#include "yaid.h"
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+
/*----- Static variables --------------------------------------------------*/
-static FILE *natfp;
+static FILE *natfp; /* File handle for NAT table */
/*----- Address-type operations -------------------------------------------*/
char *p = *pp;
unsigned x;
+ /* The format is byteswapped in a really annoying way. */
for (i = 0; i < 4; i++) {
y = 0;
for (j = 0; j < 8; j++) {
/*----- Main code ---------------------------------------------------------*/
+/* Store in A the default gateway address for the given address family.
+ * Return zero on success, or nonzero on error.
+ */
static int get_default_gw(int af, union addr *a)
{
int fd;
int rc = 0;
static unsigned long seq = 0x48b4aec4;
+ /* Open a netlink socket for interrogating the kernel. */
if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
die(1, "failed to create netlink socket: %s", strerror(errno));
+ /* We want to read the routing table. There doesn't seem to be a good way
+ * to do this without just crawling through the whole thing.
+ */
nlmsg = (struct nlmsghdr *)buf;
assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
die(1, "failed to send RTM_GETROUTE request: %s", strerror(errno));
+ /* Now we try to parse the answer. */
for (;;) {
+
+ /* Not finished yet, so read another chunk of answer. */
if ((n = read(fd, buf, sizeof(buf))) < 0)
die(1, "failed to read RTM_GETROUTE response: %s", strerror(errno));
+
+ /* Start at the beginning of the response. */
nlmsg = (struct nlmsghdr *)buf;
+
+ /* Make sure this looks plausible. The precise rules don't appear to be
+ * documented, so it seems advisable to fail messily if my understanding
+ * is wrong.
+ */
if (nlmsg->nlmsg_seq != seq) continue;
assert(nlmsg->nlmsg_flags & NLM_F_MULTI);
+ /* Work through all of the individual routes. */
for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);
- if (rtm->rtm_family != af ||
- rtm->rtm_dst_len > 0 ||
- rtm->rtm_src_len > 0 ||
- rtm->rtm_type != RTN_UNICAST ||
- rtm->rtm_scope != RT_SCOPE_UNIVERSE ||
- rtm->rtm_tos != 0)
+ /* If this record doesn't look interesting then skip it. */
+ if (rtm->rtm_family != af || /* wrong address family */
+ rtm->rtm_dst_len > 0 || /* specific destination */
+ rtm->rtm_src_len > 0 || /* specific source */
+ rtm->rtm_type != RTN_UNICAST || /* not for unicast */
+ rtm->rtm_scope != RT_SCOPE_UNIVERSE || /* wrong scope */
+ rtm->rtm_tos != 0) /* specific type of service */
continue;
+ /* Trundle through the attributes and find the gateway address. */
for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {
+
+ /* Got one. We're all done. Except that we should carry on reading
+ * to the end, or something bad will happen.
+ */
if (rta->rta_type == RTA_GATEWAY) {
assert(RTA_PAYLOAD(rta) <= sizeof(*a));
memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
return (rc);
}
+/* Find out who is responsible for the connection described in the query Q.
+ * Write the answer to Q. Errors are logged and reported via the query
+ * structure.
+ */
void identify(struct query *q)
{
FILE *fp = 0;
enum { LOC, REM, ST, UID, NFIELD };
int f, ff[NFIELD];
+ /* If we have a default gateway, and it matches the remote address then
+ * this may be a proxy connection from our NAT, so remember this, and don't
+ * inspect the remote addresses in the TCP tables.
+ */
if (get_default_gw(q->ao->af, &s[0].addr) &&
q->ao->addreq(&s[0].addr, &q->s[R].addr))
gwp = 1;
+ /* Open the relevant TCP connection table. */
if ((fp = fopen(q->ao->sys->procfile, "r")) == 0) {
logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
q->ao->sys->procfile, strerror(errno));
goto err_unk;
}
+ /* Initially, PP points into a string containing whitespace-separated
+ * fields. Point P to the next field, null-terminate it, and advance PP
+ * so that we can read the next field in the next call.
+ */
#define NEXTFIELD do { \
for (p = pp; isspace((unsigned char)*p); p++); \
for (pp = p; *pp && !isspace((unsigned char)*pp); pp++); \
if (*pp) *pp++ = 0; \
} while (0)
+ /* Read the header line from the file. */
if (dstr_putline(&d, fp) == EOF) {
logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
q->ao->sys->procfile,
goto err_unk;
}
+ /* Now scan the header line to identify which columns the various
+ * interesting fields are in. Store these in the map `ff'. Problems:
+ * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
+ * disguise; and the remote address column has a different heading
+ * depending on which address family we're using. Rather than dispatch,
+ * just recognize both of them.
