rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2025-12-16 09:50:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
rsyslog/runtime/net.c
Rainer Gerhards f886d1f1b2
core bugfix: rsyslog messages may not always have FQDN 
Even if hostname FQDN is configured, rsyslog internal messages generated
after rsyslog startup and before the first HUP will not necessarily have
FQDN but instead only the shortname of the local host. This commit
fixes the situation.

Special thanks to github user eciii for doing a great bug analysis
and helping us considerably to fix the issue.

closes https://github.com/rsyslog/rsyslog/issues/5218
2023-12-06 17:11:20 +01:00

1742 lines
51 KiB
C
Raw Blame History

/* net.c
* Implementation of network-related stuff.
*
* File begun on 2007-07-20 by RGerhards (extracted from syslogd.c)
* This file is under development and has not yet arrived at being fully
* self-contained and a real object. So far, it is mostly an excerpt
* of the "old" networking code without any modifications. However, it
* helps to have things at the right place one we go to the meat of it.
*
* Starting 2007-12-24, I have begun to shuffle more network-related code
* from syslogd.c to over here. I am not sure if it will stay here in the
* long term, but it is good to have it out of syslogd.c. Maybe this here is
* an interim location ;)
*
* Copyright 2007-2018 Rainer Gerhards and Adiscon GmbH.
*
* This file is part of rsyslog.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* -or-
* see COPYING.ASL20 in the source distribution
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "config.h"
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <assert.h>
#include <errno.h>
#include <string.h>
#include <signal.h>
#include <ctype.h>
#include <netdb.h>
#include <fnmatch.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef HAVE_GETIFADDRS
#include <ifaddrs.h>
#else
#include "compat/ifaddrs.h"
#endif /* HAVE_GETIFADDRS */
#include <sys/types.h>
#include <arpa/inet.h>
#include "rsyslog.h"
#include "syslogd-types.h"
#include "module-template.h"
#include "parse.h"
#include "srUtils.h"
#include "obj.h"
#include "errmsg.h"
#include "net.h"
#include "dnscache.h"
#include "prop.h"
#include "rsconf.h"
#ifdef OS_SOLARIS
#include <arpa/nameser_compat.h>
# define s6_addr32 _S6_un._S6_u32
typedef unsigned int u_int32_t;
#endif
MODULE_TYPE_LIB
MODULE_TYPE_NOKEEP
/* static data */
DEFobjStaticHelpers
DEFobjCurrIf(glbl)
DEFobjCurrIf(prop)
#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
extern size_t SALEN(struct sockaddr *sa);
#endif
/* support for defining allowed TCP and UDP senders. We use the same
* structure to implement this (a linked list), but we define two different
* list roots, one for UDP and one for TCP.
* rgerhards, 2005-09-26
*/
/* All of the five below are read-only after startup */
struct AllowedSenders *pAllowedSenders_UDP = NULL; /* the roots of the allowed sender */
struct AllowedSenders *pAllowedSenders_TCP = NULL; /* lists. If NULL, all senders are ok! */
static struct AllowedSenders *pLastAllowedSenders_UDP = NULL; /* and now the pointers to the last */
static struct AllowedSenders *pLastAllowedSenders_TCP = NULL; /* element in the respective list */
#ifdef USE_GSSAPI
struct AllowedSenders *pAllowedSenders_GSS = NULL;
static struct AllowedSenders *pLastAllowedSenders_GSS = NULL;
#endif
/* ------------------------------ begin permitted peers code ------------------------------ */
/* sets the correct allow root pointer based on provided type
* rgerhards, 2008-12-01
*/
static rsRetVal
setAllowRoot(struct AllowedSenders **ppAllowRoot, uchar *pszType)
{
DEFiRet;
if(!strcmp((char*)pszType, "UDP"))
*ppAllowRoot = pAllowedSenders_UDP;
else if(!strcmp((char*)pszType, "TCP"))
*ppAllowRoot = pAllowedSenders_TCP;
#ifdef USE_GSSAPI
else if(!strcmp((char*)pszType, "GSS"))
*ppAllowRoot = pAllowedSenders_GSS;
#endif
else {
dbgprintf("program error: invalid allowed sender ID '%s', denying...\n", pszType);
ABORT_FINALIZE(RS_RET_CODE_ERR); /* everything is invalid for an invalid type */
}
finalize_it:
RETiRet;
}
/* re-initializes (sets to NULL) the correct allow root pointer
* rgerhards, 2009-01-12
*/
static rsRetVal
reinitAllowRoot(uchar *pszType)
{
DEFiRet;
if(!strcmp((char*)pszType, "UDP"))
pAllowedSenders_UDP = NULL;
else if(!strcmp((char*)pszType, "TCP"))
pAllowedSenders_TCP = NULL;
#ifdef USE_GSSAPI
else if(!strcmp((char*)pszType, "GSS"))
pAllowedSenders_GSS = NULL;
#endif
else {
dbgprintf("program error: invalid allowed sender ID '%s', denying...\n", pszType);
ABORT_FINALIZE(RS_RET_CODE_ERR); /* everything is invalid for an invalid type */
}
finalize_it:
RETiRet;
}
/* add a wildcard entry to this permitted peer. Entries are always
* added at the tail of the list. pszStr and lenStr identify the wildcard
* entry to be added. Note that the string is NOT \0 terminated, so
* we must rely on lenStr for when it is finished.
* rgerhards, 2008-05-27
*/
static rsRetVal
AddPermittedPeerWildcard(permittedPeers_t *pPeer, uchar* pszStr, size_t lenStr)
{
permittedPeerWildcard_t *pNew = NULL;
size_t iSrc;
size_t iDst;
DEFiRet;
assert(pPeer != NULL);
assert(pszStr != NULL);
CHKmalloc(pNew = calloc(1, sizeof(*pNew)));
if(lenStr == 0) { /* empty domain components are permitted */
pNew->wildcardType = PEER_WILDCARD_EMPTY_COMPONENT;
FINALIZE;
} else {
/* alloc memory for the domain component. We may waste a byte or
* two, but that's ok.
*/
CHKmalloc(pNew->pszDomainPart = malloc(lenStr +1 ));
}
if(pszStr[0] == '*') {
pNew->wildcardType = PEER_WILDCARD_AT_START;
iSrc = 1; /* skip '*' */
} else {
iSrc = 0;
}
for(iDst = 0 ; iSrc < lenStr && pszStr[iSrc] != '*' ; ++iSrc, ++iDst) {
pNew->pszDomainPart[iDst] = pszStr[iSrc];
}
if(iSrc < lenStr) {
if(iSrc + 1 == lenStr && pszStr[iSrc] == '*') {
if(pNew->wildcardType == PEER_WILDCARD_AT_START) {
ABORT_FINALIZE(RS_RET_INVALID_WILDCARD);
} else {
pNew->wildcardType = PEER_WILDCARD_AT_END;
}
} else {
/* we have an invalid wildcard, something follows the asterisk! */
ABORT_FINALIZE(RS_RET_INVALID_WILDCARD);
}
}
if(lenStr == 1 && pNew->wildcardType == PEER_WILDCARD_AT_START) {
pNew->wildcardType = PEER_WILDCARD_MATCH_ALL;
}
/* if we reach this point, we had a valid wildcard. We now need to
* properly terminate the domain component string.
