3 Copyright (C) 2014 Proxmox Server Solutions GmbH
5 This software is written by Proxmox Server Solutions GmbH <support@proxmox.com>
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU Affero General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU Affero General Public License for more details.
17 You should have received a copy of the GNU Affero General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 Author: Dietmar Maurer <dietmar@proxmox.com>
32 #include <sys/signalfd.h>
33 #include <sys/types.h>
37 #include <arpa/inet.h>
38 #include <sys/socket.h>
40 #include <linux/netlink.h>
41 #include <libnfnetlink/libnfnetlink.h>
42 #include <libnetfilter_log/libnetfilter_log.h>
43 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
44 #include <netinet/ip.h>
45 #include <netinet/ip_icmp.h>
46 #include <netinet/ip6.h>
47 #include <netinet/icmp6.h>
48 #include <netinet/udp.h>
49 #include <netinet/tcp.h>
50 #include <netinet/if_ether.h>
55 static struct nflog_handle
*logh
= NULL
;
56 static struct nlif_handle
*nlifh
= NULL
;
57 static struct nfct_handle
*nfcth
= NULL
;
60 gboolean foreground
= FALSE
;
61 gboolean debug
= FALSE
;
62 gboolean conntrack
= FALSE
;
68 Special care was taken to allow fast parsing (and filer messages for a singl VM).
70 <VMID> <LOGLEVEL> <CHAIN> <TIME> <TIMEZONE> <MSG>
74 117 6 tap117i0-IN 14/Mar/2014:12:47:07 +0100 policy REJECT: IN=vmbr1 ...
78 #define LOGFILE "/var/log/pve-firewall.log"
80 #define LOCKFILE "/var/lock/pvefw-logger.lck"
81 #define PIDFILE "/var/run/pvefw-logger.pid"
82 #define LOG_CONNTRACK_FILE "/var/lib/pve-firewall/log_nf_conntrack"
85 #define LE_MAX (512 - 4) // try to fit into 512 bytes
87 #define MAX_CHAIN_LEN 28
90 guint32 len
; // max LE_MAX chars
94 #define STATIC_ASSERT(cond) \
95 extern void pve_static_assert(int test[(cond) ? 1 : -1])
97 STATIC_ASSERT(sizeof(struct log_entry
) == 512);
101 gboolean terminate_threads
= FALSE
;
103 static gboolean
write_pidfile(pid_t pid
)
107 char *strpid
= g_strdup_printf("%d\n", pid
);
108 res
= g_file_set_contents(PIDFILE
, strpid
, strlen(strpid
), NULL
);
114 static GAsyncQueue
*queue
;
117 safe_write(int fd
, char *buf
, size_t count
)
122 n
= write(fd
, buf
, count
);
123 } while (n
< 0 && errno
== EINTR
);
129 log_writer_thread(gpointer data
)
132 struct log_entry
*le
= (struct log_entry
*)g_async_queue_timeout_pop(queue
, 250000);
134 if (terminate_threads
) {
140 if (debug
) fputs(le
->buf
, stdout
);
142 int res
= safe_write(outfd
, le
->buf
, le
->len
);
147 syslog(3, "writing log failed, stopping daemon - %s", strerror (errno
));
148 g_main_loop_quit(main_loop
);
156 static int skipped_logs
= 0;
158 static void log_status_message(guint loglevel
, const char *fmt
, ...);
161 queue_log_entry(struct log_entry
*le
)
163 gint len
= g_async_queue_length(queue
);
165 if (skipped_logs
> 0) {
166 if (len
>= (LQ_LEN
- 1)) {
169 int skip_tmp
= skipped_logs
;
170 skipped_logs
= 0; // clear before calling log_status_message()
171 log_status_message(3, "skipped %d log entries (queue full)", skip_tmp
);
172 g_async_queue_push(queue
, le
);
178 g_async_queue_push(queue
, le
);
184 #define LEPRINTF(format, ...) \
186 if (le->len < LE_MAX) \
187 le->len += snprintf(le->buf + le->len, LE_MAX - le->len, format, ##__VA_ARGS__); \
189 #define LEPRINTTIME(sec) \
191 time_t tmp_sec = sec; \
192 if (le->len < (LE_MAX - 30)) \
193 le->len += strftime(le->buf + le->len, LE_MAX - le->len, "%d/%b/%Y:%H:%M:%S %z ", localtime(&tmp_sec)); \
197 log_status_message(guint loglevel
, const char *fmt
, ...)
