[PATCH xtables-addons 0/3] pknlusr improvements

[PATCH xtables-addons 0/3] pknlusr improvements

[Jeremy Sowden]

Since pknlusr is now installed, here are a few improvements.

Jeremy Sowden (3):
  pknock: pknlusr: fix formatting.
  pknock: pknlusr: fix hard-coded netlink multicast group ID.
  pknock: pknlusr: add man-page.

 extensions/pknock/Makefile.am |  2 ++
 extensions/pknock/pknlusr.8   | 23 +++++++++++++++++++++++
 extensions/pknock/pknlusr.c   | 35 +++++++++++++++++++++++++++++++++--
 3 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 extensions/pknock/pknlusr.8

-- 
2.28.0

[PATCH xtables-addons 1/3] pknock: pknlusr: fix formatting.

[Jeremy Sowden]

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/pknock/pknlusr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/pknock/pknlusr.c b/extensions/pknock/pknlusr.c
index 6153bf6de099..161a9610a018 100644
--- a/extensions/pknock/pknlusr.c
+++ b/extensions/pknock/pknlusr.c
@@ -76,7 +76,7 @@ int main(void)
 			return 1;
 		}
 
-	nlmsg = (struct xt_pknock_nl_msg *) (buf + sizeof(struct cn_msg) + sizeof(struct nlmsghdr));
+		nlmsg = (struct xt_pknock_nl_msg *) (buf + sizeof(struct cn_msg) + sizeof(struct nlmsghdr));
 
 		ip = inet_ntop(AF_INET, &nlmsg->peer_ip, ipbuf, sizeof(ipbuf));
 		printf("rule_name: %s - ip %s\n", nlmsg->rule_name, ip);
-- 
2.28.0

[PATCH xtables-addons 2/3] pknock: pknlusr: fix hard-coded netlink multicast group ID.

[Jeremy Sowden]

The group ID used by xt_pknock is configurable, but pknlusr hard-codes
it to 1.  Modify pknlusr to accept an optional ID from the command-line.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/pknock/pknlusr.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/extensions/pknock/pknlusr.c b/extensions/pknock/pknlusr.c
index 161a9610a018..ca3af835c9a8 100644
--- a/extensions/pknock/pknlusr.c
+++ b/extensions/pknock/pknlusr.c
@@ -7,6 +7,8 @@
 #include <arpa/inet.h>
 #include <linux/netlink.h>
 #include <linux/connector.h>
+#include <libgen.h>
+#include <limits.h>
 
 #include "xt_pknock.h"
 
@@ -19,7 +21,19 @@ static unsigned char *buf;
 
 static struct xt_pknock_nl_msg *nlmsg;
 
-int main(void)
+static void
+usage(const char *argv0)
+{
+	char *prog;
+	if (!(prog = strdup (argv0))) {
+		perror("strdup()");
+	} else {
+		fprintf(stderr, "%s [ group-id ]\n", basename(prog));
+		free(prog);
+	}
+}
+
+int main(int argc, char **argv)
 {
 	socklen_t addrlen;
 	int status;
@@ -30,6 +44,23 @@ int main(void)
 	const char *ip;
 	char ipbuf[48];
 
+	if (argc > 2) {
+		usage(argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+	if (argc == 2) {
+		long n;
+		char *end;
+
+		n = strtol(argv[1], &end, 10);
+		if (*end || n < INT_MIN || n > INT_MAX) {
+			usage(argv[0]);
+			exit(EXIT_FAILURE);
+		}
+		group = n;
+	}
+
 	sock_fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
 
 	if (sock_fd == -1) {
-- 
2.28.0

Re: [PATCH xtables-addons 2/3] pknock: pknlusr: fix hard-coded netlink multicast group ID.

[Jan Engelhardt]

On Thursday 2020-10-22 19:30, Jeremy Sowden wrote:

>The group ID used by xt_pknock is configurable, but pknlusr hard-codes
>it to 1.  Modify pknlusr to accept an optional ID from the command-line.

According to netlink(7), that is not a group ID but a bitmask of groups.
That changes the semantic quite significantly and would make this patch faulty.

