~mdw / yaid / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Makefile.am: Tweak `silent-rules' machinery.
[yaid] / linux.c
1 /* -*-c-*-
2 *
3 * Discover the owner of a connection (Linux version)
4 *
5 * (c) 2012 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Yet Another Ident Daemon (YAID).
11 *
12 * YAID is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * YAID is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with YAID; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
27 /*----- Header files ------------------------------------------------------*/
28
29 #include "yaid.h"
30
31 #include <linux/netlink.h>
32 #include <linux/rtnetlink.h>
33
34 /*----- Static variables --------------------------------------------------*/
35
36 static FILE *natfp; /* File handle for NAT table */
37 static int randfd; /* File descriptor for random data */
38
39 /*----- Miscellaneous system services -------------------------------------*/
40
41 /* Fill the buffer at P with SZ random bytes. The buffer will be moderately
42 * large: this is intended to be a low-level interface, not a general-purpose
43 * utility.
44 */
45 void fill_random(void *p, size_t sz)
46 {
47 ssize_t n;
48
49 n = read(randfd, p, sz);
50 if (n < 0) fatal("error reading `/dev/urandom': %s", strerror(errno));
51 else if (n < sz) fatal("unexpected short read from `/dev/urandom'");
52 }
53
54 /*----- Address-type operations -------------------------------------------*/
55
56 struct addrops_sys {
57 const char *procfile;
58 const char *nfl3name;
59 int (*parseaddr)(char **, union addr *);
60 };
61
62 #define PROCFILE_IPV4 "/proc/net/tcp"
63 #define NFL3NAME_IPV4 "ipv4"
64
65 static int parseaddr_ipv4(char **pp, union addr *a)
66 { a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }
67
68 #define PROCFILE_IPV6 "/proc/net/tcp6"
69 #define NFL3NAME_IPV6 "ipv6"
70
71 static int parseaddr_ipv6(char **pp, union addr *a)
72 {
73 int i, j;
74 unsigned long y;
75 char *p = *pp;
76 unsigned x;
77
78 /* The format is byteswapped in a really annoying way. */
79 for (i = 0; i < 4; i++) {
80 y = 0;
81 for (j = 0; j < 8; j++) {
82 if ('0' <= *p && *p <= '9') x = *p - '0';
83 else if ('a' <= *p && *p <= 'f') x = *p - 'a' + 10;
84 else if ('A' <= *p && *p <= 'F') x = *p - 'A' + 10;
85 else return (-1);
86 y = (y << 4) | x;
87 p++;
88 }
89 a->ipv6.s6_addr32[i] = y;
90 }
91 *pp = p;
92 return (0);
93 }
94
95 #define DEFOPSYS(ty, TY) \
96 const struct addrops_sys addrops_sys_##ty = { \
97 PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty \
98 };
99 ADDRTYPES(DEFOPSYS)
100 #undef DEFOPSYS
101
102 /*----- Main code ---------------------------------------------------------*/
103
104 /* Store in A the default gateway address for the given address family.
105 * Return zero on success, or nonzero on error.
106 */
107 static int get_default_gw(int af, union addr *a)
108 {
109 int fd;
110 char buf[32768];
111 struct nlmsghdr *nlmsg;
112 struct rtgenmsg *rtgen;
113 const struct rtattr *rta;
114 const struct rtmsg *rtm;
115 ssize_t n, nn;
116 int rc = -1;
117 static unsigned long seq = 0x48b4aec4;
118
119 /* Open a netlink socket for interrogating the kernel. */
120 if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
121 fatal("failed to create netlink socket: %s", strerror(errno));
122
123 /* We want to read the routing table. There doesn't seem to be a good way
124 * to do this without just crawling through the whole thing.