202 if (loglevel
> 7 ) loglevel
= 7; // syslog defines level 0-7
204 struct log_entry
*le
= g_new0(struct log_entry
, 1);
206 LEPRINTF("0 %d - ", loglevel
);
208 LEPRINTTIME(time(NULL
));
210 le
->len
+= vsnprintf(le
->buf
+ le
->len
, LE_MAX
- le
->len
, fmt
, ap
);
216 // also log to syslog
218 vsyslog(loglevel
, fmt
, ap
);
222 print_tcp(struct log_entry
*le
, struct tcphdr
*h
, int payload_len
)
224 LEPRINTF("PROTO=TCP ");
226 if (payload_len
< sizeof(struct tcphdr
)) {
227 LEPRINTF("LEN=%d ", payload_len
);
228 LEPRINTF("INVALID=LEN ");
232 LEPRINTF("SPT=%u DPT=%u ", ntohs(h
->source
), ntohs(h
->dest
));
233 LEPRINTF("SEQ=%u ACK=%u ", ntohl(h
->seq
), ntohl(h
->ack_seq
));
234 LEPRINTF("WINDOW=%u ", ntohs(h
->window
));
236 if (h
->urg
) LEPRINTF("URG ");
237 if (h
->ack
) LEPRINTF("ACK ");
238 if (h
->psh
) LEPRINTF("PSH ");
239 if (h
->rst
) LEPRINTF("RST ");
240 if (h
->syn
) LEPRINTF("SYN ");
241 if (h
->fin
) LEPRINTF("FIN ");
243 if (h
->urg
) LEPRINTF("URGP=%u ",ntohs(h
->urg_ptr
));
249 print_udp(struct log_entry
*le
, struct udphdr
*h
, int payload_len
)
251 LEPRINTF("PROTO=UDP ");
253 if (payload_len
< sizeof(struct udphdr
)) {
254 LEPRINTF("LEN=%d ", payload_len
);
255 LEPRINTF("INVALID=LEN ");
259 LEPRINTF("SPT=%u DPT=%u LEN=%u", ntohs(h
->source
), ntohs(h
->dest
), ntohs(h
->len
));
265 print_icmp(struct log_entry
*le
, struct icmphdr
*h
, int payload_len
)
267 char tmp
[INET_ADDRSTRLEN
];
270 LEPRINTF("PROTO=ICMP ");
272 if (payload_len
< sizeof(struct icmphdr
)) {
273 LEPRINTF("LEN=%d ", payload_len
);
274 LEPRINTF("INVALID=LEN ");
278 LEPRINTF("TYPE=%u CODE=%u ", h
->type
, h
->code
);
283 LEPRINTF("ID=%u SEQ=%u ", ntohs(h
->un
.echo
.id
), ntohs(h
->un
.echo
.sequence
));
285 case ICMP_PARAMETERPROB
:
286 LEPRINTF("PARAMETER=%u ", ntohl(h
->un
.gateway
) >> 24);
289 gateway
= ntohl(h
->un
.gateway
);
290 inet_ntop(AF_INET
, &gateway
, tmp
, sizeof(tmp
));
291 LEPRINTF("GATEWAY=%s ", tmp
);
293 case ICMP_DEST_UNREACH
:
294 if (h
->code
== ICMP_FRAG_NEEDED
) {
295 LEPRINTF("MTU=%u ", ntohs(h
->un
.frag
.mtu
));
303 /* Section 3.1. SCTP Common Header Format */
304 typedef struct sctphdr
{
309 } __attribute__((packed
)) sctp_sctphdr_t
;
312 print_sctp(struct log_entry
*le
, struct sctphdr
*h
, int payload_len
)
314 LEPRINTF("PROTO=SCTP ");
316 if (payload_len
< sizeof(struct sctphdr
)) {
317 LEPRINTF("LEN=%d ", payload_len
);
318 LEPRINTF("INVALID=LEN ");
322 LEPRINTF("SPT=%u DPT=%u ", ntohs(h
->source
), ntohs(h
->dest
));
328 print_ipproto(struct log_entry
*le
, char * nexthdr
, int payload_len
, u_int8_t proto
)
332 print_tcp(le
, (struct tcphdr
*)nexthdr
, payload_len
);
335 print_udp(le
, (struct udphdr
*)nexthdr
, payload_len
);
338 print_icmp(le
, (struct icmphdr
*)nexthdr
, payload_len
);
341 print_sctp(le
, (struct sctphdr
*)nexthdr
, payload_len
);
344 LEPRINTF("PROTO=AH ");
347 LEPRINTF("PROTO=ESP ");
