|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/hex"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"net"
|
|
|
|
"os"
|
|
|
|
"path/filepath"
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/subgraph/fw-daemon/nfqueue"
|
|
|
|
)
|
|
|
|
|
|
|
|
type socketAddr struct {
|
|
|
|
ip net.IP
|
|
|
|
port uint16
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sa socketAddr) String() string {
|
|
|
|
return fmt.Sprintf("%v:%d", sa.ip, sa.port)
|
|
|
|
}
|
|
|
|
|
|
|
|
type socketStatus struct {
|
|
|
|
local socketAddr
|
|
|
|
remote socketAddr
|
|
|
|
uid int
|
|
|
|
inode uint64
|
|
|
|
pid int
|
|
|
|
// XXX debugging
|
|
|
|
line string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ss *socketStatus) String() string {
|
|
|
|
return fmt.Sprintf("%s -> %s uid=%d inode=%d pid=%d", ss.local, ss.remote, ss.uid, ss.inode, ss.pid)
|
|
|
|
}
|
|
|
|
|
|
|
|
type ConnectionInfo struct {
|
|
|
|
proc *ProcInfo
|
|
|
|
local *socketAddr
|
|
|
|
remote *socketAddr
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ci *ConnectionInfo) String() string {
|
|
|
|
return fmt.Sprintf("%v %s %s", ci.proc, ci.local, ci.remote)
|
|
|
|
}
|
|
|
|
|
|
|
|
func findProcessForPacket(pkt *nfqueue.Packet) *ProcInfo {
|
|
|
|
ss := getSocketForPacket(pkt)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return findProcessForSocket(ss)
|
|
|
|
}
|
|
|
|
func findProcessForSocket(ss *socketStatus) *ProcInfo {
|
|
|
|
|
|
|
|
exePath, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", ss.pid))
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Error reading exe link for pid %d: %v", ss.pid, err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
bs, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/cmdline", ss.pid))
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Error reading cmdline for pid %d: %v", ss.pid, err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
for i, b := range bs {
|
|
|
|
if b == 0 {
|
|
|
|
bs[i] = byte(' ')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
finfo, err := os.Stat(fmt.Sprintf("/proc/%d", ss.pid))
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Could not stat /proc/%d: %v", ss.pid, err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
finfo.Sys()
|
|
|
|
return &ProcInfo{
|
|
|
|
pid: ss.pid,
|
|
|
|
uid: ss.uid,
|
|
|
|
exePath: exePath,
|
|
|
|
cmdLine: string(bs),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func getSocketLinesForPacket(pkt *nfqueue.Packet) []string {
|
|
|
|
if pkt.Protocol == nfqueue.TCP {
|
|
|
|
return getSocketLines("tcp")
|
|
|
|
} else if pkt.Protocol == nfqueue.UDP {
|
|
|
|
return getSocketLines("udp")
|
|
|
|
} else {
|
|
|
|
log.Warning("Cannot lookup socket for protocol %s", pkt.Protocol)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func getSocketLines(proto string) []string {
|
|
|
|
path := fmt.Sprintf("/proc/net/%s", proto)
|
|
|
|
data, err := ioutil.ReadFile(path)
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Error reading %s: %v", path, err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
lines := strings.Split(string(data), "\n")
|
|
|
|
if len(lines) > 0 {
|
|
|
|
lines = lines[1:]
|
|
|
|
}
|
|
|
|
return lines
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sa *socketAddr) parse(s string) error {
|
|
|
|
ipPort := strings.Split(s, ":")
|
|
|
|
if len(ipPort) != 2 {
|
|
|
|
return fmt.Errorf("badly formatted socket address field: %s", s)
|
|
|
|
}
|
|
|
|
ip, err := ParseIp(ipPort[0])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error parsing ip field [%s]: %v", ipPort[0], err)
|
|
|
|
}
|
|
|
|
port, err := ParsePort(ipPort[1])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("error parsing port field [%s]: %v", ipPort[1], err)
|
|
|
|
}
|
|
|
|
sa.ip = ip
|
|
|
|
sa.port = port
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ss *socketStatus) parseLine(line string) error {
|
|
|
|
fs := strings.Fields(line)
|
|
|
|
if len(fs) < 10 {
|
|
|
|
return errors.New("insufficient fields")
|
|
|
|
}
|
|
|
|
if err := ss.local.parse(fs[1]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := ss.remote.parse(fs[2]); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
uid, err := strconv.ParseUint(fs[7], 10, 32)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ss.uid = int(uid)
|
|
|
|
inode, err := strconv.ParseUint(fs[9], 10, 64)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ss.inode = inode
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getSocketForPacket(pkt *nfqueue.Packet) *socketStatus {
|
|
|
|
ss := findSocket(pkt)
|
|
|
|
if ss == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
pid := findPidForInode(ss.inode)
|
|
|
|
if pid > 0 {
|
|
|
|
ss.pid = pid
|
|
|
|
return ss
|
|
|
|
}
|
|
|
|
log.Info("Unable to find socket link socket:[%d] %s", ss.inode, printPacket(pkt, ""))
|
|
|
|
log.Info("Line was %s", ss.line)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func findSocket(pkt *nfqueue.Packet) *socketStatus {
|
|
|
|
var status socketStatus
|
|
|
|
for _, line := range getSocketLinesForPacket(pkt) {
|
|
|
|
if len(line) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err := status.parseLine(line); err != nil {
|
|
|
|
log.Warning("Unable to parse line [%s]: %v", line, err)
|
|
|
|
} else if status.remote.ip.Equal(pkt.Dst) && status.remote.port == pkt.DstPort && status.local.ip.Equal(pkt.Src) && status.local.port == pkt.SrcPort {
|
|
|
|
status.line = line
|
|
|
|
return &status
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Info("Failed to find socket for packet: %s", printPacket(pkt, ""))
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func ParseIp(ip string) (net.IP, error) {
|
|
|
|
var result net.IP
|
|
|
|
dst, err := hex.DecodeString(ip)
|
|
|
|
if err != nil {
|
|
|
|
return result, fmt.Errorf("Error parsing IP: %s", err)
|
|
|
|
}
|
|
|
|
// Reverse byte order -- /proc/net/tcp etc. is little-endian
|
|
|
|
// TODO: Does this vary by architecture?