125 */
126 nlmsg = (struct nlmsghdr *)buf;
127 assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
128 nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
129 nlmsg->nlmsg_type = RTM_GETROUTE;
130 nlmsg->nlmsg_flags = NLM_F_REQUEST | NLM_F_ROOT;
131 nlmsg->nlmsg_seq = ++seq;
132 nlmsg->nlmsg_pid = 0;
133
134 rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
135 rtgen->rtgen_family = af;
136
137 if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
138 fatal("failed to send RTM_GETROUTE request: %s", strerror(errno));
139
140 /* Now we try to parse the answer. */
141 for (;;) {
142
143 /* Not finished yet, so read another chunk of answer. */
144 if ((n = read(fd, buf, sizeof(buf))) < 0)
145 fatal("failed to read RTM_GETROUTE response: %s", strerror(errno));
146
147 /* Start at the beginning of the response. */
148 nlmsg = (struct nlmsghdr *)buf;
149
150 /* Make sure this looks plausible. The precise rules don't appear to be
151 * documented, so it seems advisable to fail messily if my understanding
152 * is wrong.
153 */
154 if (nlmsg->nlmsg_seq != seq) continue;
155 assert(nlmsg->nlmsg_flags & NLM_F_MULTI);
156
157 /* Work through all of the individual routes. */
158 for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
159 if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
160 if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
161 rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);
162
163 /* If this record doesn't look interesting then skip it. */
164 if (rtm->rtm_family != af || /* wrong address family */
165 rtm->rtm_dst_len > 0 || /* specific destination */
166 rtm->rtm_src_len > 0 || /* specific source */
167 rtm->rtm_type != RTN_UNICAST || /* not for unicast */
168 rtm->rtm_scope != RT_SCOPE_UNIVERSE || /* wrong scope */
169 rtm->rtm_tos != 0) /* specific type of service */
170 continue;
171
172 /* Trundle through the attributes and find the gateway address. */
173 for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
174 RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {
175
176 /* Got one. We're all done. Except that we should carry on reading
177 * to the end, or something bad will happen.
178 */
179 if (rta->rta_type == RTA_GATEWAY) {
180 assert(RTA_PAYLOAD(rta) <= sizeof(*a));
181 memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
182 rc = 0;
183 }
184 }
185 }
186 }
187
188 done:
189 close(fd);
190 return (rc);
191 }
192
193 /* Initially, PP points into a string containing whitespace-separated fields.
194 * Point P to the next field, null-terminate it, and advance PP so that we
195 * can read the next field in the next call.
196 */
197 #define NEXTFIELD do { \
198 for (p = pp; isspace((unsigned char)*p); p++); \
199 for (pp = p; *pp && !isspace((unsigned char)*pp); pp++); \
200 if (*pp) *pp++ = 0; \
201 } while (0)
202
203 /* Search the `tcp' connection table for the address family AO, looking for a
204 * connection between the addresses in QS. GWP is nonzero if the query's
205 * remote address is our gateway and we shouldn't expect the remote address
206 * in the system table to actually match it because of NAT. Return nonzero
207 * if we have filled in Q conclusively; return zero if the caller should try
208 * a different approach.
209 */
210 static int search_tcp_file(struct query *q, int gwp,
211 const struct addrops *ao,
212 struct socket qs[NDIR])
213 {
214 FILE *fp = 0;
215 dstr d = DSTR_INIT;
216 char *p, *pp;
217 struct socket s[NDIR];
218 int i;
219 uid_t uid;
220 enum { LOC, REM, ST, UID, NFIELD };
221 int f, ff[NFIELD];
222 int rc = 1;
223
224 /* Open the relevant TCP connection table. */
225 if ((fp = fopen(ao->sys->procfile, "r")) == 0) {
226 logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
227 ao->sys->procfile, strerror(errno));
228 goto err_unk;
229 }
230
231 /* Read the header line from the file. */
232 if (dstr_putline(&d, fp) == EOF) {
233 logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
234 ao->sys->procfile,
235 ferror(fp) ? strerror(errno) : "unexpected EOF");
236 goto err_unk;
237 }
238
239 /* Now scan the header line to identify which columns the various
240 * interesting fields are in. Store these in the map `ff'. Problems:
241 * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
242 * disguise; and the remote address column has a different heading
243 * depending on which address family we're using. Rather than dispatch,
244 * just recognize both of them.
