[yaid] / linux.c

/* -*-c-*-
 *
 * Discover the owner of a connection (Linux version)
 *
 * (c) 2012 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Yet Another Ident Daemon (YAID).
 *
 * YAID is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * YAID is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with YAID; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "yaid.h"

#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/*----- Static variables --------------------------------------------------*/

static FILE *natfp;			/* File handle for NAT table */
static int randfd;			/* File descriptor for random data */

/*----- Miscellaneous system services -------------------------------------*/

/* Fill the buffer at P with SZ random bytes.  The buffer will be moderately
 * large: this is intended to be a low-level interface, not a general-purpose
 * utility.
 */
void fill_random(void *p, size_t sz)
{
  ssize_t n;

  n = read(randfd, p, sz);
  if (n < 0) fatal("error reading `/dev/urandom': %s", strerror(errno));
  else if (n < sz) fatal("unexpected short read from `/dev/urandom'");
}

/*----- Address-type operations -------------------------------------------*/

struct addrops_sys {
  const char *procfile;
  const char *nfl3name;
  int (*parseaddr)(char **, union addr *);
};

#define PROCFILE_IPV4 "/proc/net/tcp"
#define NFL3NAME_IPV4 "ipv4"

static int parseaddr_ipv4(char **pp, union addr *a)
  { a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }

#define PROCFILE_IPV6 "/proc/net/tcp6"
#define NFL3NAME_IPV6 "ipv6"

static int parseaddr_ipv6(char **pp, union addr *a)
{
  int i, j;
  unsigned long y;
  char *p = *pp;
  unsigned x;

  /* The format is byteswapped in a really annoying way. */
  for (i = 0; i < 4; i++) {
    y = 0;
    for (j = 0; j < 8; j++) {
      if ('0' <= *p && *p <= '9') x = *p - '0';
      else if ('a' <= *p && *p <= 'f') x = *p - 'a' + 10;
      else if ('A' <= *p && *p <= 'F') x = *p - 'A' + 10;
      else return (-1);
      y = (y << 4) | x;
      p++;
    }
    a->ipv6.s6_addr32[i] = y;
  }
  *pp = p;
  return (0);
}

#define DEFOPSYS(ty, TY)						\
  const struct addrops_sys addrops_sys_##ty = {				\
    PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty			\
  };
ADDRTYPES(DEFOPSYS)
#undef DEFOPSYS

/*----- Main code ---------------------------------------------------------*/

/* Store in A the default gateway address for the given address family.
 * Return zero on success, or nonzero on error.
 */
static int get_default_gw(int af, union addr *a)
{
  int fd;
  char buf[32768];
  struct nlmsghdr *nlmsg;
  struct rtgenmsg *rtgen;
  const struct rtattr *rta;
  const struct rtmsg *rtm;
  ssize_t n, nn;
  int rc = -1;
  static unsigned long seq = 0x48b4aec4;

  /* Open a netlink socket for interrogating the kernel. */
  if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
    fatal("failed to create netlink socket: %s", strerror(errno));

  /* We want to read the routing table.  There doesn't seem to be a good way
   * to do this without just crawling through the whole thing.
   */
  nlmsg = (struct nlmsghdr *)buf;
  assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
  nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
  nlmsg->nlmsg_type = RTM_GETROUTE;
  nlmsg->nlmsg_flags = NLM_F_REQUEST | NLM_F_ROOT;
  nlmsg->nlmsg_seq = ++seq;
  nlmsg->nlmsg_pid = 0;

  rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
  rtgen->rtgen_family = af;

  if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
    fatal("failed to send RTM_GETROUTE request: %s", strerror(errno));

  /* Now we try to parse the answer. */
  for (;;) {

    /* Not finished yet, so read another chunk of answer. */
    if ((n = read(fd, buf, sizeof(buf))) < 0)
      fatal("failed to read RTM_GETROUTE response: %s", strerror(errno));

    /* Start at the beginning of the response. */
    nlmsg = (struct nlmsghdr *)buf;

    /* Make sure this looks plausible.  The precise rules don't appear to be
     * documented, so it seems advisable to fail messily if my understanding
     * is wrong.
     */
    if (nlmsg->nlmsg_seq != seq) continue;
    assert(nlmsg->nlmsg_flags & NLM_F_MULTI);

    /* Work through all of the individual routes. */
    for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
      if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
      if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
      rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);

      /* If this record doesn't look interesting then skip it. */
      if (rtm->rtm_family != af ||	/* wrong address family */
	  rtm->rtm_dst_len > 0 ||	/* specific destination */
	  rtm->rtm_src_len > 0 ||	/* specific source  */
	  rtm->rtm_type != RTN_UNICAST || /* not for unicast */
	  rtm->rtm_scope != RT_SCOPE_UNIVERSE || /* wrong scope */
	  rtm->rtm_tos != 0)		/* specific type of service */
	continue;

      /* Trundle through the attributes and find the gateway address. */
      for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
	   RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {

	/* Got one.  We're all done.  Except that we should carry on reading
	 * to the end, or something bad will happen.
	 */
	if (rta->rta_type == RTA_GATEWAY) {
	  assert(RTA_PAYLOAD(rta) <= sizeof(*a));
	  memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
	  rc = 0;
	}
      }
    }
  }

done:
  close(fd);
  return (rc);
}

/* Initially, PP points into a string containing whitespace-separated fields.
 * Point P to the next field, null-terminate it, and advance PP so that we
 * can read the next field in the next call.
 */
#define NEXTFIELD do {							\
  for (p = pp; isspace((unsigned char)*p); p++);			\
  for (pp = p; *pp && !isspace((unsigned char)*pp); pp++);		\
  if (*pp) *pp++ = 0;							\
} while (0)

/* Search the `tcp' connection table for the address family AO, looking for a
 * connection between the addresses in QS.  GWP is nonzero if the query's
 * remote address is our gateway and we shouldn't expect the remote address
 * in the system table to actually match it because of NAT.  Return nonzero
 * if we have filled in Q conclusively; return zero if the caller should try
 * a different approach.
 */
static int search_tcp_file(struct query *q, int gwp,
			   const struct addrops *ao,
			   struct socket qs[NDIR])
{
  FILE *fp = 0;
  dstr d = DSTR_INIT;
  char *p, *pp;
  struct socket s[NDIR];
  int i;
  uid_t uid;
  enum { LOC, REM, ST, UID, NFIELD };
  int f, ff[NFIELD];
  int rc = 1;

  /* Open the relevant TCP connection table. */
  if ((fp = fopen(ao->sys->procfile, "r")) == 0) {
    logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
	   ao->sys->procfile, strerror(errno));
    goto err_unk;
  }

  /* Read the header line from the file. */
  if (dstr_putline(&d, fp) == EOF) {
    logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
	   ao->sys->procfile,
	   ferror(fp) ? strerror(errno) : "unexpected EOF");
    goto err_unk;
  }

  /* Now scan the header line to identify which columns the various
   * interesting fields are in.  Store these in the map `ff'.  Problems:
   * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
   * disguise; and the remote address column has a different heading
   * depending on which address family we're using.  Rather than dispatch,
   * just recognize both of them.
   */
  for (i = 0; i < NFIELD; i++) ff[i] = -1;
  pp = d.buf;
  for (f = 0;; f++) {
    NEXTFIELD; if (!*p) break;
    if (strcmp(p, "local_address") == 0)
      ff[LOC] = f;
    else if (strcmp(p, "rem_address") == 0 ||
	     strcmp(p, "remote_address") == 0)
      ff[REM] = f;
    else if (strcmp(p, "uid") == 0)
      ff[UID] = f;
    else if (strcmp(p, "st") == 0)
      ff[ST] = f;
    else if (strcmp(p, "rx_queue") == 0 ||
	     strcmp(p, "tm->when") == 0)
      f--;
  }

  /* Make sure that we found all of the fields we actually want. */
  for (i = 0; i < NFIELD; i++) {
    if (ff[i] < 0) {
      logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
	     ao->sys->procfile);
      goto err_unk;
    }
  }

  /* Work through the lines in the file. */
  for (;;) {

    /* Read a line, and prepare to scan the fields. */
    DRESET(&d);
    if (dstr_putline(&d, fp) == EOF) break;
    pp = d.buf;
    uid = -1;

    /* Work through the fields.  If an address field fails to match then we
     * skip this record.  If the state field isn't 1 (`ESTABLISHED') then
     * skip the record.  If it's the UID, then remember it: if we get all the
     * way to the end then we've won.
     */
    for (f = 0;; f++) {
      NEXTFIELD; if (!*p) break;
      if (f == ff[LOC]) { i = L; goto compare; }
      else if (f == ff[REM]) { i = R; goto compare; }
      else if (f == ff[UID]) uid = atoi(p);
      else if (f == ff[ST]) {
	if (strtol(p, 0, 16) != 1) goto next_row;
      }
      continue;

    compare:
      /* Compare an address (in the current field) with the local or remote
       * address in the query, as indicated by `i'.  The address field looks
       * like `ADDR:PORT', where the ADDR is in some mad format which
       * `sys->parseaddr' knows how to unpick.  If the remote address in the
       * query is our gateway then don't check the remote address in the
       * field (but do check the port number).
       */
      if (ao->sys->parseaddr(&p, &s[i].addr)) goto next_row;
      if (*p != ':') break;
      p++;
      s[i].port = strtoul(p, 0, 16);
      if ((i == R && gwp) ?
	    qs[R].port != s[i].port :
	    !sockeq(ao, &qs[i], &s[i]))
	goto next_row;
    }

    /* We got to the end, and everything matched.  If we found a UID then
     * we're done.  If the apparent remote address is our gateway then copy
     * the true one into the query structure.
     */
    if (uid != -1) {
      q->resp = R_UID;
      q->u.uid = uid;
      if (gwp) qs[R].addr = s[i].addr;
      goto done;
    }
  next_row:;
  }

