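/* $OpenBSD: pf_print_state.c,v 1.39 2004/02/10 17:48:08 henning Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void		 print_name(struct pf_addr *, sa_family_t);
static void	 print_hms(u_int32_t);

/*
 * Print a rule/state address wrapper in pf.conf syntax.
 *
 * addr:    the wrapped address (interface, table, address/mask, no-route).
 * af:      address family used to render PF_ADDR_ADDRMASK entries.
 * verbose: when non-zero, also print the dynamic/table entry count.
 *
 * The trailing "/bits" mask suffix is printed for the interface and
 * address/mask forms only; the table and no-route forms return early.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;	/* continue below: an interface may carry a mask */
	case PF_ADDR_TABLE:
		/* braces make the nested else binding explicit */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else {
			printf("<%s>", addr->v.tblname);
		}
		return;
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6)) {
			printf("any");
		} else {
			char buf[48];	/* > INET6_ADDRSTRLEN */

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);
		int full = (af == AF_INET) ? 32 : 128;

		/* a host mask is implicit and not printed */
		if (bits != full)
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-DNS name of addr (without domain suffix), or "?"
 * when the family is unknown or the lookup fails.
 *
 * NOTE(review): the name comes from the resolver and is written to
 * stdout verbatim; treat it as untrusted data if the output reaches a
 * terminal or a parser, and consider filtering non-printable bytes.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];
	int error = -1;	/* "not resolved" until getnameinfo succeeds */

	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		error = getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		error = getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	default:
		break;
	}
	/*
	 * On failure the contents of host are unspecified, so do not rely
	 * on a pre-filled buffer surviving the call.
	 */
	if (error != 0)
		strlcpy(host, "?", sizeof(host));
	printf("%s", host);
}

/*
 * Print one endpoint of a state: the address (as a name when
 * PF_OPT_USEDNS is set) followed by the port, if any.
 *
 * h:    state endpoint (address plus port in network byte order).
 * af:   address family of the state.
 * opts: PF_OPT_* flags; PF_OPT_USEDNS selects reverse lookup,
 *       PF_OPT_VERBOSE2 is forwarded to print_addr().
 */
void
print_host(struct pf_state_host *h, sa_family_t af, int opts)
{
	u_int16_t port = ntohs(h->port);

	if (opts & PF_OPT_USEDNS) {
		print_name(&h->addr, af);
	} else {
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = h->addr;
		if (af == AF_INET) {
			aw.v.a.mask.addr32[0] = 0xffffffff;
		} else {
			/* anything that is not v4 is rendered as a v6 host */
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	/* v4 uses "addr:port", v6 uses "addr[port]" to avoid ':' clashes */
	if (port) {
		if (af == AF_INET)
			printf(":%u", port);
		else
			printf("[%u]", port);
	}
}

/*
 * Print a TCP peer's sequence window as "[lo + len]" plus the
 * modulator offset "(+diff)" when sequence number modulation is active.
 */
void
print_seq(struct pf_state_peer *p)
{
	u_int32_t len = p->seqhi - p->seqlo;

	if (p->seqdiff)
		printf("[%u + %u](+%u)", p->seqlo, len, p->seqdiff);
	else
		printf("[%u + %u]", p->seqlo, len);
}

/*
 * Print a duration given in seconds as "HH:MM:SS"; the hour field is
 * not wrapped, so long-lived states print hours above 99.
 */
static void
print_hms(u_int32_t secs)
{
	u_int32_t sec = secs % 60;
	u_int32_t min = (secs / 60) % 60;
	u_int32_t hour = secs / 3600;

	printf("%.2u:%.2u:%.2u", hour, min, sec);
}

/*
 * Print one state table entry as shown by "pfctl -s states".
 *
 * s:    the state as exported by the kernel.
 * opts: PF_OPT_* flags; PF_OPT_VERBOSE adds sequence numbers, age,
 *       expiry, counters and rule references, PF_OPT_VERBOSE2 adds the
 *       state id and creator id.
 *
 * The state is only read; in particular the age/expiry fields are no
 * longer divided in place, so the same entry may be printed more than
 * once.  Every index into a state-name table is range-checked first,
 * so unexpected state levels print as numbers rather than reading
 * outside the table.
 */
void
print_state(struct pf_state *s, int opts)
{
	struct pf_state_peer *src, *dst;
	struct protoent *p;

	/* "src" is always the side that initiated the connection */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
	} else {
		src = &s->dst;
		dst = &s->src;
	}
	printf("%s ", s->u.ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);

	/* the lan side is only shown when NAT/RDR changed it */
	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
	    (s->lan.port != s->gwy.port)) {
		print_host(&s->lan, s->af, opts);
		printf(s->direction == PF_OUT ? " -> " : " <- ");
	}
	print_host(&s->gwy, s->af, opts);
	printf(s->direction == PF_OUT ? " -> " : " <- ");
	print_host(&s->ext, s->af, opts);

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			int scaling = src->wscale && dst->wscale;

			printf("   ");
			print_seq(src);
			if (scaling)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (scaling)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf("   %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		printf("   age ");
		print_hms(s->creation);
		printf(", expires in ");
		print_hms(s->expire);
		printf(", %u:%u pkts, %u:%u bytes",
		    s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
		if (s->anchor.nr != -1)
			printf(", anchor %u", s->anchor.nr);
		if (s->rule.nr != -1)
			printf(", rule %u", s->rule.nr);
		if (s->src_node != NULL)
			printf(", source-track");
		if (s->nat_src_node != NULL)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		printf("   id: %016llx creatorid: %08x\n",
		    betoh64(s->id), ntohl(s->creatorid));
	}
}

/*
 * Return the prefix length of the network mask m, counting leading
 * one bits from the most significant word down.
 *
 * af is accepted for interface compatibility and not consulted: the
 * count simply stops at the first zero bit, and for IPv4 the trailing
 * words are expected to be zero.  A non-contiguous mask is not
 * detected; its prefix length is the length of its leading run of ones.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int bits = 0;
	int word = 0;

	while (word < 4 && m->addr32[word] == 0xffffffff) {
		bits += 32;
		word++;
	}
	if (word < 4) {
		u_int32_t tmp = ntohl(m->addr32[word]);
		int i;

		/* unsigned shift: 1 << 31 would overflow a signed int */
		for (i = 31; i >= 0 && (tmp & (1U << i)); --i)
			bits++;
	}
	return (bits);
}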