patch by Marc Haber <mh+debian-packages@zugschlus.de>

--- a/Docs/ippl.conf.man
+++ b/Docs/ippl.conf.man
@@ -92,6 +92,13 @@
 .PP
 By default, IP address resolution is disabled for all the protocols.
 
+Ippl by default resolves tcp/udp port numbers to their respective
+service names. If you pass a protocol to the noportresolve option,
+ippl logs the port number instead. This is a Debian specific extension.
+
+By default service resolving is enabled, since this is the behaviour
+of the upstream program.
+
 .SH LOGGING FORMAT
 
 .BR ippl
@@ -198,6 +205,12 @@
 .I noresolve
 disable IP address resolution.
 .PP
+.I portresolve
+enable IP service resolution.
+.PP
+.I noportresolve
+disable IP service resolution.
+.PP
 .I ident
 use ident logging (only for TCP).
 .PP

--- a/Source/configuration.c
+++ b/Source/configuration.c
@@ -60,6 +60,7 @@
   extern unsigned int dns_expire;
   extern unsigned short log_protocols;
   extern unsigned short resolve_protocols;
+  extern unsigned short portresolve_protocols;
   extern unsigned short icmp_format;
   extern unsigned short tcp_format;
   extern unsigned short udp_format;
@@ -71,6 +72,7 @@
   dns_expire = DNS_EXPIRE;
   log_protocols = NONE;
   resolve_protocols = 0; /* Do not resolve by default */
+  portresolve_protocols = RUN_TCP | RUN_UDP | RUN_ICMP; /* Resolve by default */
   icmp_format = LOGFORMAT_NORMAL;
   tcp_format = LOGFORMAT_NORMAL;
   udp_format = LOGFORMAT_NORMAL;

--- a/Source/filter.c
+++ b/Source/filter.c
@@ -46,6 +46,7 @@
 
 extern unsigned short use_ident;
 extern unsigned short resolve_protocols;
+extern unsigned short portresolve_protocols;
 extern unsigned short icmp_format;
 extern unsigned short tcp_format;
 extern unsigned short udp_format;
@@ -66,7 +67,7 @@
 #ifdef FILTER_DEBUG
 void display_info(struct log_info *info, int entries) {
 
-  log.log(log.level_or_fd, "DBG: (e:%d) log:%d ident:%d resolve:%d closing:%d format:%d", entries, info->log, info->ident, info->resolve, info->logclosing, info->logformat);
+  log.log(log.level_or_fd, "DBG: (e:%d) log:%d ident:%d resolve:%d portresolve: %d, closing:%d format:%d", entries, info->log, info->ident, info->resolve, info->portresolve, info->logclosing, info->logformat);
 }
 #endif
 
@@ -200,6 +201,19 @@
       break;
     }
   }
+  if (info->portresolve == -1) {
+    switch (protocol) {
+    case IPPROTO_ICMP:
+      info->portresolve = portresolve_protocols & RUN_ICMP;
+      break;
+    case IPPROTO_TCP:
+      info->portresolve = portresolve_protocols & RUN_TCP;
+      break;
+    case IPPROTO_UDP:
+      info->portresolve = portresolve_protocols & RUN_UDP;
+      break;
+    }
+  }
 }
 
 struct log_info do_log(const __u32 from, const __u32 to, const __u16 type, const __u16 srctype, const short protocol) {
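Review bot: The new `switch (protocol)` under `if (info->portresolve == -1)` has no `default`, so for any protocol other than ICMP, TCP or UDP the field keeps the -1 sentinel, and `service_lookup()` tests it with `if (portresolve)`, which treats -1 as enabled. The `service_lookup()` calls visible in this patch are only in tcp.c and udp.c, so this is probably unreachable today, but adding `default: info->portresolve = 0; break;` keeps the "unset" value from ever leaving set_defaults. set_defaults begins above this hunk, and the preceding switch, of which only the tail is visible, may deserve the same treatment.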
@@ -244,6 +258,7 @@
         info.log = p->log;
         info.ident = p->ident;
         info.resolve = p->resolve;
+        info.portresolve = p->portresolve;
         info.logformat = p->logformat;
         info.logclosing = p->logclosing;
         set_defaults(protocol, &info);
@@ -265,6 +280,7 @@
         info.log = p->log;
         info.ident = p->ident;
         info.resolve = p->resolve;
+        info.portresolve = p->portresolve;
         info.logformat = p->logformat;
         set_defaults(protocol, &info);
 #ifdef FILTER_DEBUG
@@ -280,7 +296,7 @@
   info.log = TRUE;
   info.ident = use_ident;
   info.logclosing = log_closing;
-  info.logformat = info.resolve = -1;
+  info.logformat = info.resolve = info.portresolve = -1;
   set_defaults(protocol, &info);
 
 #ifdef FILTER_DEBUG

--- a/Source/filter.h
+++ b/Source/filter.h
@@ -53,6 +53,7 @@
 struct filter_entry {
   short log;		/* TRUE for "log", FALSE for "ignore" */
   short ident;          /* TRUE if we should use ident */
+  short portresolve;    /* TRUE if we should resolve TCP/UDP services */
   short resolve;        /* TRUE if we should resolve IP addresses */
   short logformat;      /* format used to log */
   short logclosing;     /* TRUE to log closing TCP connections */
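Review bot: The comment on the new `portresolve` member says TRUE/FALSE, but ippl.y stores -1 (rule did not set it), 0, or `RUN_ICMP | RUN_TCP | RUN_UDP` in it, and set_defaults later replaces -1 with a masked copy of the global. A comment such as `/* -1 = use global default, 0 = log port numbers, non-zero = resolve service names */` would describe what the field actually holds. The matching member added to `struct log_info` in the next hunk has no comment, and it sits after `resolve` there but before it here. `struct filter_entry` continues past the end of this hunk.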
@@ -72,6 +73,7 @@
   short log;
   short ident;
   short resolve;
+  short portresolve;
   short logclosing;
   short logformat;
 };

--- a/Source/ippl.l
+++ b/Source/ippl.l
@@ -75,6 +75,9 @@
 [lL][oO][gG][cC][lL][oO][sS][iI][nN][gG] return LOGCLOSING;
 [nN][oO][lL][oO][gG][cC][lL][oO][sS][iI][nN][gG] return NOLOGCLOSING;
 
+[nN][oO][pP][oO][rR][tT][rR][eE][sS][oO][lL][vV][eE] return NOPORTRESOLVE;
+[pP][oO][rR][tT][rR][eE][sS][oO][lL][vV][eE] return PORTRESOLVE;
+
 [nN][oO][rR][eE][sS][oO][lL][vV][eE] return NORESOLVE;
 [rR][eE][sS][oO][lL][vV][eE] return RESOLVE;
 

--- a/Source/ippl.y
+++ b/Source/ippl.y
@@ -61,6 +61,7 @@
 
 /* Should name resolving be done? */
 unsigned short resolve_protocols;
+unsigned short portresolve_protocols;
 
 /* Logging format for each protocol */
 unsigned short icmp_format;
@@ -100,7 +101,7 @@
 %token<stringval> IP HOSTMASK IDENTIFIER FILENAME
 %token<longval> NUMBER
 
-%token LOGFORMAT DETAILED SHORT NORMAL RESOLVE NORESOLVE IDENT NOIDENT LOGCLOSING NOLOGCLOSING
+%token LOGFORMAT DETAILED SHORT NORMAL RESOLVE NORESOLVE IDENT NOIDENT LOGCLOSING NOLOGCLOSING PORTRESOLVE NOPORTRESOLVE
 %token RUN RUNAS EXPIRE LOG_IN LOG IGNORE FROM TO TYPE PORT SRCPORT OPTION COMMA
 %token ICMP TCP UDP ALL
 
@@ -138,6 +139,11 @@
         | NORESOLVE ProtoList EOL
           { resolve_protocols &= ~$2; }
 
+        | PORTRESOLVE ProtoList EOL
+          { portresolve_protocols |= $2; }
+        | NOPORTRESOLVE ProtoList EOL
+          { portresolve_protocols &= ~$2; }
+
         | LOGCLOSING EOL
           { log_closing = TRUE; }
         | NOLOGCLOSING EOL
@@ -249,6 +255,7 @@
             switches.log = -1;
             switches.ident = use_ident;
             switches.resolve = -1;
+	    switches.portresolve = -1;
             switches.logformat = -1;
             switches.logclosing = log_closing;
           } 
@@ -259,6 +266,7 @@
             $$->ident = switches.ident;
             $$->logclosing = switches.logclosing;
             $$->resolve = switches.resolve;
+            $$->portresolve = switches.portresolve;
             $$->logformat = switches.logformat;
             $$->protocol = $4.protocol;
             $$->loginfo = $4.loginfoval;
@@ -287,6 +295,8 @@
         | NOIDENT    { switches.ident = FALSE; }
         | RESOLVE    { switches.resolve = RUN_ICMP | RUN_TCP | RUN_UDP; }
         | NORESOLVE  { switches.resolve = 0; }
+        | PORTRESOLVE    { switches.portresolve = RUN_ICMP | RUN_TCP | RUN_UDP; }
+        | NOPORTRESOLVE  { switches.portresolve = 0; }
         | SHORT      { switches.logformat = LOGFORMAT_SHORT; }
         | NORMAL     { switches.logformat = LOGFORMAT_NORMAL; }
         | DETAILED   { switches.logformat = LOGFORMAT_DETAILED; }

--- a/Source/main.c
+++ b/Source/main.c
@@ -48,6 +48,10 @@
 #include "filter.h"
 #include "pidfile.h"
 
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
 /* Logging mechanism */
 struct loginfo log;
 
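Review bot: The added `PATH_MAX` fallback of 4096 is an arbitrary limit on platforms that leave the macro undefined, which usually means path length there has no fixed maximum. The buffers sized with it are outside this hunk, so confirm that each one is filled with a bounded call and that truncation is treated as an error rather than silently accepted. A comment such as `/* fallback for systems without PATH_MAX; longer paths are rejected */` would record the intent. The change is also unrelated to port resolution and would be easier to review as its own patch.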

--- a/Source/netutils.c
+++ b/Source/netutils.c
@@ -237,15 +237,21 @@
  * Get a service name for a specified protocol
  */
 
-void service_lookup(char *proto, char *service, __u16 port) {
+void service_lookup(char *proto, char *service, __u16 port, int portresolve) {
   struct servent *se;
 
   pthread_mutex_lock(&service_mutex);
-  se = getservbyport(port, proto);
-  if (se == NULL)
+  if (portresolve)
+  {
+    se = getservbyport(port, proto);
+    if (se == NULL)
+      snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
+    else {
+      snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
+    }
+  }
+  else {
     snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
-  else {
-    snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
   }
   pthread_mutex_unlock(&service_mutex);
 }
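Review bot: service_lookup() still takes `service_mutex` when `portresolve` is 0, although that path never calls getservbyport() and only writes the caller's buffer, so every packet logged with numeric ports is serialised on the lock for no benefit. The `"port %d"` snprintf is also duplicated in both branches. Assuming the mutex guards only getservbyport()'s static result, locking just around the lookup and letting one fallback handle both the disabled and the not-found case removes both problems; `se->s_name` must still be copied before the unlock. The brace on its own line after `if (portresolve)` also differs from the brace style of the surrounding code.

```c
void service_lookup(char *proto, char *service, __u16 port, int portresolve) {
  struct servent *se = NULL;

  if (portresolve) {
    /* getservbyport() returns static storage: copy the name while locked */
    pthread_mutex_lock(&service_mutex);
    se = getservbyport(port, proto);
    if (se != NULL)
      snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
    pthread_mutex_unlock(&service_mutex);
  }
  /* resolution disabled, or no entry for this port */
  if (se == NULL)
    snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
}
```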

--- a/Source/netutils.h
+++ b/Source/netutils.h
@@ -53,6 +53,6 @@
                  const __u32 src_addr, const __u16 src_port,
                  const __u32 dst_addr, const __u16 dst_port);
 
-void service_lookup(char *proto, char *service, __u16 port);
+void service_lookup(char *proto, char *service, __u16 port, int portresolve);
 
 #endif

--- a/Source/tcp.c
+++ b/Source/tcp.c
@@ -51,6 +51,7 @@
 struct loginfo tcp_log;
 extern struct loginfo log;
 extern unsigned short resolve_protocols;
+extern unsigned short portresolve_protocols;
 
 /*
  * Structure of a TCP packet
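Review bot: The `extern unsigned short portresolve_protocols;` added here does not appear to be used in tcp.c: both call sites changed by this patch pass `info.portresolve`, which set_defaults in filter.c has already derived from the global. udp.c gets the same call-site change without this declaration. Unless code outside these hunks reads the global directly, drop the line so the per-rule value in `info` remains the only input to the lookup.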
@@ -88,7 +89,7 @@
     *details ='\0';
     host_print(remote_host, IPHDR.saddr,
                info.resolve);
-    service_lookup("tcp", service, TCPHDR.dest);
+    service_lookup("tcp", service, TCPHDR.dest, info.portresolve);
     if (info.logformat == LOGFORMAT_DETAILED) {
       get_details(details,
                   IPHDR.saddr,
@@ -186,7 +187,7 @@
     *details ='\0';
     host_print(remote_host, IPHDR.saddr,
                info.resolve);
-    service_lookup("tcp", service, TCPHDR.dest);
+    service_lookup("tcp", service, TCPHDR.dest, info.portresolve);
     if (info.logformat == LOGFORMAT_DETAILED) {
       get_details(details,
                   IPHDR.saddr,

--- a/Source/udp.c
+++ b/Source/udp.c
@@ -81,7 +81,7 @@
     *details ='\0';
     host_print(remote_host, IPHDR.saddr,
                info.resolve);
-    service_lookup("udp", service, UDPHDR.dest);
+    service_lookup("udp", service, UDPHDR.dest, info.portresolve);
     if (info.logformat == LOGFORMAT_DETAILED) {
       get_details(details,
                   IPHDR.saddr,

--- a/ippl.conf
+++ b/ippl.conf
@@ -4,13 +4,15 @@
 # User used
 # ---------
 # Specify the user (declared in /etc/passwd) used to run the
-# logging threads.
-#runas nobody
+# logging threads. The ippl process visible in the process table
+# is still running as root! Look in /proc/pid/task to see the threads
+# running as ippl
+runas ippl
 
 # Resolve hostnames?
 # ------------------
-# Uncomment the line below to disable DNS lookups
-#noresolve all
+# Uncomment the line below to enable DNS lookups
+#resolve all
 
 # Use ident?
 # ----------
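Review bot: Activating `runas ippl` makes the shipped configuration depend on an `ippl` account that nothing in this patch creates; presumably the package's maintainer scripts add it, and the comment should say so, e.g. `# The ippl user is created by the package and must exist before the daemon starts.` The new comment also states that the main process keeps running as root. It would help to add one sentence on what that root process still does, since that is what an operator needs when judging how much of the daemon runs with privileges.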
@@ -38,9 +40,14 @@
 # ----------------
 run icmp tcp
 # Uncomment the line below to log UDP traffic.
-# See ippl.conf(5) for recommandations.
+# See ippl.conf(5) for recommendations.
 #run udp
 
+# Resolve tcp/udp port to service name?
+# -------------------------------------
+# portresolve icmp tcp udp
+# Set noportresolve <protocol-list> to log port numbers instead
+
 # Logging format
 # ----------------
 # If you want to see the destination address, the ports, etc
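Review bot: The commented example `# portresolve icmp tcp udp` restates the built-in default, so uncommenting it changes nothing, and it is written with a space after `#` unlike the other toggles in this file (`#run udp`, `#resolve all`). The line an operator would actually enable is the opposite one, for example `#noportresolve tcp udp`. Listing `icmp` is also questionable: the service_lookup() calls touched by this patch are only in tcp.c and udp.c, so the ICMP bit may have no effect.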
@@ -63,6 +70,3 @@
 # Do not log DNS queries
 #ignore udp port domain
 #ignore udp srcport domain
-
-# End of configuration
-# Copyright (C) 1998-1999 Hugo Haas - Etienne Bernard