MaxMind DB

- MaxMind DB support
  - Refactor to have functions always present and be more C++
  - Use pkg-config to detect library
  - Move function to .cpp to avoid including config.h in .h
  - Add `PACKETQ_MAXMIND_PATH` setting and search for database files in common paths
  - Only open the databases once
- Use same stderr warning format everywhere

Author: jelu

FUNCTIONS.md

@@ -51,15 +51,18 @@ Defaults to 24 for IPv4 and 48 for IPv6 (/24 and /48 respectively)
 
 ### CC(address)
 
-Returns the 2-letter ISO country code associated with the address from a MaxMind database.
-The database must be specified in the environment variable "PACKETQ_MAXMIND_CC_DB".  Returns
-an empty string for lookup failures.
+Returns the 2-letter ISO country code associated with the address from
+a MaxMind database (see MaxMind Database below on selecting database).
+
+Returns an empty string on lookup failures or if this feature was not
+built in.
 
 ### ASN(address)
 
-Returns the autonomous system number associated with the address from a MaxMind database as
-an integer.  The database must be specified in the environment variable "PACKETQ_MAXMIND_ASN_DB".
- Returns -1 for lookup failures.
+Returns the autonomous system number associated with the address from
+a MaxMind database (see MaxMind Database below on selecting database).
+
+Returns -1 on lookup failures or if this feature was not built in.
 
 ## String operations
 
@@ -81,3 +84,17 @@ i.e: `trim('se.domains.se', 'se')` returns `.domains.`.
 ### LOWER(string)
 
 Turns `string` into lowercase.
+
+# MaxMind Database
+
+PacketQ will try to open MaxMind databases that resides in common path on
+major distributions, but you can also specify paths and database files
+using environment variables.
+
+`PACKETQ_MAXMIND_PATH` sets the path to look for the databases in addition
+to the common paths, it will try `GeoLite2-Country.mmdb` for `CC()` and
+`GeoLite2-ASN.mmdb` for `ASN()`.
+
+You can also specify the full path to the database file you wish to use
+for each function with `PACKETQ_MAXMIND_CC_DB` and `PACKETQ_MAXMIND_ASN_DB`,
+these settings will override path settings.

configure.ac

@@ -50,17 +50,11 @@ AC_ARG_ENABLE([gcov], [AS_HELP_STRING([--enable-gcov], [Enable coverage testing]
 AM_CONDITIONAL([ENABLE_GCOV], [test "x$enable_gcov" != "xno"])
 AM_EXTRA_RECURSIVE_TARGETS([gcov])
 
-# Check for MaxMindDB
-AC_CHECK_LIB([maxminddb], [MMDB_open], [
-       AC_MSG_NOTICE([enabling MaxMindDB])
-       AS_VAR_APPEND(LDFLAGS, [" -lmaxminddb"])
-       AC_DEFINE([MAXMINDDB], [1], [Enable MaxMindDB])], [
-       AC_MSG_NOTICE([disabling MaxMindDB])])
-
 # Checks for libraries.
 AC_CHECK_LIB([z], [deflate])
 AC_CHECK_LIB([socket], socket)
 AC_CHECK_LIB([nsl], inet_ntop)
+PKG_CHECK_MODULES([libmaxminddb], [libmaxminddb], [AC_DEFINE([HAVE_LIBMAXMINDDB], [1], [Define to 1 if you have libmaxminddb.])], [:])
 
 # Checks for header files.
 AC_HEADER_STDC
@@ -88,8 +82,8 @@ AC_CHECK_HEADERS([syslog.h])
 AC_LANG([C])
 
 AC_CONFIG_FILES([
-    Makefile
-    src/Makefile
-    src/test/Makefile
+  Makefile
+  src/Makefile
+  src/test/Makefile
 ])
 AC_OUTPUT

src/Makefile.am

@@ -25,6 +25,7 @@ SUBDIRS = test
 AM_CXXFLAGS = -I$(srcdir) \
   -I$(srcdir)/Murmur \
   -I$(top_srcdir) \
+  $(libmaxminddb_CFLAGS) \
   -std=c++0x \
   -Wall -Wno-parentheses -Wno-switch -Wno-sign-compare -Wno-char-subscripts
 
