void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; extract_command(argc, argv, index); signal (SIGTERM, signal_handler); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); char *comm = pid_proc_comm(pid); EUID_USER(); if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc")) exit(1); if (join_namespace(pid, "net")) exit(1); if (join_namespace(pid, "pid")) exit(1); if (join_namespace(pid, "uts")) exit(1); if (join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP // set protocol filter if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 protocol_filter(); } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_set(); #endif // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); // user namespace resets capabilities // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 // set prompt color to green char *prompt = getenv("FIREJAIL_PROMPT"); if (prompt && strcmp(prompt, "yes") == 0) { //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); } // set nice if (arg_nice) { errno = 0; int rv = nice(cfg.nice); (void) rv; if (errno) { fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } // run cmdline trough shell if (cfg.command_line == NULL) { // if the sandbox was started with --shell=none, it is possible we don't have a shell // inside the sandbox if (cfg.shell == NULL) { cfg.shell = guess_shell(); if (!cfg.shell) { fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); exit(1); } } struct stat s; if (stat(cfg.shell, &s) == -1) { fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell); exit(1); } cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } start_application(); // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); flush_stdin(); exit(0); }
void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; extract_command(argc, argv, index); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); char *comm = pid_proc_comm(pid); EUID_USER(); if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; if (find_child(pid, &child) == 0) { pid = child; printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid); } } free(comm); } // check privileges for non-root users uid_t uid = getuid(); if (uid != 0) { uid_t sandbox_uid = pid_get_uid(pid); if (uid != sandbox_uid) { fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); exit(1); } } EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { extract_caps_seccomp(pid); extract_cpu(pid); extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); } // set cgroup if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) exit(1); } else if (arg_join_filesystem) { if (join_namespace(pid, "mnt")) exit(1); } else { if (join_namespace(pid, "ipc")) exit(1); if (join_namespace(pid, "net")) exit(1); if (join_namespace(pid, "pid")) exit(1); if (join_namespace(pid, "uts")) exit(1); if (join_namespace(pid, "mnt")) exit(1); } pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // chroot into /proc/PID/root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); int rv; if (!arg_join_network) { rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option if (rv == 0) printf("changing root to %s\n", rootdir); } prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died if (chdir("/") < 0) errExit("chdir"); if (homedir) { struct stat s; if (stat(homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(homedir) < 0) errExit("chdir"); } } // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); // set caps filter if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP // set protocol filter if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 protocol_filter(); } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_set(); #endif // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); // run cmdline trough /bin/bash if (cfg.command_line == NULL) { struct stat s; // replace the process with a shell if (stat("/bin/bash", &s) == 0) execlp("/bin/bash", "/bin/bash", NULL); else if (stat("/usr/bin/zsh", &s) == 0) execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); else