*/
pNew->pszDomainPart[iDst] = '\0';
pNew->lenDomainPart = strlen((char*)pNew->pszDomainPart);
finalize_it:
if(iRet != RS_RET_OK) {
if(pNew != NULL) {
if(pNew->pszDomainPart != NULL)
free(pNew->pszDomainPart);
free(pNew);
}
} else {
/* enqueue the element */
if(pPeer->pWildcardRoot == NULL) {
pPeer->pWildcardRoot = pNew;
pPeer->pWildcardLast = pNew;
} else {
pPeer->pWildcardLast->pNext = pNew;
}
pPeer->pWildcardLast = pNew;
}
RETiRet;
}
/* Destruct a permitted peer's wildcard list -- rgerhards, 2008-05-27 */
static rsRetVal
DestructPermittedPeerWildcards(permittedPeers_t *pPeer)
{
permittedPeerWildcard_t *pCurr;
permittedPeerWildcard_t *pDel;
DEFiRet;
assert(pPeer != NULL);
for(pCurr = pPeer->pWildcardRoot ; pCurr != NULL ; /*EMPTY*/) {
pDel = pCurr;
pCurr = pCurr->pNext;
free(pDel->pszDomainPart);
free(pDel);
}
pPeer->pWildcardRoot = NULL;
pPeer->pWildcardLast = NULL;
RETiRet;
}
/* add a permitted peer. PermittedPeers is an interim solution until we can provide
* access control via enhanced RainerScript methods.
* Note: the provided string is handed over to this function, caller must
* no longer access it. -- rgerhards, 2008-05-19
*/
static rsRetVal
AddPermittedPeer(permittedPeers_t **ppRootPeer, uchar* pszID)
{
permittedPeers_t *pNew = NULL;
DEFiRet;
assert(ppRootPeer != NULL);
assert(pszID != NULL);
CHKmalloc(pNew = calloc(1, sizeof(permittedPeers_t))); /* we use calloc() for consistency with "real" objects */
CHKmalloc(pNew->pszID = (uchar*)strdup((char*)pszID));
if(*ppRootPeer != NULL) {
pNew->pNext = *ppRootPeer;
}
*ppRootPeer = pNew;
finalize_it:
if(iRet != RS_RET_OK) {
if(pNew != NULL)
free(pNew);
}
RETiRet;
}
/* Destruct a permitted peers list -- rgerhards, 2008-05-19 */
static rsRetVal
DestructPermittedPeers(permittedPeers_t **ppRootPeer)
{
permittedPeers_t *pCurr;
permittedPeers_t *pDel;
DEFiRet;
assert(ppRootPeer != NULL);
for(pCurr = *ppRootPeer ; pCurr != NULL ; /*EMPTY*/) {
pDel = pCurr;
pCurr = pCurr->pNext;
DestructPermittedPeerWildcards(pDel);
free(pDel->pszID);
free(pDel);
}
*ppRootPeer = NULL;
RETiRet;
}
/* Compile a wildcard. The function first checks if there is a wildcard
* present and compiles it only if so ;) It sets the etryType status
* accordingly.
* rgerhards, 2008-05-27
*/
static rsRetVal
PermittedPeerWildcardCompile(permittedPeers_t *pPeer)
{
uchar *pC;
uchar *pStart;
DEFiRet;
assert(pPeer != NULL);
assert(pPeer->pszID != NULL);
/* first check if we have a wildcard */
for(pC = pPeer->pszID ; *pC != '\0' && *pC != '*' ; ++pC)
/*EMPTY, just skip*/;
if(*pC == '\0') {
/* no wildcard found, we are mostly done */
pPeer->etryType = PERM_PEER_TYPE_PLAIN;
FINALIZE;
}
/* if we reach this point, the string contains wildcards. So let's
* compile the structure. To do so, we must parse from dot to dot
* and create a wildcard entry for each domain component we find.
* We must also flag problems if we have an asterisk in the middle
* of the text (it is supported at the start or end only).
*/
pPeer->etryType = PERM_PEER_TYPE_WILDCARD;
pC = pPeer->pszID;
while(*pC != '\0') {
pStart = pC;
/* find end of domain component */
for( ; *pC != '\0' && *pC != '.' ; ++pC)
/*EMPTY, just skip*/;
CHKiRet(AddPermittedPeerWildcard(pPeer, pStart, pC - pStart));
/* now check if we have an empty component at end of string */
if(*pC == '.' && *(pC + 1) == '\0') {
/* pStart is a dummy, it is not used if length is 0 */
CHKiRet(AddPermittedPeerWildcard(pPeer, pStart, 0));
}
if(*pC != '\0')
++pC;
}
finalize_it:
if(iRet != RS_RET_OK) {
LogError(0, iRet, "error compiling wildcard expression '%s'",
pPeer->pszID);
}
RETiRet;
}
/* Do a (potential) wildcard match. The function first checks if the wildcard
* has already been compiled and, if not, compiles it. If the peer entry in
* question does NOT contain a wildcard, a simple strcmp() is done.
* *pbIsMatching is set to 0 if there is no match and something else otherwise.
* rgerhards, 2008-05-27 */
static rsRetVal
PermittedPeerWildcardMatch(permittedPeers_t *const pPeer,
const uchar *pszNameToMatch,
int *const pbIsMatching)
{
const permittedPeerWildcard_t *pWildcard;
const uchar *pC;
size_t iWildcard, iName; /* work indexes for backward comparisons */
DEFiRet;
assert(pPeer != NULL);
assert(pszNameToMatch != NULL);
assert(pbIsMatching != NULL);
if(pPeer->etryType == PERM_PEER_TYPE_UNDECIDED) {
PermittedPeerWildcardCompile(pPeer);
}
if(pPeer->etryType == PERM_PEER_TYPE_PLAIN) {
*pbIsMatching = !strcmp((char*)pPeer->pszID, (char*)pszNameToMatch);
FINALIZE;
}
/* we have a wildcard, so we need to extract the domain components and
* check then against the provided wildcards.
*/
pWildcard = pPeer->pWildcardRoot;
pC = pszNameToMatch;
while(*pC != '\0') {
if(pWildcard == NULL) {
/* we have more domain components than we have wildcards --> no match */
*pbIsMatching = 0;
FINALIZE;
}
const uchar *const pStart = pC; /* start of current domain component */
while(*pC != '\0' && *pC != '.') {
++pC;
}
/* got the component, now do the match */
switch(pWildcard->wildcardType) {
case PEER_WILDCARD_NONE:
if( pWildcard->lenDomainPart != (size_t) (pC - pStart)
|| strncmp((char*)pStart, (char*)pWildcard->pszDomainPart, pC - pStart)) {
*pbIsMatching = 0;
FINALIZE;
}
break;
case PEER_WILDCARD_AT_START:
/* we need to do the backwards-matching manually */
if(pWildcard->lenDomainPart > (size_t) (pC - pStart)) {
*pbIsMatching = 0;
FINALIZE;
}
iName = (size_t) (pC - pStart) - pWildcard->lenDomainPart;
iWildcard = 0;
while(iWildcard < pWildcard->lenDomainPart) {
// I give up, I see now way to remove false positive -- rgerhards, 2017-10-23
#ifndef __clang_analyzer__
if(pWildcard->pszDomainPart[iWildcard] != pStart[iName]) {
*pbIsMatching = 0;
FINALIZE;
}
#endif
++iName;
++iWildcard;
}
break;
case PEER_WILDCARD_AT_END:
if( pWildcard->lenDomainPart > (size_t) (pC - pStart)
|| strncmp((char*)pStart, (char*)pWildcard->pszDomainPart,
pWildcard->lenDomainPart)) {
*pbIsMatching = 0;
FINALIZE;
}
break;
case PEER_WILDCARD_MATCH_ALL:
/* everything is OK, just continue */
break;
case PEER_WILDCARD_EMPTY_COMPONENT:
if(pC - pStart > 0) {
/* if it is not empty, it is no match... */
*pbIsMatching = 0;
FINALIZE;
}
break;
}
pWildcard = pWildcard->pNext; /* we processed this entry */
/* skip '.' if we had it and so prepare for next iteration */
if(*pC == '.')