+ */
for (i = 0; i < NFIELD; i++) ff[i] = -1;
pp = d.buf;
for (f = 0;; f++) {
strcmp(p, "tm->when") == 0)
f--;
}
+
+ /* Make sure that we found all of the fields we actually want. */
for (i = 0; i < NFIELD; i++) {
if (ff[i] < 0) {
logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
}
}
+ /* Work through the lines in the file. */
for (;;) {
+
+ /* Read a line, and prepare to scan the fields. */
DRESET(&d);
if (dstr_putline(&d, fp) == EOF) break;
pp = d.buf;
uid = -1;
+
+ /* Work through the fields. If an address field fails to match then we
+ * skip this record. If the state field isn't 1 (`ESTABLISHED') then
+ * skip the record. If it's the UID, then remember it: if we get all the
+ * way to the end then we've won.
+ */
for (f = 0;; f++) {
NEXTFIELD; if (!*p) break;
if (f == ff[LOC]) { i = L; goto compare; }
continue;
compare:
+ /* Compare an address (in the current field) with the local or remote
+ * address in the query, as indicated by `i'. The address field looks
+ * like `ADDR:PORT', where the ADDR is in some mad format which
+ * `sys->parseaddr' knows how to unpick. If the remote address in the
+ * query is our gateway then don't check the remote address in the
+ * field (but do check the port number).
+ */
if (q->ao->sys->parseaddr(&p, &s[0].addr)) goto next_row;
if (*p != ':') break; p++;
s[0].port = strtoul(p, 0, 16);
- if (!sockeq(q->ao, &q->s[i], &s[0]) &&
- (i != R || !gwp || q->s[R].port != s[0].port))
+ if ((i == R && gwp) ?
+ q->s[R].port != s[0].port :
+ !sockeq(q->ao, &q->s[i], &s[0]))
goto next_row;
}
+
+ /* We got to the end, and everything matched. If we found a UID then
+ * we're done.
+ */
if (uid != -1) {
q->resp = R_UID;
q->u.uid = uid;
next_row:;
}
+ /* We got to the end of the file and didn't find anything. */
if (ferror(fp)) {
logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
q->ao->sys->procfile, strerror(errno));
goto err_unk;
}
+ /* If we opened the NAT table file, and we're using IPv4, then check to see
+ * whether we should proxy the connection. At least the addresses in this
+ * file aren't crazy.
+ */
if (natfp) {
+
+ /* Start again from the beginning. */
rewind(natfp);
+ /* Read a line at a time. */
for (;;) {
+
+ /* Read the line. */
DRESET(&d);
if (dstr_putline(&d, natfp) == EOF) break;
pp = d.buf;
+ /* Check that this is for the right protocol. */
NEXTFIELD; if (!*p) break;
if (strcmp(p, q->ao->sys->nfl3name)) continue;
NEXTFIELD; if (!*p) break;
NEXTFIELD; if (!*p) break;
if (strcmp(p, "tcp") != 0) continue;
+
+ /* Parse the other fields. Each line has two src/dst pairs, for the
+ * outgoing and incoming directions. Depending on exactly what kind of
+ * NAT is in use, either the outgoing source or the incoming
+ * destination might be the client we're after. Collect all of the
+ * addresses and sort out the mess later.
+ */
i = 0;
fl = 0;
for (;;) {
#ifdef notdef
{
+ /* Print the record we found. */
dstr dd = DSTR_INIT;
dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
dputsock(&dd, q->ao, &s[0]);
}
#endif
+ /* If the connection isn't ESTABLISHED then skip it. */
if (!(fl & F_ESTAB)) continue;
+ /* Now we try to piece together what's going on. One of these
+ * addresses will be us. So let's just try to find it.
+ */
for (i = 0; i < 4; i++)
if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
continue;
+
found_local:
+ /* So address `i' is us. In that case, we expect the other address in
+ * the same direction, and the same address in the opposite direction,
+ * to match each other and be the remote address in the query.
+ */
if (!sockeq(q->ao, &s[i^1], &s[i^2]) ||
!sockeq(q->ao, &s[i^1], &q->s[R]))
continue;
+
+ /* We win. The remaining address must be the client host. We should
+ * proxy this query.
+ */
q->resp = R_NAT;
q->u.nat = s[i^3];
goto done;
#undef NEXTFIELD
+ /* We didn't find a match anywhere. How unfortunate. */
logmsg(q, LOG_NOTICE, "connection not found");
q->resp = R_ERROR;
q->u.error = E_NOUSER;
goto done;
+
err_unk:
+ /* Something went wrong and the protocol can't express what. We should
+ * have logged what the problem actually was.
+ */
q->resp = R_ERROR;
q->u.error = E_UNKNOWN;
+
done:
+ /* All done. */
dstr_destroy(&d);
if (fp) fclose(fp);
}
+/* Initialize the system-specific code. */
void init_sys(void)
{
if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&