@@ -34,6 +35,7 @@ packetq_SOURCES = dns.cpp dns.h icmp.cpp icmp.h output.h packet_handler.cpp \
   packet_handler.h packetq.cpp packetq.h pcap.cpp pcap.h reader.cpp \
   reader.h refcountstring.h segzip.h server.cpp server.h sql.cpp sql.h \
   tcp.cpp tcp.h variant.h
+packetq_LDADD = $(libmaxminddb_LIBS)
 
 dist_packetq_SOURCES = Murmur/MurmurHash3.cpp Murmur/MurmurHash3.h
 

src/packet_handler.cpp

@@ -375,7 +375,7 @@ bool Packet::parse_transport(unsigned char* data, int len)
         data += dataoffs;
         len -= dataoffs;
         if (len < 0) {
-            fprintf(stderr, "warning: Found TCP packet with bad length\n");
+            fprintf(stderr, "Warning: Found TCP packet with bad length\n");
             return false;
         }
 
@@ -393,7 +393,7 @@ bool Packet::parse_transport(unsigned char* data, int len)
         len -= 8;
 
         if (len < 0) {
-            fprintf(stderr, "warning: Found UDP packet with bad length\n");
+            fprintf(stderr, "Warning: Found UDP packet with bad length\n");
             return false;
         }
     }

src/sql.cpp

@@ -19,6 +19,8 @@
  * along with PacketQ.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "config.h"
+
 #include "sql.h"
 #include "output.h"
 #include "packet_handler.h"
@@ -31,6 +33,14 @@
 #ifdef WIN32
 #include <windows.h>
 #endif
+#ifdef HAVE_LIBMAXMINDDB
+#include <maxminddb.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+static MMDB_s* __cc_mmdb  = 0;
+static MMDB_s* __asn_mmdb = 0;
+#endif
 
 namespace packetq {
 
@@ -1884,14 +1894,12 @@ OP* OP::compile(const std::vector<Table*>& tables, const std::vector<int>& searc
         } else if (cmpi(get_token(), "netmask")) {
             m_t = Coltype::_text;
             ret = new Netmask_func(*this);
-#ifdef MAXMINDDB
         } else if (cmpi(get_token(), "cc")) {
             m_t = Coltype::_text;
             ret = new Cc_func(*this);
         } else if (cmpi(get_token(), "asn")) {
             m_t = Coltype::_int;
             ret = new Asn_func(*this);
-#endif /* MAXMIND */
         } else if (cmpi(get_token(), "count")) {
             m_t = Coltype::_int;
             ret = new Count_func(*this, dest_table);
@@ -2511,6 +2519,185 @@ void Trim_func::evaluate(Row** rows, Variant& v)
     }
 }
 