if (stat("/bin/csh", &s) == 0) execlp("/bin/csh", "/bin/csh", NULL); else if (stat("/bin/sh", &s) == 0) execlp("/bin/sh", "/bin/sh", NULL); // no shell found, print an error and exit fprintf(stderr, "Error: no POSIX shell found\n"); sleep(5); exit(1); } else { // run the command supplied by the user int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } char *arg[5]; arg[0] = "/bin/bash"; arg[1] = "-c"; if (arg_debug) printf("Starting %s\n", cfg.command_line); if (!arg_doubledash) { arg[2] = cfg.command_line; arg[3] = NULL; } else { arg[2] = "--"; arg[3] = cfg.command_line; arg[4] = NULL; } execvp("/bin/bash", arg); } // it will never get here!!! } // wait for the child to finish waitpid(child, NULL, 0); exit(0); }
int sandbox(void* sandbox_arg) { // Get rid of unused parameter warning (void)sandbox_arg; pid_t child_pid = getpid(); if (arg_debug) printf("Initializing child process\n"); // close each end of the unused pipes close(parent_to_child_fds[1]); close(child_to_parent_fds[0]); // wait for parent to do base setup wait_for_other(parent_to_child_fds[0]); if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); //**************************** // set hostname //**************************** if (cfg.hostname) { if (sethostname(cfg.hostname, strlen(cfg.hostname)) < 0) errExit("sethostname"); } //**************************** // mount namespace //**************************** // mount events are not forwarded between the host the sandbox if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { chk_chroot(); } //**************************** // log sandbox data //**************************** if (cfg.name) fs_logger2("sandbox name:", cfg.name); fs_logger2int("sandbox pid:", (int) sandbox_pid); if (cfg.chrootdir) fs_logger("sandbox filesystem: chroot"); else if (arg_overlay) fs_logger("sandbox filesystem: overlay"); else fs_logger("sandbox filesystem: local"); fs_logger("install mount namespace"); //**************************** // netfilter etc. //**************************** if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter netfilter(arg_netfilter_file); } if (arg_netfilter6 && any_bridge_configured()) { // assuming by default the client filter netfilter6(arg_netfilter6_file); } // load IBUS env variables if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) { // do nothing - there are problems with ibus version 1.5.11 } else env_ibus_load(); // grab a copy of cp command fs_build_cp_command(); // trace pre-install if (arg_trace || arg_tracelog) fs_trace_preload(); //**************************** // configure filesystem //**************************** #ifdef HAVE_SECCOMP int enforce_seccomp = 0; #endif #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); // redo cp command fs_build_cp_command(); // force caps and seccomp if not started as root if (getuid() != 0) { // force default seccomp inside the chroot, no keep or drop list // the list build on top of the default drop list is kept intact arg_seccomp = 1; #ifdef HAVE_SECCOMP enforce_seccomp = 1; #endif if (cfg.seccomp_list_drop) { free(cfg.seccomp_list_drop); cfg.seccomp_list_drop = NULL; } if (cfg.seccomp_list_keep) { free(cfg.seccomp_list_keep); cfg.seccomp_list_keep = NULL; } // disable all capabilities if (arg_caps_default_filter || arg_caps_list) fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot // is controlled by a regular usr arg_nogroups = 1; if (!arg_quiet) printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); } else arg_seccomp = 1; //**************************** // trace pre-install, this time inside chroot //**************************** if (arg_trace || arg_tracelog) fs_trace_preload(); } else #endif if (arg_overlay) fs_overlayfs(); else fs_basic_fs(); //**************************** // set hostname in /etc/hostname //**************************** if (cfg.hostname) { fs_hostname(cfg.hostname); } //**************************** // private mode //**************************** if (arg_private) { if (cfg.home_private) // --private= fs_private_homedir(); else // --private fs_private(); } if (arg_private_dev) fs_private_dev(); if (arg_private_etc) { fs_private_etc_list(); // create /etc/ld.so.preload file again if (arg_trace || arg_tracelog) fs_trace_preload(); } if (arg_private_bin) fs_private_bin_list(); if (arg_private_tmp) fs_private_tmp(); //**************************** // apply the profile file //**************************** if (cfg.profile) { // apply all whitelist commands ... fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); } //**************************** // install trace //**************************** if (arg_trace || arg_tracelog) fs_trace(); //**************************** // update /proc, /dev, /boot directorymy //**************************** fs_proc_sys_dev_boot(); //**************************** // --nosound and fix for pulseaudio 7.0 //**************************** if (arg_nosound) pulseaudio_disable(); else pulseaudio_init(); //**************************** // networking //**************************** if (arg_nonetwork) { net_if_up("lo"); if (arg_debug) printf("Network namespace enabled, only loopback interface available\n"); } else if (any_bridge_configured() || any_interface_configured()) { // configure lo and eth0...eth3 net_if_up("lo"); if (mac_not_zero(cfg.bridge0.macsandbox)) net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox); sandbox_if_up(&cfg.bridge0); if (mac_not_zero(cfg.bridge1.macsandbox)) net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox); sandbox_if_up(&cfg.bridge1); if (mac_not_zero(cfg.bridge2.macsandbox)) net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox); sandbox_if_up(&cfg.bridge2); if (mac_not_zero(cfg.bridge3.macsandbox)) net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); sandbox_if_up(&cfg.bridge3); // add a default route if (cfg.defaultgw) { // set the default route if (net_add_route(0, 0, cfg.defaultgw)) fprintf(stderr, "Warning: cannot configure default route\n"); } // enable interfaces if (cfg.interface0.configured && cfg.interface0.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); net_if_ip(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); net_if_up(cfg.interface0.dev); } if (cfg.interface1.configured && cfg.interface1.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); net_if_ip(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); net_if_up(cfg.interface1.dev); } if (cfg.interface2.configured && cfg.interface2.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); net_if_ip(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); net_if_up(cfg.interface2.dev); } if (cfg.interface3.configured && cfg.interface3.ip) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); net_if_ip(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); net_if_up(cfg.interface3.dev); } if (arg_debug) printf("Network namespace enabled\n"); } // if any dns server is configured, it is time to set it now fs_resolvconf(); fs_logger_print(); fs_logger_change_owner(); // print network configuration if (!arg_quiet) { if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) { printf("\n"); if (any_bridge_configured() || any_interface_configured()) net_ifprint(); if (cfg.defaultgw != 0) printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); if (cfg.dns1 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); if (cfg.dns2 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); if (cfg.dns3 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); printf("\n"); } } fs_delete_cp_command(); //**************************** // set application environment //**************************** prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died int cwd = 0; if (cfg.cwd) { if (chdir(cfg.cwd) == 0) cwd = 1; } if (!cwd) { if (chdir("/") < 0) errExit("chdir"); if (cfg.homedir) { struct stat s; if (stat(cfg.homedir, &s) == 0) { /* coverity[toctou] */ if (chdir(cfg.homedir) < 0) errExit("chdir"); } } } // set environment env_defaults(); // set user-supplied environment variables env_apply(); // set nice