pflogd.c revision 145840
1/* $OpenBSD: pflogd.c,v 1.33 2005/02/09 12:09:30 henning Exp $ */ 2 3/* 4 * Copyright (c) 2001 Theo de Raadt 5 * Copyright (c) 2001 Can Erkin Acar 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * - Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * - Redistributions in binary form must reproduce the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer in the documentation and/or other materials provided 17 * with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/contrib/pf/pflogd/pflogd.c 145840 2005-05-03 16:55:20Z mlaier $"); 35 36#include <sys/types.h> 37#include <sys/ioctl.h> 38#include <sys/file.h> 39#include <sys/stat.h> 40#include <stdio.h> 41#include <stdlib.h> 42#include <string.h> 43#include <unistd.h> 44#include <pcap-int.h> 45#include <pcap.h> 46#include <syslog.h> 47#include <signal.h> 48#include <errno.h> 49#include <stdarg.h> 50#include <fcntl.h> 51#ifdef __FreeBSD__ 52#include "pidfile.h" 53#else 54#include <util.h> 55#endif 56 57#include "pflogd.h" 58 59pcap_t *hpcap; 60static FILE *dpcap; 61 62int Debug = 0; 63static int snaplen = DEF_SNAPLEN; 64static int cur_snaplen = DEF_SNAPLEN; 65 66volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup; 67 68char *filename = PFLOGD_LOG_FILE; 69char *interface = PFLOGD_DEFAULT_IF; 70char *filter = NULL; 71 72char errbuf[PCAP_ERRBUF_SIZE]; 73 74int log_debug = 0; 75unsigned int delay = FLUSH_DELAY; 76 77char *copy_argv(char * const *); 78void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 79void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *); 80int flush_buffer(FILE *); 81int init_pcap(void); 82void logmsg(int, const char *, ...); 83void purge_buffer(void); 84int reset_dump(void); 85int scan_dump(FILE *, off_t); 86int set_snaplen(int); 87void set_suspended(int); 88void sig_alrm(int); 89void sig_close(int); 90void sig_hup(int); 91void usage(void); 92 93/* buffer must always be greater than snaplen */ 94static int bufpkt = 0; /* number of packets in buffer */ 95static int buflen = 0; /* allocated size of buffer */ 96static char *buffer = NULL; /* packet buffer */ 97static char *bufpos = NULL; /* position in buffer */ 98static int bufleft = 0; /* bytes left in buffer */ 99 100/* if error, stop logging but count dropped packets */ 101static int suspended = -1; 102static long packets_dropped = 0; 103 104void 105set_suspended(int s) 106{ 107 if (suspended == s) 108 return; 109 110 suspended = s; 111 setproctitle("[%s] -s %d -f %s", 112 suspended ? "suspended" : "running", cur_snaplen, filename); 113} 114 115char * 116copy_argv(char * const *argv) 117{ 118 size_t len = 0, n; 119 char *buf; 120 121 if (argv == NULL) 122 return (NULL); 123 124 for (n = 0; argv[n]; n++) 125 len += strlen(argv[n])+1; 126 if (len == 0) 127 return (NULL); 128 129 buf = malloc(len); 130 if (buf == NULL) 131 return (NULL); 132 133 strlcpy(buf, argv[0], len); 134 for (n = 1; argv[n]; n++) { 135 strlcat(buf, " ", len); 136 strlcat(buf, argv[n], len); 137 } 138 return (buf); 139} 140 141void 142logmsg(int pri, const char *message, ...) 