]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | Copyright (c) 2000 | |
3 | International Computer Science Institute | |
4 | All rights reserved. | |
5 | ||
6 | This file may contain software code originally developed for the | |
7 | Sting project. The Sting software carries the following copyright: | |
8 | ||
9 | Copyright (c) 1998, 1999 | |
10 | Stefan Savage and the University of Washington. | |
11 | All rights reserved. | |
12 | ||
13 | Redistribution and use in source and binary forms, with or without | |
14 | modification, are permitted provided that the following conditions | |
15 | are met: | |
16 | 1. Redistributions of source code must retain the above copyright | |
17 | notice, this list of conditions and the following disclaimer. | |
18 | 2. Redistributions in binary form must reproduce the above copyright | |
19 | notice, this list of conditions and the following disclaimer in the | |
20 | documentation and/or other materials provided with the distribution. | |
21 | 3. All advertising materials mentioning features or use of this software | |
22 | must display the following acknowledgment: | |
23 | This product includes software developed by ACIRI, the AT&T | |
24 | Center for Internet Research at ICSI (the International Computer | |
25 | Science Institute). This product may also include software developed | |
26 | by Stefan Savage at the University of Washington. | |
27 | 4. The names of ACIRI, ICSI, Stefan Savage and University of Washington | |
28 | may not be used to endorse or promote products derived from this software | |
29 | without specific prior written permission. | |
30 | ||
31 | THIS SOFTWARE IS PROVIDED BY ICSI AND CONTRIBUTORS ``AS IS'' AND | |
32 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
33 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
34 | ARE DISCLAIMED. IN NO EVENT SHALL ICSI OR CONTRIBUTORS BE LIABLE | |
35 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
36 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
37 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
38 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
39 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
40 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
41 | SUCH DAMAGE. | |
42 | */ | |
43 | ||
44 | #include <sys/types.h> | |
45 | #include <sys/param.h> | |
46 | #include <sys/time.h> | |
47 | #include <string.h> | |
48 | #include <stdio.h> | |
49 | #include <unistd.h> | |
50 | #include <sys/socket.h> | |
51 | #include <stdlib.h> | |
52 | #include <netdb.h> | |
53 | #include <fcntl.h> | |
54 | #include <arpa/inet.h> | |
55 | #include <spawn.h> | |
56 | #include <ifaddrs.h> | |
57 | #include "inet.h" | |
58 | #include "capture.h" | |
59 | #include "support.h" | |
60 | #include "session.h" | |
61 | #include "ecn.h" | |
62 | #include "history.h" | |
63 | ||
64 | extern struct TcpSession session; | |
65 | ||
66 | void usage (char *name); | |
67 | int GetCannonicalInfo(char *string, size_t str_size, u_int32_t *address); | |
68 | int BindTcpPort(int sockfd) ; | |
69 | ||
70 | void usage(char *name) | |
71 | { | |
72 | printf("%s [options]\n", name); | |
73 | printf("\t-n <target hostname | ipaddress>\n"); | |