  /* We got to the end of the file and didn't find anything. */
  if (ferror(fp)) {
    logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
	   ao->sys->procfile, strerror(errno));
    goto err_unk;
  }
  rc = 0;

err_unk:
  /* Something went wrong and the protocol can't express what.  We should
   * have logged what the problem actually was.
   */
  q->resp = R_ERROR;
  q->u.error = E_UNKNOWN;

done:
  /* All done. */
  dstr_destroy(&d);
  if (fp) fclose(fp);
  return (rc);
}

/* Find out who is responsible for the connection described in the query Q.
 * Write the answer to Q.  Errors are logged and reported via the query
 * structure.
 */
void identify(struct query *q)
{
  FILE *fp = 0;
  dstr d = DSTR_INIT;
  char *p, *pp;
  struct socket s[4];
  int i;
  int gwp = 0;
  unsigned fl;
#define F_SADDR 1u
#define F_SPORT 2u
#define F_DADDR 4u
#define F_DPORT 8u
#define F_ALL (F_SADDR | F_SPORT | F_DADDR | F_DPORT)
#define F_ESTAB 16u

  /* If we have a default gateway, and it matches the remote address then
   * this may be a proxy connection from our NAT, so remember this, and don't
   * inspect the remote addresses in the TCP tables.
   */
  if (!get_default_gw(q->ao->af, &s[0].addr) &&
      q->ao->addreq(&s[0].addr, &q->s[R].addr))
    gwp = 1;

  /* Search the main `tcp' table. */
  if (search_tcp_file(q, gwp, q->ao, q->s)) goto done;

  /* If we opened the NAT table file, and we're using IPv4, then check to see
   * whether we should proxy the connection.  At least the addresses in this
   * file aren't crazy.
   */
  if (natfp) {

    /* Start again from the beginning. */
    rewind(natfp);

    /* Read a line at a time. */
    for (;;) {

      /* Read the line. */
      DRESET(&d);
      if (dstr_putline(&d, natfp) == EOF) break;
      pp = d.buf;

      /* Check that this is for the right protocol. */
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, q->ao->sys->nfl3name)) continue;
      NEXTFIELD; if (!*p) break;
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, "tcp") != 0) continue;

      /* Parse the other fields.  Each line has two src/dst pairs, for the
       * outgoing and incoming directions.  Depending on exactly what kind of
       * NAT is in use, either the outgoing source or the incoming
       * destination might be the client we're after.  Collect all of the
       * addresses and sort out the mess later.
       */
      i = 0;
      fl = 0;
      for (;;) {
	NEXTFIELD; if (!*p) break;
	if (strcmp(p, "ESTABLISHED") == 0)
	  fl |= F_ESTAB;
	else if (strncmp(p, "src=", 4) == 0) {
	  inet_pton(q->ao->af, p + 4, &s[i].addr);
	  fl |= F_SADDR;
	} else if (strncmp(p, "dst=", 4) == 0) {
	  inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
	  fl |= F_DADDR;
	} else if (strncmp(p, "sport=", 6) == 0) {
	  s[i].port = atoi(p + 6);
	  fl |= F_SPORT;
	} else if (strncmp(p, "dport=", 6) == 0) {
	  s[i + 1].port = atoi(p + 6);
	  fl |= F_DPORT;
	}
	if ((fl & F_ALL) == F_ALL) {
	  fl &= ~F_ALL;
	  if (i < 4) i += 2;
	  else break;
	}
      }

#ifdef DEBUG
      {
	/* Print the record we found. */
	dstr dd = DSTR_INIT;
	dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
	dputsock(&dd, q->ao, &s[0]);
	dstr_puts(&dd, "<->");
	dputsock(&dd, q->ao, &s[1]);
	dstr_puts(&dd, " | ");
	dputsock(&dd, q->ao, &s[2]);
	dstr_puts(&dd, "<->");
	dputsock(&dd, q->ao, &s[3]);
	printf("parsed: %s\n", dd.buf);
	dstr_destroy(&dd);
      }
#endif

      /* If the connection isn't ESTABLISHED then skip it. */
      if (!(fl & F_ESTAB)) continue;

      /* Now we try to piece together what's going on.  One of these
       * addresses will be us.  So let's just try to find it.
       */
      for (i = 0; i < 4; i++)
	if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
      continue;

    found_local:
      /* So address `i' is us.  In that case, we expect the other address in
       * the same direction, and the same address in the opposite direction,
       * to match each other and be the remote address in the query.
       */
      if (!sockeq(q->ao, &s[i^1], &s[i^2]) ||
	  !sockeq(q->ao, &s[i^1], &q->s[R]))
	continue;

      /* As a trap for the unwary, this file contains unhelpful entries which
       * just mirror the source/destination addresses.  If this is one of
       * those, we'll be stuck in a cycle talking to ourselves.
       */
      if (sockeq(q->ao, &s[i], &s[i^3]))
	continue;

