diff options
-rw-r--r-- | plugins-root/check_dhcp.c | 44 |
1 files changed, 34 insertions, 10 deletions
diff --git a/plugins-root/check_dhcp.c b/plugins-root/check_dhcp.c index 0ddace5b..8b8bb985 100644 --- a/plugins-root/check_dhcp.c +++ b/plugins-root/check_dhcp.c | |||
@@ -150,6 +150,7 @@ typedef struct dhcp_offer_struct{ | |||
150 | uint32_t lease_time; /* lease time in seconds */ | 150 | uint32_t lease_time; /* lease time in seconds */ |
151 | uint32_t renewal_time; /* renewal time in seconds */ | 151 | uint32_t renewal_time; /* renewal time in seconds */ |
152 | uint32_t rebinding_time; /* rebinding time in seconds */ | 152 | uint32_t rebinding_time; /* rebinding time in seconds */ |
153 | u_int8_t desired; /* is this offer desired (necessary in exclusive mode) */ | ||
153 | struct dhcp_offer_struct *next; | 154 | struct dhcp_offer_struct *next; |
154 | }dhcp_offer; | 155 | }dhcp_offer; |
155 | 156 | ||
@@ -193,6 +194,7 @@ typedef struct requested_server_struct{ | |||
193 | #define ETHERNET_HARDWARE_ADDRESS_LENGTH 6 /* length of Ethernet hardware addresses */ | 194 | #define ETHERNET_HARDWARE_ADDRESS_LENGTH 6 /* length of Ethernet hardware addresses */ |
194 | 195 | ||
195 | uint8_t unicast = 0; /* unicast mode: mimic a DHCP relay */ | 196 | uint8_t unicast = 0; /* unicast mode: mimic a DHCP relay */ |
197 | u_int8_t exclusive = 0; /* exclusive mode aka "rogue DHCP server detection" */ | ||
196 | struct in_addr my_ip; /* our address (required for relay) */ | 198 | struct in_addr my_ip; /* our address (required for relay) */ |
197 | struct in_addr dhcp_ip; /* server to query (if in unicast mode) */ | 199 | struct in_addr dhcp_ip; /* server to query (if in unicast mode) */ |
198 | unsigned char client_hardware_address[MAX_DHCP_CHADDR_LENGTH]=""; | 200 | unsigned char client_hardware_address[MAX_DHCP_CHADDR_LENGTH]=""; |
@@ -894,6 +896,7 @@ int add_dhcp_offer(struct in_addr source,dhcp_packet *offer_packet){ | |||
894 | new_offer->lease_time=dhcp_lease_time; | 896 | new_offer->lease_time=dhcp_lease_time; |
895 | new_offer->renewal_time=dhcp_renewal_time; | 897 | new_offer->renewal_time=dhcp_renewal_time; |
896 | new_offer->rebinding_time=dhcp_rebinding_time; | 898 | new_offer->rebinding_time=dhcp_rebinding_time; |
899 | new_offer->desired=FALSE; /* exclusive mode: we'll check that in get_results */ | ||
897 | 900 | ||
898 | 901 | ||
899 | if(verbose){ | 902 | if(verbose){ |
@@ -939,7 +942,7 @@ int free_requested_server_list(void){ | |||
939 | 942 | ||
940 | /* gets state and plugin output to return */ | 943 | /* gets state and plugin output to return */ |
941 | int get_results(void){ | 944 | int get_results(void){ |
942 | dhcp_offer *temp_offer; | 945 | dhcp_offer *temp_offer, *undesired_offer=NULL; |
943 | requested_server *temp_server; | 946 | requested_server *temp_server; |
944 | int result; | 947 | int result; |
945 | uint32_t max_lease_time=0; | 948 | uint32_t max_lease_time=0; |
@@ -979,6 +982,13 @@ int get_results(void){ | |||
979 | } | 982 | } |
980 | } | 983 | } |
981 | 984 | ||
985 | /* exclusive mode: check for undesired offers */ | ||
986 | for(temp_offer=dhcp_offer_list;temp_offer!=NULL;temp_offer=temp_offer->next) { | ||
987 | if (temp_offer->desired == FALSE) { | ||
988 | undesired_offer=temp_offer; /* Checks only for the first undesired offer */ | ||
989 | break; /* no further checks needed */ | ||
990 | } | ||
991 | } | ||
982 | } | 992 | } |
983 | 993 | ||
984 | /* else check and see if we got our requested address from any server */ | 994 | /* else check and see if we got our requested address from any server */ |
@@ -1006,6 +1016,9 @@ int get_results(void){ | |||
1006 | else if(request_specific_address && !received_requested_address) | 1016 | else if(request_specific_address && !received_requested_address) |
1007 | result=STATE_WARNING; | 1017 | result=STATE_WARNING; |
1008 | 1018 | ||
1019 | if(exclusive && undesired_offer) | ||
1020 | result=STATE_CRITICAL; | ||
1021 | |||
1009 | if(result==0) /* garrett honeycutt 2005 */ | 1022 | if(result==0) /* garrett honeycutt 2005 */ |
1010 | printf("OK: "); | 1023 | printf("OK: "); |
1011 | else if(result==1) | 1024 | else if(result==1) |
@@ -1023,6 +1036,13 @@ int get_results(void){ | |||
