parse.y revision 1.464
1/* $OpenBSD: parse.y,v 1.464 2004/12/07 09:36:16 deraadt Exp $ */ 2 3/* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * Copyright (c) 2002,2003 Henning Brauer 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * - Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * - Redistributions in binary form must reproduce the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer in the documentation and/or other materials provided 17 * with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 * 32 */ 33 34#include <sys/types.h> 35#include <sys/ioctl.h> 36#include <sys/socket.h> 37#include <sys/param.h> 38#include <sys/proc.h> 39#include <net/if.h> 40#include <netinet/in.h> 41#include <netinet/in_systm.h> 42#include <netinet/ip.h> 43#include <netinet/ip_icmp.h> 44#include <netinet/icmp6.h> 45#include <net/pfvar.h> 46#include <arpa/inet.h> 47 48#include <stdio.h> 49#include <stdlib.h> 50#include <string.h> 51#include <ctype.h> 52#include <netdb.h> 53#include <stdarg.h> 54#include <errno.h> 55#include <err.h> 56#include <ifaddrs.h> 57 58#include "pfctl_parser.h" 59#include "pfctl.h" 60 61void print_op (u_int8_t, const char *, const char *); 62void print_port (u_int8_t, u_int16_t, u_int16_t, const char *); 63void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned); 64void print_flags (u_int8_t); 65void print_fromto(struct pf_rule_addr *, pf_osfp_t, 66 struct pf_rule_addr *, u_int8_t, u_int8_t, int); 67int ifa_skip_if(const char *filter, struct node_host *p); 68 69struct node_host *host_if(const char *, int); 70struct node_host *host_v4(const char *, int); 71struct node_host *host_v6(const char *, int); 72struct node_host *host_dns(const char *, int, int); 73 74const char *tcpflags = "FSRPAUEW"; 75 76static const struct icmptypeent icmp_type[] = { 77 { "echoreq", ICMP_ECHO }, 78 { "echorep", ICMP_ECHOREPLY }, 79 { "unreach", ICMP_UNREACH }, 80 { "squench", ICMP_SOURCEQUENCH }, 81 { "redir", ICMP_REDIRECT }, 82 { "althost", ICMP_ALTHOSTADDR }, 83 { "routeradv", ICMP_ROUTERADVERT }, 84 { "routersol", ICMP_ROUTERSOLICIT }, 85 { "timex", ICMP_TIMXCEED }, 86 { "paramprob", ICMP_PARAMPROB }, 87 { "timereq", ICMP_TSTAMP }, 88 { "timerep", ICMP_TSTAMPREPLY }, 89 { "inforeq", ICMP_IREQ }, 90 { "inforep", ICMP_IREQREPLY }, 91 { "maskreq", ICMP_MASKREQ }, 92 { "maskrep", ICMP_MASKREPLY }, 93 { "trace", ICMP_TRACEROUTE }, 94 { "dataconv", ICMP_DATACONVERR }, 95 { "mobredir", ICMP_MOBILE_REDIRECT }, 96 { "ipv6-where", ICMP_IPV6_WHEREAREYOU }, 97 { "ipv6-here", ICMP_IPV6_IAMHERE }, 98 { "mobregreq", ICMP_MOBILE_REGREQUEST }, 99 { "mobregrep", ICMP_MOBILE_REGREPLY }, 100 { "skip", ICMP_SKIP }, 101 { "photuris", ICMP_PHOTURIS } 102}; 103 104static const struct icmptypeent icmp6_type[] = { 105 { "unreach", ICMP6_DST_UNREACH }, 106 { "toobig", ICMP6_PACKET_TOO_BIG }, 107 { "timex", ICMP6_TIME_EXCEEDED }, 108 { "paramprob", ICMP6_PARAM_PROB }, 109 { "echoreq", ICMP6_ECHO_REQUEST }, 110 { "echorep", ICMP6_ECHO_REPLY }, 111 { "groupqry", ICMP6_MEMBERSHIP_QUERY }, 112 { "listqry", MLD_LISTENER_QUERY }, 113 { "grouprep", ICMP6_MEMBERSHIP_REPORT }, 114 { "listenrep", MLD_LISTENER_REPORT }, 115 { "groupterm", ICMP6_MEMBERSHIP_REDUCTION }, 116 { "listendone", MLD_LISTENER_DONE }, 117 { "routersol", ND_ROUTER_SOLICIT }, 118 { "routeradv", ND_ROUTER_ADVERT }, 119 { "neighbrsol", ND_NEIGHBOR_SOLICIT }, 120 { "neighbradv", ND_NEIGHBOR_ADVERT }, 121 { "redir", ND_REDIRECT }, 122 { "routrrenum", ICMP6_ROUTER_RENUMBERING }, 123 { "wrureq", ICMP6_WRUREQUEST }, 124 { "wrurep", ICMP6_WRUREPLY }, 125 { "fqdnreq", ICMP6_FQDN_QUERY }, 126 { "fqdnrep", ICMP6_FQDN_REPLY }, 127 { "niqry", ICMP6_NI_QUERY }, 128 { "nirep", ICMP6_NI_REPLY }, 129 { "mtraceresp", MLD_MTRACE_RESP }, 130 { "mtrace", MLD_MTRACE } 131}; 132 133static const struct icmpcodeent icmp_code[] = { 134 { "net-unr", ICMP_UNREACH, ICMP_UNREACH_NET }, 135 { "host-unr", ICMP_UNREACH, ICMP_UNREACH_HOST }, 136 { "proto-unr", ICMP_UNREACH, ICMP_UNREACH_PROTOCOL }, 137 { "port-unr", ICMP_UNREACH, ICMP_UNREACH_PORT }, 138 { "needfrag", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG }, 139 { "srcfail", ICMP_UNREACH, ICMP_UNREACH_SRCFAIL }, 140 { "net-unk", ICMP_UNREACH, ICMP_UNREACH_NET_UNKNOWN }, 141 { "host-unk", ICMP_UNREACH, ICMP_UNREACH_HOST_UNKNOWN }, 142 { "isolate", ICMP_UNREACH, ICMP_UNREACH_ISOLATED }, 143 { "net-prohib", ICMP_UNREACH, ICMP_UNREACH_NET_PROHIB }, 144 { "host-prohib", ICMP_UNREACH, ICMP_UNREACH_HOST_PROHIB }, 145 { "net-tos", ICMP_UNREACH, ICMP_UNREACH_TOSNET }, 146 { "host-tos", ICMP_UNREACH, ICMP_UNREACH_TOSHOST }, 147 { "filter-prohib", ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB }, 148 { "host-preced", ICMP_UNREACH, ICMP_UNREACH_HOST_PRECEDENCE }, 149 { "cutoff-preced", ICMP_UNREACH, ICMP_UNREACH_PRECEDENCE_CUTOFF }, 150 { "redir-net", ICMP_REDIRECT, ICMP_REDIRECT_NET }, 151 { "redir-host", ICMP_REDIRECT, ICMP_REDIRECT_HOST }, 152 { "redir-tos-net", ICMP_REDIRECT, ICMP_REDIRECT_TOSNET }, 153 { "redir-tos-host", ICMP_REDIRECT, ICMP_REDIRECT_TOSHOST }, 154 { "normal-adv", ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL }, 155 { "common-adv", ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON }, 156 { "transit", ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS }, 157 { "reassemb", ICMP_TIMXCEED, ICMP_TIMXCEED_REASS }, 158 { "badhead", ICMP_PARAMPROB, ICMP_PARAMPROB_ERRATPTR }, 159 { "optmiss", ICMP_PARAMPROB, ICMP_PARAMPROB_OPTABSENT }, 160 { "badlen", ICMP_PARAMPROB, ICMP_PARAMPROB_LENGTH }, 