      /* We win.  The remaining address must be the client host.  We should
       * proxy this query.
       */
      q->resp = R_NAT;
      q->u.nat = s[i^3];
      goto done;
    }

    /* Reached the end of the NAT file. */
    if (ferror(natfp)) {
      logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
	     strerror(errno));
      goto err_unk;
    }
  }

  /* We didn't find a match anywhere.  How unfortunate. */
  logmsg(q, LOG_NOTICE, "connection not found");
  q->resp = R_ERROR;
  q->u.error = E_NOUSER;
  goto done;

err_unk:
  /* Something went wrong and the protocol can't express what.  We should
   * have logged what the problem actually was.
   */
  q->resp = R_ERROR;
  q->u.error = E_UNKNOWN;

done:
  /* All done. */
  dstr_destroy(&d);
  if (fp) fclose(fp);
}

#undef NEXTFIELD

/* Initialize the system-specific code. */
void init_sys(void)
{
  /* Open the NAT connection map. */
  if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
      errno != ENOENT) {
    die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
	strerror(errno));
  }

  /* Open the random data source. */
  if ((randfd = open("/dev/urandom", O_RDONLY)) < 0) {
    die(1, "failed to open `/dev/urandom' for reading: %s",
	strerror(errno));
  }
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
9dcdc856 MW	1	/* --c--
9dcdc856 MW	2	*
bf4d9761	3	* Discover the owner of a connection (Linux version)
9dcdc856 MW	4	*
	5	* (c) 2012 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Yet Another Ident Daemon (YAID).
	11	*
	12	* YAID is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* YAID is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with YAID; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
	27	/----- Header files ------------------------------------------------------/
	28
9da480be	29	#include "yaid.h"
9dcdc856	30
c3794524 MW	31	#include <linux/netlink.h>
	32	#include <linux/rtnetlink.h>
	33
9dcdc856 MW	34	/----- Static variables --------------------------------------------------/
9dcdc856 MW	35
c3794524	36	static FILE natfp; / File handle for NAT table */
56e93c83 MW	37	static int randfd; /* File descriptor for random data */
	38
	39	/----- Miscellaneous system services -------------------------------------/
	40
	41	/* Fill the buffer at P with SZ random bytes. The buffer will be moderately
	42	* large: this is intended to be a low-level interface, not a general-purpose
	43	* utility.
	44	*/
	45	void fill_random(void *p, size_t sz)
	46	{
	47	ssize_t n;
	48
	49	n = read(randfd, p, sz);
429dcd8d MW	50	if (n < 0) fatal("error reading `/dev/urandom': %s", strerror(errno));
429dcd8d MW	51	else if (n < sz) fatal("unexpected short read from `/dev/urandom'");
56e93c83	52	}
b093b41d MW	53
	54	/----- Address-type operations -------------------------------------------/
	55
bf4d9761 MW	56	struct addrops_sys {
bf4d9761 MW	57	const char *procfile;
2a9b8d4a	58	const char *nfl3name;
bf4d9761	59	int (parseaddr)(char , union addr );
9dcdc856 MW	60	};
9dcdc856 MW	61
3b1bed1d	62	#define PROCFILE_IPV4 "/proc/net/tcp"
2a9b8d4a	63	#define NFL3NAME_IPV4 "ipv4"
3b1bed1d	64
bf4d9761	65	static int parseaddr_ipv4(char *pp, union addr a)
9da480be	66	{ a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }
9dcdc856	67
3b1bed1d	68	#define PROCFILE_IPV6 "/proc/net/tcp6"
2a9b8d4a	69	#define NFL3NAME_IPV6 "ipv6"
9dcdc856	70
bf4d9761	71	static int parseaddr_ipv6(char *pp, union addr a)
9da480be MW	72	{
	73	int i, j;
	74	unsigned long y;
	75	char p = pp;
	76	unsigned x;
	77
c3794524	78	/* The format is byteswapped in a really annoying way. */
9da480be MW	79	for (i = 0; i < 4; i++) {
	80	y = 0;
	81	for (j = 0; j < 8; j++) {
	82	if ('0' <= p && p <= '9') x = *p - '0';
e9c4f66d MW	83	else if ('a' <= p && p <= 'f') x = *p - 'a' + 10;
e9c4f66d MW	84	else if ('A' <= p && p <= 'F') x = *p - 'A' + 10;
9da480be MW	85	else return (-1);
	86	y = (y << 4) \| x;
	87	p++;
	88	}
	89	a->ipv6.s6_addr32[i] = y;
	90	}
	91	*pp = p;
	92	return (0);
	93	}
	94
3b1bed1d MW	95	#define DEFOPSYS(ty, TY) \
3b1bed1d MW	96	const struct addrops_sys addrops_sys_##ty = { \