+Cc_func::Cc_func(const OP& op)
+    : OP(op)
+{
+#ifdef HAVE_LIBMAXMINDDB
+    if (__cc_mmdb) {
+        return;
+    }
+
+    std::string db;
+    char*       env = getenv("PACKETQ_MAXMIND_CC_DB");
+    if (env) {
+        db = env;
+    }
+
+    if (db.empty()) {
+        std::list<std::string> paths = {
+            "/var/lib/GeoIP", "/usr/share/GeoIP", "/usr/local/share/GeoIP"
+        };
+
+        if ((env = getenv("PACKETQ_MAXMIND_PATH"))) {
+            paths.push_front(std::string(env));
+        }
+
+        std::list<std::string>::iterator i = paths.begin();
+        for (; i != paths.end(); i++) {
+            db = (*i) + "/GeoLite2-Country.mmdb";
+            struct stat s;
+            if (!stat(db.c_str(), &s)) {
+                break;
+            }
+        }
+        if (i == paths.end()) {
+            return;
+        }
+    }
+
+    MMDB_s* mmdb = new MMDB_s;
+    if (!mmdb) {
+        return;
+    }
+
+    int ret = MMDB_open(db.c_str(), 0, mmdb);
+    if (ret != MMDB_SUCCESS) {
+        fprintf(stderr, "Warning: cannot open MaxMind CC database \"%s\": %s\n", db.c_str(), MMDB_strerror(ret));
+        free(mmdb);
+        return;
+    }
+
+    __cc_mmdb = mmdb;
+#endif
+}
+
+void Cc_func::evaluate(Row** rows, Variant& v)
+{
+#ifdef HAVE_LIBMAXMINDDB
+    if (!__cc_mmdb) {
+        RefCountStringHandle res(RefCountString::construct(""));
+        v = *res;
+        return;
+    }
+
+    Variant str;
+    m_param[0]->evaluate(rows, str);
+    RefCountStringHandle str_handle(str.get_text());
+
+    int gai_error, ret;
+
+    MMDB_lookup_result_s mmdb_result = MMDB_lookup_string(__cc_mmdb, (*str_handle)->data, &gai_error, &ret);
+
+    if (gai_error || ret != MMDB_SUCCESS || !mmdb_result.found_entry) {
+        RefCountStringHandle res(RefCountString::construct(""));
+        v = *res;
+        return;
+    }
+
+    MMDB_entry_data_s entry_data;
+    ret = MMDB_get_value(&mmdb_result.entry, &entry_data, "country", "iso_code", NULL);
+
+    if (ret != MMDB_SUCCESS || !entry_data.has_data || entry_data.type != MMDB_DATA_TYPE_UTF8_STRING) {
+        RefCountStringHandle res(RefCountString::construct(""));
+        v = *res;
+        return;
+    }
+
+    RefCountStringHandle res(RefCountString::construct(entry_data.utf8_string, 0, entry_data.data_size));
+    v = *res;
+#else
+    RefCountStringHandle res(RefCountString::construct(""));
+    v = *res;
+#endif
+}
+
+Asn_func::Asn_func(const OP& op)
+    : OP(op)
+{
+#ifdef HAVE_LIBMAXMINDDB
+    if (__asn_mmdb) {
+        return;
+    }
+
+    std::string db;
+    char*       env = getenv("PACKETQ_MAXMIND_ASN_DB");
+    if (env) {
+        db = env;
+    }
+
+    if (db.empty()) {
+        std::list<std::string> paths = {
+            "/var/lib/GeoIP", "/usr/share/GeoIP", "/usr/local/share/GeoIP"
+        };
+
+        if ((env = getenv("PACKETQ_MAXMIND_PATH"))) {
+            paths.push_front(std::string(env));
+        }
+
+        std::list<std::string>::iterator i = paths.begin();
+        for (; i != paths.end(); i++) {
+            db = (*i) + "/GeoLite2-ASN.mmdb";
+            struct stat s;
+            if (!stat(db.c_str(), &s)) {
+                break;
+            }
+        }
+        if (i == paths.end()) {
+            return;
+        }
+    }
+
+    MMDB_s* mmdb = new MMDB_s;
+    if (!mmdb) {
+        return;
+    }
+
+    int ret = MMDB_open(db.c_str(), 0, mmdb);
+    if (ret != MMDB_SUCCESS) {
+        fprintf(stderr, "Warning: cannot open MaxMind ASN database \"%s\": %s\n", db.c_str(), MMDB_strerror(ret));
+        free(mmdb);
+        return;
+    }
+
+    __asn_mmdb = mmdb;
+#endif
+}
+
+void Asn_func::evaluate(Row** rows, Variant& v)
+{
+#ifdef HAVE_LIBMAXMINDDB
+    if (!__asn_mmdb) {
+        v = -1;
+        return;
+    }
+
+    Variant str;
+    m_param[0]->evaluate(rows, str);
+    RefCountStringHandle str_handle(str.get_text());
+
+    int gai_error, ret;
+
+    MMDB_lookup_result_s mmdb_result = MMDB_lookup_string(__asn_mmdb, (*str_handle)->data, &gai_error, &ret);
+
+    if (gai_error || ret != MMDB_SUCCESS || !mmdb_result.found_entry) {
+        v = -1;
+        return;
+    }
+
+    MMDB_entry_data_s entry_data;
+    ret = MMDB_get_value(&mmdb_result.entry, &entry_data, "autonomous_system_number", NULL);
+
+    if (ret != MMDB_SUCCESS || !entry_data.has_data || entry_data.type != MMDB_DATA_TYPE_UINT32) {
+        v = -1;
+        return;
+    }
+
+    v = (int_column)entry_data.uint32;
+#else
+    v = -1;
+#endif
+}
+
 DB g_db;
 
 Coldef Column::m_coldefs[COLTYPE_MAX];