if (arg_nice) { errno = 0; int rv = nice(cfg.nice); (void) rv; if (errno) { fprintf(stderr, "Warning: cannot set nice value\n"); errno = 0; } } // clean /tmp/.X11-unix sockets fs_x11(); //**************************** // set security filters //**************************** // set capabilities if (!arg_noroot) set_caps(); // set rlimits set_rlimits(); // set seccomp #ifdef HAVE_SECCOMP // install protocol filter if (cfg.protocol) { protocol_filter(); // install filter protocol_filter_save(); // save filter in PROTOCOL_CFG } // if a keep list is available, disregard the drop list if (arg_seccomp == 1) { if (cfg.seccomp_list_keep) seccomp_filter_keep(); else if (cfg.seccomp_list_errno) seccomp_filter_errno(); else seccomp_filter_drop(enforce_seccomp); } #endif // set cpu affinity if (cfg.cpus) { save_cpu(); // save cpu affinity mask to CPU_CFG file set_cpu_affinity(); } // save cgroup in CGROUP_CFG file if (cfg.cgroup) save_cgroup(); //**************************************** // drop privileges or create a new user namespace //**************************************** save_nogroups(); if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { fprintf(stderr, "Error: cannot mount a new user namespace\n"); perror("unshare"); drop_privs(arg_nogroups); } } else drop_privs(arg_nogroups); // notify parent that new user namespace has been created so a proper // UID/GID map can be setup notify_other(child_to_parent_fds[1]); close(child_to_parent_fds[1]); // wait for parent to finish setting up a proper UID/GID map wait_for_other(parent_to_child_fds[0]); close(parent_to_child_fds[0]); // somehow, the new user namespace resets capabilities; // we need to do them again if (arg_noroot) { set_caps(); if (arg_debug) printf("noroot user namespace installed\n"); } //**************************************** // fork the application and monitor it //**************************************** pid_t app_pid = fork(); if (app_pid == -1) errExit("fork"); if (app_pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app } monitor_application(app_pid); // monitor application return 0; }
int main(int argc, char *argv[]) { configuration_t configuration; int i, j; struct timeval tm; struct timezone tz; measurement_t *measurement; struct timeval next, wait; int subject_id, flow_id; unsigned long long packets, bytes; double mbps; char command[MAX_COMMAND+1]; char hostname_interface[MAX_HOSTNAME_INTERFACE+1]; /* DiMAPI connect string as "hostname:interface,..." */ struct timeval tv_start, tv_stop; /* to measure how fast mapi_read_result() responds */ int tv_diff_pkt, tv_diff_byte; /* time used by mapi_read_results() */ int tv_diff_threshold; /* 1 if threshold was reached */ mapi_results_t *pkt_counter_res; mapi_results_t *byte_counter_res; unsigned long long pkt_counter; unsigned long long byte_counter; int scope_size; double pkt_sec; /* seconds from previous packet result */ double byte_sec; /* seconds from previous byte result */ mapi_flow_info_t info; mapi_device_info_t dinfo; openlog("abw", LOG_PID, LOG_LOCAL0); syslog(LOG_DEBUG, "starting abw"); memset((void *)&configuration, 0, (size_t)(sizeof(configuration))); /* Create global configuration */ if ((configuration.global=malloc(sizeof(global_t)))==NULL) { fprintf(stderr, "%s: malloc() failed\n", __func__); return -1; } memset(configuration.global, 0, sizeof(global_t)); /* Create first subject, scope, parameters and measurement so that they can be filled-in by command-line options */ /* if ((configuration.subject=new_subject())==NULL) { fprintf(stderr, "%s: new_subject() failed\n", __func__); return -1; } if ((configuration.scope=new_scope())==NULL) { fprintf(stderr, "%s: new_subject() failed\n", __func__); return -1; } if ((configuration.parameters=new_parameters())==NULL) { fprintf(stderr, "%s: new_parameters() failed\n", __func__); return -1; } if ((configuration.measurement=new_measurement())==NULL) { fprintf(stderr, "%s: new_measurement() failed\n", __func__); return -1; } */ /* Read command line */ if (read_command_line(argc, argv, &configuration)<0) { fprintf(stderr, "%s: read_command_line() failed\n", __func__); return -1; } /* Read configuration file */ if (configuration.global->conf_filename) { if (read_conf_file(&configuration)<0) { fprintf(stderr, "%s: read_conf_file() failed\n", __func__); return -1; } } /* Fill-in local hostname */ if (get_local_hostname(&(configuration.global->hostname))<0) { fprintf(stderr, "%s: get_local_hostname() failed\n", __func__); return -1; } /* Check if specified values are within acceptable limits */ if (check_conf(&configuration)<0) { fprintf(stderr, "%s: check_conf() failed\n", __func__); exit(-1); } /* Print configuration */ if (debug) print_conf(&configuration); if (daemonize) { printf("Switching to daemon\n"); if (continue_as_daemon()<0) { fprintf(stderr, "%s: continue_as_daemon() failed\n", __func__); return -1; } printf("Continuing as daemon\n"); } /* * Create RRD files */ /* Go over all measurements */ measurement=configuration.measurement; while (measurement) { int parameters_id; char *filename; parameters_id = measurement->parameters_id; /* Go over all protocols */ j=0; while (protocols[j].protocol) { if ((filename= abw_rrd_create_filename(measurement->scope, parameters_id, protocols[j].protocol))==NULL) { fprintf(stderr, "%s: rrd_create_filename() failed\n", __func__); return -1; } if (abw_rrd_create_file(filename)<0) { fprintf(stderr, "%s: abw_rrd_create_file() failed\n", __func__); return -1; } j++; } /* Go over all protocols */ /* Go over all tracked protocols */ j=0; while (tracked_protocols[j].protocol) { if ((filename= abw_rrd_create_filename(measurement->scope, parameters_id, tracked_protocols[j].protocol))==NULL) { fprintf(stderr, "%s: rrd_create_filename() failed\n", __func__); return -1; } if (abw_rrd_create_file(filename)<0) { fprintf(stderr, "%s: abw_rrd_create_file() failed\n", __func__); return -1; } j++; } /* Go over all tracked protocols */ /* Create RRD file for "all" protocol (all traffic together) */ if ((filename= abw_rrd_create_filename(measurement->scope, parameters_id, "all"))==NULL) { fprintf(stderr, "%s: rrd_create_filename() failed\n", __func__); return -1; } if (abw_rrd_create_file(filename)<0) { fprintf(stderr, "%s: abw_rrd_create_file() failed\n", __func__); return -1; } measurement=measurement->next; } /* while (measurement) */ /* * Create MAPI flows */ flow_id=0; /* Go over all measurements */ measurement=configuration.measurement; while (measurement) { /* Go over all monitored protocols */ i=0; while (measurement->protocols_array[i] && i<MAX_PROTOCOLS) { int parameters_id; char *protocol; /* Create data structure to maintain MAPI information */ if (flow_id>=MAX_FLOWS) { fprintf(stderr, "%s: more than %d flows requested\n", __func__, MAX_FLOWS); return -1; } if ((flow[flow_id]=new_flow())==NULL) { fprintf(stderr, "%s: new_flow() failed\n", __func__); return -1; } flow[flow_id]->measurement=measurement; flow[flow_id]->protocol=measurement->protocols_array[i]; parameters_id = measurement->parameters_id; protocol = measurement->protocols_array[i]; if ((flow[flow_id]->rrd_filename= abw_rrd_create_filename(measurement->scope, parameters_id, protocol))==NULL) { fprintf(stderr, "%s: rrd_create_filename() failed\n", __func__); return -1; } /* * If scope has only one subject and if hostname is "localhost" or * equal to local hostname, then use MAPI connect string (not DiMAPI) */ if (!