pf_print_state.c revision 1.3.20.2
1 1.3.20.2 joerg /* $NetBSD: pf_print_state.c,v 1.3.20.2 2008/06/04 20:34:37 joerg Exp $ */ 2 1.3.20.1 yamt /* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */ 3 1.1 itojun 4 1.1 itojun /* 5 1.1 itojun * Copyright (c) 2001 Daniel Hartmeier 6 1.1 itojun * All rights reserved. 7 1.1 itojun * 8 1.1 itojun * Redistribution and use in source and binary forms, with or without 9 1.1 itojun * modification, are permitted provided that the following conditions 10 1.1 itojun * are met: 11 1.1 itojun * 12 1.1 itojun * - Redistributions of source code must retain the above copyright 13 1.1 itojun * notice, this list of conditions and the following disclaimer. 14 1.1 itojun * - Redistributions in binary form must reproduce the above 15 1.1 itojun * copyright notice, this list of conditions and the following 16 1.1 itojun * disclaimer in the documentation and/or other materials provided 17 1.1 itojun * with the distribution. 18 1.1 itojun * 19 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 1.1 itojun * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 1.1 itojun * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 1.1 itojun * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 1.1 itojun * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 1.1 itojun * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 1.1 itojun * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 1.1 itojun * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 1.1 itojun * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 1.1 itojun * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 1.1 itojun * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 1.1 itojun * POSSIBILITY OF SUCH DAMAGE. 31 1.1 itojun * 32 1.1 itojun */ 33 1.1 itojun 34 1.1 itojun #include <sys/types.h> 35 1.1 itojun #include <sys/socket.h> 36 1.1 itojun #include <net/if.h> 37 1.1 itojun #define TCPSTATES 38 1.1 itojun #include <netinet/tcp_fsm.h> 39 1.1 itojun #include <net/pfvar.h> 40 1.1 itojun #include <arpa/inet.h> 41 1.1 itojun #include <netdb.h> 42 1.1 itojun 43 1.1 itojun #include <stdio.h> 44 1.1 itojun #include <string.h> 45 1.1 itojun 46 1.1 itojun #include "pfctl_parser.h" 47 1.1 itojun #include "pfctl.h" 48 1.1 itojun 49 1.1 itojun void print_name(struct pf_addr *, sa_family_t); 50 1.1 itojun 51 1.1 itojun void 52 1.1 itojun print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) 53 1.1 itojun { 54 1.1 itojun switch (addr->type) { 55 1.1 itojun case PF_ADDR_DYNIFTL: 56 1.1 itojun printf("(%s", addr->v.ifname); 57 1.1 itojun if (addr->iflags & PFI_AFLAG_NETWORK) 58 1.1 itojun printf(":network"); 59 1.1 itojun if (addr->iflags & PFI_AFLAG_BROADCAST) 60 1.1 itojun printf(":broadcast"); 61 1.1 itojun if (addr->iflags & PFI_AFLAG_PEER) 62 1.1 itojun printf(":peer"); 63 1.1 itojun if (addr->iflags & PFI_AFLAG_NOALIAS) 64 1.1 itojun printf(":0"); 65 1.1 itojun if (verbose) { 66 1.1 itojun if (addr->p.dyncnt <= 0) 67 1.1 itojun printf(":*"); 68 1.1 itojun else 69 1.1 itojun printf(":%d", addr->p.dyncnt); 70 1.1 itojun } 71 1.1 itojun printf(")"); 72 1.1 itojun