4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
18 static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
19 static const char rcsid[] = "@(#)$Id$";
23 #if defined(sun) && !defined(SOLARIS2)
24 #define STRERROR(x) sys_errlist[x]
25 extern char *sys_errlist[];
27 #define STRERROR(x) strerror(x)
33 extern ipmon_saver_t executesaver;
34 extern ipmon_saver_t filesaver;
35 extern ipmon_saver_t nothingsaver;
36 extern ipmon_saver_t snmpv1saver;
37 extern ipmon_saver_t snmpv2saver;
38 extern ipmon_saver_t syslogsaver;
46 typedef struct logsource {
54 typedef struct config {
57 logsource_t logsrc[3];
66 typedef struct icmp_subtype {
71 typedef struct icmp_type {
73 struct icmp_subtype *it_subtable;
79 #define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t))
82 struct flags tcpfl[] = {
117 static char *pidfile = "/etc/opt/ipf/ipmon.pid";
120 static char *pidfile = "/var/run/ipmon.pid";
122 static char *pidfile = "/etc/ipmon.pid";
126 static char line[2048];
127 static int donehup = 0;
128 static void usage __P((char *));
129 static void handlehup __P((int));
130 static void flushlogs __P((char *, FILE *));
131 static void print_log __P((config_t *, logsource_t *, char *, int));
132 static void print_ipflog __P((config_t *, char *, int));
133 static void print_natlog __P((config_t *, char *, int));
134 static void print_statelog __P((config_t *, char *, int));
135 static int read_log __P((int, int *, char *, int));
136 static void write_pid __P((char *));
137 static char *icmpname __P((u_int, u_int));
138 static char *icmpname6 __P((u_int, u_int));
139 static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t));
140 static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t));
142 static struct tm *get_tm __P((u_32_t));
144 static struct tm *get_tm __P((time_t));
147 char *portlocalname __P((int, char *, u_int));
148 int main __P((int, char *[]));
150 static void logopts __P((int, char *));
151 static void init_tabs __P((void));
152 static char *getlocalproto __P((u_int));
153 static void openlogs __P((config_t *conf));
154 static int read_loginfo __P((config_t *conf));
155 static void initconfig __P((config_t *conf));
157 static char **protocols = NULL;
158 static char **udp_ports = NULL;
159 static char **tcp_ports = NULL;
162 #define HOSTNAMEV4(b) hostname(AF_INET, (u_32_t *)&(b))
165 #define LOGFAC LOG_LOCAL0
169 int opts = OPT_NORESOLVE;
173 static icmp_subtype_t icmpunreachnames[] = {
174 { ICMP_UNREACH_NET, "net" },
175 { ICMP_UNREACH_HOST, "host" },
176 { ICMP_UNREACH_PROTOCOL, "protocol" },
177 { ICMP_UNREACH_PORT, "port" },
178 { ICMP_UNREACH_NEEDFRAG, "needfrag" },
179 { ICMP_UNREACH_SRCFAIL, "srcfail" },
180 { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" },
181 { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" },
182 { ICMP_UNREACH_NET, "isolated" },
183 { ICMP_UNREACH_NET_PROHIB, "net_prohib" },
184 { ICMP_UNREACH_NET_PROHIB, "host_prohib" },
185 { ICMP_UNREACH_TOSNET, "tosnet" },
186 { ICMP_UNREACH_TOSHOST, "toshost" },
187 { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" },
191 static icmp_subtype_t redirectnames[] = {
192 { ICMP_REDIRECT_NET, "net" },
193 { ICMP_REDIRECT_HOST, "host" },
194 { ICMP_REDIRECT_TOSNET, "tosnet" },
195 { ICMP_REDIRECT_TOSHOST, "toshost" },
199 static icmp_subtype_t timxceednames[] = {
200 { ICMP_TIMXCEED_INTRANS, "transit" },
201 { ICMP_TIMXCEED_REASS, "reassem" },
205 static icmp_subtype_t paramnames[] = {
206 { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" },
207 { ICMP_PARAMPROB_OPTABSENT, "optmissing" },
208 { ICMP_PARAMPROB_LENGTH, "length" },
212 static icmp_type_t icmptypes4[] = {
213 { ICMP_ECHOREPLY, NULL, 0, "echoreply" },
214 { -1, NULL, 0, NULL },
215 { -1, NULL, 0, NULL },
216 { ICMP_UNREACH, icmpunreachnames,
217 IST_SZ(icmpunreachnames),"unreach" },
218 { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" },
219 { ICMP_REDIRECT, redirectnames,
220 IST_SZ(redirectnames), "redirect" },
221 { -1, NULL, 0, NULL },
