From d72f6e2210fc861d02ef452d1ad88563444e7b00 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 4 Dec 2025 11:39:29 +0000
Subject: [PATCH] graphs: Add a graph to show port scans
Signed-off-by: Michael Tremer
---
 Makefile.am | 2 +
 src/daemon/colors.h | 6 ++
 src/daemon/graphs.c | 2 +
 src/daemon/graphs/legacy-port-scans.c | 89 +++++++++++++++++++++++++++
 src/daemon/graphs/legacy-port-scans.h | 28 +++++++++
 5 files changed, 127 insertions(+)
 create mode 100644 src/daemon/graphs/legacy-port-scans.c
 create mode 100644 src/daemon/graphs/legacy-port-scans.h
diff --git a/Makefile.am b/Makefile.am
index 9fd9120..bf53475 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -132,6 +132,8 @@ dist_telemetryd_SOURCES = \
 src/daemon/graphs/interface-packets.h \
 src/daemon/graphs/legacy-gateway-latency4.c \
 src/daemon/graphs/legacy-gateway-latency4.h \
+ src/daemon/graphs/legacy-port-scans.c \
+ src/daemon/graphs/legacy-port-scans.h \
 src/daemon/graphs/legacy-suricata.c \
 src/daemon/graphs/legacy-suricata.h \
 src/daemon/graphs/loadavg.c \
diff --git a/src/daemon/colors.h b/src/daemon/colors.h
index 8a855fb..c699c87 100644
--- a/src/daemon/colors.h
+++ b/src/daemon/colors.h
@@ -89,6 +89,12 @@
 // Temperature
 #define COLOR_TEMPERATURE COLOR_RED
+// Networking
+#define COLOR_TCP COLOR_GREEN
+#define COLOR_UDP COLOR_ORANGE
+#define COLOR_ICMP COLOR_RED
+#define COLOR_IP_FRAG COLOR_BLACK
+
 // DNS
 #define COLOR_DNS_KEYS COLOR_RED
 #define COLOR_DNS_INFRA COLOR_GREY
diff --git a/src/daemon/graphs.c b/src/daemon/graphs.c
index b13bfd5..4c49686 100644
--- a/src/daemon/graphs.c
+++ b/src/daemon/graphs.c
@@ -49,6 +49,7 @@
 // Legacy graphs
 #include "graphs/legacy-gateway-latency4.h"
+#include "graphs/legacy-port-scans.h"
 #include "graphs/legacy-suricata.h"
 // Register all graphs
@@ -85,6 +86,7 @@ static const td_graph_impl* graph_impls[] = {
 // Legacy
 &legacy_gateway_latency4_graph,
+ &legacy_port_scans_graph,
 &legacy_suricata_graph,
 NULL,
diff --git a/src/daemon/graphs/legacy-port-scans.c b/src/daemon/graphs/legacy-port-scans.c
new file mode 100644
index 0000000..4cb8e12
--- /dev/null
+++ b/src/daemon/graphs/legacy-port-scans.c
@@ -0,0 +1,89 @@
+/*#############################################################################
+# #
+# telemetryd - The IPFire Telemetry Collection Service #
+# Copyright (C) 2025 IPFire Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+#############################################################################*/
+
+#include
+
+#include "graph.h"
+#include "legacy-port-scans.h"
+
+static int legacy_port_scans_title(td_ctx* ctx, td_graph* graph,
+ const char* object, char* title, size_t length) {
+ return __td_string_set(title, length, _("Port Scans"));
+}
+
+static int legacy_port_scans_render(td_ctx* ctx, td_graph* graph,
+ const td_graph_render_options* options, td_args* args, const char* object) {
+ int r;
+
+ const char* sources[] = {
+ "DROP_PSCAN",
+ "DROP_PSCAN_ICMP",
+ "DROP_PSCAN_TCP",
+ "DROP_PSCAN_UDP",
+ "DROP_PSCAN_FRAG",
+ NULL,
+ };
+
+ // Load all sources
+ r = td_graph_require_sources(graph, args, "iptables", sources);
+ if (r < 0)
+ return r;
+
+ // Draw the area backgrouns
+ DRAW_AREA_BACKGROUND(args, "packets", "DROP_PSCAN_FRAG", COLOR_IP_FRAG, 0);
+ DRAW_AREA_BACKGROUND(args, "packets", "DROP_PSCAN_ICMP", COLOR_ICMP, STACKED);
+ DRAW_AREA_BACKGROUND(args, "packets", "DROP_PSCAN_UDP", COLOR_UDP, STACKED);
+ DRAW_AREA_BACKGROUND(args, "packets", "DROP_PSCAN_TCP", COLOR_TCP, STACKED);
+
+ DRAW_AREA_OUTLINE_WITH_LABEL(args, "packets", "DROP_PSCAN_FRAG",
+ COLOR_IP_FRAG, 0, _("Fragmented Packets"));
+ PRINT_CAMM(args, "packets", "DROP_PSCAN_FRAG", PPS);
+
+ DRAW_AREA_OUTLINE_WITH_LABEL(args, "packets", "DROP_PSCAN_ICMP",
+ COLOR_ICMP, STACKED, _("ICMP"));
+ PRINT_CAMM(args, "packets", "DROP_PSCAN_ICMP", PPS);
+
+ DRAW_AREA_OUTLINE_WITH_LABEL(args, "packets", "DROP_PSCAN_UDP",
+ COLOR_UDP, STACKED, _("UDP"));
+ PRINT_CAMM(args, "packets", "DROP_PSCAN_UDP", PPS);
+
+ DRAW_AREA_OUTLINE_WITH_LABEL(args, "packets", "DROP_PSCAN_TCP",
+ COLOR_TCP, STACKED, _("TCP"));
+ PRINT_CAMM(args, "packets", "DROP_PSCAN_TCP", PPS);
+
+ // Header
+ PRINT_HEADER4(args, _("Current"), _("Average"), _("Minimum"), _("Maximum"));
+
+ return 0;
+}
+
+const td_graph_impl legacy_port_scans_graph = {
+ .name = "LegacyPortScans",
+ .render = legacy_port_scans_render,
+ .title = legacy_port_scans_title,
+ .vlabel = td_graph_vlabel_pps,
+
+ // Flags
+ .flags = TELEMETRY_GRAPH_REVERSE,
+
+ // Limits
+ .lower_limit = 0,
+ .upper_limit = LONG_MAX,
+};
diff --git a/src/daemon/graphs/legacy-port-scans.h b/src/daemon/graphs/legacy-port-scans.h
new file mode 100644
index 0000000..4228d09
--- /dev/null
+++ b/src/daemon/graphs/legacy-port-scans.h
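Review bot: `DROP_PSCAN` is listed in `sources[]` and therefore demanded by `td_graph_require_sources()`, yet nothing in `legacy_port_scans_render()` draws or prints it, so the graph depends on a counter that never appears in the output (and, if the require call fails on a missing source, would refuse to render for no visible benefit); either remove the `"DROP_PSCAN",` entry or add an outline and `PRINT_CAMM` row for it as the total. The comment above the first `DRAW_AREA_BACKGROUND` call has a typo: `// Draw the area backgrounds`. `.upper_limit = LONG_MAX` requires `<limits.h>`; the system include at the top of the file is not readable in this rendering, so confirm that is the header being included rather than relying on a transitive include from `graph.h`.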
@@ -0,0 +1,28 @@
+/*#############################################################################
+# #
+# telemetryd - The IPFire Telemetry Collection Service #
+# Copyright (C) 2025 IPFire Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+#############################################################################*/
+
+#ifndef TELEMETRY_GRAPH_LEGACY_PORT_SCANS_H
+#define TELEMETRY_GRAPH_LEGACY_PORT_SCANS_H
+
+#include "../graph.h"
+
+extern const td_graph_impl legacy_port_scans_graph;
+
+#endif /* TELEMETRY_GRAPH_LEGACY_PORT_SCANS_H */
-- 2.47.3