pf_print_state.c revision 1.2
1 1.2 itojun /* $NetBSD: pf_print_state.c,v 1.2 2004/06/22 15:16:30 itojun Exp $ */ 2 1.1 itojun /* $OpenBSD: pf_print_state.c,v 1.39 2004/02/10 17:48:08 henning Exp $ */ 3 1.1 itojun 4 1.1 itojun /* 5 1.1 itojun * Copyright (c) 2001 Daniel Hartmeier 6 1.1 itojun * All rights reserved. 7 1.1 itojun * 8 1.1 itojun * Redistribution and use in source and binary forms, with or without 9 1.1 itojun * modification, are permitted provided that the following conditions 10 1.1 itojun * are met: 11 1.1 itojun * 12 1.1 itojun * - Redistributions of source code must retain the above copyright 13 1.1 itojun * notice, this list of conditions and the following disclaimer. 14 1.1 itojun * - Redistributions in binary form must reproduce the above 15 1.1 itojun * copyright notice, this list of conditions and the following 16 1.1 itojun * disclaimer in the documentation and/or other materials provided 17 1.1 itojun * with the distribution. 18 1.1 itojun * 19 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 1.1 itojun * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 1.1 itojun * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 1.1 itojun * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 1.1 itojun * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 1.1 itojun * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 1.1 itojun * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 1.1 itojun * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 1.1 itojun * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 1.1 itojun * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 1.1 itojun * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 1.1 itojun * POSSIBILITY OF SUCH DAMAGE. 31 1.1 itojun * 32 1.1 itojun */ 33 1.1 itojun 34 1.1 itojun #include <sys/types.h> 35 1.1 itojun #include <sys/socket.h> 36 1.1 itojun #include <net/if.h> 37 1.1 itojun #define TCPSTATES 38 1.1 itojun #include <netinet/tcp_fsm.h> 39 1.2 itojun #ifdef __NetBSD__ 40 1.2 itojun #include <netinet/in.h> 41 1.2 itojun #endif 42 1.1 itojun #include <net/pfvar.h> 43 1.1 itojun #include <arpa/inet.h> 44 1.1 itojun #include <netdb.h> 45 1.1 itojun 46 1.1 itojun #include <stdio.h> 47 1.1 itojun #include <string.h> 48 1.1 itojun 49 1.1 itojun #include "pfctl_parser.h" 50 1.1 itojun #include "pfctl.h" 51 1.1 itojun 52 1.1 itojun void print_name(struct pf_addr *, sa_family_t); 53 1.1 itojun 54 1.1 itojun void 55 1.1 itojun print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) 56 1.1 itojun { 57 1.1 itojun switch (addr->type) { 58 1.1 itojun case PF_ADDR_DYNIFTL: 59 1.1 itojun printf("(%s", addr->v.ifname); 60 1.1 itojun if (addr->iflags & PFI_AFLAG_NETWORK) 61 1.1 itojun printf(":network"); 62 1.1 itojun if (addr->iflags & PFI_AFLAG_BROADCAST) 63 1.1 itojun printf(":broadcast"); 64 1.1 itojun if (addr->iflags & PFI_AFLAG_PEER) 65 1.1 itojun printf(":peer"); 66 1.1 itojun if (addr->iflags & PFI_AFLAG_NOALIAS) 67 1.1 itojun printf(":0"); 68 1.1 itojun if (verbose) { 69 1.1 itojun if (addr->p.dyncnt <= 0) 70 1.1 itojun printf(":*"); 71 1.1 itojun else 72 1.1 itojun printf(":%d", addr->p.dyncnt); 73 1.1 itojun } 74 1.1 itojun printf(")"); 75 1.1 itojun break; 76 1.1 itojun case PF_ADDR_TABLE: 77 1.1 itojun if (verbose) 78 1.1 itojun if (addr->p.tblcnt == -1) 79 1.1 itojun printf("<%s:*>", addr->v.tblname); 80 1.1 itojun else 81 1.1 itojun printf("<%s:%d>", addr->v.tblname, 82 1.1 itojun addr->p.tblcnt); 83 1.1 itojun else 84 1.1 itojun printf("<%s>", addr->v.tblname); 85 1.1 itojun return; 86 1.1 itojun case PF_ADDR_ADDRMASK: 87 1.1 itojun if (PF_AZERO(&addr->v.a.addr, AF_INET6) && 88 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6)) 89 1.1 itojun printf("any"); 90 1.1 itojun else { 91 1.1 itojun char buf[48]; 92 1.1 itojun 93 1.1 itojun if (inet_ntop(af, &addr->v.a.addr, buf, 94 1.1 itojun sizeof(buf)) == NULL) 95 1.1 itojun printf("?"); 96 1.1 itojun else 97 1.1 itojun printf("%s", buf); 98 1.1 itojun } 99 1.1 itojun break; 100 1.1 itojun case PF_ADDR_NOROUTE: 101 1.1 itojun printf("no-route"); 102 1.1 itojun return; 103 1.1 itojun default: 104 1.1 itojun printf("?"); 105 1.1 itojun return; 106 1.1 itojun } 107 1.1 itojun 108 1.1 itojun /* mask if not _both_ address and mask are zero */ 109 1.1 itojun if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) && 110 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6))) { 111 1.1 itojun int bits = unmask(&addr->v.a.mask, af); 112 1.1 itojun 113 1.1 itojun if (bits != (af == AF_INET ? 32 : 128)) 114 1.1 itojun printf("/%d", bits); 115 1.1 itojun } 116 1.1 itojun } 117 1.1 itojun 118 1.1 itojun void 119 1.1 itojun print_name(struct pf_addr *addr, sa_family_t af) 120 1.1 itojun { 121 1.1 itojun char host[NI_MAXHOST]; 122 1.1 itojun 123 1.1 itojun strlcpy(host, "?", sizeof(host)); 124 1.1 itojun switch (af) { 125 1.1 itojun case AF_INET: { 126 1.1 itojun struct sockaddr_in sin; 127 1.1 itojun 128 1.1 itojun memset(&sin, 0, sizeof(sin)); 129 1.1 itojun sin.sin_len = sizeof(sin); 130 1.1 itojun sin.sin_family = AF_INET; 131 1.1 itojun sin.sin_addr = addr->v4; 132 1.1 itojun getnameinfo((struct sockaddr *)&sin, sin.sin_len, 133 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 134 1.1 itojun break; 135 1.1 itojun } 136 1.1 itojun case AF_INET6: { 137 1.1 itojun struct sockaddr_in6 sin6; 138 1.1 itojun 139 1.1 itojun memset(&sin6, 0, sizeof(sin6)); 140 1.1 itojun sin6.sin6_len = sizeof(sin6); 141 1.1 itojun sin6.sin6_family = AF_INET6; 142 1.1 itojun sin6.sin6_addr = addr->v6; 143 1.1 itojun getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len, 144 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 145 1.1 itojun break; 146 1.1 itojun } 147 1.1 itojun } 148 1.1 itojun printf("%s", host); 149 1.1 itojun } 150 1.1 itojun 151 1.1 itojun void 152 1.1 itojun print_host(struct pf_state_host *h, sa_family_t af, int opts) 153 1.1 itojun { 154 1.1 itojun u_int16_t p = ntohs(h->port); 155 1.1 itojun 156 1.1 itojun if (opts & PF_OPT_USEDNS) 157 