2
* Implementation of network-related stuff.
4
* File begun on 2007-07-20 by RGerhards (extracted from syslogd.c)
5
* This file is under development and has not yet arrived at being fully
6
* self-contained and a real object. So far, it is mostly an excerpt
7
* of the "old" message code without any modifications. However, it
8
* helps to have things at the right place one we go to the meat of it.
10
* Copyright 2007 Rainer Gerhards and Adiscon GmbH.
12
* This program is free software; you can redistribute it and/or
13
* modify it under the terms of the GNU General Public License
14
* as published by the Free Software Foundation; either version 2
15
* of the License, or (at your option) any later version.
17
* This program is distributed in the hope that it will be useful,
18
* but WITHOUT ANY WARRANTY; without even the implied warranty of
19
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20
* GNU General Public License for more details.
22
* You should have received a copy of the GNU General Public License
23
* along with this program; if not, write to the Free Software
24
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26
* A copy of the GPL can be found in the file "COPYING" in this distribution.
44
#include "syslogd-types.h"
47
/* The following #ifdef sequence is a small compatibility
48
* layer. It tries to work around the different availality
49
* levels of SO_BSDCOMPAT on linuxes...
50
* I borrowed this code from
51
* http://www.erlang.org/ml-archive/erlang-questions/200307/msg00037.html
52
* It still needs to be a bit better adapted to rsyslog.
53
* rgerhards 2005-09-19
56
#include <sys/utsname.h>
57
int should_use_so_bsdcompat(void)
60
static int so_bsdcompat_is_obsolete;
63
struct utsname utsname;
64
unsigned int version, patchlevel;
67
if (uname(&utsname) < 0) {
69
dbgprintf("uname: %s\r\n", strerror_r(errno, errStr, sizeof(errStr)));
72
/* Format is <version>.<patchlevel>.<sublevel><extraversion>
73
where the first three are unsigned integers and the last
74
is an arbitrary string. We only care about the first two. */
75
if (sscanf(utsname.release, "%u.%u", &version, &patchlevel) != 2) {
76
dbgprintf("uname: unexpected release '%s'\r\n",
80
/* SO_BSCOMPAT is deprecated and triggers warnings in 2.5
81
kernels. It is a no-op in 2.4 but not in 2.2 kernels. */
82
if (version > 2 || (version == 2 && patchlevel >= 5))
83
so_bsdcompat_is_obsolete = 1;
85
return !so_bsdcompat_is_obsolete;
87
#else /* #ifndef BSD */
88
#define should_use_so_bsdcompat() 1
89
#endif /* #ifndef BSD */
91
/* this shall prevent compiler errors due to undfined name */
92
#define SO_BSDCOMPAT 0
96
/* get the hostname of the message source. This was originally in cvthname()
97
* but has been moved out of it because of clarity and fuctional separation.
98
* It must be provided by the socket we received the message on as well as
99
* a NI_MAXHOST size large character buffer for the FQDN.
101
* Please see http://www.hmug.org/man/3/getnameinfo.php (under Caveats)
102
* for some explanation of the code found below. We do by default not
103
* discard message where we detected malicouos DNS PTR records. However,
104
* there is a user-configurabel option that will tell us if
105
* we should abort. For this, the return value tells the caller if the
106
* message should be processed (1) or discarded (0).
108
/* TODO: after the bughunt, make this function static - rgerhards, 2007-09-18 */
109
rsRetVal gethname(struct sockaddr_storage *f, uchar *pszHostFQDN)
113
sigset_t omask, nmask;
115
struct addrinfo hints, *res;
118
assert(pszHostFQDN != NULL);
120
error = getnameinfo((struct sockaddr *)f, SALEN((struct sockaddr *)f),
121
ip, sizeof ip, NULL, 0, NI_NUMERICHOST);
124
dbgprintf("Malformed from address %s\n", gai_strerror(error));
125
strcpy((char*) pszHostFQDN, "???");
126
ABORT_FINALIZE(RS_RET_INVALID_SOURCE);
131
sigaddset(&nmask, SIGHUP);
132
pthread_sigmask(SIG_BLOCK, &nmask, &omask);
134
error = getnameinfo((struct sockaddr *)f, SALEN((struct sockaddr *) f),
135
(char*)pszHostFQDN, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
138
memset (&hints, 0, sizeof (struct addrinfo));
139
hints.ai_flags = AI_NUMERICHOST;
140
hints.ai_socktype = SOCK_DGRAM;
142
/* we now do a lookup once again. This one should fail,
143
* because we should not have obtained a non-numeric address. If
144
* we got a numeric one, someone messed with DNS!
146
if (getaddrinfo ((char*)pszHostFQDN, NULL, &hints, &res) == 0) {
147
uchar szErrMsg[1024];
149
/* OK, we know we have evil. The question now is what to do about
150
* it. One the one hand, the message might probably be intended
151
* to harm us. On the other hand, losing the message may also harm us.
