[yaid] / linux.c

/* -*-c-*-
 *
 * Discover the owner of a connection (Linux version)
 *
 * (c) 2012 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Yet Another Ident Daemon (YAID).
 *
 * YAID is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * YAID is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with YAID; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "yaid.h"

#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/*----- Static variables --------------------------------------------------*/

static FILE *natfp;                     /* File handle for NAT table */
static int randfd;                      /* File descriptor for random data */

/*----- Miscellaneous system services -------------------------------------*/

/* Fill the buffer at P with SZ random bytes.  The buffer will be moderately
 * large: this is intended to be a low-level interface, not a general-purpose
 * utility.
 */
void fill_random(void *p, size_t sz)
{
  ssize_t n;

  n = read(randfd, p, sz);
  if (n < 0) fatal("error reading `/dev/urandom': %s", strerror(errno));
  else if (n < sz) fatal("unexpected short read from `/dev/urandom'");
}

/*----- Address-type operations -------------------------------------------*/

struct addrops_sys {
  const char *procfile;
  const char *nfl3name;
  int (*parseaddr)(char **, union addr *);
};

#define PROCFILE_IPV4 "/proc/net/tcp"
#define NFL3NAME_IPV4 "ipv4"

static int parseaddr_ipv4(char **pp, union addr *a)
  { a->ipv4.s_addr = strtoul(*pp, pp, 16); return (0); }

#define PROCFILE_IPV6 "/proc/net/tcp6"
#define NFL3NAME_IPV6 "ipv6"

static int parseaddr_ipv6(char **pp, union addr *a)
{
  int i, j;
  unsigned long y;
  char *p = *pp;
  unsigned x;

  /* The format is byteswapped in a really annoying way. */
  for (i = 0; i < 4; i++) {
    y = 0;
    for (j = 0; j < 8; j++) {
      if ('0' <= *p && *p <= '9') x = *p - '0';
      else if ('a' <= *p && *p <= 'f') x = *p - 'a' + 10;
      else if ('A' <= *p && *p <= 'F') x = *p - 'A' + 10;
      else return (-1);
      y = (y << 4) | x;
      p++;
    }
    a->ipv6.s6_addr32[i] = y;
  }
  *pp = p;
  return (0);
}

#define DEFOPSYS(ty, TY)                                                \
  const struct addrops_sys addrops_sys_##ty = {                         \
    PROCFILE_##TY, NFL3NAME_##TY, parseaddr_##ty                        \
  };
ADDRTYPES(DEFOPSYS)
#undef DEFOPSYS

/*----- Main code ---------------------------------------------------------*/

/* Store in A the default gateway address for the given address family.
 * Return zero on success, or nonzero on error.
 */
static int get_default_gw(int af, union addr *a)
{
  int fd;
  char buf[32768];
  struct nlmsghdr *nlmsg;
  struct rtgenmsg *rtgen;
  const struct rtattr *rta;
  const struct rtmsg *rtm;
  ssize_t n, nn;
  int rc = -1;
  static unsigned long seq = 0x48b4aec4;

  /* Open a netlink socket for interrogating the kernel. */
  if ((fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
    fatal("failed to create netlink socket: %s", strerror(errno));

  /* We want to read the routing table.  There doesn't seem to be a good way
   * to do this without just crawling through the whole thing.
   */
  nlmsg = (struct nlmsghdr *)buf;
  assert(NLMSG_SPACE(sizeof(*rtgen)) < sizeof(buf));
  nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtgen));
  nlmsg->nlmsg_type = RTM_GETROUTE;
  nlmsg->nlmsg_flags = NLM_F_REQUEST | NLM_F_ROOT;
  nlmsg->nlmsg_seq = ++seq;
  nlmsg->nlmsg_pid = 0;

  rtgen = (struct rtgenmsg *)NLMSG_DATA(nlmsg);
  rtgen->rtgen_family = af;

  if (write(fd, nlmsg, nlmsg->nlmsg_len) < 0)
    fatal("failed to send RTM_GETROUTE request: %s", strerror(errno));

  /* Now we try to parse the answer. */
  for (;;) {

    /* Not finished yet, so read another chunk of answer. */
    if ((n = read(fd, buf, sizeof(buf))) < 0)
      fatal("failed to read RTM_GETROUTE response: %s", strerror(errno));

