1 /* $OpenBSD: pflogd.c,v 1.27 2004/02/13 19:01:57 otto Exp $ */
2 /* $DragonFly: src/usr.sbin/pflogd/pflogd.c,v 1.2 2004/12/18 22:48:04 swildner Exp $ */
5 * Copyright (c) 2001 Theo de Raadt
6 * Copyright (c) 2001 Can Erkin Acar
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
34 #include <sys/types.h>
35 #include <sys/ioctl.h>
38 #include <machine/inttypes.h>
60 static int snaplen = DEF_SNAPLEN;
61 static int cur_snaplen = DEF_SNAPLEN;
63 volatile sig_atomic_t gotsig_close, gotsig_alrm, gotsig_hup;
65 const char *filename = PFLOGD_LOG_FILE;
66 const char *interface = PFLOGD_DEFAULT_IF;
69 char errbuf[PCAP_ERRBUF_SIZE];
72 unsigned int delay = FLUSH_DELAY;
74 char *copy_argv(char * const *);
75 void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
76 void dump_packet_nobuf(u_char *, const struct pcap_pkthdr *, const u_char *);
77 int flush_buffer(FILE *);
79 void purge_buffer(void);
81 int scan_dump(FILE *, off_t);
83 void set_suspended(int);
89 /* buffer must always be greater than snaplen */
90 static int bufpkt = 0; /* number of packets in buffer */
91 static size_t buflen = 0; /* allocated size of buffer */
92 static char *buffer = NULL; /* packet buffer */
93 static char *bufpos = NULL; /* position in buffer */
94 static size_t bufleft = 0; /* bytes left in buffer */
96 /* if error, stop logging but count dropped packets */
97 static int suspended = -1;
98 static long packets_dropped = 0;
107 setproctitle("[%s] -s %d -f %s",
108 suspended ? "suspended" : "running", cur_snaplen, filename);
112 copy_argv(char * const *argv)
120 for (n = 0; argv[n]; n++)
121 len += strlen(argv[n])+1;
129 strlcpy(buf, argv[0], len);
130 for (n = 1; argv[n]; n++) {
131 strlcat(buf, " ", len);
132 strlcat(buf, argv[n], len);
138 logmsg(int pri, const char *message, ...)
141 va_start(ap, message);
144 vfprintf(stderr, message, ap);
145 fprintf(stderr, "\n");
147 vsyslog(pri, message, ap);
154 fprintf(stderr, "usage: pflogd [-Dx] [-d delay] [-f filename] ");
155 fprintf(stderr, "[-s snaplen] [expression]\n");
160 sig_close(int sig __unused)
166 sig_hup(int sig __unused)
172 sig_alrm(int sig __unused)
178 set_pcap_filter(void)
180 struct bpf_program bprog;
182 if (pcap_compile(hpcap, &bprog, filter, PCAP_OPT_FIL, 0) < 0)
183 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
185 if (pcap_setfilter(hpcap, &bprog) < 0)
186 logmsg(LOG_WARNING, "%s", pcap_geterr(hpcap));
187 pcap_freecode(&bprog);
194 hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
196 logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
200 if (pcap_datalink(hpcap) != DLT_PFLOG) {
201 logmsg(LOG_ERR, "Invalid datalink type");
209 cur_snaplen = snaplen = pcap_snapshot(hpcap);
211 /* From contrib/pf/pflogd.c 1.5 FreeBSD: BPF locking is not
214 #ifndef __DragonFly__
216 if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
217 logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
226 set_snaplen(int snap)
228 if (priv_set_snaplen(snap))
231 if (cur_snaplen > snap)
242 struct pcap_file_header hdr;
257 * Basically reimplement pcap_dump_open() because it truncates
258 * files and duplicates headers and such.
260 fd = priv_open_log();
264 fp = fdopen(fd, "a+");
267 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
270 if (fstat(fileno(fp), &st) == -1) {
271 logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
275 /* set FILE unbuffered, we do our own buffering */
276 if (setvbuf(fp, NULL, _IONBF, 0)) {
277 logmsg(LOG_ERR, "Failed to set output buffers");
281 #define TCPDUMP_MAGIC 0xa1b2c3d4
283 if (st.st_size == 0) {
284 if (snaplen != cur_snaplen) {
285 logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
286 if (set_snaplen(snaplen)) {
288 "Failed, using old settings");
291 hdr.magic = TCPDUMP_MAGIC;
292 hdr.version_major = PCAP_VERSION_MAJOR;
293 hdr.version_minor = PCAP_VERSION_MINOR;
294 hdr.thiszone = hpcap->tzoff;
295 hdr.snaplen = hpcap->snapshot;
297 hdr.linktype = hpcap->linktype;
299 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
303 } else if (scan_dump(fp, st.st_size)) {
304 /* XXX move file and continue? */
318 scan_dump(FILE *fp, off_t size)
320 struct pcap_file_header hdr;
321 struct pcap_pkthdr ph;
325 * Must read the file, compare the header against our new
326 * options (in particular, snaplen) and adjust our options so
327 * that we generate a correct file. Furthermore, check the file
328 * for consistency so that we can append safely.
330 * XXX this may take a long time for large logs.