1023 | 1036 | ||
1024 | printf(_("Received %d DHCPOFFER(s)"),valid_responses); | 1037 | printf(_("Received %d DHCPOFFER(s)"),valid_responses); |
1025 | 1038 | ||
1039 | |||
1040 | if(exclusive && undesired_offer){ | ||
1041 | printf(_(", Rogue DHCP Server detected! Server %s"),inet_ntoa(undesired_offer->server_address)); | ||
1042 | printf(_(" offered %s \n"),inet_ntoa(undesired_offer->offered_address)); | ||
1043 | return result; | ||
1044 | } | ||
1045 | |||
1026 | if(requested_servers>0) | 1046 | if(requested_servers>0) |
1027 | printf(_(", %s%d of %d requested servers responded"),((requested_responses<requested_servers) && requested_responses>0)?"only ":"",requested_responses,requested_servers); | 1047 | printf(_(", %s%d of %d requested servers responded"),((requested_responses<requested_servers) && requested_responses>0)?"only ":"",requested_responses,requested_servers); |
1028 | 1048 | ||
@@ -1065,16 +1085,16 @@ int call_getopt(int argc, char **argv){ | |||
1065 | {"interface", required_argument,0,'i'}, | 1085 | {"interface", required_argument,0,'i'}, |
1066 | {"mac", required_argument,0,'m'}, | 1086 | {"mac", required_argument,0,'m'}, |
1067 | {"unicast", no_argument, 0,'u'}, | 1087 | {"unicast", no_argument, 0,'u'}, |
1088 | {"exclusive", no_argument, 0,'x'}, | ||
1068 | {"verbose", no_argument, 0,'v'}, | 1089 | {"verbose", no_argument, 0,'v'}, |
1069 | {"version", no_argument, 0,'V'}, | 1090 | {"version", no_argument, 0,'V'}, |
1070 | {"help", no_argument, 0,'h'}, | 1091 | {"help", no_argument, 0,'h'}, |
1071 | {0,0,0,0} | 1092 | {0,0,0,0} |
1072 | }; | 1093 | }; |
1073 | 1094 | ||
1095 | int c=0; | ||
1074 | while(1){ | 1096 | while(1){ |
1075 | int c=0; | 1097 | c=getopt_long(argc,argv,"+hVvxt:s:r:t:i:m:u",long_options,&option_index); |
1076 | |||
1077 | c=getopt_long(argc,argv,"+hVvt:s:r:t:i:m:u",long_options,&option_index); | ||
1078 | 1098 | ||
1079 | if(c==-1||c==EOF||c==1) | 1099 | if(c==-1||c==EOF||c==1) |
1080 | break; | 1100 | break; |
@@ -1120,9 +1140,12 @@ int call_getopt(int argc, char **argv){ | |||
1120 | 1140 | ||
1121 | break; | 1141 | break; |
1122 | 1142 | ||
1123 | case 'u': /* unicast testing */ | 1143 | case 'u': /* unicast testing */ |
1124 | unicast=1; | 1144 | unicast=1; |
1125 | break; | 1145 | break; |
1146 | case 'x': /* exclusive testing aka "rogue DHCP server detection" */ | ||
1147 | exclusive=1; | ||
1148 | break; | ||
1126 | 1149 | ||
1127 | case 'V': /* version */ | 1150 | case 'V': /* version */ |
1128 | print_revision(progname, NP_VERSION); | 1151 | print_revision(progname, NP_VERSION); |
@@ -1135,7 +1158,6 @@ int call_getopt(int argc, char **argv){ | |||
1135 | case 'v': /* verbose */ | 1158 | case 'v': /* verbose */ |
1136 | verbose=1; | 1159 | verbose=1; |
1137 | break; | 1160 | break; |
1138 | |||
1139 | case '?': /* help */ | 1161 | case '?': /* help */ |
1140 | usage5 (); | 1162 | usage5 (); |
1141 | break; | 1163 | break; |
@@ -1372,6 +1394,8 @@ void print_help(void){ | |||
1372 | printf (" %s\n", _("MAC address to use in the DHCP request")); | 1394 | printf (" %s\n", _("MAC address to use in the DHCP request")); |
1373 | printf (" %s\n", "-u, --unicast"); | 1395 | printf (" %s\n", "-u, --unicast"); |
1374 | printf (" %s\n", _("Unicast testing: mimic a DHCP relay, requires -s")); | 1396 | printf (" %s\n", _("Unicast testing: mimic a DHCP relay, requires -s")); |
1397 | printf (" %s\n", "-x, --exclusive"); | ||
1398 | printf (" %s\n", _("Only requested DHCP server may response (rogue DHCP server detection), requires -s")); | ||
1375 | 1399 | ||
1376 | printf (UT_SUPPORT); | 1400 | printf (UT_SUPPORT); |
1377 | return; | 1401 | return; |
@@ -1382,8 +1406,8 @@ void | |||
1382 | print_usage(void){ | 1406 | print_usage(void){ |
1383 | 1407 | ||
1384 | printf ("%s\n", _("Usage:")); | 1408 | printf ("%s\n", _("Usage:")); |
1385 | printf (" %s [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]\n",progname); | 1409 | printf (" %s [-v] [-u] [-x] [-s serverip] [-r requestedip] [-t timeout]\n",progname); |
1386 | printf (" [-i interface] [-m mac]\n"); | 1410 | printf (" [-i interface] [-m mac]\n"); |
1387 | 1411 | ||
1388 | return; | 1412 | return; |
1389 | } | 1413 | } |