pf_print_state.c revision 330449
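/*	$OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $	*/

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: stable/11/sbin/pfctl/pf_print_state.c 330449 2018-03-05 07:26:05Z eadler $");

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

/*
 * Text rendering of pf address specifications and pfsync state records,
 * as shown by pfctl(8). Everything here writes to stdout via printf(3).
 */

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print one pf address specification: a dynamic interface, a table, an
 * address range, an address/mask pair, or one of the special keywords.
 *
 * addr:    the address wrapper to print; addr->type selects the form.
 * af:      address family used when converting the binary address to text.
 * verbose: when non-zero, also emit the dynamic-interface / table entry
 *          counts kept in addr->p.
 *
 * Anything inet_ntop(3) cannot convert is printed as "?". For the
 * interface and address/mask forms a "/bits" suffix is appended unless the
 * mask is full length or both address and mask are all zero.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			/* a non-positive count is shown as "*" */
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* braces make the else pairing explicit */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE: {
		char buf[48];	/* larger than INET6_ADDRSTRLEN */

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		/* an all-zero address with an all-zero mask is spelled "any" */
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		/* a full-length mask is implied and therefore not printed */
		if (bits != (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Resolve addr with getnameinfo(3) and print the resulting host name.
 *
 * addr: address to resolve.
 * af:   AF_INET or AF_INET6; any other family prints "?".
 *
 * A failed lookup prints "?" as well, instead of whatever the resolver
 * may have left in the buffer.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];
	int error = -1;

	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		error = getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		error = getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	default:
		break;
	}
	/* unknown family or lookup failure: do not print an unset buffer */
	if (error != 0)
		strlcpy(host, "?", sizeof(host));
	printf("%s", host);
}

/*
 * Print a single host address, optionally followed by a port.
 *
 * addr: address to print.
 * port: port in network byte order; 0 suppresses the port entirely.
 * af:   address family; in the non-DNS path anything other than AF_INET is
 *       printed as AF_INET6.
 * opts: PF_OPT_USEDNS selects name resolution via print_name(),
 *       PF_OPT_VERBOSE2 is passed through to print_addr().
 *
 * IPv4 ports are printed as ":port", IPv6 ports as "[port]".
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		/* full-length host mask so print_addr() omits "/bits" */
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a TCP peer's sequence window as "[seqlo + length]", with the
 * sequence modulator "(+seqdiff)" appended when seqdiff is non-zero.
 * All fields are converted from network byte order first.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

/*
 * Print one pfsync state record on one or more lines.
 *
 * s:    the state, as returned by the kernel; fields are in network byte
 *       order and are converted here.
 * opts: PF_OPT_VERBOSE adds age/expiry, counters, rule and flag details;
 *       PF_OPT_VERBOSE2 adds the state id and creator id. PF_OPT_USEDNS is
 *       forwarded to print_host().
 *
 * The first line is "ifname proto src (nat-src) -> dst (nat-dst) state:state";
 * the direction arrow and which key is the wire side depend on s->direction.
 * Note that for ICMP the stack key's port is overwritten with the wire
 * key's port; on platforms without strict alignment this modifies s->key
 * in place.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *key, *sk, *nk;
	struct protoent *p;
	u_int32_t min, sec;
#ifndef __NO_STRICT_ALIGNMENT
	struct pfsync_state_key aligned_key[2];

	/* s may be packed/unaligned; work on an aligned copy of the keys */
	bcopy(&s->key, aligned_key, sizeof(aligned_key));
	key = aligned_key;
#else
	key = s->key;
#endif

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &key[PF_SK_STACK];
		nk = &key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &key[PF_SK_WIRE];
		nk = &key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);

	/* the translated endpoint is shown in parentheses when it differs */
	print_host(&nk->addr[1], nk->port[1], s->af, opts);
	if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
	    nk->port[1] != sk->port[1]) {
		printf(" (");
		print_host(&sk->addr[1], sk->port[1], s->af, opts);
		printf(")");
	}
	if (s->direction == PF_OUT)
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], s->af, opts);
	if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
	    nk->port[0] != sk->port[0]) {
		printf(" (");
		print_host(&sk->addr[0], sk->port[0], s->af, opts);
		printf(")");
	}

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		/* tcpstates[] is only indexable up to TCPS_TIME_WAIT */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf("   %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf("   PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf("   PROXY:DST\n");
		else
			printf("   <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("   ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
#ifndef INET6
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
#else
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
#endif
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf("   %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* split seconds into h:m:s; min/sec are unsigned to match %u */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* counters are byte arrays in s; copy out before byte-swapping */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %ju:%ju pkts, %ju:%ju bytes",
		    (uintmax_t )be64toh(packets[0]),
		    (uintmax_t )be64toh(packets[1]),
		    (uintmax_t )be64toh(bytes[0]),
		    (uintmax_t )be64toh(bytes[1]));
		/* all-ones means "no anchor"/"no rule" */
		if (ntohl(s->anchor) != (u_int32_t)-1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != (u_int32_t)-1)
			printf(", rule %u", ntohl(s->rule));
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf("   id: %016jx creatorid: %08x",
		    (uintmax_t )be64toh(id), ntohl(s->creatorid));
		printf("\n");
	}
}

/*
 * Return the prefix length of a network mask: the number of consecutive
 * one bits counted from the most significant bit of addr32[0].
 *
 * m:  the mask, as four 32-bit words in network byte order.
 * af: unused; kept for interface compatibility.
 *
 * Counting stops at the first clear bit, so a non-contiguous mask is
 * reported as the length of its leading run of ones only.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i, j = 0, b = 0;
	u_int32_t tmp;

	/* whole words of ones first */
	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		/*
		 * Partial word. Use an unsigned shift: 1 << 31 overflows a
		 * signed int and is undefined behaviour.
		 */
		tmp = ntohl(m->addr32[j]);
		for (i = 31; i >= 0 && (tmp & (1U << i)); --i)
			b++;
	}
	return (b);
}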