161 { "unknown-ind", ICMP_PHOTURIS, ICMP_PHOTURIS_UNKNOWN_INDEX }, 162 { "auth-fail", ICMP_PHOTURIS, ICMP_PHOTURIS_AUTH_FAILED }, 163 { "decrypt-fail", ICMP_PHOTURIS, ICMP_PHOTURIS_DECRYPT_FAILED } 164}; 165 166static const struct icmpcodeent icmp6_code[] = { 167 { "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN }, 168 { "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE }, 169 { "notnbr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR }, 170 { "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE }, 171 { "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR }, 172 { "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT }, 173 { "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT }, 174 { "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY }, 175 { "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER }, 176 { "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER }, 177 { "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK }, 178 { "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER } 179}; 180 181const struct pf_timeout pf_timeouts[] = { 182 { "tcp.first", PFTM_TCP_FIRST_PACKET }, 183 { "tcp.opening", PFTM_TCP_OPENING }, 184 { "tcp.established", PFTM_TCP_ESTABLISHED }, 185 { "tcp.closing", PFTM_TCP_CLOSING }, 186 { "tcp.finwait", PFTM_TCP_FIN_WAIT }, 187 { "tcp.closed", PFTM_TCP_CLOSED }, 188 { "tcp.tsdiff", PFTM_TS_DIFF }, 189 { "udp.first", PFTM_UDP_FIRST_PACKET }, 190 { "udp.single", PFTM_UDP_SINGLE }, 191 { "udp.multiple", PFTM_UDP_MULTIPLE }, 192 { "icmp.first", PFTM_ICMP_FIRST_PACKET }, 193 { "icmp.error", PFTM_ICMP_ERROR_REPLY }, 194 { "other.first", PFTM_OTHER_FIRST_PACKET }, 195 { "other.single", PFTM_OTHER_SINGLE }, 196 { "other.multiple", PFTM_OTHER_MULTIPLE }, 197 { "frag", PFTM_FRAG }, 198 { "interval", PFTM_INTERVAL }, 199 { "adaptive.start", PFTM_ADAPTIVE_START }, 200 { "adaptive.end", PFTM_ADAPTIVE_END }, 201 { "src.track", PFTM_SRC_NODE }, 202 { NULL, 0 } 203}; 204 205const struct icmptypeent * 206geticmptypebynumber(u_int8_t type, sa_family_t af) 207{ 208 unsigned int i; 209 210 if (af != AF_INET6) { 211 for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); 212 i++) { 213 if (type == icmp_type[i].type) 214 return (&icmp_type[i]); 215 } 216 } else { 217 for (i=0; i < (sizeof (icmp6_type) / 218 sizeof(icmp6_type[0])); i++) { 219 if (type == icmp6_type[i].type) 220 return (&icmp6_type[i]); 221 } 222 } 223 return (NULL); 224} 225 226const struct icmptypeent * 227geticmptypebyname(char *w, sa_family_t af) 228{ 229 unsigned int i; 230 231 if (af != AF_INET6) { 232 for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); 233 i++) { 234 if (!strcmp(w, icmp_type[i].name)) 235 return (&icmp_type[i]); 236 } 237 } else { 238 for (i=0; i < (sizeof (icmp6_type) / 239 sizeof(icmp6_type[0])); i++) { 240 if (!strcmp(w, icmp6_type[i].name)) 241 return (&icmp6_type[i]); 242 } 243 } 244 return (NULL); 245} 246 247const struct icmpcodeent * 248geticmpcodebynumber(u_int8_t type, u_int8_t code, sa_family_t af) 249{ 250 unsigned int i; 251 252 if (af != AF_INET6) { 253 for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); 254 i++) { 255 if (type == icmp_code[i].type && 256 code == icmp_code[i].code) 257 return (&icmp_code[i]); 258 } 259 } else { 260 for (i=0; i < (sizeof (icmp6_code) / 261 sizeof(icmp6_code[0])); i++) { 262 if (type == icmp6_code[i].type && 263 code == icmp6_code[i].code) 264 return (&icmp6_code[i]); 265 } 266 } 267 return (NULL); 268} 269 270const struct icmpcodeent * 271geticmpcodebyname(u_long type, char *w, sa_family_t af) 272{ 273 unsigned int i; 274 275 if (af != AF_INET6) { 276 for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); 277 i++) { 278 if (type == icmp_code[i].type && 279 !strcmp(w, icmp_code[i].name)) 280 return (&icmp_code[i]); 281 } 282 } else { 283 for (i=0; i < (sizeof (icmp6_code) / 284 sizeof(icmp6_code[0])); i++) { 285 if (type == icmp6_code[i].type && 286 !strcmp(w, icmp6_code[i].name)) 287 return (&icmp6_code[i]); 288 } 289 } 290 return (NULL); 291} 292 293void 294print_op(u_int8_t op, const char *a1, const char *a2) 295{ 296 if (op == PF_OP_IRG) 297 printf(" %s >< %s", a1, a2); 298 else if (op == PF_OP_XRG) 299 printf(" %s <> %s", a1, a2); 300 else if (op == PF_OP_EQ) 301 printf(" = %s", a1); 302 else if (op == PF_OP_NE) 303 printf(" != %s", a1); 304 else if (op == PF_OP_LT) 305 printf(" < %s", a1); 306 else if (op == PF_OP_LE) 307 printf(" <= %s", a1); 308 else if (op == PF_OP_GT) 309 printf(" > %s", a1); 310 else if (op == PF_OP_GE) 311 printf(" >= %s", a1); 312 else if (op == PF_OP_RRG) 313 printf(" %s:%s", a1, a2); 314} 315 316void 317print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto) 318{ 319 char a1[6], a2[6]; 320 struct servent *s; 321 322 s = getservbyport(p1, proto); 323 p1 = ntohs(p1); 324 p2 = ntohs(p2); 325 snprintf(a1, sizeof(a1), "%u", p1); 326 snprintf(a2, sizeof(a2), "%u", p2); 327 printf(" port"); 328 if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE)) 329 print_op(op, s->s_name, a2); 330 else 331 print_op(op, a1, a2); 332} 333 334void 335print_ugid(u_int8_t op, unsigned u1, unsigned u2, const char *t, unsigned umax) 336{ 337 char a1[11], a2[11]; 338 339 snprintf(a1, sizeof(a1), "%u", u1); 340 snprintf(a2, sizeof(a2), "%u", u2); 341 printf(" %s", t); 342 if (u1 == umax && (op == PF_OP_EQ || op == PF_OP_NE)) 343 print_op(op, "unknown", a2); 344 else 345 print_op(op, a1, a2); 346} 347 348void 349print_flags(u_int8_t f) 350{ 351 int i; 352 353 for (i = 