Commit graph

5036 commits

Author SHA1 Message Date
Ahmet Ozturk
de92f63ec1 Revert "check certificates first, before the return code of curl_easy_perform"
This reverts commit 7c2fd30a1e.
2026-03-02 15:09:11 +01:00
Ahmet Ozturk
7c2fd30a1e check certificates first, before the return code of curl_easy_perform 2026-03-02 14:57:27 +01:00
Ahmet Oeztuerk
11abba8347 fix the -ssl better, now does not segfault on empty --ssl argument as well. 2026-02-19 14:52:43 +01:00
Ahmet Oeztuerk
d95c31a013 Revert "prevent segfault on --ssl=VERSION argument by saving the string value."
This reverts commit 687fe995d5.
2026-02-19 14:43:38 +01:00
Ahmet Oeztuerk
d039da1eac add a newline before dying in handle_curl_option_return_code 2026-02-19 14:29:31 +01:00
Ahmet Oeztuerk
687fe995d5 prevent segfault on --ssl=VERSION argument by saving the string value.
was getting a segfault when -ssl=1 was used, do not know why exactly.
2026-02-19 14:28:43 +01:00
inqrphl
3cc7090cb7
Merge branch 'master' into check-curl-add-proxy-argument-and-improvements 2026-02-18 10:59:03 +01:00
Ahmet Oeztuerk
49a74079bb move docker apache subdomain setup files to /tools/subdomain1 2026-02-18 10:37:12 +01:00
Ahmet Oeztuerk
492cde149c corrected some annotations 2026-02-17 16:09:24 +01:00
Ahmet Oeztuerk
0cb20e8335 removed duplicate tests, corrected wrong comments 2026-02-17 16:05:30 +01:00
Ahmet Oeztuerk
d1520b6465 handle case where proxy is set as empty string 2026-02-17 15:54:12 +01:00
Ahmet Oeztuerk
4d8c3c1e46 fix failing tests 2026-02-17 15:53:35 +01:00
Ahmet Oeztuerk
c37878508a move function comments to header 2026-02-17 14:57:53 +01:00
Ahmet Oeztuerk
0193e4eeb3 revert NP_HOST_TLS_CERT to its default value 2026-02-17 14:51:05 +01:00
Ahmet Oeztuerk
1f1e615217 typo in comment 2026-02-17 14:49:02 +01:00
Ahmet Oeztuerk
a7e904d92c specify localhost acl and allow it through the proxy. used in check_curl tests 2026-02-17 14:44:56 +01:00
Ahmet Oeztuerk
7c07ff53d4 Adapt tests for the squid sever, disable checking return code for socks 4/5 proxies. Squid does not support it, and we do not install a capable proxy for these schemes. 2026-02-17 14:44:13 +01:00
Ahmet Oeztuerk
d8556bb8c0 rewrite ip_addr_inside_cidr, split ipv4 and ipv6 parsing path and copy them to a shared buffer later on for prefix check 2026-02-17 14:43:12 +01:00
Ahmet Oeztuerk
9d66720817 remove squid certificate 2026-02-17 14:39:25 +01:00
Ahmet Oeztuerk
2dd51c56c7 make apache2 listen on [::1] for ipv6 tests 2026-02-17 14:38:49 +01:00
Ahmet Oeztuerk
0b72650fb3 fix subnet definition 2026-02-17 14:36:58 +01:00
Ahmet Ozturk
22b947bca2 wip tests that work on the live debian image 2026-02-17 10:44:53 +01:00
Dirk Mueller
15b9a39b60
Make replacing of mismatching single quotes work (#2232)
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
Fixes a logic error in the string handling that led to dead code before.
2026-02-16 11:27:49 +01:00
Dirk Mueller
07a249a5d7
Fix typo in enum MP_PARSING_SUCCES(S) (#2233) 2026-02-16 11:22:39 +01:00
Dirk Mueller
423d0c5267
Fix a few typos (#2231) 2026-02-16 11:21:21 +01:00
Ahmet Oeztuerk
303d3a8a7a wip tests that work on local perl http/https server 2026-02-13 18:24:49 +01:00
Ahmet Oeztuerk
43409d4834 add subdomain checks for each item in the no_proxy, if the target host is a subdomain proxy wont resolve it
add function ip_addr_inside_cidr, use it for checking possible cidr ranges  given in the no_proxy
2026-02-13 16:53:07 +01:00
Ahmet Oeztuerk
96b2c90cf6 add disclaimer about uppercase HTTP_PROXY 2026-02-13 16:50:21 +01:00
Ahmet Oeztuerk
c376b3ab4c use strdup where destination working_state.curlopt_proxy may be NULL 2026-02-13 16:49:52 +01:00
Ahmet Oeztuerk
5180bfd096 check if host name is a subdomain of an noproxy item 2026-02-12 18:53:16 +01:00
Ahmet Oeztuerk
73d6c8b660 switch argument from --no-proxy to --noproxy like curl cli 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
e41b74c96b check curlopt_noproxy before accessing it 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
5e618a31a0 document proxy cli arguments
clarify and add more examples of proxy environment variables and their
behavior when multiple are specified, overriden etc.

