/* $OpenBSD: pf_print_state.c,v 1.64 2015/01/21 21:50:33 deraadt Exp $ */ |
/* |
* Copyright (c) 2001 Daniel Hartmeier |
* All rights reserved. |
* |
* Redistribution and use in source and binary forms, with or without |
* modification, are permitted provided that the following conditions |
* are met: |
* |
* - Redistributions of source code must retain the above copyright |
* notice, this list of conditions and the following disclaimer. |
* - Redistributions in binary form must reproduce the above |
* copyright notice, this list of conditions and the following |
* disclaimer in the documentation and/or other materials provided |
* with the distribution. |
* |
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
* POSSIBILITY OF SUCH DAMAGE. |
* |
*/ |
#include <sys/types.h> |
#include <sys/socket.h> |
#include <net/if.h> |
#define TCPSTATES |
#include <netinet/in.h> |
#include <netinet/tcp_fsm.h> |
#include <arpa/inet.h> |
#include <net/pfvar.h> |
#include <netdb.h> |
#include <stdio.h> |
#include <string.h> |
#include "pfctl_parser.h" |
#include "pfctl.h" |
/* Forward declaration: print_name() is defined below and used by print_host(). */
void print_name(struct pf_addr *, sa_family_t);
/*
 * Print a pf address wrapper in pf.conf notation: "(ifname:flags)",
 * "<table>", "addr - addr" for a range, "addr" or "any" for an
 * address/mask pair, "no-route", "urpf-failed", route "label", or "?"
 * for an unknown type.
 *
 * addr    - wrapped address to print
 * af      - address family used when formatting raw addresses
 * verbose - when non-zero, append the address count of dynamic
 *           interfaces and tables (":*" / "<name:*>" when unknown)
 *
 * Interface and address/mask entries get a "/bits" suffix unless address
 * and mask are both zero (printed as "any") or the mask is a full host
 * mask for af.  Writes to stdout only.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	char text[48];		/* >= INET6_ADDRSTRLEN (46) */
	int bits, full;

	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		/* assumes v.ifname is NUL-terminated as filled in by the kernel */
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt > 0)
				printf(":%d", addr->p.dyncnt);
			else
				printf(":*");
		}
		printf(")");
		break;

	case PF_ADDR_TABLE:
		if (!verbose)
			printf("<%s>", addr->v.tblname);
		else if (addr->p.tblcnt == -1)
			printf("<%s:*>", addr->v.tblname);
		else
			printf("<%s:%d>", addr->v.tblname, addr->p.tblcnt);
		return;

	case PF_ADDR_RANGE:
		/* the two endpoints live in v.a.addr and v.a.mask; no prefix */
		if (inet_ntop(af, &addr->v.a.addr, text, sizeof(text)) == NULL)
			printf("?");
		else
			printf("%s", text);
		if (inet_ntop(af, &addr->v.a.mask, text, sizeof(text)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", text);
		return;

	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6)) {
			printf("any");
		} else if (inet_ntop(af, &addr->v.a.addr, text,
		    sizeof(text)) == NULL) {
			printf("?");
		} else {
			printf("%s", text);
		}
		break;

	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;

	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;

	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;

	default:
		printf("?");
		return;
	}

	/*
	 * Only PF_ADDR_DYNIFTL and PF_ADDR_ADDRMASK get here.  Append the
	 * prefix length unless both address and mask are zero.
	 */
	if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))
		return;
	bits = unmask(&addr->v.a.mask, af);
	full = (af == AF_INET) ? 32 : 128;
	if (bits < full)
		printf("/%d", bits);
}
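/*
 * Print the host name addr resolves to, or "?" when the reverse lookup
 * fails or af is neither AF_INET nor AF_INET6.
 *
 * addr - address to resolve
 * af   - address family selecting addr->v4 or addr->v6
 *
 * Performs a reverse DNS lookup and may therefore block; callers gate
 * this on PF_OPT_USEDNS.  Writes to stdout only.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];
	int rc = -1;	/* "lookup not attempted" until a family matches */

	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		rc = getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		rc = getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	default:
		break;
	}

	/*
	 * getnameinfo() leaves host unspecified on failure, so do not print
	 * whatever it may have left there; fall back to "?" explicitly.
	 */
	if (rc != 0)
		strlcpy(host, "?", sizeof(host));
	printf("%s", host);
}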
/*
 * Print one endpoint of a state: the routing domain (when non-zero), the
 * address (as a host name when PF_OPT_USEDNS is set) and the port (as a
 * service name when PF_OPT_PORTNAMES is set and one is known).
 *
 * addr  - endpoint address
 * port  - port in network byte order; 0 means "no port", nothing printed
 * af    - address family of addr; anything but AF_INET is shown as v6
 * rdom  - routing domain in network byte order; 0 is not printed
 * proto - protocol name for the service lookup, may be NULL
 * opts  - PF_OPT_* flags
 *
 * Writes to stdout only.
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, u_int16_t rdom,
    const char *proto, int opts)
{
	struct servent *svc = NULL;
	const char *portname;
	char portnum[6];	/* "65535" plus NUL */

	if (rdom != 0)
		printf("(%u) ", ntohs(rdom));

	if (opts & PF_OPT_USEDNS) {
		print_name(addr, af);
	} else {
		struct pf_addr_wrap wrap;

		/* wrap the bare address with a host mask so print_addr() formats it */
		memset(&wrap, 0, sizeof(wrap));
		wrap.v.a.addr = *addr;
		if (af == AF_INET) {
			wrap.v.a.mask.addr32[0] = 0xffffffff;
		} else {
			memset(&wrap.v.a.mask, 0xff, sizeof(wrap.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&wrap, af, opts & PF_OPT_VERBOSE2);
	}

	if (port == 0)
		return;

	snprintf(portnum, sizeof(portnum), "%u", ntohs(port));
	if (opts & PF_OPT_PORTNAMES)
		svc = getservbyport(port, proto);
	portname = (svc != NULL) ? svc->s_name : portnum;
	if (af == AF_INET)
		printf(":%s", portname);
	else
		printf("[%s]", portname);
}
/*
 * Print the sequence window of one state peer as "[seqlo + width]",
 * followed by "(+seqdiff)" when a sequence modulator is in effect.
 *
 * p - peer whose seqlo/seqhi/seqdiff are in network byte order
 *
 * Writes to stdout only.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	u_int32_t lo = ntohl(p->seqlo);
	u_int32_t width = ntohl(p->seqhi) - lo;	/* unsigned, wraps mod 2^32 */

	printf("[%u + %u]", lo, width);
	if (p->seqdiff)
		printf("(+%u)", ntohl(p->seqdiff));
}
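/*
 * Print a duration as "HH:MM:SS".  Helper for print_state(); the hours
 * field is not capped, so long-lived states print values above 23.
 */
static void
print_hms(u_int32_t secs)
{
	u_int32_t sec = secs % 60;
	u_int32_t min;

	secs /= 60;
	min = secs % 60;
	secs /= 60;
	printf("%.2u:%.2u:%.2u", secs, min, sec);
}

/*
 * Print one side of a state from key nk and, in parentheses, the same
 * side of key sk when the two keys differ in family, address, port or
 * routing domain (i.e. a translation is in effect).
 *
 * nk   - key printed first (wire key for outbound, stack key for inbound)
 * sk   - the other key
 * side - 0 or 1: which address/port slot of nk to print
 * afto - non-zero when the keys have different address families; the
 *        slots of sk are then swapped relative to nk
 * pn   - protocol name for service lookups, may be NULL
 * opts - PF_OPT_* flags passed through to print_host()
 */
static void
print_endpoint(struct pfsync_state_key *nk, struct pfsync_state_key *sk,
    int side, int afto, char *pn, int opts)
{
	int idx;

	print_host(&nk->addr[side], nk->port[side], nk->af, nk->rdomain,
	    pn, opts);
	if (nk->af != sk->af ||
	    PF_ANEQ(&nk->addr[side], &sk->addr[side], nk->af) ||
	    nk->port[side] != sk->port[side] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 1 - side : side;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}
}

/*
 * Print one state entry as "pfctl -s states" shows it: interface,
 * protocol, both endpoints (translations in parentheses), the per-side
 * state levels and, with PF_OPT_VERBOSE / PF_OPT_VERBOSE2, sequence
 * windows, age, counters, anchor/rule numbers, flags and the state id.
 *
 * s    - state as exported by the kernel.  For ICMP states one port slot
 *        of the key printed second is overwritten (see below), so *s is
 *        modified.
 * opts - PF_OPT_* flags
 *
 * Writes to stdout only.  Peer state levels are bounds-checked before
 * they index a name table; out-of-range values are printed numerically
 * rather than read past the table.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;
	char *pn = NULL;
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);

	/*
	 * Orient src/dst and sk/nk by direction.  ICMP has no ports, so the
	 * port slot of sk is brought in line with nk to keep print_endpoint()
	 * from reporting it as a translation.
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}

	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL) {
		pn = p->p_name;
		printf("%s ", pn);
	} else {
		printf("%u ", s->proto);
	}

	print_endpoint(nk, sk, 1, afto, pn, opts);
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_endpoint(nk, sk, 0, afto, pn, opts);

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		/* tcpstates[] has TCPS_TIME_WAIT + 1 entries */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT) {
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		} else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC) {
			printf(" PROXY:SRC\n");
		} else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST) {
			printf(" PROXY:DST\n");
		} else {
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		}
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];

		printf(" age ");
		print_hms(ntohl(s->creation));
		printf(", expires in ");
		print_hms(ntohl(s->expire));

		/* counters are byte arrays in big-endian order: copy, then swap */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    (unsigned long long)betoh64(packets[0]),
		    (unsigned long long)betoh64(packets[1]),
		    (unsigned long long)betoh64(bytes[0]),
		    (unsigned long long)betoh64(bytes[1]));
		/* an all-ones anchor/rule number means "none" */
		if (ntohl(s->anchor) != (u_int32_t)-1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != (u_int32_t)-1)
			printf(", rule %u", ntohl(s->rule));
		if (ntohs(s->state_flags) & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (ntohs(s->state_flags) & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		/* s->id is copied out rather than read in place, like the counters */
		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf(" id: %016llx creatorid: %08x",
		    (unsigned long long)betoh64(id), ntohl(s->creatorid));
		printf("\n");
	}
}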
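/*
 * Return the prefix length of netmask m: the number of leading one bits,
 * counted across all four 32-bit words in network byte order.
 *
 * m  - netmask
 * af - not consulted; all four words are scanned regardless (kept for
 *      interface compatibility)
 *
 * A non-contiguous mask yields the length of its leading run of ones.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int bits = 0;
	int word = 0;

	(void)af;

	/* whole words of ones first; 0xffffffff reads the same in any byte order */
	while (word < 4 && m->addr32[word] == 0xffffffff) {
		bits += 32;
		word++;
	}
	if (word < 4) {
		u_int32_t w = ntohl(m->addr32[word]);
		int i;

		/*
		 * Count the leading ones of the first partial word.  Shift an
		 * unsigned constant: 1 << 31 overflows int, which is undefined
		 * behaviour.  w is not all ones here, so the loop stops with
		 * i >= 0; the bound is kept as a belt-and-braces guard.
		 */
		for (i = 31; i >= 0 && (w & (1U << i)); i--)
			bits++;
	}
	return (bits);
}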