222 { -1, NULL, 0, NULL },
223 { ICMP_ECHO, NULL, 0, "echo" },
224 { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" },
225 { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" },
226 { ICMP_TIMXCEED, timxceednames,
227 IST_SZ(timxceednames), "timxceed" },
228 { ICMP_PARAMPROB, paramnames,
229 IST_SZ(paramnames), "paramprob" },
230 { ICMP_TSTAMP, NULL, 0, "timestamp" },
231 { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" },
232 { ICMP_IREQ, NULL, 0, "inforeq" },
233 { ICMP_IREQREPLY, NULL, 0, "inforeply" },
234 { ICMP_MASKREQ, NULL, 0, "maskreq" },
235 { ICMP_MASKREPLY, NULL, 0, "maskreply" },
236 { -2, NULL, 0, NULL }
239 static icmp_subtype_t icmpredirect6[] = {
240 { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
241 { ICMP6_DST_UNREACH_ADMIN, "admin" },
242 { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" },
243 { ICMP6_DST_UNREACH_ADDR, "address" },
244 { ICMP6_DST_UNREACH_NOPORT, "noport" },
248 static icmp_subtype_t icmptimexceed6[] = {
249 { ICMP6_TIME_EXCEED_TRANSIT, "intransit" },
250 { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" },
254 static icmp_subtype_t icmpparamprob6[] = {
255 { ICMP6_PARAMPROB_HEADER, "header" },
256 { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" },
257 { ICMP6_PARAMPROB_OPTION, "option" },
261 static icmp_subtype_t icmpquerysubject6[] = {
262 { ICMP6_NI_SUBJ_IPV6, "ipv6" },
263 { ICMP6_NI_SUBJ_FQDN, "fqdn" },
264 { ICMP6_NI_SUBJ_IPV4, "ipv4" },
268 static icmp_subtype_t icmpnodeinfo6[] = {
269 { ICMP6_NI_SUCCESS, "success" },
270 { ICMP6_NI_REFUSED, "refused" },
271 { ICMP6_NI_UNKNOWN, "unknown" },
275 static icmp_subtype_t icmprenumber6[] = {
276 { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" },
277 { ICMP6_ROUTER_RENUMBERING_RESULT, "result" },
278 { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" },
282 static icmp_type_t icmptypes6[] = {
283 { 0, NULL, 0, NULL },
284 { ICMP6_DST_UNREACH, icmpredirect6,
285 IST_SZ(icmpredirect6), "unreach" },
286 { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" },
287 { ICMP6_TIME_EXCEEDED, icmptimexceed6,
288 IST_SZ(icmptimexceed6), "timxceed" },
289 { ICMP6_PARAM_PROB, icmpparamprob6,
290 IST_SZ(icmpparamprob6), "paramprob" },
291 { ICMP6_ECHO_REQUEST, NULL, 0, "echo" },
292 { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" },
293 { ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6,
294 IST_SZ(icmpquerysubject6), "groupmemberquery" },
295 { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" },
296 { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" },
297 { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" },
298 { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" },
299 { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" },
300 { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" },
301 { ND_REDIRECT, NULL, 0, "redirect" },
302 { ICMP6_ROUTER_RENUMBERING, icmprenumber6,
303 IST_SZ(icmprenumber6), "routerrenumber" },
304 { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" },
305 { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" },
306 { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" },
307 { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" },
308 { ICMP6_NI_QUERY, icmpnodeinfo6,
309 IST_SZ(icmpnodeinfo6), "nodeinforequest" },
310 { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" },
311 { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" },
312 { MLD6_MTRACE, NULL, 0, "mtracerequest" },
313 { -2, NULL, 0, NULL }
316 static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
318 icmp_subtype_t *table;
327 if ((type < 0) || (type > table[tablesz - 2].ist_val))
331 if (table[type].ist_val == type)
334 for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
335 if (ist->ist_val == type)
341 static icmp_type_t *find_icmptype(type, table, tablesz)
352 if ((type < 0) || (type > table[tablesz - 2].it_val))
356 if (table[type].it_val == type)
359 for (i = 0, it = table; it->it_val != -2; i++, it++)