(measurement->scope->subject[1]) && (!strcmp(measurement->scope->subject[0]->hostname, "localhost") || !strcmp(measurement->scope->subject[0]->hostname, configuration.global->hostname))) strcpy(hostname_interface, measurement->scope->subject[0]->interface); /* * Prepare DiMAPI connect string as hostname:interface, ... */ else { j=0; hostname_interface[0]='\0'; while (measurement->scope->subject[j] && j<MAX_SUBJECTS) { /* Append comma "," */ if (hostname_interface[0]) { if (strlen(hostname_interface)+1>=MAX_HOSTNAME_INTERFACE) { fprintf(stderr, "%s: DiMAPI connect string is longer than %d characters\n", __func__, MAX_HOSTNAME_INTERFACE); return -1; } strcat(hostname_interface, ","); } /* Append next hostname:interface */ if (strlen(hostname_interface) + strlen(measurement->scope->subject[j]->hostname) + strlen(measurement->scope->subject[j]->interface) >= MAX_HOSTNAME_INTERFACE) { fprintf(stderr, "%s: DiMAPI connect string is longer than %d characters\n", __func__, MAX_HOSTNAME_INTERFACE); return -1; } sprintf(hostname_interface + strlen(hostname_interface), "%s:%s", measurement->scope->subject[j]->hostname, measurement->scope->subject[j]->interface); j++; } /* while (measurement->scope->subject[j] && j<MAX_SUBJECTS) */ } /* Creating DiMAPI connect string */ /* Create a new MAPI flow */ if (debug) printf("%s: mapi_create_flow(%s)\n", __func__, hostname_interface); if ((flow[flow_id]->fd=mapi_create_flow(hostname_interface))<0) { fprintf(stderr, "%s: mapi_create_flow(%s) failed\n", __func__, hostname_interface); fprintf(stderr, "%s: Do you run mapid daemon on the machine where you connect to?\n", __func__); fprintf(stderr, "%s: Do you run mapicommd daemon on the machine where you connect to? (if you are connecting to a non-local machine or to multiple machines)\n", __func__); return -1; } /* If this is a MAPI flow (not DiMAPI flow), then set MPLS and VLAN flags according to mapi.conf. Otherwise the flags were set in abw.conf */ if (!strchr(hostname_interface, ':')) { if (debug) printf("%s: MAPI flow on \"%s\", setting MPLS and VLAN flags from mapi.conf\n", __func__, hostname_interface); if ((mapi_get_flow_info(flow[flow_id]->fd, &info)) < 0){ fprintf(stderr, "%s: mapi_get_flow_info() failed\n", __func__); return -1; } if ((mapi_get_device_info(info.devid, &dinfo)) < 0) { fprintf(stderr, "%s: mapi_get_device_info() failed\n", __func__); return -1; } measurement->scope->mpls = dinfo.mpls; measurement->scope->vlan = dinfo.vlan; } else if (debug) printf("%s: DiMAPI flow on \"%s\", setting MPLS and VLAN flags from abw.conf\n", __func__, hostname_interface); /* Prepare header filter for this protocol */ if ((flow[flow_id]->tracked_protocol= protocol_filter(measurement->parameters->header_filter, flow[flow_id]->protocol, measurement->scope->mpls, measurement->scope->vlan, &(flow[flow_id]->header_filter)))<0) { fprintf(stderr, "%s: protocol_filter() failed\n", __func__); return -1; } if (debug) printf("measurement->parameters->header_filter: %s, flow[flow_id]->protocol: %s, flow[flow_id]->header_filter: %s, track_function: %s\n", (measurement->parameters->header_filter)?measurement->parameters->header_filter:"NULL", flow[flow_id]->protocol, (flow[flow_id]->header_filter)?flow[flow_id]->header_filter:"NULL", (flow[flow_id]->tracked_protocol)?tracked_protocols[flow[flow_id]->tracked_protocol-1].track_function:"none"); /* Filter based on input port, we can use port number in the first subject of the scope, because all subjects in a scope must have the same port number */ if (measurement->scope->subject[0]->port >= 0) { if ((flow[flow_id]->interface_fid=mapi_apply_function(flow[flow_id]->fd, "INTERFACE", measurement->scope->subject[0]->port))<0) { fprintf(stderr, "%s: INTERFACE failed\n", __func__); return -1; } } /* Note that BPF_FILTER uses compiled header filter that selects packets of the given protocol */ /* BPF_FILTER is applied if a) header_filter was specified in [parameters] section or b) protocol other than "all" and other than some that requires tracking was specified in [parameters] section or c) MPLS is used on links in this [scope] */ if (flow[flow_id]->header_filter) { if (debug) printf("%s: mapi_apply_function(%d, BPF_FILTER, \"%s\")\n", __func__, flow[flow_id]->fd, flow[flow_id]->header_filter); if ((flow[flow_id]->bpf_filter_fid= mapi_apply_function(flow[flow_id]->fd, "BPF_FILTER", flow[flow_id]->header_filter))<0) { fprintf(stderr, "%s: BPF_FILTER (\"%s\") failed\n", __func__, flow[flow_id]->header_filter); return -1; } } /* Track application protocol, BPF_FILTER could have been applied before */ if (flow[flow_id]->tracked_protocol) { if (debug) printf("%s: mapi_apply_function(%d, %s)\n", __func__, flow[flow_id]->fd, tracked_protocols[flow[flow_id]->tracked_protocol-1]. track_function); if ((flow[flow_id]->track_function_fid= mapi_apply_function(flow[flow_id]->fd, tracked_protocols[flow[flow_id]->tracked_protocol-1]. track_function))<0) { fprintf(stderr, "%s: tracking (%s) failed\n", __func__, tracked_protocols[flow[flow_id]->tracked_protocol-1]. track_function); return -1; } } /* Sampling */ if (measurement->parameters->sau_mode == 'd' && (unsigned int)(measurement->parameters->sau_threshold) != 1) { if ((flow[flow_id]->sample_fid= mapi_apply_function(flow[flow_id]->fd, "SAMPLE", measurement->parameters->sau_threshold, PERIODIC))<0) { fprintf(stderr, "%s: SAMPLE (PERIODIC, %.02f) failed\n", __func__, measurement->parameters->sau_threshold); return -1; } } else if (measurement->parameters->sau_mode == 'p' && (unsigned int)(measurement->parameters->sau_threshold) != 1) { if ((flow[flow_id]->sample_fid= mapi_apply_function(flow[flow_id]->fd, "SAMPLE", (measurement->parameters->sau_threshold)*100, PROBABILISTIC))<0) { fprintf(stderr, "%s: SAMPLE (PROBABILISTIC, %.02f) failed\n", __func__, (measurement->parameters->sau_threshold)*100); return -1; } } /* Payload searching */ if (measurement->parameters->payload_strings[0]) { if ((flow[flow_id]->str_search_fid= mapi_apply_function(flow[flow_id]->fd, "STR_SEARCH", measurement->parameters->payload_strings[0], 0, 0))<0) { fprintf(stderr, "%s: STR_SEARCH (%s) failed\n", __func__, measurement->parameters->payload_strings[0]); return -1; } } /* Counting packets and bytes */ if ((flow[flow_id]->pkt_counter_fid= mapi_apply_function(flow[flow_id]->fd, "PKT_COUNTER"))<0) { fprintf(stderr, "%s: PKT_COUNTER failed\n", __func__); return -1; } /* Simultaneous use of PKT_COUNTER and BYTE_COUNTER does not work with DAG4.3GE. Temporary hack: always use stflib version */ if ((flow[flow_id]->byte_counter_fid= mapi_apply_function(flow[flow_id]->fd, "stdflib:BYTE_COUNTER"))<0) { fprintf(stderr, "%s: BYTE_COUNTER failed\n", __func__); return -1; } /* Connect to flow */ if (!configuration.global->no_measure) { if (mapi_connect(flow[flow_id]->fd)<0) { fprintf(stderr, "%s: mapi_connect() (%s) failed\n", __func__, hostname_interface); return -1; } if ((scope_size=mapi_get_scope_size(flow[flow_id]->fd)) != flow[flow_id]->measurement->scope->subject_no) { fprintf(stderr, "%s: mapi_get_scope_size() returned %d for %d subjects\n", __func__, scope_size, flow[flow_id]->measurement->scope->subject_no); return -1; } } i++; flow_id++; } /* while (measurement->protocols_array[i] && i<MAX_PROTOCOLS) */ measurement=measurement->next; } /* while (measurement) */ if (configuration.global->no_measure || !configuration.measurement) return 0; /* Periodically get results from MAPI flows */ while (1) { if (gettimeofday(&tm, &tz)<0) { fprintf(stderr, "%s: gettimeofday() failed\n", __func__); return -1; } flow_id=0; while (flow[flow_id] && flow_id<MAX_FLOWS) { int scope_packets, scope_bytes; if (!configuration.global->no_stdout) { printf("%d %u.%u", flow[flow_id]->measurement->scope->id, (unsigned int)(tm.tv_sec), (unsigned int)(tm.tv_usec)); if (!configuration.global->stdout_simple) printf(" %s\n", flow[flow_id]->protocol); } gettimeofday(&tv_start, NULL); if ((pkt_counter_res=mapi_read_results(flow[flow_id]->fd, flow[flow_id]->pkt_counter_fid))==NULL) { fprintf(stderr, "%s: mapi_read_results() for flow %d failed\n", __func__, flow_id); return -1; } gettimeofday(&tv_stop, NULL); tv_diff_pkt=timestamp_diff(&tv_start, &tv_stop); gettimeofday(&tv_start, NULL); if ((byte_counter_res=mapi_read_results(flow[flow_id]->fd, flow[flow_id]->byte_counter_fid))==NULL) { fprintf(stderr, "%s: mapi_read_results() for flow %d failed\n", __func__, flow_id); return -1; } gettimeofday(&tv_stop, NULL); tv_diff_byte=timestamp_diff(&tv_start, &tv_stop); if (tv_diff_pkt>=TV_DIFF_THRESHOLD || tv_diff_byte>=TV_DIFF_THRESHOLD) tv_diff_threshold=1; else