pflogd.c revision 171172 
1/*	$OpenBSD: pflogd.c,v 1.37 2006/10/26 13:34:47 jmc Exp $	*/
2
3/*
4 * Copyright (c) 2001 Theo de Raadt
5 * Copyright (c) 2001 Can Erkin Acar
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 *    - Redistributions of source code must retain the above copyright
13 *      notice, this list of conditions and the following disclaimer.
14 *    - Redistributions in binary form must reproduce the above
15 *      copyright notice, this list of conditions and the following
16 *      disclaimer in the documentation and/or other materials provided
17 *      with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#include <sys/cdefs.h>
34__FBSDID("$FreeBSD: head/contrib/pf/pflogd/pflogd.c 171172 2007-07-03 12:30:03Z mlaier $");
35
36#include <sys/types.h>
37#include <sys/ioctl.h>
38#include <sys/file.h>
39#include <sys/stat.h>
40#include <stdio.h>
41#include <stdlib.h>
42#include <string.h>
43#include <unistd.h>
44#include <pcap-int.h>
45#include <pcap.h>
46#include <syslog.h>
47#include <signal.h>
48#include <errno.h>
49#include <stdarg.h>
50#include <fcntl.h>
51#ifdef __FreeBSD__
52#include "pidfile.h"
53#else
54#include <util.h>
55#endif
56
57#include "pflogd.h"
58
59pcap_t *hpcap;
60static FILE *dpcap;
61
62int Debug = 0;
63static int snaplen = DEF_SNAPLEN;
64static int cur_snaplen = DEF_SNAPLEN;
65
66volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
67
68char *filename = PFLOGD_LOG_FILE;
69char *interface = PFLOGD_DEFAULT_IF;
70char *filter = NULL;
71
72char errbuf[PCAP_ERRBUF_SIZE];
73
74int log_debug = 0;
75unsigned int delay = FLUSH_DELAY;
76
77char *copy_argv(char * const *);
78void  dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
79void  dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
80int   flush_buffer(FILE *);
81int   init_pcap(void);
82void  logmsg(int, const char *, ...);
83void  purge_buffer(void);
84int   reset_dump(int);
85int   scan_dump(FILE *, off_t);
86int   set_snaplen(int);
87void  set_suspended(int);
88void  sig_alrm(int);
89void  sig_close(int);
90void  sig_hup(int);
91void  usage(void);
92
93static int try_reset_dump(int);
94
95/* buffer must always be greater than snaplen */
96static int    bufpkt = 0;	/* number of packets in buffer */
97static int    buflen = 0;	/* allocated size of buffer */
98static char  *buffer = NULL;	/* packet buffer */
99static char  *bufpos = NULL;	/* position in buffer */
100static int    bufleft = 0;	/* bytes left in buffer */
101
102/* if error, stop logging but count dropped packets */
103static int suspended = -1;
104static long packets_dropped = 0;
105
106void
107set_suspended(int s)
108{
109	if (suspended == s)
110		return;
111
112	suspended = s;
113	setproctitle("[%s] -s %d -i %s -f %s",
114	    suspended ? "suspended" : "running",
115	    cur_snaplen, interface, filename);
116}
117
118char *
119copy_argv(char * const *argv)
120{
121	size_t len = 0, n;
122	char *buf;
123
124	if (argv == NULL)
125		return (NULL);
126
127	for (n = 0; argv[n]; n++)
128		len += strlen(argv[n])+1;
129	if (len == 0)
130		return (NULL);
131
132	buf = malloc(len);
133	if (buf == NULL)
134		return (NULL);
135
136	strlcpy(buf, argv[0], len);
137	for (n = 1; argv[n]; n++) {
138		strlcat(buf, " ", len);
139		strlcat(buf, argv[n], len);
140	}
141	return (buf);
142}
143
144void
145logmsg(int pri, const char *message, ...)