    /* Start at the beginning of the response. */
    nlmsg = (struct nlmsghdr *)buf;

    /* Make sure this looks plausible.  The precise rules don't appear to be
     * documented, so it seems advisable to fail messily if my understanding
     * is wrong.
     */
    if (nlmsg->nlmsg_seq != seq) continue;
    assert(nlmsg->nlmsg_flags & NLM_F_MULTI);

    /* Work through all of the individual routes. */
    for (; NLMSG_OK(nlmsg, n); nlmsg = NLMSG_NEXT(nlmsg, n)) {
      if (nlmsg->nlmsg_type == NLMSG_DONE) goto done;
      if (nlmsg->nlmsg_type != RTM_NEWROUTE) continue;
      rtm = (const struct rtmsg *)NLMSG_DATA(nlmsg);

      /* If this record doesn't look interesting then skip it. */
      if (rtm->rtm_family != af ||      /* wrong address family */
          rtm->rtm_dst_len > 0 ||       /* specific destination */
          rtm->rtm_src_len > 0 ||       /* specific source  */
          rtm->rtm_type != RTN_UNICAST || /* not for unicast */
          rtm->rtm_scope != RT_SCOPE_UNIVERSE || /* wrong scope */
          rtm->rtm_tos != 0)            /* specific type of service */
        continue;

      /* Trundle through the attributes and find the gateway address. */
      for (rta = RTM_RTA(rtm), nn = RTM_PAYLOAD(nlmsg);
           RTA_OK(rta, nn); rta = RTA_NEXT(rta, nn)) {

        /* Got one.  We're all done.  Except that we should carry on reading
         * to the end, or something bad will happen.
         */
        if (rta->rta_type == RTA_GATEWAY) {
          assert(RTA_PAYLOAD(rta) <= sizeof(*a));
          memcpy(a, RTA_DATA(rta), RTA_PAYLOAD(rta));
          rc = 0;
        }
      }
    }
  }

done:
  close(fd);
  return (rc);
}

/* Find out who is responsible for the connection described in the query Q.
 * Write the answer to Q.  Errors are logged and reported via the query
 * structure.
 */
void identify(struct query *q)
{
  FILE *fp = 0;
  dstr d = DSTR_INIT;
  char *p, *pp;
  struct socket s[4];
  int i;
  int gwp = 0;
  unsigned fl;
#define F_SADDR 1u
#define F_SPORT 2u
#define F_DADDR 4u
#define F_DPORT 8u
#define F_ALL (F_SADDR | F_SPORT | F_DADDR | F_DPORT)
#define F_ESTAB 16u
  uid_t uid;
  enum { LOC, REM, ST, UID, NFIELD };
  int f, ff[NFIELD];

  /* If we have a default gateway, and it matches the remote address then
   * this may be a proxy connection from our NAT, so remember this, and don't
   * inspect the remote addresses in the TCP tables.
   */
  if (!get_default_gw(q->ao->af, &s[0].addr) &&
      q->ao->addreq(&s[0].addr, &q->s[R].addr))
    gwp = 1;

  /* Open the relevant TCP connection table. */
  if ((fp = fopen(q->ao->sys->procfile, "r")) == 0) {
    logmsg(q, LOG_ERR, "failed to open `%s' for reading: %s",
           q->ao->sys->procfile, strerror(errno));
    goto err_unk;
  }

  /* Initially, PP points into a string containing whitespace-separated
   * fields.  Point P to the next field, null-terminate it, and advance PP
   * so that we can read the next field in the next call.
   */
#define NEXTFIELD do {                                                  \
  for (p = pp; isspace((unsigned char)*p); p++);                        \
  for (pp = p; *pp && !isspace((unsigned char)*pp); pp++);              \
  if (*pp) *pp++ = 0;                                                   \
} while (0)

  /* Read the header line from the file. */
  if (dstr_putline(&d, fp) == EOF) {
    logmsg(q, LOG_ERR, "failed to read header line from `%s': %s",
           q->ao->sys->procfile,
           ferror(fp) ? strerror(errno) : "unexpected EOF");
    goto err_unk;
  }