>+		n = strtol(argv[1], &end, 10);
>+		if (*end || n < INT_MIN || n > INT_MAX) {
>+			usage(argv[0]);
>+			exit(EXIT_FAILURE);
>+		}

It's a u32. It can never be less than 0, but it can very well be more than
INT_MAX.

Re: [PATCH xtables-addons 2/3] pknock: pknlusr: fix hard-coded netlink multicast group ID.

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 461 bytes --]

On 2020-10-23, at 11:13:45 +0200, Jan Engelhardt wrote:
> On Thursday 2020-10-22 19:30, Jeremy Sowden wrote:
> > The group ID used by xt_pknock is configurable, but pknlusr
> > hard-codes it to 1.  Modify pknlusr to accept an optional ID from
> > the command-line.
>
> According to netlink(7), that is not a group ID but a bitmask of
> groups.  That changes the semantic quite significantly and would make
> this patch faulty.

Yup, v2 will follow shortly.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

[PATCH xtables-addons 3/3] pknock: pknlusr: add man-page.

[Jeremy Sowden]

Since pknlusr is now being installed, let's give it a man-page.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/pknock/Makefile.am |  2 ++
 extensions/pknock/pknlusr.8   | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 extensions/pknock/pknlusr.8

diff --git a/extensions/pknock/Makefile.am b/extensions/pknock/Makefile.am
index dcb3096afd35..fb419ede0d2b 100644
--- a/extensions/pknock/Makefile.am
+++ b/extensions/pknock/Makefile.am
@@ -6,3 +6,5 @@ AM_CFLAGS   = ${regular_CFLAGS} ${libxtables_CFLAGS}
 include ../../Makefile.extra
 
 sbin_PROGRAMS = pknlusr
+
+dist_man8_MANS = pknlusr.8
diff --git a/extensions/pknock/pknlusr.8 b/extensions/pknock/pknlusr.8
new file mode 100644
index 000000000000..da8798a463db
--- /dev/null
+++ b/extensions/pknock/pknlusr.8
@@ -0,0 +1,23 @@
+.TH pknlusr 8 "2020-10-22" "xtables-addons" "xtables-addons"
+.
+.SH NAME
+pknlusr \- userspace monitor for successful xt_pknock matches
+.
+.SH SYNOPSIS
+.SY pknlusr
+.RI [ group-id ]
+.YS
+.
+.SH DESCRIPTION
+\fIxt_pknock\fP is an xtables match extension that implements so-called \fIport
+knocking\fP.  It can be configured to send information about each successful
+match via a netlink socket to userspace.  \fBpknluser\fP listens for these
+notifications.
+.
+.SH OPTIONS
+.TP 9
+.B group-id
+The ID of the netlink multicast group used by \fIxt_pknock\fP.  Defaults to \fB1\fP.
+.
+.SH SEE ALSO
+.IR xtables-addons (8)
-- 
2.28.0

Re: [PATCH xtables-addons 3/3] pknock: pknlusr: add man-page.

[Jan Engelhardt]

On Thursday 2020-10-22 19:30, Jeremy Sowden wrote:

>Since pknlusr is now being installed, let's give it a man-page.

There's a lot of.. markup I have never seen before (and thus did not feel would
be necessary).
I pushed a shortened version; if anything should be different, please send more
patches on top. Thanks!

Re: [PATCH xtables-addons 3/3] pknock: pknlusr: add man-page.

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 587 bytes --]

On 2020-10-23, at 11:24:16 +0200, Jan Engelhardt wrote:
> On Thursday 2020-10-22 19:30, Jeremy Sowden wrote:
> > Since pknlusr is now being installed, let's give it a man-page.
>
> There's a lot of.. markup I have never seen before (and thus did not
> feel would be necessary).

First man-page I've written from scratch in roff.  I used the
groff_man(7) man-page as a reference.

> I pushed a shortened version; if anything should be different, please
> send more patches on top.

No problem with the man-page itself, but the patch to Makefile.am isn't
quite right.  Will fix in v2.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]