74 | printf("\t-p <target port>\n"); | |
75 | printf("\t-m <mss>\n"); | |
76 | printf("\t-M <mtu>\n"); | |
77 | printf("\t-w <sourcePort>\n"); | |
78 | printf("\t-s <source hostname or ip address>\n"); | |
79 | printf("\t-f <file-name to get>\n"); | |
80 | printf("\t-d <interface name>\n"); | |
81 | printf("\t-C for CE path check\n"); | |
82 | printf("\t-S [A|R|X] SYN followed by ACK or RST or nothing\n"); | |
83 | printf("\t-F [set|clear|skip] how to handle firewall rules\n"); | |
84 | return; | |
85 | } | |
86 | ||
87 | void SetupFirewall(u_int32_t targetIP, u_int16_t port, char *dev) | |
88 | { | |
89 | char pfcmd[512]; | |
90 | char *pf_file_name = "/tmp/pf.conf"; | |
91 | int pf_fd = 0, rc; | |
92 | ssize_t bytes; | |
93 | char *args[4]; | |
94 | ||
95 | bzero(pfcmd, sizeof(pfcmd)); | |
96 | ||
97 | bzero(args, sizeof(args)); | |
98 | sprintf(pfcmd, "block in quick on %s inet proto tcp from %s port %u\n", | |
99 | dev, InetAddress(targetIP), port); | |
100 | if (session.debug >= SESSION_DEBUG_LOW) | |
101 | printf("PF rule: %s\n", pfcmd); | |
102 | ||
103 | pf_fd = open(pf_file_name, O_RDWR|O_TRUNC|O_CREAT); | |
104 | if (pf_fd < 0) { | |
105 | perror("failed to open pf file"); | |
106 | exit(1); | |
107 | } | |
108 | bytes = write(pf_fd, pfcmd, strlen(pfcmd) + 1); | |
109 | close(pf_fd); | |
110 | args[0] = "pfctl"; | |
111 | args[1] = "-d"; | |
112 | args[2] = NULL; | |
113 | rc = posix_spawn(NULL, "/sbin/pfctl", NULL, NULL, args, NULL); | |
114 | if (rc != 0) { | |
115 | printf("Failed to exec: pfctl -d: %d\n", rc); | |
116 | Quit(FAIL); | |
117 | } | |
118 | ||
119 | args[1] = "-f"; | |
120 | args[2] = pf_file_name; | |
121 | args[3] = NULL; | |
122 | rc = posix_spawn(NULL, "/sbin/pfctl", NULL, NULL, args, NULL); | |
123 | if (rc != 0) { | |
124 | printf("Failed to exec: pfctl -f /tmp/pf.conf: %d\n", rc); | |
125 | Quit(FAIL); | |
126 | } | |
127 | ||
128 | args[1] = "-e"; | |
129 | args[2] = NULL; | |
130 | rc = posix_spawn(NULL, "/sbin/pfctl", NULL, NULL, args, NULL); | |
131 | if (rc != 0) { | |
132 | printf("Failed to exec: pfctl -e: %d\n", rc); | |
133 | Quit(FAIL); | |
134 | } | |
135 | } | |
136 | ||
137 | void CleanupFirewall() | |
138 | { | |
139 | char * args[3]; | |
140 | int rc; | |
141 | ||
142 | args[0] = "pfctl"; | |
143 | args[1] = "-d"; | |
144 | args[2] = NULL; | |
145 | rc = posix_spawn(NULL, "/sbin/pfctl", NULL, NULL, args, NULL); | |
146 | if (rc != 0) { | |
147 | printf("Failed to exec: pfctl -d: %d\n", rc); | |
148 | Quit(FAIL); | |
149 | } | |
150 | } | |
151 | ||
152 | void Cleanup() | |
153 | { | |
154 | if (session.initSession > 0) { | |
155 | shutdown(session.socket, 2); | |
156 | } | |
157 | if (session.initCapture > 0) { | |
158 | CaptureEnd(); | |
159 | } | |
160 | if (session.initFirewall > 0) { | |
161 | CleanupFirewall(); | |
162 | } | |
163 | } | |
164 | ||
165 | void Quit(int how) | |
166 | { | |
167 | SendReset(); | |
168 | Cleanup(); | |
169 | fflush(stdout); | |
170 | fflush(stderr); | |
171 | exit(how); | |
172 | } | |
173 | ||
174 | void SigHandle(int signo) | |
175 | { | |
176 | Cleanup(); | |
177 | fflush(stdout); | |
178 | fflush(stderr); | |
179 | exit(-1); | |
180 | } | |