350 LEPRINTF("PROTO=IGMP ");
359 print_iphdr(struct log_entry
*le
, char * payload
, int payload_len
)
361 if (payload_len
< sizeof(struct iphdr
)) {
362 LEPRINTF("LEN=%d ", payload_len
);
363 LEPRINTF("INVALID=LEN ");
367 struct iphdr
*h
= (struct iphdr
*)payload
;
369 if (payload_len
<= (u_int32_t
)(h
->ihl
* 4)) {
370 LEPRINTF("INVALID=IHL ");
374 char tmp
[INET_ADDRSTRLEN
];
376 inet_ntop(AF_INET
, &h
->saddr
, tmp
, sizeof(tmp
));
377 LEPRINTF("SRC=%s ", tmp
);
378 inet_ntop(AF_INET
, &h
->daddr
, tmp
, sizeof(tmp
));
379 LEPRINTF("DST=%s ", tmp
);
381 LEPRINTF("LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
382 ntohs(h
->tot_len
), h
->tos
& IPTOS_TOS_MASK
,
383 h
->tos
& IPTOS_PREC_MASK
, h
->ttl
, ntohs(h
->id
));
385 short ip_off
= ntohs(h
->frag_off
);
386 if (ip_off
& IP_OFFMASK
)
387 LEPRINTF("FRAG=%u ", ip_off
& IP_OFFMASK
);
389 if (ip_off
& IP_DF
) LEPRINTF("DF ");
390 if (ip_off
& IP_MF
) LEPRINTF("MF ");
392 void *nexthdr
= (u_int32_t
*)h
+ h
->ihl
;
393 payload_len
-= h
->ihl
* 4;
395 if (print_ipproto(le
, nexthdr
, payload_len
, h
->protocol
) < 0) {
396 LEPRINTF("PROTO=%u ", h
->protocol
);
403 print_routing(struct log_entry
*le
, struct ip6_rthdr
*rthdr
, int payload_len
)
405 char tmp
[INET6_ADDRSTRLEN
];
406 LEPRINTF("TYPE=%u SEGMENTS=%u", rthdr
->ip6r_type
, rthdr
->ip6r_segleft
);
408 if (payload_len
< sizeof(*rthdr
) || payload_len
< rthdr
->ip6r_len
*8) {
409 LEPRINTF("LEN=%d ", payload_len
);
410 LEPRINTF("INVALID=LEN ");
414 if (rthdr
->ip6r_type
== 0) {
415 /* Route via waypoints (deprecated), this contains a list of waypoints
416 * to visit. (RFC2460 (4.4))
418 struct ip6_rthdr0
*h
= (struct ip6_rthdr0
*)rthdr
;
419 if (rthdr
->ip6r_len
*8 < sizeof(*h
) + rthdr
->ip6r_segleft
* sizeof(struct in6_addr
)) {
420 LEPRINTF("INVALID=SEGMENTS ");
424 } else if (rthdr
->ip6r_type
== 1) {
425 /* nimrod routing (RFC1992) */
427 } else if (rthdr
->ip6r_type
== 2) {
428 /* RFC3375 (6.4), the layout is like type-0 but with exactly 1 address */
429 struct ip6_rthdr0
*h
= (struct ip6_rthdr0
*)rthdr
;
430 if (rthdr
->ip6r_len
*8 < sizeof(*h
) + sizeof(struct in6_addr
)) {
431 LEPRINTF("LEN=%d ", payload_len
);
432 LEPRINTF("INVALID=LEN ");
435 inet_ntop(AF_INET6
, &h
->ip6r0_addr
[0], tmp
, sizeof(tmp
));
436 LEPRINTF("HOME=%s ", tmp
);
444 print_fragment(struct log_entry
*le
, struct ip6_frag
*frag
, int payload_len
)
448 if (payload_len
< sizeof(*frag
)) {
449 LEPRINTF("LEN=%d ", payload_len
);
450 LEPRINTF("INVALID=LEN ");
454 offlg
= ntohs(frag
->ip6f_offlg
);
455 LEPRINTF("FRAG=%d ID=%d ", (offlg
&0x2FFF), ntohl(frag
->ip6f_ident
));
463 print_icmp6(struct log_entry
*le
, struct icmp6_hdr
*h
, int payload_len
)
465 struct nd_router_advert
*ra
;
466 struct nd_neighbor_advert
*na
;
467 struct nd_redirect
*re
;
468 char tmp
[INET6_ADDRSTRLEN
];
470 if (payload_len
< sizeof(struct icmp6_hdr
)) {
