[yaid] / linux.c

/* -*-c-*-
 *
 * Discover the owner of a connection (Linux version)
 *
 * (c) 2012 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Yet Another Ident Daemon (YAID).
 *
 * YAID is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * YAID is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with YAID; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "yaid.h"

#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/*----- Static variables --------------------------------------------------*/

static FILE *natfp;			/* File handle for NAT table */

/*----- Address-type operations -------------------------------------------*/

struct addrops_sys {
  const char *procfile;
  const char *nfl3name;
  int (*parseaddr)(char **, union addr *);
};

#define PROCFILE_IPV4 "/proc/net/tcp"
#define NFL3NAME_IPV4 "ipv4"

static int parseaddr_ipv4(char **pp, union addr *a)
  { a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }

#define PROCFILE_IPV6 "/proc/net/tcp6"
#define NFL3NAME_IPV6 "ipv6"

static int parseaddr_ipv6(char **pp, union addr *a)
{
  int i, j;
  unsigned long y;
  char *p = *pp;
  unsigned x;

  /* The format is byteswapped in a really annoying way. */
  for (i = 0; i < 4; i++) {
    y = 0;
    for (j = 0; j < 8; j++) {
      if ('0' <= *p && *p <= '9') x = *p - '0';
      else if ('a' <= *p && *p <= 'f') x = *p - 'a'+ 10;
      else if ('A' <= *p && *p <= 'F') x = *p - 'A'+ 10;
      else return (-1);
      y = (y << 4) | x;
      p++;
    }
    a->ipv6.s6_addr32[i] = y;
  }
  *pp = p;
  return (0);
}

#define DEFOPSYS(ty, TY)						\
  const struct addrops_sys addrops_sys_##ty = {				\
    PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty			\
  };
ADDRTYPES(DEFOPSYS)
#undef DEFOPSYS

/*----- Main code ---------------------------------------------------------*/

/* Store in A the default gateway address for the given address family.
 * Return zero on success, or nonzero on error.
 */
static int get_default_gw(int af, union addr *a)
{
  int fd;
  char buf[32768];
  struct nlmsghdr *nlmsg;
  struct rtgenmsg *rtgen;
  const struct rtattr *rta;
  const struct rtmsg *rtm;
  ssize_t n, nn;
  int rc = 0;
  static unsigned long seq = 0x48b4aec4;

  /* Open a netlink socket for interrogating the kernel. */
  if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
    die(1, "failed to create netlink socket: %s", strerror(errno));

  /* We want to read the routing table.  There doesn't seem to be a good way
   * to do this without just crawling through the whole thing.
   */
  nlmsg = (struct nlmsghdr *)buf;
  assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
  nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
  nlmsg->nlmsg_type = RTM_GETROUTE;
  nlmsg->nlmsg_flags = NLM_F_REQUEST | NLM_F_ROOT;
  nlmsg->nlmsg_seq = ++seq;
  nlmsg->nlmsg_pid = 0;

  rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
  rtgen->rtgen_family = af;

  if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
    die(1, "failed to send RTM_GETROUTE request: %s", strerror(errno));

  /* Now we try to parse the answer. */
  for (;;) {

    /* Not finished yet, so read another chunk of answer. */
    if ((n = read(fd, buf, sizeof(buf))) < 0)
      die(1, "failed to read RTM_GETROUTE response: %s", strerror(errno));

    /* Start at the beginning of the response. */
    nlmsg = (struct nlmsghdr *)buf;

    /* Make sure this looks plausible.  The precise rules don't appear to be
     * documented, so it seems advisable to fail messily if my understanding
     * is wrong.
     */
    if (nlmsg->nlmsg_seq != seq) continue;
    assert(nlmsg->nlmsg_flags & NLM_F_MULTI);

    /* Work through all of the individual routes. */
    for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
      if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
      if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
      rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);

      /* If this record doesn't look interesting then skip it. */
      if (rtm->rtm_family != af ||	/* wrong address family */
	  rtm->rtm_dst_len > 0 ||	/* specific destination */
	  rtm->rtm_src_len > 0 ||	/* specific source  */
	  rtm->rtm_type != RTN_UNICAST || /* not for unicast */
	  rtm->rtm_scope != RT_SCOPE_UNIVERSE || /* wrong scope */
	  rtm->rtm_tos != 0)		/* specific type of service */
	continue;