break; 73 1.1 itojun case PF_ADDR_TABLE: 74 1.1 itojun if (verbose) 75 1.1 itojun if (addr->p.tblcnt == -1) 76 1.1 itojun printf("<%s:*>", addr->v.tblname); 77 1.1 itojun else 78 1.1 itojun printf("<%s:%d>", addr->v.tblname, 79 1.1 itojun addr->p.tblcnt); 80 1.1 itojun else 81 1.1 itojun printf("<%s>", addr->v.tblname); 82 1.1 itojun return; 83 1.1 itojun case PF_ADDR_ADDRMASK: 84 1.1 itojun if (PF_AZERO(&addr->v.a.addr, AF_INET6) && 85 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6)) 86 1.1 itojun printf("any"); 87 1.1 itojun else { 88 1.1 itojun char buf[48]; 89 1.1 itojun 90 1.1 itojun if (inet_ntop(af, &addr->v.a.addr, buf, 91 1.1 itojun sizeof(buf)) == NULL) 92 1.1 itojun printf("?"); 93 1.1 itojun else 94 1.1 itojun printf("%s", buf); 95 1.1 itojun } 96 1.1 itojun break; 97 1.1 itojun case PF_ADDR_NOROUTE: 98 1.1 itojun printf("no-route"); 99 1.1 itojun return; 100 1.3.20.1 yamt case PF_ADDR_URPFFAILED: 101 1.3.20.1 yamt printf("urpf-failed"); 102 1.3.20.1 yamt return; 103 1.3 peter case PF_ADDR_RTLABEL: 104 1.3 peter printf("route \"%s\"", addr->v.rtlabelname); 105 1.3 peter return; 106 1.1 itojun default: 107 1.1 itojun printf("?"); 108 1.1 itojun return; 109 1.1 itojun } 110 1.1 itojun 111 1.1 itojun /* mask if not _both_ address and mask are zero */ 112 1.1 itojun if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) && 113 1.1 itojun PF_AZERO(&addr->v.a.mask, AF_INET6))) { 114 1.1 itojun int bits = unmask(&addr->v.a.mask, af); 115 1.1 itojun 116 1.1 itojun if (bits != (af == AF_INET ? 32 : 128)) 117 1.1 itojun printf("/%d", bits); 118 1.1 itojun } 119 1.1 itojun } 120 1.1 itojun 121 1.1 itojun void 122 1.1 itojun print_name(struct pf_addr *addr, sa_family_t af) 123 1.1 itojun { 124 1.1 itojun char host[NI_MAXHOST]; 125 1.1 itojun 126 1.1 itojun strlcpy(host, "?", sizeof(host)); 127 1.1 itojun switch (af) { 128 1.1 itojun case AF_INET: { 129 1.1 itojun struct sockaddr_in sin; 130 1.1 itojun 131 1.1 itojun memset(&sin, 0, sizeof(sin)); 132 1.1 itojun sin.sin_len = sizeof(sin); 133 1.1 itojun sin.sin_family = AF_INET; 134 1.1 itojun sin.sin_addr = addr->v4; 135 1.1 itojun getnameinfo((struct sockaddr *)&sin, sin.sin_len, 136 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 137 1.1 itojun break; 138 1.1 itojun } 139 1.1 itojun case AF_INET6: { 140 1.1 itojun struct sockaddr_in6 sin6; 141 1.1 itojun 142 1.1 itojun memset(&sin6, 0, sizeof(sin6)); 143 1.1 itojun sin6.sin6_len = sizeof(sin6); 144 1.1 itojun sin6.sin6_family = AF_INET6; 145 1.1 itojun sin6.sin6_addr = addr->v6; 146 1.1 itojun getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len, 147 1.1 itojun host, sizeof(host), NULL, 0, NI_NOFQDN); 148 1.1 itojun break; 149 1.1 itojun } 150 1.1 itojun } 151 1.1 itojun printf("%s", host); 152 1.1 itojun } 153 1.1 itojun 154 1.1 itojun void 155 1.3.20.1 yamt print_host(struct pfsync_state_host *h, sa_family_t af, int opts) 156 1.1 itojun { 157 1.1 itojun u_int16_t p = ntohs(h->port); 158 1.1 itojun 159 1.1 itojun if (opts & PF_OPT_USEDNS) 160 1.1 itojun print_name(&h->addr, af); 161 1.1 itojun else { 162 1.1 itojun struct pf_addr_wrap aw; 