471 LEPRINTF("LEN=%d ", payload_len
);
472 LEPRINTF("INVALID=LEN ");
476 LEPRINTF("TYPE=%u CODE=%u ", h
->icmp6_type
, h
->icmp6_code
);
478 switch (h
->icmp6_type
) {
479 case ICMP6_ECHO_REQUEST
:
480 case ICMP6_ECHO_REPLY
:
481 LEPRINTF("ID=%u SEQ=%u ", ntohs(h
->icmp6_id
), ntohs(h
->icmp6_seq
));
484 case ND_ROUTER_SOLICIT
:
485 /* can be followed by options, otherwise nothing to print */
488 case ND_ROUTER_ADVERT
:
489 ra
= (struct nd_router_advert
*)h
;
490 LEPRINTF("HOPLIMIT=%d ", ra
->nd_ra_curhoplimit
);
491 /* nd_ra_flags_reserved is only 8 bit, so no swapping here as
492 * opposed to the neighbor advertisement flags (see below).
494 LEPRINTF("RA=%02x LIFETIME=%d REACHABLE=%d RETRANSMIT=%d ",
495 ra
->nd_ra_flags_reserved
,
496 ntohs(ra
->nd_ra_router_lifetime
),
497 ntohl(ra
->nd_ra_reachable
),
498 ntohl(ra
->nd_ra_retransmit
));
499 /* can be followed by options */
502 case ND_NEIGHBOR_SOLICIT
:
503 /* can be followed by options */
506 case ND_NEIGHBOR_ADVERT
:
507 na
= (struct nd_neighbor_advert
*)h
;
508 LEPRINTF("NA=%08x ", ntohl(na
->nd_na_flags_reserved
));
509 /* can be followed by options */
513 re
= (struct nd_redirect
*)h
;
514 inet_ntop(AF_INET6
, &re
->nd_rd_target
, tmp
, sizeof(tmp
));
515 LEPRINTF("TARGET=%s ", tmp
);
516 inet_ntop(AF_INET6
, &re
->nd_rd_dst
, tmp
, sizeof(tmp
));
517 LEPRINTF("GATEWAY=%s ", tmp
);
518 /* can be followed by options */
521 case ICMP6_DST_UNREACH
:
522 /* CODE shows the type, no extra parameters available in ipv6 */
525 case ICMP6_PACKET_TOO_BIG
:
526 LEPRINTF("MTU=%u ", ntohl(h
->icmp6_mtu
));
529 case ICMP6_TIME_EXCEEDED
:
530 /* CODE shows the type (0 = hop limit, 1 = reassembly timed out) */
533 case ICMP6_PARAM_PROB
:
534 switch (ntohl(h
->icmp6_pptr
)) {
535 case ICMP6_PARAMPROB_HEADER
:
536 LEPRINTF("PARAMETER=HEADER "); /* erroneous header */
538 case ICMP6_PARAMPROB_NEXTHEADER
:
539 LEPRINTF("PARAMETER=NEXTHEADER "); /* bad next-header field */
541 case ICMP6_PARAMPROB_OPTION
:
542 LEPRINTF("PARAMETER=OPTION "); /* bad ipv6 option (hop/dst header?) */
545 LEPRINTF("PARAMETER=%u ", ntohl(h
->icmp6_pptr
)); /* unknown */
555 check_ip6ext(struct log_entry
*le
, struct ip6_ext
*exthdr
, int payload_len
)
557 if (payload_len
< sizeof(*exthdr
) ||
558 payload_len
< exthdr
->ip6e_len
)
560 LEPRINTF("LEN=%d ", payload_len
);
561 LEPRINTF("INVALID=LEN ");
568 print_nexthdr(struct log_entry
*le
, char *hdr
, int payload_len
, u_int8_t proto
)
571 if (print_ipproto(le
, hdr
, payload_len
, proto
) == 0)
574 struct ip6_ext
*exthdr
= (struct ip6_ext
*)hdr
;
577 /* protocols (these return) */
579 LEPRINTF("PROTO=ICMPV6 ");
580 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
582 if (print_icmp6(le
, (struct icmp6_hdr
*)(hdr
+ exthdr
->ip6e_len
),
583 payload_len
- exthdr
->ip6e_len
) < 0)
589 /* extension headers (these break to keep iterating) */
590 case IPPROTO_ROUTING
:
