Bug fix with unbind and freeing handles. Prevention lock of nflog resources in kernel.

Author: root4root

deb-packages/tuninetd_1.3.1_amd64.deb

@@ -4,7 +4,7 @@ all: tuninetd
 
 tuninetd: main.o xnflog.o xpcap.o thread.o xtun.o utils.o
 	[ -d ./bin ] || mkdir -p ./bin
-	gcc main.o xnflog.o xpcap.o thread.o xtun.o utils.o -o ./bin/tuninetd -lpthread -lpcap -lnetfilter_log
+	gcc main.o xnflog.o xpcap.o thread.o xtun.o utils.o -o ./bin/tuninetd -lpthread -lpcap -lnetfilter_log -lnfnetlink
 
 main.o: main.c main.h common.h
 	gcc $(CFLAGS) -c main.c

src/Makefile

@@ -11,15 +11,14 @@
 #include <unistd.h>
 #include <time.h>
 
-#define BUFSIZE 2000
 #define ON 1
 #define OFF 0
 
 #define ERROR 0
 #define WARNING 1
 #define INFO 2
 
-#define VERSION "\ntuninetd 1.3.0\n"
+#define VERSION "\ntuninetd 1.3.1\n"
 
 //global vars.
 short int debug;
@@ -45,8 +44,9 @@ struct globcfg_t {
 void do_debug(const char *msg, ...);
 void message(int, const char *msg, ...);
 
-void sighup_handler(int signo);
-void sigusr_handler(int signo);
+void sighup_handler(int);
+void sigusr_handler(int);
+void sigterm_handler(int);
 void usage();
 void version();
 
@@ -58,4 +58,6 @@ void *tun_x(void *x_void_ptr);
 void *nflog_x(void *x_void_ptr);
 void *pcap_x(void *x_void_ptr);
 
+void xnflog_stop();
+
 #endif

src/common.h

@@ -14,14 +14,11 @@ int main(int argc, char *argv[])
     tim.tv_nsec = 0;
 
     //debug = 1;
-
-    if (signal(SIGHUP, sighup_handler) == SIG_ERR) {
-         message(WARNING, "Warning! Can't catch SIGHUP");
-    }
-
-    if (signal(SIGUSR1, sigusr_handler) == SIG_ERR) {
-         message(WARNING, "Warning! Can't catch SIGUSR1");
-    }
+    
+    signal(SIGTERM, sigterm_handler);
+    signal(SIGHUP, sighup_handler);
+    signal(SIGUSR1, sigusr_handler);
+    signal(SIGINT, sigterm_handler);
 
     while (1) {
 

src/main.c

@@ -101,3 +101,13 @@ void sigusr_handler(int signo)
         message(INFO, "- Current status: up (ON), time since last captured packet: %ld sec.", delta < 0 ? 0 : delta);
     }
 }
+
+void sigterm_handler(int signo)
+{
+    if (globcfg.nf_group >= 0) {
+        xnflog_stop();
+    }
+
+    exit(0);
+
+}

src/utils.c

@@ -1,11 +1,27 @@
 #include "common.h"
+#include <libnfnetlink/libnfnetlink.h>
 #include <libnetfilter_log/libnetfilter_log.h>
 #include <errno.h>
 
+#define BUFSIZE 65536
+#define NFNLBUFSIZ 150000
+
+static char *buf;
+static struct nflog_handle *h;
+static struct nflog_g_handle *qh;
+static int fd;
+
+
+static void setnlbufsiz(unsigned int size, struct nflog_handle *h)
+{
+    //This function returns new buffer size
+    message(INFO, "NFLOG: adjust nfnl_rcvbufsiz to %u", nfnl_rcvbufsiz(nflog_nfnlh(h), size));
+}
+
 static int callback(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg, struct nflog_data *ldata, void *data)
 {
     if (status == OFF) {
-        message(INFO, "NFLOG module: executing START command...");
+        message(INFO, "NFLOG: executing START command...");
         switch_guard(ON);
     }
 
