| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Move a `ULOGD_RET_BOOL` case for consistency.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Currently, the plug-in assumes that all IP addresses are 32-bit ipv4
addresses, so ipv6 addresses get truncated and inserted as garbage.
Insert nulls instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hitherto we have bound ipv4 addresses as 64-bit ints and 64-bit ints as
32-bit.
Move a `ULOGD_RET_BOOL` case for consistency and fix some nearby
formatting.
Fix some nearby formatting.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Replace hand-rolled ipv4-only formatting code in order to be able to
support ipv6 addresses. This also changes the byte-order expected by
oprint from HBO to NBO.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This plug-in expects ipv4 addresses. Check the length of the key value
in order to filter out ipv6 addresses.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
By using `okey_set_u128` we keep track of the address size and
downstream plug-ins can distinguish the address family.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Keys of type `ULOGD_RET_IPADDR` may be ipv4 or ipv6. ARP protocol
addresses are 32-bits (i.e., ipv4). By using `okey_set_u32` we keep
track of the size and allow downstream plug-ins to handle them
correctly.
Reported-by: Robert O'Brien <robrien@foxtrot-research.com>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Everywhere else ipv4 addresses are left in NBO until output. The only
exception is the IP2HBIN filter, which is explicitly intended to convert
from NBO to HBO.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Replace comma with semicolon.
Fixes: d4cf078cb71a ("add ukey_* function for key assignation")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Use a more modern alternative to bzip2.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Invalid read of size 4
at 0x405F60: ulogd_unregister_fd (select.c:74)
by 0x4E4E3DF: ??? (in /usr/lib/ulogd/ulogd_inppkt_NFLOG.so)
by 0x405003: stop_pluginstances (ulogd.c:1335)
by 0x405003: sigterm_handler_task (ulogd.c:1383)
by 0x405153: call_signal_handler_tasks (ulogd.c:424)
by 0x405153: signal_channel_callback (ulogd.c:443)
by 0x406163: ulogd_select_main (select.c:105)
by 0x403CF3: ulogd_main_loop (ulogd.c:1070)
by 0x403CF3: main (ulogd.c:1649)
Problem is that ulogd_inppkt_NFLOG.c::stop() calls ulogd_unregister_fd()
which does llist_del(). This llist_del may touch ->prev pointer.
As the list element is in private data, we cannot do this llist_del
from stop_pluginstances().
Therefore, the free() process moved location after finishing ulogd_unregister_fd().
Signed-off-by: Kyuwon Shim <kyuwon.shim@alliedtelesis.co.nz>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If ulogd2 receives a signal it will attempt to re-open the pcap output
file. If this fails (because the permissions or ownership have changed
for example), the FILE pointer will be null and when the next packet
comes in, the null pointer will be passed to fwrite and ulogd will
crash.
Instead, assign the return value of `fopen` to a local variable, and
only close the existing stream if `fopen` succeeded.
Link: https://bugs.launchpad.net/ubuntu/+source/ulogd2/+bug/1429778
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Instead of statting the file, and choosing the mode with which to open
it and whether to write the PCAP header based on the result, always open
it with mode "a" and _then_ stat it. This simplifies the flow-control
and avoids a race between statting and opening.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using mysql_config and pcap_config to configure `CFLAGS`, one
requests the actual flags:
$mysql_config --cflags
$pcap_config --cflags
By constrast, when using pg_config, one requests the include-directory:
$pg_config --includedir
Therefore, the `-I` option has to be explicitly added.
Fixes: 20727ab8b9fc ("build: use pkg-config or pg_config for libpq")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Some of the output plug-ins don't handle 64-bit signed values.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The types of `ip_totlen` in the `ulog` view and the `INSERT_IP_PACKET_FULL`
function are `integer`, but the column in the `ulog2` table is `smallint`. The
"total length" field of an IP packet is an unsigned 16-bit integer, whereas
`smallint` in PostgreSQL is a signed 16-bit integer type. Change the type of
`ulog2.ip_totlen` to `integer`.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1556
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hitherto, when adding queries to the back-log, the memory usage has been
incremented and decremented by the size of the query structure and the
length of the SQL statement, `sizeof(struct db_stmt) + len`. However,
when checking whether there is available capacity to add a new query,
the struct size has been ignored. Amend the check to include the struct
size, and also account for the NULL that terminates the SQL.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The `u.string` member of a config entry is an array, and so never `NULL`.