++pC;
}
if(pWildcard != NULL) {
/* we have more domain components than in the name to be
* checked. So this is no match.
*/
*pbIsMatching = 0;
FINALIZE;
}
*pbIsMatching = 1; /* finally... it matches ;) */
finalize_it:
RETiRet;
}
/* ------------------------------ end permitted peers code ------------------------------ */
/* Code for handling allowed/disallowed senders
*/
static void MaskIP6 (struct in6_addr *addr, uint8_t bits) {
register uint8_t i;
assert (addr != NULL);
assert (bits <= 128);
i = bits/32;
if (bits%32)
addr->s6_addr32[i++] &= htonl(0xffffffff << (32 - (bits % 32)));
for (; i < (sizeof addr->s6_addr32)/4; i++)
addr->s6_addr32[i] = 0;
}
static void MaskIP4 (struct in_addr *addr, uint8_t bits) {
assert (addr != NULL);
assert (bits <=32 );
addr->s_addr &= htonl(0xffffffff << (32 - bits));
}
#define SIN(sa) ((struct sockaddr_in *)(void*)(sa))
#define SIN6(sa) ((struct sockaddr_in6 *)(void*)(sa))
/* This is a cancel-safe getnameinfo() version, because we learned
* (via drd/valgrind) that getnameinfo() seems to have some issues
* when being cancelled, at least if the module was dlloaded.
* rgerhards, 2008-09-30
*/
static int
mygetnameinfo(const struct sockaddr *sa, socklen_t salen,
char *host, size_t hostlen,
char *serv, size_t servlen, int flags)
{
int iCancelStateSave;
int i;
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &iCancelStateSave);
i = getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
pthread_setcancelstate(iCancelStateSave, NULL);
return i;
}
/* This function adds an allowed sender entry to the ACL linked list.
* In any case, a single entry is added. If an error occurs, the
* function does its error reporting itself. All validity checks
* must already have been done by the caller.
* This is a helper to AddAllowedSender().
* rgerhards, 2007-07-17
*/
static rsRetVal AddAllowedSenderEntry(struct AllowedSenders **ppRoot, struct AllowedSenders **ppLast,
struct NetAddr *iAllow, uint8_t iSignificantBits)
{
struct AllowedSenders *pEntry = NULL;
assert(ppRoot != NULL);
assert(ppLast != NULL);
assert(iAllow != NULL);
if((pEntry = (struct AllowedSenders*) calloc(1, sizeof(struct AllowedSenders))) == NULL) {
return RS_RET_OUT_OF_MEMORY; /* no options left :( */
}
memcpy(&(pEntry->allowedSender), iAllow, sizeof (struct NetAddr));
pEntry->pNext = NULL;
pEntry->SignificantBits = iSignificantBits;
/* enqueue */
if(*ppRoot == NULL) {
*ppRoot = pEntry;
} else {
(*ppLast)->pNext = pEntry;
}
*ppLast = pEntry;
return RS_RET_OK;
}
/* function to clear the allowed sender structure in cases where
* it must be freed (occurs most often when HUPed).
* rgerhards, 2008-12-02: revamped this code when we fixed the interface
* definition. Now an iterative algorithm is used.
*/
static void
clearAllowedSenders(uchar *pszType)
{
struct AllowedSenders *pPrev;
struct AllowedSenders *pCurr = NULL;
if(setAllowRoot(&pCurr, pszType) != RS_RET_OK)
return; /* if something went wrong, so let's leave */
while(pCurr != NULL) {
pPrev = pCurr;
pCurr = pCurr->pNext;
/* now delete the entry we are right now processing */
if(F_ISSET(pPrev->allowedSender.flags, ADDR_NAME))
free(pPrev->allowedSender.addr.HostWildcard);
else
free(pPrev->allowedSender.addr.NetAddr);
free(pPrev);
}
/* indicate root pointer is de-init (was forgotten previously, resulting in
* all kinds of interesting things) -- rgerhards, 2009-01-12
*/
reinitAllowRoot(pszType);
}
/* function to add an allowed sender to the allowed sender list. The
* root of the list is caller-provided, so it can be used for all
* supported lists. The caller must provide a pointer to the root,
* as it eventually needs to be updated. Also, a pointer to the
* pointer to the last element must be provided (to speed up adding
* list elements).
* rgerhards, 2005-09-26
* If a hostname is given there are possible multiple entries
* added (all addresses from that host).
*/
static rsRetVal AddAllowedSender(struct AllowedSenders **ppRoot, struct AllowedSenders **ppLast,
struct NetAddr *iAllow, uint8_t iSignificantBits)
{
struct addrinfo *restmp = NULL;
DEFiRet;
assert(ppRoot != NULL);
assert(ppLast != NULL);
assert(iAllow != NULL);
if (!F_ISSET(iAllow->flags, ADDR_NAME)) {
if(iSignificantBits == 0)
/* we handle this seperatly just to provide a better
* error message.
*/
LogError(0, NO_ERRCODE, "You can not specify 0 bits of the netmask, this would "
"match ALL systems. If you really intend to do that, "
"remove all $AllowedSender directives.");
switch (iAllow->addr.NetAddr->sa_family) {
case AF_INET:
if((iSignificantBits < 1) || (iSignificantBits > 32)) {
LogError(0, NO_ERRCODE, "Invalid number of bits (%d) in IPv4 address - adjusted to 32",
(int)iSignificantBits);
iSignificantBits = 32;
}
MaskIP4 (&(SIN(iAllow->addr.NetAddr)->sin_addr), iSignificantBits);
break;
case AF_INET6:
if((iSignificantBits < 1) || (iSignificantBits > 128)) {
LogError(0, NO_ERRCODE, "Invalid number of bits (%d) in IPv6 address - adjusted to 128",
iSignificantBits);
iSignificantBits = 128;
}
MaskIP6 (&(SIN6(iAllow->addr.NetAddr)->sin6_addr), iSignificantBits);
break;
default:
/* rgerhards, 2007-07-16: We have an internal program error in this
* case. However, there is not much we can do against it right now. Of
* course, we could abort, but that would probably cause more harm
* than good. So we continue to run. We simply do not add this line - the
* worst thing that happens is that one host will not be allowed to
* log.
*/
LogError(0, NO_ERRCODE, "Internal error caused AllowedSender to be ignored, AF = %d",
iAllow->addr.NetAddr->sa_family);
ABORT_FINALIZE(RS_RET_ERR);
}
/* OK, entry constructed, now lets add it to the ACL list */
iRet = AddAllowedSenderEntry(ppRoot, ppLast, iAllow, iSignificantBits);
} else {
/* we need to process a hostname ACL */
if(glbl.GetDisableDNS(loadConf)) {
LogError(0, NO_ERRCODE, "Ignoring hostname based ACLs because DNS is disabled.");
ABORT_FINALIZE(RS_RET_OK);
}
if (!strchr (iAllow->addr.HostWildcard, '*') &&
!strchr (iAllow->addr.HostWildcard, '?') &&
loadConf->globals.ACLDontResolve == 0) {
/* single host - in this case, we pull its IP addresses from DNS
* and add IP-based ACLs.
