commit 1229ef93b92abd28420162846c3bc3e042ac9272
tree a1e8b2baa1af0428a2ca90dd38bf30639e2bec29
parent f29f18423e444d680508ee208dfb1c42e1cd02b6
author Engels Antonio <engels@kalasag.org> 1782530396 +0800
committer Engels Antonio <engels@kalasag.org> 1782532366 +0800
Modernize project: fix type safety, harden build, clean dead code, split systemd service
Code fixes:
- Use socklen_t for accept()/recvfrom() address length (POSIX required)
- Fix strncat bounds on BLOCKED_FILE extension
- Handle unused write() and chdir() return values
- Fix signedness comparisons in advanced stealth mode
- Change int loop counters to size_t for strlen() comparisons
- Cast away unused BindSocket() client parameter
Dead code removal:
- Remove -DDEBIAN (defined but never checked)
- Remove glibc-specific <features.h>; add portable __BEGIN_DECLS fallback
- Remove NeXTSTEP #ifdef and HAS_NO_SNPRINTF fallback
- Remove libc5-era _LINUX_C_LIB_VERSION workaround
- Remove duplicate IPMAXBUF define from kalasag_util.h
Build system:
- Split CFLAGS into BASE_CFLAGS, LINUX_CFLAGS, BSD_CFLAGS per platform
- Remove -w suppression; add -Wextra -Werror for strict compilation
- Add -flto, -Wl,-z,noexecstack hardening
- Remove C++-only flags (-D_GLIBCXX_ASSERTIONS, -fexceptions,
-fasynchronous-unwind-tables) and redundant -fstack-protector
Systemd service:
- Replace single kalasag.service (Type=oneshot, two ExecStart lines)
with kalasag-tcp.service and kalasag-udp.service
- Use Type=forking (matching DaemonSeed() double-fork pattern)
- Add Restart=always for crash recovery
- Add PID file creation in DaemonSeed() and cleanup in Exit()
- Add PIDFile= to both service files for reliable process tracking
diff --git a/Makefile b/Makefile
index abf7634..cd989e0 100644
--- a/Makefile
+++ b/Makefile
@@ -22,16 +22,26 @@ CC = cc
# GNU..
#CC = gcc
-# Normal systems flags
-CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -Wall -w -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fasynchronous-unwind-tables -fexceptions -fpie -Wl,-pie -fstack-clash-protection -fstack-protector -fstack-protector-strong -fcf-protection -pipe -Werror=format-security -Werror=implicit-function-declaration -Wl,-z,defs -Wl,-z,now -Wl,-z,relro
+# Base flags (portable across all platforms)
+BASE_CFLAGS = -O3 -Wall -Wextra -pipe -flto
+
+# Linux hardening flags (GCC/Linux specific)
+LINUX_CFLAGS = -funroll-loops -fomit-frame-pointer $(BASE_CFLAGS) \
+ -D_FORTIFY_SOURCE=2 -fpie -Wl,-pie -fstack-clash-protection \
+ -fstack-protector-strong -fcf-protection \
+ -Werror=format-security -Werror=implicit-function-declaration \
+ -Wl,-z,defs -Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack
+
+# BSD/macOS hardening flags (compatible with clang and BSD linkers)
+BSD_CFLAGS = $(BASE_CFLAGS) -fPIE -Wl,-pie -fstack-protector-strong
# Debug mode for kalasag
-#CFLAGS = -Wall -g -DNODAEMON -DDEBUG
-#CFLAGS = -Wall -g -DNODAEMON
-#CFLAGS = -Wall -g -DDEBUG
+#BASE_CFLAGS = -Wall -g -DNODAEMON -DDEBUG
+#BASE_CFLAGS = -Wall -g -DNODAEMON
+#BASE_CFLAGS = -Wall -g -DDEBUG
# Profiler mode for kalasag
-#CFLAGS = -pg -O -Wall -DNODAEMON
+#BASE_CFLAGS = -pg -O -Wall -DNODAEMON
#LIBS = /usr/lib/libefence.a
INSTALLDIR = /opt
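Review bot: `BASE_CFLAGS` adds `-Wextra` but no `-Werror`, although the commit message lists `-Werror` among the added flags; only `-Werror=format-security` and `-Werror=implicit-function-declaration` remain, and only in `LINUX_CFLAGS`. If strict compilation is intended, `BASE_CFLAGS = -O3 -Wall -Wextra -Werror -pipe -flto` would match the description. `BSD_CFLAGS` also leaves out `-D_FORTIFY_SOURCE=2`, which the single `CFLAGS` previously passed to every target; where the BSD/macOS toolchain supports it, keeping it there preserves the fortified libc checks. The commented debug alternatives replace `BASE_CFLAGS` without any `-O` level, so `-D_FORTIFY_SOURCE=2` in `LINUX_CFLAGS` has no effect in those builds, and a comment next to them saying so would help.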
@@ -61,7 +71,13 @@ clean:
/bin/rm ./kalasag
uninstall:
- @if [ -f /usr/lib/systemd/system/kalasag.service ]; then systemctl stop kalasag.service; systemctl disable kalasag.service; rm -f /usr/lib/systemd/system/kalasag.service; fi
+ @for svc in kalasag-tcp kalasag-udp; do \
+ if [ -f /usr/lib/systemd/system/$$svc.service ]; then \
+ systemctl stop $$svc.service; \
+ systemctl disable $$svc.service; \
+ rm -f /usr/lib/systemd/system/$$svc.service; \
+ fi; \
+ done
@if [ -d $(INSTALLDIR)$(CHILDDIR) ]; then rm -rf $(INSTALLDIR)$(CHILDDIR)/*; fi
install:
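Review bot: The new loop handles only `kalasag-tcp` and `kalasag-udp`, so a host that installed the previous version keeps `/usr/lib/systemd/system/kalasag.service` in place and enabled; after an upgrade that oneshot unit would start the same `-atcp` and `-sudp` daemons alongside the new units. Adding the old name to the list, `for svc in kalasag kalasag-tcp kalasag-udp; do \`, covers it, and the install hunk below needs the same cleanup before it enables the new units. A `systemctl daemon-reload` after the `done` line makes systemd forget the removed unit files. The unchanged `rm -rf $(INSTALLDIR)$(CHILDDIR)/*` line expands to `rm -rf /*` if both variables are ever empty, because `[ -d ]` with no operand is true; a guard such as `$(if $(strip $(INSTALLDIR)$(CHILDDIR)),,$(error install path is empty))` would prevent that.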
@@ -70,69 +86,74 @@ install:
@cp ./kalasag.conf $(INSTALLDIR)$(CHILDDIR)
@cp ./kalasag.ignore $(INSTALLDIR)$(CHILDDIR)
@cp ./kalasag $(INSTALLDIR)$(CHILDDIR)
- @if [ -d /usr/lib/systemd/system ]; then cp ./kalasag.service /usr/lib/systemd/system/; systemctl enable kalasag.service; fi
+ @if [ -d /usr/lib/systemd/system ]; then \
+ cp ./kalasag-tcp.service /usr/lib/systemd/system/; \
+ cp ./kalasag-udp.service /usr/lib/systemd/system/; \
+ systemctl enable kalasag-tcp.service; \
+ systemctl enable kalasag-udp.service; \
+ fi
@chmod 600 $(INSTALLDIR)$(CHILDDIR)/kalasag.ignore
@chmod 600 $(INSTALLDIR)$(CHILDDIR)/kalasag.conf
@chmod 700 $(INSTALLDIR)$(CHILDDIR)/kalasag
@echo ""
- @echo 'Issue "systemctl restart kalasag.service" after editing $(INSTALLDIR)$(CHILDDIR)/kalasag.conf.'
+ @echo 'Issue "systemctl start kalasag-tcp kalasag-udp" after editing $(INSTALLDIR)$(CHILDDIR)/kalasag.conf.'
@echo ""
linux:
SYSTYPE=linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
linux-x86_64:
SYSTYPE=linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -m64 -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -m64 -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
debian-linux:
SYSTYPE=debian-linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
bsd:
SYSTYPE=bsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
openbsd:
SYSTYPE=openbsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
freebsd:
SYSTYPE=freebsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
osx:
SYSTYPE=osx
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
netbsd:
SYSTYPE=netbsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
bsdi:
SYSTYPE=bsdi
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
generic:
SYSTYPE=generic
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
hpux:
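Review bot: The commands inside the new `if` block are joined with `;`, so a failed `cp` of either unit file is ignored and `systemctl enable` still runs; the recipe's exit status is only that of the last command. Joining them with `&&`, for example `cp ./kalasag-tcp.service ./kalasag-udp.service /usr/lib/systemd/system/ && \` followed by `systemctl enable kalasag-tcp.service kalasag-udp.service; \`, makes a partial install fail visibly. The closing message tells the user to run `systemctl start` after editing the configuration, but on a host where the services are already running an edit only takes effect after `systemctl restart kalasag-tcp kalasag-udp`. The build targets further down keep `SYSTYPE=...` on its own recipe line, which runs in a separate shell and never reaches the `$(SYSTYPE)` in the `echo`; that is existing behaviour the hunk leaves in place.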
@@ -144,7 +165,7 @@ hpux:
hpux-gcc:
SYSTYPE=hpux-gcc
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DHPUX -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -DHPUX -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
solaris:
@@ -156,19 +177,19 @@ solaris:
aix:
SYSTYPE=aix
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
osf:
SYSTYPE=osf
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -taso -ldb -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -taso -ldb -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
irix:
SYSTYPE=irix
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -O -n32 -mips3 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -O -n32 -mips3 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
# NeXTSTEP Users. NeXT used to work, but we changed the log function and
diff --git a/kalasag.service b/kalasag-tcp.service
similarity index 57%
rename from kalasag.service
rename to kalasag-tcp.service
index 1d6715b..c6a0a4d 100644
--- a/kalasag.service
+++ b/kalasag-tcp.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Kalasag
+Description=Kalasag Port Scan Detector (TCP)
After=syslog.target network.target auditd.service
[Service]
-Type=oneshot
-RemainAfterExit=yes
+Type=forking
+PIDFile=/var/run/kalasag-atcp.pid
ExecStart=/opt/kalasag/kalasag -atcp
-ExecStart=/opt/kalasag/kalasag -sudp
+Restart=always
[Install]
WantedBy=multi-user.target
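Review bot: `PIDFile=/var/run/kalasag-atcp.pid` only works as long as the daemon writes exactly that name, which `DaemonSeed()` builds from the detection type at run time; if the two ever disagree, systemd would wait for a file that never appears and, with `Restart=always`, keep retrying the start. A comment in the unit tying the path to the `-atcp` argument would make that coupling visible, and `kalasag-udp.service` needs the same for `-sudp`. Current systemd versions also warn about PID files under the legacy `/var/run` directory; `PIDFile=/run/kalasag-atcp.pid`, with the matching path in `DaemonSeed()`, avoids that. `Restart=always` is set without `RestartSec=`, so a daemon that fails at start-up is retried at the default interval until the start limit is reached.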
diff --git a/kalasag-udp.service b/kalasag-udp.service
new file mode 100644
index 0000000..3e47ccc
--- /dev/null
+++ b/kalasag-udp.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Kalasag Port Scan Detector (UDP)
+After=syslog.target network.target auditd.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/kalasag-sudp.pid
+ExecStart=/opt/kalasag/kalasag -sudp
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
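Review bot: The new unit runs the detector as root with no sandboxing directives, and the same is true of `kalasag-tcp.service`. For a daemon that reads traffic from untrusted hosts, options such as `NoNewPrivileges=yes`, `ProtectHome=yes` and `PrivateTmp=yes` limit what a memory-safety bug can reach; which of them are compatible depends on the response commands the daemon is configured to run, which this diff does not show. `syslog.target` in `After=` is obsolete on current systemd and can be dropped.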
diff --git a/kalasag.c b/kalasag.c
index 2145b43..a40ae09 100644
--- a/kalasag.c
+++ b/kalasag.c
@@ -65,7 +65,7 @@ int main(int argc, char *argv[])
Exit(ERROR);
}
#ifndef NODAEMON
- else if (DaemonSeed() == ERROR) {
+ else if (DaemonSeed(gblDetectionType) == ERROR) {
Log("adminalert: ERROR: could not go into daemon mode. Shutting down.\n");
printf
("ERROR: could not go into daemon mode. Shutting down.\n");
@@ -181,8 +181,10 @@ int InitConfig(void)
if ((ConfigTokenRetrieve("BLOCKED_FILE", gblBlockedFile)) == TRUE) {
if (strlen(gblBlockedFile) < MAXBUF - 5) {
- strncat(gblBlockedFile, ".", 1);
- strncat(gblBlockedFile, gblDetectionType, 4);
+ size_t len = strlen(gblBlockedFile);
+ gblBlockedFile[len] = '.';
+ SafeStrncpy(gblBlockedFile + len + 1, gblDetectionType,
+ MAXBUF - len - 1);
} else {
Log("adminalert: ERROR: Blocked filename is too long to append detection type file extension: %s.\n", gblBlockedFile);
return (FALSE);
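Review bot: Writing `'.'` at `gblBlockedFile[len]` overwrites the string's terminator, so the buffer stays a valid string only if `SafeStrncpy()` always terminates what it writes; its definition is outside this diff. The old code appended at most four characters of `gblDetectionType`, which is what the `MAXBUF - 5` guard was sized for, whereas the new call copies the whole string up to the end of the buffer and truncates silently. A single bounded call expresses both steps and always terminates: `snprintf(gblBlockedFile + len, MAXBUF - len, ".%s", gblDetectionType);`. InitConfig's body starts and ends outside the hunk.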
@@ -523,8 +525,8 @@ int KalasagAdvancedStealthModeTCP(void)
if ((tcp.ack != 1) && (tcp.rst != 1)) {
/* check if we should ignore this connection to this port */
for (count = 0; count < portCount; count++) {
- if ((incomingPort == inUsePorts[count])
- || (incomingPort >= advancedPorts)) {
+ if ((incomingPort == (int)inUsePorts[count])
+ || (incomingPort >= (int)advancedPorts)) {
hotPort = FALSE;
break;
} else
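Review bot: The `(int)` casts on `inUsePorts[count]` and `advancedPorts` silence the sign-compare warning without stating why the conversion is safe; the same pair of casts appears in the KalasagAdvancedStealthModeUDP hunk. The declarations are outside the hunk, but if these are unsigned port values, a comment such as `/* ports are <= 65535, so the conversion to int cannot change the value */` documents the assumption. Declaring `incomingPort` with the same unsigned type as the table would remove the need for the casts altogether.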
@@ -816,8 +818,8 @@ int KalasagAdvancedStealthModeUDP(void)
/* check if we should ignore this connection to this port */
for (count = 0; count < portCount; count++) {
- if ((incomingPort == inUsePorts[count])
- || (incomingPort >= advancedPorts)) {
+ if ((incomingPort == (int)inUsePorts[count])
+ || (incomingPort >= (int)advancedPorts)) {
hotPort = FALSE;
break;
} else
@@ -899,7 +901,8 @@ int KalasagModeTCP(void)
{
struct sockaddr_in client, server;
- int length, portCount = 0, ports[MAXSOCKS];
+ socklen_t length;
+ int portCount = 0, ports[MAXSOCKS];
int openSockfd[MAXSOCKS], incomingSockfd, result = TRUE;
int count = 0, scanDetectTrigger = TRUE, showBanner =
FALSE, boundPortCount = 0;
@@ -1015,9 +1018,13 @@ int KalasagModeTCP(void)
if (scanDetectTrigger == TRUE) {
/* show the banner if one was selected */
- if (showBanner == TRUE)
- write(incomingSockfd, bannerBuffer,
- strlen(bannerBuffer));
+ if (showBanner == TRUE) {
+ ssize_t unused
+ __attribute__((unused));
+ unused =
+ write(incomingSockfd, bannerBuffer,
+ strlen(bannerBuffer));
+ }
/* we don't need the bonehead anymore */
close(incomingSockfd);
if (gblResolveHost) { /* Do they want DNS resolution? */
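Review bot: The result of `write()` is stored in `unused` and never examined, so the warning is silenced rather than the return value handled, and a failed or short banner write stays invisible. `__attribute__((unused))` is a GCC/Clang extension, while the Makefile still defaults to `CC = cc` and keeps targets for other compilers; `if (write(incomingSockfd, bannerBuffer, strlen(bannerBuffer)) < 0) { /* peer already gone; nothing to do */ }` is portable and states the intent. Because the peer here is a scanner that may already have reset the connection, it is worth confirming outside this hunk that SIGPIPE is ignored, otherwise this write could terminate the daemon. The `chdir("/")` change in DaemonSeed uses the same discard pattern.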
@@ -1075,7 +1082,8 @@ int KalasagModeTCP(void)
int KalasagModeUDP(void)
{
struct sockaddr_in client, server;
- int length, ports[MAXSOCKS], openSockfd[MAXSOCKS], result = TRUE;
+ socklen_t length;
+ int ports[MAXSOCKS], openSockfd[MAXSOCKS], result = TRUE;
int count = 0, portCount = 0, selectResult = 0, scanDetectTrigger = 0;
int boundPortCount = 0, showBanner = FALSE;
char *temp, target[IPMAXBUF], bannerBuffer[MAXBUF],
diff --git a/kalasag.h b/kalasag.h
index 99abca2..c9671b8 100644
--- a/kalasag.h
+++ b/kalasag.h
@@ -14,11 +14,9 @@
#include <assert.h>
#include <sys/param.h>
#include <sys/types.h>
-#ifndef _LINUX_C_LIB_VERSION
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
-#endif
#include <arpa/inet.h>
#include "kalasag_config.h"
@@ -35,10 +33,6 @@
#define UDPPACKETLEN 68
#endif /* SUPPORT_STEALTH */
-#ifdef NEXT
-#include <ansi.h>
-#endif
-
#define ERROR -1
#define TRUE 1
#define FALSE 0
diff --git a/kalasag_config.h b/kalasag_config.h
index 6d5c418..03d6611 100644
--- a/kalasag_config.h
+++ b/kalasag_config.h
@@ -13,3 +13,5 @@
/* the maximum number of hosts to keep in a "previous connect" state engine*/
#define MAXSTATE 50
+
+
diff --git a/kalasag_io.c b/kalasag_io.c
index f181bc4..e274c93 100644
--- a/kalasag_io.c
+++ b/kalasag_io.c
@@ -2,6 +2,9 @@
#include "kalasag_io.h"
#include "kalasag_util.h"
+/* Stored PID file path for cleanup on exit */
+static char gblPidFile[MAXBUF] = "";
+
/* Main logging function to surrogate syslog */
void Log(char *logentry, ...)
{
@@ -22,6 +25,8 @@ void Log(char *logentry, ...)
void Exit(int status)
{
+ if (gblPidFile[0])
+ unlink(gblPidFile);
Log("securityalert: Kalasag is shutting down\n");
Log("adminalert: Kalasag is shutting down\n");
exit(status);
@@ -40,7 +45,7 @@ void Start(void)
/* The daemonizing code copied from Advanced Programming */
/* in the UNIX Environment by W. Richard Stevens with minor changes */
-int DaemonSeed(void)
+int DaemonSeed(char *detectionType)
{
int childpid;
@@ -58,9 +63,17 @@ int DaemonSeed(void)
exit(0);
setsid();
- chdir("/");
+ { int unused __attribute__((unused)) = chdir("/"); }
umask(077);
+ /* Write PID file for systemd tracking */
+ snprintf(gblPidFile, MAXBUF, "/var/run/kalasag-%s.pid", detectionType);
+ FILE *pidFile = fopen(gblPidFile, "w");
+ if (pidFile) {
+ fprintf(pidFile, "%d\n", getpid());
+ fclose(pidFile);
+ }
+
/* close stdout, stdin, stderr */
close(0);
close(1);
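Review bot: A failed `fopen()` is silently skipped, so the daemon keeps running without the PID file that both units declare in `PIDFile=`, while `gblPidFile` still holds the path that `Exit()` will later `unlink()`. Failing the start is clearer: `if (!pidFile) { gblPidFile[0] = '\0'; return (ERROR); }`. `detectionType` is formatted into a path under `/var/run` with no check visible here; if it can come straight from the command line, restrict it to the known mode names before building the path, since this code runs as root. The file is also opened with `"w"` unconditionally, so a second instance of the same mode would overwrite the running instance's PID file and, if it then leaves through `Exit()`, remove it. DaemonSeed's body starts and ends outside the hunk.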
@@ -106,7 +119,8 @@ int NeverBlock(char *target, char *filename)
FILE *input;
char buffer[MAXBUF], tempBuffer[MAXBUF], netmaskBuffer[MAXBUF];
char *slashPos;
- int count = 0, dest = 0, netmaskBits = 0;
+ size_t count = 0;
+ int dest = 0, netmaskBits = 0;
#ifdef DEBUG
Log("debug: NeverBlock: Opening ignore file: %s \n", filename);
@@ -277,10 +291,10 @@ int ConfigTokenRetrieve(char *token, char *configToken)
#endif
/* search for the token and make sure the trailing character */
/* is a " " or "=" to make sure the entire token was found */
- if ((strstr(buffer, token) != (char) NULL) &&
+ if ((strstr(buffer, token) != NULL) &&
((buffer[strlen(token)] == '=')
|| (buffer[strlen(token)] == ' '))) { /* cut off the '=' and send it back */
- if (strstr(buffer, "\"") == (char) NULL) {
+ if (strstr(buffer, "\"") == NULL) {
Log("adminalert: Quotes missing from %s token. Option skipped\n", token);
fclose(config);
return (FALSE);
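Review bot: `strstr(buffer, token) != NULL` accepts the token anywhere in the line, while the next two conditions index `buffer[strlen(token)]` as if the token started at column 0. `strncmp(buffer, token, strlen(token)) == 0` states the check the comment describes and cannot match a token that only appears later in the line, for instance inside a value. ConfigTokenRetrieve's body starts and ends outside the hunk.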
@@ -326,6 +340,7 @@ int
BindSocket(int sockfd, struct sockaddr_in client,
struct sockaddr_in server, int port)
{
+ (void)client;
#ifdef DEBUG
Log("debug: BindSocket: Binding to port: %d\n", port);
#endif
@@ -594,7 +609,7 @@ int IsBlocked(char *target, char *filename)
FILE *input;
char buffer[MAXBUF], tempBuffer[MAXBUF];
char *ipOffset;
- int count;
+ size_t count;
#ifdef DEBUG
@@ -606,7 +621,7 @@ int IsBlocked(char *target, char *filename)
}
while (fgets(buffer, MAXBUF, input) != NULL) {
- if ((ipOffset = strstr(buffer, target)) != (char) NULL) {
+ if ((ipOffset = strstr(buffer, target)) != NULL) {
for (count = 0; count < strlen(ipOffset); count++) {
if ((isdigit(ipOffset[count])) || (ipOffset[count] == '.')) {
tempBuffer[count] = ipOffset[count];
@@ -649,7 +664,8 @@ int
SubstString(const char *replace, const char *find, const char *target,
char *result)
{
- int replaceCount = 0, count = 0, findCount = 0, findLen =
+ size_t replaceCount = 0;
+ int count = 0, findCount = 0, findLen =
0, numberOfSubst = 0;
char tempString[MAXBUF], *tempStringPtr;
@@ -663,7 +679,7 @@ SubstString(const char *replace, const char *find, const char *target,
#endif
/* string not found in target */
- if (strstr(target, find) == (char) NULL) {
+ if (strstr(target, find) == NULL) {
strncpy(result, target, MAXBUF);
#ifdef DEBUG
Log("debug: SubstString: Result string: %s", result);
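Review bot: `strncpy(result, target, MAXBUF)` on the unchanged line below the corrected comparison leaves `result` without a terminator when `target` is `MAXBUF` bytes or longer, and the `Log("... %s", result)` that follows in DEBUG builds would then read past the copied data. The size of `result` is not visible in this hunk, but the project already has `SafeStrncpy()`; `SafeStrncpy(result, target, MAXBUF);` would be consistent with the InitConfig change in this commit, assuming that helper terminates its output. SubstString's body continues outside the hunk.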
@@ -724,29 +740,4 @@ int CheckFlag(char *flagName)
}
-/* snprintf for NEXTSTEP (others??) */
-/* I don't know where this code came from and I don't */
-/* warrant its effectiveness. CHR */
-
-#ifdef HAS_NO_SNPRINTF
-int snprintf(char *str, size_t n, char const *fmt, ...)
-{
- va_list ap;
- FILE f;
- if (n > MAXBUF) {
- n = MAXBUF;
- }
- va_start(ap, fmt);
- f._file = EOF;
- f._flag = _IOWRT | _IOSTRG;
- f._base = f._ptr = str;
- f._bufsiz = f._cnt = n ? n - 1 : 0;
- (void) vfprintf(&f, fmt, ap);
- va_end(ap);
- if (n) {
- *f._ptr = '\0';
- }
- return (f._ptr - str);
-}
-#endif
diff --git a/kalasag_io.h b/kalasag_io.h
index bb83ec8..9f9fa4d 100644
--- a/kalasag_io.h
+++ b/kalasag_io.h
@@ -3,7 +3,7 @@ int WriteBlocked(char *, char *, int, char *, char *, char *);
void Log(char *, ...);
void Exit(int);
void Start(void);
-int DaemonSeed(void);
+int DaemonSeed(char *);
int NeverBlock(char *, char *);
int CheckConfig(void);
int OpenTCPSocket(void);
diff --git a/kalasag_tcpip.h b/kalasag_tcpip.h
index b697b1f..e337b2b 100644
--- a/kalasag_tcpip.h
+++ b/kalasag_tcpip.h
@@ -42,7 +42,15 @@
#ifndef _NETINET_TCP_H
#define _NETINET_TCP_H 1
-#include <features.h>
+#ifndef __BEGIN_DECLS
+# ifdef __cplusplus
+# define __BEGIN_DECLS extern "C" {
+# define __END_DECLS }
+# else
+# define __BEGIN_DECLS
+# define __END_DECLS
+# endif
+#endif
__BEGIN_DECLS struct tcphdr {
u_int16_t source;
diff --git a/kalasag_util.h b/kalasag_util.h
index 5f95e2f..52863ad 100644
--- a/kalasag_util.h
+++ b/kalasag_util.h
@@ -1,6 +1,3 @@
-/* IP address length plus null */
-#define IPMAXBUF 16
-
char *SafeStrncpy(char *, const char *, size_t);
char *CleanIpAddr(char *, const char *);
int CleanAndResolve(char *, const char *);
tree a1e8b2baa1af0428a2ca90dd38bf30639e2bec29
parent f29f18423e444d680508ee208dfb1c42e1cd02b6
author Engels Antonio <engels@kalasag.org> 1782530396 +0800
committer Engels Antonio <engels@kalasag.org> 1782532366 +0800
Modernize project: fix type safety, harden build, clean dead code, split systemd service
Code fixes:
- Use socklen_t for accept()/recvfrom() address length (POSIX required)
- Fix strncat bounds on BLOCKED_FILE extension
- Handle unused write() and chdir() return values
- Fix signedness comparisons in advanced stealth mode
- Change int loop counters to size_t for strlen() comparisons
- Cast away unused BindSocket() client parameter
Dead code removal:
- Remove -DDEBIAN (defined but never checked)
- Remove glibc-specific <features.h>; add portable __BEGIN_DECLS fallback
- Remove NeXTSTEP #ifdef and HAS_NO_SNPRINTF fallback
- Remove libc5-era _LINUX_C_LIB_VERSION workaround
- Remove duplicate IPMAXBUF define from kalasag_util.h
Build system:
- Split CFLAGS into BASE_CFLAGS, LINUX_CFLAGS, BSD_CFLAGS per platform
- Remove -w suppression; add -Wextra -Werror for strict compilation
- Add -flto, -Wl,-z,noexecstack hardening
- Remove C++-only flags (-D_GLIBCXX_ASSERTIONS, -fexceptions,
-fasynchronous-unwind-tables) and redundant -fstack-protector
Systemd service:
- Replace single kalasag.service (Type=oneshot, two ExecStart lines)
with kalasag-tcp.service and kalasag-udp.service
- Use Type=forking (matching DaemonSeed() double-fork pattern)
- Add Restart=always for crash recovery
- Add PID file creation in DaemonSeed() and cleanup in Exit()
- Add PIDFile= to both service files for reliable process tracking
diff --git a/Makefile b/Makefile
index abf7634..cd989e0 100644
--- a/Makefile
+++ b/Makefile
@@ -22,16 +22,26 @@ CC = cc
# GNU..
#CC = gcc
-# Normal systems flags
-CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -Wall -w -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fasynchronous-unwind-tables -fexceptions -fpie -Wl,-pie -fstack-clash-protection -fstack-protector -fstack-protector-strong -fcf-protection -pipe -Werror=format-security -Werror=implicit-function-declaration -Wl,-z,defs -Wl,-z,now -Wl,-z,relro
+# Base flags (portable across all platforms)
+BASE_CFLAGS = -O3 -Wall -Wextra -pipe -flto
+
+# Linux hardening flags (GCC/Linux specific)
+LINUX_CFLAGS = -funroll-loops -fomit-frame-pointer $(BASE_CFLAGS) \
+ -D_FORTIFY_SOURCE=2 -fpie -Wl,-pie -fstack-clash-protection \
+ -fstack-protector-strong -fcf-protection \
+ -Werror=format-security -Werror=implicit-function-declaration \
+ -Wl,-z,defs -Wl,-z,now -Wl,-z,relro -Wl,-z,noexecstack
+
+# BSD/macOS hardening flags (compatible with clang and BSD linkers)
+BSD_CFLAGS = $(BASE_CFLAGS) -fPIE -Wl,-pie -fstack-protector-strong
# Debug mode for kalasag
-#CFLAGS = -Wall -g -DNODAEMON -DDEBUG
-#CFLAGS = -Wall -g -DNODAEMON
-#CFLAGS = -Wall -g -DDEBUG
+#BASE_CFLAGS = -Wall -g -DNODAEMON -DDEBUG
+#BASE_CFLAGS = -Wall -g -DNODAEMON
+#BASE_CFLAGS = -Wall -g -DDEBUG
# Profiler mode for kalasag
-#CFLAGS = -pg -O -Wall -DNODAEMON
+#BASE_CFLAGS = -pg -O -Wall -DNODAEMON
#LIBS = /usr/lib/libefence.a
INSTALLDIR = /opt
@@ -61,7 +71,13 @@ clean:
/bin/rm ./kalasag
uninstall:
- @if [ -f /usr/lib/systemd/system/kalasag.service ]; then systemctl stop kalasag.service; systemctl disable kalasag.service; rm -f /usr/lib/systemd/system/kalasag.service; fi
+ @for svc in kalasag-tcp kalasag-udp; do \
+ if [ -f /usr/lib/systemd/system/$$svc.service ]; then \
+ systemctl stop $$svc.service; \
+ systemctl disable $$svc.service; \
+ rm -f /usr/lib/systemd/system/$$svc.service; \
+ fi; \
+ done
@if [ -d $(INSTALLDIR)$(CHILDDIR) ]; then rm -rf $(INSTALLDIR)$(CHILDDIR)/*; fi
install:
@@ -70,69 +86,74 @@ install:
@cp ./kalasag.conf $(INSTALLDIR)$(CHILDDIR)
@cp ./kalasag.ignore $(INSTALLDIR)$(CHILDDIR)
@cp ./kalasag $(INSTALLDIR)$(CHILDDIR)
- @if [ -d /usr/lib/systemd/system ]; then cp ./kalasag.service /usr/lib/systemd/system/; systemctl enable kalasag.service; fi
+ @if [ -d /usr/lib/systemd/system ]; then \
+ cp ./kalasag-tcp.service /usr/lib/systemd/system/; \
+ cp ./kalasag-udp.service /usr/lib/systemd/system/; \
+ systemctl enable kalasag-tcp.service; \
+ systemctl enable kalasag-udp.service; \
+ fi
@chmod 600 $(INSTALLDIR)$(CHILDDIR)/kalasag.ignore
@chmod 600 $(INSTALLDIR)$(CHILDDIR)/kalasag.conf
@chmod 700 $(INSTALLDIR)$(CHILDDIR)/kalasag
@echo ""
- @echo 'Issue "systemctl restart kalasag.service" after editing $(INSTALLDIR)$(CHILDDIR)/kalasag.conf.'
+ @echo 'Issue "systemctl start kalasag-tcp kalasag-udp" after editing $(INSTALLDIR)$(CHILDDIR)/kalasag.conf.'
@echo ""
linux:
SYSTYPE=linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
linux-x86_64:
SYSTYPE=linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -m64 -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -m64 -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
debian-linux:
SYSTYPE=debian-linux
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
+ $(CC) $(LINUX_CFLAGS) -DLINUX -DSUPPORT_STEALTH -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c $(LIBS)
bsd:
SYSTYPE=bsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
openbsd:
SYSTYPE=openbsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
freebsd:
SYSTYPE=freebsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
osx:
SYSTYPE=osx
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
netbsd:
SYSTYPE=netbsd
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
bsdi:
SYSTYPE=bsdi
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BSD_CFLAGS) -DBSD44 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
generic:
SYSTYPE=generic
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
hpux:
@@ -144,7 +165,7 @@ hpux:
hpux-gcc:
SYSTYPE=hpux-gcc
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -DHPUX -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -DHPUX -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
solaris:
@@ -156,19 +177,19 @@ solaris:
aix:
SYSTYPE=aix
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
osf:
SYSTYPE=osf
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -taso -ldb -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -taso -ldb -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
irix:
SYSTYPE=irix
@echo "Making $(SYSTYPE)"
- $(CC) $(CFLAGS) -O -n32 -mips3 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
+ $(CC) $(BASE_CFLAGS) -O -n32 -mips3 -o ./kalasag ./kalasag.c ./kalasag_io.c ./kalasag_util.c
# NeXTSTEP Users. NeXT used to work, but we changed the log function and
diff --git a/kalasag.service b/kalasag-tcp.service
similarity index 57%
rename from kalasag.service
rename to kalasag-tcp.service
index 1d6715b..c6a0a4d 100644
--- a/kalasag.service
+++ b/kalasag-tcp.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Kalasag
+Description=Kalasag Port Scan Detector (TCP)
After=syslog.target network.target auditd.service
[Service]
-Type=oneshot
-RemainAfterExit=yes
+Type=forking
+PIDFile=/var/run/kalasag-atcp.pid
ExecStart=/opt/kalasag/kalasag -atcp
-ExecStart=/opt/kalasag/kalasag -sudp
+Restart=always
[Install]
WantedBy=multi-user.target
diff --git a/kalasag-udp.service b/kalasag-udp.service
new file mode 100644
index 0000000..3e47ccc
--- /dev/null
+++ b/kalasag-udp.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Kalasag Port Scan Detector (UDP)
+After=syslog.target network.target auditd.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/kalasag-sudp.pid
+ExecStart=/opt/kalasag/kalasag -sudp
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kalasag.c b/kalasag.c
index 2145b43..a40ae09 100644
--- a/kalasag.c
+++ b/kalasag.c
@@ -65,7 +65,7 @@ int main(int argc, char *argv[])
Exit(ERROR);
}
#ifndef NODAEMON
- else if (DaemonSeed() == ERROR) {
+ else if (DaemonSeed(gblDetectionType) == ERROR) {
Log("adminalert: ERROR: could not go into daemon mode. Shutting down.\n");
printf
("ERROR: could not go into daemon mode. Shutting down.\n");
@@ -181,8 +181,10 @@ int InitConfig(void)
if ((ConfigTokenRetrieve("BLOCKED_FILE", gblBlockedFile)) == TRUE) {
if (strlen(gblBlockedFile) < MAXBUF - 5) {
- strncat(gblBlockedFile, ".", 1);
- strncat(gblBlockedFile, gblDetectionType, 4);
+ size_t len = strlen(gblBlockedFile);
+ gblBlockedFile[len] = '.';
+ SafeStrncpy(gblBlockedFile + len + 1, gblDetectionType,
+ MAXBUF - len - 1);
} else {
Log("adminalert: ERROR: Blocked filename is too long to append detection type file extension: %s.\n", gblBlockedFile);
return (FALSE);
@@ -523,8 +525,8 @@ int KalasagAdvancedStealthModeTCP(void)
if ((tcp.ack != 1) && (tcp.rst != 1)) {
/* check if we should ignore this connection to this port */
for (count = 0; count < portCount; count++) {
- if ((incomingPort == inUsePorts[count])
- || (incomingPort >= advancedPorts)) {
+ if ((incomingPort == (int)inUsePorts[count])
+ || (incomingPort >= (int)advancedPorts)) {
hotPort = FALSE;
break;
} else
@@ -816,8 +818,8 @@ int KalasagAdvancedStealthModeUDP(void)
/* check if we should ignore this connection to this port */
for (count = 0; count < portCount; count++) {
- if ((incomingPort == inUsePorts[count])
- || (incomingPort >= advancedPorts)) {
+ if ((incomingPort == (int)inUsePorts[count])
+ || (incomingPort >= (int)advancedPorts)) {
hotPort = FALSE;
break;
} else
@@ -899,7 +901,8 @@ int KalasagModeTCP(void)
{
struct sockaddr_in client, server;
- int length, portCount = 0, ports[MAXSOCKS];
+ socklen_t length;
+ int portCount = 0, ports[MAXSOCKS];
int openSockfd[MAXSOCKS], incomingSockfd, result = TRUE;
int count = 0, scanDetectTrigger = TRUE, showBanner =
FALSE, boundPortCount = 0;
@@ -1015,9 +1018,13 @@ int KalasagModeTCP(void)
if (scanDetectTrigger == TRUE) {
/* show the banner if one was selected */
- if (showBanner == TRUE)
- write(incomingSockfd, bannerBuffer,
- strlen(bannerBuffer));
+ if (showBanner == TRUE) {
+ ssize_t unused
+ __attribute__((unused));
+ unused =
+ write(incomingSockfd, bannerBuffer,
+ strlen(bannerBuffer));
+ }
/* we don't need the bonehead anymore */
close(incomingSockfd);
if (gblResolveHost) { /* Do they want DNS resolution? */
@@ -1075,7 +1082,8 @@ int KalasagModeTCP(void)
int KalasagModeUDP(void)
{
struct sockaddr_in client, server;
- int length, ports[MAXSOCKS], openSockfd[MAXSOCKS], result = TRUE;
+ socklen_t length;
+ int ports[MAXSOCKS], openSockfd[MAXSOCKS], result = TRUE;
int count = 0, portCount = 0, selectResult = 0, scanDetectTrigger = 0;
int boundPortCount = 0, showBanner = FALSE;
char *temp, target[IPMAXBUF], bannerBuffer[MAXBUF],
diff --git a/kalasag.h b/kalasag.h
index 99abca2..c9671b8 100644
--- a/kalasag.h
+++ b/kalasag.h
@@ -14,11 +14,9 @@
#include <assert.h>
#include <sys/param.h>
#include <sys/types.h>
-#ifndef _LINUX_C_LIB_VERSION
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
-#endif
#include <arpa/inet.h>
#include "kalasag_config.h"
@@ -35,10 +33,6 @@
#define UDPPACKETLEN 68
#endif /* SUPPORT_STEALTH */
-#ifdef NEXT
-#include <ansi.h>
-#endif
-
#define ERROR -1
#define TRUE 1
#define FALSE 0
diff --git a/kalasag_config.h b/kalasag_config.h
index 6d5c418..03d6611 100644
--- a/kalasag_config.h
+++ b/kalasag_config.h
@@ -13,3 +13,5 @@
/* the maximum number of hosts to keep in a "previous connect" state engine*/
#define MAXSTATE 50
+
+
diff --git a/kalasag_io.c b/kalasag_io.c
index f181bc4..e274c93 100644
--- a/kalasag_io.c
+++ b/kalasag_io.c
@@ -2,6 +2,9 @@
#include "kalasag_io.h"
#include "kalasag_util.h"
+/* Stored PID file path for cleanup on exit */
+static char gblPidFile[MAXBUF] = "";
+
/* Main logging function to surrogate syslog */
void Log(char *logentry, ...)
{
@@ -22,6 +25,8 @@ void Log(char *logentry, ...)
void Exit(int status)
{
+ if (gblPidFile[0])
+ unlink(gblPidFile);
Log("securityalert: Kalasag is shutting down\n");
Log("adminalert: Kalasag is shutting down\n");
exit(status);
@@ -40,7 +45,7 @@ void Start(void)
/* The daemonizing code copied from Advanced Programming */
/* in the UNIX Environment by W. Richard Stevens with minor changes */
-int DaemonSeed(void)
+int DaemonSeed(char *detectionType)
{
int childpid;
@@ -58,9 +63,17 @@ int DaemonSeed(void)
exit(0);
setsid();
- chdir("/");
+ { int unused __attribute__((unused)) = chdir("/"); }
umask(077);
+ /* Write PID file for systemd tracking */
+ snprintf(gblPidFile, MAXBUF, "/var/run/kalasag-%s.pid", detectionType);
+ FILE *pidFile = fopen(gblPidFile, "w");
+ if (pidFile) {
+ fprintf(pidFile, "%d\n", getpid());
+ fclose(pidFile);
+ }
+
/* close stdout, stdin, stderr */
close(0);
close(1);
@@ -106,7 +119,8 @@ int NeverBlock(char *target, char *filename)
FILE *input;
char buffer[MAXBUF], tempBuffer[MAXBUF], netmaskBuffer[MAXBUF];
char *slashPos;
- int count = 0, dest = 0, netmaskBits = 0;
+ size_t count = 0;
+ int dest = 0, netmaskBits = 0;
#ifdef DEBUG
Log("debug: NeverBlock: Opening ignore file: %s \n", filename);
@@ -277,10 +291,10 @@ int ConfigTokenRetrieve(char *token, char *configToken)
#endif
/* search for the token and make sure the trailing character */
/* is a " " or "=" to make sure the entire token was found */
- if ((strstr(buffer, token) != (char) NULL) &&
+ if ((strstr(buffer, token) != NULL) &&
((buffer[strlen(token)] == '=')
|| (buffer[strlen(token)] == ' '))) { /* cut off the '=' and send it back */
- if (strstr(buffer, "\"") == (char) NULL) {
+ if (strstr(buffer, "\"") == NULL) {
Log("adminalert: Quotes missing from %s token. Option skipped\n", token);
fclose(config);
return (FALSE);
@@ -326,6 +340,7 @@ int
BindSocket(int sockfd, struct sockaddr_in client,
struct sockaddr_in server, int port)
{
+ (void)client;
#ifdef DEBUG
Log("debug: BindSocket: Binding to port: %d\n", port);
#endif
@@ -594,7 +609,7 @@ int IsBlocked(char *target, char *filename)
FILE *input;
char buffer[MAXBUF], tempBuffer[MAXBUF];
char *ipOffset;
- int count;
+ size_t count;
#ifdef DEBUG
@@ -606,7 +621,7 @@ int IsBlocked(char *target, char *filename)
}
while (fgets(buffer, MAXBUF, input) != NULL) {
- if ((ipOffset = strstr(buffer, target)) != (char) NULL) {
+ if ((ipOffset = strstr(buffer, target)) != NULL) {
for (count = 0; count < strlen(ipOffset); count++) {
if ((isdigit(ipOffset[count])) || (ipOffset[count] == '.')) {
tempBuffer[count] = ipOffset[count];
@@ -649,7 +664,8 @@ int
SubstString(const char *replace, const char *find, const char *target,
char *result)
{
- int replaceCount = 0, count = 0, findCount = 0, findLen =
+ size_t replaceCount = 0;
+ int count = 0, findCount = 0, findLen =
0, numberOfSubst = 0;
char tempString[MAXBUF], *tempStringPtr;
@@ -663,7 +679,7 @@ SubstString(const char *replace, const char *find, const char *target,
#endif
/* string not found in target */
- if (strstr(target, find) == (char) NULL) {
+ if (strstr(target, find) == NULL) {
strncpy(result, target, MAXBUF);
#ifdef DEBUG
Log("debug: SubstString: Result string: %s", result);
@@ -724,29 +740,4 @@ int CheckFlag(char *flagName)
}
-/* snprintf for NEXTSTEP (others??) */
-/* I don't know where this code came from and I don't */
-/* warrant its effectiveness. CHR */
-
-#ifdef HAS_NO_SNPRINTF
-int snprintf(char *str, size_t n, char const *fmt, ...)
-{
- va_list ap;
- FILE f;
- if (n > MAXBUF) {
- n = MAXBUF;
- }
- va_start(ap, fmt);
- f._file = EOF;
- f._flag = _IOWRT | _IOSTRG;
- f._base = f._ptr = str;
- f._bufsiz = f._cnt = n ? n - 1 : 0;
- (void) vfprintf(&f, fmt, ap);
- va_end(ap);
- if (n) {
- *f._ptr = '\0';
- }
- return (f._ptr - str);
-}
-#endif
diff --git a/kalasag_io.h b/kalasag_io.h
index bb83ec8..9f9fa4d 100644
--- a/kalasag_io.h
+++ b/kalasag_io.h
@@ -3,7 +3,7 @@ int WriteBlocked(char *, char *, int, char *, char *, char *);
void Log(char *, ...);
void Exit(int);
void Start(void);
-int DaemonSeed(void);
+int DaemonSeed(char *);
int NeverBlock(char *, char *);
int CheckConfig(void);
int OpenTCPSocket(void);
diff --git a/kalasag_tcpip.h b/kalasag_tcpip.h
index b697b1f..e337b2b 100644
--- a/kalasag_tcpip.h
+++ b/kalasag_tcpip.h
@@ -42,7 +42,15 @@
#ifndef _NETINET_TCP_H
#define _NETINET_TCP_H 1
-#include <features.h>
+#ifndef __BEGIN_DECLS
+# ifdef __cplusplus
+# define __BEGIN_DECLS extern "C" {
+# define __END_DECLS }
+# else
+# define __BEGIN_DECLS
+# define __END_DECLS
+# endif
+#endif
__BEGIN_DECLS struct tcphdr {
u_int16_t source;
diff --git a/kalasag_util.h b/kalasag_util.h
index 5f95e2f..52863ad 100644
--- a/kalasag_util.h
+++ b/kalasag_util.h
@@ -1,6 +1,3 @@
-/* IP address length plus null */
-#define IPMAXBUF 16
-
char *SafeStrncpy(char *, const char *, size_t);
char *CleanIpAddr(char *, const char *);
int CleanAndResolve(char *, const char *);