360 if (it->it_val == type)
366 static void handlehup(sig)
369 signal(SIGHUP, handlehup);
374 static void init_tabs()
381 if (protocols != NULL) {
382 for (i = 0; i < 256; i++)
383 if (protocols[i] != NULL) {
390 protocols = (char **)malloc(256 * sizeof(*protocols));
391 if (protocols != NULL) {
392 bzero((char *)protocols, 256 * sizeof(*protocols));
395 while ((p = getprotoent()) != NULL)
396 if (p->p_proto >= 0 && p->p_proto <= 255 &&
397 p->p_name != NULL && protocols[p->p_proto] == NULL)
398 protocols[p->p_proto] = strdup(p->p_name);
402 protocols[0] = strdup("ip");
405 free(protocols[252]);
406 protocols[252] = NULL;
410 if (udp_ports != NULL) {
411 for (i = 0; i < 65536; i++)
412 if (udp_ports[i] != NULL) {
419 udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
420 if (udp_ports != NULL)
421 bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
423 if (tcp_ports != NULL) {
424 for (i = 0; i < 65536; i++)
425 if (tcp_ports[i] != NULL) {
432 tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
433 if (tcp_ports != NULL)
434 bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
437 while ((s = getservent()) != NULL) {
438 if (s->s_proto == NULL)
440 else if (!strcmp(s->s_proto, "tcp")) {
441 port = ntohs(s->s_port);
444 } else if (!strcmp(s->s_proto, "udp")) {
445 port = ntohs(s->s_port);
450 if ((port < 0 || port > 65535) || (name == NULL))
453 tab[port] = strdup(name);
459 static char *getlocalproto(p)
466 s = protocols ? protocols[p] : NULL;
468 sprintf(pnum, "%u", p);
475 static int read_log(fd, lenp, buf, bufsize)
476 int fd, bufsize, *lenp;
481 if (bufsize > IPFILTER_LOGSIZE)
482 bufsize = IPFILTER_LOGSIZE;
484 nr = read(fd, buf, bufsize);
487 if ((nr < 0) && (errno != EINTR))
494 char *portlocalname(res, proto, port)
499 static char pname[8];
504 sprintf(pname, "%u", port);
505 if (!res || (ipmonopts & IPMON_PORTNUM))
508 if (!strcmp(proto, "tcp"))
510 else if (!strcmp(proto, "udp"))
518 static char *icmpname(type, code)
522 static char name[80];
528 it = find_icmptype(type, icmptypes4, sizeof(icmptypes4) / sizeof(*it));
533 sprintf(name, "icmptype(%d)/", type);
535 sprintf(name, "%s/", s);
538 if (it != NULL && it->it_subtable != NULL)
539 ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
541 if (ist != NULL && ist->ist_name != NULL)
542 strcat(name, ist->ist_name);
544 sprintf(name + strlen(name), "%d", code);
549 static char *icmpname6(type, code)
553 static char name[80];
559 it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it));
564 sprintf(name, "icmpv6type(%d)/", type);
566 sprintf(name, "%s/", s);
569 if (it != NULL && it->it_subtable != NULL)
570 ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
572 if (ist != NULL && ist->ist_name != NULL)
573 strcat(name, ist->ist_name);
575 sprintf(name + strlen(name), "%d", code);
581 void dumphex(log, dopts, buf, len)
589 u_char *s = (u_char *)buf, *t = (u_char *)hline;
591 if (buf == NULL || len == 0)
596 for (i = len, j = 0; i; i--, j++, s++) {
597 if (j && !(j & 0xf)) {
600 if ((dopts & IPMON_SYSLOG))
601 syslog(LOG_INFO, "%s", hline);
602 else if (log != NULL)
607 sprintf((char *)t, "%02x", *s & 0xff);
609 if (!((j + 1) & 0xf)) {
611 sprintf((char *)t, " ");
613 for (k = 16; k; k--, s++)
614 *t++ = (isprint(*s) ? *s : '.');
623 for (k = 16 - (j & 0xf); k; k--) {
628 sprintf((char *)t, " ");
631 for (k = j & 0xf; k; k--, s++)
632 *t++ = (isprint(*s) ? *s : '.');
636 if ((dopts & IPMON_SYSLOG) != 0)
637 syslog(LOG_INFO, "%s", hline);
638 else if (log != NULL) {
645 static struct tm *get_tm(sec)
660 static void print_natlog(conf, buf, blen)
665 static u_32_t seqnum = 0;
666 int res, i, len, family;
676 ipl = (iplog_t *)buf;
677 if (ipl->ipl_seqnum != seqnum) {
678 if ((ipmonopts & IPMON_SYSLOG) != 0) {
680 "missed %u NAT log entries: %u %u",
681 ipl->ipl_seqnum - seqnum, seqnum,
684 (void) fprintf(conf->log,
685 "missed %u NAT log entries: %u %u\n",
686 ipl->ipl_seqnum - seqnum, seqnum,
690 seqnum = ipl->ipl_seqnum + ipl->ipl_count;
