pf_print_state.c revision 1.1.1.2
1 1.1.1.2 peter /* $OpenBSD: pf_print_state.c,v 1.40 2004/12/10 22:13:26 henning Exp $ */ 2 1.1 itojun 3 1.1 itojun /* 4 1.1 itojun * Copyright (c) 2001 Daniel Hartmeier 5 1.1 itojun * All rights reserved. 6 1.1 itojun * 7 1.1 itojun * Redistribution and use in source and binary forms, with or without 8 1.1 itojun * modification, are permitted provided that the following conditions 9 1.1 itojun * are met: 10 1.1 itojun * 11 1.1 itojun * - Redistributions of source code must retain the above copyright 12 1.1 itojun * notice, this list of conditions and the following disclaimer. 13 1.1 itojun * - Redistributions in binary form must reproduce the above 14 1.1 itojun * copyright notice, this list of conditions and the following 15 1.1 itojun * disclaimer in the documentation and/or other materials provided 16 1.1 itojun * with the distribution. 17 1.1 itojun * 18 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 1.1 itojun * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 1.1 itojun * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 1.1 itojun * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 1.1 itojun * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 1.1 itojun * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 1.1 itojun * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 1.1 itojun * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 1.1 itojun * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 1.1 itojun * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 1.1 itojun * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 1.1 itojun * POSSIBILITY OF SUCH DAMAGE. 30 1.1 itojun * 31 1.1 itojun */ 32 1.1 itojun 33 1.1 itojun #include <sys/types.h> 34 1.1 itojun #include <sys/socket.h> 35 1.1 itojun #include <net/if.h> 36 1.1 itojun #define TCPSTATES 37 1.1 itojun #include <netinet/tcp_fsm.h> 38 1.1 itojun #include <net/pfvar.h> 39 1.1 itojun #include <arpa/inet.h> 40 1.1 itojun #include <netdb.h> 41 1.1 itojun 42 1.1 itojun #include <stdio.h> 43 1.1 itojun #include <string.h> 44 1.1 itojun 45 1.1 itojun #include "pfctl_parser.h" 46 1.1 itojun #include "pfctl.h" 47 1.1 itojun 48 1.1 itojun void print_name(struct pf_addr *, sa_family_t); 49 1.1 itojun 50 1.1 itojun void 51 1.1 itojun print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) 52 1.1 itojun { 53 1.1 itojun switch (addr->type) { 54 1.1 itojun case PF_ADDR_DYNIFTL: 55 1.1 itojun printf("(%s", addr->v.ifname); 56 1.1 itojun if (addr->iflags & PFI_AFLAG_NETWORK) 57 1.1 itojun printf(":network"); 58 1.1 itojun if (addr->iflags & PFI_AFLAG_BROADCAST) 59 1.1 itojun printf(":broadcast"); 60 1.1 itojun if (addr->iflags & PFI_AFLAG_PEER) 61 1.1 itojun printf(":peer"); 62 1.1 itojun if (addr->iflags & PFI_AFLAG_NOALIAS) 63 1.1 itojun printf(":0"); 64 1.1 itojun if (verbose) { 65 1.1 itojun if (addr->p.dyncnt <= 0) 66 1.1 itojun printf(":*"); 67 1.1 itojun else 68 1.1 itojun printf(":%d", addr->p.dyncnt); 69 1.1 itojun } 70 1.1 itojun printf(")"); 71 1.1 itojun break; 72 1.1 itojun case PF_ADDR_TABLE: 73 1.1 itojun if (verbose) 74 1.1 itojun if (addr->p.tblcnt == -1) 75 1.1 itojun printf("<%s:*>", addr->v.tblname); 76 1.1 itojun else 77 1.1 itojun printf("<%s:%d>", addr->v.tblname, 78 1.1 itojun addr->p.tblcnt); 79 1.1 itojun else 80 1.1 itojun printf("<%s>", addr->v.tblname); 81 1.1 itojun return; 82 1.1 itojun case PF_ADDR_ADDRMASK: 83 1.1 itojun if (PF_AZERO(&addr->v.a.addr, AF_INET6) && 84 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6)) 85 1.1 itojun printf("any"); 86 1.1 itojun else { 87 1.1 itojun char buf[48]; 88 1.1 itojun 89 1.1 itojun if (inet_ntop(af, &addr->v.a.addr, buf, 90 1.1 itojun sizeof(buf)) == NULL) 91 1.1 itojun printf("?"); 92 1.1 itojun else 93 1.1 itojun printf("%s", buf); 94 1.1 itojun } 95 1.1 itojun break; 96 1.1 itojun case PF_ADDR_NOROUTE: 97 1.1 itojun printf("no-route"); 98 1.1 itojun return; 99 1.1.1.2 peter case PF_ADDR_RTLABEL: 100 1.1.1.2 peter printf("route \"%s\"", addr->v.rtlabelname); 101 1.1.1.2 peter return; 102 1.1 itojun default: 103 1.1 itojun printf("?"); 104 1.1 itojun return; 105 1.1 itojun } 106 1.1 itojun 107 1.1 itojun /* mask if not _both_ address and mask are zero */ 108 1.1 itojun if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) && 109 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6))) { 110 1.1 itojun int bits = unmask(&addr->v.a.mask, af); 111 1.1 itojun 112 1.1 itojun if (bits != (af == AF_INET ? 