pf_print_state.c revision 200930
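/*	$OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $	*/

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/contrib/pf/pfctl/pf_print_state.c 200930 2009-12-24 00:43:44Z delphij $");

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper to stdout.
 *
 * Dynamic-interface and address/mask entries fall out of the switch and
 * get a "/bits" suffix when the mask is not a full host mask; table,
 * no-route, urpf-failed, route-label and unknown entries return directly.
 * verbose adds the resolved address count to interface and table entries.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* Braces make the inner/outer else binding explicit. */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits != (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-DNS name for addr to stdout.  "?" is printed when
 * the address family is neither AF_INET nor AF_INET6 or when the
 * getnameinfo() lookup fails.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		/* Buffer contents are unspecified on failure; restore "?". */
		if (getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		if (getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	default:
		break;
	}
	printf("%s", host);
}

/*
 * Print a state endpoint (address and, when non-zero, port) to stdout.
 * With PF_OPT_USEDNS the address is resolved via print_name(); otherwise
 * it is printed as a host address through print_addr().  The port is
 * rendered ":port" for IPv4 and "[port]" for everything else.
 */
void
print_host(struct pf_state_host *h, sa_family_t af, int opts)
{
	u_int16_t p = ntohs(h->port);

	if (opts & PF_OPT_USEDNS)
		print_name(&h->addr, af);
	else {
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = h->addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			/* Treat every non-IPv4 family as IPv6 for printing. */
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (p) {
		if (af == AF_INET)
			printf(":%u", p);
		else
			printf("[%u]", p);
	}
}

/*
 * Print a TCP peer's sequence window as "[seqlo + window]" with an
 * optional "(+seqdiff)" modulator suffix.
 */
void
print_seq(struct pf_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
		    p->seqdiff);
	else
		printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
}

/*
 * Print one state entry to stdout.
 *
 * The first line carries interface, protocol, the lan/gwy/ext endpoints
 * and the per-protocol state names; PF_OPT_VERBOSE adds TCP sequence
 * windows plus an age/expiry/counter line, and PF_OPT_VERBOSE2 adds the
 * state id line.  State-name tables are only indexed after the bounds
 * checks on src->state and dst->state succeed.  The state is read but
 * never modified.
 */
void
print_state(struct pf_state *s, int opts)
{
	struct pf_state_peer *src, *dst;
	struct protoent *p;
	u_int32_t min, sec;

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
	} else {
		src = &s->dst;
		dst = &s->src;
	}
	printf("%s ", s->u.ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);
	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
	    (s->lan.port != s->gwy.port)) {
		print_host(&s->lan, s->af, opts);
		if (s->direction == PF_OUT)
			printf(" -> ");
		else
			printf(" <- ");
	}
	print_host(&s->gwy, s->af, opts);
	if (s->direction == PF_OUT)
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&s->ext, s->af, opts);

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		/*
		 * Split into h:m:s on local copies so that printing a
		 * state does not destroy s->creation / s->expire for
		 * any later use of the same entry.
		 */
		u_int32_t age = s->creation;
		u_int32_t expire = s->expire;

		sec = age % 60;
		age /= 60;
		min = age % 60;
		age /= 60;
		printf(" age %.2u:%.2u:%.2u", age, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
		printf(", %llu:%llu pkts, %llu:%llu bytes",
#ifdef __FreeBSD__
		    (unsigned long long)s->packets[0],
		    (unsigned long long)s->packets[1],
		    (unsigned long long)s->bytes[0],
		    (unsigned long long)s->bytes[1]);
#else
		    s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
#endif
		if (s->anchor.nr != -1)
			printf(", anchor %u", s->anchor.nr);
		if (s->rule.nr != -1)
			printf(", rule %u", s->rule.nr);
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->src_node != NULL)
			printf(", source-track");
		if (s->nat_src_node != NULL)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		printf(" id: %016llx creatorid: %08x%s\n",
#ifdef __FreeBSD__
		    (unsigned long long)be64toh(s->id), ntohl(s->creatorid),
#else
		    betoh64(s->id), ntohl(s->creatorid),
#endif
		    ((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
	}
}

/*
 * Return the prefix length of a network-order netmask: the number of
 * leading one bits across the four 32-bit words.  Bits after the first
 * zero bit are not examined.  af is accepted for interface compatibility
 * but not consulted.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i, j = 0, b = 0;
	u_int32_t tmp;

	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		/*
		 * Shift an unsigned constant: 1 << 31 overflows a signed
		 * int and is undefined behaviour.  tmp is not all-ones
		 * here, so the loop stops at a clear bit, but the i >= 0
		 * guard keeps the shift in range regardless.
		 */
		for (i = 31; i >= 0 && (tmp & (1U << i)); --i)
			b++;
	}
	return (b);
}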