163 1.1 itojun 164 1.1 itojun memset(&aw, 0, sizeof(aw)); 165 1.1 itojun aw.v.a.addr = h->addr; 166 1.1 itojun if (af == AF_INET) 167 1.1 itojun aw.v.a.mask.addr32[0] = 0xffffffff; 168 1.1 itojun else { 169 1.1 itojun memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); 170 1.1 itojun af = AF_INET6; 171 1.1 itojun } 172 1.1 itojun print_addr(&aw, af, opts & PF_OPT_VERBOSE2); 173 1.1 itojun } 174 1.1 itojun 175 1.1 itojun if (p) { 176 1.1 itojun if (af == AF_INET) 177 1.1 itojun printf(":%u", p); 178 1.1 itojun else 179 1.1 itojun printf("[%u]", p); 180 1.1 itojun } 181 1.1 itojun } 182 1.1 itojun 183 1.1 itojun void 184 1.3.20.1 yamt print_seq(struct pfsync_state_peer *p) 185 1.1 itojun { 186 1.1 itojun if (p->seqdiff) 187 1.1 itojun printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo, 188 1.1 itojun p->seqdiff); 189 1.1 itojun else 190 1.1 itojun printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo); 191 1.1 itojun } 192 1.1 itojun 193 1.1 itojun void 194 1.3.20.1 yamt print_state(struct pfsync_state *s, int opts) 195 1.1 itojun { 196 1.3.20.1 yamt struct pfsync_state_peer *src, *dst; 197 1.1 itojun struct protoent *p; 198 1.1 itojun int min, sec; 199 1.1 itojun 200 1.1 itojun if (s->direction == PF_OUT) { 201 1.1 itojun src = &s->src; 202 1.1 itojun dst = &s->dst; 203 1.1 itojun } else { 204 1.1 itojun src = &s->dst; 205 1.1 itojun dst = &s->src; 206 1.1 itojun } 207 1.3.20.1 yamt printf("%s ", s->ifname); 208 1.1 itojun if ((p = getprotobynumber(s->proto)) != NULL) 209 1.1 itojun printf("%s ", p->p_name); 210 1.1 itojun else 211 1.1 itojun printf("%u ", s->proto); 212 1.1 itojun if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) || 213 1.1 itojun (s->lan.port != s->gwy.port)) { 214 1.1 itojun print_host(&s->lan, s->af, opts); 215 1.1 itojun if (s->direction == PF_OUT) 216 1.1 itojun printf(" -> "); 217 1.1 itojun else 218 1.1 itojun printf(" <- "); 219 1.1 itojun } 220 1.1 itojun print_host(&s->gwy, s->af, opts); 221 1.1 itojun if (s->direction == PF_OUT) 222 1.1 itojun printf(" -> "); 223 1.1 itojun else 224 1.1 itojun printf(" <- "); 225 1.1 itojun print_host(&s->ext, s->af, opts); 226 1.1 itojun 227 1.1 itojun printf(" "); 228 1.1 itojun if (s->proto == IPPROTO_TCP) { 229 1.1 itojun if (src->state <= TCPS_TIME_WAIT && 230 1.1 itojun dst->state <= TCPS_TIME_WAIT) 231 1.1 itojun printf(" %s:%s\n", tcpstates[src->state], 232 1.1 itojun tcpstates[dst->state]); 233 1.1 itojun else if (src->state == PF_TCPS_PROXY_SRC || 234 1.1 itojun dst->state == PF_TCPS_PROXY_SRC) 235 1.1 itojun printf(" PROXY:SRC\n"); 236 1.1 itojun else if (src->state == PF_TCPS_PROXY_DST || 237 1.1 itojun dst->state == PF_TCPS_PROXY_DST) 238 1.1 itojun printf(" PROXY:DST\n"); 239 1.1 itojun else 240 1.1 itojun printf(" <BAD STATE LEVELS %u:%u>\n", 241 1.1 itojun src->state, dst->state); 242 1.1 itojun if (opts & PF_OPT_VERBOSE) { 243 1.1 itojun printf(" "); 244 1.1 itojun print_seq(src); 245 1.1 itojun if (src->wscale && dst->wscale) 246 1.1 itojun printf(" wscale %u", 247 1.1 itojun src->wscale & PF_WSCALE_MASK); 248 1.1 itojun printf(" "); 249 1.1 itojun