143{ 144 va_list ap; 145 va_start(ap, message); 146 147 if (log_debug) { 148 vfprintf(stderr, message, ap); 149 fprintf(stderr, "\n"); 150 } else 151 vsyslog(pri, message, ap); 152 va_end(ap); 153} 154 155#ifdef __FreeBSD__ 156__dead2 void 157#else 158__dead void 159#endif 160usage(void) 161{ 162 fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename] "); 163 fprintf(stderr, "[-s snaplen] [expression]\n"); 164 exit(1); 165} 166 167void 168sig_close(int sig) 169{ 170 gotsig_close = 1; 171} 172 173void 174sig_hup(int sig) 175{ 176 gotsig_hup = 1; 177} 178 179void 180sig_alrm(int sig) 181{ 182 gotsig_alrm = 1; 183} 184 185void 186set_pcap_filter(void) 187{ 188 struct bpf_program bprog; 189 190 if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0) 191 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap)); 192 else { 193 if (pcap_setfilter(hpcap, &bprog) < 0) 194 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap)); 195 pcap_freecode(&bprog); 196 } 197} 198 199int 200init_pcap(void) 201{ 202 hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf); 203 if (hpcap == NULL) { 204 logmsg(LOG_ERR, "Failed to initialize: %s", errbuf); 205 return (-1); 206 } 207 208 if (pcap_datalink(hpcap) != DLT_PFLOG) { 209 logmsg(LOG_ERR, "Invalid datalink type"); 210 pcap_close(hpcap); 211 hpcap = NULL; 212 return (-1); 213 } 214 215 set_pcap_filter(); 216 217 cur_snaplen = snaplen = pcap_snapshot(hpcap); 218 219#ifdef __FreeBSD__ 220 /* We can not lock bpf devices ... yet */ 221#else 222 /* lock */ 223 if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) { 224 logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno)); 225 return (-1); 226 } 227#endif 228 229 return (0); 230} 231 232int 233set_snaplen(int snap) 234{ 235 if (priv_set_snaplen(snap)) 236 return (1); 237 238 if (cur_snaplen > snap) 239 purge_buffer(); 240 241 cur_snaplen = snap; 242 243 return (0); 244} 245 246int 247reset_dump(void) 248{ 249 struct pcap_file_header hdr; 250 struct stat st; 251 int fd; 252 FILE *fp; 253 254 if (hpcap == NULL) 255 return (-1); 256 257 if (dpcap) { 258 flush_buffer(dpcap); 259 fclose(dpcap); 260 dpcap = NULL; 261 } 262 263 /* 264 * Basically reimplement pcap_dump_open() because it truncates 265 * files and duplicates headers and such. 266 */ 267 fd = priv_open_log(); 268 if (fd < 0) 269 return (1); 270 271 fp = fdopen(fd, "a+"); 272 273 if (fp == NULL) { 274 close(fd); 275 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno)); 276 return (1); 277 } 278 if (fstat(fileno(fp), &st) == -1) { 279 fclose(fp); 280 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno)); 281 return (1); 282 } 283 284 /* set FILE unbuffered, we do our own buffering */ 285 if (setvbuf(fp, NULL, _IONBF, 0)) { 286 fclose(fp); 287 logmsg(LOG_ERR, "Failed to set output buffers"); 288 return (1); 289 } 290 291#define TCPDUMP_MAGIC 0xa1b2c3d4 292 293 if (st.st_size == 0) { 294 if (snaplen != cur_snaplen) { 295 logmsg(LOG_NOTICE, "Using snaplen %d", snaplen); 296 if (set_snaplen(snaplen)) { 297 fclose(fp); 298 logmsg(LOG_WARNING, 299 "Failed, using old settings"); 300 } 301 } 302 hdr.magic = TCPDUMP_MAGIC; 303 hdr.version_major = PCAP_VERSION_MAJOR; 304 hdr.version_minor = PCAP_VERSION_MINOR; 