146{
147	va_list ap;
148	va_start(ap, message);
149
150	if (log_debug) {
151		vfprintf(stderr, message, ap);
152		fprintf(stderr, "\n");
153	} else
154		vsyslog(pri, message, ap);
155	va_end(ap);
156}
157
158#ifdef __FreeBSD__
159__dead2 void
160#else
161__dead void
162#endif
163usage(void)
164{
165	fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
166	fprintf(stderr, " [-i interface] [-s snaplen]\n");
167	fprintf(stderr, "              [expression]\n");
168	exit(1);
169}
170
171void
172sig_close(int sig)
173{
174	gotsig_close = 1;
175}
176
177void
178sig_hup(int sig)
179{
180	gotsig_hup = 1;
181}
182
183void
184sig_alrm(int sig)
185{
186	gotsig_alrm = 1;
187}
188
189void
190set_pcap_filter(void)
191{
192	struct bpf_program bprog;
193
194	if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0)
195		logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
196	else {
197		if (pcap_setfilter(hpcap, &bprog) < 0)
198			logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
199		pcap_freecode(&bprog);
200	}
201}
202
203int
204init_pcap(void)
205{
206	hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
207	if (hpcap == NULL) {
208		logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
209		return (-1);
210	}
211
212	if (pcap_datalink(hpcap) != DLT_PFLOG) {
213		logmsg(LOG_ERR, "Invalid datalink type");
214		pcap_close(hpcap);
215		hpcap = NULL;
216		return (-1);
217	}
218
219	set_pcap_filter();
220
221	cur_snaplen = snaplen = pcap_snapshot(hpcap);
222
223	/* lock */
224	if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
225		logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
226		return (-1);
227	}
228
229	return (0);
230}
231
232int
233set_snaplen(int snap)
234{
235	if (priv_set_snaplen(snap))
236		return (1);
237
238	if (cur_snaplen > snap)
239		purge_buffer();
240
241	cur_snaplen = snap;
242
243	return (0);
244}
245
246int
247reset_dump(int nomove)
248{
249	int ret;
250
251	for (;;) {
252		ret = try_reset_dump(nomove);
253		if (ret <= 0)
254			break;
255	}
256
257	return (ret);
258}
259
260/*
261 * tries to (re)open log file, nomove flag is used with -x switch
262 * returns 0: success, 1: retry (log moved), -1: error
263 */
264int
265try_reset_dump(int nomove)
266{
267	struct pcap_file_header hdr;
268	struct stat st;
269	int fd;
270	FILE *fp;
271
272	if (hpcap == NULL)
273		return (-1);
274
275	if (dpcap) {
276		flush_buffer(dpcap);
277		fclose(dpcap);
278		dpcap = NULL;
279	}
280
281	/*
282	 * Basically reimplement pcap_dump_open() because it truncates
283	 * files and duplicates headers and such.
