static Boolean
eventCallback(int so)
{
ssize_t status;
union {
char bytes[1024];
struct kern_event_msg ev_msg1; // first kernel event
} buf;
struct kern_event_msg *ev_msg = &buf.ev_msg1;
ssize_t offset = 0;
status = recv(so, &buf, sizeof(buf), 0);
if (status == -1) {
SCLog(TRUE, LOG_ERR, CFSTR("recv() failed: %s"), strerror(errno));
return FALSE;
}
cache_open();
while (offset < status) {
if ((offset + ev_msg->total_size) > status) {
SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
break;
}
switch (ev_msg->vendor_code) {
case KEV_VENDOR_APPLE :
switch (ev_msg->kev_class) {
case KEV_NETWORK_CLASS :
processEvent_Apple_Network(ev_msg);
break;
case KEV_IOKIT_CLASS :
case KEV_SYSTEM_CLASS :
case KEV_APPLESHARE_CLASS :
case KEV_FIREWALL_CLASS :
case KEV_IEEE80211_CLASS :
break;
default :
/* unrecognized (Apple) event class */
logEvent(CFSTR("New (Apple) class"), ev_msg);
break;
}
break;
default :
/* unrecognized vendor code */
logEvent(CFSTR("New vendor"), ev_msg);
break;
}
offset += ev_msg->total_size;
ev_msg = (struct kern_event_msg *)(void *)&buf.bytes[offset];
}
cache_write(store);
cache_close();
post_network_changed();
return TRUE;
}
__private_extern__
void
prime_KernelEventMonitor()
{
struct ifaddrs *ifap = NULL;
struct ifaddrs *scan;
int sock = -1;
SCLog(_verbose, LOG_DEBUG, CFSTR("prime() called"));
cache_open();
sock = dgram_socket(AF_INET);
if (sock == -1) {
SCLog(TRUE, LOG_ERR, CFSTR("could not get interface list, socket() failed: %s"), strerror(errno));
goto done;
}
if (getifaddrs(&ifap) == -1) {
SCLog(TRUE,
LOG_ERR,
CFSTR("could not get interface info, getifaddrs() failed: %s"),
strerror(errno));
goto done;
}
/* update list of interfaces & link status */
for (scan = ifap; scan != NULL; scan = scan->ifa_next) {
if (scan->ifa_addr == NULL
|| scan->ifa_addr->sa_family != AF_LINK) {
continue;
}
/* get the per-interface link/media information */
link_add(scan->ifa_name);
}
/*
* update IPv4 network addresses already assigned to
* the interfaces.
*/
interface_update_ipv4(ifap, NULL);
/*
* update IPv6 network addresses already assigned to
* the interfaces.
*/
interface_update_ipv6(ifap, NULL);
freeifaddrs(ifap);
done:
if (sock != -1)
close(sock);
cache_write(store);
cache_close();
network_changed = TRUE;
post_network_changed();
return;
}
static void
eventCallback(CFSocketRef s, CFSocketCallBackType type, CFDataRef address, const void *data, void *info)
{
int so = CFSocketGetNative(s);
int status;
union {
char bytes[1024];
struct kern_event_msg ev_msg1; // first kernel event
} buf;
struct kern_event_msg *ev_msg = &buf.ev_msg1;
int offset = 0;
status = recv(so, &buf, sizeof(buf), 0);
if (status == -1) {
SCLog(TRUE, LOG_ERR, CFSTR("recv() failed: %s"), strerror(errno));
goto error;
}
cache_open();
while (offset < status) {
if ((offset + ev_msg->total_size) > status) {
SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
break;
}
switch (ev_msg->vendor_code) {
case KEV_VENDOR_APPLE :
switch (ev_msg->kev_class) {
case KEV_NETWORK_CLASS :
processEvent_Apple_Network(ev_msg);
break;
case KEV_IOKIT_CLASS :
case KEV_SYSTEM_CLASS :
case KEV_APPLESHARE_CLASS :
case KEV_FIREWALL_CLASS :
case KEV_IEEE80211_CLASS :
break;
default :
/* unrecognized (Apple) event class */
logEvent(CFSTR("New (Apple) class"), ev_msg);
break;
}
break;
default :
/* unrecognized vendor code */
logEvent(CFSTR("New vendor"), ev_msg);
break;
}
offset += ev_msg->total_size;
ev_msg = (struct kern_event_msg *)(void *)&buf.bytes[offset];
}
cache_write(store);
cache_close();
post_network_changed();
return;
error :
SCLog(TRUE, LOG_ERR, CFSTR("kernel event monitor disabled."));
CFSocketInvalidate(s);
return;
}