      /* Trundle through the attributes and find the gateway address. */
      for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
	   RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {

	/* Got one.  We're all done.  Except that we should carry on reading
	 * to the end, or something bad will happen.
	 */
	if (rta->rta_type == RTA_GATEWAY) {
	  assert(RTA_PAYLOAD(rta) <= sizeof(*a));
	  memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
	  rc = 1;
	}
      }
    }
  }

done:
  close(fd);
  return (rc);
}

/* Find out who is responsible for the connection described in the query Q.
 * Write the answer to Q.  Errors are logged and reported via the query
 * structure.
 */
void identify(struct query *q)
{
  FILE *fp = 0;
  dstr d = DSTR_INIT;
  char *p, *pp;
  struct socket s[4];
  int i;
  int gwp = 0;
  unsigned fl;
#define F_SADDR 1u
#define F_SPORT 2u
#define F_DADDR 4u
#define F_DPORT 8u
#define F_ALL (F_SADDR | F_SPORT | F_DADDR | F_DPORT)
#define F_ESTAB 16u
  uid_t uid;
  enum { LOC, REM, ST, UID, NFIELD };
  int f, ff[NFIELD];

  /* If we have a default gateway, and it matches the remote address then
   * this may be a proxy connection from our NAT, so remember this, and don't
   * inspect the remote addresses in the TCP tables.
   */
  if (get_default_gw(q->ao->af, &s[0].addr) &&
      q->ao->addreq(&s[0].addr, &q->s[R].addr))
    gwp = 1;

  /* Open the relevant TCP connection table. */
  if ((fp = fopen(q->ao->sys->procfile, "r")) == 0) {
    logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
	   q->ao->sys->procfile, strerror(errno));
    goto err_unk;
  }

  /* Initially, PP points into a string containing whitespace-separated
   * fields.  Point P to the next field, null-terminate it, and advance PP
   * so that we can read the next field in the next call.
   */
#define NEXTFIELD do {							\
  for (p = pp; isspace((unsigned char)*p); p++);			\
  for (pp = p; *pp && !isspace((unsigned char)*pp); pp++);		\
  if (*pp) *pp++ = 0;							\
} while (0)

  /* Read the header line from the file. */
  if (dstr_putline(&d, fp) == EOF) {
    logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
	   q->ao->sys->procfile,
	   ferror(fp) ? strerror(errno) : "unexpected EOF");
    goto err_unk;
  }

  /* Now scan the header line to identify which columns the various
   * interesting fields are in.  Store these in the map `ff'.  Problems:
   * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
   * disguise; and the remote address column has a different heading
   * depending on which address family we're using.  Rather than dispatch,
   * just recognize both of them.
   */
  for (i = 0; i < NFIELD; i++) ff[i] = -1;
  pp = d.buf;
  for (f = 0;; f++) {
    NEXTFIELD; if (!*p) break;
    if (strcmp(p, "local_address") == 0)
      ff[LOC] = f;
    else if (strcmp(p, "rem_address") == 0 ||
	     strcmp(p, "remote_address") == 0)
      ff[REM] = f;
    else if (strcmp(p, "uid") == 0)
      ff[UID] = f;
    else if (strcmp(p, "st") == 0)
      ff[ST] = f;
    else if (strcmp(p, "rx_queue") == 0 ||
	     strcmp(p, "tm->when") == 0)
      f--;
  }

  /* Make sure that we found all of the fields we actually want. */
  for (i = 0; i < NFIELD; i++) {
    if (ff[i] < 0) {
      logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
	     q->ao->sys->procfile);
      goto err_unk;
    }
  }

  /* Work through the lines in the file. */
  for (;;) {

    /* Read a line, and prepare to scan the fields. */
    DRESET(&d);
    if (dstr_putline(&d, fp) == EOF) break;
    pp = d.buf;
    uid = -1;

