sdiff udiff text old ( 156744 ) new ( 171172 )
1/* $OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $ */
2
3/*
4 * Copyright (c) 2001 Theo de Raadt
5 * Copyright (c) 2001 Can Erkin Acar
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions

--- 16 unchanged lines hidden (view full) ---

26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#include <sys/cdefs.h>
34__FBSDID("$FreeBSD: head/contrib/pf/pflogd/pflogd.c 171172 2007-07-03 12:30:03Z mlaier $");
35
36#include <sys/types.h>
37#include <sys/ioctl.h>
38#include <sys/file.h>
39#include <sys/stat.h>
40#include <stdio.h>
41#include <stdlib.h>
42#include <string.h>

--- 33 unchanged lines hidden (view full) ---

76
77char *copy_argv(char * const *);
78void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
79void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
80int flush_buffer(FILE *);
81int init_pcap(void);
82void logmsg(int, const char *, ...);
83void purge_buffer(void);
84int reset_dump(int);
85int scan_dump(FILE *, off_t);
86int set_snaplen(int);
87void set_suspended(int);
88void sig_alrm(int);
89void sig_close(int);
90void sig_hup(int);
91void usage(void);
92
93static int try_reset_dump(int);
94
95/* buffer must always be greater than snaplen */
96static int bufpkt = 0; /* number of packets in buffer */
97static int buflen = 0; /* allocated size of buffer */
98static char *buffer = NULL; /* packet buffer */
99static char *bufpos = NULL; /* position in buffer */
100static int bufleft = 0; /* bytes left in buffer */
101
102/* if error, stop logging but count dropped packets */
103static int suspended = -1;
104static long packets_dropped = 0;
105
106void
107set_suspended(int s)
108{
109 if (suspended == s)
110 return;
111
112 suspended = s;
113 setproctitle("[%s] -s %d -i %s -f %s",
114 suspended ? "suspended" : "running",
115 cur_snaplen, interface, filename);
116}
117
118char *
119copy_argv(char * const *argv)
120{
121 size_t len = 0, n;
122 char *buf;
123

--- 33 unchanged lines hidden (view full) ---

157
158#ifdef __FreeBSD__
159__dead2 void
160#else
161__dead void
162#endif
163usage(void)
164{
165 fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
166 fprintf(stderr, " [-i interface] [-s snaplen]\n");
167 fprintf(stderr, " [expression]\n");
168 exit(1);
169}
170
171void
172sig_close(int sig)
173{
174 gotsig_close = 1;
175}

--- 63 unchanged lines hidden (view full) ---

239 purge_buffer();
240
241 cur_snaplen = snap;
242
243 return (0);
244}
245
246int
247reset_dump(int nomove)
248{
249 int ret;
250
251 for (;;) {
252 ret = try_reset_dump(nomove);
253 if (ret <= 0)
254 break;
255 }
256
257 return (ret);
258}
259
260/*
261 * tries to (re)open log file, nomove flag is used with -x switch
262 * returns 0: success, 1: retry (log moved), -1: error
263 */
264int
265try_reset_dump(int nomove)
266{
267 struct pcap_file_header hdr;
268 struct stat st;
269 int fd;
270 FILE *fp;
271
272 if (hpcap == NULL)
273 return (-1);
274

--- 4 unchanged lines hidden (view full) ---

279 }
280
281 /*
282 * Basically reimplement pcap_dump_open() because it truncates
283 * files and duplicates headers and such.
284 */
285 fd = priv_open_log();
286 if (fd < 0)
287 return (-1);
288
289 fp = fdopen(fd, "a+");
290
291 if (fp == NULL) {
292 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
293 close(fd);
294 return (-1);
295 }
296 if (fstat(fileno(fp), &st) == -1) {
297 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
298 fclose(fp);
299 return (-1);
300 }
301
302 /* set FILE unbuffered, we do our own buffering */
303 if (setvbuf(fp, NULL, _IONBF, 0)) {
304 logmsg(LOG_ERR, "Failed to set output buffers");
305 fclose(fp);
306 return (-1);
307 }
308
309#define TCPDUMP_MAGIC 0xa1b2c3d4
310
311 if (st.st_size == 0) {
312 if (snaplen != cur_snaplen) {
313 logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
314 if (set_snaplen(snaplen))
315 logmsg(LOG_WARNING,
316 "Failed, using old settings");
317 }
318 hdr.magic = TCPDUMP_MAGIC;
319 hdr.version_major = PCAP_VERSION_MAJOR;
320 hdr.version_minor = PCAP_VERSION_MINOR;
321 hdr.thiszone = hpcap->tzoff;
322 hdr.snaplen = hpcap->snapshot;
323 hdr.sigfigs = 0;
324 hdr.linktype = hpcap->linktype;
325
326 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
327 fclose(fp);
328 return (-1);
329 }
330 } else if (scan_dump(fp, st.st_size)) {
331 fclose(fp);
332 if (nomove || priv_move_log()) {
333 logmsg(LOG_ERR,
334 "Invalid/incompatible log file, move it away");
335 return (-1);
336 }
337 return (1);
338 }
339
340 dpcap = fp;
341
342 set_suspended(0);
343 flush_buffer(fp);
344

--- 26 unchanged lines hidden (view full) ---

371 return (1);
372 }
373
374 if (hdr.magic != TCPDUMP_MAGIC ||
375 hdr.version_major != PCAP_VERSION_MAJOR ||
376 hdr.version_minor != PCAP_VERSION_MINOR ||
377 hdr.linktype != hpcap->linktype ||
378 hdr.snaplen > PFLOGD_MAXSNAPLEN) {
379 return (1);
380 }
381
382 pos = sizeof(hdr);
383
384 while (!feof(fp)) {
385 off_t len = fread((char *)&ph, 1, sizeof(ph), fp);
386 if (len == 0)

--- 194 unchanged lines hidden (view full) ---

581 const char *errstr = NULL;
582
583#ifdef __FreeBSD__
584 /* another ?paranoid? safety measure we do not have */
585#else
586 closefrom(STDERR_FILENO + 1);
587#endif
588
589 while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
590 switch (ch) {
591 case 'D':
592 Debug = 1;
593 break;
594 case 'd':
595 delay = strtonum(optarg, 5, 60*60, &errstr);
596 if (errstr)
597 usage();
598 break;
599 case 'f':
600 filename = optarg;
601 break;
602 case 'i':
603 interface = optarg;
604 break;
605 case 's':
606 snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
607 &errstr);
608 if (snaplen <= 0)
609 snaplen = DEF_SNAPLEN;
610 if (errstr)
611 snaplen = PFLOGD_MAXSNAPLEN;
612 break;

--- 56 unchanged lines hidden (view full) ---

669 logmsg(LOG_WARNING, "Failed to allocate output buffer");
670 phandler = dump_packet_nobuf;
671 } else {
672 bufleft = buflen = PFLOGD_BUFSIZE;
673 bufpos = buffer;
674 bufpkt = 0;
675 }
676
677 if (reset_dump(Xflag) < 0) {
678 if (Xflag)
679 return (1);
680
681 logmsg(LOG_ERR, "Logging suspended: open error");
682 set_suspended(1);
683 } else if (Xflag)
684 return (0);
685

--- 9 unchanged lines hidden (view full) ---

695 }
696#endif
697 logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
698 }
699
700 if (gotsig_close)
701 break;
702 if (gotsig_hup) {
703 if (reset_dump(0)) {
704 logmsg(LOG_ERR,
705 "Logging suspended: open error");
706 set_suspended(1);
707 }
708 gotsig_hup = 0;
709 }
710
711 if (gotsig_alrm) {
712 if (dpcap)
713 flush_buffer(dpcap);
714 else
715 gotsig_hup = 1;
716 gotsig_alrm = 0;
717 alarm(delay);
718 }
719 }
720
721 logmsg(LOG_NOTICE, "Exiting");
722 if (dpcap) {
723 flush_buffer(dpcap);

--- 16 unchanged lines hidden ---
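Review bot: On FreeBSD the `#ifdef __FreeBSD__` branch at the top of main() (file lines 583-587) closes nothing, so any descriptor the daemon inherits from its parent stays open for the whole run, whereas the other branch calls `closefrom(STDERR_FILENO + 1)`. The `priv_open_log()` and `priv_move_log()` calls suggest a privilege-separated design; if so, the inherited descriptors would presumably also reach the unprivileged side, which is what the OpenBSD call guards against. A fallback that needs no `closefrom()` is a loop placed before the `getopt()` loop, `for (fd = STDERR_FILENO + 1; fd < getdtablesize(); fd++)` with `(void)close(fd);` as its body and `fd` declared among main()'s locals. The start of main() is in the hidden lines, and this rendering does not show which lines the revision changed, so the branch may predate it.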