*/
struct addrinfo hints, *res;
struct NetAddr allowIP;
memset (&hints, 0, sizeof (struct addrinfo));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
# ifdef AI_ADDRCONFIG /* seems not to be present on all systems */
hints.ai_flags = AI_ADDRCONFIG;
# endif
if (getaddrinfo (iAllow->addr.HostWildcard, NULL, &hints, &res) != 0) {
LogError(0, NO_ERRCODE, "DNS error: Can't resolve \"%s\"", iAllow->addr.HostWildcard);
if (loadConf->globals.ACLAddHostnameOnFail) {
LogError(0, NO_ERRCODE, "Adding hostname \"%s\" to ACL as a wildcard "
"entry.", iAllow->addr.HostWildcard);
iRet = AddAllowedSenderEntry(ppRoot, ppLast, iAllow, iSignificantBits);
FINALIZE;
} else {
LogError(0, NO_ERRCODE, "Hostname \"%s\" WON\'T be added to ACL.",
iAllow->addr.HostWildcard);
ABORT_FINALIZE(RS_RET_NOENTRY);
}
}
restmp = res;
for ( ; res != NULL ; res = res->ai_next) {
switch (res->ai_family) {
case AF_INET: /* add IPv4 */
iSignificantBits = 32;
allowIP.flags = 0;
if((allowIP.addr.NetAddr = malloc(res->ai_addrlen)) == NULL) {
ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
}
memcpy(allowIP.addr.NetAddr, res->ai_addr, res->ai_addrlen);
if((iRet = AddAllowedSenderEntry(ppRoot, ppLast, &allowIP, iSignificantBits))
!= RS_RET_OK) {
free(allowIP.addr.NetAddr);
FINALIZE;
}
break;
case AF_INET6: /* IPv6 - but need to check if it is a v6-mapped IPv4 */
if(IN6_IS_ADDR_V4MAPPED (&SIN6(res->ai_addr)->sin6_addr)) {
/* extract & add IPv4 */
iSignificantBits = 32;
allowIP.flags = 0;
if((allowIP.addr.NetAddr = (struct sockaddr *)
malloc(sizeof(struct sockaddr))) == NULL) {
ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
}
SIN(allowIP.addr.NetAddr)->sin_family = AF_INET;
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
SIN(allowIP.addr.NetAddr)->sin_len = sizeof (struct sockaddr_in);
#endif
SIN(allowIP.addr.NetAddr)->sin_port = 0;
memcpy(&(SIN(allowIP.addr.NetAddr)->sin_addr.s_addr),
&(SIN6(res->ai_addr)->sin6_addr.s6_addr32[3]),
sizeof (in_addr_t));
if((iRet = AddAllowedSenderEntry(ppRoot, ppLast, &allowIP,
iSignificantBits))
!= RS_RET_OK) {
free(allowIP.addr.NetAddr);
FINALIZE;
}
} else {
/* finally add IPv6 */
iSignificantBits = 128;
allowIP.flags = 0;
if((allowIP.addr.NetAddr = malloc(res->ai_addrlen)) == NULL) {
ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
}
memcpy(allowIP.addr.NetAddr, res->ai_addr, res->ai_addrlen);
if((iRet = AddAllowedSenderEntry(ppRoot, ppLast, &allowIP,
iSignificantBits))
!= RS_RET_OK) {
free(allowIP.addr.NetAddr);
FINALIZE;
}
}
break;
}
}
} else {
/* wildcards in hostname - we need to add a text-based ACL.
* For this, we already have everything ready and just need
* to pass it along...
*/
iRet = AddAllowedSenderEntry(ppRoot, ppLast, iAllow, iSignificantBits);
}
}
finalize_it:
if(restmp != NULL) {
freeaddrinfo (restmp);
}
RETiRet;
}
static const char *SENDER_TEXT[4] = { "", "UDP", "TCP", "GSS" };
/* Print an allowed sender list. The caller must tell us which one.
* iListToPrint = 1 means UDP, 2 means TCP
* rgerhards, 2005-09-27
*/
static void
PrintAllowedSenders(int iListToPrint)
{
struct AllowedSenders *pSender;
uchar szIP[64];
#ifdef USE_GSSAPI
#define iListToPrint_MAX 3
#else
#define iListToPrint_MAX 2
#endif
assert((iListToPrint > 0) && (iListToPrint <= iListToPrint_MAX));
dbgprintf("Allowed %s Senders:\n", SENDER_TEXT[iListToPrint]);
pSender = (iListToPrint == 1) ? pAllowedSenders_UDP :
#ifdef USE_GSSAPI
(iListToPrint == 3) ? pAllowedSenders_GSS :
#endif
pAllowedSenders_TCP;
if(pSender == NULL) {
dbgprintf("\tNo restrictions set.\n");
} else {
while(pSender != NULL) {
if (F_ISSET(pSender->allowedSender.flags, ADDR_NAME))
dbgprintf ("\t%s\n", pSender->allowedSender.addr.HostWildcard);
else {
if(mygetnameinfo (pSender->allowedSender.addr.NetAddr,
SALEN(pSender->allowedSender.addr.NetAddr),
(char*)szIP, 64, NULL, 0, NI_NUMERICHOST) == 0) {
dbgprintf ("\t%s/%u\n", szIP, pSender->SignificantBits);
} else {
/* getnameinfo() failed - but as this is only a
* debug function, we simply spit out an error and do
* not care much about it.
*/
dbgprintf("\tERROR in getnameinfo() - something may be wrong "
"- ignored for now\n");
}
}
pSender = pSender->pNext;
}
}
}
/* parse an allowed sender config line and add the allowed senders
* (if the line is correct).
* rgerhards, 2005-09-27
*/
static rsRetVal
addAllowedSenderLine(char* pName, uchar** ppRestOfConfLine)
{
struct AllowedSenders **ppRoot;
struct AllowedSenders **ppLast;
rsParsObj *pPars;
rsRetVal iRet;
struct NetAddr *uIP = NULL;
int iBits;
assert(pName != NULL);
assert(ppRestOfConfLine != NULL);
assert(*ppRestOfConfLine != NULL);
if(!strcasecmp(pName, "udp")) {
ppRoot = &pAllowedSenders_UDP;
ppLast = &pLastAllowedSenders_UDP;
} else if(!strcasecmp(pName, "tcp")) {
ppRoot = &pAllowedSenders_TCP;
ppLast = &pLastAllowedSenders_TCP;
#ifdef USE_GSSAPI
} else if(!strcasecmp(pName, "gss")) {
ppRoot = &pAllowedSenders_GSS;
ppLast = &pLastAllowedSenders_GSS;
#endif
} else {
LogError(0, RS_RET_ERR, "Invalid protocol '%s' in allowed sender "
"list, line ignored", pName);
return RS_RET_ERR;
}
/* OK, we now know the protocol and have valid list pointers.
* So let's process the entries. We are using the parse class
* for this.
*/
/* create parser object starting with line string without leading colon */
if((iRet = rsParsConstructFromSz(&pPars, (uchar*) *ppRestOfConfLine) != RS_RET_OK)) {
LogError(0, iRet, "Error %d constructing parser object - ignoring allowed sender list", iRet);
return(iRet);
}
while(!parsIsAtEndOfParseString(pPars)) {
if(parsPeekAtCharAtParsPtr(pPars) == '#')
break; /* a comment-sign stops processing of line */
/* now parse a single IP address */
if((iRet = parsAddrWithBits(pPars, &uIP, &iBits)) != RS_RET_OK) {
LogError(0, iRet, "Error %d parsing address in allowed sender"
"list - ignoring.", iRet);
rsParsDestruct(pPars);
return(iRet);
}
if((iRet = AddAllowedSender(ppRoot, ppLast, uIP, iBits)) != RS_RET_OK) {
if(iRet == RS_RET_NOENTRY) {
LogError(0, iRet, "Error %d adding allowed sender entry "
"- ignoring.", iRet);
} else {
LogError(0, iRet, "Error %d adding allowed sender entry "
"- terminating, nothing more will be added.", iRet);
rsParsDestruct(pPars);
free(uIP);
return(iRet);
}
}
free (uIP); /* copy stored in AllowedSenders list */
}
/* cleanup */
*ppRestOfConfLine += parsGetCurrentPosition(pPars);
return rsParsDestruct(pPars);
}
/* compares a host to an allowed sender list entry. Handles all subleties
* including IPv4/v6 as well as domain name wildcards.