    /* Work through the fields.  If an address field fails to match then we
     * skip this record.  If the state field isn't 1 (`ESTABLISHED') then
     * skip the record.  If it's the UID, then remember it: if we get all the
     * way to the end then we've won.
     */
    for (f = 0;; f++) {
      NEXTFIELD; if (!*p) break;
      if (f == ff[LOC]) { i = L; goto compare; }
      else if (f == ff[REM]) { i = R; goto compare; }
      else if (f == ff[UID]) uid = atoi(p);
      else if (f == ff[ST]) {
	if (strtol(p, 0, 16) != 1) goto next_row;
      }
      continue;

    compare:
      /* Compare an address (in the current field) with the local or remote
       * address in the query, as indicated by `i'.  The address field looks
       * like `ADDR:PORT', where the ADDR is in some mad format which
       * `sys->parseaddr' knows how to unpick.  If the remote address in the
       * query is our gateway then don't check the remote address in the
       * field (but do check the port number).
       */
      if (q->ao->sys->parseaddr(&p, &s[0].addr)) goto next_row;
      if (*p != ':') break; p++;
      s[0].port = strtoul(p, 0, 16);
      if ((i == R && gwp) ?
	    q->s[R].port != s[0].port :
	    !sockeq(q->ao, &q->s[i], &s[0]))
	goto next_row;
    }

    /* We got to the end, and everything matched.  If we found a UID then
     * we're done.
     */
    if (uid != -1) {
      q->resp = R_UID;
      q->u.uid = uid;
      goto done;
    }
  next_row:;
  }

  /* We got to the end of the file and didn't find anything. */
  if (ferror(fp)) {
    logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
	   q->ao->sys->procfile, strerror(errno));
    goto err_unk;
  }

  /* If we opened the NAT table file, and we're using IPv4, then check to see
   * whether we should proxy the connection.  At least the addresses in this
   * file aren't crazy.
   */
  if (natfp) {

    /* Start again from the beginning. */
    rewind(natfp);

    /* Read a line at a time. */
    for (;;) {

      /* Read the line. */
      DRESET(&d);
      if (dstr_putline(&d, natfp) == EOF) break;
      pp = d.buf;

      /* Check that this is for the right protocol. */
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, q->ao->sys->nfl3name)) continue;
      NEXTFIELD; if (!*p) break;
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, "tcp") != 0) continue;

      /* Parse the other fields.  Each line has two src/dst pairs, for the
       * outgoing and incoming directions.  Depending on exactly what kind of
       * NAT is in use, either the outgoing source or the incoming
       * destination might be the client we're after.  Collect all of the
       * addresses and sort out the mess later.
       */
      i = 0;
      fl = 0;
      for (;;) {
	NEXTFIELD; if (!*p) break;
	if (strcmp(p, "ESTABLISHED") == 0)
	  fl |= F_ESTAB;
	else if (strncmp(p, "src=", 4) == 0) {
	  inet_pton(q->ao->af, p + 4, &s[i].addr);
	  fl |= F_SADDR;
	} else if (strncmp(p, "dst=", 4) == 0) {
	  inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
	  fl |= F_DADDR;
	} else if (strncmp(p, "sport=", 6) == 0) {
	  s[i].port = atoi(p + 6);
	  fl |= F_SPORT;
	} else if (strncmp(p, "dport=", 6) == 0) {
	  s[i + 1].port = atoi(p + 6);
	  fl |= F_DPORT;
	}
	if ((fl & F_ALL) == F_ALL) {
	  fl &= ~F_ALL;
	  if (i < 4) i += 2;
	  else break;
	}
      }

#ifdef notdef
      {
	/* Print the record we found. */
	dstr dd = DSTR_INIT;
	dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
	dputsock(&dd, q->ao, &s[0]);
	dstr_puts(&dd, "<->");
	dputsock(&dd, q->ao, &s[1]);
	dstr_puts(&dd, " | ");
	dputsock(&dd, q->ao, &s[2]);
	dstr_puts(&dd, "<->");
	dputsock(&dd, q->ao, &s[3]);
	printf("parsed: %s\n", dd.buf);
	dstr_destroy(&dd);
      }
#endif

      /* If the connection isn't ESTABLISHED then skip it. */
      if (!(fl & F_ESTAB)) continue;

      /* Now we try to piece together what's going on.  One of these
       * addresses will be us.  So let's just try to find it.
       */
      for (i = 0; i < 4; i++)
	if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
      continue;

    found_local:
      /* So address `i' is us.  In that case, we expect the other address in
       * the same direction, and the same address in the opposite direction,
       * to match each other and be the remote address in the query.
       */
      if (!sockeq(q->ao, &s[i^1], &s[i^2]) ||
	  !sockeq(q->ao, &s[i^1], &q->s[R]))
	continue;

