ec4fe4e7f0ae5eb5fdc0e0283031c89276d2ff70
3 * Discover the owner of a connection (Linux version)
5 * (c) 2012 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Yet Another Ident Daemon (YAID).
12 * YAID is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * YAID is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with YAID; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 #include <linux/netlink.h>
32 #include <linux/rtnetlink.h>
34 /*----- Static variables --------------------------------------------------*/
36 static FILE *natfp
; /* File handle for NAT table */
37 static int randfd
; /* File descriptor for random data */
39 /*----- Miscellaneous system services -------------------------------------*/
41 /* Fill the buffer at P with SZ random bytes. The buffer will be moderately
42 * large: this is intended to be a low-level interface, not a general-purpose
45 void fill_random(void *p
, size_t sz
)
49 n
= read(randfd
, p
, sz
);
50 if (n
< 0) fatal("error reading `/dev/urandom': %s", strerror(errno
));
51 else if (n
< sz
) fatal("unexpected short read from `/dev/urandom'");
54 /*----- Address-type operations -------------------------------------------*/
59 int (*parseaddr
)(char **, union addr
*);
62 #define PROCFILE_IPV4 "/proc/net/tcp"
63 #define NFL3NAME_IPV4 "ipv4"
65 static int parseaddr_ipv4(char **pp
, union addr
*a
)
66 { a
->ipv4
.s_addr
= strtoul(*pp
, pp
, 16); return (0); }
68 #define PROCFILE_IPV6 "/proc/net/tcp6"
69 #define NFL3NAME_IPV6 "ipv6"
71 static int parseaddr_ipv6(char **pp
, union addr
*a
)
78 /* The format is byteswapped in a really annoying way. */
79 for (i
= 0; i
< 4; i
++) {
81 for (j
= 0; j
< 8; j
++) {
82 if ('0' <= *p
&& *p
<= '9') x
= *p
- '0';
83 else if ('a' <= *p
&& *p
<= 'f') x
= *p
- 'a' + 10;
84 else if ('A' <= *p
&& *p
<= 'F') x
= *p
- 'A' + 10;
89 a
->ipv6
.s6_addr32
[i
] = y
;
95 #define DEFOPSYS(ty, TY) \
96 const struct addrops_sys addrops_sys_##ty = { \
97 PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty \
102 /*----- Main code ---------------------------------------------------------*/
104 /* Store in A the default gateway address for the given address family.
105 * Return zero on success, or nonzero on error.
107 static int get_default_gw(int af
, union addr
*a
)
111 struct nlmsghdr
*nlmsg
;
112 struct rtgenmsg
*rtgen
;
113 const struct rtattr
*rta
;
114 const struct rtmsg
*rtm
;
117 static unsigned long seq
= 0x48b4aec4;
119 /* Open a netlink socket for interrogating the kernel. */
120 if ((fd
= socket(AF_NETLINK
, SOCK_DGRAM
, NETLINK_ROUTE
)) < 0)
121 fatal("failed to create netlink socket: %s", strerror(errno
));
123 /* We want to read the routing table. There doesn't seem to be a good way
124 * to do this without just crawling through the whole thing.
126 nlmsg
= (struct nlmsghdr
*)buf
;
127 assert(NLMSG_SPACE(sizeof(*rtgen
)) < sizeof(buf
));
128 nlmsg
->nlmsg_len
= NLMSG_LENGTH(sizeof(*rtgen
));
129 nlmsg
->nlmsg_type
= RTM_GETROUTE
;
130 nlmsg
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ROOT
;
131 nlmsg
->nlmsg_seq
= ++seq
;
132 nlmsg
->nlmsg_pid
= 0;
134 rtgen
= (struct rtgenmsg
*)NLMSG_DATA(nlmsg
);
135 rtgen
->rtgen_family
= af
;
137 if (write(fd
, nlmsg
, nlmsg
->nlmsg_len
) < 0)
138 fatal("failed to send RTM_GETROUTE request: %s", strerror(errno
));
140 /* Now we try to parse the answer. */
143 /* Not finished yet, so read another chunk of answer. */
144 if ((n
= read(fd
, buf
, sizeof(buf
))) < 0)
145 fatal("failed to read RTM_GETROUTE response: %s", strerror(errno
));
147 /* Start at the beginning of the response. */
148 nlmsg
= (struct nlmsghdr
*)buf
;
150 /* Make sure this looks plausible. The precise rules don't appear to be
151 * documented, so it seems advisable to fail messily if my understanding
154 if (nlmsg
->nlmsg_seq
!= seq
) continue;
155 assert(nlmsg
->nlmsg_flags
& NLM_F_MULTI
);
157 /* Work through all of the individual routes. */
158 for (; NLMSG_OK(nlmsg
, n
); nlmsg
= NLMSG_NEXT(nlmsg
, n
)) {
159 if (nlmsg
->nlmsg_type
== NLMSG_DONE
) goto done
;
160 if (nlmsg
->nlmsg_type
!= RTM_NEWROUTE
) continue;
161 rtm
= (const struct rtmsg
*)NLMSG_DATA(nlmsg
);
163 /* If this record doesn't look interesting then skip it. */
164 if (rtm
->rtm_family
!= af
|| /* wrong address family */
165 rtm
->rtm_dst_len
> 0 || /* specific destination */
166 rtm
->rtm_src_len
> 0 || /* specific source */
167 rtm
->rtm_type
!= RTN_UNICAST
|| /* not for unicast */
168 rtm
->rtm_scope
!= RT_SCOPE_UNIVERSE
|| /* wrong scope */
169 rtm
->rtm_tos
!= 0) /* specific type of service */
172 /* Trundle through the attributes and find the gateway address. */
173 for (rta
= RTM_RTA(rtm
), nn
= RTM_PAYLOAD(nlmsg
);
174 RTA_OK(rta
, nn
); rta
= RTA_NEXT(rta
, nn
)) {
176 /* Got one. We're all done. Except that we should carry on reading
177 * to the end, or something bad will happen.
