1/* $OpenBSD: pf_print_state.c,v 1.40 2004/12/10 22:13:26 henning Exp $ */
|
1/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */ |
2 3/* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 */ 32 33#include <sys/cdefs.h>
|
34__FBSDID("$FreeBSD: head/contrib/pf/pfctl/pf_print_state.c 145840 2005-05-03 16:55:20Z mlaier $");
|
34__FBSDID("$FreeBSD: head/contrib/pf/pfctl/pf_print_state.c 171172 2007-07-03 12:30:03Z mlaier $"); |
35 36#include <sys/types.h> 37#include <sys/socket.h> 38#include <sys/endian.h> 39#include <net/if.h> 40#define TCPSTATES 41#include <netinet/tcp_fsm.h> 42#include <net/pfvar.h> 43#include <arpa/inet.h> 44#include <netdb.h> 45 46#include <stdio.h> 47#include <string.h> 48 49#include "pfctl_parser.h" 50#include "pfctl.h" 51 52void print_name(struct pf_addr *, sa_family_t); 53 54void 55print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) 56{ 57 switch (addr->type) { 58 case PF_ADDR_DYNIFTL: 59 printf("(%s", addr->v.ifname); 60 if (addr->iflags & PFI_AFLAG_NETWORK) 61 printf(":network"); 62 if (addr->iflags & PFI_AFLAG_BROADCAST) 63 printf(":broadcast"); 64 if (addr->iflags & PFI_AFLAG_PEER) 65 printf(":peer"); 66 if (addr->iflags & PFI_AFLAG_NOALIAS) 67 printf(":0"); 68 if (verbose) { 69 if (addr->p.dyncnt <= 0) 70 printf(":*"); 71 else 72 printf(":%d", addr->p.dyncnt); 73 } 74 printf(")"); 75 break; 76 case PF_ADDR_TABLE: 77 if (verbose) 78 if (addr->p.tblcnt == -1) 79 printf("<%s:*>", addr->v.tblname); 80 else 81 printf("<%s:%d>", addr->v.tblname, 82 addr->p.tblcnt); 83 else 84 printf("<%s>", addr->v.tblname); 85 return; 86 case PF_ADDR_ADDRMASK: 87 if (PF_AZERO(&addr->v.a.addr, AF_INET6) && 88 PF_AZERO(&addr->v.a.mask, AF_INET6)) 89 printf("any"); 90 else { 91 char buf[48]; 92 93 if (inet_ntop(af, &addr->v.a.addr, buf, 94 sizeof(buf)) == NULL) 95 printf("?"); 96 else 97 printf("%s", buf); 98 } 99 break; 100 case PF_ADDR_NOROUTE: 101 printf("no-route"); 102 return;
|
103 case PF_ADDR_URPFFAILED: 104 printf("urpf-failed"); 105 return; |
106 case PF_ADDR_RTLABEL: 107 printf("route \"%s\"", addr->v.rtlabelname); 108 return; 109 default: 110 printf("?"); 111 return; 112 } 113 114 /* mask if not _both_ address and mask are zero */ 115 if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) && 116 PF_AZERO(&addr->v.a.mask, AF_INET6))) { 117 int bits = unmask(&addr->v.a.mask, af); 118 119 if (bits != (af == AF_INET ? 32 : 128)) 120 printf("/%d", bits); 121 } 122} 123 124void 125print_name(struct pf_addr *addr, sa_family_t af) 126{ 127 char host[NI_MAXHOST]; 128 129 strlcpy(host, "?", sizeof(host)); 130 switch (af) { 131 case AF_INET: { 132 struct sockaddr_in sin; 133 134 memset(&sin, 0, sizeof(sin)); 135 sin.sin_len = sizeof(sin); 136 sin.sin_family = AF_INET; 137 sin.sin_addr = addr->v4; 138 getnameinfo((struct sockaddr *)&sin, sin.sin_len, 139 host, sizeof(host), NULL, 0, NI_NOFQDN); 140 break; 141 } 142 case AF_INET6: { 143 struct sockaddr_in6 sin6; 144 145 memset(&sin6, 0, sizeof(sin6)); 146 sin6.sin6_len = sizeof(sin6); 147 sin6.sin6_family = AF_INET6; 148 sin6.sin6_addr = addr->v6; 149 getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len, 150 host, sizeof(host), NULL, 0, NI_NOFQDN); 151 break; 152 } 153 } 154 printf("%s", host); 155} 156 157void 158print_host(struct pf_state_host *h, sa_family_t af, int opts) 159{ 160 u_int16_t p = ntohs(h->port); 161 162 if (opts & PF_OPT_USEDNS) 163 print_name(&h->addr, af); 164 else { 165 struct pf_addr_wrap aw; 166 167 memset(&aw, 0, sizeof(aw)); 168 aw.v.a.addr = h->addr; 169 if (af == AF_INET) 170 aw.v.a.mask.addr32[0] = 0xffffffff; 171 else { 172 memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); 173 af = AF_INET6; 174 } 175 print_addr(&aw, af, opts & PF_OPT_VERBOSE2); 176 } 177 178 if (p) { 179 if (af == AF_INET) 180 printf(":%u", p); 181 else 182 printf("[%u]", p); 183 } 184} 185 186void 187print_seq(struct pf_state_peer *p) 188{ 189 if (p->seqdiff) 190 printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo, 191 p->seqdiff); 192 else 193 printf("[%u + %u]", p->seqlo, 
p->seqhi - p->seqlo); 194} 195 196void 197print_state(struct pf_state *s, int opts) 198{ 199 struct pf_state_peer *src, *dst; 200 struct protoent *p; 201 int min, sec; 202 203 if (s->direction == PF_OUT) { 204 src = &s->src; 205 dst = &s->dst; 206 } else { 207 src = &s->dst; 208 dst = &s->src; 209 } 210 printf("%s ", s->u.ifname); 211 if ((p = getprotobynumber(s->proto)) != NULL) 212 printf("%s ", p->p_name); 213 else 214 printf("%u ", s->proto); 215 if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) || 216 (s->lan.port != s->gwy.port)) { 217 print_host(&s->lan, s->af, opts); 218 if (s->direction == PF_OUT) 219 printf(" -> "); 220 else 221 printf(" <- "); 222 } 223 print_host(&s->gwy, s->af, opts); 224 if (s->direction == PF_OUT) 225 printf(" -> "); 226 else 227 printf(" <- "); 228 print_host(&s->ext, s->af, opts); 229 230 printf(" "); 231 if (s->proto == IPPROTO_TCP) { 232 if (src->state <= TCPS_TIME_WAIT && 233 dst->state <= TCPS_TIME_WAIT) 234 printf(" %s:%s\n", tcpstates[src->state], 235 tcpstates[dst->state]); 236 else if (src->state == PF_TCPS_PROXY_SRC || 237 dst->state == PF_TCPS_PROXY_SRC) 238 printf(" PROXY:SRC\n"); 239 else if (src->state == PF_TCPS_PROXY_DST || 240 dst->state == PF_TCPS_PROXY_DST) 241 printf(" PROXY:DST\n"); 242 else 243 printf(" <BAD STATE LEVELS %u:%u>\n", 244 src->state, dst->state); 245 if (opts & PF_OPT_VERBOSE) { 246 printf(" "); 247 print_seq(src); 248 if (src->wscale && dst->wscale) 249 printf(" wscale %u", 250 src->wscale & PF_WSCALE_MASK); 251 printf(" "); 252 print_seq(dst); 253 if (src->wscale && dst->wscale) 254 printf(" wscale %u", 255 dst->wscale & PF_WSCALE_MASK); 256 printf("\n"); 257 } 258 } else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES && 259 dst->state < PFUDPS_NSTATES) { 260 const char *states[] = PFUDPS_NAMES; 261 262 printf(" %s:%s\n", states[src->state], states[dst->state]); 263 } else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES && 264 dst->state < PFOTHERS_NSTATES) { 265 /* XXX 
ICMP doesn't really have state levels */ 266 const char *states[] = PFOTHERS_NAMES; 267 268 printf(" %s:%s\n", states[src->state], states[dst->state]); 269 } else { 270 printf(" %u:%u\n", src->state, dst->state); 271 } 272 273 if (opts & PF_OPT_VERBOSE) { 274 sec = s->creation % 60; 275 s->creation /= 60; 276 min = s->creation % 60; 277 s->creation /= 60; 278 printf(" age %.2u:%.2u:%.2u", s->creation, min, sec); 279 sec = s->expire % 60; 280 s->expire /= 60; 281 min = s->expire % 60; 282 s->expire /= 60; 283 printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
|
281 printf(", %u:%u pkts, %u:%u bytes",
|
284 printf(", %llu:%llu pkts, %llu:%llu bytes", 285#ifdef __FreeBSD__ 286 (unsigned long long)s->packets[0], 287 (unsigned long long)s->packets[1], 288 (unsigned long long)s->bytes[0], 289 (unsigned long long)s->bytes[1]); 290#else |
291 s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
|
292#endif |
293 if (s->anchor.nr != -1) 294 printf(", anchor %u", s->anchor.nr); 295 if (s->rule.nr != -1) 296 printf(", rule %u", s->rule.nr); 297 if (s->src_node != NULL) 298 printf(", source-track"); 299 if (s->nat_src_node != NULL) 300 printf(", sticky-address"); 301 printf("\n"); 302 } 303 if (opts & PF_OPT_VERBOSE2) {
|
304 printf(" id: %016llx creatorid: %08x%s\n", |
305#ifdef __FreeBSD__
|
295 printf(" id: %016llx creatorid: %08x\n",
296 (long long)be64toh(s->id), ntohl(s->creatorid));
|
306 (unsigned long long)be64toh(s->id), ntohl(s->creatorid), |
307#else
|
298 printf(" id: %016llx creatorid: %08x\n",
299 betoh64(s->id), ntohl(s->creatorid));
|
308 betoh64(s->id), ntohl(s->creatorid), |
309#endif
|
310 ((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : "")); |
311 } 312} 313 314int 315unmask(struct pf_addr *m, sa_family_t af) 316{ 317 int i = 31, j = 0, b = 0; 318 u_int32_t tmp; 319 320 while (j < 4 && m->addr32[j] == 0xffffffff) { 321 b += 32; 322 j++; 323 } 324 if (j < 4) { 325 tmp = ntohl(m->addr32[j]); 326 for (i = 31; tmp & (1 << i); --i) 327 b++; 328 } 329 return (b); 330}
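Review bot: The new `id:` line (new-side 304–310) casts `be64toh(s->id)` to `unsigned long long` only inside `#ifdef __FreeBSD__`, while the `#else` branch still passes `betoh64(s->id)` uncast to `%016llx`, so whether the format and argument types agree on that side depends on how `u_int64_t` is typedef'd there — a mismatch is undefined behavior under `-Wformat`. The same asymmetry exists on the pkts/bytes line just above it (new-side 284–291), where only the FreeBSD branch casts `s->packets[]`/`s->bytes[]`. Casting in both branches, e.g. `(unsigned long long)betoh64(s->id)` and `(unsigned long long)s->packets[0]` (and the other three counters), makes the `%llu`/`%llx` conversions correct regardless of platform typedef and would let the counter `#ifdef` collapse to a single `printf`. The byte-order helper name (`be64toh` vs `betoh64`) presumably still needs the `#ifdef`, so that part can stay.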
|