|
|
|
|
for i, j := 0, len(dst)-1; i < j; i, j = i+1, j-1 {
|
|
|
|
dst[i], dst[j] = dst[j], dst[i]
|
|
|
|
}
|
|
|
|
result = net.IP(dst)
|
|
|
|
return result, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func ParsePort(port string) (uint16, error) {
|
|
|
|
p64, err := strconv.ParseInt(port, 16, 32)
|
|
|
|
if err != nil {
|
|
|
|
return 0, fmt.Errorf("Error parsing port: %s", err)
|
|
|
|
}
|
|
|
|
return uint16(p64), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func findPidForInode(inode uint64) int {
|
|
|
|
search := fmt.Sprintf("socket:[%d]", inode)
|
|
|
|
for _, pid := range getAllPids() {
|
|
|
|
if matchesSocketLink(pid, search) {
|
|
|
|
return pid
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
|
|
|
|
func matchesSocketLink(pid int, search string) bool {
|
|
|
|
paths, _ := filepath.Glob(fmt.Sprintf("/proc/%d/fd/*", pid))
|
|
|
|
for _, p := range paths {
|
|
|
|
link, err := os.Readlink(p)
|
|
|
|
if err == nil && link == search {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func getAllPids() []int {
|
|
|
|
var pids []int
|
|
|
|
d, err := os.Open("/proc")
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Error opening /proc: %v", err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
defer d.Close()
|
|
|
|
names, err := d.Readdirnames(0)
|
|
|
|
if err != nil {
|
|
|
|
log.Warning("Error reading directory names from /proc: %v", err)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
for _, n := range names {
|
|
|
|
if pid, err := strconv.ParseUint(n, 10, 32); err == nil {
|
|
|
|
pids = append(pids, int(pid))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return pids
|
|
|
|
}
|
|
|
|
|
|
|
|
func getConnections() ([]*ConnectionInfo, error) {
|
|
|
|
conns,err := readConntrack()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
resolveProcinfo(conns)
|
|
|
|
return conns, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func resolveProcinfo(conns []*ConnectionInfo) {
|
|
|
|
var sockets []*socketStatus
|
|
|
|
for _,line := range getSocketLines("tcp") {
|
|
|
|
if len(strings.TrimSpace(line)) == 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
ss := new(socketStatus)
|
|
|
|
if err := ss.parseLine(line); err != nil {
|
|
|
|
log.Warning("Unable to parse line [%s]: %v", line, err)
|
|
|
|
} else {
|
|
|
|
pid := findPidForInode(ss.inode)
|
|
|
|
if pid > 0 {
|
|
|
|
ss.pid = pid
|
|
|
|
fmt.Println("Socket", ss)
|
|
|
|
sockets = append(sockets, ss)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _,ci := range conns {
|
|
|
|
ss := findContrackSocket(ci, sockets)
|
|
|
|
if ss == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
proc := findProcessForSocket(ss)
|
|
|
|
if proc != nil {
|
|
|
|
ci.proc = proc
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func findContrackSocket(ci *ConnectionInfo, sockets []*socketStatus) *socketStatus {
|
|
|
|
for _,ss := range sockets {
|
|
|
|
if ss.local.port == ci.local.port && ss.remote.ip.Equal(ci.remote.ip) && ss.remote.port == ci.remote.port {
|
|
|
|
return ss
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func readConntrack() ([]*ConnectionInfo, error) {
|
|
|
|
path := fmt.Sprintf("/proc/net/ip_conntrack")
|
|
|
|
data, err := ioutil.ReadFile(path)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
var result []*ConnectionInfo
|
|
|
|
lines := strings.Split(string(data), "\n")
|
|
|
|
for _,line := range(lines) {
|
|
|
|
ci,err := parseConntrackLine(line)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if ci != nil {
|
|
|
|
result = append(result, ci)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return result, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func parseConntrackLine(line string) (*ConnectionInfo, error) {
|
|
|
|
parts := strings.Fields(line)
|
|
|
|
if len(parts) < 8 || parts[0] != "tcp" || parts[3] != "ESTABLISHED" {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
local,err := conntrackAddr(parts[4], parts[6])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
remote,err := conntrackAddr(parts[5], parts[7])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &ConnectionInfo{
|
|
|
|
local: local,
|
|
|
|
remote: remote,
|
|
|
|
},nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func conntrackAddr(ip_str, port_str string) (*socketAddr, error) {
|
|
|
|
ip := net.ParseIP(stripLabel(ip_str))
|
|
|
|
if ip == nil {
|
|
|
|
return nil, errors.New("Could not parse IP: "+ip_str)
|
|
|
|
}
|
|
|
|
i64, err := strconv.Atoi(stripLabel(port_str))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &socketAddr{
|
|
|
|
ip: ip,
|
|
|
|
port: uint16(i64),
|
|
|
|
},nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func stripLabel(s string) string {
|
|
|
|
idx := strings.Index(s, "=")
|
|
|
|
if idx == -1 {
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
return s[idx+1:]
|
|
|
|
}
|