2a9b8d4a	97	PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty \
3b1bed1d MW	98	};
	99	ADDRTYPES(DEFOPSYS)
	100	#undef DEFOPSYS
9dcdc856 MW	101
	102	/----- Main code ---------------------------------------------------------/
	103
c3794524 MW	104	/* Store in A the default gateway address for the given address family.
	105	* Return zero on success, or nonzero on error.
	106	*/
77fb54ff	107	static int get_default_gw(int af, union addr *a)
9dcdc856	108	{
9da480be MW	109	int fd;
	110	char buf[32768];
	111	struct nlmsghdr *nlmsg;
	112	struct rtgenmsg *rtgen;
	113	const struct rtattr *rta;
	114	const struct rtmsg *rtm;
	115	ssize_t n, nn;
c63b1d0a	116	int rc = -1;
9da480be MW	117	static unsigned long seq = 0x48b4aec4;
9da480be MW	118
c3794524	119	/* Open a netlink socket for interrogating the kernel. */
9da480be	120	if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
429dcd8d	121	fatal("failed to create netlink socket: %s", strerror(errno));
9da480be	122
c3794524 MW	123	/* We want to read the routing table. There doesn't seem to be a good way
	124	* to do this without just crawling through the whole thing.
	125	*/
9da480be MW	126	nlmsg = (struct nlmsghdr *)buf;
	127	assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
	128	nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
	129	nlmsg->nlmsg_type = RTM_GETROUTE;
	130	nlmsg->nlmsg_flags = NLM_F_REQUEST \| NLM_F_ROOT;
	131	nlmsg->nlmsg_seq = ++seq;
	132	nlmsg->nlmsg_pid = 0;
	133
	134	rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
	135	rtgen->rtgen_family = af;
	136
	137	if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
429dcd8d	138	fatal("failed to send RTM_GETROUTE request: %s", strerror(errno));
9dcdc856	139
c3794524	140	/* Now we try to parse the answer. */
9da480be	141	for (;;) {
c3794524 MW	142
c3794524 MW	143	/* Not finished yet, so read another chunk of answer. */
9da480be	144	if ((n = read(fd, buf, sizeof(buf))) < 0)
429dcd8d	145	fatal("failed to read RTM_GETROUTE response: %s", strerror(errno));
c3794524 MW	146
c3794524 MW	147	/* Start at the beginning of the response. */
9da480be	148	nlmsg = (struct nlmsghdr *)buf;
c3794524 MW	149
	150	/* Make sure this looks plausible. The precise rules don't appear to be
	151	* documented, so it seems advisable to fail messily if my understanding
	152	* is wrong.
	153	*/
9da480be MW	154	if (nlmsg->nlmsg_seq != seq) continue;
	155	assert(nlmsg->nlmsg_flags & NLM_F_MULTI);
	156
c3794524	157	/* Work through all of the individual routes. */
9da480be MW	158	for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
	159	if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
	160	if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
	161	rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);
	162
c3794524 MW	163	/* If this record doesn't look interesting then skip it. */
	164	if (rtm->rtm_family != af \|\| /* wrong address family */
	165	rtm->rtm_dst_len > 0 \|\| /* specific destination */
	166	rtm->rtm_src_len > 0 \|\| /* specific source */
	167	rtm->rtm_type != RTN_UNICAST \|\| /* not for unicast */
	168	rtm->rtm_scope != RT_SCOPE_UNIVERSE \|\| /* wrong scope */
	169	rtm->rtm_tos != 0) /* specific type of service */
9da480be	170	continue;
9dcdc856	171
c3794524	172	/* Trundle through the attributes and find the gateway address. */
9da480be MW	173	for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
9da480be MW	174	RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {
c3794524 MW	175
	176	/* Got one. We're all done. Except that we should carry on reading
	177	* to the end, or something bad will happen.
	178	*/
9da480be MW	179	if (rta->rta_type == RTA_GATEWAY) {
	180	assert(RTA_PAYLOAD(rta) <= sizeof(*a));
	181	memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
c63b1d0a	182	rc = 0;
9da480be MW	183	}
	184	}
	185	}
	186	}
9dcdc856	187
9da480be MW	188	done:
	189	close(fd);
	190	return (rc);
9dcdc856 MW	191	}
9dcdc856 MW	192
b2f74a8a MW	193	/* Initially, PP points into a string containing whitespace-separated fields.