305 hdr.thiszone = hpcap->tzoff; 306 hdr.snaplen = hpcap->snapshot; 307 hdr.sigfigs = 0; 308 hdr.linktype = hpcap->linktype; 309 310 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) { 311 fclose(fp); 312 return (1); 313 } 314 } else if (scan_dump(fp, st.st_size)) { 315 /* XXX move file and continue? */ 316 fclose(fp); 317 return (1); 318 } 319 320 dpcap = fp; 321 322 set_suspended(0); 323 flush_buffer(fp); 324 325 return (0); 326} 327 328int 329scan_dump(FILE *fp, off_t size) 330{ 331 struct pcap_file_header hdr; 332#ifdef __FreeBSD__ 333 struct pcap_sf_pkthdr ph; 334#else 335 struct pcap_pkthdr ph; 336#endif 337 off_t pos; 338 339 /* 340 * Must read the file, compare the header against our new 341 * options (in particular, snaplen) and adjust our options so 342 * that we generate a correct file. Furthermore, check the file 343 * for consistency so that we can append safely. 344 * 345 * XXX this may take a long time for large logs. 346 */ 347 (void) fseek(fp, 0L, SEEK_SET); 348 349 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) { 350 logmsg(LOG_ERR, "Short file header"); 351 return (1); 352 } 353 354 if (hdr.magic != TCPDUMP_MAGIC || 355 hdr.version_major != PCAP_VERSION_MAJOR || 356 hdr.version_minor != PCAP_VERSION_MINOR || 357 hdr.linktype != hpcap->linktype || 358 hdr.snaplen > PFLOGD_MAXSNAPLEN) { 359 logmsg(LOG_ERR, "Invalid/incompatible log file, move it away"); 360 return (1); 361 } 362 363 pos = sizeof(hdr); 364 365 while (!feof(fp)) { 366 off_t len = fread((char *)&ph, 1, sizeof(ph), fp); 367 if (len == 0) 368 break; 369 370 if (len != sizeof(ph)) 371 goto error; 372 if (ph.caplen > hdr.snaplen || ph.caplen > PFLOGD_MAXSNAPLEN) 373 goto error; 374 pos += sizeof(ph) + ph.caplen; 375 if (pos > size) 376 goto error; 377 fseek(fp, ph.caplen, SEEK_CUR); 378 } 379 380 if (pos != size) 381 goto error; 382 383 if (hdr.snaplen != cur_snaplen) { 384 logmsg(LOG_WARNING, 385 "Existing file has different snaplen %u, using it", 386 hdr.snaplen); 387 if (set_snaplen(hdr.snaplen)) { 388 logmsg(LOG_WARNING, 389 "Failed, using old settings, offset %llu", 390 (unsigned long long) size); 391 } 392 } 393 394 return (0); 395 396 error: 397 logmsg(LOG_ERR, "Corrupted log file."); 398 return (1); 399} 400 401/* dump a packet directly to the stream, which is unbuffered */ 402void 403dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 404{ 405 FILE *f = (FILE *)user; 406#ifdef __FreeBSD__ 407 struct pcap_sf_pkthdr sh; 408#endif 409 410 if (suspended) { 411 packets_dropped++; 412 return; 413 } 414 415#ifdef __FreeBSD__ 416 sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec; 417 sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec; 418 sh.caplen = h->caplen; 419 sh.len = h->len; 420 421 if (fwrite((char *)&sh, sizeof(sh), 1, f) != 1) { 422#else 423 if (fwrite((char *)h, sizeof(*h), 1, f) != 1) { 424#endif 425 off_t pos = ftello(f); 426 427 /* try to undo header to prevent corruption */ 428#ifdef __FreeBSD__ 429 if (pos < sizeof(sh) || 430 ftruncate(fileno(f), pos - sizeof(sh))) { 431#else 432 if (pos < sizeof(*h) || 433 ftruncate(fileno(f), pos - sizeof(*h))) { 434#endif 435 