* This is a helper to isAllowedSender.
* Returns 0 if they do not match, 1 if they match and 2 if a DNS name would have been required.
* contributed 2007-07-16 by mildew@gmail.com
*/
static int
MaskCmp(struct NetAddr *pAllow, uint8_t bits, struct sockaddr *pFrom, const char *pszFromHost, int bChkDNS)
{
assert(pAllow != NULL);
assert(pFrom != NULL);
if(F_ISSET(pAllow->flags, ADDR_NAME)) {
if(bChkDNS == 0)
return 2;
dbgprintf("MaskCmp: host=\"%s\"; pattern=\"%s\"\n", pszFromHost, pAllow->addr.HostWildcard);
# if !defined(FNM_CASEFOLD)
/* TODO: I don't know if that then works, seen on HP UX, what I have not in lab... ;) */
return(fnmatch(pAllow->addr.HostWildcard, pszFromHost, FNM_NOESCAPE) == 0);
# else
return(fnmatch(pAllow->addr.HostWildcard, pszFromHost, FNM_NOESCAPE|FNM_CASEFOLD) == 0);
# endif
} else {/* We need to compare an IP address */
switch (pFrom->sa_family) {
case AF_INET:
if (AF_INET == pAllow->addr.NetAddr->sa_family)
return(( SIN(pFrom)->sin_addr.s_addr & htonl(0xffffffff << (32 - bits)) )
== SIN(pAllow->addr.NetAddr)->sin_addr.s_addr);
else
return 0;
break;
case AF_INET6:
switch (pAllow->addr.NetAddr->sa_family) {
case AF_INET6: {
struct in6_addr ip, net;
register uint8_t i;
memcpy (&ip, &(SIN6(pFrom))->sin6_addr, sizeof (struct in6_addr));
memcpy (&net, &(SIN6(pAllow->addr.NetAddr))->sin6_addr, sizeof (struct in6_addr));
i = bits/32;
if (bits % 32)
ip.s6_addr32[i++] &= htonl(0xffffffff << (32 - (bits % 32)));
for (; i < (sizeof ip.s6_addr32)/4; i++)
ip.s6_addr32[i] = 0;
return (memcmp (ip.s6_addr, net.s6_addr, sizeof ip.s6_addr) == 0 &&
(SIN6(pAllow->addr.NetAddr)->sin6_scope_id != 0 ?
SIN6(pFrom)->sin6_scope_id == SIN6(pAllow->addr.NetAddr)->sin6_scope_id : 1));
}
case AF_INET: {
struct in6_addr *ip6 = &(SIN6(pFrom))->sin6_addr;
struct in_addr *net = &(SIN(pAllow->addr.NetAddr))->sin_addr;
if ((ip6->s6_addr32[3] & (u_int32_t)
htonl((0xffffffff << (32 - bits)))) == net->s_addr &&
#if BYTE_ORDER == LITTLE_ENDIAN
(ip6->s6_addr32[2] == (u_int32_t)0xffff0000) &&
#else
(ip6->s6_addr32[2] == (u_int32_t)0x0000ffff) &&
#endif
(ip6->s6_addr32[1] == 0) && (ip6->s6_addr32[0] == 0))
return 1;
else
return 0;
}
default:
/* Unsupported AF */
return 0;
}
/* fallthrough */
default:
/* Unsupported AF */
return 0;
}
}
}
/* check if a sender is allowed. The root of the the allowed sender.
* list must be proveded by the caller. As such, this function can be
* used to check both UDP and TCP allowed sender lists.
* returns 1, if the sender is allowed, 0 if not and 2 if we could not
* obtain a result because we would need a dns name, which we don't have
* (2 was added rgerhards, 2009-11-16).
* rgerhards, 2005-09-26
*/
static int isAllowedSender2(uchar *pszType, struct sockaddr *pFrom, const char *pszFromHost, int bChkDNS)
{
struct AllowedSenders *pAllow;
struct AllowedSenders *pAllowRoot = NULL;
int bNeededDNS = 0; /* partial check because we could not resolve DNS? */
int ret;
assert(pFrom != NULL);
if(setAllowRoot(&pAllowRoot, pszType) != RS_RET_OK)
return 0; /* if something went wrong, we deny access - that's the better choice... */
if(pAllowRoot == NULL)
return 1; /* checking disabled, everything is valid! */
/* now we loop through the list of allowed senders. As soon as
* we find a match, we return back (indicating allowed). We loop
* until we are out of allowed senders. If so, we fall through the
* loop and the function's terminal return statement will indicate
* that the sender is disallowed.
*/
for(pAllow = pAllowRoot ; pAllow != NULL ; pAllow = pAllow->pNext) {
ret = MaskCmp (&(pAllow->allowedSender), pAllow->SignificantBits, pFrom, pszFromHost, bChkDNS);
if(ret == 1)
return 1;
else if(ret == 2)
bNeededDNS = 2;
}
return bNeededDNS;
}
/* legacy API, not to be used any longer */
static int
isAllowedSender(uchar *pszType, struct sockaddr *pFrom, const char *pszFromHost) {
return isAllowedSender2(pszType, pFrom, pszFromHost, 1);
}
/* The following #ifdef sequence is a small compatibility
* layer. It tries to work around the different availality
* levels of SO_BSDCOMPAT on linuxes...
* I borrowed this code from
* http://www.erlang.org/ml-archive/erlang-questions/200307/msg00037.html
* It still needs to be a bit better adapted to rsyslog.
* rgerhards 2005-09-19
*/
#include <sys/utsname.h>
static int
should_use_so_bsdcompat(void)
{
#ifndef OS_BSD
static int use_so_bsdcompat = -1;
/* we guard the init code just by an atomic fetch to local variable. This still
* is racy, but the worst that can happen is that we do the very same init twice.
* This does hurt less than locking a mutex.
*/
const int local_use_so_bsdcompat = PREFER_FETCH_32BIT(use_so_bsdcompat);
if(local_use_so_bsdcompat == -1) {
struct utsname myutsname;
unsigned int version, patchlevel;
if (uname(&myutsname) < 0) {
char errStr[1024];
dbgprintf("uname: %s\r\n", rs_strerror_r(errno, errStr, sizeof(errStr)));
PREFER_STORE_1_TO_INT(&use_so_bsdcompat);
FINALIZE;
}
/* Format is <version>.<patchlevel>.<sublevel><extraversion>
* where the first three are unsigned integers and the last
* is an arbitrary string. We only care about the first two. */
if (sscanf(myutsname.release, "%u.%u", &version, &patchlevel) != 2) {
dbgprintf("uname: unexpected release '%s'\r\n",
myutsname.release);
PREFER_STORE_1_TO_INT(&use_so_bsdcompat);
FINALIZE;
}
/* SO_BSCOMPAT is deprecated and triggers warnings in 2.5
* kernels. It is a no-op in 2.4 but not in 2.2 kernels. */
if (version > 2 || (version == 2 && patchlevel >= 5)) {
PREFER_STORE_0_TO_INT(&use_so_bsdcompat);
FINALIZE;
}
}
finalize_it:
return PREFER_FETCH_32BIT(use_so_bsdcompat);
#else /* #ifndef OS_BSD */
return 1;
#endif /* #ifndef OS_BSD */
}
#ifndef SO_BSDCOMPAT
/* this shall prevent compiler errors due to undfined name */
#define SO_BSDCOMPAT 0
#endif
/* print out which socket we are listening on. This is only
* a debug aid. rgerhards, 2007-07-02
*/
static void
debugListenInfo(int fd, char *type)
{
const char *szFamily;
int port;
union {
struct sockaddr_storage sa;
struct sockaddr_in sa4;
struct sockaddr_in6 sa6;
} sockaddr;
socklen_t saLen = sizeof(sockaddr.sa);
if(getsockname(fd, (struct sockaddr *) &sockaddr.sa, &saLen) == 0) {
switch(sockaddr.sa.ss_family) {
case PF_INET:
szFamily = "IPv4";
port = ntohs(sockaddr.sa4.sin_port);
break;
case PF_INET6:
szFamily = "IPv6";
port = ntohs(sockaddr.sa6.sin6_port);
break;
default:
szFamily = "other";
port = -1;
break;
}
dbgprintf("Listening on %s syslogd socket %d (%s/port %d).\n",
type, fd, szFamily, port);
return;
}
/* we can not obtain peer info. We are just providing
* debug info, so this is no reason to break the program
* or do any serious error reporting.