Output the device string unconditionally.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three of the filter plug-ins define arrays to hold output key values.
The arrays are sized based on the values of enums. For example:
enum output_keys {
KEY_MAC_TYPE,
KEY_MAC_PROTOCOL,
KEY_MAC_SADDR,
START_KEY = KEY_MAC_SADDR,
KEY_MAC_DADDR,
KEY_MAC_ADDR,
MAX_KEY = KEY_MAC_ADDR,
};
static char hwmac_str[MAX_KEY - START_KEY][HWADDR_LENGTH];
The arrays are indexed by subtracting `START_KEY` from the enum value of
the key currently being processed: `hwmac_str[okey - START_KEY]`.
However, this means that the last key (`KEY_MAC_ADDR` in this example)
will run off the end of the array. Increase the size of the arrays.
In the case of `IP2BIN` and `IP2HBIN`, there is no overrun, but only
because they use the wrong upper bound when looping over the keys, and
thus don't assign a value to the last key. Correct the bound.
Also some small white-space tweaks.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=890
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If `config_parse_file` returns `-ERRTOOLONG`, `config_errce` may be
`NULL`. However, the calling function checks whether
`config_errce->key` is `NULL` instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default, MySQL smallints are signed. This causes problems inserting packets
for ethertypes above 0x7fff, such as IPv6 (0x86dd):
MariaDB [ulogd]> SELECT INSERT_PACKET_FULL(...,'f4:7b:09:41:7a:71','f0:2f:74:4e:b2:f3',34525,0,NULL,NULL,NULL);
^^^^^
which fails as follows:
ERROR 1264 (22003): Out of range value for column 'mac_protocol' at row 1
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If SQLITE3 support has been explicitly requested, abort if it is not
available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If PostgreSQL support has been explicitly requested, abort if it is not
available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If libpcap support has been explicitly requested, abort if it is not
available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If MySQL support has been explicitly requested, abort if it is not
available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If DBI support has been explicitly requested, abort if it is not
available.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Recent versions of postgresql support pkg-config. Use pkg-config if
available, otherwise fall back to pg_config.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Recent versions of libpcap support pkg-config. Older versions provide a
pcap-config script. Use pkg-config if available, otherwise fall back to
pcap-config.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Recent versions of mariadb and mysql support pkg-config. Older versions
provide a mysql_config script. Use pkg-config if available, otherwise
fall back to mysql_config.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
libdbi introduced pkg-config support in 0.9.0, which was released in
2013. Use it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we use `AC_ARG_WITH` for output plugins. However, this is
not consistent with the input plugins, which use `AC_ARG_ENABLE`, and in
some cases (dbi, mysql, pgsql) the macro calls in configure.ac conflict
with others in acinclude.m4. Use `AC_ARG_ENABLE` instead and change the
name of the option for the JSON plugin from `jansson` to `json`.
Fixes: 51ba7aec8951 ("Fix automagic support of dbi, pcap and sqlite3")
Fixes: c61c05c2d050 ("configure.ac: Add --without-{mysql,pgsql}")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
There's local variable left over from a previous tidy-up. Remove it.
Fixes: 67b0be90f16f ("output: SQLITE3: improve mapping of fields to DB columns")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Add ULOGD_DTYPE_RAW to GPRINT to make it work, it does not provide much
information since raw packets come with only a few fields set on.
Therefore, update example ulogd.conf.in file since BASE provides a more
complete packet dissection.
Fixes: 59a71256945d ("src: add example use of GPRINT to ulogd.conf.in configuration file")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
struct config_entry already provides storage for the host and port
strings, .u.string is never NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Verify that the path is shorter than 108 bytes (maximum unix socket path).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ipfix.h header includes three macros which expand to compiler attributes.