0; tcpflags[i]; ++i) 354 if (f & (1 << i)) 355 printf("%c", tcpflags[i]); 356} 357 358void 359print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst, 360 sa_family_t af, u_int8_t proto, int verbose) 361{ 362 char buf[PF_OSFP_LEN*3]; 363 if (src->addr.type == PF_ADDR_ADDRMASK && 364 dst->addr.type == PF_ADDR_ADDRMASK && 365 PF_AZERO(&src->addr.v.a.addr, AF_INET6) && 366 PF_AZERO(&src->addr.v.a.mask, AF_INET6) && 367 PF_AZERO(&dst->addr.v.a.addr, AF_INET6) && 368 PF_AZERO(&dst->addr.v.a.mask, AF_INET6) && 369 !src->neg && !dst->neg && 370 !src->port_op && !dst->port_op && 371 osfp == PF_OSFP_ANY) 372 printf(" all"); 373 else { 374 printf(" from "); 375 if (src->neg) 376 printf("! "); 377 print_addr(&src->addr, af, verbose); 378 if (src->port_op) 379 print_port(src->port_op, src->port[0], 380 src->port[1], 381 proto == IPPROTO_TCP ? "tcp" : "udp"); 382 if (osfp != PF_OSFP_ANY) 383 printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf, 384 sizeof(buf))); 385 386 printf(" to "); 387 if (dst->neg) 388 printf("! "); 389 print_addr(&dst->addr, af, verbose); 390 if (dst->port_op) 391 print_port(dst->port_op, dst->port[0], 392 dst->port[1], 393 proto == IPPROTO_TCP ? "tcp" : "udp"); 394 } 395} 396 397void 398print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2, 399 sa_family_t af, int id) 400{ 401 struct pf_pooladdr *pooladdr; 402 403 if ((TAILQ_FIRST(&pool->list) != NULL) && 404 TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL) 405 printf("{ "); 406 TAILQ_FOREACH(pooladdr, &pool->list, entries){ 407 switch (id) { 408 case PF_NAT: 409 case PF_RDR: 410 case PF_BINAT: 411 print_addr(&pooladdr->addr, af, 0); 412 break; 413 case PF_PASS: 414 if (PF_AZERO(&pooladdr->addr.v.a.addr, af)) 415 printf("%s", pooladdr->ifname); 416 else { 417 printf("(%s ", pooladdr->ifname); 418 print_addr(&pooladdr->addr, af, 0); 419 printf(")"); 420 } 421 break; 422 default: 423 break; 424 } 425 if (TAILQ_NEXT(pooladdr, entries) != NULL) 426 printf(", "); 427 else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL) 428 printf(" }"); 429 } 430 switch (id) { 431 case PF_NAT: 432 if ((p1 != PF_NAT_PROXY_PORT_LOW || 433 p2 != PF_NAT_PROXY_PORT_HIGH) && (p1 != 0 || p2 != 0)) { 434 if (p1 == p2) 435 printf(" port %u", p1); 436 else 437 printf(" port %u:%u", p1, p2); 438 } 439 break; 440 case PF_RDR: 441 if (p1) { 442 printf(" port %u", p1); 443 if (p2 && (p2 != p1)) 444 printf(":%u", p2); 445 } 446 break; 447 default: 448 break; 449 } 450 switch (pool->opts & PF_POOL_TYPEMASK) { 451 case PF_POOL_NONE: 452 break; 453 case PF_POOL_BITMASK: 454 printf(" bitmask"); 455 break; 456 case PF_POOL_RANDOM: 457 printf(" random"); 458 break; 459 case PF_POOL_SRCHASH: 460 printf(" source-hash 0x%08x%08x%08x%08x", 461 pool->key.key32[0], pool->key.key32[1], 462 pool->key.key32[2], pool->key.key32[3]); 463 break; 464 case PF_POOL_ROUNDROBIN: 465 printf(" round-robin"); 466 break; 467 } 468 if (pool->opts & PF_POOL_STICKYADDR) 469 printf(" sticky-address"); 470 if (id == PF_NAT && p1 == 0 && p2 == 0) 471 printf(" static-port"); 472} 473 474const char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES; 475const char *pf_lcounters[LCNT_MAX+1] = LCNT_NAMES; 476const char *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES; 477const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES; 478 479void 480print_status(struct pf_status *s, int opts) 481{ 482 char statline[80], *running; 483 time_t runtime; 484 int i; 485 486 runtime = time(NULL) - s->since; 487 running = s->running ? "Enabled" : "Disabled"; 488 489 if (s->since) { 490 unsigned sec, min, hrs, day = runtime; 491 492 sec = day % 60; 493 day /= 60; 494 min = day % 60; 495 day /= 60; 496 hrs = day % 24; 497 day /= 24; 498 snprintf(statline, sizeof(statline), 499 "Status: %s for %u days %.2u:%.2u:%.2u", 500 running, day, hrs, min, sec); 501 } else 502 snprintf(statline, sizeof(statline), "Status: %s", running); 503 printf("%-44s", statline); 504 switch (s->debug) { 505 case PF_DEBUG_NONE: 506 printf("%15s\n\n", "Debug: None"); 507 break; 508 case PF_DEBUG_URGENT: 509 printf("%15s\n\n", "Debug: Urgent"); 510 break; 511 case PF_DEBUG_MISC: 512 printf("%15s\n\n", "Debug: Misc"); 513 break; 514 case PF_DEBUG_NOISY: 515 printf("%15s\n\n", "Debug: Loud"); 516 break; 517 } 518 printf("Hostid: 0x%08x\n\n", ntohl(s->hostid)); 519 if (s->ifname[0] != 0) { 520 printf("Interface Stats for %-16s %5s %16s\n", 521 s->ifname, "IPv4", "IPv6"); 522 printf(" %-25s %14llu %16llu\n", "Bytes In", 523 (unsigned long long)s->bcounters[0][0], 524 (unsigned long long)s->bcounters[1][0]); 525 printf(" %-25s %14llu %16llu\n", "Bytes Out", 526 (unsigned long long)s->bcounters[0][1], 527 (unsigned long long)s->bcounters[1][1]); 528 printf(" Packets In\n"); 529 printf(" %-23s %14llu %16llu\n", "Passed", 530 (unsigned long long)s->pcounters[0][0][PF_PASS], 531 (unsigned long long)s->pcounters[1][0][PF_PASS]); 532 printf(" %-23s %14llu %16llu\n", "Blocked", 533 (unsigned long long)s->pcounters[0][0][PF_DROP], 534 (unsigned long long)s->pcounters[1][0][PF_DROP]); 535 printf(" Packets Out\n"); 536 printf(" %-23s %14llu %16llu\n", "Passed", 537 (unsigned long long)s->pcounters[0][1][PF_PASS], 538 (unsigned long long)s->pcounters[1][1][PF_PASS]); 539 printf(" %-23s %14llu %16llu\n\n", "Blocked", 540 (unsigned long long)s->pcounters[0][1][PF_DROP], 541 (unsigned long long)s->pcounters[1][1][PF_DROP]); 542 } 543 printf("%-27s %14s %16s\n", "State Table", "Total", "Rate"); 544 printf(" %-25s %14u %14s\n", "current