1.1 itojun print_name(&h->addr, af); 158 1.1 itojun else { 159 1.1 itojun struct pf_addr_wrap aw; 160 1.1 itojun 161 1.1 itojun memset(&aw, 0, sizeof(aw)); 162 1.1 itojun aw.v.a.addr = h->addr; 163 1.1 itojun if (af == AF_INET) 164 1.1 itojun aw.v.a.mask.addr32[0] = 0xffffffff; 165 1.1 itojun else { 166 1.1 itojun memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); 167 1.1 itojun af = AF_INET6; 168 1.1 itojun } 169 1.1 itojun print_addr(&aw, af, opts & PF_OPT_VERBOSE2); 170 1.1 itojun } 171 1.1 itojun 172 1.1 itojun if (p) { 173 1.1 itojun if (af == AF_INET) 174 1.1 itojun printf(":%u", p); 175 1.1 itojun else 176 1.1 itojun printf("[%u]", p); 177 1.1 itojun } 178 1.1 itojun } 179 1.1 itojun 180 1.1 itojun void 181 1.1 itojun print_seq(struct pf_state_peer *p) 182 1.1 itojun { 183 1.1 itojun if (p->seqdiff) 184 1.1 itojun printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo, 185 1.1 itojun p->seqdiff); 186 1.1 itojun else 187 1.1 itojun printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo); 188 1.1 itojun } 189 1.1 itojun 190 1.1 itojun void 191 1.1 itojun print_state(struct pf_state *s, int opts) 192 1.1 itojun { 193 1.1 itojun struct pf_state_peer *src, *dst; 194 1.1 itojun struct protoent *p; 195 1.1 itojun int min, sec; 196 1.1 itojun 197 1.1 itojun if (s->direction == PF_OUT) { 198 1.1 itojun src = &s->src; 199 1.1 itojun dst = &s->dst; 200 1.1 itojun } else { 201 1.1 itojun src = &s->dst; 202 1.1 itojun dst = &s->src; 203 1.1 itojun } 204 1.1 itojun printf("%s ", s->u.ifname); 205 1.1 itojun if ((p = getprotobynumber(s->proto)) != NULL) 206 1.1 itojun printf("%s ", p->p_name); 207 1.1 itojun else 208 1.1 itojun printf("%u ", s->proto); 209 1.1 itojun if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) || 210 1.1 itojun (s->lan.port != s->gwy.port)) { 211 1.1 itojun print_host(&s->lan, s->af, opts); 212 1.1 itojun if (s->direction == PF_OUT) 213 1.1 itojun printf(" -> "); 214 1.1 itojun else 215 1.1 itojun printf(" <- "); 216 1.1 itojun } 217 1.1 itojun print_host(&s->gwy, s->af, opts); 218 1.1 itojun if (s->direction == PF_OUT) 219 1.1 itojun printf(" -> "); 220 1.1 itojun else 221 1.1 itojun printf(" <- "); 222 1.1 itojun print_host(&s->ext, s->af, opts); 223 1.1 itojun 224 1.1 itojun printf(" "); 225 1.1 itojun if (s->proto == IPPROTO_TCP) { 226 1.1 itojun if (src->state <= TCPS_TIME_WAIT && 227 1.1 itojun dst->state <= TCPS_TIME_WAIT) 228 1.1 itojun printf(" %s:%s\n", tcpstates[src->state], 229 1.1 itojun tcpstates[dst->state]); 230 1.1 itojun else if (src->state == PF_TCPS_PROXY_SRC || 231 1.1 itojun dst->state == PF_TCPS_PROXY_SRC) 232 1.1 itojun printf(" PROXY:SRC\n"); 233 1.1 itojun else if (src->state == PF_TCPS_PROXY_DST || 234 1.1 itojun dst->state == PF_TCPS_PROXY_DST) 235 1.1 itojun printf(" PROXY:DST\n"); 236 1.1 itojun else 237 1.1 itojun printf(" <BAD STATE LEVELS %u:%u>\n", 238 1.1 itojun src->state, dst->state); 239 1.1 itojun if (opts & PF_OPT_VERBOSE) { 240 1.1 itojun printf(" "); 241 1.1 itojun