From 473e12bcfd4953f014328e48f9b3ac6085a1469e Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Tue, 1 May 2018 14:31:23 -0700
Subject: [PATCH 01/10] added interface restriction logic for linux

---
 fakenet/configs/default.ini | 9 +++++++++
 fakenet/diverters/diverterbase.py | 24 ++++++++++++++++++++++++
 fakenet/diverters/fnpacket.py | 4 ++++
 fakenet/diverters/linux.py | 6 +++---
 4 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/fakenet/configs/default.ini b/fakenet/configs/default.ini
index 33b1a11..03112f2 100644
--- a/fakenet/configs/default.ini
+++ b/fakenet/configs/default.ini
@@ -57,6 +57,15 @@ DebugLevel: Off
 # should be applied to all interfaces. Comment out to leave unconfigured.
 LinuxRedirectNonlocal: *

+# Specify which interfaces Fakenet-NG will ignore. Disposition can be
+# set to "Drop" or "Pass". "Drop" will drop the packet and "Pass" will ignore
+# it and allow it to pass through to any listening application or Fakenet-NG
+# Listener. Enter BlacklistedInterfaces as a list of IP addresses separated by
+# space (example 127.0.0.1 192.0.0.1).
+LinuxBlacklistInterfaces: No
+LinuxBlacklistInterfacesDisposition: Drop
+LinuxBlacklistedInterfaces: 127.0.0.1
+
 # Set LinuxFlushIptables to Yes to have the Linux Diverter flush all iptables
 # rules before adding its FakeNet-NG-specific rules to iptables. FakeNet-NG
 # will restore all old rules when it exits, unless its termination is
diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index c2919ca..f295f2a 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
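Review bot: The setting is documented as a list of interfaces to ignore, but what the code in this series compares is packet endpoint addresses (`pkt.src_ip` / `pkt.dst_ip` in the diverterbase hunk), so a packet from a blacklisted address arriving on any interface matches, while traffic on that interface carrying a different address does not; the comment should say so, e.g. `# Enter LinuxBlacklistedInterfaces as the IP addresses of the interfaces to leave alone; any packet whose source or destination is one of them is dropped or passed through.` It would also help to name the intended use (keeping an operator's management session, such as ssh, out of FakeNet-NG), since the default of 127.0.0.1 alone does not protect that, and to state that Drop is the default when LinuxBlacklistInterfacesDisposition is omitted.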
@@ -1075,6 +1075,18 @@ def parse_diverter_config(self):
 self.logger.debug('Blacklisted UDP ports: %s', ', '.join(
 [str(p) for p in self.getconfigval('BlackListPortsUDP')]))

+ # Ignore or drop packets to/from blacklisted interfaces
+ # Currently Linux-only
+ self.blacklist_ifaces = None
+ if self.is_set('linuxblacklistinterfaces'):
+ self.blacklist_ifaces_disp = \
+ self.getconfigval('linuxblacklistinterfacesdisposition', 'drop')
+ self.blacklist_ifaces = \
+ self.getconfigval('linuxblacklistedinterfaces', None)
+ print("logging level: %d" % (self.logger.getEffectiveLevel()))
+ self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
+ (self.blacklist_ifaces, self.blacklist_ifaces_disp))
+
 def write_pcap(self, pkt):
 """Writes a packet to the pcap.
@@ -1141,6 +1153,18 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):

 crit = DivertParms(self, pkt)

+ if (self.blacklist_ifaces and
+ (pkt.src_ip in self.blacklist_ifaces or
+ pkt.dst_ip in self.blacklist_ifaces)):
+ self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
+ (pkt.src_ip, pkt.dst_ip))
+ if self.blacklist_ifaces_disp == 'Drop':
+ self.logger.debug("Dropping blacklist interface packet")
+ pkt.drop = True
+ else:
+ self.logger.debug("Ignoring blacklist interface packet")
+ no_further_processing = True
+
 # fnpacket has parsed all that can be parsed, so
 pid, comm = self.get_pid_comm(pkt)
 if self.pdebug_level & DGENPKTV:
diff --git a/fakenet/diverters/fnpacket.py b/fakenet/diverters/fnpacket.py
index 91355c1..a0f6de3 100644
--- a/fakenet/diverters/fnpacket.py
+++ b/fakenet/diverters/fnpacket.py
@@ -39,6 +39,10 @@ def __init__(self, label, raw):
 self._is_ip = False
 self._is_icmp = False

+ # Packet handler logic can check if a drop condition has been met.
+ # Currenty used for blacklisting interfaces
+ self.drop = False
+
 # Some packet attributes are cached in duplicate members below for code
 # simplicity and uniformity rather than having to query which packet
 # headers were or were not parsed.
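Review bot: The default handed to getconfigval for the disposition is `'drop'` (lowercase), while the handle_pkt hunk below compares `self.blacklist_ifaces_disp == 'Drop'`, so a config that sets LinuxBlacklistInterfaces but omits the disposition key silently gets Pass behaviour instead of the documented Drop default; normalise once here with `self.getconfigval('linuxblacklistinterfacesdisposition', 'drop').lower()` and compare against `'drop'` (07/10 adds the lower-casing, but the mismatch is live in this commit). The `print("logging level: ...")` line is leftover debugging that bypasses the logger and goes to stdout; 04/10 removes it, so it should be squashed out of this commit. parse_diverter_config starts outside the hunk.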
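Review bot: `pkt.src_ip in self.blacklist_ifaces` is a substring test as long as blacklist_ifaces is the unsplit config value stored in the hunk above (it is only turned into a set in 07/10), so blacklisting `10.0.0.10` also matches traffic from `10.0.0.1` and `0.0.0.1`, and the space-separated list the ini comment describes only works by accident of substring matching; parse the value into a set of addresses at config time and test exact membership. The check also runs before `self.get_pid_comm(pkt)`, which is right, but the Drop branch sets only `pkt.drop` and not `no_further_processing`, so the rest of the function still processes a packet that will be discarded — whether that is intended depends on what the callbacks do, which is outside the hunk. handle_pkt starts and ends outside the hunk.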
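Review bot: The new `drop` attribute is a public flag that the Linux diverter turns into an NFQUEUE verdict (see the linux.py hunks in this patch), so its comment should state the contract rather than its current single user: `# Set by packet handlers (e.g. the interface blacklist) to ask the diverter to drop this packet instead of accepting it. Default False.` Also fix the typo "Currenty". __init__ starts and ends outside the hunk.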
diff --git a/fakenet/diverters/linux.py b/fakenet/diverters/linux.py
index b3695c6..8794373 100644
--- a/fakenet/diverters/linux.py
+++ b/fakenet/diverters/linux.py
@@ -242,7 +242,7 @@ def handle_nonlocal(self, nfqpkt):
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise

- nfqpkt.accept()
+ nfqpkt.accept() if not pkt.drop else nfqpkt.drop()

 def handle_incoming(self, nfqpkt):
 """Incoming packet hook.
@@ -266,7 +266,7 @@ def handle_incoming(self, nfqpkt):
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise

- nfqpkt.accept()
+ nfqpkt.accept() if not pkt.drop else nfqpkt.drop()

 def handle_outgoing(self, nfqpkt):
 """Outgoing packet hook.
@@ -293,7 +293,7 @@ def handle_outgoing(self, nfqpkt):
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise

- nfqpkt.accept()
+ nfqpkt.accept() if not pkt.drop else nfqpkt.drop()

 def check_log_nonlocal(self, crit, pkt):
 """Conditionally log packets having a foreign destination.

From 4eba1d474972274ce65f949f106b27f5a74fd3d5 Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Wed, 2 May 2018 10:00:48 -0700
Subject: [PATCH 02/10] fixed indent error

---
 fakenet/diverters/diverterbase.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index f295f2a..3d8ea96 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
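Review bot: `nfqpkt.accept() if not pkt.drop else nfqpkt.drop()` is a conditional expression used purely for its side effects, which reads as if a value were being computed and discarded; an explicit `if pkt.drop: nfqpkt.drop()` / `else: nfqpkt.accept()` says what is happening (07/10 makes exactly that change, so squash it into this commit). The same verdict line is pasted into handle_nonlocal, handle_incoming and handle_outgoing; a small helper would keep the drop/accept policy in one place. This applies equally to the two following hunks; all three handlers start outside their hunks.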
@@ -1153,17 +1153,17 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):

 crit = DivertParms(self, pkt)

- if (self.blacklist_ifaces and
+ if (self.blacklist_ifaces and
 (pkt.src_ip in self.blacklist_ifaces or
 pkt.dst_ip in self.blacklist_ifaces)):
- self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
- (pkt.src_ip, pkt.dst_ip))
- if self.blacklist_ifaces_disp == 'Drop':
- self.logger.debug("Dropping blacklist interface packet")
- pkt.drop = True
- else:
- self.logger.debug("Ignoring blacklist interface packet")
- no_further_processing = True
+ self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
+ (pkt.src_ip, pkt.dst_ip))
+ if self.blacklist_ifaces_disp == 'Drop':
+ self.logger.debug("Dropping blacklist interface packet")
+ pkt.drop = True
+ else:
+ self.logger.debug("Ignoring blacklist interface packet")
+ no_further_processing = True

 # fnpacket has parsed all that can be parsed, so
 pid, comm = self.get_pid_comm(pkt)

From cf35fd091b527365e3ee169201643cd8b80dd4db Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Thu, 3 May 2018 05:26:30 -0700
Subject: [PATCH 03/10] Testing complete

---
 fakenet/diverters/diverterbase.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index 3d8ea96..224631f 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1153,11 +1153,12 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):

 crit = DivertParms(self, pkt)

+ # check for blacklisted interface and drop if needed
 if (self.blacklist_ifaces and
- (pkt.src_ip in self.blacklist_ifaces or
- pkt.dst_ip in self.blacklist_ifaces)):
+ (pkt.src_ip in self.blacklist_ifaces or
+ pkt.dst_ip in self.blacklist_ifaces)):
 self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
- (pkt.src_ip, pkt.dst_ip))
+ (pkt.src_ip, pkt.dst_ip))
 if self.blacklist_ifaces_disp == 'Drop':
 self.logger.debug("Dropping blacklist interface packet")
 pkt.drop = True
From 3c3dd3436c0650c23ddb2d944bd107ed35b6d8f6 Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Thu, 3 May 2018 05:31:06 -0700
Subject: [PATCH 04/10] removed extra logging statement

---
 fakenet/diverters/diverterbase.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index 224631f..f93b311 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1083,7 +1083,6 @@ def parse_diverter_config(self):
 self.getconfigval('linuxblacklistinterfacesdisposition', 'drop')
 self.blacklist_ifaces = \
 self.getconfigval('linuxblacklistedinterfaces', None)
- print("logging level: %d" % (self.logger.getEffectiveLevel()))
 self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
 (self.blacklist_ifaces, self.blacklist_ifaces_disp))

From 9f498d9794de1e71d16b09d7df572b185a03f283 Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Fri, 4 May 2018 07:58:48 -0700
Subject: [PATCH 05/10] stopped packet details from printing when interface is blacklisted

---
 fakenet/diverters/diverterbase.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index f93b311..e647e4a 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1170,7 +1170,8 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 if self.pdebug_level & DGENPKTV:
 logline = self.formatPkt(pkt, pid, comm)
 self.pdebug(DGENPKTV, logline)
- elif pid and (pid != self.pid) and crit.first_packet_new_session:
+ elif pid and (pid != self.pid) and crit.first_packet_new_session & \
+ no_further_processing is not True:
 self.logger.info(' pid: %d name: %s' %
 (pid, comm if comm else 'Unknown'))

From e4d2845b3063aa67cfba36092d651ebcc2e48df3 Mon Sep 17 00:00:00 2001
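Review bot: The new condition in the last hunk does not do what the subject says: `&` binds tighter than `is not`, so `crit.first_packet_new_session & no_further_processing is not True` is evaluated as `(first_packet_new_session & no_further_processing) is not True`, which is True for every packet that is not the first of a session and False only when both flags are set — the pid line is now logged for the wrong packets. Write it as `elif (pid and (pid != self.pid) and crit.first_packet_new_session and not no_further_processing):` (07/10 eventually does this; squash it back here). `no_further_processing` must already be bound on every path reaching this line; its initialisation is outside the hunk, so I could not confirm that. handle_pkt starts and ends outside the hunk.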
From: Matthew Haigh
Date: Fri, 4 May 2018 08:34:54 -0700
Subject: [PATCH 06/10] fixed comments and style

---
 fakenet/configs/default.ini | 2 +-
 fakenet/diverters/diverterbase.py | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/fakenet/configs/default.ini b/fakenet/configs/default.ini
index 03112f2..517b592 100644
--- a/fakenet/configs/default.ini
+++ b/fakenet/configs/default.ini
@@ -61,7 +61,7 @@ LinuxRedirectNonlocal: *
 # set to "Drop" or "Pass". "Drop" will drop the packet and "Pass" will ignore
 # it and allow it to pass through to any listening application or Fakenet-NG
 # Listener. Enter BlacklistedInterfaces as a list of IP addresses separated by
-# space (example 127.0.0.1 192.0.0.1).
+# comma or space (example 127.0.0.1 192.0.0.1).
 LinuxBlacklistInterfaces: No
 LinuxBlacklistInterfacesDisposition: Drop
 LinuxBlacklistedInterfaces: 127.0.0.1
diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index e647e4a..372bd97 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1079,10 +1079,10 @@ def parse_diverter_config(self):
 # Currently Linux-only
 self.blacklist_ifaces = None
 if self.is_set('linuxblacklistinterfaces'):
- self.blacklist_ifaces_disp = \
- self.getconfigval('linuxblacklistinterfacesdisposition', 'drop')
- self.blacklist_ifaces = \
- self.getconfigval('linuxblacklistedinterfaces', None)
+ self.blacklist_ifaces_disp = (
+ self.getconfigval('linuxblacklistinterfacesdisposition', 'drop'))
+ self.blacklist_ifaces = (
+ self.getconfigval('linuxblacklistedinterfaces', None))
 self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
 (self.blacklist_ifaces, self.blacklist_ifaces_disp))
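Review bot: The ini hunk in this patch now promises that the list may be comma- or space-separated, but this hunk still stores whatever getconfigval returns without splitting it, so as far as the diff shows the value is still one string that handle_pkt tests by substring; the separator change is documentation-only until 07/10 actually parses the value, and the two should land together. While touching these lines it would also be the moment to add `.lower()` to the disposition so the `'drop'` default and the config's `Drop` compare equal against the `== 'Drop'` check in handle_pkt. parse_diverter_config starts and ends outside the hunk.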
@@ -1170,8 +1170,15 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 if self.pdebug_level & DGENPKTV:
 logline = self.formatPkt(pkt, pid, comm)
 self.pdebug(DGENPKTV, logline)
- elif pid and (pid != self.pid) and crit.first_packet_new_session & \
- no_further_processing is not True:
+
+ # check for no_further_processing here in order to filter out
+ # packets that are being ignored already due to a blacklisted
+ # interface. If a user is using ssh over a blacklisted interface
+ # there needs to be no per-packet output by default. If there is
+ # output for each packet, an infinite loop is generated where each
+ # packet produces output which produces a packet, etc.
+ elif (pid and (pid != self.pid) and crit.first_packet_new_session &
+ no_further_processing is not True):
 self.logger.info(' pid: %d name: %s' %
 (pid, comm if comm else 'Unknown'))

From fd3d9bcf434073cebaed7234702910c826834ae0 Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Fri, 24 Aug 2018 12:57:30 -0700
Subject: [PATCH 07/10] pull request changes for 62 restrict interfaces

---
 fakenet/diverters/diverterbase.py | 34 ++++++++++++++++++-------------
 fakenet/diverters/linux.py | 17 ++++++++++++----
 2 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index 372bd97..f1a9cfc 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
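Review bot: The comment states the intent clearly, but the guard it documents is still the `&` expression: `crit.first_packet_new_session & no_further_processing is not True` parses as `(first_packet_new_session & no_further_processing) is not True`, so this branch fires for every non-first packet of a session and the per-packet output the comment is trying to prevent is still produced; the fix is `and (not no_further_processing)`. The comment could also say that the loop only arises when FakeNet-NG's own console output travels over the blacklisted address (the ssh case it mentions), that it is a feedback loop rather than an infinite loop in the code, and that the `DGENPKTV` branch three lines up is not covered by this guard. handle_pkt starts and ends outside the hunk.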
@@ -1080,9 +1080,9 @@ def parse_diverter_config(self):
 self.blacklist_ifaces = None
 if self.is_set('linuxblacklistinterfaces'):
 self.blacklist_ifaces_disp = (
- self.getconfigval('linuxblacklistinterfacesdisposition', 'drop'))
+ self.getconfigval('linuxblacklistinterfacesdisposition', 'drop').lower())
 self.blacklist_ifaces = (
- self.getconfigval('linuxblacklistedinterfaces', None))
+ set([ip.strip() for ip in self.getconfigval('linuxblacklistedinterfaces').split(',')]))
 self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
 (self.blacklist_ifaces, self.blacklist_ifaces_disp))
@@ -1153,17 +1153,21 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 crit = DivertParms(self, pkt)

 # check for blacklisted interface and drop if needed
- if (self.blacklist_ifaces and
- (pkt.src_ip in self.blacklist_ifaces or
- pkt.dst_ip in self.blacklist_ifaces)):
- self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
- (pkt.src_ip, pkt.dst_ip))
- if self.blacklist_ifaces_disp == 'drop':
- self.logger.debug("Dropping blacklist interface packet")
- pkt.drop = True
+ #print "blacklist_ifaces: %s:%s" % (self.blacklist_ifaces, type(self.blacklist_ifaces))
+ if self.blacklist_ifaces:
+ #print 'ips: %s:%s' % (self.blacklist_ifaces, type(self.blacklist_ifaces))
+ if not set([pkt.src_ip, pkt.dst_ip]).isdisjoint(self.blacklist_ifaces):
+ #print 'not disjoint'
+ self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
+ (pkt.src_ip, pkt.dst_ip))
+ if self.blacklist_ifaces_disp == 'drop':
+ self.logger.debug("Dropping blacklist interface packet")
+ pkt.drop = True
+ else:
+ self.logger.debug("Ignoring blacklist interface packet")
+ no_further_processing = True
 else:
- self.logger.debug("Ignoring blacklist interface packet")
- no_further_processing = True
+ print 'disjoint'

 # fnpacket has parsed all that can be parsed, so
 pid, comm = self.get_pid_comm(pkt)
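Review bot: `self.getconfigval('linuxblacklistedinterfaces').split(',')` drops the default the previous version passed, so enabling LinuxBlacklistInterfaces with the list line commented out will raise AttributeError on None at startup (assuming getconfigval returns None for a missing key, which the earlier two-argument call suggests); and splitting on `,` alone turns the space-separated list the ini comment still advertises into one bogus entry that matches nothing, silently disabling the protection. Accept both separators and discard empties, e.g. `set(ip.strip() for ip in re.split(r'[,\s]+', self.getconfigval('linuxblacklistedinterfaces', '') or '') if ip.strip())`, importing `re` at module level if the file does not already. parse_diverter_config starts and ends outside the hunk.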
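Review bot: `print 'disjoint'` runs for every packet that is not blacklisted, writes to stdout outside the logging framework, and as a Python 2 print statement is a SyntaxError under Python 3; together with the three commented-out `#print` lines it is debugging residue that should not land (10/10 removes it, so squash). With it in place the feature undermines itself: every non-blacklisted packet produces a line of output, which is exactly the per-packet-output feedback loop the comment later in this function describes. Note also that the removed line reads `== 'drop'` while every earlier patch in the series wrote `== 'Drop'`, so this patch as shown will not apply on top of 06/10 — an intermediate change appears to be missing from the series. handle_pkt starts and ends outside the hunk.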
@@ -1177,10 +1181,12 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 # there needs to be no per-packet output by default. If there is
 # output for each packet, an infinite loop is generated where each
 # packet produces output which produces a packet, etc.
- elif (pid and (pid != self.pid) and crit.first_packet_new_session &
- no_further_processing is not True):
+ elif (pid and (pid != self.pid) and crit.first_packet_new_session and
+ (not no_further_processing)):
 self.logger.info(' pid: %d name: %s' %
 (pid, comm if comm else 'Unknown'))
+ self.logger.info(' no_further_processing: %s' %
+ (no_further_processing))

 # 2: Call layer 3 (network) callbacks
 for cb in callbacks3:
diff --git a/fakenet/diverters/linux.py b/fakenet/diverters/linux.py
index 8794373..7bf27ae 100644
--- a/fakenet/diverters/linux.py
+++ b/fakenet/diverters/linux.py
@@ -241,8 +241,11 @@ def handle_nonlocal(self, nfqpkt):
 except Exception:
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise
-
- nfqpkt.accept() if not pkt.drop else nfqpkt.drop()
+
+ if pkt.drop:
+ nfqpkt.drop()
+ else:
+ nfqpkt.accept()

 def handle_incoming(self, nfqpkt):
 """Incoming packet hook.
@@ -266,7 +269,10 @@ def handle_incoming(self, nfqpkt):
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise

- nfqpkt.accept() if not pkt.drop else nfqpkt.drop()
+ if pkt.drop:
+ nfqpkt.drop()
+ else:
+ nfqpkt.accept()

 def handle_outgoing(self, nfqpkt):
 """Outgoing packet hook.
@@ -293,7 +299,10 @@ def handle_outgoing(self, nfqpkt):
 self.logger.error('Exception: %s' % (traceback.format_exc()))
 raise

- nfqpkt.accept() if not pkt.drop else nfqpkt.drop()
+ if pkt.drop:
+ nfqpkt.drop()
+ else:
+ nfqpkt.accept()

 def check_log_nonlocal(self, crit, pkt):
 """Conditionally log packets having a foreign destination.

From 14f931fe3569ee1f3db0fad1454f5ed1b4178e3e Mon Sep 17 00:00:00 2001
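Review bot: The added `self.logger.info(' no_further_processing: %s' ...)` prints a flag that is by construction False at this point (the `elif` just tested `not no_further_processing`), so it is debugging noise at INFO level that adds a second line to every new-session report; 08/10 removes it, so squash it out of this commit. The operator change on the `elif` is correct and resolves the `&`/`is not` precedence bug introduced in 05/10. handle_pkt starts and ends outside the hunk.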
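Review bot: The four-line drop/accept verdict is now duplicated verbatim in handle_nonlocal, handle_incoming and handle_outgoing (this hunk and the two that follow); a single helper keeps the policy in one place so that a later change — logging dropped packets, or a different verdict for the Drop disposition — is a one-line edit. Each handler would then end with `self._verdict(nfqpkt, pkt)`. All three handlers start outside their hunks.

```python
    def _verdict(self, nfqpkt, pkt):
        """Issue the NFQUEUE verdict the packet handlers asked for.

        pkt.drop is set by diverterbase (currently by the interface
        blacklist); anything else is accepted.
        """
        if pkt.drop:
            nfqpkt.drop()
        else:
            nfqpkt.accept()
```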
From: Matthew Haigh
Date: Fri, 24 Aug 2018 13:34:25 -0700
Subject: [PATCH 08/10] restrict interfaces feature only available in multihost mode

---
 fakenet/diverters/diverterbase.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index f1a9cfc..1a975d6 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1078,7 +1078,7 @@ def parse_diverter_config(self):
 # Ignore or drop packets to/from blacklisted interfaces
 # Currently Linux-only
 self.blacklist_ifaces = None
- if self.is_set('linuxblacklistinterfaces'):
+ if self.is_set('linuxblacklistinterfaces') and not self.single_host_mode:
 self.blacklist_ifaces_disp = (
 self.getconfigval('linuxblacklistinterfacesdisposition', 'drop').lower())
 self.blacklist_ifaces = (
@@ -1185,8 +1185,6 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 (not no_further_processing)):
 self.logger.info(' pid: %d name: %s' %
 (pid, comm if comm else 'Unknown'))
- self.logger.info(' no_further_processing: %s' %
- (no_further_processing))

 # 2: Call layer 3 (network) callbacks
 for cb in callbacks3:

From c3198f6e83fbda9de444604664e6afcd375ab29b Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Fri, 24 Aug 2018 14:21:05 -0700
Subject: [PATCH 09/10] added blacklist interface config to test config template

---
 test/template.ini | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/test/template.ini b/test/template.ini
index 286524c..ca7119b 100644
--- a/test/template.ini
+++ b/test/template.ini
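Review bot: Gating on `not self.single_host_mode` means a config that enables LinuxBlacklistInterfaces in single-host mode is silently ignored, and neither the ini comment nor this commit says so; the operator only finds out when traffic they expected to be left alone is redirected. Log it after the block: `elif self.is_set('linuxblacklistinterfaces'): self.logger.warning('LinuxBlacklistInterfaces is ignored in single-host mode')`, and add "Only honoured in multi-host mode" to the config comment. The subject states the restriction but not the reason; one sentence in the commit message on why single-host mode cannot honour the blacklist would help the next reader. parse_diverter_config starts and ends outside the hunk.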
@@ -40,8 +40,17 @@ DebugLevel: NFQUEUE,IPTALBS,NONLOC,GENPKTV,PCAP
 # should be applied to all interfaces. Comment out to leave unconfigured.
 LinuxRedirectNonlocal: *

+# Specify which interfaces Fakenet-NG will ignore. Disposition can be
+# set to "Drop" or "Pass". "Drop" will drop the packet and "Pass" will ignore
+# it and allow it to pass through to any listening application or Fakenet-NG
+# Listener. Enter BlacklistedInterfaces as a list of IP addresses separated by
+# comma or space (example 127.0.0.1 192.0.0.1).
+LinuxBlacklistInterfaces: No
+LinuxBlacklistInterfacesDisposition: Drop
+LinuxBlacklistedInterfaces: 127.0.0.1
+
 # Set LinuxFlushIptables to Yes to have the Linux Diverter flush all iptables
-# rules before adding its FakeNet-NG-specific rules to iptables. FakeNet-NG
+# rules before adding its FakeNet-NG-specific rules to iptables. FakeNet
 # will restore all old rules when it exits, unless its termination is
 # interrupted. If you disable this setting, and you accidentally interrupt the
 # termination of FakeNet-NG (such as by hitting Ctrl+C more than once), then be

From 4151e8bb0a9fadcb197acf6050d77f6b720905c8 Mon Sep 17 00:00:00 2001
From: Matthew Haigh
Date: Fri, 31 Aug 2018 14:24:18 -0700
Subject: [PATCH 10/10] cleaned up minor issues with blacklist interfaces feature

---
 fakenet/configs/default.ini | 2 +-
 fakenet/diverters/diverterbase.py | 57 ++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/fakenet/configs/default.ini b/fakenet/configs/default.ini
index 517b592..3aec35e 100644
--- a/fakenet/configs/default.ini
+++ b/fakenet/configs/default.ini
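Review bot: The last changed line edits an unrelated comment in the LinuxFlushIptables description (`FakeNet-NG` → `FakeNet`), which looks accidental and should be reverted. The copied block says "comma or space" while the parser at this point in the series splits on `,` only (and 10/10 changes default.ini to say comma only), so the two templates drift; use `# comma (example 127.0.0.1,192.0.0.1).` here too. This template also keeps GENPKTV in DebugLevel, so tests run with per-packet debug output for blacklisted traffic unless the GENPKTV branch in handle_pkt is gated on the blacklist as well — worth a note in the comment, since the feature exists to silence exactly that output.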
@@ -61,7 +61,7 @@ LinuxRedirectNonlocal: *
 # set to "Drop" or "Pass". "Drop" will drop the packet and "Pass" will ignore
 # it and allow it to pass through to any listening application or Fakenet-NG
 # Listener. Enter BlacklistedInterfaces as a list of IP addresses separated by
-# comma or space (example 127.0.0.1 192.0.0.1).
+# comma (example 127.0.0.1,192.0.0.1).
 LinuxBlacklistInterfaces: No
 LinuxBlacklistInterfacesDisposition: Drop
 LinuxBlacklistedInterfaces: 127.0.0.1
diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index 1a975d6..5e36aac 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -727,6 +727,18 @@ def check_privileged(self):
 return privileged

+ def involves_blacklisted_iface(self, pkt):
+ """Check packet endpoints against blacklisted ifaces config
+
+ Args:
+ pkt: a PacketCtx object
+
+ Returns:
+ bool: True if either endpoint is a blacklisted iface
+ """
+ return not set([pkt.src_ip, pkt.dst_ip]).isdisjoint(
+ self.blacklist_ifaces)
+
 def parse_listeners_config(self, listeners_config):
 """Parse listener config sections.
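Review bot: `set.isdisjoint(None)` raises TypeError, so this helper is only safe when `self.blacklist_ifaces` has been populated — the caller in handle_pkt guards for that, but a method named like a predicate should either say so in its docstring or absorb the check: `return bool(self.blacklist_ifaces) and not set([pkt.src_ip, pkt.dst_ip]).isdisjoint(self.blacklist_ifaces)`. The docstring should also say what is actually matched — the packet's source or destination IP address string against the configured addresses, not an interface — since the method and config names suggest interfaces; and `pkt` is only shown here to expose `src_ip`/`dst_ip`, so "a PacketCtx object" is an assumption I could not confirm from this diff. The two lines before the method are check_privileged's tail; that method starts outside the hunk.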
@@ -1078,13 +1090,22 @@ def parse_diverter_config(self):
 # Ignore or drop packets to/from blacklisted interfaces
 # Currently Linux-only
 self.blacklist_ifaces = None
- if self.is_set('linuxblacklistinterfaces') and not self.single_host_mode:
+ if (self.is_set('linuxblacklistinterfaces') and
+ not self.single_host_mode):
+ available_dispositions = ['drop', 'pass']
 self.blacklist_ifaces_disp = (
- self.getconfigval('linuxblacklistinterfacesdisposition', 'drop').lower())
+ self.getconfigval(
+ 'linuxblacklistinterfacesdisposition', 'drop').lower())
+ if self.blacklist_ifaces_disp not in available_dispositions:
+ self.logger.error('linuxblacklistinterfacedisposition must ' +
+ 'be one of %s' % available_dispositions)
+ sys.exit(1)
 self.blacklist_ifaces = (
- set([ip.strip() for ip in self.getconfigval('linuxblacklistedinterfaces').split(',')]))
- self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
- (self.blacklist_ifaces, self.blacklist_ifaces_disp))
+ set([ip.strip() for ip in self.getconfigval(
+ 'linuxblacklistedinterfaces').split(',')]))
+ self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
+ (self.blacklist_ifaces,
+ self.blacklist_ifaces_disp))

 def write_pcap(self, pkt):
 """Writes a packet to the pcap.
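Review bot: The address list is never validated: a typo such as `127.0.01` or a stray hostname becomes a set member that matches no packet, and the only symptom is that the traffic the operator meant to protect (typically their own ssh session) is redirected like everything else; `getconfigval('linuxblacklistedinterfaces')` is also still called without a default, so `Yes` with the list line commented out raises AttributeError on None at startup (assuming getconfigval returns None for a missing key, as the earlier two-argument call suggests). Validate each entry with `socket.inet_aton` and fail loudly the way the disposition check already does, accept the space separator the earlier comments advertised, and warn when the resulting set is empty. Separately, the error message names `linuxblacklistinterfacedisposition` (missing "s"), so it does not match the key the user has to fix. parse_diverter_config starts outside the hunk; `re`, `socket` and `sys` must be imported at module level if they are not already.

```python
            # … unchanged: disposition parsing and validation …
            raw = self.getconfigval('linuxblacklistedinterfaces', '') or ''
            ifaces = set()
            for ip in re.split(r'[,\s]+', raw.strip()):
                if not ip:
                    continue
                try:
                    socket.inet_aton(ip)
                except socket.error:
                    self.logger.error('LinuxBlacklistedInterfaces: %s is not '
                                      'an IPv4 address' % ip)
                    sys.exit(1)
                ifaces.add(ip)
            if not ifaces:
                self.logger.warning('LinuxBlacklistInterfaces is enabled but '
                                    'LinuxBlacklistedInterfaces is empty')
            self.blacklist_ifaces = ifaces
            self.logger.debug('Blacklisted interfaces: %s. Disposition: %s' %
                              (self.blacklist_ifaces,
                               self.blacklist_ifaces_disp))
```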
@@ -1153,21 +1174,17 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):

 crit = DivertParms(self, pkt)

 # check for blacklisted interface and drop if needed
- #print "blacklist_ifaces: %s:%s" % (self.blacklist_ifaces, type(self.blacklist_ifaces))
 if self.blacklist_ifaces:
- #print 'ips: %s:%s' % (self.blacklist_ifaces, type(self.blacklist_ifaces))
- if not set([pkt.src_ip, pkt.dst_ip]).isdisjoint(self.blacklist_ifaces):
- #print 'not disjoint'
- self.logger.debug("Blacklisted Interface. src: %s dst: %s" %
- (pkt.src_ip, pkt.dst_ip))
+ if self.involves_blacklisted_iface(pkt):
+ self.logger.debug('Blacklisted Interface. src:%s dst:%s' %
+ (pkt.src_ip, pkt.dst_ip))
 if self.blacklist_ifaces_disp == 'drop':
- self.logger.debug("Dropping blacklist interface packet")
+ self.logger.debug("Dropping blacklist iface packet")
 pkt.drop = True
 else:
- self.logger.debug("Ignoring blacklist interface packet")
+ self.logger.debug("Ignoring blacklist iface packet")
+ no_further_processing = True
- else:
- print 'disjoint'

 # fnpacket has parsed all that can be parsed, so
 pid, comm = self.get_pid_comm(pkt)
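Review bot: The Drop branch sets `pkt.drop = True` but leaves `no_further_processing` unset, so a packet that linux.py will then discard still goes through `get_pid_comm` and whatever the layer-3/4 callbacks below do (and any state or pcap output they produce), while only the Pass branch short-circuits; unless the callbacks are meant to observe dropped traffic, set `no_further_processing = True` right after the `'Blacklisted Interface...'` debug call so both dispositions stop here, and keep `pkt.drop = True` under the drop case. The three `self.logger.debug(...)` lines also emit per-packet output for exactly the traffic this feature exists to keep quiet, so at DEBUG level the ssh feedback loop described later in this function comes back; log once per session (e.g. only when `crit.first_packet_new_session`) or not at all. What downstream code does with `no_further_processing` is outside the hunk, so I could not confirm the callbacks honour it; handle_pkt starts and ends outside the hunk.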
@@ -1175,15 +1192,15 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 logline = self.formatPkt(pkt, pid, comm)
 self.pdebug(DGENPKTV, logline)

- # check for no_further_processing here in order to filter out
- # packets that are being ignored already due to a blacklisted
+ # check for no_further_processing here in order to filter out
+ # packets that are being ignored already due to a blacklisted
 # interface. If a user is using ssh over a blacklisted interface
 # there needs to be no per-packet output by default. If there is
 # output for each packet, an infinite loop is generated where each
 # packet produces output which produces a packet, etc.
- elif (pid and (pid != self.pid) and crit.first_packet_new_session and
- (not no_further_processing)):
- self.logger.info(' pid: %d name: %s' %
+ elif (pid and (pid != self.pid) and crit.first_packet_new_session
+ and (not no_further_processing)):
+ self.logger.info(' pid:%d name: %s' %
 (pid, comm if comm else 'Unknown'))

 # 2: Call layer 3 (network) callbacks
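Review bot: The guard only covers the INFO line; the `if self.pdebug_level & DGENPKTV:` branch whose body is the first two lines of the hunk (its `if` is outside it) still calls `self.pdebug(DGENPKTV, self.formatPkt(...))` for every packet, blacklisted or not, and test/template.ini enables GENPKTV, so the per-packet output feedback loop the comment warns about returns as soon as that debug flag is on. Gate it the same way: `if self.pdebug_level & DGENPKTV and not no_further_processing:`. The comment could also be tightened — the loop only exists when FakeNet-NG's own output travels over the blacklisted address (the ssh case), and it is a feedback loop rather than an infinite loop in the code — and it should mention that the Drop disposition does not set `no_further_processing`, so this line still fires for dropped sessions. handle_pkt starts and ends outside the hunk.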