*/
dbgprintf("Listening on syslogd socket %d - could not obtain peer info.\n", fd);
}
/* Return a printable representation of a host addresses. If
* a parameter is NULL, it is not set. rgerhards, 2013-01-22
*/
static rsRetVal
cvthname(struct sockaddr_storage *f, prop_t **localName, prop_t **fqdn, prop_t **ip)
{
DEFiRet;
assert(f != NULL);
iRet = dnscacheLookup(f, fqdn, NULL, localName, ip);
RETiRet;
}
/* get the name of the local host. A pointer to a character pointer is passed
* in, which on exit points to the local hostname. This buffer is dynamically
* allocated and must be free()ed by the caller. If the functions returns an
* error, the pointer is NULL.
* This function always tries to return a FQDN, even so be quering DNS. So it
* is safe to assume for the caller that when the function does not return
* a FQDN, it simply is not available. The domain part of that string is
* normalized to lower case. The hostname is kept in mixed case for historic
* reasons.
*/
#define EMPTY_HOSTNAME_REPLACEMENT "localhost-empty-hostname"
static rsRetVal
getLocalHostname(rsconf_t *const pConf, uchar **ppName)
{
DEFiRet;
char hnbuf[8192];
uchar *fqdn = NULL;
int empty_hostname = 1;
if(gethostname(hnbuf, sizeof(hnbuf)) != 0) {
strcpy(hnbuf, EMPTY_HOSTNAME_REPLACEMENT);
} else {
/* now guard against empty hostname
* see https://github.com/rsyslog/rsyslog/issues/1040
*/
if(hnbuf[0] == '\0') {
strcpy(hnbuf, EMPTY_HOSTNAME_REPLACEMENT);
} else {
empty_hostname = 0;
hnbuf[sizeof(hnbuf)-1] = '\0'; /* be on the safe side... */
}
}
char *dot = strstr(hnbuf, ".");
struct addrinfo *res = NULL;
if(!empty_hostname && dot == NULL && pConf != NULL && !glbl.GetDisableDNS(pConf)) {
/* we need to (try) to find the real name via resolver */
struct addrinfo flags;
memset(&flags, 0, sizeof(flags));
flags.ai_flags = AI_CANONNAME;
int error = getaddrinfo((char*)hnbuf, NULL, &flags, &res);
if (error != 0 &&
error != EAI_NONAME && error != EAI_AGAIN && error != EAI_FAIL) {
/* If we get one of errors above, network is probably
* not working yet, so we fall back to local hostname below
*/
LogError(0, RS_RET_ERR, "getaddrinfo failed obtaining local "
"hostname - using '%s' instead; error: %s",
hnbuf, gai_strerror(error));
}
if (res != NULL) {
/* When AI_CANONNAME is set first member of res linked-list */
/* should contain what we need */
if (res->ai_canonname != NULL && res->ai_canonname[0] != '\0') {
CHKmalloc(fqdn = (uchar*)strdup(res->ai_canonname));
dot = strstr((char*)fqdn, ".");
}
}
}
if(fqdn == NULL) {
/* already was FQDN or we could not obtain a better one */
CHKmalloc(fqdn = (uchar*) strdup(hnbuf));
}
if(dot != NULL)
for(char *p = dot+1 ; *p ; ++p)
*p = tolower(*p);
*ppName = fqdn;
finalize_it:
if (res != NULL) {
freeaddrinfo(res);
}
RETiRet;
}
/* closes the UDP listen sockets (if they exist) and frees
* all dynamically assigned memory.
*/
static void
closeUDPListenSockets(int *pSockArr)
{
register int i;
assert(pSockArr != NULL);
if(pSockArr != NULL) {
for (i = 0; i < *pSockArr; i++)
close(pSockArr[i+1]);
free(pSockArr);
}
}
/* create a single UDP socket and bail out if an error occurs.
* This is called from a loop inside create_udp_socket which
* iterates through potentially multiple sockets. NOT to be
* used elsewhere.
*/
static rsRetVal ATTR_NONNULL(1, 2)
create_single_udp_socket(int *const s, /* socket */
struct addrinfo *const r,
const uchar *const hostname,
const int bIsServer,
const int rcvbuf,
const int sndbuf,
const int ipfreebind,
const char *const device
)
{
const int on = 1;
int sockflags;
int actrcvbuf;
int actsndbuf;
socklen_t optlen;
char errStr[1024];
DEFiRet;
assert(r != NULL); // does NOT work with -O2 or higher due to ATTR_NONNULL!
assert(s != NULL);
# if defined (_AIX)
/* AIXPORT : socktype will be SOCK_DGRAM, as set in hints before */
*s = socket(r->ai_family, SOCK_DGRAM, r->ai_protocol);
# else
*s = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
# endif
if (*s < 0) {
if(!(r->ai_family == PF_INET6 && errno == EAFNOSUPPORT)) {
LogError(errno, NO_ERRCODE, "create_udp_socket(), socket");
/* it is debateble if PF_INET with EAFNOSUPPORT should
* also be ignored...
*/
}
ABORT_FINALIZE(RS_RET_ERR);
}
# ifdef IPV6_V6ONLY
if (r->ai_family == AF_INET6) {
int ion = 1;
if (setsockopt(*s, IPPROTO_IPV6, IPV6_V6ONLY,
(char *)&ion, sizeof (ion)) < 0) {
LogError(errno, RS_RET_ERR, "error creating UDP socket - setsockopt");
ABORT_FINALIZE(RS_RET_ERR);
}
}
# endif
if(device) {
# if defined(SO_BINDTODEVICE)
if(setsockopt(*s, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(device) + 1) < 0)
# endif
{
LogError(errno, RS_RET_ERR, "create UDP socket bound to device failed");
ABORT_FINALIZE(RS_RET_ERR);
}
}
if(setsockopt(*s, SOL_SOCKET, SO_REUSEADDR, (char *) &on, sizeof(on)) < 0 ) {
LogError(errno, RS_RET_ERR, "create UDP socket failed to set REUSEADDR");
ABORT_FINALIZE(RS_RET_ERR);
}
/* We need to enable BSD compatibility. Otherwise an attacker
* could flood our log files by sending us tons of ICMP errors.
*/
/* AIXPORT : SO_BSDCOMPAT socket option is deprecated, and its usage
* has been discontinued on most unixes, AIX does not support this option,
* hence avoid the call.
*/
# if !defined(OS_BSD) && !defined(__hpux) && !defined(_AIX)
if (should_use_so_bsdcompat()) {
if (setsockopt(*s, SOL_SOCKET, SO_BSDCOMPAT, (char *) &on, sizeof(on)) < 0) {
LogError(errno, RS_RET_ERR, "create UDP socket failed to set BSDCOMPAT");
ABORT_FINALIZE(RS_RET_ERR);
}
}
# endif
if(bIsServer) {
DBGPRINTF("net.c: trying to set server socket %d to non-blocking mode\n", *s);
if ((sockflags = fcntl(*s, F_GETFL)) != -1) {
sockflags |= O_NONBLOCK;
/* SETFL could fail too, so get it caught by the subsequent
* error check.
