0 *dp0;
const u_char *ep;
int i, len;
+
+ if (check_policy(__FILE__)) {
+ printf("[|rt6 policy violation] ");
+ return 65535; /* XXX */
+ }
dp = (struct ip6_rthdr *)bp;
len = dp->ip6r_len;
Index: print-sl.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-sl.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 print-sl.c
--- print-sl.c 1 Dec 2021 18:28:46 -0000 1.22
+++ print-sl.c 7 Mar 2023 06:47:38 -0000
@@ -46,6 +46,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
static u_int lastlen[2][256];
static u_int lastconn = 255;
@@ -76,6 +78,11 @@ sl_if_print(u_char *user, const struct p
const struct ip *ip;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|sl policy violation] ");
+ goto out;
+ }
if (caplen < SLIP_HDRLEN || length < SLIP_HDRLEN) {
printf("[|slip]");
Index: print-slow.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-slow.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 print-slow.c
--- print-slow.c 16 Nov 2015 00:16:39 -0000 1.4
+++ print-slow.c 7 Mar 2023 06:47:38 -0000
@@ -37,6 +37,7 @@
#include "extract.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
struct slow_common_header {
u_int8_t proto_subtype;
@@ -130,6 +131,11 @@ slow_print(const u_char *pptr, u_int len
struct lacp_tlv_collector_info_t *collector_info;
struct marker_tlv_marker_info_t *marker_tlv_marker_info;
} tlv_ptr;
+
+ if (check_policy(__FILE__)) {
+ printf("[|slow policy violation] ");
+ return;
+ }
tptr = pptr;
slow_com_header = (const struct slow_common_header *)pptr;
Index: print-snmp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-snmp.c,v
retrieving revision 1.28
diff -u -p -u -r1.28 print-snmp.c
--- print-snmp.c 23 Oct 2021 10:47:50 -0000 1.28
+++ print-snmp.c 7 Mar 2023 06:47:38 -0000
@@ -64,6 +64,9 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
+
/*
* Universal ASN.1 types
* (we only care about the tag values for those allowed in the Internet SMI)
@@ -1428,6 +1431,11 @@ snmp_print(const u_char *np, u_int lengt
{
struct be elem;
int count = 0;
+
+ if (check_policy(__FILE__)) {
+ printf("[|snmp policy violation] ");
+ return;
+ }
truncated = 0;
Index: print-stp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-stp.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 print-stp.c
--- print-stp.c 1 Dec 2021 18:28:46 -0000 1.10
+++ print-stp.c 7 Mar 2023 06:47:38 -0000
@@ -55,6 +55,8 @@
#include "extract.h"
#include "llc.h"
+extern int check_policy(char *filename);
+
#define STP_MSGTYPE_CBPDU 0x00
#define STP_MSGTYPE_RSTP 0x02
#define STP_MSGTYPE_TBPDU 0x80
@@ -91,6 +93,11 @@ stp_print(p, len)
{
u_int16_t id;
int proto = STP_PROTO_STP;
+
+ if (check_policy(__FILE__)) {
+ printf("[|stp policy violation] ");
+ return;
+ }
if (len < 3)
goto truncated;
Index: print-sunrpc.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-sunrpc.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 print-sunrpc.c
--- print-sunrpc.c 5 Jan 2022 05:29:54 -0000 1.22
+++ print-sunrpc.c 7 Mar 2023 06:47:38 -0000
@@ -46,6 +46,8 @@
#include "addrtoname.h"
#include "privsep.h"
+extern int check_policy(char *filename);
+
static struct tok proc2str[] = {
{ PMAPPROC_NULL, "null" },
{ PMAPPROC_SET, "set" },
@@ -64,6 +66,11 @@ sunrpcrequest_print(const u_char *bp, u_
{
const struct rpc_msg *rp;
u_int32_t x;
+
+ if (check_policy(__FILE__)) {
+ printf("[|sunrpc policy violation] ");
+ return;
+ }
rp = (struct rpc_msg *)bp;
Index: print-tcp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-tcp.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 print-tcp.c
--- print-tcp.c 24 Jan 2020 22:46:37 -0000 1.39