      /* We win.  The remaining address must be the client host.  We should
       * proxy this query.
       */
      q->resp = R_NAT;
      q->u.nat = s[i^3];
      goto done;
    }

    /* Reached the end of the NAT file. */
    if (ferror(natfp)) {
      logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
	     strerror(errno));
      goto err_unk;
    }
  }

#undef NEXTFIELD

  /* We didn't find a match anywhere.  How unfortunate. */
  logmsg(q, LOG_NOTICE, "connection not found");
  q->resp = R_ERROR;
  q->u.error = E_NOUSER;
  goto done;

err_unk:
  /* Something went wrong and the protocol can't express what.  We should
   * have logged what the problem actually was.
   */
  q->resp = R_ERROR;
  q->u.error = E_UNKNOWN;

done:
  /* All done. */
  dstr_destroy(&d);
  if (fp) fclose(fp);
}

/* Initialize the system-specific code. */
void init_sys(void)
{
  if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
      errno != ENOENT) {
    die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
	strerror(errno));
  }
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
9dcdc856 MW	1	/* --c--
9dcdc856 MW	2	*
bf4d9761	3	* Discover the owner of a connection (Linux version)
9dcdc856 MW	4	*
	5	* (c) 2012 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Yet Another Ident Daemon (YAID).
	11	*
	12	* YAID is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* YAID is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with YAID; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
	27	/----- Header files ------------------------------------------------------/
	28
9da480be	29	#include "yaid.h"
9dcdc856	30
c3794524 MW	31	#include <linux/netlink.h>
	32	#include <linux/rtnetlink.h>
	33
9dcdc856 MW	34	/----- Static variables --------------------------------------------------/
9dcdc856 MW	35
c3794524	36	static FILE natfp; / File handle for NAT table */
b093b41d MW	37
	38	/----- Address-type operations -------------------------------------------/
	39
bf4d9761 MW	40	struct addrops_sys {
bf4d9761 MW	41	const char *procfile;
2a9b8d4a	42	const char *nfl3name;
bf4d9761	43	int (parseaddr)(char , union addr );
9dcdc856 MW	44	};
9dcdc856 MW	45
3b1bed1d	46	#define PROCFILE_IPV4 "/proc/net/tcp"
2a9b8d4a	47	#define NFL3NAME_IPV4 "ipv4"
3b1bed1d	48
bf4d9761	49	static int parseaddr_ipv4(char *pp, union addr a)
9da480be	50	{ a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }
9dcdc856	51
3b1bed1d	52	#define PROCFILE_IPV6 "/proc/net/tcp6"
2a9b8d4a	53	#define NFL3NAME_IPV6 "ipv6"
9dcdc856	54
bf4d9761	55	static int parseaddr_ipv6(char *pp, union addr a)
9da480be MW	56	{
	57	int i, j;
	58	unsigned long y;
	59	char p = pp;
	60	unsigned x;
	61
c3794524	62	/* The format is byteswapped in a really annoying way. */
9da480be MW	63	for (i = 0; i < 4; i++) {
	64	y = 0;
	65	for (j = 0; j < 8; j++) {
	66	if ('0' <= p && p <= '9') x = *p - '0';
	67	else if ('a' <= p && p <= 'f') x = *p - 'a'+ 10;
	68	else if ('A' <= p && p <= 'F') x = *p - 'A'+ 10;
	69	else return (-1);
	70	y = (y << 4) \| x;
	71	p++;
	72	}
	73	a->ipv6.s6_addr32[i] = y;
	74	}
	75	*pp = p;
	76	return (0);
	77	}
	78
3b1bed1d MW	79	#define DEFOPSYS(ty, TY) \
3b1bed1d MW	80	const struct addrops_sys addrops_sys_##ty = { \
2a9b8d4a	81	PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty \
3b1bed1d MW	82	};
	83	ADDRTYPES(DEFOPSYS)
	84	#undef DEFOPSYS
9dcdc856 MW	85
	86	/----- Main code ---------------------------------------------------------/
	87
c3794524 MW	88	/* Store in A the default gateway address for the given address family.