  /* Now scan the header line to identify which columns the various
   * interesting fields are in.  Store these in the map `ff'.  Problems:
   * `tx_queue rx_queue' and `tr tm->when' are both really single columns in
   * disguise; and the remote address column has a different heading
   * depending on which address family we're using.  Rather than dispatch,
   * just recognize both of them.
   */
  for (i = 0; i < NFIELD; i++) ff[i] = -1;
  pp = d.buf;
  for (f = 0;; f++) {
    NEXTFIELD; if (!*p) break;
    if (strcmp(p, "local_address") == 0)
      ff[LOC] = f;
    else if (strcmp(p, "rem_address") == 0 ||
             strcmp(p, "remote_address") == 0)
      ff[REM] = f;
    else if (strcmp(p, "uid") == 0)
      ff[UID] = f;
    else if (strcmp(p, "st") == 0)
      ff[ST] = f;
    else if (strcmp(p, "rx_queue") == 0 ||
             strcmp(p, "tm->when") == 0)
      f--;
  }

  /* Make sure that we found all of the fields we actually want. */
  for (i = 0; i < NFIELD; i++) {
    if (ff[i] < 0) {
      logmsg(q, LOG_ERR, "failed to find required fields in `%s'",
             q->ao->sys->procfile);
      goto err_unk;
    }
  }

  /* Work through the lines in the file. */
  for (;;) {

    /* Read a line, and prepare to scan the fields. */
    DRESET(&d);
    if (dstr_putline(&d, fp) == EOF) break;
    pp = d.buf;
    uid = -1;

    /* Work through the fields.  If an address field fails to match then we
     * skip this record.  If the state field isn't 1 (`ESTABLISHED') then
     * skip the record.  If it's the UID, then remember it: if we get all the
     * way to the end then we've won.
     */
    for (f = 0;; f++) {
      NEXTFIELD; if (!*p) break;
      if (f == ff[LOC]) { i = L; goto compare; }
      else if (f == ff[REM]) { i = R; goto compare; }
      else if (f == ff[UID]) uid = atoi(p);
      else if (f == ff[ST]) {
        if (strtol(p, 0, 16) != 1) goto next_row;
      }
      continue;

    compare:
      /* Compare an address (in the current field) with the local or remote
       * address in the query, as indicated by `i'.  The address field looks
       * like `ADDR:PORT', where the ADDR is in some mad format which
       * `sys->parseaddr' knows how to unpick.  If the remote address in the
       * query is our gateway then don't check the remote address in the
       * field (but do check the port number).
       */
      if (q->ao->sys->parseaddr(&p, &s[i].addr)) goto next_row;
      if (*p != ':') break;
      p++;
      s[i].port = strtoul(p, 0, 16);
      if ((i == R && gwp) ?
            q->s[R].port != s[i].port :
            !sockeq(q->ao, &q->s[i], &s[i]))
        goto next_row;
    }

    /* We got to the end, and everything matched.  If we found a UID then
     * we're done.  If the apparent remote address is our gateway then copy
     * the true one into the query structure.
     */
    if (uid != -1) {
      q->resp = R_UID;
      q->u.uid = uid;
      if (gwp) q->s[R].addr = s[i].addr;
      goto done;
    }
  next_row:;
  }

  /* We got to the end of the file and didn't find anything. */
  if (ferror(fp)) {
    logmsg(q, LOG_ERR, "failed to read connection table `%s': %s",
           q->ao->sys->procfile, strerror(errno));
    goto err_unk;
  }

  /* If we opened the NAT table file, and we're using IPv4, then check to see
   * whether we should proxy the connection.  At least the addresses in this
   * file aren't crazy.
   */
  if (natfp) {

    /* Start again from the beginning. */
    rewind(natfp);

    /* Read a line at a time. */
    for (;;) {

      /* Read the line. */
      DRESET(&d);
      if (dstr_putline(&d, natfp) == EOF) break;
      pp = d.buf;

      /* Check that this is for the right protocol. */
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, q->ao->sys->nfl3name)) continue;
      NEXTFIELD; if (!*p) break;
      NEXTFIELD; if (!*p) break;
      if (strcmp(p, "tcp") != 0) continue;