Presumably, at some point the definitions were one branch of an if-else
preprocessor conditional where the definitions in the other branch expanded to
nothing. This is no longer the case. Only one of the macros (`__packed`) is
used and the raw attribute is used elsewhere in the code-base. Remove the
macros.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have `buflen` available. We can remove `strncat` and assign the characters
directly, without traversing the whole buffer.
Fixes a compiler warning:
logd_output_JSON.c:407:9: warning: `strncat` specified bound 1 equals source length
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `realloc` extending the buffer containing the JSON to allow us to
insert a final new-line may fail. Therefore, we need to assign the
return-value to a temporary variable or we will not able to free the
existing buffer on error.
Use the correct type for `buflen`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The output buffer for date-times is of sufficient size provided that we
don't get oversized integer values for any of the fields, which is a
reasonable assumption. However, the compiler complains about possible
truncation, e.g.:
ulogd_output_JSON.c:314:65: warning: `%06u` directive output may be truncated writing between 6 and 10 bytes into a region of size between 0 and 18
ulogd_output_JSON.c:313:25: note: `snprintf` output between 27 and 88 bytes into a destination of size 38
Fix the warnings by increasing the buffer size.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The compiler has two sets of complaints. Firstly, `t->tm_gmtoffset` is
a `long int`, but it is being passed to `abs`, which leads to warnings
such as:
ulogd_output_JSON.c:308:34: warning: absolute value function `abs` given an argument of type `long int` but has parameter of type `int` which may cause truncation of value
Secondly, it can't verify that the hour value derived from the offset
will in fact fit into `%02d`, thus:
ulogd_output_JSON.c:306:37: warning: `%02d` directive output may be truncated writing between 2 and 6 bytes into a region of size 5
To remedy these, we now mod the offset by 86,400 and assign it to an `int`
before deriving the hour and minute values.
We also change the format-specifier for the hour value to `%+03d` which
causes a sign to be printed even if the value is positive, thus allowing
us not to specify the sign explicitly and to drop the `abs` call for the
hour value.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, `strncpy` is used to copy the SQL statement to the ring
buffer, passing the length of the source string, which leads gcc to
complain:
../../util/db.c:231:25: warning: `strncpy` specified bound depends on the length of the source argument
In fact, the ring buffer is sized to be a multiple of the size of the
SQL buffer, and the SQL is simply copied multiple times at increasing
offsets, so use `strcpy` instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we copy the key-name to a buffer, iterate over it to replace
the full-stops with underscores, using `strchr` from the start of the
buffer on each iteration, then append the buffer to the SQL statement.
Apart from the inefficiency, `strncpy` is used to do the copies, which
leads gcc to complain:
../../util/db.c:118:25: warning: `strncpy` output may be truncated copying 31 bytes from a string of length 31
Furthermore, the buffer is one character too short and so there is the
possibility of overruns.
Instead, append the key-name directly to the statement using `sprintf`,
and run `strchr` from the last underscore on each iteration.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`sql_createstmt` contains a variable `stmt_val` which points to the end
of the SQL already written, where the next chunk should be appended.
Currently, this is assigned after every write:
sprintf(stmt_val, ...);
stmt_val = mi->stmt + strlen(mi->stmt);
However, since `sprintf` returns the number of bytes written, increment
`stmt_val` by the return-value of `sprintf` in order to avoid the
repeated `strlen` calls.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
`sqlite3_createstmt` returns non-zero on error, but the return-value was
being ignored. Change the calling code to check the return-value, log
an error message and propagate the error.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we derive a field-name by replacing all the underscores in a
DB column-name with full-stops and use the field-name to find the
matching input-key. However, every time we create a new insert SQL
statement, we derive the column-names by copying the field-names to a
buffer, replacing all the full-stops with underscores, and then
appending the buffer containing the column-name to the one containing
the statments.
Apart from the inefficiency, `strncpy` is used to do the copies, which
leads gcc to complain:
ulogd_output_SQLITE3.c:234:17: warning: `strncpy` output may be truncated copying 31 bytes from a string of length 31
Instead, leave the underscores in the field-name, but copy it once to a
buffer in which the underscores are replaced and use this to find the
input-key.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|