	89	* Return zero on success, or nonzero on error.
	90	*/
77fb54ff	91	static int get_default_gw(int af, union addr *a)
9dcdc856	92	{
9da480be MW	93	int fd;
	94	char buf[32768];
	95	struct nlmsghdr *nlmsg;
	96	struct rtgenmsg *rtgen;
	97	const struct rtattr *rta;
	98	const struct rtmsg *rtm;
	99	ssize_t n, nn;
	100	int rc = 0;
	101	static unsigned long seq = 0x48b4aec4;
	102
c3794524	103	/* Open a netlink socket for interrogating the kernel. */
9da480be MW	104	if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
	105	die(1, "failed to create netlink socket: %s", strerror(errno));
	106
c3794524 MW	107	/* We want to read the routing table. There doesn't seem to be a good way
	108	* to do this without just crawling through the whole thing.
	109	*/
9da480be MW	110	nlmsg = (struct nlmsghdr *)buf;
	111	assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
	112	nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
	113	nlmsg->nlmsg_type = RTM_GETROUTE;
	114	nlmsg->nlmsg_flags = NLM_F_REQUEST \| NLM_F_ROOT;
	115	nlmsg->nlmsg_seq = ++seq;
	116	nlmsg->nlmsg_pid = 0;
	117
	118	rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
	119	rtgen->rtgen_family = af;
	120
	121	if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
	122	die(1, "failed to send RTM_GETROUTE request: %s", strerror(errno));
9dcdc856	123
c3794524	124	/* Now we try to parse the answer. */
9da480be	125	for (;;) {
c3794524 MW	126
c3794524 MW	127	/* Not finished yet, so read another chunk of answer. */
9da480be MW	128	if ((n = read(fd, buf, sizeof(buf))) < 0)
9da480be MW	129	die(1, "failed to read RTM_GETROUTE response: %s", strerror(errno));
c3794524 MW	130
c3794524 MW	131	/* Start at the beginning of the response. */
9da480be	132	nlmsg = (struct nlmsghdr *)buf;
c3794524 MW	133
	134	/* Make sure this looks plausible. The precise rules don't appear to be
	135	* documented, so it seems advisable to fail messily if my understanding
	136	* is wrong.
	137	*/
9da480be MW	138	if (nlmsg->nlmsg_seq != seq) continue;
	139	assert(nlmsg->nlmsg_flags & NLM_F_MULTI);
	140
c3794524	141	/* Work through all of the individual routes. */
9da480be MW	142	for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
	143	if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
	144	if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
	145	rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);
	146
c3794524 MW	147	/* If this record doesn't look interesting then skip it. */
	148	if (rtm->rtm_family != af \|\| /* wrong address family */
	149	rtm->rtm_dst_len > 0 \|\| /* specific destination */
	150	rtm->rtm_src_len > 0 \|\| /* specific source */
	151	rtm->rtm_type != RTN_UNICAST \|\| /* not for unicast */
	152	rtm->rtm_scope != RT_SCOPE_UNIVERSE \|\| /* wrong scope */
	153	rtm->rtm_tos != 0) /* specific type of service */
9da480be	154	continue;
9dcdc856	155
c3794524	156	/* Trundle through the attributes and find the gateway address. */
9da480be MW	157	for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
9da480be MW	158	RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {
c3794524 MW	159
	160	/* Got one. We're all done. Except that we should carry on reading
	161	* to the end, or something bad will happen.
	162	*/
9da480be MW	163	if (rta->rta_type == RTA_GATEWAY) {
	164	assert(RTA_PAYLOAD(rta) <= sizeof(*a));
	165	memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
	166	rc = 1;
	167	}
	168	}
	169	}
	170	}
9dcdc856	171
9da480be MW	172	done:
