1 /* $OpenBSD: pflogd.c,v 1.45 2007/06/06 14:11:26 henning Exp $ */
4 * Copyright (c) 2001 Theo de Raadt
5 * Copyright (c) 2001 Can Erkin Acar
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
33 #include <sys/types.h>
34 #include <sys/ioctl.h>
37 #include <sys/socket.h>
40 #include <machine/inttypes.h>
63 static int snaplen = DEF_SNAPLEN;
64 static int cur_snaplen = DEF_SNAPLEN;
66 volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup, gotsig_usr1;
68 const char *filename = PFLOGD_LOG_FILE;
69 const char *interface = PFLOGD_DEFAULT_IF;
72 char errbuf[PCAP_ERRBUF_SIZE];
75 unsigned int delay = FLUSH_DELAY;
77 char *copy_argv(char * const *);
78 void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
79 void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
80 void log_pcap_stats(void);
81 int flush_buffer(FILE *);
82 int if_exists(char *);
84 void logmsg(int, const char *, ...) __printflike(2, 3);
85 void purge_buffer(void);
87 int scan_dump(FILE *, off_t);
89 void set_suspended(int);
94 void usage(void) __dead2;
96 static int try_reset_dump(int);
98 /* buffer must always be greater than snaplen */
99 static int bufpkt = 0; /* number of packets in buffer */
100 static size_t buflen = 0; /* allocated size of buffer */
101 static char *buffer = NULL; /* packet buffer */
102 static char *bufpos = NULL; /* position in buffer */
103 static size_t bufleft = 0; /* bytes left in buffer */
105 /* if error, stop logging but count dropped packets */
106 static int suspended = -1;
107 static long packets_dropped = 0;
116 setproctitle("[%s] -s %d -i %s -f %s",
117 suspended ? "suspended" : "running",
118 cur_snaplen, interface, filename);
122 copy_argv(char * const *argv)
130 for (n = 0; argv[n]; n++)
131 len += strlen(argv[n])+1;
139 strlcpy(buf, argv[0], len);
140 for (n = 1; argv[n]; n++) {
141 strlcat(buf, " ", len);
142 strlcat(buf, argv[n], len);
148 logmsg(int pri, const char *message, ...)
151 va_start(ap, message);
154 vfprintf(stderr, message, ap);
155 fprintf(stderr, "\n");
157 vsyslog(pri, message, ap);
164 fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename]");
165 fprintf(stderr, " [-i interface] [-p pidfile]\n");
166 fprintf(stderr, " [-s snaplen] [expression]\n");
171 sig_close(int sig __unused)
177 sig_hup(int sig __unused)
183 sig_alrm(int sig __unused)
189 sig_usr1(int sig __unused)
195 set_pcap_filter(void)
197 struct bpf_program bprog;
199 if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0)
200 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
202 if (pcap_setfilter(hpcap, &bprog) < 0)
203 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
204 pcap_freecode(&bprog);
209 if_exists(char *ifname)
213 struct if_data ifrdat;
215 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
217 bzero(&ifr, sizeof(ifr));
218 if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
219 sizeof(ifr.ifr_name))
220 errx(1, "main ifr_name: strlcpy");
221 ifr.ifr_data = (caddr_t)&ifrdat;
222 if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
233 hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
235 logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
239 if (pcap_datalink(hpcap) != DLT_PFLOG) {
240 logmsg(LOG_ERR, "Invalid datalink type");
248 cur_snaplen = snaplen = pcap_snapshot(hpcap);
250 /* From contrib/pf/pflogd.c 1.5 FreeBSD: BPF locking is not
253 #ifndef __DragonFly__
255 if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
256 logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
265 set_snaplen(int snap)
267 if (priv_set_snaplen(snap))
270 if (cur_snaplen > snap)
279 reset_dump(int nomove)
284 ret = try_reset_dump(nomove);
293 * tries to (re)open log file, nomove flag is used with -x switch
294 * returns 0: success, 1: retry (log moved), -1: error
297 try_reset_dump(int nomove)
299 struct pcap_file_header hdr;
314 * Basically reimplement pcap_dump_open() because it truncates
315 * files and duplicates headers and such.