	194	* Point P to the next field, null-terminate it, and advance PP so that we
	195	* can read the next field in the next call.
c3794524	196	*/
b2f74a8a MW	197	#define NEXTFIELD do { \
	198	for (p = pp; isspace((unsigned char)*p); p++); \
	199	for (pp = p; pp && !isspace((unsigned char)pp); pp++); \
	200	if (pp) pp++ = 0; \
	201	} while (0)
	202
	203	/* Search the `tcp' connection table for the address family AO, looking for a
	204	* connection between the addresses in QS. GWP is nonzero if the query's
	205	* remote address is our gateway and we shouldn't expect the remote address
	206	* in the system table to actually match it because of NAT. Return nonzero
	207	* if we have filled in Q conclusively; return zero if the caller should try
	208	* a different approach.
	209	*/
	210	static int search_tcp_file(struct query *q, int gwp,
	211	const struct addrops *ao,
	212	struct socket qs[NDIR])
9dcdc856	213	{
9dcdc856 MW	214	FILE *fp = 0;
	215	dstr d = DSTR_INIT;
	216	char p, pp;
b2f74a8a	217	struct socket s[NDIR];
9dcdc856	218	int i;
9dcdc856 MW	219	uid_t uid;
	220	enum { LOC, REM, ST, UID, NFIELD };
	221	int f, ff[NFIELD];
b2f74a8a	222	int rc = 1;
9da480be	223
c3794524	224	/* Open the relevant TCP connection table. */
b2f74a8a	225	if ((fp = fopen(ao->sys->procfile, "r")) == 0) {
9dcdc856	226	logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
b2f74a8a	227	ao->sys->procfile, strerror(errno));
9dcdc856 MW	228	goto err_unk;
	229	}
	230
c3794524	231	/* Read the header line from the file. */
9dcdc856 MW	232	if (dstr_putline(&d, fp) == EOF) {
9dcdc856 MW	233	logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
b2f74a8a	234	ao->sys->procfile,
bf4d9761	235	ferror(fp) ? strerror(errno) : "unexpected EOF");
9dcdc856 MW	236	goto err_unk;
	237	}
	238
c3794524 MW	239	/* Now scan the header line to identify which columns the various
	240	* interesting fields are in. Store these in the map `ff'. Problems:
	241	* `tx_queue rx_queue' and `tr tm->when' are both really single columns in
	242	* disguise; and the remote address column has a different heading
	243	* depending on which address family we're using. Rather than dispatch,
	244	* just recognize both of them.
	245	*/
9dcdc856 MW	246	for (i = 0; i < NFIELD; i++) ff[i] = -1;
	247	pp = d.buf;
	248	for (f = 0;; f++) {
	249	NEXTFIELD; if (!*p) break;
	250	if (strcmp(p, "local_address") == 0)
	251	ff[LOC] = f;
	252	else if (strcmp(p, "rem_address") == 0 \|\|
	253	strcmp(p, "remote_address") == 0)
	254	ff[REM] = f;
	255	else if (strcmp(p, "uid") == 0)
	256	ff[UID] = f;
	257	else if (strcmp(p, "st") == 0)
	258	ff[ST] = f;
	259	else if (strcmp(p, "rx_queue") == 0 \|\|
	260	strcmp(p, "tm->when") == 0)
	261	f--;
	262	}
c3794524 MW	263
c3794524 MW	264	/* Make sure that we found all of the fields we actually want. */
9dcdc856 MW	265	for (i = 0; i < NFIELD; i++) {
	266	if (ff[i] < 0) {
	267	logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
b2f74a8a	268	ao->sys->procfile);
9dcdc856 MW	269	goto err_unk;
	270	}
	271	}
	272
c3794524	273	/* Work through the lines in the file. */
9dcdc856	274	for (;;) {
c3794524 MW	275
c3794524 MW	276	/* Read a line, and prepare to scan the fields. */
9dcdc856 MW	277	DRESET(&d);
	278	if (dstr_putline(&d, fp) == EOF) break;
	279	pp = d.buf;
	280	uid = -1;
c3794524 MW	281
	282	/* Work through the fields. If an address field fails to match then we
	283	* skip this record. If the state field isn't 1 (`ESTABLISHED') then
	284	* skip the record. If it's the UID, then remember it: if we get all the
	285	* way to the end then we've won.
	286	*/
9dcdc856 MW	287	for (f = 0;; f++) {
	288	NEXTFIELD; if (!*p) break;
	289	if (f == ff[LOC]) { i = L; goto compare; }
	290	else if (f == ff[REM]) { i = R; goto compare; }
	291	else if (f == ff[UID]) uid = atoi(p);
	292	else if (f == ff[ST]) {
	293	if (strtol(p, 0, 16) != 1) goto next_row;
	294	}
	295	continue;
	296
	297	compare:
c3794524 MW	298	/* Compare an address (in the current field) with the local or remote
	299	* address in the query, as indicated by `i'. The address field looks
	300	* like `ADDR:PORT', where the ADDR is in some mad format which