591 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
593 if (print_routing(le
, (struct ip6_rthdr
*)hdr
, payload_len
) < 0)
596 case IPPROTO_FRAGMENT
:
597 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
599 if (print_fragment(le
, (struct ip6_frag
*)hdr
, payload_len
) < 0)
602 case IPPROTO_HOPOPTS
:
603 LEPRINTF("NEXTHDR=HOPOPTS ");
604 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
606 /* do we want to print these? */
608 case IPPROTO_DSTOPTS
:
609 LEPRINTF("NEXTHDR=DSTOPTS ");
610 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
612 /* do we want to print these? */
615 LEPRINTF("NEXTHDR=MH ");
616 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
620 /* unknown protocol */
622 LEPRINTF("PROTO=%u ", proto
);
626 if (check_ip6ext(le
, exthdr
, payload_len
) < 0)
628 hdr
+= exthdr
->ip6e_len
;
629 payload_len
-= exthdr
->ip6e_len
;
634 print_ip6hdr(struct log_entry
*le
, char * payload
, int payload_len
)
636 if (payload_len
< sizeof(struct ip6_hdr
)) {
637 LEPRINTF("LEN=%d ", payload_len
);
638 LEPRINTF("INVALID=LEN ");
642 struct ip6_hdr
*h
= (struct ip6_hdr
*)payload
;
644 char tmp
[INET6_ADDRSTRLEN
];
645 inet_ntop(AF_INET6
, &h
->ip6_src
, tmp
, sizeof(tmp
));
646 LEPRINTF("SRC=%s ", tmp
);
647 inet_ntop(AF_INET6
, &h
->ip6_dst
, tmp
, sizeof(tmp
));
648 LEPRINTF("DST=%s ", tmp
);
650 LEPRINTF("LEN=%u ", ntohs(h
->ip6_plen
));
652 u_int32_t flow
= ntohl(h
->ip6_flow
);
653 LEPRINTF("TC=%d FLOWLBL=%d ", (flow
>>20)&0xFF, flow
&0xFFFFF);
655 LEPRINTF("HOPLIMIT=%d ", h
->ip6_hlim
);
657 return print_nexthdr(le
, (char *)(h
+1), payload_len
- sizeof(*h
), h
->ip6_nxt
);
660 // ebtables -I FORWARD --nflog --nflog-group 0
662 print_arp(struct log_entry
*le
, struct ether_arp
*h
, int payload_len
)
664 if (payload_len
< sizeof(struct ether_arp
)) {
665 LEPRINTF("LEN=%d ", payload_len
);
666 LEPRINTF("INVALID=LEN ");
670 LEPRINTF("SRC=%u.%u.%u.%u ", h
->arp_spa
[0], h
->arp_spa
[1],
671 h
->arp_spa
[2], h
->arp_spa
[3]);
673 LEPRINTF("DST=%u.%u.%u.%u ", h
->arp_tpa
[0], h
->arp_tpa
[1],
674 h
->arp_tpa
[2], h
->arp_tpa
[3]);
676 LEPRINTF("PROTO=ARP ");
678 unsigned short code
= ntohs(h
->arp_op
);
681 LEPRINTF("REQUEST ");
684 LEPRINTF("REPLY MAC=%02x:%02x:%02x:%02x:%02x:%02x ",
685 h
->arp_sha
[0], h
->arp_sha
[1], h
->arp_sha
[2],
686 h
->arp_sha
[3], h
->arp_sha
[4], h
->arp_sha
[5]);
692 LEPRINTF("CODE=%u ", code
);
696 // LEPRINTF("HTYPE=%u ", ntohs(h->arp_hrd));
698 // LEPRINTF("PTYPE=%u ", ntohs(h->arp_pro));
704 static int print_pkt(struct log_entry
*le
, struct nflog_data
*ldata
, u_int8_t family
)
706 u_int32_t mark
= nflog_get_nfmark(ldata
);
707 u_int32_t indev
= nflog_get_indev(ldata
);
708 u_int32_t outdev
= nflog_get_outdev(ldata
);
709 u_int32_t physindev
= nflog_get_physindev(ldata
);
710 u_int32_t physoutdev
= nflog_get_physoutdev(ldata
);
712 char *prefix
= nflog_get_prefix(ldata
);