181 | ||
182 | int GetCannonicalInfo(char *string, size_t str_size, u_int32_t *address) | |
183 | { | |
184 | struct hostent *hp; | |
185 | /* Is string in dotted decimal format? */ | |
186 | if ((*address = inet_addr(string)) == INADDR_NONE) { | |
187 | /* No, then lookup IP address */ | |
188 | if ((hp = gethostbyname(string)) == NULL) { | |
189 | /* Can't find IP address */ | |
190 | printf("ERROR: Couldn't obtain address for %s\n" | |
191 | "RETURN CODE: %d\n", string, FAIL); | |
192 | return(-1); | |
193 | } else { | |
194 | strlcpy(string, hp->h_name, str_size); | |
195 | memcpy((void *)address, (void *)hp->h_addr, | |
196 | hp->h_length); | |
197 | } | |
198 | } else { | |
199 | if ((hp = gethostbyaddr((char *)address, sizeof(*address), | |
200 | AF_INET)) == NULL) { | |
201 | /* | |
202 | * Can't get cannonical hostname, so just use | |
203 | * input string | |
204 | */ | |
205 | if (session.debug) { | |
206 | printf("WARNING: Couldn't obtain cannonical" | |
207 | " name for %s\nRETURN CODE: %d", | |
208 | string, NO_SRC_CANON_INFO); | |
209 | } | |
210 | /* strlcpy(name, string, MAXHOSTNAMELEN);*/ | |
211 | } else { | |
212 | /* strlcpy(name, hp->h_name, MAXHOSTNAMELEN);*/ | |
213 | } | |
214 | } | |
215 | return(0); | |
216 | } | |
217 | ||
218 | int BindTcpPort(int sockfd) | |
219 | { | |
220 | struct sockaddr_in sockName; | |
221 | int port, result; | |
222 | int randomOffset; | |
223 | ||
224 | #define START_PORT (50*1024) | |
225 | #define END_PORT (0xFFFF) | |
226 | ||
227 | /* | |
228 | * Choose random offset to reduce likelihood of | |
229 | * collision with last run | |
230 | */ | |
231 | randomOffset = (int)(1000.0*drand48()); | |
232 | ||
233 | /* Try to find a free port in the range START_PORT+1..END_PORT */ | |
234 | port = START_PORT+randomOffset; | |
235 | do { | |
236 | ++port; | |
237 | sockName.sin_addr.s_addr = INADDR_ANY; | |
238 | sockName.sin_family = AF_INET; | |
239 | sockName.sin_port = 0; //htons(port); | |
240 | result = bind(sockfd, (struct sockaddr *)&sockName, | |
241 | sizeof(sockName)); | |
242 | } while ((result < 0) && (port < END_PORT)); | |
243 | ||
244 | ||
245 | if (result < 0) { | |
246 | /* No free ports */ | |
247 | perror("bind"); | |
248 | port = 0; | |
249 | } else { | |
250 | socklen_t len = sizeof(sockName); | |
251 | result = getsockname(sockfd, (struct sockaddr *)&sockName, &len); | |
252 | if (result < 0) { | |
253 | perror("getsockname"); | |
254 | port = 0; | |
255 | } else { | |
256 | port = ntohs(sockName.sin_port); | |
257 | } | |
258 | } | |
259 | return port; | |
260 | ||
261 | } | |
262 | ||
263 | #define FIREWALL_DEFAULT 0 | |
264 | #define FIREWALL_SET_ONLY 1 | |
265 | #define FIREWALL_CLEAR_ONLY 2 | |
266 | #define FIREWALL_SKIP 3 | |
267 | ||
268 | int main(int argc, char **argv) | |
269 | { | |
270 | u_int32_t targetIpAddress = 0; | |
271 | u_int16_t targetPort = DEFAULT_TARGETPORT; | |
272 | u_int16_t sourcePort = 0; | |
273 | u_int32_t sourceIpAddress = 0; | |
274 | int mss = DEFAULT_MSS; | |
275 | int mtu = DEFAULT_MTU; | |
276 | int fd, opt, usedev = 0, rc = 0, path_check = 0; | |
277 | int syn_test = 0, syn_reply = 0; | |
278 | struct sockaddr_in saddr; | |
