Re: tcpdump: drop atalk support

2017-06-13 Thread Michal Mazurek
Let's not support loading addresses from /etc/appletalk.names.

There are two points to consider:
* tcpdump uses just one file now (/etc/pf.os) which means we can probably
simplify priv_getlines(), but let's not right now.
* there is some lookup code left, but let's remove it later.
Removing it is not as simple, because the hnametable[] array is used even
when printing a numerical address.

Comments? OK?

Index: usr.sbin/tcpdump/print-atalk.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-atalk.c,v
retrieving revision 1.31
diff -u -p -r1.31 print-atalk.c
--- usr.sbin/tcpdump/print-atalk.c  28 Oct 2016 12:54:05 -  1.31
+++ usr.sbin/tcpdump/print-atalk.c  13 Jun 2017 19:32:10 -
@@ -554,51 +554,13 @@ struct hnamemem {
 
 static struct hnamemem hnametable[HASHNAMESIZE];
 
-/*
- * see if there's an AppleTalk number to name map file.
- */
-static void
-init_atalk(void)
-{
-   struct hnamemem *tp;
-   char nambuf[HOST_NAME_MAX+1 + 20];
-   char line[BUFSIZ];
-   int i1, i2, i3;
-
-   priv_getlines(FTAB_APPLETALK);
-   while (priv_getline(line, sizeof(line)) > 0) {
-   if (line[0] == '\n' || line[0] == 0 || line[0] == '#')
-   continue;
-   if (sscanf(line, "%d.%d.%d %255s", &i1, &i2, &i3, nambuf) == 4)
-   /* got a hostname. */
-   i3 |= ((i1 << 8) | i2) << 8;
-   else if (sscanf(line, "%d.%d %255s", &i1, &i2, nambuf) == 3)
-   /* got a net name */
-   i3 = (((i1 << 8) | i2) << 8) | 255;
-   else
-   continue;
-   
-   for (tp = &hnametable[i3 & (HASHNAMESIZE-1)];
-tp->nxt; tp = tp->nxt)
-   ;
-   tp->addr = i3;
-   tp->nxt = newhnamemem();
-   tp->name = savestr(nambuf);
-   }
-}
-
 static const char *
 ataddr_string(u_short atnet, u_char athost)
 {
struct hnamemem *tp, *tp2;
int i = (atnet << 8) | athost;
char nambuf[HOST_NAME_MAX+1 + 20];
-   static int first = 1;
 
-   if (first) {
-   first = 0;
-   init_atalk();
-   }
for (tp = &hnametable[i & (HASHNAMESIZE-1)]; tp->nxt; tp = tp->nxt)
if (tp->addr == i)
return (tp->name);
Index: usr.sbin/tcpdump/privsep.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.44
diff -u -p -r1.44 privsep.c
--- usr.sbin/tcpdump/privsep.c  23 Jan 2017 04:25:05 -  1.44
+++ usr.sbin/tcpdump/privsep.c  13 Jun 2017 19:32:10 -
@@ -101,8 +101,7 @@ struct ftab {
int count;
 };
 
-static struct ftab file_table[] = {{"/etc/appletalk.names", 1, 0},
-  {PF_OSFP_FILE, 1, 0}};
+static struct ftab file_table[] = {{PF_OSFP_FILE, 1, 0}};
 
 #define NUM_FILETAB (sizeof(file_table) / sizeof(struct ftab))
 
Index: usr.sbin/tcpdump/privsep.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.h,v
retrieving revision 1.8
diff -u -p -r1.8 privsep.h
--- usr.sbin/tcpdump/privsep.h  14 Jul 2015 20:23:40 -  1.8
+++ usr.sbin/tcpdump/privsep.h  13 Jun 2017 19:32:10 -
@@ -22,8 +22,7 @@
 #define TCPDUMP_MAGIC 0xa1b2c3d4
 
 /* file ids used by priv_getlines */
-#define FTAB_APPLETALK 0
-#define FTAB_PFOSFP1
+#define FTAB_PFOSFP0
 
 enum cmd_types {
PRIV_OPEN_BPF,  /* open a bpf descriptor */
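Review bot: `FTAB_PFOSFP` changes from 1 to 0 here and stays correct only because `file_table[]` in privsep.c loses its first entry in the same patch; nothing in either file ties the id to the table position. From the visible lines the id appears to be what selects the path read on behalf of `priv_getlines()`, so a stale id would select a different file or fall outside the now one-entry table, and the range check against `NUM_FILETAB` is not visible in these hunks and is worth confirming. Assuming privsep.c includes privsep.h, I would index the initializer by the id, `static struct ftab file_table[] = {[FTAB_PFOSFP] = {PF_OSFP_FILE, 1, 0}};`, and extend the comment above the define to `/* file ids used by priv_getlines; index into file_table[] in privsep.c */`. The same applies to the privsep.c hunk earlier in this message and to both hunks as first posted in the 2017-05-30 message further down. On this page the whitespace between macro name and value was lost, so `FTAB_PFOSFP0` is to be read as the name followed by the value 0.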


-- 
Michal Mazurek



Re: tcpdump: drop atalk support

2017-06-11 Thread Theo de Raadt
> On Thu, Jun 08, 2017 at 09:42:44PM +0200, Michal Mazurek wrote:
> > Let's start by ignoring the existence of AppleTalk in the manpage,
> > reducing it by 10%. This leaves mention of atalk in the syntax of libpcap.
> > 
> > A second diff will remove /etc/atalk.names support reducing the amount
> > of appletalk code significantly.
> > 
> > Comments? OK?
> 
> OK claudio@

ok deraadt, also



Re: tcpdump: drop atalk support

2017-06-08 Thread Jason McIntyre
On Thu, Jun 08, 2017 at 09:42:44PM +0200, Michal Mazurek wrote:
> Let's start by ignoring the existence of AppleTalk in the manpage,
> reducing it by 10%. This leaves mention of atalk in the syntax of libpcap.
> 
> A second diff will remove /etc/atalk.names support reducing the amount
> of appletalk code significantly.
> 
> Comments? OK?
> 

no objection. aside from pcap, there is mention of atalk in gre(4),
which you might want to look at.

jmc

> Index: usr.sbin/tcpdump/tcpdump.8
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
> retrieving revision 1.92
> diff -u -p -r1.92 tcpdump.8
> --- usr.sbin/tcpdump/tcpdump.819 Apr 2017 05:36:13 -  1.92
> +++ usr.sbin/tcpdump/tcpdump.88 Jun 2017 19:36:14 -
> @@ -1604,142 +1604,6 @@ requests, and matches them to the replie
>  .Pq transaction ID .
>  If a reply does not closely follow the corresponding request,
>  it might not be parsable.
> -.Ss KIP AppleTalk (DDP in UDP)
> -AppleTalk DDP packets encapsulated in UDP datagrams
> -are de-encapsulated and dumped as DDP packets
> -.Pq i.e., all the UDP header information is discarded .
> -The file
> -.Pa /etc/atalk.names
> -is used to translate AppleTalk net and node numbers to names.
> -Lines in this file have the form
> -.Bl -column "number" "name" -offset indent
> -.It Sy "number" Ta Ta Sy "name"
> -.It "1.254" Ta Ta "ether"
> -.It "16.1" Ta Ta "icsd-net"
> -.It "1.254.110" Ta Ta "ace"
> -.El
> -.Pp
> -The first two lines give the names of AppleTalk networks.
> -The third line gives the name of a particular host
> -(a host is distinguished from a net by the 3rd octet in the number;
> -a net number
> -.Em must
> -have two octets and a host number
> -.Em must
> -have three octets).
> -The number and name should be separated by whitespace (blanks or tabs).
> -The
> -.Pa /etc/atalk.names
> -file may contain blank lines or comment lines
> -(lines starting with a
> -.Ql # ) .
> -.Pp
> -AppleTalk addresses are printed in the form
> -.Pp
> -.D1 Ar net . Ns Ar host . Ns Ar port
> -.Pp
> -For example:
> -.Bd -unfilled -offset indent
> -144.1.209.2 > icsd-net.112.220
> -office.2 > icsd-net.112.220
> -jssmag.149.235 > icsd-net.2
> -.Ed
> -.Pp
> -If
> -.Pa /etc/atalk.names
> -doesn't exist or doesn't contain an entry for some AppleTalk
> -host/net number, addresses are printed in numeric form.
> -In the first example, NBP
> -.Pq DDP port 2
> -on net 144.1 node 209
> -is sending to whatever is listening on port 220 of net icsd-net node 112.
> -The second line is the same except the full name of the source node is known
> -.Pq Dq office .
> -The third line is a send from port 235 on
> -net jssmag node 149 to broadcast on the icsd-net NBP port.
> -The broadcast address
> -.Pq 255
> -is indicated by a net name with no host number;
> -for this reason it is a good idea to keep node names and net names distinct 
> in
> -.Pa /etc/atalk.names .
> -.Pp
> -NBP
> -.Pq name binding protocol
> -and ATP
> -.Pq AppleTalk transaction protocol
> -packets have their contents interpreted.
> -Other protocols just dump the protocol name
> -.Po
> -or number if no name is registered for the protocol
> -.Pc
> -and packet size.
> -.Pp
> -NBP packets are formatted like the following examples:
> -.Bd -unfilled
> -icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
> -jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
> -techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
> -.Ed
> -.Pp
> -The first line is a name lookup request for laserwriters sent by
> -net icsdi-net host
> -112 and broadcast on net jssmag.
> -The nbp ID for the lookup is 190.
> -The second line shows a reply for this request
> -.Pq note that it has the same ID
> -from host jssmag.209 saying that it has a laserwriter
> -resource named RM1140 registered on port 250.
> -The third line is another reply to the same request
> -saying host techpit has laserwriter techpit registered on port 186.
> -.Pp
> -ATP packet formatting is demonstrated by the following example:
> -.Bd -unfilled -offset indent
> -jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae04
> -jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
> -jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
> -jssmag.209

Re: tcpdump: drop atalk support

2017-06-08 Thread Claudio Jeker
On Thu, Jun 08, 2017 at 09:42:44PM +0200, Michal Mazurek wrote:
> Let's start by ignoring the existence of AppleTalk in the manpage,
> reducing it by 10%. This leaves mention of atalk in the syntax of libpcap.
> 
> A second diff will remove /etc/atalk.names support reducing the amount
> of appletalk code significantly.
> 
> Comments? OK?

OK claudio@
 
> Index: usr.sbin/tcpdump/tcpdump.8
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
> retrieving revision 1.92
> diff -u -p -r1.92 tcpdump.8
> --- usr.sbin/tcpdump/tcpdump.819 Apr 2017 05:36:13 -  1.92
> +++ usr.sbin/tcpdump/tcpdump.88 Jun 2017 19:36:14 -
> @@ -1604,142 +1604,6 @@ requests, and matches them to the replie
>  .Pq transaction ID .
>  If a reply does not closely follow the corresponding request,
>  it might not be parsable.
> -.Ss KIP AppleTalk (DDP in UDP)
> -AppleTalk DDP packets encapsulated in UDP datagrams
> -are de-encapsulated and dumped as DDP packets
> -.Pq i.e., all the UDP header information is discarded .
> -The file
> -.Pa /etc/atalk.names
> -is used to translate AppleTalk net and node numbers to names.
> -Lines in this file have the form
> -.Bl -column "number" "name" -offset indent
> -.It Sy "number" Ta Ta Sy "name"
> -.It "1.254" Ta Ta "ether"
> -.It "16.1" Ta Ta "icsd-net"
> -.It "1.254.110" Ta Ta "ace"
> -.El
> -.Pp
> -The first two lines give the names of AppleTalk networks.
> -The third line gives the name of a particular host
> -(a host is distinguished from a net by the 3rd octet in the number;
> -a net number
> -.Em must
> -have two octets and a host number
> -.Em must
> -have three octets).
> -The number and name should be separated by whitespace (blanks or tabs).
> -The
> -.Pa /etc/atalk.names
> -file may contain blank lines or comment lines
> -(lines starting with a
> -.Ql # ) .
> -.Pp
> -AppleTalk addresses are printed in the form
> -.Pp
> -.D1 Ar net . Ns Ar host . Ns Ar port
> -.Pp
> -For example:
> -.Bd -unfilled -offset indent
> -144.1.209.2 > icsd-net.112.220
> -office.2 > icsd-net.112.220
> -jssmag.149.235 > icsd-net.2
> -.Ed
> -.Pp
> -If
> -.Pa /etc/atalk.names
> -doesn't exist or doesn't contain an entry for some AppleTalk
> -host/net number, addresses are printed in numeric form.
> -In the first example, NBP
> -.Pq DDP port 2
> -on net 144.1 node 209
> -is sending to whatever is listening on port 220 of net icsd-net node 112.
> -The second line is the same except the full name of the source node is known
> -.Pq Dq office .
> -The third line is a send from port 235 on
> -net jssmag node 149 to broadcast on the icsd-net NBP port.
> -The broadcast address
> -.Pq 255
> -is indicated by a net name with no host number;
> -for this reason it is a good idea to keep node names and net names distinct 
> in
> -.Pa /etc/atalk.names .
> -.Pp
> -NBP
> -.Pq name binding protocol
> -and ATP
> -.Pq AppleTalk transaction protocol
> -packets have their contents interpreted.
> -Other protocols just dump the protocol name
> -.Po
> -or number if no name is registered for the protocol
> -.Pc
> -and packet size.
> -.Pp
> -NBP packets are formatted like the following examples:
> -.Bd -unfilled
> -icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
> -jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
> -techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
> -.Ed
> -.Pp
> -The first line is a name lookup request for laserwriters sent by
> -net icsdi-net host
> -112 and broadcast on net jssmag.
> -The nbp ID for the lookup is 190.
> -The second line shows a reply for this request
> -.Pq note that it has the same ID
> -from host jssmag.209 saying that it has a laserwriter
> -resource named RM1140 registered on port 250.
> -The third line is another reply to the same request
> -saying host techpit has laserwriter techpit registered on port 186.
> -.Pp
> -ATP packet formatting is demonstrated by the following example:
> -.Bd -unfilled -offset indent
> -jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae04
> -jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
> -helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
> -helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
> -jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
> -jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
> -.Ed
> -.Pp
> -Jssmag.209 initiates transact

Re: tcpdump: drop atalk support

2017-06-08 Thread Michal Mazurek
Let's start by ignoring the existence of AppleTalk in the manpage,
reducing it by 10%. This leaves mention of atalk in the syntax of libpcap.

A second diff will remove /etc/atalk.names support reducing the amount
of appletalk code significantly.

Comments? OK?

Index: usr.sbin/tcpdump/tcpdump.8
===
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
retrieving revision 1.92
diff -u -p -r1.92 tcpdump.8
--- usr.sbin/tcpdump/tcpdump.8  19 Apr 2017 05:36:13 -  1.92
+++ usr.sbin/tcpdump/tcpdump.8  8 Jun 2017 19:36:14 -
@@ -1604,142 +1604,6 @@ requests, and matches them to the replie
 .Pq transaction ID .
 If a reply does not closely follow the corresponding request,
 it might not be parsable.
-.Ss KIP AppleTalk (DDP in UDP)
-AppleTalk DDP packets encapsulated in UDP datagrams
-are de-encapsulated and dumped as DDP packets
-.Pq i.e., all the UDP header information is discarded .
-The file
-.Pa /etc/atalk.names
-is used to translate AppleTalk net and node numbers to names.
-Lines in this file have the form
-.Bl -column "number" "name" -offset indent
-.It Sy "number" Ta Ta Sy "name"
-.It "1.254" Ta Ta "ether"
-.It "16.1" Ta Ta "icsd-net"
-.It "1.254.110" Ta Ta "ace"
-.El
-.Pp
-The first two lines give the names of AppleTalk networks.
-The third line gives the name of a particular host
-(a host is distinguished from a net by the 3rd octet in the number;
-a net number
-.Em must
-have two octets and a host number
-.Em must
-have three octets).
-The number and name should be separated by whitespace (blanks or tabs).
-The
-.Pa /etc/atalk.names
-file may contain blank lines or comment lines
-(lines starting with a
-.Ql # ) .
-.Pp
-AppleTalk addresses are printed in the form
-.Pp
-.D1 Ar net . Ns Ar host . Ns Ar port
-.Pp
-For example:
-.Bd -unfilled -offset indent
-144.1.209.2 > icsd-net.112.220
-office.2 > icsd-net.112.220
-jssmag.149.235 > icsd-net.2
-.Ed
-.Pp
-If
-.Pa /etc/atalk.names
-doesn't exist or doesn't contain an entry for some AppleTalk
-host/net number, addresses are printed in numeric form.
-In the first example, NBP
-.Pq DDP port 2
-on net 144.1 node 209
-is sending to whatever is listening on port 220 of net icsd-net node 112.
-The second line is the same except the full name of the source node is known
-.Pq Dq office .
-The third line is a send from port 235 on
-net jssmag node 149 to broadcast on the icsd-net NBP port.
-The broadcast address
-.Pq 255
-is indicated by a net name with no host number;
-for this reason it is a good idea to keep node names and net names distinct in
-.Pa /etc/atalk.names .
-.Pp
-NBP
-.Pq name binding protocol
-and ATP
-.Pq AppleTalk transaction protocol
-packets have their contents interpreted.
-Other protocols just dump the protocol name
-.Po
-or number if no name is registered for the protocol
-.Pc
-and packet size.
-.Pp
-NBP packets are formatted like the following examples:
-.Bd -unfilled
-icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
-jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
-techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
-.Ed
-.Pp
-The first line is a name lookup request for laserwriters sent by
-net icsdi-net host
-112 and broadcast on net jssmag.
-The nbp ID for the lookup is 190.
-The second line shows a reply for this request
-.Pq note that it has the same ID
-from host jssmag.209 saying that it has a laserwriter
-resource named RM1140 registered on port 250.
-The third line is another reply to the same request
-saying host techpit has laserwriter techpit registered on port 186.
-.Pp
-ATP packet formatting is demonstrated by the following example:
-.Bd -unfilled -offset indent
-jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
-helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae04
-jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
-helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae04
-helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae04
-jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
-jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
-.Ed
-.Pp
-Jssmag.209 initiates transaction ID 12266 with host helios by requesting
-up to 8 packets
-.Sm off
-.Pq the Dq <0\-7> .
-.Sm on
-The hex number at the end of the line is the value of the
-.Ar userdata
-field in the request.
-.Pp
-Helios responds with 8 512-byte packets.
-The
-.Dq : Ns Ar n
-following the
-transaction ID gives the packet sequence number in the transactio

Re: tcpdump: drop atalk support

2017-05-30 Thread Ian McWilliam
EtherTalk (Appletalk over Ethernet) was removed in Mac OS X v10.6 in 2009.
You never know what might be flying across your network

Ian McWilliam

From: owner-t...@openbsd.org  on behalf of Henning 
Brauer 
Sent: Tuesday, 30 May 2017 7:59:40 PM
To: tech@openbsd.org
Subject: Re: tcpdump: drop atalk support

* Theo de Raadt  [2017-05-30 10:56]:
> > How about just dropping support for /etc/appletalk.names, which as far
> > as I can tell was never used, and drop the manpage bit, reducing it by
> > 10%. Most of the text in the manpage is outdated anyway, talking about
> > /etc/atalk.names - support for which was removed in 2004 with the
> > privsep work. Something like this:
>
> Sure sure.
>
> My main objection to full removal was that you see a numbered packet
> flying over your network and don't know what catagory it is in.
> Suddenly google search is neccessary because tcpdump is going out
> of the way to not help.  So it should help, answering the minimum
> question of "what type is that packet, should I worry".

agreed.
can we limit this to just being able to identify appletalk?

note that this is ethertype appletalk, not appletalk over ip. afaik
that means pre-macosx.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: tcpdump: drop atalk support

2017-05-30 Thread Theo de Raadt
> * Theo de Raadt  [2017-05-30 10:56]:
> > > How about just dropping support for /etc/appletalk.names, which as far
> > > as I can tell was never used, and drop the manpage bit, reducing it by
> > > 10%. Most of the text in the manpage is outdated anyway, talking about
> > > /etc/atalk.names - support for which was removed in 2004 with the
> > > privsep work. Something like this:
> > 
> > Sure sure.
> > 
> > My main objection to full removal was that you see a numbered packet
> > flying over your network and don't know what catagory it is in.
> > Suddenly google search is neccessary because tcpdump is going out
> > of the way to not help.  So it should help, answering the minimum
> > question of "what type is that packet, should I worry".
> 
> agreed.
> can we limit this to just being able to identify appletalk?

that's precisely the minimum i think tcpdump should do.

if it never prints hex, i'd be happy.



Re: tcpdump: drop atalk support

2017-05-30 Thread Henning Brauer
* Theo de Raadt  [2017-05-30 10:56]:
> > How about just dropping support for /etc/appletalk.names, which as far
> > as I can tell was never used, and drop the manpage bit, reducing it by
> > 10%. Most of the text in the manpage is outdated anyway, talking about
> > /etc/atalk.names - support for which was removed in 2004 with the
> > privsep work. Something like this:
> 
> Sure sure.
> 
> My main objection to full removal was that you see a numbered packet
> flying over your network and don't know what catagory it is in.
> Suddenly google search is neccessary because tcpdump is going out
> of the way to not help.  So it should help, answering the minimum
> question of "what type is that packet, should I worry".

agreed.
can we limit this to just being able to identify appletalk?

note that this is ethertype appletalk, not appletalk over ip. afaik
that means pre-macosx.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: tcpdump: drop atalk support

2017-05-30 Thread Theo de Raadt
> How about just dropping support for /etc/appletalk.names, which as far
> as I can tell was never used, and drop the manpage bit, reducing it by
> 10%. Most of the text in the manpage is outdated anyway, talking about
> /etc/atalk.names - support for which was removed in 2004 with the
> privsep work. Something like this:

Sure sure.

My main objection to full removal was that you see a numbered packet
flying over your network and don't know what category it is in.
Suddenly google search is necessary because tcpdump is going out
of the way to not help.  So it should help, answering the minimum
question of "what type is that packet, should I worry".



Re: tcpdump: drop atalk support

2017-05-30 Thread Michal Mazurek
How about just dropping support for /etc/appletalk.names, which as far
as I can tell was never used, and drop the manpage bit, reducing it by
10%. Most of the text in the manpage is outdated anyway, talking about
/etc/atalk.names - support for which was removed in 2004 with the
privsep work. Something like this:

Index: usr.sbin/tcpdump/privsep.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.44
diff -u -p -r1.44 privsep.c
--- usr.sbin/tcpdump/privsep.c  23 Jan 2017 04:25:05 -  1.44
+++ usr.sbin/tcpdump/privsep.c  28 May 2017 13:46:59 -
@@ -101,8 +101,7 @@ struct ftab {
int count;
 };
 
-static struct ftab file_table[] = {{"/etc/appletalk.names", 1, 0},
-  {PF_OSFP_FILE, 1, 0}};
+static struct ftab file_table[] = {{PF_OSFP_FILE, 1, 0}};
 
 #define NUM_FILETAB (sizeof(file_table) / sizeof(struct ftab))
 
Index: usr.sbin/tcpdump/privsep.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.h,v
retrieving revision 1.8
diff -u -p -r1.8 privsep.h
--- usr.sbin/tcpdump/privsep.h  14 Jul 2015 20:23:40 -  1.8
+++ usr.sbin/tcpdump/privsep.h  28 May 2017 13:46:59 -
@@ -22,8 +22,7 @@
 #define TCPDUMP_MAGIC 0xa1b2c3d4
 
 /* file ids used by priv_getlines */
-#define FTAB_APPLETALK 0
-#define FTAB_PFOSFP1
+#define FTAB_PFOSFP0
 
 enum cmd_types {
PRIV_OPEN_BPF,  /* open a bpf descriptor */
Index: usr.sbin/tcpdump/tcpdump.8
===
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.8,v
retrieving revision 1.92
diff -u -p -r1.92 tcpdump.8
--- usr.sbin/tcpdump/tcpdump.8  19 Apr 2017 05:36:13 -  1.92
+++ usr.sbin/tcpdump/tcpdump.8  28 May 2017 13:47:00 -
@@ -1604,142 +1604,6 @@ requests, and matches them to the replie
 .Pq transaction ID .
 If a reply does not closely follow the corresponding request,
 it might not be parsable.
-.Ss KIP AppleTalk (DDP in UDP)
-AppleTalk DDP packets encapsulated in UDP datagrams
-are de-encapsulated and dumped as DDP packets
-.Pq i.e., all the UDP header information is discarded .
-The file
-.Pa /etc/atalk.names
-is used to translate AppleTalk net and node numbers to names.
-Lines in this file have the form
-.Bl -column "number" "name" -offset indent
-.It Sy "number" Ta Ta Sy "name"
-.It "1.254" Ta Ta "ether"
-.It "16.1" Ta Ta "icsd-net"
-.It "1.254.110" Ta Ta "ace"
-.El
-.Pp
-The first two lines give the names of AppleTalk networks.
-The third line gives the name of a particular host
-(a host is distinguished from a net by the 3rd octet in the number;
-a net number
-.Em must
-have two octets and a host number
-.Em must
-have three octets).
-The number and name should be separated by whitespace (blanks or tabs).
-The
-.Pa /etc/atalk.names
-file may contain blank lines or comment lines
-(lines starting with a
-.Ql # ) .
-.Pp
-AppleTalk addresses are printed in the form
-.Pp
-.D1 Ar net . Ns Ar host . Ns Ar port
-.Pp
-For example:
-.Bd -unfilled -offset indent
-144.1.209.2 > icsd-net.112.220
-office.2 > icsd-net.112.220
-jssmag.149.235 > icsd-net.2
-.Ed
-.Pp
-If
-.Pa /etc/atalk.names
-doesn't exist or doesn't contain an entry for some AppleTalk
-host/net number, addresses are printed in numeric form.
-In the first example, NBP
-.Pq DDP port 2
-on net 144.1 node 209
-is sending to whatever is listening on port 220 of net icsd-net node 112.
-The second line is the same except the full name of the source node is known
-.Pq Dq office .
-The third line is a send from port 235 on
-net jssmag node 149 to broadcast on the icsd-net NBP port.
-The broadcast address
-.Pq 255
-is indicated by a net name with no host number;
-for this reason it is a good idea to keep node names and net names distinct in
-.Pa /etc/atalk.names .
-.Pp
-NBP
-.Pq name binding protocol
-and ATP
-.Pq AppleTalk transaction protocol
-packets have their contents interpreted.
-Other protocols just dump the protocol name
-.Po
-or number if no name is registered for the protocol
-.Pc
-and packet size.
-.Pp
-NBP packets are formatted like the following examples:
-.Bd -unfilled
-icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
-jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
-techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
-.Ed
-.Pp
-The first line is a name lookup request for laserwriters sent by
-net icsdi-net host
-112 and broadcast on net jssmag.
-The nbp ID for the lookup is 190.
-The second line shows a reply for this request
-.Pq note that it has the same ID
-from host jssmag.209 saying that it has a laserwriter
-resource named RM1140 registered on port 250.
-The third line is another reply to the same request
-saying host techpit has laserwriter techpit registered on port 186.
-.Pp
-ATP packet formatting is demonstrated by the following example:
-.Bd -unfilled -offset 

Re: tcpdump: drop atalk support

2017-05-28 Thread Ted Unangst
Theo de Raadt wrote:
> I'm not sure the direction this goes.
> 
> Today atalk, and over the next month delete 20 protocols, then anything
> before ARP?
> 
> What's the plan here.  This code is heavily privsep, pledge, etc.  Is
> there a problem with it?
> 
> If such a packet showed up on a network I'd prefer it is *identified*
> in some minimal way, rather than a set of HEX digits that I have to
> google for to do that myself.  It seems this code provides exactly
> that service.

so if it shortens the man page, that's a plus. maybe we can just trim some of
the example. it seems a little verbose for something rarely used.


> 
> > Remove atalk support. Significantly shortens the manpage. libpcap still
> > supports it. This diff doesn't include the removal of two files:
> > appletalk.h and print-atalk.c.



Re: tcpdump: drop atalk support

2017-05-28 Thread Theo de Raadt
I'm not sure the direction this goes.

Today atalk, and over the next month delete 20 protocols, then anything
before ARP?

What's the plan here.  This code is heavily privsep, pledge, etc.  Is
there a problem with it?

If such a packet showed up on a network I'd prefer it is *identified*
in some minimal way, rather than a set of HEX digits that I have to
google for to do that myself.  It seems this code provides exactly
that service.

> Remove atalk support. Significantly shortens the manpage. libpcap still
> supports it. This diff doesn't include the removal of two files:
> appletalk.h and print-atalk.c.
> 
> Index: usr.sbin/tcpdump/INSTALL
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/INSTALL,v
> retrieving revision 1.6
> diff -u -p -r1.6 INSTALL
> --- usr.sbin/tcpdump/INSTALL  5 Dec 2015 21:43:51 -   1.6
> +++ usr.sbin/tcpdump/INSTALL  28 May 2017 13:46:58 -
> @@ -8,7 +8,6 @@ README- description of distribution
>  VERSION  - version of this release
>  addrtoname.c - address to hostname routines
>  addrtoname.h - address to hostname definitions
> -appletalk.h  - AppleTalk definitions
>  atime.awk- TCP ack awk script
>  bootp.h  - BOOTP definitions
>  bpf_dump.c   - bpf instruction pretty-printer routine
> @@ -35,7 +34,6 @@ ospf.h  - Open Shortest Path First defin
>  packetdat.awk- TCP chunk summary awk script
>  parsenfsfh.c - Network File System file parser routines
>  print-arp.c  - Address Resolution Protocol printer routines
> -print-atalk.c- AppleTalk printer routines
>  print-atm.c  - atm printer routines
>  print-bootp.c- BOOTP printer routines
>  print-cnfp.c - Cisco NetFlow printer routines
> Index: usr.sbin/tcpdump/Makefile
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/Makefile,v
> retrieving revision 1.61
> diff -u -p -r1.61 Makefile
> --- usr.sbin/tcpdump/Makefile 18 Nov 2016 17:37:03 -  1.61
> +++ usr.sbin/tcpdump/Makefile 28 May 2017 13:46:58 -
> @@ -35,7 +35,7 @@ DPADD+= ${LIBL} ${LIBPCAP} ${LIBCRYPTO}
>  
>  SRCS=tcpdump.c addrtoname.c privsep.c privsep_fdpass.c 
> privsep_pcap.c \
>   print-ether.c print-ip.c print-arp.c print-tcp.c print-udp.c \
> - print-atalk.c print-domain.c print-tftp.c print-bootp.c print-nfs.c \
> + print-domain.c print-tftp.c print-bootp.c print-nfs.c \
>   print-icmp.c print-sl.c print-ppp.c print-rip.c print-timed.c \
>   print-snmp.c print-ntp.c print-null.c print-ospf.c print-gtp.c \
>   print-fddi.c print-llc.c print-sunrpc.c print-hsrp.c print-vqp.c \
> Index: usr.sbin/tcpdump/ethertype.h
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/ethertype.h,v
> retrieving revision 1.14
> diff -u -p -r1.14 ethertype.h
> --- usr.sbin/tcpdump/ethertype.h  5 Dec 2008 01:25:24 -   1.14
> +++ usr.sbin/tcpdump/ethertype.h  28 May 2017 13:46:58 -
> @@ -93,12 +93,6 @@
>  #ifndef ETHERTYPE_VPROD
>  #define ETHERTYPE_VPROD  0x805c
>  #endif
> -#ifndef ETHERTYPE_ATALK
> -#define ETHERTYPE_ATALK  0x809b
> -#endif
> -#ifndef ETHERTYPE_AARP
> -#define ETHERTYPE_AARP   0x80f3
> -#endif
>  #ifndef ETHERTYPE_8021Q
>  #define ETHERTYPE_8021Q  0x8100
>  #endif
> Index: usr.sbin/tcpdump/interface.h
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
> retrieving revision 1.69
> diff -u -p -r1.69 interface.h
> --- usr.sbin/tcpdump/interface.h  16 Nov 2016 13:47:27 -  1.69
> +++ usr.sbin/tcpdump/interface.h  28 May 2017 13:46:58 -
> @@ -183,10 +183,7 @@ extern int ether_encap_print(u_short, co
>  extern int llc_print(const u_char *, u_int, u_int, const u_char *,
>   const u_char *);
>  extern int pppoe_if_print(u_short, const u_char *, u_int, u_int);
> -extern void aarp_print(const u_char *, u_int);
>  extern void arp_print(const u_char *, u_int, u_int);
> -extern void atalk_print(const u_char *, u_int);
> -extern void atalk_print_llap(const u_char *, u_int);
>  extern void atm_if_print(u_char *, const struct pcap_pkthdr *, const u_char 
> *);
>  extern void bootp_print(const u_char *, u_int, u_short, u_short);
>  extern void bgp_print(const u_char *, int);
> Index: usr.sbin/tcpdump/print-ether.c
> ===
> RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
> retrieving revision 1.31
> diff -u -p -r1.31 print-ether.c
> --- usr.sbin/tcpdump/print-ether.c11 Jul 2016 00:27:50 -  1.31
> +++ usr.sbin/tcpdump/print-ether.c28 May 2017 13:46:58 -
> @@ -206,16 +206,6 @@ recurse:
>   decnet_print(p, length, caplen);
>   return (1);
>  
> - case ETHERTYPE_ATALK:
> - if (vflag)
> - fp

Re: tcpdump: drop atalk support

2017-05-28 Thread Henning Brauer
* Michal Mazurek  [2017-05-28 16:00]:
> Remove atalk support. Significantly shortens the manpage. libpcap still
> supports it. This diff doesn't include the removal of two files:
> appletalk.h and print-atalk.c.

afaict atalk is so dead that the corpse is way beyond the point of
smelling - so yeah, imo it is time to let that go.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



tcpdump: drop atalk support

2017-05-28 Thread Michal Mazurek
Remove atalk support. Significantly shortens the manpage. libpcap still
supports it. This diff doesn't include the removal of two files:
appletalk.h and print-atalk.c.

Index: usr.sbin/tcpdump/INSTALL
===
RCS file: /cvs/src/usr.sbin/tcpdump/INSTALL,v
retrieving revision 1.6
diff -u -p -r1.6 INSTALL
--- usr.sbin/tcpdump/INSTALL5 Dec 2015 21:43:51 -   1.6
+++ usr.sbin/tcpdump/INSTALL28 May 2017 13:46:58 -
@@ -8,7 +8,6 @@ README  - description of distribution
 VERSION- version of this release
 addrtoname.c   - address to hostname routines
 addrtoname.h   - address to hostname definitions
-appletalk.h- AppleTalk definitions
 atime.awk  - TCP ack awk script
 bootp.h- BOOTP definitions
 bpf_dump.c - bpf instruction pretty-printer routine
@@ -35,7 +34,6 @@ ospf.h- Open Shortest Path First defin
 packetdat.awk  - TCP chunk summary awk script
 parsenfsfh.c   - Network File System file parser routines
 print-arp.c- Address Resolution Protocol printer routines
-print-atalk.c  - AppleTalk printer routines
 print-atm.c- atm printer routines
 print-bootp.c  - BOOTP printer routines
 print-cnfp.c   - Cisco NetFlow printer routines
Index: usr.sbin/tcpdump/Makefile
===
RCS file: /cvs/src/usr.sbin/tcpdump/Makefile,v
retrieving revision 1.61
diff -u -p -r1.61 Makefile
--- usr.sbin/tcpdump/Makefile   18 Nov 2016 17:37:03 -  1.61
+++ usr.sbin/tcpdump/Makefile   28 May 2017 13:46:58 -
@@ -35,7 +35,7 @@ DPADD+=   ${LIBL} ${LIBPCAP} ${LIBCRYPTO}
 
 SRCS=  tcpdump.c addrtoname.c privsep.c privsep_fdpass.c privsep_pcap.c \
print-ether.c print-ip.c print-arp.c print-tcp.c print-udp.c \
-   print-atalk.c print-domain.c print-tftp.c print-bootp.c print-nfs.c \
+   print-domain.c print-tftp.c print-bootp.c print-nfs.c \
print-icmp.c print-sl.c print-ppp.c print-rip.c print-timed.c \
print-snmp.c print-ntp.c print-null.c print-ospf.c print-gtp.c \
print-fddi.c print-llc.c print-sunrpc.c print-hsrp.c print-vqp.c \
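Review bot: Dropping `print-atalk.c` from `SRCS` removes the only caller shown on this page of `priv_getlines(FTAB_APPLETALK)`, and nothing visible in this patch retires the matching privileged-side entry. Revision 1.31 of that file used the call to read `/etc/appletalk.names`, and that request is presumably served by `privsep.c`, which stays in `SRCS`. If the `FTAB_APPLETALK` slot is not removed elsewhere in this diff (the patch continues outside the visible part), the privileged process keeps a file it will open on request with no remaining consumer. I would remove that table entry and its constant in the same commit, so the set of files the privileged side will open shrinks together with the feature.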
Index: usr.sbin/tcpdump/ethertype.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/ethertype.h,v
retrieving revision 1.14
diff -u -p -r1.14 ethertype.h
--- usr.sbin/tcpdump/ethertype.h5 Dec 2008 01:25:24 -   1.14
+++ usr.sbin/tcpdump/ethertype.h28 May 2017 13:46:58 -
@@ -93,12 +93,6 @@
 #ifndef ETHERTYPE_VPROD
 #define ETHERTYPE_VPROD0x805c
 #endif
-#ifndef ETHERTYPE_ATALK
-#define ETHERTYPE_ATALK0x809b
-#endif
-#ifndef ETHERTYPE_AARP
-#define ETHERTYPE_AARP 0x80f3
-#endif
 #ifndef ETHERTYPE_8021Q
 #define ETHERTYPE_8021Q0x8100
 #endif
Index: usr.sbin/tcpdump/interface.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
retrieving revision 1.69
diff -u -p -r1.69 interface.h
--- usr.sbin/tcpdump/interface.h16 Nov 2016 13:47:27 -  1.69
+++ usr.sbin/tcpdump/interface.h28 May 2017 13:46:58 -
@@ -183,10 +183,7 @@ extern int ether_encap_print(u_short, co
 extern int llc_print(const u_char *, u_int, u_int, const u_char *,
const u_char *);
 extern int pppoe_if_print(u_short, const u_char *, u_int, u_int);
-extern void aarp_print(const u_char *, u_int);
 extern void arp_print(const u_char *, u_int, u_int);
-extern void atalk_print(const u_char *, u_int);
-extern void atalk_print_llap(const u_char *, u_int);
 extern void atm_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
 extern void bootp_print(const u_char *, u_int, u_short, u_short);
 extern void bgp_print(const u_char *, int);
Index: usr.sbin/tcpdump/print-ether.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
retrieving revision 1.31
diff -u -p -r1.31 print-ether.c
--- usr.sbin/tcpdump/print-ether.c  11 Jul 2016 00:27:50 -  1.31
+++ usr.sbin/tcpdump/print-ether.c  28 May 2017 13:46:58 -
@@ -206,16 +206,6 @@ recurse:
decnet_print(p, length, caplen);
return (1);
 
-   case ETHERTYPE_ATALK:
-   if (vflag)
-   fputs("et1 ", stdout);
-   atalk_print_llap(p, length);
-   return (1);
-
-   case ETHERTYPE_AARP:
-   aarp_print(p, length);
-   return (1);
-
case ETHERTYPE_8021Q:
printf("802.1Q ");
case ETHERTYPE_QINQ:
Index: usr.sbin/tcpdump/print-llc.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-llc.c,v
retrieving revision 1.20
diff -u -p -r1.20 print-llc.c
--- usr.sbin/tcpdump/print-llc.c16 Nov 2015 00:16:39 -  1.20
+++ usr.sbin/tcpdump/p