284	 */
285	fd = priv_open_log();
286	if (fd < 0)
287		return (-1);
288
289	fp = fdopen(fd, "a+");
290
291	if (fp == NULL) {
292		logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
293		close(fd);
294		return (-1);
295	}
296	if (fstat(fileno(fp), &st) == -1) {
297		logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
298		fclose(fp);
299		return (-1);
300	}
301
302	/* set FILE unbuffered, we do our own buffering */
303	if (setvbuf(fp, NULL, _IONBF, 0)) {
304		logmsg(LOG_ERR, "Failed to set output buffers");
305		fclose(fp);
306		return (-1);
307	}
308
309#define TCPDUMP_MAGIC 0xa1b2c3d4
310
311	if (st.st_size == 0) {
312		if (snaplen != cur_snaplen) {
313			logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
314			if (set_snaplen(snaplen))
315				logmsg(LOG_WARNING,
316				    "Failed, using old settings");
317		}
318		hdr.magic = TCPDUMP_MAGIC;
319		hdr.version_major = PCAP_VERSION_MAJOR;
320		hdr.version_minor = PCAP_VERSION_MINOR;
321		hdr.thiszone = hpcap->tzoff;
322		hdr.snaplen = hpcap->snapshot;
323		hdr.sigfigs = 0;
324		hdr.linktype = hpcap->linktype;
325
326		if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
327			fclose(fp);
328			return (-1);
329		}
330	} else if (scan_dump(fp, st.st_size)) {
331		fclose(fp);
332		if (nomove || priv_move_log()) {
333			logmsg(LOG_ERR,
334			    "Invalid/incompatible log file, move it away");
335			return (-1);
336		}
337		return (1);
338	}
339
340	dpcap = fp;
341
342	set_suspended(0);
343	flush_buffer(fp);
344
345	return (0);
346}
347
348int
349scan_dump(FILE *fp, off_t size)
350{
351	struct pcap_file_header hdr;
352#ifdef __FreeBSD__
353	struct pcap_sf_pkthdr ph;
354#else
355	struct pcap_pkthdr ph;
356#endif
357	off_t pos;
358
359	/*
360	 * Must read the file, compare the header against our new
361	 * options (in particular, snaplen) and adjust our options so
362	 * that we generate a correct file. Furthermore, check the file
363	 * for consistency so that we can append safely.
364	 *
365	 * XXX this may take a long time for large logs.
366	 */
367	(void) fseek(fp, 0L, SEEK_SET);
368
369	if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
370		logmsg(LOG_ERR, "Short file header");
371		return (1);
372	}
373
374	if (hdr.magic != TCPDUMP_MAGIC ||
375	    hdr.version_major != PCAP_VERSION_MAJOR ||
376	    hdr.version_minor != PCAP_VERSION_MINOR ||
377	    hdr.linktype != hpcap->linktype ||
378	    hdr.snaplen > PFLOGD_MAXSNAPLEN) {
379		return (1);
380	}
381
382	pos = sizeof(hdr);
383
384	while (!feof(fp)) {
385		off_t len = fread((char *)&ph, 1, sizeof(ph), fp);
386		if (len == 0)
387			break;
388
389		if (len != sizeof(ph))
390			goto error;
391		if (ph.caplen > hdr.snaplen || ph.caplen > PFLOGD_MAXSNAPLEN)
392			goto error;
393		pos += sizeof(ph) + ph.caplen;
394		if (pos > size)
395			goto error;
396		fseek(fp, ph.caplen, SEEK_CUR);
397	}
398
399	if (pos != size)
400		goto error;
401
402	if (hdr.snaplen != cur_snaplen) {
403		logmsg(LOG_WARNING,
404		       "Existing file has different snaplen %u, using it",
405		       hdr.snaplen);
406		if (set_snaplen(hdr.snaplen)) {
407			logmsg(LOG_WARNING,
408			       "Failed, using old settings, offset %llu",
409			       (unsigned long long) size);
410		}
411	}
412
413	return (0);
414
415 error:
416	logmsg(LOG_ERR, "Corrupted log file.");
417	return (1);
418}
419
420/* dump a packet directly to the stream, which is unbuffered */
421void
422dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
423{
