1/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */ 2 3/* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 
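 *
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/types.h>
#include <sys/socket.h>
#ifdef __FreeBSD__
#include <sys/endian.h>
#define betoh64 be64toh
#endif
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper to stdout in pfctl's rule syntax: a dynamic
 * interface "(if:flags)", a table "<name>", a range "a - b", an address
 * (with "/bits" appended unless it is a full host mask), "any", or one of
 * the keyword forms (no-route, urpf-failed, route "label").
 *
 * addr:    the address to print
 * af:      address family used to render the raw address bytes
 * verbose: non-zero also prints the dynamic-interface / table counters
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	char buf[INET6_ADDRSTRLEN];

	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			/* A non-positive count is shown as "*". */
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* Braces make the else binding explicit. */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE:
		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		/* For a range the mask slot is printed as the upper end. */
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else if (inet_ntop(af, &addr->v.a.addr, buf,
		    sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/*
	 * Only the dynamic-interface, range and address/mask cases get here.
	 * Append the prefix length unless _both_ address and mask are zero
	 * (printed as "any" above) or the mask is a full host mask.
	 */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits != (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-DNS name of addr, or "?" when the family is not
 * AF_INET/AF_INET6 or the lookup fails.
 *
 * Fix: the return value of getnameinfo() was ignored; on failure the
 * contents of host are unspecified, so reset it to "?" explicitly.
 *
 * NOTE(review): the name is the result of a reverse lookup on an address
 * taken from the state table and is printed unescaped; nothing here
 * guarantees it is free of non-printable characters.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];
	int error = 0;

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		error = getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		error = getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	default:
		break;
	}
	if (error != 0)
		strlcpy(host, "?", sizeof(host));
	printf("%s", host);
}

/*
 * Print one endpoint of a state: the address (by name when PF_OPT_USEDNS
 * is set, otherwise numerically as a host address) followed by the port.
 *
 * addr: host address
 * port: port in network byte order; 0 suppresses the port
 * af:   address family; anything but AF_INET is treated as AF_INET6
 * opts: PF_OPT_* flags (PF_OPT_USEDNS, PF_OPT_VERBOSE2 are consulted)
 *
 * IPv4 ports print as ":port", IPv6 ports as "[port]".
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		/* Wrap the address with a full host mask so no "/bits" prints. */
		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a peer's TCP sequence window as "[seqlo + window]", followed by
 * "(+seqdiff)" when a sequence number modulation offset is in effect.
 * All fields are read in network byte order.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo),
		    ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

/*
 * Print one pfsync state entry in "pfctl -s states" format:
 *
 *   ifname proto addr:port [(nat-addr:port)] -> addr:port [(...)] STATE:STATE
 *
 * followed, with PF_OPT_VERBOSE, by the sequence windows (TCP), age,
 * expiry, counters and flags, and with PF_OPT_VERBOSE2 by the state id
 * and creator id.
 *
 * s:    the state; NOTE it is modified in place for ICMP (see below)
 * opts: PF_OPT_* flags
 *
 * The wire key is printed first and the stack key in parentheses only
 * where the two differ (i.e. where translation applies).
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;

	/*
	 * Orient the peers and keys by direction so that "src" is always
	 * the initiating side.  For ICMP the port slot is copied between the
	 * keys on one side so that the wire/stack comparison below does not
	 * print a spurious "(...)" annotation for it (presumably the ICMP id
	 * lives in that slot; not verified here).
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);

	print_host(&nk->addr[1], nk->port[1], s->af, opts);
	if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
	    nk->port[1] != sk->port[1]) {
		printf(" (");
		print_host(&sk->addr[1], sk->port[1], s->af, opts);
		printf(")");
	}
	if (s->direction == PF_OUT)
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], s->af, opts);
	if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
	    nk->port[0] != sk->port[0]) {
		printf(" (");
		print_host(&sk->addr[0], sk->port[0], s->af, opts);
		printf(")");
	}

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("   ");
			print_seq(src);
			/* wscale is only meaningful when both sides sent it. */
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* Out-of-range state levels are printed numerically. */
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);
		u_int32_t min, sec;

		/* Split a second count into h:mm:ss (hours are unbounded). */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/*
		 * The counters are byte arrays in the wire structure; copy
		 * them out before converting from big-endian.
		 */
		memcpy(&packets[0], s->packets[0], sizeof(u_int64_t));
		memcpy(&packets[1], s->packets[1], sizeof(u_int64_t));
		memcpy(&bytes[0], s->bytes[0], sizeof(u_int64_t));
		memcpy(&bytes[1], s->bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
#ifdef __FreeBSD__
		    (unsigned long long)betoh64(packets[0]),
		    (unsigned long long)betoh64(packets[1]),
		    (unsigned long long)betoh64(bytes[0]),
		    (unsigned long long)betoh64(bytes[1]));
#else
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
#endif
		/* All-ones marks "no anchor" / "no rule". */
		if (ntohl(s->anchor) != (u_int32_t)-1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != (u_int32_t)-1)
			printf(", rule %u", ntohl(s->rule));
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->state_flags & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		memcpy(&id, &s->id, sizeof(u_int64_t));
		printf("   id: %016llx creatorid: %08x",
#ifdef __FreeBSD__
		    (unsigned long long)betoh64(id), ntohl(s->creatorid));
#else
		    betoh64(id), ntohl(s->creatorid));
#endif
		printf("\n");
	}
}

/*
 * Return the prefix length of the network-order mask m, i.e. the number
 * of leading one bits.
 *
 * af is kept for interface compatibility but is not consulted: the scan
 * simply stops at the first word that is not all ones (for AF_INET the
 * caller presumably leaves addr32[1..3] zero, as print_host() does).
 *
 * Fix: the bit test used (1 << i) with i == 31, which shifts a signed int
 * into its sign bit (undefined behavior); the constant is now unsigned and
 * the loop is bounded at bit 0.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int b = 0, j = 0;

	(void)af;
	/* Whole words of ones first ... */
	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		u_int32_t tmp = ntohl(m->addr32[j]);

		/* ... then the leading ones of the first partial word. */
		for (int i = 31; i >= 0 && (tmp & (1U << i)); --i)
			b++;
	}
	return (b);
}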