245 */
246 for (i = 0; i < NFIELD; i++) ff[i] = -1;
247 pp = d.buf;
248 for (f = 0;; f++) {
249 NEXTFIELD; if (!*p) break;
250 if (strcmp(p, "local_address") == 0)
251 ff[LOC] = f;
252 else if (strcmp(p, "rem_address") == 0 ||
253 strcmp(p, "remote_address") == 0)
254 ff[REM] = f;
255 else if (strcmp(p, "uid") == 0)
256 ff[UID] = f;
257 else if (strcmp(p, "st") == 0)
258 ff[ST] = f;
259 else if (strcmp(p, "rx_queue") == 0 ||
260 strcmp(p, "tm->when") == 0)
261 f--;
262 }
263
264 /* Make sure that we found all of the fields we actually want. */
265 for (i = 0; i < NFIELD; i++) {
266 if (ff[i] < 0) {
267 logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
268 ao->sys->procfile);
269 goto err_unk;
270 }
271 }
272
273 /* Work through the lines in the file. */
274 for (;;) {
275
276 /* Read a line, and prepare to scan the fields. */
277 DRESET(&d);
278 if (dstr_putline(&d, fp) == EOF) break;
279 pp = d.buf;
280 uid = -1;
281
282 /* Work through the fields. If an address field fails to match then we
283 * skip this record. If the state field isn't 1 (`ESTABLISHED') then
284 * skip the record. If it's the UID, then remember it: if we get all the
285 * way to the end then we've won.
286 */
287 for (f = 0;; f++) {
288 NEXTFIELD; if (!*p) break;
289 if (f == ff[LOC]) { i = L; goto compare; }
290 else if (f == ff[REM]) { i = R; goto compare; }
291 else if (f == ff[UID]) uid = atoi(p);
292 else if (f == ff[ST]) {
293 if (strtol(p, 0, 16) != 1) goto next_row;
294 }
295 continue;
296
297 compare:
298 /* Compare an address (in the current field) with the local or remote
299 * address in the query, as indicated by `i'. The address field looks
300 * like `ADDR:PORT', where the ADDR is in some mad format which
301 * `sys->parseaddr' knows how to unpick. If the remote address in the
302 * query is our gateway then don't check the remote address in the
303 * field (but do check the port number).
304 */
305 if (ao->sys->parseaddr(&p, &s[i].addr)) goto next_row;
306 if (*p != ':') break;
307 p++;
308 s[i].port = strtoul(p, 0, 16);
309 if ((i == R && gwp) ?
310 qs[R].port != s[i].port :
311 !sockeq(ao, &qs[i], &s[i]))
312 goto next_row;
313 }
314
315 /* We got to the end, and everything matched. If we found a UID then
316 * we're done. If the apparent remote address is our gateway then copy
317 * the true one into the query structure.
318 */
319 if (uid != -1) {
320 q->resp = R_UID;
321 q->u.uid = uid;
322 if (gwp) qs[R].addr = s[i].addr;
323 goto done;
324 }
325 next_row:;
326 }
327
328 /* We got to the end of the file and didn't find anything. */
329 if (ferror(fp)) {
330 logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
331 ao->sys->procfile, strerror(errno));
332 goto err_unk;
333 }
334 rc = 0;
335
336 err_unk:
337 /* Something went wrong and the protocol can't express what. We should
338 * have logged what the problem actually was.
339 */
340 q->resp = R_ERROR;
341 q->u.error = E_UNKNOWN;
342
343 done:
344 /* All done. */
345 dstr_destroy(&d);
346 if (fp) fclose(fp);
347 return (rc);
348 }
349
350 /* Convert the IPv4 socket address IN into the equivalent IPv4-mapped IPv6
351 * address OUT.