logmsg(LOG_ERR, "Write failed, corrupted logfile!"); 436 set_suspended(1); 437 gotsig_close = 1; 438 return; 439 } 440 goto error; 441 } 442 443 if (fwrite((char *)sp, h->caplen, 1, f) != 1) 444 goto error; 445 446 return; 447 448error: 449 set_suspended(1); 450 packets_dropped ++; 451 logmsg(LOG_ERR, "Logging suspended: fwrite: %s", strerror(errno)); 452} 453 454int 455flush_buffer(FILE *f) 456{ 457 off_t offset; 458 int len = bufpos - buffer; 459 460 if (len <= 0) 461 return (0); 462 463 offset = ftello(f); 464 if (offset == (off_t)-1) { 465 set_suspended(1); 466 logmsg(LOG_ERR, "Logging suspended: ftello: %s", 467 strerror(errno)); 468 return (1); 469 } 470 471 if (fwrite(buffer, len, 1, f) != 1) { 472 set_suspended(1); 473 logmsg(LOG_ERR, "Logging suspended: fwrite: %s", 474 strerror(errno)); 475 ftruncate(fileno(f), offset); 476 return (1); 477 } 478 479 set_suspended(0); 480 bufpos = buffer; 481 bufleft = buflen; 482 bufpkt = 0; 483 484 return (0); 485} 486 487void 488purge_buffer(void) 489{ 490 packets_dropped += bufpkt; 491 492 set_suspended(0); 493 bufpos = buffer; 494 bufleft = buflen; 495 bufpkt = 0; 496} 497 498/* append packet to the buffer, flushing if necessary */ 499void 500dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 501{ 502 FILE *f = (FILE *)user; 503#ifdef __FreeBSD__ 504 struct pcap_sf_pkthdr sh; 505 size_t len = sizeof(sh) + h->caplen; 506#else 507 size_t len = sizeof(*h) + h->caplen; 508#endif 509 510 if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) { 511 logmsg(LOG_NOTICE, "invalid size %u (%u/%u), packet dropped", 512 len, cur_snaplen, snaplen); 513 packets_dropped++; 514 return; 515 } 516 517 if (len <= bufleft) 518 goto append; 519 520 if (suspended) { 521 packets_dropped++; 522 return; 523 } 524 525 if (flush_buffer(f)) { 526 packets_dropped++; 527 return; 528 } 529 530 if (len > bufleft) { 531 dump_packet_nobuf(user, h, sp); 532 return; 533 } 534 535 append: 536#ifdef __FreeBSD__ 537 sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec; 538 sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec; 539 sh.caplen = h->caplen; 540 sh.len = h->len; 541 542 memcpy(bufpos, &sh, sizeof(sh)); 543 memcpy(bufpos + sizeof(sh), sp, h->caplen); 544#else 545 memcpy(bufpos, h, sizeof(*h)); 546 memcpy(bufpos + sizeof(*h), sp, h->caplen); 547#endif 548 549 bufpos += len; 550 bufleft -= len; 551 bufpkt++; 552 553 return; 554} 555 556int 557main(int argc, char **argv) 558{ 559 struct pcap_stat pstat; 560 int ch, np, Xflag = 0; 561 pcap_handler phandler = dump_packet; 562 char *errstr = NULL; 563 564#ifdef __FreeBSD__ 565 /* another ?paranoid? safety measure we do not have */ 566#else 567 closefrom(STDERR_FILENO + 1); 568#endif 569 570 while ((ch = getopt(argc, argv, "Dxd:s:f:")) != -1) { 571 switch (ch) { 572 case 'D': 573 Debug = 1; 574 break; 575 case 'd': 576#ifdef __OpenBSD__ 577 delay = strtonum(optarg, 5, 60*60, &errstr); 578 if (errstr) 579#else 580 delay = strtol(optarg, &errstr, 10); 581 if ((delay < 5) || (delay > 60*60) || 582 ((errstr != NULL) && (*errstr != '\0'))) 583#endif 584 usage(); 585 break; 586 case 'f': 587 filename = optarg; 588 break; 589 