+++ print-tcp.c 7 Mar 2023 06:47:38 -0000
@@ -45,6 +45,8 @@
#include "nfs.h"
+extern int check_policy(char *filename);
+
static void print_tcp_rst_data(const u_char *sp, u_int length);
#define MAX_RST_DATA_LEN 30
@@ -189,6 +191,11 @@ tcp_print(const u_char *bp, u_int length
u_int16_t sport, dport, win, urp;
tcp_seq seq, ack;
const struct ip6_hdr *ip6;
+
+ if (check_policy(__FILE__)) {
+ printf("[|tcp policy violation] ");
+ return;
+ }
tp = (struct tcphdr *)bp;
switch (((struct ip *)bp2)->ip_v) {
Index: print-tftp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-tftp.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 print-tftp.c
--- print-tftp.c 24 Jan 2020 22:46:37 -0000 1.14
+++ print-tftp.c 7 Mar 2023 06:47:38 -0000
@@ -39,6 +39,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/* op code to string mapping */
static struct tok op2str[] = {
{ RRQ, "RRQ" }, /* read request */
@@ -73,6 +75,11 @@ tftp_print(const u_char *bp, u_int lengt
const u_char *p;
int opcode, i;
static char tstr[] = " [|tftp]";
+
+ if (check_policy(__FILE__)) {
+ printf("[|tftp policy violation] ");
+ return;
+ }
tp = (const struct tftphdr *)bp;
Index: print-timed.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-timed.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 print-timed.c
--- print-timed.c 24 Jan 2020 22:46:37 -0000 1.8
+++ print-timed.c 7 Mar 2023 06:47:39 -0000
@@ -42,6 +42,8 @@
#include "addrtoname.h"
#include "extract.h" /* must come after interface.h */
+extern int check_policy(char *filename);
+
static const char *tsptype[TSPTYPENUMBER] =
{ "ANY", "ADJTIME", "ACK", "MASTERREQ", "MASTERACK", "SETTIME", "MASTERUP",
"SLAVEUP", "ELECTION", "ACCEPT", "REFUSE", "CONFLICT", "RESOLVE", "QUIT",
@@ -55,6 +57,11 @@ timed_print(const u_char *bp, u_int leng
struct tsp *tsp = (struct tsp *)bp;
long sec, usec;
const u_char *end;
+
+ if (check_policy(__FILE__)) {
+ printf("[|timed policy violation] ");
+ return;
+ }
TCHECK(tsp->tsp_type);
if (tsp->tsp_type < TSPTYPENUMBER)
Index: print-udp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-udp.c,v
retrieving revision 1.56
diff -u -p -u -r1.56 print-udp.c
--- print-udp.c 17 Aug 2020 06:29:29 -0000 1.56
+++ print-udp.c 7 Mar 2023 06:47:39 -0000
@@ -59,6 +59,8 @@
#include "bootp.h"
#include "iapp.h"
+extern int check_policy(char *filename);
+
struct rtcphdr {
u_short rh_flags; /* T:2 P:1 CNT:5 PT:8 */
u_short rh_len; /* length of message (in words) */
@@ -326,6 +328,11 @@ udp_print(const u_char *bp, u_int length
const char *ipsrc = NULL, *ipdst = NULL;
unsigned int ipv = 0;
uint32_t cksum = 0;
+
+ if (check_policy(__FILE__)) {
+ printf("[|udp policy violation] ");
+ return;
+ }
if (ep > snapend)
ep = snapend;
Index: print-udpencap.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-udpencap.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 print-udpencap.c
--- print-udpencap.c 24 Jan 2020 22:46:37 -0000 1.7
+++ print-udpencap.c 7 Mar 2023 06:47:39 -0000
@@ -29,10 +29,17 @@
#include "interface.h"
+extern int check_policy(char *filename);
+
void
udpencap_print(const u_char *bp, u_int len, const u_char *bp2)
{
u_int32_t *spi;
+
+ if (check_policy(__FILE__)) {
+ printf("[|udpencap policy violation] ");
+ return;
+ }
/* Recognize NAT-T Keepalive msgs. (draft-ietf-ipsec-udp-encaps-nn) */
if (len == 1 && *bp == 0xFF) {
Index: print-usbpcap.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-usbpcap.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 print-usbpcap.c
--- print-usbpcap.c 23 Mar 2020 09:38:26 -0000 1.5
+++ print-usbpcap.c 7 Mar 2023 06:47:39 -0000