179 if (rta
->rta_type
== RTA_GATEWAY
) {
180 assert(RTA_PAYLOAD(rta
) <= sizeof(*a
));
181 memcpy(a
, RTA_DATA(rta
), RTA_PAYLOAD(rta
));
193 /* Find out who is responsible for the connection described in the query Q.
194 * Write the answer to Q. Errors are logged and reported via the query
197 void identify(struct query
*q
)
210 #define F_ALL (F_SADDR | F_SPORT | F_DADDR | F_DPORT)
213 enum { LOC
, REM
, ST
, UID
, NFIELD
};
216 /* If we have a default gateway, and it matches the remote address then
217 * this may be a proxy connection from our NAT, so remember this, and don't
218 * inspect the remote addresses in the TCP tables.
220 if (!get_default_gw(q
->ao
->af
, &s
[0].addr
) &&
221 q
->ao
->addreq(&s
[0].addr
, &q
->s
[R
].addr
))
224 /* Open the relevant TCP connection table. */
225 if ((fp
= fopen(q
->ao
->sys
->procfile
, "r")) == 0) {
226 logmsg(q
, LOG_ERR
, "failed to open `%s' for reading: %s",
227 q
->ao
->sys
->procfile
, strerror(errno
));
231 /* Initially, PP points into a string containing whitespace-separated
232 * fields. Point P to the next field, null-terminate it, and advance PP
233 * so that we can read the next field in the next call.
235 #define NEXTFIELD do { \
236 for (p = pp; isspace((unsigned char)*p); p++); \
237 for (pp = p; *pp && !isspace((unsigned char)*pp); pp++); \
238 if (*pp) *pp++ = 0; \
241 /* Read the header line from the file. */
242 if (dstr_putline(&d
, fp
) == EOF
) {
243 logmsg(q
, LOG_ERR
, "failed to read header line from `%s': %s",
244 q
->ao
->sys
->procfile
,
245 ferror(fp
) ?
strerror(errno
) : "unexpected EOF");
249 /* Now scan the header line to identify which columns the various
250 * interesting fields are in. Store these in the map `ff'. Problems:
251 * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
252 * disguise; and the remote address column has a different heading
253 * depending on which address family we're using. Rather than dispatch,
254 * just recognize both of them.
256 for (i
= 0; i
< NFIELD
; i
++) ff
[i
] = -1;
259 NEXTFIELD
; if (!*p
) break;
260 if (strcmp(p
, "local_address") == 0)
262 else if (strcmp(p
, "rem_address") == 0 ||
263 strcmp(p
, "remote_address") == 0)
265 else if (strcmp(p
, "uid") == 0)
267 else if (strcmp(p
, "st") == 0)
269 else if (strcmp(p
, "rx_queue") == 0 ||
270 strcmp(p
, "tm->when") == 0)
274 /* Make sure that we found all of the fields we actually want. */
275 for (i
= 0; i
< NFIELD
; i
++) {
277 logmsg(q
, LOG_ERR
, "failed to find required fields in `%s'",
278 q
->ao
->sys
->procfile
);
283 /* Work through the lines in the file. */
286 /* Read a line, and prepare to scan the fields. */
288 if (dstr_putline(&d
, fp
) == EOF
) break;
292 /* Work through the fields. If an address field fails to match then we
293 * skip this record. If the state field isn't 1 (`ESTABLISHED') then
294 * skip the record. If it's the UID, then remember it: if we get all the
295 * way to the end then we've won.
298 NEXTFIELD
; if (!*p
) break;
299 if (f
== ff
[LOC
]) { i
= L
; goto compare
; }
300 else if (f
== ff
[REM
]) { i
= R
; goto compare
; }
301 else if (f
== ff
[UID
]) uid
= atoi(p
);
302 else if (f
== ff
[ST
]) {
303 if (strtol(p
, 0, 16) != 1) goto next_row
;
308 /* Compare an address (in the current field) with the local or remote
309 * address in the query, as indicated by `i'. The address field looks
310 * like `ADDR:PORT', where the ADDR is in some mad format which
311 * `sys->parseaddr' knows how to unpick. If the remote address in the
312 * query is our gateway then don't check the remote address in the
313 * field (but do check the port number).