152
* Thus, the behaviour is controlled by the $DropMsgsWithMaliciousDnsPTRRecords
153
* option. If it tells us we should discard, we do so, else we proceed,
154
* but log an error message together with it.
155
* time being, we simply drop the name we obtained and use the IP - that one
156
* is OK in any way. We do also log the error message. rgerhards, 2007-07-16
158
if(bDropMalPTRMsgs == 1) {
159
snprintf((char*)szErrMsg, sizeof(szErrMsg) / sizeof(uchar),
160
"Malicious PTR record, message dropped "
161
"IP = \"%s\" HOST = \"%s\"",
163
logerror((char*)szErrMsg);
164
pthread_sigmask(SIG_SETMASK, &omask, NULL);
165
ABORT_FINALIZE(RS_RET_MALICIOUS_ENTITY);
168
/* Please note: we deal with a malicous entry. Thus, we have crafted
169
* the snprintf() below so that all text is in front of the entry - maybe
170
* it contains characters that make the message unreadable
171
* (OK, I admit this is more or less impossible, but I am paranoid...)
172
* rgerhards, 2007-07-16
174
snprintf((char*)szErrMsg, sizeof(szErrMsg) / sizeof(uchar),
175
"Malicious PTR record (message accepted, but used IP "
176
"instead of PTR name: IP = \"%s\" HOST = \"%s\"",
178
logerror((char*)szErrMsg);
180
error = 1; /* that will trigger using IP address below. */
183
pthread_sigmask(SIG_SETMASK, &omask, NULL);
186
if (error || DisableDNS) {
187
dbgprintf("Host name for your address (%s) unknown\n", ip);
188
strcpy((char*) pszHostFQDN, ip);
189
ABORT_FINALIZE(RS_RET_ADDRESS_UNKNOWN);
197
/* Return a printable representation of a host address.
198
* Now (2007-07-16) also returns the full host name (if it could be obtained)
199
* in the second param [thanks to mildew@gmail.com for the patch].
200
* The caller must provide buffer space for pszHost and pszHostFQDN. These
201
* buffers must be of size NI_MAXHOST. This is not checked here, because
202
* there is no way to check it. We use this way of doing things because it
203
* frees us from using dynamic memory allocation where it really does not
206
rsRetVal cvthname(struct sockaddr_storage *f, uchar *pszHost, uchar *pszHostFQDN)
213
assert(pszHost != NULL);
214
assert(pszHostFQDN != NULL);
216
iRet = gethname(f, pszHostFQDN);
218
if(iRet == RS_RET_INVALID_SOURCE || iRet == RS_RET_ADDRESS_UNKNOWN) {
219
strcpy((char*) pszHost, (char*) pszHostFQDN); /* we use whatever was provided as replacement */
220
ABORT_FINALIZE(RS_RET_OK); /* this is handled, we are happy with it */
221
} else if(iRet != RS_RET_OK) {
222
FINALIZE; /* we return whatever error state we have - can not handle it */
225
/* if we reach this point, we obtained a non-numeric hostname and can now process it */
227
/* Convert to lower case, just like LocalDomain above
229
for (p = pszHostFQDN ; *p ; p++)
230
if (isupper((int) *p))
233
/* OK, the fqdn is now known. Now it is time to extract only the hostname
234
* part if we were instructed to do so.
236
/* TODO: quick and dirty right now: we need to optimize that. We simply
237
* copy over the buffer and then use the old code. In the long term, that should
238
* be placed in its own function and probably outside of the net module (at least
239
* if should no longer reley on syslogd.c's global config-setting variables).
240
* Note that the old code always removes the local domain. We may want to
241
* make this in option in the long term. (rgerhards, 2007-09-11)
243
strcpy((char*)pszHost, (char*)pszHostFQDN);
244
if ((p = (uchar*) strchr((char*)pszHost, '.'))) { /* find start of domain name "machine.example.com" */
245
if(strcmp((char*) (p + 1), LocalDomain) == 0) {
246
*p = '\0'; /* simply terminate the string */
248
/* now check if we belong to any of the domain names that were specified
249
* in the -s command line option. If so, remove and we are done.
253
while (StripDomains[count]) {
254
if (strcmp((char*)(p + 1), StripDomains[count]) == 0) {
256
FINALIZE; /* we are done */
261
/* if we reach this point, we have not found any domain we should strip. Now
262
* we try and see if the host itself is listed in the -l command line option
263
* and so should be stripped also. If so, we do it and return. Please note that
264
* -l list FQDNs, not just the hostname part. If it did just list the hostname, the
265
* door would be wide-open for all kinds of mixing up of hosts. Because of this,
266
* you'll see comparison against the full string (pszHost) below. The termination
267
* still occurs at *p, which points at the first dot after the hostname.
271
while (LocalHosts[count]) {
272
if (!strcmp((char*)pszHost, LocalHosts[count])) {
274
break; /* we are done */
286
#endif /* #ifdef SYSLOG_INET */