692 nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
693 res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
694 tm = get_tm(ipl->ipl_sec);
697 if (!(ipmonopts & IPMON_SYSLOG)) {
698 (void) strftime(t, len, "%d/%m/%Y ", tm);
703 (void) strftime(t, len, "%T", tm);
705 sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
708 switch (nl->nl_action)
711 strcpy(t, "NAT:NEW");
715 strcpy(t, "NAT:FLUSH");
719 strcpy(t, "NAT:CLONE");
723 strcpy(t, "NAT:EXPIRE");
727 strcpy(t, "NAT:DESTROY");
731 strcpy(t, "NAT:PURGE");
735 sprintf(t, "NAT:Action(%d)", nl->nl_action);
754 strcpy(t, "-BIMAP ");
759 strcpy(t, "-MAPBLOCK ");
763 case NAT_REWRITE|NAT_MAP :
764 strcpy(t, "-RWR_MAP ");
767 case NAT_REWRITE|NAT_REDIRECT :
768 strcpy(t, "-RWR_RDR ");
771 case NAT_ENCAP|NAT_MAP :
772 strcpy(t, "-ENC_MAP ");
775 case NAT_ENCAP|NAT_REDIRECT :
776 strcpy(t, "-ENC_RDR ");
779 case NAT_DIVERTUDP|NAT_MAP :
780 strcpy(t, "-DIV_MAP ");
783 case NAT_DIVERTUDP|NAT_REDIRECT :
784 strcpy(t, "-DIV_RDR ");
788 sprintf(t, "-Type(%d) ", nl->nl_type);
793 proto = getlocalproto(nl->nl_p[0]);
795 family = vtof(nl->nl_v[0]);
798 sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_osrcip.i6),
799 portlocalname(res, proto, (u_int)nl->nl_osrcport));
801 sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
802 portlocalname(res, proto, (u_int)nl->nl_nsrcport));
804 sprintf(t, "[%s,%s] ", hostname(family, nl->nl_odstip.i6),
805 portlocalname(res, proto, (u_int)nl->nl_odstport));
807 sprintf(t, "%s,%s ", hostname(family, nl->nl_osrcip.i6),
808 portlocalname(res, proto, (u_int)nl->nl_osrcport));
810 sprintf(t, "%s,%s <- -> ", hostname(family, nl->nl_odstip.i6),
811 portlocalname(res, proto, (u_int)nl->nl_odstport));
813 sprintf(t, "%s,%s ", hostname(family, nl->nl_nsrcip.i6),
814 portlocalname(res, proto, (u_int)nl->nl_nsrcport));
816 sprintf(t, "%s,%s ", hostname(family, nl->nl_ndstip.i6),
817 portlocalname(res, proto, (u_int)nl->nl_ndstport));
821 strcpy(t, getlocalproto(nl->nl_p[0]));
824 if (nl->nl_action == NL_EXPIRE || nl->nl_action == NL_FLUSH) {
827 sprintf(t, " Pkts %" PRId64 "/%" PRId64 " Bytes %" PRId64 "/%"
830 sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
833 sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
835 nl->nl_pkts[0], nl->nl_pkts[1],
836 nl->nl_bytes[0], nl->nl_bytes[1]);
842 if (ipmonopts & IPMON_SYSLOG)
843 syslog(LOG_INFO, "%s", line);
844 else if (conf->log != NULL)
845 (void) fprintf(conf->log, "%s", line);
849 static void print_statelog(conf, buf, blen)
854 static u_32_t seqnum = 0;
855 int res, i, len, family;
862 ipl = (iplog_t *)buf;
863 if (ipl->ipl_seqnum != seqnum) {
864 if ((ipmonopts & IPMON_SYSLOG) != 0) {
866 "missed %u state log entries: %u %u",
867 ipl->ipl_seqnum - seqnum, seqnum,
870 (void) fprintf(conf->log,
871 "missed %u state log entries: %u %u\n",
872 ipl->ipl_seqnum - seqnum, seqnum,
876 seqnum = ipl->ipl_seqnum + ipl->ipl_count;
878 sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
879 res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
880 tm = get_tm(ipl->ipl_sec);
882 if (!(ipmonopts & IPMON_SYSLOG)) {
883 (void) strftime(t, len, "%d/%m/%Y ", tm);
888 (void) strftime(t, len, "%T", tm);
890 sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
893 family = vtof(sl->isl_v);
895 switch (sl->isl_type)
898 strcpy(t, "STATE:NEW ");
902 strcpy(t, "STATE:CLONED ");
906 if ((sl->isl_p == IPPROTO_TCP) &&
907 (sl->isl_state[0] > IPF_TCPS_ESTABLISHED ||
908 sl->isl_state[1] > IPF_TCPS_ESTABLISHED))
909 strcpy(t, "STATE:CLOSE ");
911 strcpy(t, "STATE:EXPIRE ");
915 strcpy(t, "STATE:FLUSH ");
918 case ISL_INTERMEDIATE :
919 strcpy(t, "STATE:INTERMEDIATE ");
923 strcpy(t, "STATE:REMOVE ");
927 strcpy(t, "STATE:KILLED ");
931 strcpy(t, "STATE:UNLOAD ");
935 sprintf(t, "Type: %d ", sl->isl_type);
940 proto = getlocalproto(sl->isl_p);
942 if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
943 sprintf(t, "%s,%s -> ",
944 hostname(family, (u_32_t *)&sl->isl_src),