718 guint8 log_level
= 6; // info
720 char *chain_name
= "-";
722 if (prefix
!= NULL
) {
723 // Note: parse ":$vmid:$loglevel:$chain: $msg"
724 if (prefix
[0] == ':') {
725 char *p
= prefix
+ 1;
727 while(*p
>= '0' && *p
<= '9') { tmpid
*= 10; tmpid
+= *p
- '0'; p
++; }
730 (p
[1] >= '0' && p
[1] <= '7') &&
733 guint8 tmp_level
= p
[1] - '0'; // store for later use
734 char *chain_start
= p
+ 3; // store for later use
736 while (*p
&& *p
!= ':' && *p
!= ' ') p
++;
737 int len
= p
- chain_start
;
739 if (*p
== ':' && p
[1] == ' ' && len
&& (len
<= MAX_CHAIN_LEN
)) {
740 // parsing successful
742 *p
= 0; // terminate string
745 log_level
= tmp_level
;
746 chain_name
= chain_start
;
747 prefix
= p
+ 2; // the rest
753 LEPRINTF("%d ", vmid
);
755 LEPRINTF("%d ", log_level
);
757 LEPRINTF("%s ", chain_name
);
760 if (nflog_get_timestamp(ldata
, &ts
) == 0) {
761 LEPRINTTIME(ts
.tv_sec
);
763 LEPRINTTIME(time(NULL
));
766 if (prefix
!= NULL
) {
767 LEPRINTF("%s", prefix
);
771 if (nlif_index2name(nlifh
, indev
, devname
) != -1) {
772 LEPRINTF("IN=%s ", devname
);
774 LEPRINTF("IN=%u ", indev
);
779 if (nlif_index2name(nlifh
, outdev
, devname
) != -1) {
780 LEPRINTF("OUT=%s ", devname
);
782 LEPRINTF("OUT=%u ", outdev
);
787 if (nlif_index2name(nlifh
, physindev
, devname
) != -1) {
788 LEPRINTF("PHYSIN=%s ", devname
);
790 LEPRINTF("PHYSIN=%u ", physindev
);
794 if (physoutdev
> 0) {
795 if (nlif_index2name(nlifh
, physoutdev
, devname
) != -1) {
796 LEPRINTF("PHYSOUT=%s ", devname
);
798 LEPRINTF("PHYSOUT=%u ", physoutdev
);
802 int payload_len
= nflog_get_payload(ldata
, &payload
);
804 int hwhdrlen
= nflog_get_msg_packet_hwhdrlen(ldata
);
806 unsigned char *hwhdr
= (unsigned char *)nflog_get_msg_packet_hwhdr(ldata
);
810 for (i
= 0; i
< hwhdrlen
; i
++) {
811 LEPRINTF("%02x", hwhdr
[i
]);
812 if (i
< (hwhdrlen
-1 )) LEPRINTF(":");
818 u_int16_t hw_protocol
= 0;
819 struct nfulnl_msg_packet_hdr
*ph
= NULL
;
823 print_iphdr(le
, payload
, payload_len
);
826 print_ip6hdr(le
, payload
, payload_len
);
829 ph
= nflog_get_msg_packet_hdr(ldata
);
830 if (ph
) hw_protocol
= ntohs(ph
->hw_protocol
);
832 switch (hw_protocol
) {
834 print_iphdr(le
, payload
, payload_len
);
837 print_ip6hdr(le
, payload
, payload_len
);
840 print_arp(le
, (struct ether_arp
*)payload
, payload_len
);
846 if (mark
) LEPRINTF("mark=%u ", mark
);
854 nflog_cb(struct nflog_g_handle
*gh
, struct nfgenmsg
*nfmsg
,
855 struct nflog_data
*nfa
, void *data
)
857 struct log_entry
*le
= g_new0(struct log_entry
, 1);
859 print_pkt(le
, nfa
, nfmsg
->nfgen_family
);
861 LEPRINTF("\n"); // add newline
869 nflog_read_cb(GIOChannel
*source
,
870 GIOCondition condition
,
876 int fd
= g_io_channel_unix_get_fd(source
);
878 if ((rv
= recv(fd
, buf
, sizeof(buf
), 0)) && rv
>= 0) {
879 nflog_handle_packet(logh
, buf
, rv
);
886 nlif_read_cb(GIOChannel
*source
,
887 GIOCondition condition