*/
sockflags = fcntl(*s, F_SETFL, sockflags);
}
if (sockflags == -1) {
LogError(errno, RS_RET_ERR, "net.c: socket %d fcntl(O_NONBLOCK)", *s);
ABORT_FINALIZE(RS_RET_ERR);
}
}
if(sndbuf != 0) {
# if defined(SO_SNDBUFFORCE)
if(setsockopt(*s, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, sizeof(sndbuf)) < 0)
# endif
{
/* if we fail, try to do it the regular way. Experiments show that at
* least some platforms do not return an error here, but silently set
* it to the max permitted value. So we do our error check a bit
* differently by querying the size below.
*/
if(setsockopt(*s, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) != 0) {
/* keep Coverity happy */
DBGPRINTF("setsockopt in %s:%d failed - this is expected and "
"handled at later stages\n", __FILE__, __LINE__);
}
}
/* report socket buffer sizes */
optlen = sizeof(actsndbuf);
if(getsockopt(*s, SOL_SOCKET, SO_SNDBUF, &actsndbuf, &optlen) == 0) {
LogMsg(0, NO_ERRCODE, LOG_INFO,
"socket %d, actual os socket sndbuf size is %d", *s, actsndbuf);
if(sndbuf != 0 && actsndbuf/2 != sndbuf) {
LogError(errno, NO_ERRCODE,
"could not set os socket sndbuf size %d for socket %d, "
"value now is %d", sndbuf, *s, actsndbuf/2);
}
} else {
DBGPRINTF("could not obtain os socket rcvbuf size for socket %d: %s\n",
*s, rs_strerror_r(errno, errStr, sizeof(errStr)));
}
}
if(rcvbuf != 0) {
# if defined(SO_RCVBUFFORCE)
if(setsockopt(*s, SOL_SOCKET, SO_RCVBUFFORCE, &rcvbuf, sizeof(rcvbuf)) < 0)
# endif
{
/* if we fail, try to do it the regular way. Experiments show that at
* least some platforms do not return an error here, but silently set
* it to the max permitted value. So we do our error check a bit
* differently by querying the size below.
*/
if(setsockopt(*s, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(rcvbuf)) != 0) {
/* keep Coverity happy */
DBGPRINTF("setsockopt in %s:%d failed - this is expected and "
"handled at later stages\n", __FILE__, __LINE__);
}
}
optlen = sizeof(actrcvbuf);
if(getsockopt(*s, SOL_SOCKET, SO_RCVBUF, &actrcvbuf, &optlen) == 0) {
LogMsg(0, NO_ERRCODE, LOG_INFO,
"socket %d, actual os socket rcvbuf size %d\n", *s, actrcvbuf);
if(rcvbuf != 0 && actrcvbuf/2 != rcvbuf) {
LogError(errno, NO_ERRCODE,
"cannot set os socket rcvbuf size %d for socket %d, value now is %d",
rcvbuf, *s, actrcvbuf/2);
}
} else {
DBGPRINTF("could not obtain os socket rcvbuf size for socket %d: %s\n",
*s, rs_strerror_r(errno, errStr, sizeof(errStr)));
}
}
if(bIsServer) {
/* rgerhards, 2007-06-22: if we run on a kernel that does not support
* the IPV6_V6ONLY socket option, we need to use a work-around. On such
* systems the IPv6 socket does also accept IPv4 sockets. So an IPv4
* socket can not listen on the same port as an IPv6 socket. The only
* workaround is to ignore the "socket in use" error. This is what we
* do if we have to.
*/
if( (bind(*s, r->ai_addr, r->ai_addrlen) < 0)
# ifndef IPV6_V6ONLY
&& (errno != EADDRINUSE)
# endif
) {
if (errno == EADDRNOTAVAIL && ipfreebind != IPFREEBIND_DISABLED) {
if (setsockopt(*s, IPPROTO_IP, IP_FREEBIND, &on, sizeof(on)) < 0) {
LogError(errno, RS_RET_ERR, "setsockopt(IP_FREEBIND)");
} else if (bind(*s, r->ai_addr, r->ai_addrlen) < 0) {
LogError(errno, RS_RET_ERR, "bind with IP_FREEBIND");
} else {
if (ipfreebind >= IPFREEBIND_ENABLED_WITH_LOG)
LogMsg(0, RS_RET_OK_WARN, LOG_WARNING,
"bound address %s IP free", hostname);
FINALIZE;
}
}
ABORT_FINALIZE(RS_RET_ERR);
}
}
finalize_it:
if(iRet != RS_RET_OK) {
if(*s != -1) {
close(*s);
*s = -1;
}
}
RETiRet;
}
/* creates the UDP listen sockets
* hostname and/or pszPort may be NULL, but not both!
* bIsServer indicates if a server socket should be created
* 1 - server, 0 - client
* Note: server sockets are created in non-blocking mode, client ones
* are blocking.
* param rcvbuf indicates desired rcvbuf size; 0 means OS default,
* similar for sndbuf.
*/
static int *
create_udp_socket(uchar *hostname,
uchar *pszPort,
const int bIsServer,
const int rcvbuf,
const int sndbuf,
const int ipfreebind,
char *device)
{
struct addrinfo hints, *res, *r;
int error, maxs, *s, *socks;
rsRetVal localRet;
assert(!((pszPort == NULL) && (hostname == NULL))); /* one of them must be non-NULL */
memset(&hints, 0, sizeof(hints));
if(bIsServer)
hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
else
hints.ai_flags = AI_NUMERICSERV;
hints.ai_family = glbl.GetDefPFFamily(runConf);
hints.ai_socktype = SOCK_DGRAM;
# if defined (_AIX)
/* AIXPORT : SOCK_DGRAM has the protocol IPPROTO_UDP
* getaddrinfo needs this hint on AIX
*/
hints.ai_protocol = IPPROTO_UDP;
# endif
error = getaddrinfo((char*) hostname, (char*) pszPort, &hints, &res);
if(error) {
LogError(0, NO_ERRCODE, "%s", gai_strerror(error));
LogError(0, NO_ERRCODE, "UDP message reception disabled due to error logged in last message.\n");
return NULL;
}
/* Count max number of sockets we may open */
for (maxs = 0, r = res; r != NULL ; r = r->ai_next, maxs++)
/* EMPTY */;
socks = malloc((maxs+1) * sizeof(int));
if (socks == NULL) {
LogError(0, RS_RET_OUT_OF_MEMORY, "couldn't allocate memory for UDP "
"sockets, suspending UDP message reception");
freeaddrinfo(res);
return NULL;
}
*socks = 0; /* num of sockets counter at start of array */
s = socks + 1;
for (r = res; r != NULL ; r = r->ai_next) {
localRet = create_single_udp_socket(s, r, hostname, bIsServer, rcvbuf,
sndbuf, ipfreebind, device);
if(localRet == RS_RET_OK) {
(*socks)++;
s++;
}
}
if(res != NULL)
freeaddrinfo(res);
if(Debug && *socks != maxs)
dbgprintf("We could initialize %d UDP listen sockets out of %d we received "
"- this may or may not be an error indication.\n", *socks, maxs);
if(*socks == 0) {
LogError(0, NO_ERRCODE, "No UDP socket could successfully be initialized, "
"some functionality may be disabled.\n");
/* we do NOT need to close any sockets, because there were none... */
free(socks);
return(NULL);
}
return(socks);
}
/* check if two provided socket addresses point to the same host. Note that the
* length of the sockets must be provided as third parameter. This is necessary to
* compare non IPv4/v6 hosts, in which case we do a simple memory compare of the
* address structure (in that case, the same host may not reliably be detected).