424	FILE *f = (FILE *)user;
425#ifdef __FreeBSD__
426	struct pcap_sf_pkthdr sh;
427#endif
428
429	if (suspended) {
430		packets_dropped++;
431		return;
432	}
433
434#ifdef __FreeBSD__
435	sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
436	sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
437	sh.caplen = h->caplen;
438	sh.len = h->len;
439
440	if (fwrite((char *)&sh, sizeof(sh), 1, f) != 1) {
441#else
442	if (fwrite((char *)h, sizeof(*h), 1, f) != 1) {
443#endif
444		off_t pos = ftello(f);
445
446		/* try to undo header to prevent corruption */
447#ifdef __FreeBSD__
448		if (pos < sizeof(sh) ||
449		    ftruncate(fileno(f), pos - sizeof(sh))) {
450#else
451		if (pos < sizeof(*h) ||
452		    ftruncate(fileno(f), pos - sizeof(*h))) {
453#endif
454			logmsg(LOG_ERR, "Write failed, corrupted logfile!");
455			set_suspended(1);
456			gotsig_close = 1;
457			return;
458		}
459		goto error;
460	}
461
462	if (fwrite((char *)sp, h->caplen, 1, f) != 1)
463		goto error;
464
465	return;
466
467error:
468	set_suspended(1);
469	packets_dropped ++;
470	logmsg(LOG_ERR, "Logging suspended: fwrite: %s", strerror(errno));
471}
472
473int
474flush_buffer(FILE *f)
475{
476	off_t offset;
477	int len = bufpos - buffer;
478
479	if (len <= 0)
480		return (0);
481
482	offset = ftello(f);
483	if (offset == (off_t)-1) {
484		set_suspended(1);
485		logmsg(LOG_ERR, "Logging suspended: ftello: %s",
486		    strerror(errno));
487		return (1);
488	}
489
490	if (fwrite(buffer, len, 1, f) != 1) {
491		set_suspended(1);
492		logmsg(LOG_ERR, "Logging suspended: fwrite: %s",
493		    strerror(errno));
494		ftruncate(fileno(f), offset);
495		return (1);
496	}
497
498	set_suspended(0);
499	bufpos = buffer;
500	bufleft = buflen;
501	bufpkt = 0;
502
503	return (0);
504}
505
506void
507purge_buffer(void)
508{
509	packets_dropped += bufpkt;
510
511	set_suspended(0);
512	bufpos = buffer;
513	bufleft = buflen;
514	bufpkt = 0;
515}
516
517/* append packet to the buffer, flushing if necessary */
518void
519dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
520{
521	FILE *f = (FILE *)user;
522#ifdef __FreeBSD__
523	struct pcap_sf_pkthdr sh;
524	size_t len = sizeof(sh) + h->caplen;
525#else
526	size_t len = sizeof(*h) + h->caplen;
527#endif
528
529	if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) {
530		logmsg(LOG_NOTICE, "invalid size %u (%u/%u), packet dropped",
531		       len, cur_snaplen, snaplen);
532		packets_dropped++;
533		return;
534	}
535
536	if (len <= bufleft)
537		goto append;
538
539	if (suspended) {
540		packets_dropped++;
541		return;
542	}
543
544	if (flush_buffer(f)) {
545		packets_dropped++;
546		return;
547	}
548
549	if (len > bufleft) {
550		dump_packet_nobuf(user, h, sp);
551		return;
552	}
553
554 append:
555#ifdef __FreeBSD__
556 	sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
557 	sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
558	sh.caplen = h->caplen;
559	sh.len = h->len;
560
561	memcpy(bufpos, &sh, sizeof(sh));
562	memcpy(bufpos + sizeof(sh), sp, h->caplen);
563#else
564	memcpy(bufpos, h, sizeof(*h));
565	memcpy(bufpos + sizeof(*h), sp, h->caplen);
566#endif
567
568	bufpos += len;
569	bufleft -= len;
570	bufpkt++;
571
572	return;
573}
574
575int
576main(int argc, char **argv)
577{
578	struct pcap_stat pstat;
579	int ch, np, Xflag = 0;
580	pcap_handler phandler = dump_packet;
581	const char *errstr = NULL;
582
583#ifdef __FreeBSD__
584	/* another ?paranoid? safety measure we do not have */