352 */
353 static void map_v4(struct socket *out, const struct socket *in)
354 {
355 unsigned i;
356 in_addr_t a4 = ntohl(in->addr.ipv4.s_addr);
357
358 for (i = 0; i < 10; i++) out->addr.ipv6.s6_addr[i] = 0;
359 for (i = 10; i < 12; i++) out->addr.ipv6.s6_addr[i] = 0xff;
360 for (i = 0; i < 4; i++) out->addr.ipv6.s6_addr[15 - i] = (a4 >> 8*i)&0xff;
361 out->port = in->port;
362 }
363
364 /* Convert the IPv4-mapped IPv6 socket address IN into the equivalent IPv4
365 * address OUT; return -1 if the IN address isn't actually IPv4-mapped.
366 */
367 static int unmap_v4(struct socket *out, const struct socket *in)
368 {
369 unsigned i;
370 in_addr_t a4 = 0;
371
372 for (i = 0; i < 10; i++) if (in->addr.ipv6.s6_addr[i] != 0) return (-1);
373 for (i = 10; i < 12; i++) if (in->addr.ipv6.s6_addr[i] != 0xff) return (-1);
374 for (i = 0; i < 4; i++) a4 |= in->addr.ipv6.s6_addr[15 - i] << 8*i;
375 out->addr.ipv4.s_addr = htonl(a4);
376 out->port = in->port;
377 return (0);
378 }
379
380 /* Find out who is responsible for the connection described in the query Q.
381 * Write the answer to Q. Errors are logged and reported via the query
382 * structure.
383 */
384 void identify(struct query *q)
385 {
386 FILE *fp = 0;
387 dstr d = DSTR_INIT;
388 char *p, *pp;
389 struct socket s[4];
390 int i;
391 int gwp = 0;
392 unsigned fl;
393 #define F_SADDR 1u
394 #define F_SPORT 2u
395 #define F_DADDR 4u
396 #define F_DPORT 8u
397 #define F_ALL (F_SADDR | F_SPORT | F_DADDR | F_DPORT)
398 #define F_ESTAB 16u
399
400 /* If we have a default gateway, and it matches the remote address then
401 * this may be a proxy connection from our NAT, so remember this, and don't
402 * inspect the remote addresses in the TCP tables.
403 */
404 if (!get_default_gw(q->ao->af, &s[0].addr) &&
405 q->ao->addreq(&s[0].addr, &q->s[R].addr))
406 gwp = 1;
407
408 /* Search the main `tcp' table. */
409 if (search_tcp_file(q, gwp, q->ao, q->s)) goto done;
410
411 /* Oh, dear. If this is IPv4, then the entry might actually be in the IPv6
412 * table, with weird addresses. So we must try again.
413 */
414 if (q->ao->af == AF_INET) {
415 map_v4(&s[L], &q->s[L]); map_v4(&s[R], &q->s[R]);
416 if (search_tcp_file(q, gwp, &addroptab[ADDR_IPV6], s)) {
417 if (gwp && unmap_v4(&q->s[R], &s[R])) {
418 logmsg(q, LOG_ERR, "can't unmap NATted destination address");
419 goto err_unk;
420 }
421 goto done;
422 }
423 }
424
425 /* If we opened the NAT table file, and we're using IPv4, then check to see
426 * whether we should proxy the connection. At least the addresses in this
427 * file aren't crazy.
428 */
429 if (natfp) {
430
431 /* Start again from the beginning. */
432 rewind(natfp);
433
434 /* Read a line at a time. */
435 for (;;) {
436
437 /* Read the line. */
438 DRESET(&d);
439 if (dstr_putline(&d, natfp) == EOF) break;
440 pp = d.buf;
441
442 /* Check that this is for the right protocol. */
443 NEXTFIELD; if (!*p) break;
444 if (strcmp(p, q->ao->sys->nfl3name)) continue;
445 NEXTFIELD; if (!*p) break;
446 NEXTFIELD; if (!*p) break;
447 if (strcmp(p, "tcp") != 0) continue;
448
449 /* Parse the other fields. Each line has two src/dst pairs, for the
450 * outgoing and incoming directions. Depending on exactly what kind of
451 * NAT is in use, either the outgoing source or the incoming
452 * destination might be the client we're after. Collect all of the
453 * addresses and sort out the mess later.