317 fd = priv_open_log();
321 fp = fdopen(fd, "a+");
324 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
328 if (fstat(fileno(fp), &st) == -1) {
329 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
334 /* set FILE unbuffered, we do our own buffering */
335 if (setvbuf(fp, NULL, _IONBF, 0)) {
336 logmsg(LOG_ERR, "Failed to set output buffers");
341 #define TCPDUMP_MAGIC 0xa1b2c3d4
343 if (st.st_size == 0) {
344 if (snaplen != cur_snaplen) {
345 logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
346 if (set_snaplen(snaplen))
348 "Failed, using old settings");
350 hdr.magic = TCPDUMP_MAGIC;
351 hdr.version_major = PCAP_VERSION_MAJOR;
352 hdr.version_minor = PCAP_VERSION_MINOR;
353 hdr.thiszone = hpcap->tzoff;
354 hdr.snaplen = hpcap->snapshot;
356 hdr.linktype = hpcap->linktype;
358 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
362 } else if (scan_dump(fp, st.st_size)) {
364 if (nomove || priv_move_log()) {
366 "Invalid/incompatible log file, move it away");
381 scan_dump(FILE *fp, off_t size)
383 struct pcap_file_header hdr;
384 struct pcap_sf_pkthdr ph;
388 * Must read the file, compare the header against our new
389 * options (in particular, snaplen) and adjust our options so
390 * that we generate a correct file. Furthermore, check the file
391 * for consistency so that we can append safely.
393 * XXX this may take a long time for large logs.
395 fseek(fp, 0L, SEEK_SET);
397 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
398 logmsg(LOG_ERR, "Short file header");
402 if (hdr.magic != TCPDUMP_MAGIC ||
403 hdr.version_major != PCAP_VERSION_MAJOR ||
404 hdr.version_minor != PCAP_VERSION_MINOR ||
405 (int)hdr.linktype != hpcap->linktype ||
406 hdr.snaplen > PFLOGD_MAXSNAPLEN) {
413 off_t len = fread((char *)&ph, 1, sizeof(ph), fp);
417 if (len != sizeof(ph))
419 if (ph.caplen > hdr.snaplen || ph.caplen > PFLOGD_MAXSNAPLEN)
421 pos += sizeof(ph) + ph.caplen;
424 fseek(fp, ph.caplen, SEEK_CUR);
430 if ((int)hdr.snaplen != cur_snaplen) {
432 "Existing file has different snaplen %u, using it",
434 if (set_snaplen(hdr.snaplen)) {
436 "Failed, using old settings, offset %llu",
437 (unsigned long long) size);
444 logmsg(LOG_ERR, "Corrupted log file.");
448 /* dump a packet directly to the stream, which is unbuffered */
450 dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
452 FILE *f = (FILE *)user;
453 struct pcap_sf_pkthdr sh;
460 sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
461 sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
462 sh.caplen = h->caplen;
465 if (fwrite((char *)&sh, sizeof(sh), 1, f) != 1) {
466 off_t pos = ftello(f);
468 /* try to undo header to prevent corruption */
469 if ((size_t)pos < sizeof(sh) ||
470 ftruncate(fileno(f), pos - sizeof(sh))) {
471 logmsg(LOG_ERR, "Write failed, corrupted logfile!");
479 if (fwrite(sp, h->caplen, 1, f) != 1)
487 logmsg(LOG_ERR, "Logging suspended: fwrite: %s", strerror(errno));
491 flush_buffer(FILE *f)
494 int len = bufpos - buffer;
500 if (offset == (off_t)-1) {
502 logmsg(LOG_ERR, "Logging suspended: ftello: %s",
507 if (fwrite(buffer, len, 1, f) != 1) {
509 logmsg(LOG_ERR, "Logging suspended: fwrite: %s",