entries", s->states, ""); 545 for (i = 0; i < FCNT_MAX; i++) { 546 printf(" %-25s %14llu ", pf_fcounters[i], 547 (unsigned long long)s->fcounters[i]); 548 if (runtime > 0) 549 printf("%14.1f/s\n", 550 (double)s->fcounters[i] / (double)runtime); 551 else 552 printf("%14s\n", ""); 553 } 554 if (opts & PF_OPT_VERBOSE) { 555 printf("Source Tracking Table\n"); 556 printf(" %-25s %14u %14s\n", "current entries", 557 s->src_nodes, ""); 558 for (i = 0; i < SCNT_MAX; i++) { 559 printf(" %-25s %14lld ", pf_scounters[i], 560 s->scounters[i]); 561 if (runtime > 0) 562 printf("%14.1f/s\n", 563 (double)s->scounters[i] / (double)runtime); 564 else 565 printf("%14s\n", ""); 566 } 567 } 568 printf("Counters\n"); 569 for (i = 0; i < PFRES_MAX; i++) { 570 printf(" %-25s %14llu ", pf_reasons[i], 571 (unsigned long long)s->counters[i]); 572 if (runtime > 0) 573 printf("%14.1f/s\n", 574 (double)s->counters[i] / (double)runtime); 575 else 576 printf("%14s\n", ""); 577 } 578 if (opts & PF_OPT_VERBOSE) { 579 printf("Limit Counters\n"); 580 for (i = 0; i < LCNT_MAX; i++) { 581 printf(" %-25s %14lld ", pf_lcounters[i], 582 s->lcounters[i]); 583 if (runtime > 0) 584 printf("%14.1f/s\n", 585 (double)s->lcounters[i] / (double)runtime); 586 else 587 printf("%14s\n", ""); 588 } 589 } 590} 591 592void 593print_src_node(struct pf_src_node *sn, int opts) 594{ 595 struct pf_addr_wrap aw; 596 int min, sec; 597 598 memset(&aw, 0, sizeof(aw)); 599 if (sn->af == AF_INET) 600 aw.v.a.mask.addr32[0] = 0xffffffff; 601 else 602 memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); 603 604 aw.v.a.addr = sn->addr; 605 print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2); 606 printf(" -> "); 607 aw.v.a.addr = sn->raddr; 608 print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2); 609 printf(" ( states %u, connections %u, rate %u.%u/%us )\n", sn->states, 610 sn->conn, sn->conn_rate.count / 1000, 611 (sn->conn_rate.count % 1000) / 100, sn->conn_rate.seconds); 612 if (opts & PF_OPT_VERBOSE) { 613 sec = sn->creation % 60; 614 sn->creation /= 60; 615 min = sn->creation % 60; 616 sn->creation /= 60; 617 printf(" age %.2u:%.2u:%.2u", sn->creation, min, sec); 618 if (sn->states == 0) { 619 sec = sn->expire % 60; 620 sn->expire /= 60; 621 min = sn->expire % 60; 622 sn->expire /= 60; 623 printf(", expires in %.2u:%.2u:%.2u", 624 sn->expire, min, sec); 625 } 626 printf(", %u pkts, %u bytes", sn->packets, sn->bytes); 627 switch (sn->ruletype) { 628 case PF_NAT: 629 if (sn->rule.nr != -1) 630 printf(", nat rule %u", sn->rule.nr); 631 break; 632 case PF_RDR: 633 if (sn->rule.nr != -1) 634 printf(", rdr rule %u", sn->rule.nr); 635 break; 636 case PF_PASS: 637 if (sn->rule.nr != -1) 638 printf(", filter rule %u", sn->rule.nr); 639 break; 640 } 641 printf("\n"); 642 } 643} 644 645void 646print_rule(struct pf_rule *r, const char *anchor_call, int verbose) 647{ 648 static const char *actiontypes[] = { "pass", "block", "scrub", 649 "no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" }; 650 static const char *anchortypes[] = { "anchor", "anchor", "anchor", 651 "anchor", "nat-anchor", "nat-anchor", "binat-anchor", 652 "binat-anchor", "rdr-anchor", "rdr-anchor" }; 653 int i, opts; 654 655 if (verbose) 656 printf("@%d ", r->nr); 657 if (r->action > PF_NORDR) 658 printf("action(%d)", r->action); 659 else if (anchor_call[0]) 660 printf("%s \"%s\"", anchortypes[r->action], 661 anchor_call); 662 else { 663 printf("%s", actiontypes[r->action]); 664 if (r->natpass) 665 printf(" pass"); 666 } 667 if (r->action == PF_DROP) { 668 if (r->rule_flag & PFRULE_RETURN) 669 printf(" return"); 670 else if (r->rule_flag & PFRULE_RETURNRST) { 671 if (!r->return_ttl) 672 printf(" return-rst"); 673 else 674 printf(" return-rst(ttl %d)", r->return_ttl); 675 } else if (r->rule_flag & PFRULE_RETURNICMP) { 676 const struct icmpcodeent *ic, *ic6; 677 678 ic = geticmpcodebynumber(r->return_icmp >> 8, 679 r->return_icmp & 255, AF_INET); 680 ic6 = geticmpcodebynumber(r->return_icmp6 >> 8, 681 r->return_icmp6 & 255, AF_INET6); 682 683 switch (r->af) { 684 case AF_INET: 685 printf(" return-icmp"); 686 if (ic == NULL) 687 printf("(%u)", r->return_icmp & 255); 688 else 689 printf("(%s)", ic->name); 690 break; 691 case AF_INET6: 692 printf(" return-icmp6"); 693 if (ic6 == NULL) 694 printf("(%u)", r->return_icmp6 & 255); 695 else 696 printf("(%s)", ic6->name); 697 break; 698 default: 699 printf(" return-icmp"); 700 if (ic == NULL) 701 printf("(%u, ", r->return_icmp & 255); 702 else 703 printf("(%s, ", ic->name); 704 if (ic6 == NULL) 705 printf("%u)", r->return_icmp6 & 255); 706 else 707 printf("%s)", ic6->name); 708 break; 709 } 710 } else 711 printf(" drop"); 712 } 713 if (r->direction == PF_IN) 714 printf(" in"); 715 else if (r->direction == PF_OUT) 716 printf(" out"); 717 if (r->log == 1) 718 printf(" log"); 719 else if (r->log == 2) 720 printf(" log-all"); 721 if (r->quick) 722 printf(" quick"); 723 if (r->ifname[0]) { 724 if (r->ifnot) 725 printf(" on ! %s", r->ifname); 726 else 727 printf(" on %s", r->ifname); 728 } 729 if (r->rt) { 730 if (r->rt == PF_ROUTETO) 731 printf(" route-to"); 732 else if (r->rt == PF_REPLYTO) 733 printf(" reply-to"); 734 else if (r->rt == PF_DUPTO) 735 printf(" dup-to"); 736 else if (r->rt == PF_FASTROUTE) 737 printf(" fastroute"); 738 if (r->rt != PF_FASTROUTE) { 739 printf(" "); 740 print_pool(&r->rpool, 0, 0, r->af, PF_PASS); 741 } 742 } 743 if (r->af) { 744 if (r->af == AF_INET) 745 printf(" inet"); 746 else 747 printf(" inet6"); 