585#else
586	closefrom(STDERR_FILENO + 1);
587#endif
588
589	while ((ch = getopt(argc, argv, "Dxd:f:i:s:")) != -1) {
590		switch (ch) {
591		case 'D':
592			Debug = 1;
593			break;
594		case 'd':
595			delay = strtonum(optarg, 5, 60*60, &errstr);
596			if (errstr)
597				usage();
598			break;
599		case 'f':
600			filename = optarg;
601			break;
602		case 'i':
603			interface = optarg;
604			break;
605		case 's':
606			snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
607			    &errstr);
608			if (snaplen <= 0)
609				snaplen = DEF_SNAPLEN;
610			if (errstr)
611				snaplen = PFLOGD_MAXSNAPLEN;
612			break;
613		case 'x':
614			Xflag++;
615			break;
616		default:
617			usage();
618		}
619
620	}
621
622	log_debug = Debug;
623	argc -= optind;
624	argv += optind;
625
626	if (!Debug) {
627		openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
628		if (daemon(0, 0)) {
629			logmsg(LOG_WARNING, "Failed to become daemon: %s",
630			    strerror(errno));
631		}
632		pidfile(NULL);
633	}
634
635	tzset();
636	(void)umask(S_IRWXG | S_IRWXO);
637
638	/* filter will be used by the privileged process */
639	if (argc) {
640		filter = copy_argv(argv);
641		if (filter == NULL)
642			logmsg(LOG_NOTICE, "Failed to form filter expression");
643	}
644
645	/* initialize pcap before dropping privileges */
646	if (init_pcap()) {
647		logmsg(LOG_ERR, "Exiting, init failure");
648		exit(1);
649	}
650
651	/* Privilege separation begins here */
652	if (priv_init()) {
653		logmsg(LOG_ERR, "unable to privsep");
654		exit(1);
655	}
656
657	setproctitle("[initializing]");
658	/* Process is now unprivileged and inside a chroot */
659	signal(SIGTERM, sig_close);
660	signal(SIGINT, sig_close);
661	signal(SIGQUIT, sig_close);
662	signal(SIGALRM, sig_alrm);
663	signal(SIGHUP, sig_hup);
664	alarm(delay);
665
666	buffer = malloc(PFLOGD_BUFSIZE);
667
668	if (buffer == NULL) {
669		logmsg(LOG_WARNING, "Failed to allocate output buffer");
670		phandler = dump_packet_nobuf;
671	} else {
672		bufleft = buflen = PFLOGD_BUFSIZE;
673		bufpos = buffer;
674		bufpkt = 0;
675	}
676
677	if (reset_dump(Xflag) < 0) {
678		if (Xflag)
679			return (1);
680
681		logmsg(LOG_ERR, "Logging suspended: open error");
682		set_suspended(1);
683	} else if (Xflag)
684		return (0);
685
686	while (1) {
687		np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
688		    phandler, (u_char *)dpcap);
689		if (np < 0) {
690#ifdef __FreeBSD__
691			if (errno == ENXIO) {
692				logmsg(LOG_ERR,
693				    "Device not/no longer configured");
694				break;
695			}
696#endif
697			logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
698		}
699
700		if (gotsig_close)
701			break;
702		if (gotsig_hup) {
703			if (reset_dump(0)) {
704				logmsg(LOG_ERR,
705				    "Logging suspended: open error");
706				set_suspended(1);
707			}
708			gotsig_hup = 0;
709		}
710
711		if (gotsig_alrm) {
712			if (dpcap)
713				flush_buffer(dpcap);
714			else
715				gotsig_hup = 1;
716			gotsig_alrm = 0;
717			alarm(delay);
718		}
719	}
720
721	logmsg(LOG_NOTICE, "Exiting");
722	if (dpcap) {
723		flush_buffer(dpcap);
724		fclose(dpcap);
725	}
726	purge_buffer();
727
728	if (pcap_stats(hpcap, &pstat) < 0)
729		logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
730	else
731		logmsg(LOG_NOTICE,
732		    "%u packets received, %u/%u dropped (kernel/pflogd)",
733		    pstat.ps_recv, pstat.ps_drop, packets_dropped);
734
735	pcap_close(hpcap);
736	if (!Debug)
737		closelog();
738	return (0);
739}
740