@@ -23,6 +23,8 @@
#include "interface.h"
+extern int check_policy(char *filename);
+
#ifndef nitems
#define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
#endif
@@ -47,6 +49,11 @@ usbpcap_if_print(u_char *user, const str
u_int16_t hdrlen;
ts_print(&h->ts);
+
+ if (check_policy(__FILE__)) {
+ printf("[|usbpcap policy violation] ");
+ return;
+ }
/* check length */
if (caplen < sizeof(uint16_t) || length < sizeof(*uph))
Index: print-vqp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-vqp.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 print-vqp.c
--- print-vqp.c 6 Jul 2018 05:47:22 -0000 1.8
+++ print-vqp.c 7 Mar 2023 06:47:39 -0000
@@ -58,6 +58,8 @@
#include "addrtoname.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
struct vqp_hdr {
u_char version;
u_char opcode;
@@ -215,6 +217,11 @@ vqp_print(const u_char *bp, u_int len)
{
struct vqp_hdr *p = (struct vqp_hdr *)bp;
u_int dcount;
+
+ if (check_policy(__FILE__)) {
+ printf("[|vqp policy violation] ");
+ return;
+ }
TCHECK(p->version);
printf("VQPv%u", p->version);
Index: print-vrrp.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-vrrp.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 print-vrrp.c
--- print-vrrp.c 16 Nov 2015 00:16:39 -0000 1.4
+++ print-vrrp.c 7 Mar 2023 06:47:39 -0000
@@ -42,6 +42,8 @@
#include "extract.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/*
* RFC 2338:
* 0 1 2 3
@@ -69,6 +71,11 @@ vrrp_print(const u_char *bp, u_int len,
{
int version, type, auth_type;
char *type_s;
+
+ if (check_policy(__FILE__)) {
+ printf("[|vrrp policy violation] ");
+ return;
+ }
TCHECK(bp[0]);
version = (bp[0] & 0xf0) >> 4;
Index: print-wb.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-wb.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 print-wb.c
--- print-wb.c 6 Jul 2018 05:47:22 -0000 1.11
+++ print-wb.c 7 Mar 2023 06:47:39 -0000
@@ -31,6 +31,8 @@
#include "interface.h"
#include "addrtoname.h"
+extern int check_policy(char *filename);
+
/* XXX need to add byte-swapping macros! */
/*
@@ -379,6 +381,11 @@ void
wb_print(const void *hdr, u_int len)
{
const struct pkt_hdr *ph;
+
+ if (check_policy(__FILE__)) {
+ printf("[|wb policy violation] ");
+ return;
+ }
ph = (const struct pkt_hdr *)hdr;
len -= sizeof(*ph);
Index: print-wg.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-wg.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 print-wg.c
--- print-wg.c 16 Sep 2021 12:35:20 -0000 1.7
+++ print-wg.c 7 Mar 2023 06:47:39 -0000
@@ -25,6 +25,8 @@
#include "interface.h"
#include "extract.h"
+extern int check_policy(char *filename);
+
#define INITIATION 1
#define RESPONSE 2
#define COOKIE 3
@@ -103,6 +105,11 @@ wg_print(const u_char *bp, u_int length)
struct wg_cookie *cookie = (void *)bp;
struct wg_data *data = (void *)bp;
u_int caplen;
+
+ if (check_policy(__FILE__)) {
+ printf("[|wg policy violation] ");
+ return;
+ }
caplen = snapend - bp;
if (caplen < sizeof(type))
Index: privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.57
diff -u -p -u -r1.57 privsep.c
--- privsep.c 24 Oct 2021 21:24:19 -0000 1.57
+++ privsep.c 7 Mar 2023 06:47:39 -0000
@@ -71,7 +71,7 @@ enum priv_state {
*/
static const int allowed_max[] = {
/* INIT */ ALLOW(PRIV_OPEN_BPF) | ALLOW(PRIV_OPEN_DUMP) |
- ALLOW(PRIV_SETFILTER),
+ ALLOW(PRIV_SETFILTER) | ALLOW(PRIV_OPEN_CONF),
/* BPF */ ALLOW(PRIV_SETFILTER),
/* FILTER */ ALLOW(PRIV_OPEN_PFOSFP) | ALLOW(PRIV_OPEN_OUTPUT) |
ALLOW(PRIV_GETSERVENTRIES) |
@@ -88,7 +88,7 @@ static const int allowed_max[] = {
* later depending on the supplied parameters.