tv_diff_threshold=0; if (tv_diff_pkt>=TV_DIFF_THRESHOLD) syslog(LOG_DEBUG, "mapi_read_result() for PKT_COUNTER takes %d us for measurement ID %d and protocol %s (threshold %d us reached)", tv_diff_pkt, flow[flow_id]->measurement->id, flow[flow_id]->protocol, TV_DIFF_THRESHOLD); if (tv_diff_byte>=TV_DIFF_THRESHOLD) syslog(LOG_DEBUG, "mapi_read_result() for BYTE_COUNTER takes %d us for measurement ID %d and protocol %s (threshold %d us reached)", tv_diff_byte, flow[flow_id]->measurement->id, flow[flow_id]->protocol, TV_DIFF_THRESHOLD); scope_size = flow[flow_id]->measurement->scope->subject_no; scope_packets=0; scope_bytes=0; for (subject_id=0; subject_id<scope_size; subject_id++) { pkt_counter= *((unsigned long long*)(pkt_counter_res[subject_id].res)); byte_counter= *((unsigned long long*)(byte_counter_res[subject_id].res)); packets=pkt_counter - flow[flow_id]->pkt_counter[subject_id]; bytes=byte_counter - flow[flow_id]->byte_counter[subject_id]; mbps=(double)bytes*8/1000000; flow[flow_id]->pkt_counter[subject_id]=pkt_counter; flow[flow_id]->byte_counter[subject_id]=byte_counter; /* Determine seconds from previous result */ if (flow[flow_id]->pkt_ts[subject_id]) pkt_sec=(double)(pkt_counter_res[subject_id].ts - flow[flow_id]->pkt_ts[subject_id])/1000000; else pkt_sec= flow[flow_id]->measurement->parameters->interval.tv_sec + (double)(flow[flow_id]->measurement->parameters->interval.tv_usec)/1000000; if (flow[flow_id]->byte_ts[subject_id]) byte_sec=(double)(byte_counter_res[subject_id].ts - flow[flow_id]->byte_ts[subject_id])/1000000; else byte_sec= flow[flow_id]->measurement->parameters->interval.tv_sec + (double)(flow[flow_id]->measurement->parameters->interval.tv_usec)/1000000; scope_packets+=(packets/pkt_sec); scope_bytes+=(bytes/byte_sec); flow[flow_id]->pkt_ts[subject_id]= pkt_counter_res[subject_id].ts; flow[flow_id]->byte_ts[subject_id]= byte_counter_res[subject_id].ts; if (tv_diff_threshold) { syslog(LOG_DEBUG, "%s:%s: %.02f seconds from previous result", flow[flow_id]->measurement->scope->subject[subject_id]->hostname, flow[flow_id]->measurement->scope->subject[subject_id]->interface, byte_sec); } /* Print result */ if (!configuration.global->no_stdout) { if (configuration.global->stdout_simple) printf(" %0.2f %0.2f %0.2f", packets/pkt_sec, bytes/byte_sec, mbps/byte_sec); else printf(" %0.2f packets/s, %0.2f bytes/s, %0.2f Mb/s, time %uus/%uus, interval %0.2fs/%0.2fs\n", packets/pkt_sec, bytes/byte_sec, mbps/byte_sec, tv_diff_pkt, tv_diff_byte, pkt_sec, byte_sec); } } /* for (subject_id=0; subject_id++; subject_id<scope_size) */ if (!configuration.global->no_stdout) printf("\n"); /* If interval is at least 1 second, then store results to RRD file */ if (flow[flow_id]->measurement->parameters->interval.tv_sec) { sprintf(command, "rrdtool update %s %u:%lu:%lu:%.6f", flow[flow_id]->rrd_filename, (unsigned int)(tm.tv_sec), (unsigned long)(scope_packets), (unsigned long)(scope_bytes), (double)scope_bytes*8/1000000); if (configuration.global->debug > 1) syslog(LOG_DEBUG, "system(%s)", command); if (tm.tv_sec == flow[flow_id]->rrd_ts) syslog(LOG_ERR, "duplicate RRD timestamp %u for scope %d\n", (unsigned int)(tm.tv_sec), flow[flow_id]->measurement->scope->id); else flow[flow_id]->rrd_ts=tm.tv_sec; if (debug) printf("%s: system(%s)\n", __func__, command); if (system(command)<0) { fprintf(stderr, "%s: command(%s) failed\n", __func__, command); return -1; } } flow_id++; } /* while (flow[flow_id] && flow_id<MAX_FLOWS) */ abw_next_timestamp(&(configuration.measurement->parameters->interval), &next, &wait); if (!configuration.global->no_stdout && !configuration.global->stdout_simple) { printf("next.tv_sec: %d, next.tv_usec: %d, wait.tv_sec: %d, wait.tv_usec: %d\n", (int)(next.tv_sec), (int)(next.tv_usec), (int)(wait.tv_sec), (int)(wait.tv_usec)); printf("===============================================================================\n"); } usleep(wait.tv_sec * 1000000 + wait.tv_usec); } /* while (1) */ return 0; } /* main() */