945 portlocalname(res, proto, (u_int)sl->isl_sport));
947 sprintf(t, "%s,%s PR %s",
948 hostname(family, (u_32_t *)&sl->isl_dst),
949 portlocalname(res, proto, (u_int)sl->isl_dport), proto);
950 } else if (sl->isl_p == IPPROTO_ICMP) {
951 sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
953 sprintf(t, "%s PR icmp %d",
954 hostname(family, (u_32_t *)&sl->isl_dst),
956 } else if (sl->isl_p == IPPROTO_ICMPV6) {
957 sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
959 sprintf(t, "%s PR icmpv6 %d",
960 hostname(family, (u_32_t *)&sl->isl_dst),
963 sprintf(t, "%s -> ", hostname(family, (u_32_t *)&sl->isl_src));
965 sprintf(t, "%s PR %s",
966 hostname(family, (u_32_t *)&sl->isl_dst), proto);
969 if (sl->isl_tag != FR_NOLOGTAG) {
970 sprintf(t, " tag %u", sl->isl_tag);
973 if (sl->isl_type != ISL_NEW) {
977 " Forward: Pkts in %" PRId64 " Bytes in %" PRId64
978 " Pkts out %" PRId64 " Bytes out %" PRId64
979 " Backward: Pkts in %" PRId64 " Bytes in %" PRId64
980 " Pkts out %" PRId64 " Bytes out %" PRId64,
982 " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd",
985 " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld",
987 sl->isl_pkts[0], sl->isl_bytes[0],
988 sl->isl_pkts[1], sl->isl_bytes[1],
989 sl->isl_pkts[2], sl->isl_bytes[2],
990 sl->isl_pkts[3], sl->isl_bytes[3]);
997 if (ipmonopts & IPMON_SYSLOG)
998 syslog(LOG_INFO, "%s", line);
999 else if (conf->log != NULL)
1000 (void) fprintf(conf->log, "%s", line);
1004 static void print_log(conf, log, buf, blen)
1018 ipl = (iplog_t *)buf;
1019 if ((u_long)ipl & (sizeof(long)-1)) {
1022 bp = (char *)malloc(blen);
1023 bcopy((char *)ipl, bp, blen);
1032 psize = ipl->ipl_dsize;
1036 if (conf->blog != NULL) {
1037 fwrite(buf, psize, 1, conf->blog);
1041 if (log->logtype == IPL_LOGIPF) {
1042 if (ipl->ipl_magic == IPL_MAGIC)
1043 print_ipflog(conf, buf, psize);
1045 } else if (log->logtype == IPL_LOGNAT) {
1046 if (ipl->ipl_magic == IPL_MAGIC_NAT)
1047 print_natlog(conf, buf, psize);
1049 } else if (log->logtype == IPL_LOGSTATE) {
1050 if (ipl->ipl_magic == IPL_MAGIC_STATE)
1051 print_statelog(conf, buf, psize);
1063 static void print_ipflog(conf, buf, blen)
1068 static u_32_t seqnum = 0;
1069 int i, f, lvl, res, len, off, plen, ipoff, defaction;
1081 struct ip6_ext *ehp;
1087 ipl = (iplog_t *)buf;
1088 if (ipl->ipl_seqnum != seqnum) {
1089 if ((ipmonopts & IPMON_SYSLOG) != 0) {
1091 "missed %u ipf log entries: %u %u",
1092 ipl->ipl_seqnum - seqnum, seqnum,
1095 (void) fprintf(conf->log,
1096 "missed %u ipf log entries: %u %u\n",
1097 ipl->ipl_seqnum - seqnum, seqnum,
1101 seqnum = ipl->ipl_seqnum + ipl->ipl_count;
1103 ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
1104 ip = (ip_t *)((char *)ipf + sizeof(*ipf));
1106 res = (ipmonopts & IPMON_RESOLVE) ? 1 : 0;
1109 tm = get_tm(ipl->ipl_sec);
1112 if (!(ipmonopts & IPMON_SYSLOG)) {
1113 (void) strftime(t, len, "%d/%m/%Y ", tm);
1118 (void) strftime(t, len, "%T", tm);
1120 sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
1122 if (ipl->ipl_count > 1) {
1123 sprintf(t, "%dx ", ipl->ipl_count);
1126 #if (defined(MENTAT) || \
1127 (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
1128 (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
1129 (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
1131 char ifname[sizeof(ipf->fl_ifname) + 1];
1133 strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
1134 ifname[sizeof(ipf->fl_ifname)] = '\0';
1135 sprintf(t, "%s", ifname);
1137 # if defined(MENTAT) || defined(linux)
1140 * On Linux, the loopback interface is just "lo", not "lo0".
1142 if (strcmp(ifname, "lo") != 0)
1144 if (ISALPHA(*(t - 1))) {
1145 sprintf(t, "%d", ipf->fl_unit);
1151 for (len = 0; len < 3; len++)
1152 if (ipf->fl_ifname[len] == '\0')
1154 if (ipf->fl_ifname[len])
1156 sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
1159 if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
1161 else if (ipf->fl_group[0] == '\0')
1162 (void) strcpy(t, " @0:");
1164 sprintf(t, " @%s:", ipf->fl_group);