@@ -14,54 +30,82 @@ static int callback(struct nflog_g_handle *gh, struct nfgenmsg *nfmsg, struct nf
     return 0;
 }
 
-void *nflog_x(void *x_void_ptr)
+
+void xnflog_start()
 {
-    struct nflog_handle *h;
-    struct nflog_g_handle *qh;
-    ssize_t rv;
-    char buf[4096];
-    int fd;
+    buf = calloc(BUFSIZE, sizeof(char));
 
     h = nflog_open();
 
+    short int pf_available = 3; //AF_INET, AF_INET6, AF_BRIDGE
+
     if (!h) {
-        message(ERROR, "Error during nflog_open(). Abort.");
+        message(ERROR, "NFLOG: error during nflog_open(). Abort.");
         exit(1);
     }
 
-    if (nflog_unbind_pf(h, AF_INET) < 0) {
-        message(ERROR, "Error nflog_unbind_pf(). Abort.");
-        exit(1);
-    }
+    setnlbufsiz(NFNLBUFSIZ, h);
 
-    if (nflog_bind_pf(h, AF_INET) < 0) {
-        message(ERROR, "Error during nflog_bind_pf(). Abort");
+    pf_available -= nflog_bind_pf(h, AF_INET) < 0 ? 1 : 0;
+    pf_available -= nflog_bind_pf(h, AF_INET6) < 0 ? 1 : 0;
+    pf_available -= nflog_bind_pf(h, AF_BRIDGE) < 0 ? 1 : 0;
+   
+    if (pf_available == 0) {
+        message(ERROR, "NFLOG: can't bind to any protocol family (IPv4, IPv6 or BRIDGE)");
         exit(1);
     }
 
     qh = nflog_bind_group(h, globcfg.nf_group);
 
     if (!qh) {
-        message(ERROR, "No handle for group %i, can't bind. Abort.", globcfg.nf_group);
+        message(ERROR, "NFLOG: no handle for group %i, can't bind, errno: %i. Abort.", globcfg.nf_group, errno);
         exit(1);
     }
 
     if (nflog_set_mode(qh, NFULNL_COPY_PACKET, 0xffff) < 0) {
-        message(ERROR, "Can't set NFULNL_COPY_PACKET mode. Abort.");
+        message(ERROR, "NFLOG: can't set NFULNL_COPY_PACKET mode. Abort.");
         exit(1);
     }
 
     nflog_callback_register(qh, &callback, NULL);
 
     fd = nflog_fd(h);
+    
+}
 
-    while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0) {
-        nflog_handle_packet(h, buf, rv);
+void xnflog_stop()
+{
+    message(INFO, "NFLOG: Shutting down...");
+    shutdown(fd, SHUT_RD);
+    nflog_unbind_group(qh);
+    nflog_unbind_pf(h, AF_INET);
+    nflog_unbind_pf(h, AF_INET6);
+    nflog_unbind_pf(h, AF_BRIDGE);
+    nflog_close(h);
+    free(buf);
+}
+
+
+void *nflog_x(void *x_void_ptr)
+{
+    xnflog_start();
+
+    ssize_t rv;
+
+    while ((rv = recv(fd, (void *)buf, BUFSIZE, 0))) {
+
+        if (rv >= 0) {
+            nflog_handle_packet(h, buf, rv);
+        } else if (errno == ENOBUFS) {
+            message(WARNING, "NFLOG: warning! No enough nfnlbufsiz...");
+        } else {
+            break;
+        }
     }
 
-    message(WARNING, "NFLOG module shut down with code %i. Check errno.h for details.", errno);
+    message(WARNING, "NFLOG: shut down with code %i. Check errno.h for details.", errno);
 
-    nflog_close(h);
+    xnflog_stop();
 
     return 0;
 }

src/xnflog.c

@@ -1,5 +1,7 @@
 #include "common.h"
 
+#define BUFSIZE 2000
+
 static int tun_alloc(char *dev, int flags) 
 {
     struct ifreq ifr;