	301	* `sys->parseaddr' knows how to unpick. If the remote address in the
	302	* query is our gateway then don't check the remote address in the
	303	* field (but do check the port number).
	304	*/
b2f74a8a	305	if (ao->sys->parseaddr(&p, &s[i].addr)) goto next_row;
dd5e35da MW	306	if (*p != ':') break;
dd5e35da MW	307	p++;
223e3e2b	308	s[i].port = strtoul(p, 0, 16);
c3794524	309	if ((i == R && gwp) ?
b2f74a8a MW	310	qs[R].port != s[i].port :
b2f74a8a MW	311	!sockeq(ao, &qs[i], &s[i]))
9da480be	312	goto next_row;
9dcdc856	313	}
c3794524 MW	314
c3794524 MW	315	/* We got to the end, and everything matched. If we found a UID then
223e3e2b MW	316	* we're done. If the apparent remote address is our gateway then copy
223e3e2b MW	317	* the true one into the query structure.
c3794524	318	*/
9dcdc856	319	if (uid != -1) {
9da480be MW	320	q->resp = R_UID;
9da480be MW	321	q->u.uid = uid;
b2f74a8a	322	if (gwp) qs[R].addr = s[i].addr;
9dcdc856 MW	323	goto done;
	324	}
	325	next_row:;
	326	}
	327
c3794524	328	/* We got to the end of the file and didn't find anything. */
9dcdc856	329	if (ferror(fp)) {
b093b41d	330	logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
b2f74a8a	331	ao->sys->procfile, strerror(errno));
9dcdc856 MW	332	goto err_unk;
9dcdc856 MW	333	}
b2f74a8a MW	334	rc = 0;
	335
	336	err_unk:
	337	/* Something went wrong and the protocol can't express what. We should
	338	* have logged what the problem actually was.
	339	*/
	340	q->resp = R_ERROR;
	341	q->u.error = E_UNKNOWN;
	342
	343	done:
	344	/* All done. */
	345	dstr_destroy(&d);
	346	if (fp) fclose(fp);
	347	return (rc);
	348	}
	349
	350	/* Find out who is responsible for the connection described in the query Q.
	351	* Write the answer to Q. Errors are logged and reported via the query
	352	* structure.
	353	*/
	354	void identify(struct query *q)
	355	{
	356	FILE *fp = 0;
	357	dstr d = DSTR_INIT;
	358	char p, pp;
	359	struct socket s[4];
	360	int i;
	361	int gwp = 0;
	362	unsigned fl;
	363	#define F_SADDR 1u
	364	#define F_SPORT 2u
	365	#define F_DADDR 4u
	366	#define F_DPORT 8u
	367	#define F_ALL (F_SADDR \| F_SPORT \| F_DADDR \| F_DPORT)
	368	#define F_ESTAB 16u
	369
	370	/* If we have a default gateway, and it matches the remote address then
	371	* this may be a proxy connection from our NAT, so remember this, and don't
	372	* inspect the remote addresses in the TCP tables.
	373	*/
	374	if (!get_default_gw(q->ao->af, &s[0].addr) &&
	375	q->ao->addreq(&s[0].addr, &q->s[R].addr))
	376	gwp = 1;
	377
	378	/* Search the main `tcp' table. */
	379	if (search_tcp_file(q, gwp, q->ao, q->s)) goto done;
9dcdc856	380
c3794524 MW	381	/* If we opened the NAT table file, and we're using IPv4, then check to see
	382	* whether we should proxy the connection. At least the addresses in this
	383	* file aren't crazy.
	384	*/
2a9b8d4a	385	if (natfp) {
c3794524 MW	386
c3794524 MW	387	/* Start again from the beginning. */
b093b41d	388	rewind(natfp);
9dcdc856	389
c3794524	390	/* Read a line at a time. */
9dcdc856	391	for (;;) {
c3794524 MW	392
c3794524 MW	393	/* Read the line. */
9dcdc856	394	DRESET(&d);
b093b41d	395	if (dstr_putline(&d, natfp) == EOF) break;
9dcdc856	396	pp = d.buf;
2a9b8d4a	397
c3794524	398	/* Check that this is for the right protocol. */
2a9b8d4a MW	399	NEXTFIELD; if (!*p) break;
	400	if (strcmp(p, q->ao->sys->nfl3name)) continue;
	401	NEXTFIELD; if (!*p) break;
9dcdc856 MW	402	NEXTFIELD; if (!*p) break;
9dcdc856 MW	403	if (strcmp(p, "tcp") != 0) continue;
c3794524 MW	404
	405	/* Parse the other fields. Each line has two src/dst pairs, for the
	406	* outgoing and incoming directions. Depending on exactly what kind of
	407	* NAT is in use, either the outgoing source or the incoming
	408	* destination might be the client we're after. Collect all of the
	409	* addresses and sort out the mess later.
	410	*/
9dcdc856 MW	411	i = 0;
	412	fl = 0;
	413	for (;;) {
	414	NEXTFIELD; if (!*p) break;
	415	if (strcmp(p, "ESTABLISHED") == 0)
	416	fl \|= F_ESTAB;
	417	else if (strncmp(p, "src=", 4) == 0) {
2a9b8d4a	418	inet_pton(q->ao->af, p + 4, &s[i].addr);