add single wildcard '*' checking for no_proxy to
determine_hostname_resolver, special case per curlopt_noproxy
documentation
2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
cfeaf28338 improve proxy environment parsing
add another argument: --no-proxy , which is used when setting
CURL_NOPROXY

additionally parse all_proxy, ALL_PROXY, no_proxy and NO_PROXY
environment variables in the correct order.

set the curlopt_proxy and curlopt_noproxy of libcurl, and additionally
save them in check_curl_working_state.

add function determine_hostname_resolver, uses the working state and
static config. it can tokenize the no_proxy variable and check for exact
matches, but cannot determine subnet matches for ip addresses yet.
2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
1c0134a994 fix typo with proxy scheme socks5a->socks5h 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
8e095bfc73 fix typo in the proxy argument 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
ff9f5a5bc1 remove unused handle_curl_easyoption and format_curl_easyoption functions 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
b9555bcab3 add proxy_resolves_hostname, determined by proxy scheme
leave the functions that print out an curl_easyoption, but dont use it. organize the code slightly, print out the final CURLOPT_PROXY and proxy_resolves_hostname flag on verbose mode, add comments
2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
ed1d54d562 add curl version and ssl enabelement macro checks
might fix rocky linux 8 compilation issues.
2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
e7a55d1f0c codespell, clang-format and hints fixes 2026-02-10 13:15:35 +01:00
Ahmet Oeztuerk
d5a5a3de6f add proxy argument and improve dns cache usage
add proxy argument that useing the -x and --proxy argument. add it to
the static curl config struct, command usage and help outputs of the
cli.

parse these argument together with the environment variables like
http_proxy before setting the CURLOPT_PROXY in the curl configuration
option. this is required, as there is no easy way to ascertain/get what
the CURLOPT_PROXY that libcurl will use. by the point it is set by
libcurl, we have no control over it anymore, and need it for the other
steps in the configuration.

if the CURLOPT_PROXY is set, skip the DNS cache population which would
set the CURLOPT_RESOLVE. this is currently not perfect however. if a
proxy is set with socks4 or socks5 scheme, the host should be resolving
the hostname.
2026-02-10 13:15:35 +01:00
Lorenz Kästle
0f0865c910
Make IPv6 unconditional (#2219)
Some checks failed
Tests Debian:Testing and Fedora:Rawhide / Running unit and integrationt tests (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running rpm build test on fedora:rawhide (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
This commits removes the detection of IPv6 availability.
The IPv6 code in the plugins is used unconditionally now.
2026-02-06 12:59:58 +01:00
Alvar
cef40299a9
OpenBSD: pledge(2) some network-facing checks (#2225)
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.

This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.

My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.

Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.

For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
2026-02-06 12:58:38 +01:00
Lorenz Kästle
fe4c82ea6f
Remove dep files which were checked in unintentionally (#2228)
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running unit and integrationt tests (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running rpm build test on fedora:rawhide (push) Has been cancelled
2026-01-23 11:07:06 +01:00
Alvar
bccb38dc9d
check_icmp: Populate progname before np_extra_opts call (#2226)
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running unit and integrationt tests (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running rpm build test on fedora:rawhide (push) Has been cancelled
Within np_extra_opts, the ini parser expects a valid progname as the
default section to select a configuration section in the ini file.
However, within the check_icmp codebase, the progname is being populated
directly after the np_extra_opts call, being a null pointer before.