	173	close(fd);
	174	return (rc);
9dcdc856 MW	175	}
9dcdc856 MW	176
c3794524 MW	177	/* Find out who is responsible for the connection described in the query Q.
	178	* Write the answer to Q. Errors are logged and reported via the query
	179	* structure.
	180	*/
9da480be	181	void identify(struct query *q)
9dcdc856	182	{
9dcdc856 MW	183	FILE *fp = 0;
	184	dstr d = DSTR_INIT;
	185	char p, pp;
	186	struct socket s[4];
	187	int i;
9da480be	188	int gwp = 0;
9dcdc856 MW	189	unsigned fl;
	190	#define F_SADDR 1u
	191	#define F_SPORT 2u
	192	#define F_DADDR 4u
	193	#define F_DPORT 8u
	194	#define F_ALL (F_SADDR \| F_SPORT \| F_DADDR \| F_DPORT)
	195	#define F_ESTAB 16u
	196	uid_t uid;
	197	enum { LOC, REM, ST, UID, NFIELD };
	198	int f, ff[NFIELD];
	199
c3794524 MW	200	/* If we have a default gateway, and it matches the remote address then
	201	* this may be a proxy connection from our NAT, so remember this, and don't
	202	* inspect the remote addresses in the TCP tables.
	203	*/
bf4d9761 MW	204	if (get_default_gw(q->ao->af, &s[0].addr) &&
bf4d9761 MW	205	q->ao->addreq(&s[0].addr, &q->s[R].addr))
9da480be MW	206	gwp = 1;
9da480be MW	207
c3794524	208	/* Open the relevant TCP connection table. */
bf4d9761	209	if ((fp = fopen(q->ao->sys->procfile, "r")) == 0) {
9dcdc856	210	logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
bf4d9761	211	q->ao->sys->procfile, strerror(errno));
9dcdc856 MW	212	goto err_unk;
	213	}
	214
c3794524 MW	215	/* Initially, PP points into a string containing whitespace-separated
	216	* fields. Point P to the next field, null-terminate it, and advance PP
	217	* so that we can read the next field in the next call.
	218	*/
9dcdc856 MW	219	#define NEXTFIELD do { \
	220	for (p = pp; isspace((unsigned char)*p); p++); \
	221	for (pp = p; pp && !isspace((unsigned char)pp); pp++); \
	222	if (pp) pp++ = 0; \
	223	} while (0)
	224
c3794524	225	/* Read the header line from the file. */
9dcdc856 MW	226	if (dstr_putline(&d, fp) == EOF) {
9dcdc856 MW	227	logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
bf4d9761 MW	228	q->ao->sys->procfile,
bf4d9761 MW	229	ferror(fp) ? strerror(errno) : "unexpected EOF");
9dcdc856 MW	230	goto err_unk;
	231	}
	232
c3794524 MW	233	/* Now scan the header line to identify which columns the various
	234	* interesting fields are in. Store these in the map `ff'. Problems:
	235	* `tx_queue rx_queue' and `tr tm->when' are both really single columns in
	236	* disguise; and the remote address column has a different heading
	237	* depending on which address family we're using. Rather than dispatch,
	238	* just recognize both of them.
	239	*/
9dcdc856 MW	240	for (i = 0; i < NFIELD; i++) ff[i] = -1;
	241	pp = d.buf;
	242	for (f = 0;; f++) {
	243	NEXTFIELD; if (!*p) break;
	244	if (strcmp(p, "local_address") == 0)
	245	ff[LOC] = f;
	246	else if (strcmp(p, "rem_address") == 0 \|\|
	247	strcmp(p, "remote_address") == 0)
	248	ff[REM] = f;
	249	else if (strcmp(p, "uid") == 0)
	250	ff[UID] = f;
	251	else if (strcmp(p, "st") == 0)
	252	ff[ST] = f;
	253	else if (strcmp(p, "rx_queue") == 0 \|\|
	254	strcmp(p, "tm->when") == 0)
	255	f--;
	256	}
c3794524 MW	257
c3794524 MW	258	/* Make sure that we found all of the fields we actually want. */
9dcdc856 MW	259	for (i = 0; i < NFIELD; i++) {
	260	if (ff[i] < 0) {
	261	logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
bf4d9761	262	q->ao->sys->procfile);
9dcdc856 MW	263	goto err_unk;
	264	}
	265	}
	266
c3794524	267	/* Work through the lines in the file. */
