/*	$OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $	*/

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
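 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: stable/11/sbin/pfctl/pf_print_state.c 330449 2018-03-05 07:26:05Z eadler $");

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper (interface, table, range, address/mask,
 * no-route, urpf-failed) to stdout.  With verbose set, dynamic interface
 * and table entries also show their current address count.  For
 * address/mask entries a "/bits" suffix is appended unless the mask is a
 * full host mask for the family, or both address and mask are zero ("any").
 * inet_ntop() failures are rendered as "?" rather than aborting.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* Braced to make the else binding explicit. */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else {
			printf("<%s>", addr->v.tblname);
		}
		return;
	case PF_ADDR_RANGE: {
		char buf[48];

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits != (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-DNS name of addr (NI_NOFQDN) for AF_INET or AF_INET6.
 * The buffer is pre-filled with "?" so an unsupported family, or a
 * getnameinfo() failure that leaves the buffer untouched, prints "?".
 * The getnameinfo() return value is intentionally not checked.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	}
	printf("%s", host);
}

/*
 * Print a host address followed by its port (if non-zero).  With
 * PF_OPT_USEDNS the address is resolved via print_name(); otherwise it is
 * wrapped in a host-mask pf_addr_wrap and printed with print_addr().
 * port is in network byte order.  Note that af is only normalised to
 * AF_INET6 on the non-DNS path, so the ":port" vs "[port]" choice below
 * depends on the caller's af when DNS is in use.
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a TCP peer's sequence window as "[seqlo + (seqhi - seqlo)]",
 * with "(+seqdiff)" appended when a sequence modulator is active.
 * All fields are in network byte order.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

/*
 * Print one pfsync state entry in "pfctl -s states" format: interface,
 * protocol, wire/stack endpoints (the translated endpoint in parentheses
 * when NAT applies), direction and per-protocol state levels.
 * PF_OPT_VERBOSE adds sequence windows, age/expiry, counters and rule
 * info; PF_OPT_VERBOSE2 adds the state id and creator id.
 *
 * For ICMP the stack-side port is overwritten with the wire-side port
 * before comparison.  Under strict alignment this touches a local copy
 * of s->key; when __NO_STRICT_ALIGNMENT is defined it writes through
 * to the caller's s->key.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *key, *sk, *nk;
	struct protoent *p;
	int min, sec;
#ifndef __NO_STRICT_ALIGNMENT
	struct pfsync_state_key aligned_key[2];

	/* s->key may sit at an unaligned offset in the pfsync record. */
	bcopy(&s->key, aligned_key, sizeof(aligned_key));
	key = aligned_key;
#else
	key = s->key;
#endif

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &key[PF_SK_STACK];
		nk = &key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &key[PF_SK_WIRE];
		nk = &key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);

	print_host(&nk->addr[1], nk->port[1], s->af, opts);
	if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
	    nk->port[1] != sk->port[1]) {
		printf(" (");
		print_host(&sk->addr[1], sk->port[1], s->af, opts);
		printf(")");
	}
	if (s->direction == PF_OUT)
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], s->af, opts);
	if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
	    nk->port[0] != sk->port[0]) {
		printf(" (");
		print_host(&sk->addr[0], sk->port[0], s->af, opts);
		printf(")");
	}

	printf("    ");
	if (s->proto == IPPROTO_TCP) {
		/* Bounds check before indexing tcpstates[]. */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf("   %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf("   PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf("   PROXY:DST\n");
		else
			printf("   <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("   ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
#ifndef INET6
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
#else
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
#endif
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf("   %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* Split seconds into h:m:s for display. */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* Counters are byte arrays in the record; copy before use. */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %ju:%ju pkts, %ju:%ju bytes",
		    (uintmax_t )be64toh(packets[0]),
		    (uintmax_t )be64toh(packets[1]),
		    (uintmax_t )be64toh(bytes[0]),
		    (uintmax_t )be64toh(bytes[1]));
		if (ntohl(s->anchor) != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != -1)
			printf(", rule %u", ntohl(s->rule));
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf("   id: %016jx creatorid: %08x",
		    (uintmax_t )be64toh(id), ntohl(s->creatorid));
		printf("\n");
	}
}

/*
 * Return the prefix length of a network-byte-order mask: the number of
 * leading all-ones 32-bit words times 32, plus the leading one bits of
 * the first word that is not all ones.  Only the leading run is counted;
 * a non-contiguous mask yields the length of its leading ones.  af is
 * unused; the caller's family determines how many words are meaningful.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i = 31, j = 0, b = 0;
	u_int32_t tmp;

	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		/*
		 * 1U rather than 1: left-shifting a signed 1 by 31 is
		 * undefined behaviour.  The loop terminates with i >= 0
		 * because tmp is known not to be all ones here.
		 */
		for (i = 31; tmp & (1U << i); --i)
			b++;
	}
	return (b);
}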