748 } 749 if (r->proto) { 750 struct protoent *p; 751 752 if ((p = getprotobynumber(r->proto)) != NULL) 753 printf(" proto %s", p->p_name); 754 else 755 printf(" proto %u", r->proto); 756 } 757 print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto, 758 verbose); 759 if (r->uid.op) 760 print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user", 761 UID_MAX); 762 if (r->gid.op) 763 print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group", 764 GID_MAX); 765 if (r->flags || r->flagset) { 766 printf(" flags "); 767 print_flags(r->flags); 768 printf("/"); 769 print_flags(r->flagset); 770 } 771 if (r->type) { 772 const struct icmptypeent *it; 773 774 it = geticmptypebynumber(r->type-1, r->af); 775 if (r->af != AF_INET6) 776 printf(" icmp-type"); 777 else 778 printf(" icmp6-type"); 779 if (it != NULL) 780 printf(" %s", it->name); 781 else 782 printf(" %u", r->type-1); 783 if (r->code) { 784 const struct icmpcodeent *ic; 785 786 ic = geticmpcodebynumber(r->type-1, r->code-1, r->af); 787 if (ic != NULL) 788 printf(" code %s", ic->name); 789 else 790 printf(" code %u", r->code-1); 791 } 792 } 793 if (r->tos) 794 printf(" tos 0x%2.2x", r->tos); 795 if (r->keep_state == PF_STATE_NORMAL) 796 printf(" keep state"); 797 else if (r->keep_state == PF_STATE_MODULATE) 798 printf(" modulate state"); 799 else if (r->keep_state == PF_STATE_SYNPROXY) 800 printf(" synproxy state"); 801 if (r->prob) { 802 char buf[20]; 803 804 snprintf(buf, sizeof(buf), "%f", r->prob*100.0/(UINT_MAX+1.0)); 805 for (i = strlen(buf)-1; i > 0; i--) { 806 if (buf[i] == '0') 807 buf[i] = '\0'; 808 else { 809 if (buf[i] == '.') 810 buf[i] = '\0'; 811 break; 812 } 813 } 814 printf(" probability %s%%", buf); 815 } 816 opts = 0; 817 if (r->max_states || r->max_src_nodes || r->max_src_states) 818 opts = 1; 819 if (r->rule_flag & PFRULE_NOSYNC) 820 opts = 1; 821 if (r->rule_flag & PFRULE_SRCTRACK) 822 opts = 1; 823 if (r->rule_flag & (PFRULE_IFBOUND | PFRULE_GRBOUND)) 824 opts = 1; 825 for (i = 0; !opts && i < PFTM_MAX; ++i) 826 if (r->timeout[i]) 827 opts = 1; 828 if (opts) { 829 printf(" ("); 830 if (r->max_states) { 831 printf("max %u", r->max_states); 832 opts = 0; 833 } 834 if (r->rule_flag & PFRULE_NOSYNC) { 835 if (!opts) 836 printf(", "); 837 printf("no-sync"); 838 opts = 0; 839 } 840 if (r->rule_flag & PFRULE_SRCTRACK) { 841 if (!opts) 842 printf(", "); 843 printf("source-track"); 844 if (r->rule_flag & PFRULE_RULESRCTRACK) 845 printf(" rule"); 846 else 847 printf(" global"); 848 opts = 0; 849 } 850 if (r->max_src_states) { 851 if (!opts) 852 printf(", "); 853 printf("max-src-states %u", r->max_src_states); 854 opts = 0; 855 } 856 if (r->max_src_conn) { 857 if (!opts) 858 printf(", "); 859 printf("max-src-conn %u", r->max_src_conn); 860 opts = 0; 861 } 862 if (r->max_src_conn_rate.limit) { 863 if (!opts) 864 printf(", "); 865 printf("max-src-conn-rate %u/%u", 866 r->max_src_conn_rate.limit, 867 r->max_src_conn_rate.seconds); 868 opts = 0; 869 } 870 if (r->max_src_nodes) { 871 if (!opts) 872 printf(", "); 873 printf("max-src-nodes %u", r->max_src_nodes); 874 opts = 0; 875 } 876 if (r->overload_tblname[0]) { 877 if (!opts) 878 printf(", "); 879 printf("overload <%s>", r->overload_tblname); 880 if (r->rule_flag & PFRULE_SRCTRACK_FLUSH) 881 printf(" flush"); 882 } 883 if (r->rule_flag & PFRULE_IFBOUND) { 884 if (!opts) 885 printf(", "); 886 printf("if-bound"); 887 opts = 0; 888 } 889 if (r->rule_flag & PFRULE_GRBOUND) { 890 if (!opts) 891 printf(", "); 892 printf("group-bound"); 893 opts = 0; 894 } 895 for (i = 0; i < PFTM_MAX; ++i) 896 if (r->timeout[i]) { 897 int j; 898 899 if (!opts) 900 printf(", "); 901 opts = 0; 902 for (j = 0; j < sizeof(pf_timeouts) / 903 sizeof(pf_timeouts[0]); ++j) 904 if (pf_timeouts[j].timeout == i) 905 break; 906 printf("%s %u", j == PFTM_MAX ? "inv.timeout" : 907 pf_timeouts[j].name, r->timeout[i]); 908 } 909 printf(")"); 910 } 911 if (r->rule_flag & PFRULE_FRAGMENT) 912 printf(" fragment"); 913 if (r->rule_flag & PFRULE_NODF) 914 printf(" no-df"); 915 if (r->rule_flag & PFRULE_RANDOMID) 916 printf(" random-id"); 917 if (r->min_ttl) 918 printf(" min-ttl %d", r->min_ttl); 919 if (r->max_mss) 920 printf(" max-mss %d", r->max_mss); 921 if (r->allow_opts) 922 printf(" allow-opts"); 923 if (r->action == PF_SCRUB) { 924 if (r->rule_flag & PFRULE_REASSEMBLE_TCP) 925 printf(" reassemble tcp"); 926 927 if (r->rule_flag & PFRULE_FRAGDROP) 928 printf(" fragment drop-ovl"); 929 else if (r->rule_flag & PFRULE_FRAGCROP) 930 printf(" fragment crop"); 931 else 932 printf(" fragment reassemble"); 933 } 934 if (r->label[0]) 935 printf(" label \"%s\"", r->label); 936 if (r->qname[0] && r->pqname[0]) 937 printf(" queue(%s, %s)", r->qname, r->pqname); 938 else if (r->qname[0]) 939 printf(" queue %s", r->qname); 940 if (r->tagname[0]) 941 printf(" tag %s", r->tagname); 942 if (r->match_tagname[0]) { 943 if (r->match_tag_not) 944 printf(" !"); 945 printf(" tagged %s", r->match_tagname); 946 } 947 if (!anchor_call[0] && (r->action == PF_NAT || 948 r->action == PF_BINAT || r->action == PF_RDR)) { 949 printf(" -> "); 950 print_pool(&r->rpool, r->rpool.proxy_port[0], 951 r->rpool.proxy_port[1], r->af, r->action); 952 } 953 printf("\n"); 954} 955 956void 957print_tabledef(const char *name, int flags, int addrs, 958 struct node_tinithead *nodes) 959{ 960 struct node_tinit *ti, *nti; 961 struct node_host *h; 962 963 printf("table <%s>", name); 964 if (flags & PFR_TFLAG_CONST) 965 printf(" const"); 966 if (flags & PFR_TFLAG_PERSIST) 