*/
static int allowed_ext[] = {
- /* INIT */ ALLOW(PRIV_SETFILTER),
+ /* INIT */ ALLOW(PRIV_SETFILTER) | ALLOW(PRIV_OPEN_CONF),
/* BPF */ ALLOW(PRIV_SETFILTER),
/* FILTER */ ALLOW(PRIV_GETSERVENTRIES),
/* RUN */ ALLOW(PRIV_LOCALTIME) | ALLOW(PRIV_PCAP_STATS),
@@ -106,6 +106,7 @@ static void drop_privs(int);
static void impl_open_bpf(int, int *);
static void impl_open_dump(int, const char *);
+static void impl_open_conf(int, const char *);
static void impl_open_pfosfp(int);
static void impl_open_output(int, const char *);
static void impl_setfilter(int, char *, int *);
@@ -224,7 +225,7 @@ priv_exec(int argc, char *argv[])
/* parse the arguments for required options */
opterr = 0;
while ((i = getopt(argc, argv,
- "aB:c:D:deE:fF:i:lLnNOopPqr:s:StT:vw:xXy:")) != -1) {
+ "aB:c:D:deE:fF:i:lLnNOopPqr:s:StT:vw:xXY:y:")) != -1) {
switch (i) {
case 'n':
nflag++;
@@ -250,6 +251,7 @@ priv_exec(int argc, char *argv[])
Pflag = 1;
break;
+ case 'Y':
default:
/* nothing */
break;
@@ -259,6 +261,9 @@ priv_exec(int argc, char *argv[])
if (!Pflag)
errx(1, "exec without priv");
+ /* /etc/tcpdump.conf policies file */
+ allowed_ext[STATE_INIT] |= ALLOW(PRIV_OPEN_CONF);
+
if (RFileName != NULL) {
if (strcmp(RFileName, "-") != 0)
allowed_ext[STATE_INIT] |= ALLOW(PRIV_OPEN_DUMP);
@@ -298,6 +303,10 @@ priv_exec(int argc, char *argv[])
test_state(cmd, STATE_BPF);
impl_open_dump(sock, RFileName);
break;
+ case PRIV_OPEN_CONF:
+ test_state(cmd, STATE_INIT);
+ impl_open_conf(sock, "/etc/tcpdump.conf");
+ break;
case PRIV_OPEN_PFOSFP:
test_state(cmd, STATE_FILTER);
impl_open_pfosfp(sock);
@@ -392,6 +401,29 @@ impl_open_bpf(int fd, int *bpfd)
}
static void
+impl_open_conf(int fd, const char *FileName)
+{
+ int file, err = 0;
+
+ logmsg(LOG_DEBUG, "[priv]: msg PRIV_OPEN_CONF received");
+
+ if (FileName == NULL) {
+ file = -1;
+ logmsg(LOG_ERR, "[priv]: No offline conf file specified");
+ } else {
+ file = open(FileName, O_RDONLY);
+ err = errno;
+ if (file == -1)
+ logmsg(LOG_DEBUG, "[priv]: failed to open %s: %s",
+ FileName, strerror(errno));
+ }
+ send_fd(fd, file);
+ must_write(fd, &err, sizeof(int));
+ if (file >= 0)
+ close(file);
+}
+
+static void
impl_open_dump(int fd, const char *RFileName)
{
int file, err = 0;
@@ -775,6 +807,22 @@ priv_open_pfosfp(void)
must_read(priv_fd, &err, sizeof(int));
if (fd < 0) {
warnc(err, "%s", PF_OSFP_FILE);
+ return (-1);
+ }
+
+ return (fd);
+}
+
+int
+priv_open_conf(void)
+{
+ int fd, err = 0;
+ write_command(priv_fd, PRIV_OPEN_CONF);
+
+ fd = receive_fd(priv_fd);
+ must_read(priv_fd, &err, sizeof(int));
+ if (fd < 0) {