279 | char dev[11]; /* device name for pcap init */ | |
280 | struct ifaddrs *ifap, *tmp; | |
281 | int firewall_mode = FIREWALL_DEFAULT; | |
282 | ||
283 | bzero(&session, sizeof(session)); | |
284 | while ((opt = getopt(argc, argv, "n:p:w:m:M:s:d:f:-CS:vF:")) != -1) { | |
285 | switch (opt) { | |
286 | case 'n': | |
287 | if (strlen(optarg) > (MAXHOSTNAMELEN - 1)) { | |
288 | printf("Target host name too long, max %u chars\n", MAXHOSTNAMELEN); | |
289 | Quit(FAIL); | |
290 | } | |
291 | strlcpy(session.targetHostName, optarg, | |
292 | sizeof(session.targetHostName)); | |
293 | strlcpy(session.targetName, session.targetHostName, | |
294 | sizeof(session.targetName)); | |
295 | break; | |
296 | case 'p': | |
297 | targetPort = atoi(optarg); | |
298 | break; | |
299 | case 'm': | |
300 | mss = atoi(optarg); | |
301 | break; | |
302 | case 'M': | |
303 | mtu = atoi(optarg); | |
304 | break; | |
305 | case 'w': | |
306 | sourcePort = atoi(optarg); | |
307 | break; | |
308 | case 's': | |
309 | if (strlen(optarg) > (MAXHOSTNAMELEN - 1)) { | |
310 | printf("Source host name too long, max %u chars\n", MAXHOSTNAMELEN); | |
311 | Quit(FAIL); | |
312 | } | |
313 | strlcpy(session.sourceHostName, optarg, | |
314 | MAXHOSTNAMELEN); | |
315 | break; | |
316 | case 'd': | |
317 | if (strlen(optarg) > (sizeof(dev) - 1)) { | |
318 | printf("Interface nae is too large, max %lu chars\n", (sizeof(dev) - 1)); | |
319 | Quit(FAIL); | |
320 | } | |
321 | bzero(dev, sizeof(dev)); | |
322 | strlcpy(dev, optarg, sizeof(dev)); | |
323 | usedev = 1; | |
324 | break; | |
325 | case 'f': | |
326 | if (strlen(optarg) > 0) { | |
327 | session.filename = strndup(optarg, strlen(optarg) + 1); | |
328 | } else { | |
329 | printf("Invalid file name \n"); | |
330 | } | |
331 | break; | |
332 | case 'F': | |
333 | if (strcasecmp(optarg, "default") == 0) | |
334 | firewall_mode = FIREWALL_DEFAULT; | |
335 | else if (strcasecmp(optarg, "set") == 0) | |
336 | firewall_mode = FIREWALL_SET_ONLY; | |
337 | else if (strcasecmp(optarg, "clear") == 0) | |
338 | firewall_mode = FIREWALL_CLEAR_ONLY; | |
339 | else if (strcasecmp(optarg, "skip") == 0) | |
340 | firewall_mode = FIREWALL_SKIP; | |
341 | else | |
342 | printf("firewall mode\n"); | |
343 | break; | |
344 | case 'C': | |
345 | path_check = 1; | |
346 | break; | |
347 | case 'S': | |
348 | syn_test = 1; | |
349 | if (strcasecmp(optarg, "A") == 0) | |
350 | syn_reply = TCPFLAGS_ACK; | |
351 | else if (strcasecmp(optarg, "R") == 0) | |
352 | syn_reply = TCPFLAGS_RST; | |
353 | else if (strcasecmp(optarg, "X") == 0) | |
354 | syn_reply = 0; | |
355 | else | |
356 | printf("Invalid SYN reply \n"); | |
357 | break; | |
358 | case 'v': | |
359 | session.debug++; | |
360 | break; | |
361 | default: | |
362 | usage(argv[0]); | |
363 | exit(1); | |
364 | } | |
365 | } | |
366 | signal(SIGTERM, SigHandle); | |
367 | signal(SIGINT, SigHandle); | |
368 | signal(SIGHUP, SigHandle); | |
369 | ||
370 | if (GetCannonicalInfo(session.targetHostName, sizeof(session.targetHostName), | |
371 | &targetIpAddress) < 0) | |
372 | { | |
373 | printf("Failed to convert targetIP address\n"); | |
374 | Quit(NO_TARGET_CANON_INFO); | |
375 | } | |