967 printf(" persist"); 968 SIMPLEQ_FOREACH(ti, nodes, entries) { 969 if (ti->file) { 970 printf(" file \"%s\"", ti->file); 971 continue; 972 } 973 printf(" {"); 974 for (;;) { 975 for (h = ti->host; h != NULL; h = h->next) { 976 printf(h->not ? " !" : " "); 977 print_addr(&h->addr, h->af, 0); 978 } 979 nti = SIMPLEQ_NEXT(ti, entries); 980 if (nti != NULL && nti->file == NULL) 981 ti = nti; /* merge lists */ 982 else 983 break; 984 } 985 printf(" }"); 986 } 987 if (addrs && SIMPLEQ_EMPTY(nodes)) 988 printf(" { }"); 989 printf("\n"); 990} 991 992int 993parse_flags(char *s) 994{ 995 char *p, *q; 996 u_int8_t f = 0; 997 998 for (p = s; *p; p++) { 999 if ((q = strchr(tcpflags, *p)) == NULL) 1000 return -1; 1001 else 1002 f |= 1 << (q - tcpflags); 1003 } 1004 return (f ? f : PF_TH_ALL); 1005} 1006 1007void 1008set_ipmask(struct node_host *h, u_int8_t b) 1009{ 1010 struct pf_addr *m, *n; 1011 int i, j = 0; 1012 1013 m = &h->addr.v.a.mask; 1014 memset(m, 0, sizeof(*m)); 1015 1016 while (b >= 32) { 1017 m->addr32[j++] = 0xffffffff; 1018 b -= 32; 1019 } 1020 for (i = 31; i > 31-b; --i) 1021 m->addr32[j] |= (1 << i); 1022 if (b) 1023 m->addr32[j] = htonl(m->addr32[j]); 1024 1025 /* Mask off bits of the address that will never be used. */ 1026 n = &h->addr.v.a.addr; 1027 if (h->addr.type == PF_ADDR_ADDRMASK) 1028 for (i = 0; i < 4; i++) 1029 n->addr32[i] = n->addr32[i] & m->addr32[i]; 1030} 1031 1032int 1033check_netmask(struct node_host *h, sa_family_t af) 1034{ 1035 struct node_host *n = NULL; 1036 struct pf_addr *m; 1037 1038 for (n = h; n != NULL; n = n->next) { 1039 if (h->addr.type == PF_ADDR_TABLE) 1040 continue; 1041 m = &h->addr.v.a.mask; 1042 /* fix up netmask for dynaddr */ 1043 if (af == AF_INET && h->addr.type == PF_ADDR_DYNIFTL && 1044 unmask(m, AF_INET6) > 32) 1045 set_ipmask(n, 32); 1046 /* netmasks > 32 bit are invalid on v4 */ 1047 if (af == AF_INET && 1048 (m->addr32[1] || m->addr32[2] || m->addr32[3])) { 1049 fprintf(stderr, "netmask %u invalid for IPv4 address\n", 1050 unmask(m, AF_INET6)); 1051 return (1); 1052 } 1053 } 1054 return (0); 1055} 1056 1057/* interface lookup routines */ 1058 1059struct node_host *iftab; 1060 1061void 1062ifa_load(void) 1063{ 1064 struct ifaddrs *ifap, *ifa; 1065 struct node_host *n = NULL, *h = NULL; 1066 1067 if (getifaddrs(&ifap) < 0) 1068 err(1, "getifaddrs"); 1069 1070 for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 1071 if (!(ifa->ifa_addr->sa_family == AF_INET || 1072 ifa->ifa_addr->sa_family == AF_INET6 || 1073 ifa->ifa_addr->sa_family == AF_LINK)) 1074 continue; 1075 n = calloc(1, sizeof(struct node_host)); 1076 if (n == NULL) 1077 err(1, "address: calloc"); 1078 n->af = ifa->ifa_addr->sa_family; 1079 n->ifa_flags = ifa->ifa_flags; 1080#ifdef __KAME__ 1081 if (n->af == AF_INET6 && 1082 IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *) 1083 ifa->ifa_addr)->sin6_addr) && 1084 ((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_scope_id == 1085 0) { 1086 struct sockaddr_in6 *sin6; 1087 1088 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; 1089 sin6->sin6_scope_id = sin6->sin6_addr.s6_addr[2] << 8 | 1090 sin6->sin6_addr.s6_addr[3]; 1091 sin6->sin6_addr.s6_addr[2] = 0; 1092 sin6->sin6_addr.s6_addr[3] = 0; 1093 } 1094#endif 1095 n->ifindex = 0; 1096 if (n->af == AF_INET) { 1097 memcpy(&n->addr.v.a.addr, &((struct sockaddr_in *) 1098 ifa->ifa_addr)->sin_addr.s_addr, 1099 sizeof(struct in_addr)); 1100 memcpy(&n->addr.v.a.mask, &((struct sockaddr_in *) 1101 ifa->ifa_netmask)->sin_addr.s_addr, 1102 sizeof(struct in_addr)); 1103 if (ifa->ifa_broadaddr != NULL) 1104 memcpy(&n->bcast, &((struct sockaddr_in *) 1105 ifa->ifa_broadaddr)->sin_addr.s_addr, 1106 sizeof(struct in_addr)); 1107 if (ifa->ifa_dstaddr != NULL) 1108 memcpy(&n->peer, &((struct sockaddr_in *) 1109 ifa->ifa_dstaddr)->sin_addr.s_addr, 1110 sizeof(struct in_addr)); 1111 } else if (n->af == AF_INET6) { 1112 memcpy(&n->addr.v.a.addr, &((struct sockaddr_in6 *) 1113 ifa->ifa_addr)->sin6_addr.s6_addr, 1114 sizeof(struct in6_addr)); 1115 memcpy(&n->addr.v.a.mask, &((struct sockaddr_in6 *) 1116 ifa->ifa_netmask)->sin6_addr.s6_addr, 1117 sizeof(struct in6_addr)); 1118 if (ifa->ifa_broadaddr != NULL) 1119 memcpy(&n->bcast, &((struct sockaddr_in6 *) 1120 ifa->ifa_broadaddr)->sin6_addr.s6_addr, 1121 sizeof(struct in6_addr)); 1122 if (ifa->ifa_dstaddr != NULL) 1123 memcpy(&n->peer, &((struct sockaddr_in6 *) 1124 ifa->ifa_dstaddr)->sin6_addr.s6_addr, 1125 sizeof(struct in6_addr)); 1126 n->ifindex = ((struct sockaddr_in6 *) 1127 ifa->ifa_addr)->sin6_scope_id; 1128 } 1129 if ((n->ifname = strdup(ifa->ifa_name)) == NULL) 1130 err(1, "ifa_load: strdup"); 1131 n->next = NULL; 1132 n->tail = n; 1133 if (h == NULL) 1134 h = n; 1135 else { 1136 h->tail->next = n; 1137 h->tail = n; 1138 } 1139 } 1140 1141 iftab = h; 1142 freeifaddrs(ifap); 1143} 1144 1145struct node_host * 1146ifa_exists(const char *ifa_name, int group_ok) 1147{ 1148 struct node_host *n; 1149 1150 if (iftab == NULL) 1151 ifa_load(); 1152 1153 for (n = iftab; n; n = n->next) { 1154 if (n->af == AF_LINK && !strncmp(n->ifname, ifa_name, IFNAMSIZ)) 1155 return (n); 1156 } 1157 1158 return (NULL); 1159} 1160 1161struct node_host * 1162ifa_lookup(const char *ifa_name, int flags) 1163{ 1164 struct node_host *p = NULL, *h = NULL, *n = NULL; 1165 int got4 = 0, got6 = 0; 1166 const char *last_if = NULL; 1167 1168 if (!strncmp(ifa_name, "self", IFNAMSIZ)) 1169 ifa_name = NULL; 1170 1171 if (iftab == NULL) 1172 ifa_load(); 1173 1174 for (p = iftab; p; p = p->next) { 1175 if (ifa_skip_if(ifa_name, p)) 1176 continue; 1177 if ((flags & PFI_AFLAG_BROADCAST) && p->af != AF_INET) 1178 continue; 1179 if ((flags & PFI_AFLAG_BROADCAST) && 1180 !