32 : 128)) 113 1.1 itojun printf("/%d", bits); 114 1.1 itojun } 115 1.1 itojun } 116 1.1 itojun 117 1.1 itojun void 118 1.1 itojun print_name(struct pf_addr *addr, sa_family_t af) 119 1.1 itojun { 120 1.1 itojun char host[NI_MAXHOST]; 121 1.1 itojun 122 1.1 itojun strlcpy(host, "?", sizeof(host)); 123 1.1 itojun switch (af) { 124 1.1 itojun case AF_INET: { 125 1.1 itojun struct sockaddr_in sin; 126 1.1 itojun 127 1.1 itojun memset(&sin, 0, sizeof(sin)); 128 1.1 itojun sin.sin_len = sizeof(sin); 129 1.1 itojun sin.sin_family = AF_INET; 130 1.1 itojun sin.sin_addr = addr->v4; 131 1.1 itojun getnameinfo((struct sockaddr *)&sin, sin.sin_len, 132 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 133 1.1 itojun break; 134 1.1 itojun } 135 1.1 itojun case AF_INET6: { 136 1.1 itojun struct sockaddr_in6 sin6; 137 1.1 itojun 138 1.1 itojun memset(&sin6, 0, sizeof(sin6)); 139 1.1 itojun sin6.sin6_len = sizeof(sin6); 140 1.1 itojun sin6.sin6_family = AF_INET6; 141 1.1 itojun sin6.sin6_addr = addr->v6; 142 1.1 itojun getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len, 143 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 144 1.1 itojun break; 145 1.1 itojun } 146 1.1 itojun } 147 1.1 itojun printf("%s", host); 148 1.1 itojun } 149 1.1 itojun 150 1.1 itojun void 151 1.1 itojun print_host(struct pf_state_host *h, sa_family_t af, int opts) 152 1.1 itojun { 153 1.1 itojun u_int16_t p = ntohs(h->port); 154 1.1 itojun 155 1.1 itojun if (opts & PF_OPT_USEDNS) 156 1.1 itojun print_name(&h->addr, af); 157 1.1 itojun else { 158 1.1 itojun struct pf_addr_wrap aw; 159 1.1 itojun 160 1.1 itojun memset(&aw, 0, sizeof(aw)); 161 1.1 itojun aw.v.a.addr = h->addr; 162 1.1 itojun if (af == AF_INET) 163 1.1 itojun aw.v.a.mask.addr32[0] = 0xffffffff; 164 1.1 itojun else { 165 1.1 itojun memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); 166 1.1 itojun af = AF_INET6; 167 1.1 itojun } 168 1.1 itojun print_addr(&aw, af, opts & PF_OPT_VERBOSE2); 169 1.1 itojun } 170 1.1 itojun 171 1.1 itojun if (p) { 172 1.1 itojun if (af == AF_INET) 173 1.1 itojun printf(":%u", p); 174 1.1 itojun else 175 1.1 itojun printf("[%u]", p); 176 1.1 itojun } 177 1.1 itojun } 178 1.1 itojun 179 1.1 itojun void 180 1.1 itojun print_seq(struct pf_state_peer *p) 181 1.1 itojun { 182 1.1 itojun if (p->seqdiff) 183 1.1 itojun printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo, 184 1.1 itojun p->seqdiff); 185 1.1 itojun else 186 1.1 itojun printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo); 187 1.1 itojun } 188 1.1 itojun 189 1.1 itojun void 190 1.1 itojun print_state(struct pf_state *s, int opts) 191 1.1 itojun { 192 1.1 itojun struct pf_state_peer *src, *dst; 193 1.1 itojun struct protoent *p; 194 1.1 itojun int min, sec; 195 1.1 itojun 196 1.1 itojun if (s->direction == PF_OUT) { 197 1.1 itojun src = &s->src; 198 1.1 itojun dst = &s->dst; 199 1.1 itojun } else { 200 1.1 itojun src = &s->dst; 201 1.1 itojun dst = &s->src; 202 1.1 itojun } 203 1.1 itojun printf("%s ", s->u.ifname); 204 1.1 itojun if ((p = getprotobynumber(s->proto)) != NULL) 205 1.1 itojun printf("%s ", p->p_name); 206 1.1 itojun else 207 1.1 itojun printf("%u ", s->proto); 208 1.1 itojun if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) || 209 1.1 itojun (s->lan.port != s->gwy.port)) { 210 1.1 itojun print_host(&s->lan, s->af, opts); 211 1.1 itojun if (s->direction == PF_OUT) 212 1.1 itojun printf(" -> "); 213 1.1 itojun else 214 1.1 itojun printf(" <- "); 215 1.1 itojun } 216 1.1 itojun print_host(&s->gwy, s->af, opts); 217 1.1 itojun if (s->direction == PF_OUT) 218 1.1 itojun printf(" -> "); 219 1.1 itojun else 220 1.1 itojun printf(" <- "); 221 1.1 itojun print_host(&s->ext, s->af, opts); 222 1.1 itojun 223 1.1 itojun printf(" "); 224 1.1 itojun if (s->proto == IPPROTO_TCP) { 225 1.1 itojun if (src->state <= TCPS_TIME_WAIT && 226 1.1 itojun dst->state <= TCPS_TIME_WAIT) 227 1.1 itojun printf(" %s:%s\n", tcpstates[src->state], 228 1.1 itojun tcpstates[dst->state]); 229 1.1 itojun else if (src->state == PF_TCPS_PROXY_SRC || 230 1.1 itojun dst->state == PF_TCPS_PROXY_SRC) 231 1.1 itojun printf(" PROXY:SRC\n"); 232 1.1 itojun else if (src->state == PF_TCPS_PROXY_DST || 233 1.1 itojun dst->state == PF_TCPS_PROXY_DST) 234 1.1 itojun printf(" PROXY:DST\n"); 235 1.1 itojun else 236 1.1 itojun printf(" <BAD STATE LEVELS %u:%u>\n", 237 1.1 itojun src->state, dst->state); 238 1.1 itojun if (opts & PF_OPT_VERBOSE) { 239 1.1 itojun printf(" "); 240 1.1 itojun print_seq(src); 241 1.1 itojun if (src->wscale && dst->wscale) 242 1.1 itojun printf(" wscale %u", 243 1.1 itojun src->wscale & PF_WSCALE_MASK); 244 1.1 itojun printf(" "); 245 1.1 itojun print_seq(dst); 246 1.1 itojun if (src->wscale && dst->wscale) 247 1.1 itojun printf(" wscale %u", 248 1.1 itojun dst->wscale & PF_WSCALE_MASK); 249 1.1 itojun printf("\n"); 250 1.1 itojun } 251 1.1 itojun } else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES && 252 1.1 itojun dst->state < PFUDPS_NSTATES) { 253 1.1 itojun const char *states[] = PFUDPS_NAMES; 254 1.1 itojun 255 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 256 1.1 itojun } else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES && 257 1.1 itojun dst->state < PFOTHERS_NSTATES) { 258 1.1 itojun /* XXX ICMP doesn't really have state levels */ 259 1.1 itojun const char *states[] = PFOTHERS_NAMES; 260 1.1 itojun 261 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 262 1.1 itojun } else { 263 1.1 itojun printf(" %u:%u\n", src->state, dst->state); 264 1.1 itojun } 265 1.1 itojun 266 1.1 itojun if (opts & PF_OPT_VERBOSE) { 267 1.1 itojun sec = s->creation % 60; 268 1.1 itojun s->creation /= 60; 269 1.1 itojun min = s->creation % 60; 270 1.1 itojun s->creation /= 60; 271 1.1 itojun printf(" age %.2u:%.2u:%.2u", s->creation, min, sec); 272 1.1 itojun sec = s->expire % 60; 273 1.1 itojun s->expire /= 60; 274 1.1 itojun min = s->expire % 60; 275 1.1 itojun s->expire /= 60; 276 1.1 itojun printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec); 277 1.1 itojun printf(", %u:%u pkts, %u:%u bytes", 278 1.1 itojun s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]); 279 1.1 itojun if (s->anchor.nr != -1) 280 1.1 itojun printf(", anchor %u", s->anchor.nr); 281 1.1 itojun if (s->rule.nr != -1) 282 1.1 itojun printf(", rule %u", s->rule.nr); 283 1.1 itojun if (s->src_node != NULL) 284 1.1 itojun printf(", source-track"); 285 1.1 itojun if (s->nat_src_node != NULL) 286 1.1 itojun printf(", sticky-address"); 287 1.1 itojun printf("\n"); 288 1.1 itojun } 289 1.1 itojun if (opts & PF_OPT_VERBOSE2) { 290 1.1 itojun printf(" id: %016llx creatorid: %08x\n", 291 1.1 itojun betoh64(s->id), ntohl(s->creatorid)); 292 1.1 itojun } 293 1.1 itojun } 294 1.1 itojun 295 1.1 itojun int 296 1.1 itojun unmask(struct pf_addr *m, sa_family_t af) 297 1.1 itojun { 298 1.1 itojun int i = 31, j = 0, b = 0; 299 1.1 itojun u_int32_t tmp; 300 1.1 itojun 301 1.1 itojun while (j < 4 && m->addr32[j] == 0xffffffff) { 302 1.1 itojun b += 32; 303 1.1 itojun j++; 304 1.1 itojun } 305 1.1 itojun if (j < 4) { 306 1.1 itojun tmp = ntohl(m->addr32[j]); 307 1.1 itojun for (i = 31; tmp & (1 << i); --i) 308 1.1 itojun b++; 309 1.1 itojun } 310 1.1 itojun return (b); 311 1.1 itojun } 312
Indexes created Tue Oct 28 02:10:10 GMT 2025