authordlg <dlg@openbsd.org>2019-03-18 00:09:22 +0000
committerdlg <dlg@openbsd.org>2019-03-18 00:09:22 +0000
commite1e6f92ab214dc60d8460635b98033ed2ad497ba (patch)
tree569b264d8539d9b996adbdbedab96c07b0ad86c0 /usr.sbin/tcpdump/tcpdump.c
parentextend BIOCSFILDROP so it can be configured to not capture packets. (diff)
support configuring BIOCSFILDROP with tcpdump.
this allows tcpdump to be used as a quick and dirty firewall. it also looks like an amazing foot-gun, so be careful. for example `tcpdump -B drop -i ix1 udp and port 7` lets you completely drop discard packets in the hardware interrupt handler. ok sthen@ mikeb@ claudio@ visa@
Diffstat (limited to 'usr.sbin/tcpdump/tcpdump.c')
-rw-r--r--usr.sbin/tcpdump/tcpdump.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index b4818a38491..60552c8c19c 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.88 2018/11/08 14:06:09 brynet Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.89 2019/03/18 00:09:22 dlg Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -61,6 +61,7 @@
int Aflag; /* dump ascii */
int aflag; /* translate network and broadcast addresses */
+int Bflag; /* BPF fildrop setting */
int dflag; /* print filter code */
int eflag; /* print ethernet header */
int fflag; /* don't translate "foreign" IP address */
@@ -231,7 +232,7 @@ main(int argc, char **argv)
opterr = 0;
while ((op = getopt(argc, argv,
- "Aac:D:deE:fF:i:IlLnNOopqr:s:StT:vw:xXy:Y")) != -1)
+ "AaB:c:D:deE:fF:i:IlLnNOopqr:s:StT:vw:xXy:Y")) != -1)
switch (op) {
case 'A':
@@ -243,6 +244,19 @@ main(int argc, char **argv)
aflag = 1;
break;
+ case 'B':
+ if (strcasecmp(optarg, "pass") == 0)
+ Bflag = BPF_FILDROP_PASS;
+ else if (strcasecmp(optarg, "capture") == 0)
+ Bflag = BPF_FILDROP_CAPTURE;
+ else if (strcasecmp(optarg, "drop") == 0)
+ Bflag = BPF_FILDROP_DROP;
+ else {
+ error("invalid BPF fildrop option: %s",
+ optarg);
+ }
+ break;
+
case 'c':
cnt = strtonum(optarg, 1, INT_MAX, &errstr);
if (errstr)
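Review bot: The new `case 'B'` accepts `drop` and `capture` without anything in the visible code tying them to the presence of a filter expression. An empty expression normally compiles to a filter that matches every packet, so a run with `-B drop -i <interface>` and no expression would presumably discard all traffic on that interface rather than a chosen subset. After option parsing, a guard along the lines of `if (Bflag != BPF_FILDROP_PASS && optind == argc) error("-B requires a filter expression");` (adjusted so a filter supplied with `-F file` still counts) would turn the foot-gun into an explicit error. The body of `main` continues outside this hunk, so such a check may already exist further down.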
@@ -440,7 +454,7 @@ main(int argc, char **argv)
error("%s", ebuf);
}
pd = priv_pcap_live(device, snaplen, !pflag, 1000, ebuf,
- dlt, dirfilt);
+ dlt, dirfilt, Bflag);
if (pd == NULL)
error("%s", ebuf);
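Review bot: `Bflag` is passed to `priv_pcap_live()` on every live capture, so a run without `-B` sends the zero-initialised global and relies on `BPF_FILDROP_PASS` being 0, which this diff does not show. Declaring it as `int Bflag = BPF_FILDROP_PASS; /* BPF fildrop setting */` in the flags hunk would make the default explicit and independent of the constant's value. The receiving side of `priv_pcap_live()` is not part of this file; since the value appears to be handed to the privileged process, that side should reject anything other than the three `BPF_FILDROP_*` constants before applying it. `-B` also looks to be silently ignored when reading from a file with `-r`, though that branch lies outside the hunk.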
@@ -700,7 +714,7 @@ __dead void
usage(void)
{
(void)fprintf(stderr,
-"Usage: %s [-AadefILlNnOopqStvXx] [-c count] [-D direction]\n",
+"Usage: %s [-AadefILlNnOopqStvXx] [-B fildrop] [-c count] [-D direction]\n",
program_name);
(void)fprintf(stderr,
"\t [-E [espalg:]espkey] [-F file] [-i interface] [-r file]\n");