9dcdc856	268	for (;;) {
c3794524 MW	269
c3794524 MW	270	/* Read a line, and prepare to scan the fields. */
9dcdc856 MW	271	DRESET(&d);
	272	if (dstr_putline(&d, fp) == EOF) break;
	273	pp = d.buf;
	274	uid = -1;
c3794524 MW	275
	276	/* Work through the fields. If an address field fails to match then we
	277	* skip this record. If the state field isn't 1 (`ESTABLISHED') then
	278	* skip the record. If it's the UID, then remember it: if we get all the
	279	* way to the end then we've won.
	280	*/
9dcdc856 MW	281	for (f = 0;; f++) {
	282	NEXTFIELD; if (!*p) break;
	283	if (f == ff[LOC]) { i = L; goto compare; }
	284	else if (f == ff[REM]) { i = R; goto compare; }
	285	else if (f == ff[UID]) uid = atoi(p);
	286	else if (f == ff[ST]) {
	287	if (strtol(p, 0, 16) != 1) goto next_row;
	288	}
	289	continue;
	290
	291	compare:
c3794524 MW	292	/* Compare an address (in the current field) with the local or remote
	293	* address in the query, as indicated by `i'. The address field looks
	294	* like `ADDR:PORT', where the ADDR is in some mad format which
	295	* `sys->parseaddr' knows how to unpick. If the remote address in the
	296	* query is our gateway then don't check the remote address in the
	297	* field (but do check the port number).
	298	*/
bf4d9761	299	if (q->ao->sys->parseaddr(&p, &s[0].addr)) goto next_row;
9dcdc856 MW	300	if (*p != ':') break; p++;
9dcdc856 MW	301	s[0].port = strtoul(p, 0, 16);
c3794524 MW	302	if ((i == R && gwp) ?
	303	q->s[R].port != s[0].port :
	304	!sockeq(q->ao, &q->s[i], &s[0]))
9da480be	305	goto next_row;
9dcdc856	306	}
c3794524 MW	307
	308	/* We got to the end, and everything matched. If we found a UID then
	309	* we're done.
	310	*/
9dcdc856	311	if (uid != -1) {
9da480be MW	312	q->resp = R_UID;
9da480be MW	313	q->u.uid = uid;
9dcdc856 MW	314	goto done;
	315	}
	316	next_row:;
	317	}
	318
c3794524	319	/* We got to the end of the file and didn't find anything. */
9dcdc856	320	if (ferror(fp)) {
b093b41d MW	321	logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
b093b41d MW	322	q->ao->sys->procfile, strerror(errno));
9dcdc856 MW	323	goto err_unk;
	324	}
	325
c3794524 MW	326	/* If we opened the NAT table file, and we're using IPv4, then check to see
	327	* whether we should proxy the connection. At least the addresses in this
	328	* file aren't crazy.
	329	*/
2a9b8d4a	330	if (natfp) {
c3794524 MW	331
c3794524 MW	332	/* Start again from the beginning. */
b093b41d	333	rewind(natfp);
9dcdc856	334
c3794524	335	/* Read a line at a time. */
9dcdc856	336	for (;;) {
c3794524 MW	337
c3794524 MW	338	/* Read the line. */
9dcdc856	339	DRESET(&d);
b093b41d	340	if (dstr_putline(&d, natfp) == EOF) break;
9dcdc856	341	pp = d.buf;
2a9b8d4a	342
c3794524	343	/* Check that this is for the right protocol. */
2a9b8d4a MW	344	NEXTFIELD; if (!*p) break;
	345	if (strcmp(p, q->ao->sys->nfl3name)) continue;
	346	NEXTFIELD; if (!*p) break;
9dcdc856 MW	347	NEXTFIELD; if (!*p) break;
9dcdc856 MW	348	if (strcmp(p, "tcp") != 0) continue;
c3794524 MW	349
	350	/* Parse the other fields. Each line has two src/dst pairs, for the
	351	* outgoing and incoming directions. Depending on exactly what kind of
	352	* NAT is in use, either the outgoing source or the incoming
	353	* destination might be the client we're after. Collect all of the
	354	* addresses and sort out the mess later.
	355	*/
9dcdc856 MW	356	i = 0;
	357	fl = 0;
	358	for (;;) {
	359	NEXTFIELD; if (!*p) break;
	360	if (strcmp(p, "ESTABLISHED") == 0)
	361	fl \|= F_ESTAB;
	362	else if (strncmp(p, "src=", 4) == 0) {