print_seq(dst); 250 1.1 itojun if (src->wscale && dst->wscale) 251 1.1 itojun printf(" wscale %u", 252 1.1 itojun dst->wscale & PF_WSCALE_MASK); 253 1.1 itojun printf("\n"); 254 1.1 itojun } 255 1.1 itojun } else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES && 256 1.1 itojun dst->state < PFUDPS_NSTATES) { 257 1.1 itojun const char *states[] = PFUDPS_NAMES; 258 1.1 itojun 259 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 260 1.1 itojun } else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES && 261 1.1 itojun dst->state < PFOTHERS_NSTATES) { 262 1.1 itojun /* XXX ICMP doesn't really have state levels */ 263 1.1 itojun const char *states[] = PFOTHERS_NAMES; 264 1.1 itojun 265 1.1 itojun printf(" %s:%s\n", states[src->state], states[dst->state]); 266 1.1 itojun } else { 267 1.1 itojun printf(" %u:%u\n", src->state, dst->state); 268 1.1 itojun } 269 1.1 itojun 270 1.1 itojun if (opts & PF_OPT_VERBOSE) { 271 1.1 itojun sec = s->creation % 60; 272 1.1 itojun s->creation /= 60; 273 1.1 itojun min = s->creation % 60; 274 1.1 itojun s->creation /= 60; 275 1.1 itojun printf(" age %.2u:%.2u:%.2u", s->creation, min, sec); 276 1.1 itojun sec = s->expire % 60; 277 1.1 itojun s->expire /= 60; 278 1.1 itojun min = s->expire % 60; 279 1.1 itojun s->expire /= 60; 280 1.1 itojun printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec); 281 1.3.20.1 yamt printf(", %llu:%llu pkts, %llu:%llu bytes", 282 1.3.20.2 joerg (unsigned long long int)pf_state_counter_from_pfsync(s->packets[0]), 283 1.3.20.2 joerg (unsigned long long int)pf_state_counter_from_pfsync(s->packets[1]), 284 1.3.20.2 joerg (unsigned long long int)pf_state_counter_from_pfsync(s->bytes[0]), 285 1.3.20.2 joerg (unsigned long long int)pf_state_counter_from_pfsync(s->bytes[1])); 286 1.3.20.1 yamt if (s->anchor != -1) 287 1.3.20.1 yamt printf(", anchor %u", s->anchor); 288 1.3.20.1 yamt if (s->rule != -1) 289 1.3.20.1 yamt printf(", rule %u", s->rule); 290 1.3.20.1 yamt if (s->sync_flags & PFSYNC_FLAG_SRCNODE) 291 1.1 itojun printf(", source-track"); 292 1.3.20.1 yamt if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE) 293 1.1 itojun printf(", sticky-address"); 294 1.1 itojun printf("\n"); 295 1.1 itojun } 296 1.1 itojun if (opts & PF_OPT_VERBOSE2) { 297 1.3.20.1 yamt printf(" id: %016llx creatorid: %08x%s\n", 298 1.3.20.2 joerg (unsigned long long int)pf_state_counter_from_pfsync(s->id), 299 1.3.20.2 joerg ntohl(s->creatorid), 300 1.3.20.1 yamt ((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : "")); 301 1.1 itojun } 302 1.1 itojun } 303 1.1 itojun 304 1.1 itojun int 305 1.1 itojun unmask(struct pf_addr *m, sa_family_t af) 306 1.1 itojun { 307 1.1 itojun int i = 31, j = 0, b = 0; 308 1.1 itojun u_int32_t tmp; 309 1.1 itojun 310 1.1 itojun while (j < 4 && m->addr32[j] == 0xffffffff) { 311 1.1 itojun b += 32; 312 1.1 itojun j++; 313 1.1 itojun } 314 1.1 itojun if (j < 4) { 315 1.1 itojun tmp = ntohl(m->addr32[j]); 316 1.1 itojun for (i = 31; tmp & (1 << i); --i) 317 1.1 itojun b++; 318 1.1 itojun } 319 1.1 itojun return (b); 320 1.1 itojun } 321
Indexes created Sun Oct 19 02:09:48 GMT 2025