,
890 static int last_res
= 0;
893 if ((res
= nlif_catch(nlifh
)) < 0) {
894 if (last_res
== 0) { // only report once
895 log_status_message(3, "nlif_catch failed (res = %d)", res
);
906 signal_read_cb(GIOChannel
*source
,
907 GIOCondition condition
,
911 struct signalfd_siginfo si
;
913 int fd
= g_io_channel_unix_get_fd(source
);
915 if ((rv
= read(fd
, &si
, sizeof(si
))) && rv
>= 0) {
916 terminate_threads
= TRUE
;
917 log_status_message(5, "received terminate request (signal)");
918 g_main_loop_quit(main_loop
);
925 nfct_cb(const struct nlmsghdr
*nlh
,
926 enum nf_conntrack_msg_type type
,
927 struct nf_conntrack
*ct
,
930 struct log_entry
*le
= g_new0(struct log_entry
, 1);
931 int len
= nfct_snprintf(&le
->buf
[le
->len
], LE_MAX
- le
->len
,
932 ct
, type
, NFCT_O_DEFAULT
,
933 NFCT_OF_SHOW_LAYER3
|NFCT_OF_TIMESTAMP
);
936 if (le
->len
== LE_MAX
) {
937 le
->buf
[le
->len
-1] = '\n';
938 } else { // le->len < LE_MAX
939 le
->buf
[le
->len
++] = '\n';
948 nfct_read_cb(GIOChannel
*source
,
949 GIOCondition condition
,
953 if ((res
= nfct_catch(nfcth
)) < 0) {
954 log_status_message(3, "error catching nfct");
961 main(int argc
, char *argv
[])
966 gboolean wrote_pidfile
= FALSE
;
968 openlog("pvefw-logger", LOG_CONS
|LOG_PID
, LOG_DAEMON
);
970 GOptionContext
*context
;
972 GOptionEntry entries
[] = {
973 { "debug", 'd', 0, G_OPTION_ARG_NONE
, &debug
, "Turn on debug messages", NULL
},
974 { "foreground", 'f', 0, G_OPTION_ARG_NONE
, &foreground
, "Do not daemonize server", NULL
},
975 { "conntrack", 0, 0, G_OPTION_ARG_NONE
, &conntrack
, "Add conntrack logging", NULL
},
979 context
= g_option_context_new("");
980 g_option_context_add_main_entries (context
, entries
, NULL
);
983 if (!g_option_context_parse (context
, &argc
, &argv
, &err
)) {
984 fprintf(stderr
, "error: %s\n", err
->message
);
985 fprintf(stderr
, "%s", g_option_context_get_help(context
, FALSE
, NULL
));
991 fprintf(stderr
, "error: too many arguments\n");
992 fprintf(stderr
, "%s", g_option_context_get_help(context
, FALSE
, NULL
));
996 g_option_context_free(context
);
999 int log_nf_conntrackfd
= open(LOG_CONNTRACK_FILE
, O_RDONLY
);
1000 if (log_nf_conntrackfd
== -1) {
1001 if (errno
!= ENOENT
) {
1002 fprintf(stderr
, "error: failed to open "LOG_CONNTRACK_FILE
": %s\n", strerror(errno
));
1006 ssize_t bytes
= read(log_nf_conntrackfd
, &c
, sizeof(c
));
1008 fprintf(stderr
, "error: failed to read value in log_nf_conntrack: %s\n", strerror(errno
));
1010 conntrack
= (c
== '1');
1015 if (debug
) foreground
= TRUE
;
1017 if ((lockfd
= open(LOCKFILE
, O_RDWR
|O_CREAT
|O_APPEND
, 0644)) == -1) {
1018 fprintf(stderr
, "unable to create lock '%s': %s\n", LOCKFILE
, strerror (errno
) );
1022 for (int i
= 10; i
>= 0; i
--) {
1023 if (flock(lockfd
, LOCK_EX
|LOCK_NB
) != 0) {
1025 fprintf(stderr
, "unable to aquire lock '%s': %s\n", LOCKFILE
, strerror (errno