(p->ifa_flags & IFF_BROADCAST)) 1181 continue; 1182 if ((flags & PFI_AFLAG_PEER) && 1183 !(p->ifa_flags & IFF_POINTOPOINT)) 1184 continue; 1185 if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0) 1186 continue; 1187 if (last_if == NULL || strcmp(last_if, p->ifname)) 1188 got4 = got6 = 0; 1189 last_if = p->ifname; 1190 if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET && got4) 1191 continue; 1192 if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && got6) 1193 continue; 1194 if (p->af == AF_INET) 1195 got4 = 1; 1196 else 1197 got6 = 1; 1198 n = calloc(1, sizeof(struct node_host)); 1199 if (n == NULL) 1200 err(1, "address: calloc"); 1201 n->af = p->af; 1202 if (flags & PFI_AFLAG_BROADCAST) 1203 memcpy(&n->addr.v.a.addr, &p->bcast, 1204 sizeof(struct pf_addr)); 1205 else if (flags & PFI_AFLAG_PEER) 1206 memcpy(&n->addr.v.a.addr, &p->peer, 1207 sizeof(struct pf_addr)); 1208 else 1209 memcpy(&n->addr.v.a.addr, &p->addr.v.a.addr, 1210 sizeof(struct pf_addr)); 1211 if (flags & PFI_AFLAG_NETWORK) 1212 set_ipmask(n, unmask(&p->addr.v.a.mask, n->af)); 1213 else { 1214 if (n->af == AF_INET) { 1215 if (p->ifa_flags & IFF_LOOPBACK && 1216 p->ifa_flags & IFF_LINK1) 1217 memcpy(&n->addr.v.a.mask, 1218 &p->addr.v.a.mask, 1219 sizeof(struct pf_addr)); 1220 else 1221 set_ipmask(n, 32); 1222 } else 1223 set_ipmask(n, 128); 1224 } 1225 n->ifindex = p->ifindex; 1226 1227 n->next = NULL; 1228 n->tail = n; 1229 if (h == NULL) 1230 h = n; 1231 else { 1232 h->tail->next = n; 1233 h->tail = n; 1234 } 1235 } 1236 return (h); 1237} 1238 1239int 1240ifa_skip_if(const char *filter, struct node_host *p) 1241{ 1242 int n; 1243 1244 if (p->af != AF_INET && p->af != AF_INET6) 1245 return (1); 1246 if (filter == NULL || !*filter) 1247 return (0); 1248 if (!strcmp(p->ifname, filter)) 1249 return (0); /* exact match */ 1250 n = strlen(filter); 1251 if (n < 1 || n >= IFNAMSIZ) 1252 return (1); /* sanity check */ 1253 if (filter[n-1] >= '0' && filter[n-1] <= '9') 1254 return (1); /* only do exact match in that case */ 1255 if (strncmp(p->ifname, filter, n)) 1256 return (1); /* prefix doesn't match */ 1257 return (p->ifname[n] < '0' || p->ifname[n] > '9'); 1258} 1259 1260 1261struct node_host * 1262host(const char *s) 1263{ 1264 struct node_host *h = NULL; 1265 int mask, v4mask, v6mask, cont = 1; 1266 char *p, *q, *ps; 1267 1268 if ((p = strrchr(s, '/')) != NULL) { 1269 mask = strtol(p+1, &q, 0); 1270 if (!q || *q || mask > 128 || q == (p+1)) { 1271 fprintf(stderr, "invalid netmask '%s'\n", p); 1272 return (NULL); 1273 } 1274 if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL) 1275 err(1, "host: malloc"); 1276 strlcpy(ps, s, strlen(s) - strlen(p) + 1); 1277 v4mask = v6mask = mask; 1278 } else { 1279 if ((ps = strdup(s)) == NULL) 1280 err(1, "host: strdup"); 1281 v4mask = 32; 1282 v6mask = 128; 1283 mask = -1; 1284 } 1285 1286 /* interface with this name exists? */ 1287 if (cont && (h = host_if(ps, mask)) != NULL) 1288 cont = 0; 1289 1290 /* IPv4 address? */ 1291 if (cont && (h = host_v4(s, mask)) != NULL) 1292 cont = 0; 1293 1294 /* IPv6 address? */ 1295 if (cont && (h = host_v6(ps, v6mask)) != NULL) 1296 cont = 0; 1297 1298 /* dns lookup */ 1299 if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL) 1300 cont = 0; 1301 free(ps); 1302 1303 if (h == NULL || cont == 1) { 1304 fprintf(stderr, "no IP address found for %s\n", s); 1305 return (NULL); 1306 } 1307 return (h); 1308} 1309 1310struct node_host * 1311host_if(const char *s, int mask) 1312{ 1313 struct node_host *n, *h = NULL; 1314 char *p, *ps; 1315 int flags = 0; 1316 1317 if ((ps = strdup(s)) == NULL) 1318 err(1, "host_if: strdup"); 1319 while ((p = strrchr(ps, ':')) != NULL) { 1320 if (!strcmp(p+1, "network")) 1321 flags |= PFI_AFLAG_NETWORK; 1322 else if (!strcmp(p+1, "broadcast")) 1323 flags |= PFI_AFLAG_BROADCAST; 1324 else if (!strcmp(p+1, "peer")) 1325 flags |= PFI_AFLAG_PEER; 1326 else if (!strcmp(p+1, "0")) 1327 flags |= PFI_AFLAG_NOALIAS; 1328 else { 1329 free(ps); 1330 return (NULL); 1331 } 1332 *p = '\0'; 1333 } 1334 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) { /* Yep! */ 1335 fprintf(stderr, "illegal combination of interface modifiers\n"); 1336 free(ps); 1337 return (NULL); 1338 } 1339 if ((flags & (PFI_AFLAG_NETWORK|PFI_AFLAG_BROADCAST)) && mask > -1) { 1340 fprintf(stderr, "network or broadcast lookup, but " 1341 "extra netmask given\n"); 1342 free(ps); 1343 return (NULL); 1344 } 1345 if (ifa_exists(ps, 1) || !strncmp(ps, "self", IFNAMSIZ)) { 1346 /* interface with this name exists */ 1347 h = ifa_lookup(ps, flags); 1348 for (n = h; n != NULL && mask > -1; n = n->next) 1349 set_ipmask(n, mask); 1350 } 1351 1352 free(ps); 1353 return (h); 1354} 1355 1356struct node_host * 1357host_v4(const char *s, int mask) 1358{ 1359 struct node_host *h = NULL; 1360 struct in_addr ina; 1361 int bits = 32; 1362 1363 memset(&ina, 0, sizeof(struct in_addr)); 1364 if (strrchr(s, '/') != NULL) { 1365 if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) == -1) 1366 return (NULL); 1367 } else { 1368 if (inet_pton(AF_INET, s, &ina) != 1) 1369 return (NULL); 1370 } 1371 1372 h = calloc(1, sizeof(struct node_host)); 1373 if (h == NULL) 1374 err(1, "address: calloc"); 1375 h->ifname = NULL; 1376 h->af = AF_INET; 1377 