$ ./check_icmp --extra-opts=@foo.ini
Segmentation fault (core dumped)

> #0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
> #1  0x000003989615d032 in _libc_strdup (str=Variable "str" is not available.) at /usr/src/lib/libc/string/strdup.c:44
> #2  0x000003966f751b74 in np_get_defaults (locator=0x73ede1e538ea "@foo.ini", default_section=0x0) at parse_ini.c:91
> #3  0x000003966f7518ce in np_extra_opts (argc=0x73ede1e5369c, argv=0x73ede1e53728, plugin_name=0x0) at extra_opts.c:98
> #4  0x000003966f74165a in main (argc=1, argv=0x0) at check_icmp.c:832

The progname variable is set within the process_arguments function,
requiring the already enriched arguments from np_extra_opts. Thus, I
moved the progname detection out of this function, directly before the
np_extra_opts call. This pattern does already exists in check_tcp.

I briefly looked for similar issues in other plugins, but found none.
2026-01-19 01:00:00 +01:00
Lorenz Kästle
f5f60f5717
check_disk: compare inode thresholds against the correct value (#2223)
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
* check_disk: compare inode thresholds against the correct value

* check_disk: Detect free inode number correctly in tests

---------

Co-authored-by: Lorenz Kästle <lorenz.kaestle@netways.de>
2026-01-16 12:16:45 +01:00
Lorenz Kästle
b58e244cc7
check_icmp: prevent segfault on OpenBSD (#2224)
Some checks are pending
CodeQL / Analyze (push) Waiting to run
Spellcheck / codespell (push) Waiting to run
Tests / Running unit and integrationt tests (push) Waiting to run
Tests / Running rpm build test on almalinux:9 (push) Waiting to run
Tests / Running rpm build test on fedora:latest (push) Waiting to run
Tests / Running rpm build test on rockylinux:8 (push) Waiting to run
* check_icmp: prevent segfault on OpenBSD

This commit adds a sanity check for sockets in
check_icmp.
Previously FD_ISSET segfaulted when a socket value was
-1 (on OpenBSD). The changes here add an explicit
check whether the socket is -1 (and therefore not
set).

---------

Co-authored-by: Lorenz Kästle <lorenz.kaestle@netways.de>
2026-01-16 02:42:01 +01:00
Lorenz Kästle
6716001002
Merge pull request #2222 from RincewindsHat/fix/summary_counts
Some checks are pending
CodeQL / Analyze (push) Waiting to run
Spellcheck / codespell (push) Waiting to run
Tests / Running unit and integrationt tests (push) Waiting to run
Tests / Running rpm build test on almalinux:9 (push) Waiting to run
Tests / Running rpm build test on fedora:latest (push) Waiting to run
Tests / Running rpm build test on rockylinux:8 (push) Waiting to run
Compute numbers in output summary correctly
2026-01-15 09:54:27 +01:00
Lorenz Kästle
3e8cef3721 Compute numbers in output summary correctly 2026-01-14 17:28:51 +01:00
Lorenz Kästle
46563cea2b
Merge pull request #2200 from RincewindsHat/modern_output/check_radius
Some checks failed
CodeQL / Analyze (push) Has been cancelled
Spellcheck / codespell (push) Has been cancelled
Tests / Running unit and integrationt tests (push) Has been cancelled
Tests / Running rpm build test on almalinux:9 (push) Has been cancelled
Tests / Running rpm build test on fedora:latest (push) Has been cancelled
Tests / Running rpm build test on rockylinux:8 (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running unit and integrationt tests (push) Has been cancelled
Tests Debian:Testing and Fedora:Rawhide / Running rpm build test on fedora:rawhide (push) Has been cancelled
check_radius: Implement modern output
2026-01-09 15:13:36 +01:00