315 if (q
->ao
->sys
->parseaddr(&p
, &s
[i
].addr
)) goto next_row
;
316 if (*p
!= ':') break;
318 s
[i
].port
= strtoul(p
, 0, 16);
319 if ((i
== R
&& gwp
) ?
320 q
->s
[R
].port
!= s
[i
].port
:
321 !sockeq(q
->ao
, &q
->s
[i
], &s
[i
]))
325 /* We got to the end, and everything matched. If we found a UID then
326 * we're done. If the apparent remote address is our gateway then copy
327 * the true one into the query structure.
332 if (gwp
) q
->s
[R
].addr
= s
[i
].addr
;
338 /* We got to the end of the file and didn't find anything. */
340 logmsg(q
, LOG_ERR
, "failed to read connection table `%s': %s",
341 q
->ao
->sys
->procfile
, strerror(errno
));
345 /* If we opened the NAT table file, and we're using IPv4, then check to see
346 * whether we should proxy the connection. At least the addresses in this
351 /* Start again from the beginning. */
354 /* Read a line at a time. */
359 if (dstr_putline(&d
, natfp
) == EOF
) break;
362 /* Check that this is for the right protocol. */
363 NEXTFIELD
; if (!*p
) break;
364 if (strcmp(p
, q
->ao
->sys
->nfl3name
)) continue;
365 NEXTFIELD
; if (!*p
) break;
366 NEXTFIELD
; if (!*p
) break;
367 if (strcmp(p
, "tcp") != 0) continue;
369 /* Parse the other fields. Each line has two src/dst pairs, for the
370 * outgoing and incoming directions. Depending on exactly what kind of
371 * NAT is in use, either the outgoing source or the incoming
372 * destination might be the client we're after. Collect all of the
373 * addresses and sort out the mess later.
378 NEXTFIELD
; if (!*p
) break;
379 if (strcmp(p
, "ESTABLISHED") == 0)
381 else if (strncmp(p
, "src=", 4) == 0) {
382 inet_pton(q
->ao
->af
, p
+ 4, &s
[i
].addr
);
384 } else if (strncmp(p
, "dst=", 4) == 0) {
385 inet_pton(q
->ao
->af
, p
+ 4, &s
[i
+ 1].addr
);
387 } else if (strncmp(p
, "sport=", 6) == 0) {
388 s
[i
].port
= atoi(p
+ 6);
390 } else if (strncmp(p
, "dport=", 6) == 0) {
391 s
[i
+ 1].port
= atoi(p
+ 6);
394 if ((fl
& F_ALL
) == F_ALL
) {
403 /* Print the record we found. */
405 dstr_putf(&dd
, "%sestab ", (fl
& F_ESTAB
) ?
" " : "!");
406 dputsock(&dd
, q
->ao
, &s
[0]);
407 dstr_puts(&dd
, "<->");
408 dputsock(&dd
, q
->ao
, &s
[1]);
409 dstr_puts(&dd
, " | ");
410 dputsock(&dd
, q
->ao
, &s
[2]);
411 dstr_puts(&dd
, "<->");
412 dputsock(&dd
, q
->ao
, &s
[3]);
413 printf("parsed: %s\n", dd
.buf
);
418 /* If the connection isn't ESTABLISHED then skip it. */
419 if (!(fl
& F_ESTAB
)) continue;
421 /* Now we try to piece together what's going on. One of these
422 * addresses will be us. So let's just try to find it.
424 for (i
= 0; i
< 4; i
++)
425 if (sockeq(q
->ao
, &s
[i
], &q
->s
[L
])) goto found_local
;
429 /* So address `i' is us. In that case, we expect the other address in
430 * the same direction, and the same address in the opposite direction,
431 * to match each other and be the remote address in the query.
433 if (!sockeq(q
->ao
, &s
[i
^1], &s
[i
^2]) ||
434 !sockeq(q
->ao
, &s
[i
^1], &q
->s
[R
]))
437 /* As a trap for the unwary, this file contains unhelpful entries which
438 * just mirror the source/destination addresses. If this is one of
439 * those, we'll be stuck in a cycle talking to ourselves.
441 if (sockeq(q
->ao
, &s
[i
], &s
[i
^3]))
444 /* We win. The remaining address must be the client host. We should
452 /* Reached the end of the NAT file. */
454 logmsg(q
, LOG_ERR
, "failed to read `/proc/net/nf_conntrack': %s",
462 /* We didn't find a match anywhere. How unfortunate. */
463 logmsg(q
, LOG_NOTICE
, "connection not found");
465 q
->u
.error
= E_NOUSER
;
469 /* Something went wrong and the protocol can't express what. We should
470 * have logged what the problem actually was.
473 q
->u
.error
= E_UNKNOWN
;
481 /* Initialize the system-specific code. */
484 /* Open the NAT connection map. */
485 if ((natfp
= fopen("/proc/net/nf_conntrack", "r")) == 0 &&
487 die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
491 /* Open the random data source. */
492 if ((randfd
= open("/dev/urandom", O_RDONLY
)) < 0) {
493 die(1, "failed to open `/dev/urandom' for reading: %s",
498 /*----- That's all, folks -------------------------------------------------*/