h->addr.v.a.addr.addr32[0] = ina.s_addr; 1378 set_ipmask(h, bits); 1379 h->next = NULL; 1380 h->tail = h; 1381 1382 return (h); 1383} 1384 1385struct node_host * 1386host_v6(const char *s, int mask) 1387{ 1388 struct addrinfo hints, *res; 1389 struct node_host *h = NULL; 1390 1391 memset(&hints, 0, sizeof(hints)); 1392 hints.ai_family = AF_INET6; 1393 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 1394 hints.ai_flags = AI_NUMERICHOST; 1395 if (getaddrinfo(s, "0", &hints, &res) == 0) { 1396 h = calloc(1, sizeof(struct node_host)); 1397 if (h == NULL) 1398 err(1, "address: calloc"); 1399 h->ifname = NULL; 1400 h->af = AF_INET6; 1401 memcpy(&h->addr.v.a.addr, 1402 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 1403 sizeof(h->addr.v.a.addr)); 1404 h->ifindex = 1405 ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id; 1406 set_ipmask(h, mask); 1407 freeaddrinfo(res); 1408 h->next = NULL; 1409 h->tail = h; 1410 } 1411 1412 return (h); 1413} 1414 1415struct node_host * 1416host_dns(const char *s, int v4mask, int v6mask) 1417{ 1418 struct addrinfo hints, *res0, *res; 1419 struct node_host *n, *h = NULL; 1420 int error, noalias = 0; 1421 int got4 = 0, got6 = 0; 1422 char *p, *ps; 1423 1424 if ((ps = strdup(s)) == NULL) 1425 err(1, "host_dns: strdup"); 1426 if ((p = strrchr(ps, ':')) != NULL && !strcmp(p, ":0")) { 1427 noalias = 1; 1428 *p = '\0'; 1429 } 1430 memset(&hints, 0, sizeof(hints)); 1431 hints.ai_family = PF_UNSPEC; 1432 hints.ai_socktype = SOCK_STREAM; /* DUMMY */ 1433 error = getaddrinfo(ps, NULL, &hints, &res0); 1434 if (error) { 1435 free(ps); 1436 return (h); 1437 } 1438 1439 for (res = res0; res; res = res->ai_next) { 1440 if (res->ai_family != AF_INET && 1441 res->ai_family != AF_INET6) 1442 continue; 1443 if (noalias) { 1444 if (res->ai_family == AF_INET) { 1445 if (got4) 1446 continue; 1447 got4 = 1; 1448 } else { 1449 if (got6) 1450 continue; 1451 got6 = 1; 1452 } 1453 } 1454 n = calloc(1, sizeof(struct node_host)); 1455 if (n == NULL) 1456 err(1, "host_dns: calloc"); 1457 n->ifname = NULL; 1458 n->af = res->ai_family; 1459 if (res->ai_family == AF_INET) { 1460 memcpy(&n->addr.v.a.addr, 1461 &((struct sockaddr_in *) 1462 res->ai_addr)->sin_addr.s_addr, 1463 sizeof(struct in_addr)); 1464 set_ipmask(n, v4mask); 1465 } else { 1466 memcpy(&n->addr.v.a.addr, 1467 &((struct sockaddr_in6 *) 1468 res->ai_addr)->sin6_addr.s6_addr, 1469 sizeof(struct in6_addr)); 1470 n->ifindex = 1471 ((struct sockaddr_in6 *) 1472 res->ai_addr)->sin6_scope_id; 1473 set_ipmask(n, v6mask); 1474 } 1475 n->next = NULL; 1476 n->tail = n; 1477 if (h == NULL) 1478 h = n; 1479 else { 1480 h->tail->next = n; 1481 h->tail = n; 1482 } 1483 } 1484 freeaddrinfo(res0); 1485 free(ps); 1486 1487 return (h); 1488} 1489 1490/* 1491 * convert a hostname to a list of addresses and put them in the given buffer. 1492 * test: 1493 * if set to 1, only simple addresses are accepted (no netblock, no "!"). 1494 */ 1495int 1496append_addr(struct pfr_buffer *b, char *s, int test) 1497{ 1498 char *r; 1499 struct node_host *h, *n; 1500 int rv, not = 0; 1501 1502 for (r = s; *r == '!'; r++) 1503 not = !not; 1504 if ((n = host(r)) == NULL) { 1505 errno = 0; 1506 return (-1); 1507 } 1508 rv = append_addr_host(b, n, test, not); 1509 do { 1510 h = n; 1511 n = n->next; 1512 free(h); 1513 } while (n != NULL); 1514 return (rv); 1515} 1516 1517/* 1518 * same as previous function, but with a pre-parsed input and the ability 1519 * to "negate" the result. Does not free the node_host list. 1520 * not: 1521 * setting it to 1 is equivalent to adding "!" in front of parameter s. 1522 */ 1523int 1524append_addr_host(struct pfr_buffer *b, struct node_host *n, int test, int not) 1525{ 1526 int bits; 1527 struct pfr_addr addr; 1528 1529 do { 1530 bzero(&addr, sizeof(addr)); 1531 addr.pfra_not = n->not ^ not; 1532 addr.pfra_af = n->af; 1533 addr.pfra_net = unmask(&n->addr.v.a.mask, n->af); 1534 switch (n->af) { 1535 case AF_INET: 1536 addr.pfra_ip4addr.s_addr = n->addr.v.a.addr.addr32[0]; 1537 bits = 32; 1538 break; 1539 case AF_INET6: 1540 memcpy(&addr.pfra_ip6addr, &n->addr.v.a.addr.v6, 1541 sizeof(struct in6_addr)); 1542 bits = 128; 1543 break; 1544 default: 1545 errno = EINVAL; 1546 return (-1); 1547 } 1548 if ((test && (not || addr.pfra_net != bits)) || 1549 addr.pfra_net > bits) { 1550 errno = EINVAL; 1551 return (-1); 1552 } 1553 if (pfr_buf_add(b, &addr)) 1554 return (-1); 1555 } while ((n = n->next) != NULL); 1556 1557 return (0); 1558} 1559 1560int 1561pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor) 1562{ 1563 struct pfioc_trans_e trans; 1564 1565 bzero(&trans, sizeof(trans)); 1566 trans.rs_num = rs_num; 1567 if (strlcpy(trans.anchor, anchor, 1568 sizeof(trans.anchor)) >= sizeof(trans.anchor)) 1569 errx(1, "pfctl_add_trans: strlcpy"); 1570 1571 return pfr_buf_add(buf, &trans); 1572} 1573 1574u_int32_t 1575pfctl_get_ticket(struct pfr_buffer *buf, int rs_num, const char *anchor) 1576{ 1577 struct pfioc_trans_e *p; 1578 1579 PFRB_FOREACH(p, buf) 1580 if (rs_num == p->rs_num && !strcmp(anchor, p->anchor)) 1581 return (p->ticket); 1582 errx(1, "pfctl_get_ticket: assertion failed"); 1583} 1584 1585int 1586pfctl_trans(int dev, struct pfr_buffer *buf, u_long cmd, int from) 1587{ 1588 struct pfioc_trans trans; 1589 1590 bzero(&trans, sizeof(trans)); 1591 trans.size = buf->pfrb_size - from; 1592 trans.esize = sizeof(struct pfioc_trans_e); 1593 trans.array = ((struct pfioc_trans_e *)buf->pfrb_caddr) + from; 1594 return ioctl(dev, cmd, &trans); 1595} 1596