print_seq(src); 242 1.1 itojun if (src->wscale && dst->wscale) 243 1.1 itojun printf(" wscale %u", 244 1.1 itojun src->wscale & PF_WSCALE_MASK); 245 1.1 itojun printf(" "); 246 1.1 itojun print_seq(dst); 247 1.1 itojun if (src->wscale && dst->wscale) 248 1.1 itojun printf(" wscale %u", 249 1.1 itojun dst->wscale & PF_WSCALE_MASK); 250 1.1 itojun printf("\n"); 251 1.1 itojun } 252 1.1 itojun } else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES && 253 1.1 itojun dst->state < PFUDPS_NSTATES) { 254 1.1 itojun const char *states[] = PFUDPS_NAMES; 255 1.1 itojun 256 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 257 1.1 itojun } else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES && 258 1.1 itojun dst->state < PFOTHERS_NSTATES) { 259 1.1 itojun /* XXX ICMP doesn't really have state levels */ 260 1.1 itojun const char *states[] = PFOTHERS_NAMES; 261 1.1 itojun 262 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 263 1.1 itojun } else { 264 1.1 itojun printf(" %u:%u\n", src->state, dst->state); 265 1.1 itojun } 266 1.1 itojun 267 1.1 itojun if (opts & PF_OPT_VERBOSE) { 268 1.1 itojun sec = s->creation % 60; 269 1.1 itojun s->creation /= 60; 270 1.1 itojun min = s->creation % 60; 271 1.1 itojun s->creation /= 60; 272 1.1 itojun printf(" age %.2u:%.2u:%.2u", s->creation, min, sec); 273 1.1 itojun sec = s->expire % 60; 274 1.1 itojun s->expire /= 60; 275 1.1 itojun min = s->expire % 60; 276 1.1 itojun s->expire /= 60; 277 1.1 itojun printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec); 278 1.1 itojun printf(", %u:%u pkts, %u:%u bytes", 279 1.1 itojun s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]); 280 1.1 itojun if (s->anchor.nr != -1) 281 1.1 itojun printf(", anchor %u", s->anchor.nr); 282 1.1 itojun if (s->rule.nr != -1) 283 1.1 itojun printf(", rule %u", s->rule.nr); 284 1.1 itojun if (s->src_node != NULL) 285 1.1 itojun printf(", source-track"); 286 1.1 itojun if (s->nat_src_node != NULL) 287 1.1 itojun printf(", sticky-address"); 288 1.1 itojun printf("\n"); 289 1.1 itojun } 290 1.1 itojun if (opts & PF_OPT_VERBOSE2) { 291 1.2 itojun #ifdef __OpenBSD__ 292 1.1 itojun printf(" id: %016llx creatorid: %08x\n", 293 1.1 itojun betoh64(s->id), ntohl(s->creatorid)); 294 1.2 itojun #else 295 1.2 itojun printf(" id: %016llx creatorid: %08x\n", 296 1.2 itojun (unsigned long long)be64toh(s->id), ntohl(s->creatorid)); 297 1.2 itojun #endif 298 1.1 itojun } 299 1.1 itojun } 300 1.1 itojun 301 1.1 itojun int 302 1.1 itojun unmask(struct pf_addr *m, sa_family_t af) 303 1.1 itojun { 304 1.1 itojun int i = 31, j = 0, b = 0; 305 1.1 itojun u_int32_t tmp; 306 1.1 itojun 307 1.1 itojun while (j < 4 && m->addr32[j] == 0xffffffff) { 308 1.1 itojun b += 32; 309 1.1 itojun j++; 310 1.1 itojun } 311 1.1 itojun if (j < 4) { 312 1.1 itojun tmp = ntohl(m->addr32[j]); 313 1.1 itojun for (i = 31; tmp & (1 << i); --i) 314 1.1 itojun b++; 315 1.1 itojun } 316 1.1 itojun return (b); 317 1.1 itojun } 318
Indexes created Fri Sep 26 20:09:58 GMT 2025