1166 if (ipf->fl_rule == 0xffffffff)
1169 sprintf(t, "%u ", ipf->fl_rule + 1);
1174 if (ipf->fl_lflags & FI_SHORT) {
1179 if (FR_ISPASS(ipf->fl_flags)) {
1180 if (ipf->fl_flags & FR_LOGP)
1184 } else if (FR_ISBLOCK(ipf->fl_flags)) {
1185 if (ipf->fl_flags & FR_LOGB)
1190 } else if ((ipf->fl_flags & FR_LOGMASK) == FR_LOG) {
1193 } else if (ipf->fl_flags & FF_LOGNOMATCH) {
1199 if (ipf->fl_loglevel != 0xffff)
1200 lvl = ipf->fl_loglevel;
1205 hl = IP_HL(ip) << 2;
1206 ipoff = ntohs(ip->ip_off);
1207 off = ipoff & IP_OFFMASK;
1208 p = (u_short)ip->ip_p;
1209 s = (u_32_t *)&ip->ip_src;
1210 d = (u_32_t *)&ip->ip_dst;
1211 plen = ntohs(ip->ip_len);
1214 if (f == AF_INET6) {
1219 p = (u_short)ip6->ip6_nxt;
1220 s = (u_32_t *)&ip6->ip6_src;
1221 d = (u_32_t *)&ip6->ip6_dst;
1222 plen = hl + ntohs(ip6->ip6_plen);
1224 ehp = (struct ip6_ext *)((char *)ip6 + hl);
1228 case IPPROTO_HOPOPTS :
1229 case IPPROTO_MOBILITY :
1230 case IPPROTO_DSTOPTS :
1231 case IPPROTO_ROUTING :
1234 ehl = 8 + (ehp->ip6e_len << 3);
1236 ehp = (struct ip6_ext *)((char *)ehp + ehl);
1238 case IPPROTO_FRAGMENT :
1239 hl += sizeof(struct ip6_frag);
1251 proto = getlocalproto(p);
1253 if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
1254 tp = (tcphdr_t *)((char *)ip + hl);
1255 if (!(ipf->fl_lflags & FI_SHORT)) {
1256 sprintf(t, "%s,%s -> ", hostname(f, s),
1257 portlocalname(res, proto, (u_int)tp->th_sport));
1259 sprintf(t, "%s,%s PR %s len %hu %hu",
1261 portlocalname(res, proto, (u_int)tp->th_dport),
1265 if (p == IPPROTO_TCP) {
1268 for (i = 0; tcpfl[i].value; i++)
1269 if (tp->th_flags & tcpfl[i].value)
1270 *t++ = tcpfl[i].flag;
1271 if (ipmonopts & IPMON_VERBOSE) {
1272 sprintf(t, " %lu %lu %hu",
1273 (u_long)(ntohl(tp->th_seq)),
1274 (u_long)(ntohl(tp->th_ack)),
1281 sprintf(t, "%s -> ", hostname(f, s));
1283 sprintf(t, "%s PR %s len %hu %hu",
1284 hostname(f, d), proto, hl, plen);
1286 #if defined(AF_INET6) && defined(IPPROTO_ICMPV6)
1287 } else if ((p == IPPROTO_ICMPV6) && !off && (f == AF_INET6)) {
1288 ic = (struct icmp *)((char *)ip + hl);
1289 sprintf(t, "%s -> ", hostname(f, s));
1291 sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
1292 hostname(f, d), hl, plen,
1293 icmpname6(ic->icmp_type, ic->icmp_code));
1295 } else if ((p == IPPROTO_ICMP) && !off && (f == AF_INET)) {
1296 ic = (struct icmp *)((char *)ip + hl);
1297 sprintf(t, "%s -> ", hostname(f, s));
1299 sprintf(t, "%s PR icmp len %hu %hu icmp %s",
1300 hostname(f, d), hl, plen,
1301 icmpname(ic->icmp_type, ic->icmp_code));
1302 if (ic->icmp_type == ICMP_UNREACH ||
1303 ic->icmp_type == ICMP_SOURCEQUENCH ||
1304 ic->icmp_type == ICMP_PARAMPROB ||
1305 ic->icmp_type == ICMP_REDIRECT ||
1306 ic->icmp_type == ICMP_TIMXCEED) {
1308 i = ntohs(ipc->ip_len);
1310 * XXX - try to guess endian of ip_len in ICMP
1315 ipoff = ntohs(ipc->ip_off);
1316 proto = getlocalproto(ipc->ip_p);
1318 if (!(ipoff & IP_OFFMASK) &&
1319 ((ipc->ip_p == IPPROTO_TCP) ||
1320 (ipc->ip_p == IPPROTO_UDP))) {
1321 tp = (tcphdr_t *)((char *)ipc + hl);
1323 sprintf(t, " for %s,%s -",
1324 HOSTNAMEV4(ipc->ip_src),
1325 portlocalname(res, proto,
1326 (u_int)tp->th_sport));
1328 sprintf(t, " %s,%s PR %s len %hu %hu",
1329 HOSTNAMEV4(ipc->ip_dst),
1330 portlocalname(res, proto,
1331 (u_int)tp->th_dport),
1332 proto, IP_HL(ipc) << 2, i);
1333 } else if (!(ipoff & IP_OFFMASK) &&
1334 (ipc->ip_p == IPPROTO_ICMP)) {
1335 icmp = (icmphdr_t *)((char *)ipc + hl);
1338 sprintf(t, " for %s -",
1339 HOSTNAMEV4(ipc->ip_src));
1342 " %s PR icmp len %hu %hu icmp %d/%d",
1343 HOSTNAMEV4(ipc->ip_dst),
1345 icmp->icmp_type, icmp->icmp_code);
1348 sprintf(t, " for %s -",
1349 HOSTNAMEV4(ipc->ip_src));
1351 sprintf(t, " %s PR %s len %hu (%hu)",
1352 HOSTNAMEV4(ipc->ip_dst), proto,
1353 IP_HL(ipc) << 2, i);
1355 if (ipoff & IP_OFFMASK) {
1356 sprintf(t, "(frag %d:%hu@%hu%s%s)",
1358 i - (IP_HL(ipc) << 2),
1359 (ipoff & IP_OFFMASK) << 3,
1360 ipoff & IP_MF ? "+" : "",
1361 ipoff & IP_DF ? "-" : "");