9dcdc856 MW	419	fl \|= F_SADDR;
9dcdc856 MW	420	} else if (strncmp(p, "dst=", 4) == 0) {
2a9b8d4a	421	inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
9dcdc856 MW	422	fl \|= F_DADDR;
	423	} else if (strncmp(p, "sport=", 6) == 0) {
	424	s[i].port = atoi(p + 6);
	425	fl \|= F_SPORT;
	426	} else if (strncmp(p, "dport=", 6) == 0) {
	427	s[i + 1].port = atoi(p + 6);
	428	fl \|= F_DPORT;
	429	}
	430	if ((fl & F_ALL) == F_ALL) {
	431	fl &= ~F_ALL;
	432	if (i < 4) i += 2;
	433	else break;
	434	}
	435	}
	436
2abfa393	437	#ifdef DEBUG
9dcdc856	438	{
c3794524	439	/* Print the record we found. */
9dcdc856 MW	440	dstr dd = DSTR_INIT;
9dcdc856 MW	441	dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
bf4d9761	442	dputsock(&dd, q->ao, &s[0]);
9dcdc856	443	dstr_puts(&dd, "<->");
bf4d9761	444	dputsock(&dd, q->ao, &s[1]);
9dcdc856	445	dstr_puts(&dd, " \| ");
bf4d9761	446	dputsock(&dd, q->ao, &s[2]);
9dcdc856	447	dstr_puts(&dd, "<->");
bf4d9761	448	dputsock(&dd, q->ao, &s[3]);
9dcdc856 MW	449	printf("parsed: %s\n", dd.buf);
	450	dstr_destroy(&dd);
	451	}
	452	#endif
	453
c3794524	454	/* If the connection isn't ESTABLISHED then skip it. */
9dcdc856 MW	455	if (!(fl & F_ESTAB)) continue;
9dcdc856 MW	456
c3794524 MW	457	/* Now we try to piece together what's going on. One of these
	458	* addresses will be us. So let's just try to find it.
	459	*/
9dcdc856	460	for (i = 0; i < 4; i++)
bf4d9761	461	if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
9dcdc856	462	continue;
c3794524	463
9dcdc856	464	found_local:
c3794524 MW	465	/* So address `i' is us. In that case, we expect the other address in
	466	* the same direction, and the same address in the opposite direction,
	467	* to match each other and be the remote address in the query.
	468	*/
bf4d9761 MW	469	if (!sockeq(q->ao, &s[i^1], &s[i^2]) \|\|
bf4d9761 MW	470	!sockeq(q->ao, &s[i^1], &q->s[R]))
9dcdc856	471	continue;
c3794524	472
d817f2c3 MW	473	/* As a trap for the unwary, this file contains unhelpful entries which
	474	* just mirror the source/destination addresses. If this is one of
	475	* those, we'll be stuck in a cycle talking to ourselves.
	476	*/
	477	if (sockeq(q->ao, &s[i], &s[i^3]))
	478	continue;
	479
c3794524 MW	480	/* We win. The remaining address must be the client host. We should
	481	* proxy this query.
	482	*/
9da480be MW	483	q->resp = R_NAT;
9da480be MW	484	q->u.nat = s[i^3];
9dcdc856 MW	485	goto done;
	486	}
	487
2a9b8d4a	488	/* Reached the end of the NAT file. */
b093b41d	489	if (ferror(natfp)) {
2a9b8d4a	490	logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
9dcdc856 MW	491	strerror(errno));
	492	goto err_unk;
	493	}
	494	}
	495
c3794524	496	/* We didn't find a match anywhere. How unfortunate. */
b093b41d	497	logmsg(q, LOG_NOTICE, "connection not found");
9da480be MW	498	q->resp = R_ERROR;
9da480be MW	499	q->u.error = E_NOUSER;
9dcdc856	500	goto done;
c3794524	501
9dcdc856	502	err_unk:
c3794524 MW	503	/* Something went wrong and the protocol can't express what. We should
	504	* have logged what the problem actually was.
	505	*/
9da480be MW	506	q->resp = R_ERROR;
9da480be MW	507	q->u.error = E_UNKNOWN;
c3794524	508
9dcdc856	509	done:
c3794524	510	/* All done. */
9dcdc856	511	dstr_destroy(&d);
60150b4c	512	if (fp) fclose(fp);
9dcdc856 MW	513	}
9dcdc856 MW	514
b2f74a8a MW	515	#undef NEXTFIELD
b2f74a8a MW	516
c3794524	517	/* Initialize the system-specific code. */
b093b41d MW	518	void init_sys(void)
b093b41d MW	519	{
af7ed5c7	520	/* Open the NAT connection map. */
2a9b8d4a	521	if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
b093b41d	522	errno != ENOENT) {
2a9b8d4a	523	die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
b093b41d MW	524	strerror(errno));
b093b41d MW	525	}
56e93c83 MW	526
	527	/* Open the random data source. */
	528	if ((randfd = open("/dev/urandom", O_RDONLY)) < 0) {
	529	die(1, "failed to open `/dev/urandom' for reading: %s",
	530	strerror(errno));
	531	}
b093b41d MW	532	}
b093b41d MW	533
9dcdc856	534	/----- That's all, folks -------------------------------------------------/