2a9b8d4a	363	inet_pton(q->ao->af, p + 4, &s[i].addr);
9dcdc856 MW	364	fl \|= F_SADDR;
9dcdc856 MW	365	} else if (strncmp(p, "dst=", 4) == 0) {
2a9b8d4a	366	inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
9dcdc856 MW	367	fl \|= F_DADDR;
	368	} else if (strncmp(p, "sport=", 6) == 0) {
	369	s[i].port = atoi(p + 6);
	370	fl \|= F_SPORT;
	371	} else if (strncmp(p, "dport=", 6) == 0) {
	372	s[i + 1].port = atoi(p + 6);
	373	fl \|= F_DPORT;
	374	}
	375	if ((fl & F_ALL) == F_ALL) {
	376	fl &= ~F_ALL;
	377	if (i < 4) i += 2;
	378	else break;
	379	}
	380	}
	381
	382	#ifdef notdef
	383	{
c3794524	384	/* Print the record we found. */
9dcdc856 MW	385	dstr dd = DSTR_INIT;
9dcdc856 MW	386	dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
bf4d9761	387	dputsock(&dd, q->ao, &s[0]);
9dcdc856	388	dstr_puts(&dd, "<->");
bf4d9761	389	dputsock(&dd, q->ao, &s[1]);
9dcdc856	390	dstr_puts(&dd, " \| ");
bf4d9761	391	dputsock(&dd, q->ao, &s[2]);
9dcdc856	392	dstr_puts(&dd, "<->");
bf4d9761	393	dputsock(&dd, q->ao, &s[3]);
9dcdc856 MW	394	printf("parsed: %s\n", dd.buf);
	395	dstr_destroy(&dd);
	396	}
	397	#endif
	398
c3794524	399	/* If the connection isn't ESTABLISHED then skip it. */
9dcdc856 MW	400	if (!(fl & F_ESTAB)) continue;
9dcdc856 MW	401
c3794524 MW	402	/* Now we try to piece together what's going on. One of these
	403	* addresses will be us. So let's just try to find it.
	404	*/
9dcdc856	405	for (i = 0; i < 4; i++)
bf4d9761	406	if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
9dcdc856	407	continue;
c3794524	408
9dcdc856	409	found_local:
c3794524 MW	410	/* So address `i' is us. In that case, we expect the other address in
	411	* the same direction, and the same address in the opposite direction,
	412	* to match each other and be the remote address in the query.
	413	*/
bf4d9761 MW	414	if (!sockeq(q->ao, &s[i^1], &s[i^2]) \|\|
bf4d9761 MW	415	!sockeq(q->ao, &s[i^1], &q->s[R]))
9dcdc856	416	continue;
c3794524 MW	417
	418	/* We win. The remaining address must be the client host. We should
	419	* proxy this query.
	420	*/
9da480be MW	421	q->resp = R_NAT;
9da480be MW	422	q->u.nat = s[i^3];
9dcdc856 MW	423	goto done;
	424	}
	425
2a9b8d4a	426	/* Reached the end of the NAT file. */
b093b41d	427	if (ferror(natfp)) {
2a9b8d4a	428	logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
9dcdc856 MW	429	strerror(errno));
	430	goto err_unk;
	431	}
	432	}
	433
	434	#undef NEXTFIELD
	435
c3794524	436	/* We didn't find a match anywhere. How unfortunate. */
b093b41d	437	logmsg(q, LOG_NOTICE, "connection not found");
9da480be MW	438	q->resp = R_ERROR;
9da480be MW	439	q->u.error = E_NOUSER;
9dcdc856	440	goto done;
c3794524	441
9dcdc856	442	err_unk:
c3794524 MW	443	/* Something went wrong and the protocol can't express what. We should
	444	* have logged what the problem actually was.
	445	*/
9da480be MW	446	q->resp = R_ERROR;
9da480be MW	447	q->u.error = E_UNKNOWN;
c3794524	448
9dcdc856	449	done:
c3794524	450	/* All done. */
9dcdc856	451	dstr_destroy(&d);
60150b4c	452	if (fp) fclose(fp);
9dcdc856 MW	453	}
9dcdc856 MW	454
c3794524	455	/* Initialize the system-specific code. */
b093b41d MW	456	void init_sys(void)
b093b41d MW	457	{
2a9b8d4a	458	if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
b093b41d	459	errno != ENOENT) {
2a9b8d4a	460	die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
b093b41d MW	461	strerror(errno));
	462	}
	463	}
	464
9dcdc856	465	/----- That's all, folks -------------------------------------------------/