332 fseek(fp, 0L, SEEK_SET);
334 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
335 logmsg(LOG_ERR, "Short file header");
339 if (hdr.magic != TCPDUMP_MAGIC ||
340 hdr.version_major != PCAP_VERSION_MAJOR ||
341 hdr.version_minor != PCAP_VERSION_MINOR ||
342 (int)hdr.linktype != hpcap->linktype ||
343 hdr.snaplen > PFLOGD_MAXSNAPLEN) {
344 logmsg(LOG_ERR, "Invalid/incompatible log file, move it away");
351 off_t len = fread((char *)&ph, 1, sizeof(ph), fp);
355 if (len != sizeof(ph))
357 if (ph.caplen > hdr.snaplen || ph.caplen > PFLOGD_MAXSNAPLEN)
359 pos += sizeof(ph) + ph.caplen;
362 fseek(fp, ph.caplen, SEEK_CUR);
368 if ((int)hdr.snaplen != cur_snaplen) {
370 "Existing file has different snaplen %u, using it",
372 if (set_snaplen(hdr.snaplen)) {
374 "Failed, using old settings, offset %llu",
375 (unsigned long long) size);
382 logmsg(LOG_ERR, "Corrupted log file.");
386 /* dump a packet directly to the stream, which is unbuffered */
388 dump_packet_nobuf(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
390 FILE *f = (FILE *)user;
397 if (fwrite(h, sizeof(*h), 1, f) != 1) {
398 /* try to undo header to prevent corruption */
399 off_t pos = ftello(f);
400 if (pos < sizeof(*h) ||
401 ftruncate(fileno(f), pos - sizeof(*h))) {
402 logmsg(LOG_ERR, "Write failed, corrupted logfile!");
410 if (fwrite(sp, h->caplen, 1, f) != 1)
418 logmsg(LOG_ERR, "Logging suspended: fwrite: %s", strerror(errno));
422 flush_buffer(FILE *f)
425 int len = bufpos - buffer;
431 if (offset == (off_t)-1) {
433 logmsg(LOG_ERR, "Logging suspended: ftello: %s",
438 if (fwrite(buffer, len, 1, f) != 1) {
440 logmsg(LOG_ERR, "Logging suspended: fwrite: %s",
442 ftruncate(fileno(f), offset);
457 packets_dropped += bufpkt;
465 /* append packet to the buffer, flushing if necessary */
467 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
469 FILE *f = (FILE *)user;
470 size_t len = sizeof(*h) + h->caplen;
472 if (len < sizeof(*h) || h->caplen > (size_t)cur_snaplen) {
473 logmsg(LOG_NOTICE, "invalid size %u (%u/%u), packet dropped",
474 len, cur_snaplen, snaplen);
487 if (flush_buffer(f)) {
493 dump_packet_nobuf(user, h, sp);
498 memcpy(bufpos, h, sizeof(*h));
499 memcpy(bufpos + sizeof(*h), sp, h->caplen);
509 main(int argc, char **argv)
511 struct pcap_stat pstat;
512 int ch, np, Xflag = 0;
513 pcap_handler phandler = dump_packet;
515 /* Neither FreeBSD nor DFly have this; Max seems to think this may
516 * be a paranoid check. Comment it out:
517 closefrom(STDERR_FILENO + 1);
520 while ((ch = getopt(argc, argv, "Dxd:s:f:")) != -1) {
526 delay = atoi(optarg);
527 if (delay < 5 || delay > 60*60)
534 snaplen = atoi(optarg);
536 snaplen = DEF_SNAPLEN;
537 if (snaplen > PFLOGD_MAXSNAPLEN)
538 snaplen = PFLOGD_MAXSNAPLEN;
554 openlog("pflogd", LOG_PID | LOG_CONS, LOG_DAEMON);
556 logmsg(LOG_WARNING, "Failed to become daemon: %s",
562 umask(S_IRWXG | S_IRWXO);
564 /* filter will be used by the privileged process */
566 filter = copy_argv(argv);
568 logmsg(LOG_NOTICE, "Failed to form filter expression");
571 /* initialize pcap before dropping privileges */
573 logmsg(LOG_ERR, "Exiting, init failure");
577 /* Privilege separation begins here */
579 logmsg(LOG_ERR, "unable to privsep");
583 setproctitle("[initializing]");
584 /* Process is now unprivileged and inside a chroot */
585 signal(SIGTERM, sig_close);
586 signal(SIGINT, sig_close);
587 signal(SIGQUIT, sig_close);
588 signal(SIGALRM, sig_alrm);
589 signal(SIGHUP, sig_hup);
592 buffer = malloc(PFLOGD_BUFSIZE);
594 if (buffer == NULL) {
595 logmsg(LOG_WARNING, "Failed to allocate output buffer");
596 phandler = dump_packet_nobuf;
598 bufleft = buflen = PFLOGD_BUFSIZE;
607 logmsg(LOG_ERR, "Logging suspended: open error");
613 np = pcap_dispatch(hpcap, PCAP_NUM_PKTS,
614 dump_packet, (u_char *)dpcap);
616 logmsg(LOG_NOTICE, "%s", pcap_geterr(hpcap));
623 "Logging suspended: open error");
637 logmsg(LOG_NOTICE, "Exiting");
644 if (pcap_stats(hpcap, &pstat) < 0)
645 logmsg(LOG_WARNING, "Reading stats: %s", pcap_geterr(hpcap));
648 "%u packets received, %u/%u dropped (kernel/pflogd)",
649 pstat.ps_recv, pstat.ps_drop, packets_dropped);
lentferj's projects / dragonfly.git / blob