511 ftruncate(fileno(f), offset);
526 packets_dropped += bufpkt;
534 /* append packet to the buffer, flushing if necessary */
536 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
538 FILE *f = (FILE *)user;
539 struct pcap_sf_pkthdr sh;
540 size_t len = sizeof(sh) + h->caplen;
542 if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) {
543 logmsg(LOG_NOTICE, "invalid size %zd (%u/%u), packet dropped",
544 len, cur_snaplen, snaplen);
557 if (flush_buffer(f)) {
563 dump_packet_nobuf(user, h, sp);
568 sh.ts.tv_sec = (bpf_int32)h->ts.tv_sec;
569 sh.ts.tv_usec = (bpf_int32)h->ts.tv_usec;
570 sh.caplen = h->caplen;
573 memcpy(bufpos, &sh, sizeof(sh));
574 memcpy(bufpos + sizeof(sh), sp, h->caplen);
586 struct pcap_stat pstat;
587 if (pcap_stats(hpcap, &pstat) < 0)
588 logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
591 "%u packets received, %u/%ld dropped (kernel/pflogd)",
592 pstat.ps_recv, pstat.ps_drop, packets_dropped);
596 main(int argc, char **argv)
598 int ch, np, ret, Xflag = 0;
599 pcap_handler phandler = dump_packet;
600 const char *errstr = NULL;
601 struct pidfh *pfh = NULL;
606 /* Neither FreeBSD nor DFly have this; Max seems to think this may
607 * be a paranoid check. Comment it out:
608 closefrom(STDERR_FILENO + 1);
611 while ((ch = getopt(argc, argv, "Dxd:f:i:p:s:")) != -1) {
617 delay = strtonum(optarg, 5, 60*60, &errstr);
631 snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
634 snaplen = DEF_SNAPLEN;
636 snaplen = PFLOGD_MAXSNAPLEN;
651 /* does interface exist */
652 if (!if_exists(__DECONST(char *, interface))) {
653 warn("Failed to initialize: %s", interface);
654 logmsg(LOG_ERR, "Failed to initialize: %s", interface);
655 logmsg(LOG_ERR, "Exiting, init failure");
660 openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
661 pfh = pidfile_open(pidf, 0600, NULL);
663 logmsg(LOG_WARNING, "Failed to become daemon: %s",
670 umask(S_IRWXG | S_IRWXO);
672 /* filter will be used by the privileged process */
674 filter = copy_argv(argv);
676 logmsg(LOG_NOTICE, "Failed to form filter expression");
679 /* initialize pcap before dropping privileges */
681 logmsg(LOG_ERR, "Exiting, init failure");
685 /* Privilege separation begins here */
687 logmsg(LOG_ERR, "unable to privsep");
691 setproctitle("[initializing]");
692 /* Process is now unprivileged and inside a chroot */
693 signal(SIGTERM, sig_close);
694 signal(SIGINT, sig_close);
695 signal(SIGQUIT, sig_close);
696 signal(SIGALRM, sig_alrm);
697 signal(SIGUSR1, sig_usr1);
698 signal(SIGHUP, sig_hup);
701 buffer = malloc(PFLOGD_BUFSIZE);
703 if (buffer == NULL) {
704 logmsg(LOG_WARNING, "Failed to allocate output buffer");
705 phandler = dump_packet_nobuf;
707 bufleft = buflen = PFLOGD_BUFSIZE;
712 if (reset_dump(Xflag) < 0) {
716 logmsg(LOG_ERR, "Logging suspended: open error");
722 np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
723 phandler, (u_char *)dpcap);
725 if (!if_exists(__DECONST(char *, interface))) {
726 logmsg(LOG_NOTICE, "interface %s went away",
731 logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
739 "Logging suspended: open error");
760 logmsg(LOG_NOTICE, "Exiting");
projects / dragonfly.git / blob