376 | rc = getifaddrs(&ifap); | |
377 | if (rc != 0 || ifap == NULL) { | |
378 | printf("Failed to get source addresswith getifaddrs: %d\n", rc); | |
379 | Quit(FAIL); | |
380 | } | |
381 | tmp = ifap; | |
382 | sourceIpAddress = 0; | |
383 | bzero(session.sourceHostName, MAXHOSTNAMELEN); | |
384 | for (tmp = ifap; tmp != NULL; tmp = tmp->ifa_next) { | |
385 | struct sockaddr_in *sin; | |
386 | if (tmp->ifa_addr == NULL) | |
387 | continue; | |
388 | if (tmp->ifa_addr->sa_family != PF_INET) | |
389 | continue; | |
390 | if (usedev == 1) { | |
391 | /* we know which interface to use */ | |
392 | if (strcmp(dev, tmp->ifa_name) == 0) { | |
393 | sin = (struct sockaddr_in *)tmp->ifa_addr; | |
394 | sourceIpAddress = sin->sin_addr.s_addr; | |
395 | strlcpy(session.sourceHostName, | |
396 | inet_ntoa(sin->sin_addr), | |
397 | sizeof(session.sourceHostName)); | |
398 | } else { | |
399 | continue; | |
400 | } | |
401 | } else { | |
402 | /* pick the first address */ | |
403 | bzero(dev, sizeof(dev)); | |
404 | sin = (struct sockaddr_in *)tmp->ifa_addr; | |
405 | sourceIpAddress = sin->sin_addr.s_addr; | |
406 | strlcpy(session.sourceHostName, | |
407 | inet_ntoa(sin->sin_addr), | |
408 | sizeof(session.sourceHostName)); | |
409 | strlcpy(dev, tmp->ifa_name, sizeof(dev)); | |
410 | } | |
411 | } | |
412 | freeifaddrs(ifap); | |
413 | if (sourceIpAddress == 0) { | |
414 | printf("Failed to get source Ip address\n"); | |
415 | Quit(FAIL); | |
416 | } | |
417 | ||
418 | if (sourcePort == 0) { | |
419 | bzero(&saddr, sizeof(saddr)); | |
420 | saddr.sin_family = AF_INET; | |
421 | if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { | |
422 | printf("Can't open socket\n"); | |
423 | return (-1); | |
424 | } | |
425 | if ((sourcePort = BindTcpPort(fd)) == 0) { | |
426 | printf("Can't bind to port\n"); | |
427 | return (-1); | |
428 | } | |
429 | } | |
430 | printf("Source: %s:%d\n", session.sourceHostName, sourcePort); | |
431 | printf("Destination: %s:%d\n", session.targetHostName, targetPort); | |
432 | ||
433 | switch (firewall_mode) { | |
434 | case FIREWALL_DEFAULT: | |
435 | SetupFirewall(targetIpAddress, targetPort, dev); | |
436 | session.initFirewall = 1; | |
437 | break; | |
438 | case FIREWALL_SET_ONLY: | |
439 | SetupFirewall(targetIpAddress, targetPort, dev); | |
440 | goto done; | |
441 | case FIREWALL_CLEAR_ONLY: | |
442 | session.initFirewall = 1; | |
443 | goto done; | |
444 | case FIREWALL_SKIP: | |
445 | break; | |
446 | } | |
447 | ||
448 | CaptureInit(sourceIpAddress, sourcePort, targetIpAddress, | |
449 | targetPort, dev); | |
450 | session.initCapture = 1; | |
451 | ||
452 | ||
453 | printf("Starting ECN test\n"); | |
454 | if (syn_test) { | |
455 | session.dont_send_reset = 1; | |
456 | SynTest(sourceIpAddress, sourcePort, targetIpAddress, | |
457 | targetPort, mss, syn_reply); | |
458 | } else if (path_check) { | |
459 | ECNPathCheckTest(sourceIpAddress, sourcePort, targetIpAddress, | |
460 | targetPort, mss); | |
461 | } else { | |
462 | ECNTest(sourceIpAddress, sourcePort, targetIpAddress, | |
463 | targetPort, mss); | |
464 | } | |
465 | done: | |
466 | Quit(SUCCESS); | |
467 | close(session.socket); | |
468 | return (0); | |
469 | } |