+ warnc(err, "/etc/tcpdump.conf");
return (-1);
}
Index: privsep.h
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.h,v
retrieving revision 1.12
diff -u -p -u -r1.12 privsep.h
--- privsep.h 18 Mar 2019 00:09:22 -0000 1.12
+++ privsep.h 7 Mar 2023 06:47:39 -0000
@@ -34,7 +34,8 @@ enum cmd_types {
PRIV_GETPROTOENTRIES, /* get the ip protocol entries table */
PRIV_LOCALTIME, /* return localtime */
PRIV_INIT_DONE, /* signal that the initialization is done */
- PRIV_PCAP_STATS /* get pcap_stats() results */
+ PRIV_PCAP_STATS, /* get pcap_stats() results */
+ PRIV_OPEN_CONF /* open /etc/tcpdump.conf for policies */
};
struct ether_addr;
@@ -74,6 +75,9 @@ size_t priv_getprotoentry(char *, size_t
/* Retrieve pf.os(5) fingerprints file descriptor */
int priv_open_pfosfp();
+
+/* Retrieve /etc/tcpdump.conf */
+int priv_open_conf(void);
/* Return the pcap statistics upon completion */
int priv_pcap_stats(struct pcap_stat *);
Index: tcpdump.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.c,v
retrieving revision 1.99
diff -u -p -u -r1.99 tcpdump.c
--- tcpdump.c 3 Mar 2023 13:03:29 -0000 1.99
+++ tcpdump.c 7 Mar 2023 06:47:39 -0000
@@ -84,12 +84,14 @@ int packettype;
char *program_name;
char *device = NULL;
+char *policyname = "default";
int32_t thiszone; /* seconds offset from gmt to local time */
extern volatile pid_t child_pid;
/* Externs */
+extern struct tcpdump_conf * tcpd_parse_config(int);
extern void bpf_dump(struct bpf_program *, int);
extern int esp_init(char *);
@@ -233,7 +235,7 @@ main(int argc, char **argv)
opterr = 0;
while ((op = getopt(argc, argv,
- "AaB:c:D:deE:fF:i:IlLnNOopqr:s:StT:vw:xXy:")) != -1)
+ "AaB:c:D:deE:fF:i:IlLnNOopqr:s:StT:vw:xXY:y:")) != -1)
switch (op) {
case 'A':
@@ -393,6 +395,10 @@ main(int argc, char **argv)
WFileName = optarg;
break;
+ case 'Y':
+ policyname = optarg;
+ break;
+
case 'y':
i = pcap_datalink_name_to_val(optarg);
if (i < 0)
@@ -418,6 +424,9 @@ main(int argc, char **argv)
usage();
/* NOTREACHED */
}
+
+ if (tcpd_parse_config(0) == NULL)
+ exit(1);
if (snaplen == 0) {
switch (dlt) {
Index: tcpdump.conf
===================================================================
RCS file: tcpdump.conf
diff -N tcpdump.conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tcpdump.conf 7 Mar 2023 06:47:39 -0000
@@ -0,0 +1,13 @@
+# $OpenBSD$
+# /etc/tcpdump.conf policy file
+
+L2="ether, llc"
+L3="ip, ip6, arp"
+L4="icmp, tcp, udp, icmp6"
+L7="domain"
+
+# the default policy
+policy default { $L2, $L3, $L4, $L7 }
+
+# only allow ethernet
+policy ethernet { ether, llc }
dmesg:
see previous mails...