));
1029 fprintf(stderr
, "unable to aquire lock '%s' - trying again.\n", LOCKFILE
);
1035 if ((outfd
= open(LOGFILE
, O_WRONLY
|O_CREAT
|O_APPEND
, 0644)) == -1) {
1036 fprintf(stderr
, "unable to open file '%s': %s\n", LOGFILE
, strerror (errno
));
1040 if ((logh
= nflog_open()) == NULL
) {
1041 fprintf(stderr
, "unable to open nflog\n");
1045 if (nflog_bind_pf(logh
, AF_INET
) < 0) {
1046 fprintf(stderr
, "nflog_bind_pf AF_INET failed\n");
1051 if (!nflog_bind_pf(logh
, AF_INET6
) <= 0) {
1052 fprintf(stderr
, "nflog_bind_pf AF_INET6 failed\n");
1057 if (nflog_bind_pf(logh
, AF_BRIDGE
) < 0) {
1058 fprintf(stderr
, "nflog_bind_pf AF_BRIDGE failed\n");
1062 struct nflog_g_handle
*qh
= nflog_bind_group(logh
, 0);
1064 fprintf(stderr
, "no nflog handle for group 0\n");
1068 if (nflog_set_mode(qh
, NFULNL_COPY_PACKET
, 0xffff) < 0) {
1069 fprintf(stderr
, "can't set packet copy mode\n");
1073 if ((nlifh
= nlif_open()) == NULL
) {
1074 fprintf(stderr
, "unable to open netlink interface handle\n");
1079 if ((nfcth
= nfct_open(CONNTRACK
, NF_NETLINK_CONNTRACK_NEW
|NF_NETLINK_CONNTRACK_DESTROY
)) == NULL
) {
1080 fprintf(stderr
, "unable to open netfilter conntrack\n");
1087 sigaddset(&mask
, SIGINT
);
1088 sigaddset(&mask
, SIGTERM
);
1090 sigprocmask(SIG_BLOCK
, &mask
, NULL
);
1092 if ((sigfd
= signalfd(-1, &mask
, SFD_NONBLOCK
)) < 0) {
1093 fprintf(stderr
, "unable to open signalfd: %s\n", strerror (errno
));
1098 pid_t cpid
= fork();
1101 fprintf(stderr
, "failed to daemonize program - %s\n", strerror (errno
));
1104 write_pidfile(cpid
);
1109 if (chroot("/") != 0) fprintf(stderr
, "chroot '/' failed - %s\n", strerror (errno
));
1111 if ((nullfd
= open("/dev/null", O_RDWR
, 0)) != -1) {
1122 write_pidfile(getpid());
1125 wrote_pidfile
= TRUE
;
1127 nflog_callback_register(qh
, &nflog_cb
, logh
);
1129 queue
= g_async_queue_new_full(g_free
);
1131 log_status_message(5, "starting pvefw logger");
1135 GIOChannel
*nlif_ch
= g_io_channel_unix_new(nlif_fd(nlifh
));
1137 g_io_add_watch(nlif_ch
, G_IO_IN
, nlif_read_cb
, NULL
);
1139 int logfd
= nflog_fd(logh
);
1140 GIOChannel
*nflog_ch
= g_io_channel_unix_new(logfd
);
1142 g_io_add_watch(nflog_ch
, G_IO_IN
, nflog_read_cb
, NULL
);
1145 nfct_callback_register2(nfcth
, NFCT_T_NEW
|NFCT_T_DESTROY
, &nfct_cb
, NULL
);
1146 int nfctfd
= nfct_fd(nfcth
);
1147 GIOChannel
*nfct_ch
= g_io_channel_unix_new(nfctfd
);
1148 g_io_add_watch(nfct_ch
, G_IO_IN
, nfct_read_cb
, NULL
);
1151 GIOChannel
*sig_ch
= g_io_channel_unix_new(sigfd
);
1152 if (!g_io_add_watch(sig_ch
, G_IO_IN
, signal_read_cb
, NULL
)) {
1156 GThread
*wthread
= g_thread_new("log_writer_thread", log_writer_thread
, NULL
);
1158 main_loop
= g_main_loop_new(NULL
, TRUE
);
1160 g_main_loop_run(main_loop
);
1162 log_status_message(5, "stopping pvefw logger");
1164 g_thread_join(wthread
);
1169 nfct_callback_unregister2(nfcth
);