1367 sprintf(t, "%s -> ", hostname(f, s));
1369 sprintf(t, "%s PR %s len %hu (%hu)",
1370 hostname(f, d), proto, hl, plen);
1372 if (off & IP_OFFMASK)
1373 sprintf(t, " (frag %d:%hu@%hu%s%s)",
1375 plen - hl, (off & IP_OFFMASK) << 3,
1376 ipoff & IP_MF ? "+" : "",
1377 ipoff & IP_DF ? "-" : "");
1382 if (ipf->fl_flags & FR_KEEPSTATE) {
1383 (void) strcpy(t, " K-S");
1387 if (ipf->fl_flags & FR_KEEPFRAG) {
1388 (void) strcpy(t, " K-F");
1392 if (ipf->fl_dir == 0)
1394 else if (ipf->fl_dir == 1)
1397 if (ipf->fl_logtag != 0) {
1398 sprintf(t, " log-tag %d", ipf->fl_logtag);
1401 if (ipf->fl_nattag.ipt_num[0] != 0) {
1402 strcpy(t, " nat-tag ");
1404 strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag));
1407 if ((ipf->fl_lflags & FI_LOWTTL) != 0) {
1408 strcpy(t, " low-ttl");
1411 if ((ipf->fl_lflags & FI_OOW) != 0) {
1415 if ((ipf->fl_lflags & FI_BAD) != 0) {
1419 if ((ipf->fl_lflags & FI_NATED) != 0) {
1423 if ((ipf->fl_lflags & FI_BADNAT) != 0) {
1424 strcpy(t, " bad-NAT");
1427 if ((ipf->fl_lflags & FI_BADSRC) != 0) {
1428 strcpy(t, " bad-src");
1431 if ((ipf->fl_lflags & FI_MULTICAST) != 0) {
1432 strcpy(t, " multicast");
1435 if ((ipf->fl_lflags & FI_BROADCAST) != 0) {
1436 strcpy(t, " broadcast");
1439 if ((ipf->fl_lflags & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST)) ==
1441 strcpy(t, " mbcast");
1444 if (ipf->fl_breason != 0) {
1445 strcpy(t, " reason:");
1447 strcpy(t, reasons[ipf->fl_breason]);
1448 t += strlen(reasons[ipf->fl_breason]);
1453 if (conf->cfile != NULL)
1454 defaction = check_action(buf, line, ipmonopts, lvl);
1456 if (defaction == 0) {
1457 if (ipmonopts & IPMON_SYSLOG) {
1458 syslog(lvl, "%s", line);
1459 } else if (conf->log != NULL) {
1460 (void) fprintf(conf->log, "%s", line);
1463 if (ipmonopts & IPMON_HEXHDR) {
1464 dumphex(conf->log, ipmonopts, buf,
1465 sizeof(iplog_t) + sizeof(*ipf));
1467 if (ipmonopts & IPMON_HEXBODY) {
1468 dumphex(conf->log, ipmonopts, (char *)ip,
1469 ipf->fl_plen + ipf->fl_hlen);
1470 } else if ((ipmonopts & IPMON_LOGBODY) &&
1471 (ipf->fl_flags & FR_LOGBODY)) {
1472 dumphex(conf->log, ipmonopts, (char *)ip + ipf->fl_hlen,
1479 static void usage(prog)
1482 fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
1487 static void write_pid(file)
1493 if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0) {
1494 fp = fdopen(fd, "w");
1498 "unable to open/create pid file: %s\n", file);
1501 fprintf(fp, "%d", getpid());
1507 static void flushlogs(file, log)
1511 int fd, flushed = 0;
1513 if ((fd = open(file, O_RDWR)) == -1) {
1514 (void) fprintf(stderr, "%s: open: %s\n",
1515 file, STRERROR(errno));
1519 if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
1520 printf("%d bytes flushed from log buffer\n",
1524 ipferror(fd, "SIOCIPFFB");
1528 if (ipmonopts & IPMON_SYSLOG) {
1529 syslog(LOG_INFO, "%d bytes flushed from log\n",
1531 } else if ((log != stdout) && (log != NULL)) {
1532 fprintf(log, "%d bytes flushed from log\n", flushed);
1538 static void logopts(turnon, options)
1545 for (s = options; *s; s++)
1553 flags |= IPMON_STATE;
1556 flags |= IPMON_FILTER;
1559 fprintf(stderr, "Unknown log option %c\n", *s);
1567 ipmonopts &= ~(flags);
1570 static void initconfig(config_t *conf)
1574 memset(conf, 0, sizeof(*conf));
1579 for (i = 0; i < 3; i++) {
1580 conf->logsrc[i].fd = -1;
1581 conf->logsrc[i].logtype = -1;
1582 conf->logsrc[i].regular = -1;
1585 conf->logsrc[0].file = IPL_NAME;
1586 conf->logsrc[1].file = IPNAT_NAME;
1587 conf->logsrc[2].file = IPSTATE_NAME;
1589 add_doing(&executesaver);
1590 add_doing(&snmpv1saver);
1591 add_doing(&snmpv2saver);
1592 add_doing(&syslogsaver);
1593 add_doing(&filesaver);
1594 add_doing(¬hingsaver);
1598 int main(argc, argv)
1602 int doread, c, make_daemon = 0;
1606 prog = strrchr(argv[0], '/');
1612 initconfig(&config);
1614 while ((c = getopt(argc, argv,
1615 "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
1619 ipmonopts |= IPMON_LOGALL;
1620 config.logsrc[0].logtype = IPL_LOGIPF;
1621 config.logsrc[1].logtype = IPL_LOGNAT;