454 */
455 i = 0;
456 fl = 0;
457 for (;;) {
458 NEXTFIELD; if (!*p) break;
459 if (strcmp(p, "ESTABLISHED") == 0)
460 fl |= F_ESTAB;
461 else if (strncmp(p, "src=", 4) == 0) {
462 inet_pton(q->ao->af, p + 4, &s[i].addr);
463 fl |= F_SADDR;
464 } else if (strncmp(p, "dst=", 4) == 0) {
465 inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
466 fl |= F_DADDR;
467 } else if (strncmp(p, "sport=", 6) == 0) {
468 s[i].port = atoi(p + 6);
469 fl |= F_SPORT;
470 } else if (strncmp(p, "dport=", 6) == 0) {
471 s[i + 1].port = atoi(p + 6);
472 fl |= F_DPORT;
473 }
474 if ((fl & F_ALL) == F_ALL) {
475 fl &= ~F_ALL;
476 if (i < 4) i += 2;
477 else break;
478 }
479 }
480
481 #ifdef DEBUG
482 {
483 /* Print the record we found. */
484 dstr dd = DSTR_INIT;
485 dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
486 dputsock(&dd, q->ao, &s[0]);
487 dstr_puts(&dd, "<->");
488 dputsock(&dd, q->ao, &s[1]);
489 dstr_puts(&dd, " | ");
490 dputsock(&dd, q->ao, &s[2]);
491 dstr_puts(&dd, "<->");
492 dputsock(&dd, q->ao, &s[3]);
493 printf("parsed: %s\n", dd.buf);
494 dstr_destroy(&dd);
495 }
496 #endif
497
498 /* If the connection isn't ESTABLISHED then skip it. */
499 if (!(fl & F_ESTAB)) continue;
500
501 /* Now we try to piece together what's going on. One of these
502 * addresses will be us. So let's just try to find it.
503 */
504 for (i = 0; i < 4; i++)
505 if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
506 continue;
507
508 found_local:
509 /* So address `i' is us. In that case, we expect the other address in
510 * the same direction, and the same address in the opposite direction,
511 * to match each other and be the remote address in the query.
512 */
513 if (!sockeq(q->ao, &s[i^1], &s[i^2]) ||
514 !sockeq(q->ao, &s[i^1], &q->s[R]))
515 continue;
516
517 /* As a trap for the unwary, this file contains unhelpful entries which
518 * just mirror the source/destination addresses. If this is one of
519 * those, we'll be stuck in a cycle talking to ourselves.
520 */
521 if (sockeq(q->ao, &s[i], &s[i^3]))
522 continue;
523
524 /* We win. The remaining address must be the client host. We should
525 * proxy this query.
526 */
527 q->resp = R_NAT;
528 q->u.nat = s[i^3];
529 goto done;
530 }
531
532 /* Reached the end of the NAT file. */
533 if (ferror(natfp)) {
534 logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
535 strerror(errno));
536 goto err_unk;
537 }
538 }
539
540 /* We didn't find a match anywhere. How unfortunate. */
541 logmsg(q, LOG_NOTICE, "connection not found");
542 q->resp = R_ERROR;
543 q->u.error = E_NOUSER;
544 goto done;
545
546 err_unk:
547 /* Something went wrong and the protocol can't express what. We should
548 * have logged what the problem actually was.
549 */
550 q->resp = R_ERROR;
551 q->u.error = E_UNKNOWN;
552
553 done:
554 /* All done. */
555 dstr_destroy(&d);
556 if (fp) fclose(fp);
557 }
558
559 #undef NEXTFIELD
560
561 /* Initialize the system-specific code. */
562 void init_sys(void)
563 {
564 /* Open the NAT connection map. */
565 if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
566 errno != ENOENT) {
567 die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
568 strerror(errno));
569 }
570
571 /* Open the random data source. */
572 if ((randfd = open("/dev/urandom", O_RDONLY)) < 0) {
573 die(1, "failed to open `/dev/urandom' for reading: %s",
574 strerror(errno));
575 }
576 }
577
578 /*----- That's all, folks -------------------------------------------------*/
Yet Another Ident Daemon.