      /* Parse the other fields.  Each line has two src/dst pairs, for the
       * outgoing and incoming directions.  Depending on exactly what kind of
       * NAT is in use, either the outgoing source or the incoming
       * destination might be the client we're after.  Collect all of the
       * addresses and sort out the mess later.
       */
      i = 0;
      fl = 0;
      for (;;) {
        NEXTFIELD; if (!*p) break;
        if (strcmp(p, "ESTABLISHED") == 0)
          fl |= F_ESTAB;
        else if (strncmp(p, "src=", 4) == 0) {
          inet_pton(q->ao->af, p + 4, &s[i].addr);
          fl |= F_SADDR;
        } else if (strncmp(p, "dst=", 4) == 0) {
          inet_pton(q->ao->af, p + 4, &s[i + 1].addr);
          fl |= F_DADDR;
        } else if (strncmp(p, "sport=", 6) == 0) {
          s[i].port = atoi(p + 6);
          fl |= F_SPORT;
        } else if (strncmp(p, "dport=", 6) == 0) {
          s[i + 1].port = atoi(p + 6);
          fl |= F_DPORT;
        }
        if ((fl & F_ALL) == F_ALL) {
          fl &= ~F_ALL;
          if (i < 4) i += 2;
          else break;
        }
      }

#ifdef DEBUG
      {
        /* Print the record we found. */
        dstr dd = DSTR_INIT;
        dstr_putf(&dd, "%sestab ", (fl & F_ESTAB) ? " " : "!");
        dputsock(&dd, q->ao, &s[0]);
        dstr_puts(&dd, "<->");
        dputsock(&dd, q->ao, &s[1]);
        dstr_puts(&dd, " | ");
        dputsock(&dd, q->ao, &s[2]);
        dstr_puts(&dd, "<->");
        dputsock(&dd, q->ao, &s[3]);
        printf("parsed: %s\n", dd.buf);
        dstr_destroy(&dd);
      }
#endif

      /* If the connection isn't ESTABLISHED then skip it. */
      if (!(fl & F_ESTAB)) continue;

      /* Now we try to piece together what's going on.  One of these
       * addresses will be us.  So let's just try to find it.
       */
      for (i = 0; i < 4; i++)
        if (sockeq(q->ao, &s[i], &q->s[L])) goto found_local;
      continue;

    found_local:
      /* So address `i' is us.  In that case, we expect the other address in
       * the same direction, and the same address in the opposite direction,
       * to match each other and be the remote address in the query.
       */
      if (!sockeq(q->ao, &s[i^1], &s[i^2]) ||
          !sockeq(q->ao, &s[i^1], &q->s[R]))
        continue;

      /* As a trap for the unwary, this file contains unhelpful entries which
       * just mirror the source/destination addresses.  If this is one of
       * those, we'll be stuck in a cycle talking to ourselves.
       */
      if (sockeq(q->ao, &s[i], &s[i^3]))
        continue;

      /* We win.  The remaining address must be the client host.  We should
       * proxy this query.
       */
      q->resp = R_NAT;
      q->u.nat = s[i^3];
      goto done;
    }

    /* Reached the end of the NAT file. */
    if (ferror(natfp)) {
      logmsg(q, LOG_ERR, "failed to read `/proc/net/nf_conntrack': %s",
             strerror(errno));
      goto err_unk;
    }
  }

#undef NEXTFIELD

  /* We didn't find a match anywhere.  How unfortunate. */
  logmsg(q, LOG_NOTICE, "connection not found");
  q->resp = R_ERROR;
  q->u.error = E_NOUSER;
  goto done;

err_unk:
  /* Something went wrong and the protocol can't express what.  We should
   * have logged what the problem actually was.
   */
  q->resp = R_ERROR;
  q->u.error = E_UNKNOWN;

done:
  /* All done. */
  dstr_destroy(&d);
  if (fp) fclose(fp);
}

/* Initialize the system-specific code. */
void init_sys(void)
{
  /* Open the NAT connection map. */
  if ((natfp = fopen("/proc/net/nf_conntrack", "r")) == 0 &&
      errno != ENOENT) {
    die(1, "failed to open `/proc/net/nf_conntrack' for reading: %s",
        strerror(errno));
  }

  /* Open the random data source. */
  if ((randfd = open("/dev/urandom", O_RDONLY)) < 0) {
    die(1, "failed to open `/dev/urandom' for reading: %s",
        strerror(errno));
  }
}

/*----- That's all, folks -------------------------------------------------*/