1622 config.logsrc[2].logtype = IPL_LOGSTATE;
1625 ipmonopts |= IPMON_LOGBODY;
1628 config.bfile = optarg;
1629 config.blog = fopen(optarg, "a");
1632 config.cfile = optarg;
1637 case 'f' : case 'I' :
1638 ipmonopts |= IPMON_FILTER;
1639 config.logsrc[0].logtype = IPL_LOGIPF;
1640 config.logsrc[0].file = optarg;
1643 flushlogs(config.logsrc[0].file, config.log);
1644 flushlogs(config.logsrc[1].file, config.log);
1645 flushlogs(config.logsrc[2].file, config.log);
1648 logfac = fac_findname(optarg);
1651 "Unknown syslog facility '%s'\n",
1657 ipmonopts |= IPMON_RESOLVE;
1658 opts &= ~OPT_NORESOLVE;
1661 ipmonopts |= IPMON_NAT;
1662 config.logsrc[1].logtype = IPL_LOGNAT;
1663 config.logsrc[1].file = optarg;
1665 case 'o' : case 'O' :
1666 logopts(c == 'o', optarg);
1667 if (ipmonopts & IPMON_FILTER)
1668 config.logsrc[0].logtype = IPL_LOGIPF;
1669 if (ipmonopts & IPMON_NAT)
1670 config.logsrc[1].logtype = IPL_LOGNAT;
1671 if (ipmonopts & IPMON_STATE)
1672 config.logsrc[2].logtype = IPL_LOGSTATE;
1675 ipmonopts |= IPMON_PORTNUM;
1681 ipmonopts |= IPMON_SYSLOG;
1685 ipmonopts |= IPMON_STATE;
1686 config.logsrc[2].logtype = IPL_LOGSTATE;
1687 config.logsrc[2].file = optarg;
1690 ipmonopts |= IPMON_TAIL;
1693 ipmonopts |= IPMON_VERBOSE;
1696 ipmonopts |= IPMON_HEXBODY;
1699 ipmonopts |= IPMON_HEXHDR;
1707 if (ipmonopts & IPMON_SYSLOG)
1708 openlog(prog, LOG_NDELAY|LOG_PID, logfac);
1712 if (load_config(config.cfile) == -1) {
1718 * Default action is to only open the filter log file.
1720 if ((config.logsrc[0].logtype == -1) &&
1721 (config.logsrc[0].logtype == -1) &&
1722 (config.logsrc[0].logtype == -1))
1723 config.logsrc[0].logtype = IPL_LOGIPF;
1727 if (!(ipmonopts & IPMON_SYSLOG)) {
1728 config.file = argv[optind];
1729 config.log = config.file ? fopen(config.file, "a") : stdout;
1730 if (config.log == NULL) {
1731 (void) fprintf(stderr, "%s: fopen: %s\n",
1732 argv[optind], STRERROR(errno));
1736 setvbuf(config.log, NULL, _IONBF, 0);
1742 ((config.log != stdout) || (ipmonopts & IPMON_SYSLOG))) {
1744 daemon(0, !(ipmonopts & IPMON_SYSLOG));
1751 (void) fprintf(stderr, "%s: fork() failed: %s\n",
1752 argv[0], STRERROR(errno));
1762 if ((ipmonopts & IPMON_SYSLOG))
1770 signal(SIGHUP, handlehup);
1772 for (doread = 1; doread; )
1773 doread = read_loginfo(&config);
1782 static void openlogs(config_t *conf)
1788 for (i = 0; i < 3; i++) {
1789 l = &conf->logsrc[i];
1790 if (l->logtype == -1)
1792 if (!strcmp(l->file, "-"))
1795 if ((l->fd= open(l->file, O_RDONLY)) == -1) {
1796 (void) fprintf(stderr,
1797 "%s: open: %s\n", l->file,
1803 if (fstat(l->fd, &sb) == -1) {
1804 (void) fprintf(stderr, "%d: fstat: %s\n",
1805 l->fd, STRERROR(errno));
1810 l->regular = !S_ISCHR(sb.st_mode);
1812 l->size = sb.st_size;
1814 FD_SET(l->fd, &conf->fdmr);
1815 if (l->fd > conf->maxfd)
1816 conf->maxfd = l->fd;
1822 static int read_loginfo(config_t *conf)
1824 iplog_t buf[DEFAULT_IPFLOGSIZE/sizeof(iplog_t)+1];
1831 n = select(conf->maxfd + 1, &fdr, NULL, NULL, NULL);
1840 for (i = 0, nr = 0; i < 3; i++) {
1841 l = &conf->logsrc[i];
1843 if ((l->logtype == -1) || !FD_ISSET(l->fd, &fdr))
1848 tr = (lseek(l->fd, 0, SEEK_CUR) < l->size);
1849 if (!tr && !(ipmonopts & IPMON_TAIL))
1854 tr = read_log(l->fd, &n, (char *)buf, sizeof(buf));
1856 if (conf->file != NULL) {
1857 if (conf->log != NULL) {
1861 conf->log = fopen(conf->file, "a");
1864 if (conf->bfile != NULL) {
1865 if (conf->blog != NULL) {
1869 conf->blog = fopen(conf->bfile, "a");
1873 if (conf->cfile != NULL)
1874 load_config(conf->cfile);
1881 if (ipmonopts & IPMON_SYSLOG)
1882 syslog(LOG_CRIT, "read: %m\n");
1884 ipferror(l->fd, "read");
1888 if (ipmonopts & IPMON_SYSLOG)
1889 syslog(LOG_CRIT, "aborting logging\n");
1890 else if (conf->log != NULL)
1891 fprintf(conf->log, "aborting logging\n");
1898 print_log(conf, l, (char *)buf, n);
1899 if (!(ipmonopts & IPMON_SYSLOG))
1906 if (!nr && (ipmonopts & IPMON_TAIL))
projects / FreeBSD / releng / 10.0.git / blob