case 's': 590#ifdef __OpenBSD__ 591 snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN, 592 &errstr); 593 if (snaplen <= 0) 594 snaplen = DEF_SNAPLEN; 595 if (errstr) 596 snaplen = PFLOGD_MAXSNAPLEN; 597#else 598 snaplen = strtol(optarg, &errstr, 10); 599 if (snaplen <= 0) 600 snaplen = DEF_SNAPLEN; 601 if ((snaplen > PFLOGD_MAXSNAPLEN) || 602 ((errstr != NULL) && (*errstr != '\0'))) 603 snaplen = PFLOGD_MAXSNAPLEN; 604#endif 605 break; 606 case 'x': 607 Xflag++; 608 break; 609 default: 610 usage(); 611 } 612 613 } 614 615 log_debug = Debug; 616 argc -= optind; 617 argv += optind; 618 619 if (!Debug) { 620 openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON); 621 if (daemon(0, 0)) { 622 logmsg(LOG_WARNING, "Failed to become daemon: %s", 623 strerror(errno)); 624 } 625 pidfile(NULL); 626 } 627 628 tzset(); 629 (void)umask(S_IRWXG | S_IRWXO); 630 631 /* filter will be used by the privileged process */ 632 if (argc) { 633 filter = copy_argv(argv); 634 if (filter == NULL) 635 logmsg(LOG_NOTICE, "Failed to form filter expression"); 636 } 637 638 /* initialize pcap before dropping privileges */ 639 if (init_pcap()) { 640 logmsg(LOG_ERR, "Exiting, init failure"); 641 exit(1); 642 } 643 644 /* Privilege separation begins here */ 645 if (priv_init()) { 646 logmsg(LOG_ERR, "unable to privsep"); 647 exit(1); 648 } 649 650 setproctitle("[initializing]"); 651 /* Process is now unprivileged and inside a chroot */ 652 signal(SIGTERM, sig_close); 653 signal(SIGINT, sig_close); 654 signal(SIGQUIT, sig_close); 655 signal(SIGALRM, sig_alrm); 656 signal(SIGHUP, sig_hup); 657 alarm(delay); 658 659 buffer = malloc(PFLOGD_BUFSIZE); 660 661 if (buffer == NULL) { 662 logmsg(LOG_WARNING, "Failed to allocate output buffer"); 663 phandler = dump_packet_nobuf; 664 } else { 665 bufleft = buflen = PFLOGD_BUFSIZE; 666 bufpos = buffer; 667 bufpkt = 0; 668 } 669 670 if (reset_dump()) { 671 if (Xflag) 672 return (1); 673 674 logmsg(LOG_ERR, "Logging suspended: open error"); 675 set_suspended(1); 676 } else if (Xflag) 677 return (0); 678 679 while (1) { 680 np = pcap_dispatch(hpcap, PCAP_NUM_PKTS, 681 phandler, (u_char *)dpcap); 682 if (np < 0) { 683#ifdef __FreeBSD__ 684 if (errno == ENXIO) { 685 logmsg(LOG_ERR, 686 "Device not/no longer configured"); 687 break; 688 } 689#endif 690 logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap)); 691 } 692 693 if (gotsig_close) 694 break; 695 if (gotsig_hup) { 696 if (reset_dump()) { 697 logmsg(LOG_ERR, 698 "Logging suspended: open error"); 699 set_suspended(1); 700 } 701 gotsig_hup = 0; 702 } 703 704 if (gotsig_alrm) { 705 if (dpcap) 706 flush_buffer(dpcap); 707 gotsig_alrm = 0; 708 alarm(delay); 709 } 710 } 711 712 logmsg(LOG_NOTICE, "Exiting"); 713 if (dpcap) { 714 flush_buffer(dpcap); 715 fclose(dpcap); 716 } 717 purge_buffer(); 718 719 if (pcap_stats(hpcap, &pstat) < 0) 720 logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap)); 721 else 722 logmsg(LOG_NOTICE, 723 "%u packets received, %u/%u dropped (kernel/pflogd)", 724 pstat.ps_recv, pstat.ps_drop, packets_dropped); 725 726 pcap_close(hpcap); 727 if (!Debug) 728 closelog(); 729 return (0); 730} 731