* Note that we need to do the comparison not on the full structure, because it contains things
* like the port, which we do not need to look at when thinking about hostnames. So we look
* at the relevant fields, what means a somewhat more complicated processing.
* Also note that we use a non-standard calling interface, as this is much more natural and
* it looks extremely unlikely that we get an exception of any kind here. What we
* return is mimiced after memcmp(), and as such useful for building binary trees
* (the order relation may be a bit arbritrary, but at least it is consistent).
* rgerhards, 2009-09-03
*/
static int CmpHost(struct sockaddr_storage *s1, struct sockaddr_storage* s2, size_t socklen)
{
int ret;
if(((struct sockaddr*) s1)->sa_family != ((struct sockaddr*) s2)->sa_family) {
ret = memcmp(s1, s2, socklen);
goto finalize_it;
}
if(((struct sockaddr*) s1)->sa_family == AF_INET) {
if(((struct sockaddr_in *) s1)->sin_addr.s_addr == ((struct sockaddr_in*)s2)->sin_addr.s_addr) {
ret = 0;
} else if(((struct sockaddr_in *) s1)->sin_addr.s_addr < ((struct sockaddr_in*)s2)->sin_addr.s_addr) {
ret = -1;
} else {
ret = 1;
}
} else if(((struct sockaddr*) s1)->sa_family == AF_INET6) {
/* IPv6 addresses are always 16 octets long */
ret = memcmp(((struct sockaddr_in6 *)s1)->sin6_addr.s6_addr,
((struct sockaddr_in6*)s2)->sin6_addr.s6_addr, 16);
} else {
ret = memcmp(s1, s2, socklen);
}
finalize_it:
return ret;
}
/* check if restrictions (ALCs) exists. The goal of this function is to disable the
* somewhat time-consuming ACL checks if no restrictions are defined (the usual case).
* This also permits to gain some speedup by using firewall-based ACLs instead of
* rsyslog ACLs (the recommended method.
* rgerhards, 2009-11-16
*/
static rsRetVal
HasRestrictions(uchar *pszType, int *bHasRestrictions) {
struct AllowedSenders *pAllowRoot = NULL;
DEFiRet;
CHKiRet(setAllowRoot(&pAllowRoot, pszType));
*bHasRestrictions = (pAllowRoot == NULL) ? 0 : 1;
finalize_it:
if(iRet != RS_RET_OK) {
*bHasRestrictions = 1; /* in this case it is better to check individually */
DBGPRINTF("Error %d trying to obtain ACL restriction state of '%s'\n", iRet, pszType);
}
RETiRet;
}
/* return the IP address (IPv4/6) for the provided interface. Returns
* RS_RET_NOT_FOUND if interface can not be found in interface list.
* The family must be correct (AF_INET vs. AF_INET6, AF_UNSPEC means
* either of *these two*).
* The function re-queries the interface list (at least in theory).
* However, it caches entries in order to avoid too-frequent requery.
* rgerhards, 2012-03-06
*/
static rsRetVal
getIFIPAddr(uchar *szif, int family, uchar *pszbuf, int lenBuf)
{
#ifdef _AIX
struct ifaddrs_rsys * ifaddrs = NULL;
struct ifaddrs_rsys * ifa;
#else
struct ifaddrs * ifaddrs = NULL;
struct ifaddrs * ifa;
#endif
union {
struct sockaddr *sa;
struct sockaddr_in *ipv4;
struct sockaddr_in6 *ipv6;
} savecast;
void * pAddr;
DEFiRet;
if(getifaddrs(&ifaddrs) != 0) {
ABORT_FINALIZE(RS_RET_ERR);
}
for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) {
if(strcmp(ifa->ifa_name, (char*)szif))
continue;
savecast.sa = ifa->ifa_addr;
if( (family == AF_INET6 || family == AF_UNSPEC)
&& ifa->ifa_addr->sa_family == AF_INET6) {
pAddr = &(savecast.ipv6->sin6_addr);
inet_ntop(AF_INET6, pAddr, (char*)pszbuf, lenBuf);
break;
} else if(/* (family == AF_INET || family == AF_UNSPEC)
&&*/ ifa->ifa_addr->sa_family == AF_INET) {
pAddr = &(savecast.ipv4->sin_addr);
inet_ntop(AF_INET, pAddr, (char*)pszbuf, lenBuf);
break;
}
}
if(ifaddrs != NULL)
freeifaddrs(ifaddrs);
if(ifa == NULL)
iRet = RS_RET_NOT_FOUND;
finalize_it:
RETiRet;
}
/* queryInterface function
* rgerhards, 2008-03-05
*/
BEGINobjQueryInterface(net)
CODESTARTobjQueryInterface(net)
if(pIf->ifVersion != netCURR_IF_VERSION) { /* check for current version, increment on each change */
ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED);
}
/* ok, we have the right interface, so let's fill it
* Please note that we may also do some backwards-compatibility
* work here (if we can support an older interface version - that,
* of course, also affects the "if" above).
*/
pIf->cvthname = cvthname;
/* things to go away after proper modularization */
pIf->addAllowedSenderLine = addAllowedSenderLine;
pIf->PrintAllowedSenders = PrintAllowedSenders;
pIf->clearAllowedSenders = clearAllowedSenders;
pIf->debugListenInfo = debugListenInfo;
pIf->create_udp_socket = create_udp_socket;
pIf->closeUDPListenSockets = closeUDPListenSockets;
pIf->isAllowedSender = isAllowedSender;
pIf->isAllowedSender2 = isAllowedSender2;
pIf->should_use_so_bsdcompat = should_use_so_bsdcompat;
pIf->getLocalHostname = getLocalHostname;
pIf->AddPermittedPeer = AddPermittedPeer;
pIf->DestructPermittedPeers = DestructPermittedPeers;
pIf->PermittedPeerWildcardMatch = PermittedPeerWildcardMatch;
pIf->CmpHost = CmpHost;
pIf->HasRestrictions = HasRestrictions;
pIf->GetIFIPAddr = getIFIPAddr;
finalize_it:
ENDobjQueryInterface(net)
/* exit our class
* rgerhards, 2008-03-10
*/
BEGINObjClassExit(net, OBJ_IS_LOADABLE_MODULE) /* CHANGE class also in END MACRO! */
CODESTARTObjClassExit(net)
/* release objects we no longer need */
objRelease(glbl, CORE_COMPONENT);
objRelease(prop, CORE_COMPONENT);
ENDObjClassExit(net)
/* Initialize the net class. Must be called as the very first method
* before anything else is called inside this class.
* rgerhards, 2008-02-19
*/
BEGINAbstractObjClassInit(net, 1, OBJ_IS_CORE_MODULE) /* class, version */
/* request objects we use */
CHKiRet(objUse(glbl, CORE_COMPONENT));
CHKiRet(objUse(prop, CORE_COMPONENT));
/* set our own handlers */
ENDObjClassInit(net)
/* --------------- here now comes the plumbing that makes as a library module --------------- */
BEGINmodExit
CODESTARTmodExit
netClassExit();
ENDmodExit
BEGINqueryEtryPt
CODESTARTqueryEtryPt
CODEqueryEtryPt_STD_LIB_QUERIES
ENDqueryEtryPt
BEGINmodInit()
CODESTARTmodInit
*ipIFVersProvided = CURR_MOD_IF_VERSION; /* we only support the current interface specification */
/* Initialize all classes that are in our module - this includes ourselfs */
CHKiRet(netClassInit(pModInfo)); /* must be done after tcps_sess, as we use it */
ENDmodInit
/* vi:set ai:
*/
Reference in New Issue View Git Blame Copy Permalink