Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	sbin/pfctl/pf_print_state.c	Lines:	55	217	25.3 %
Date:	2017-11-07	Branches:	59	207	28.5 %


/*	$OpenBSD: pf_print_state.c,v 1.64 2015/01/21 21:50:33 deraadt Exp $	*/

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/in.h>
#include <netinet/tcp_fsm.h>
#include <arpa/inet.h>
#include <net/pfvar.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		if (verbose)
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE: {
		char buf[48];

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits < (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	}
	printf("%s", host);
}

void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, u_int16_t rdom,
    const char *proto, int opts)
{
	struct servent	*s = NULL;
	char		ps[6];

	if (rdom)
		printf("(%u) ", ntohs(rdom));

	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		snprintf(ps, sizeof(ps), "%u", ntohs(port));
		if (opts & PF_OPT_PORTNAMES)
			s = getservbyport(port, proto);
		if (af == AF_INET)
			printf(":%s", s ? s->s_name : ps);
		else
			printf("[%s]", s ? s->s_name : ps);
	}
}

void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;
	char *pn = NULL;
	int min, sec;
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL) {
		pn = p->p_name;
		printf("%s ", pn);
	} else
		printf("%u ", s->proto);

	print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, pn, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, pn, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}

	printf("    ");
	if (s->proto == IPPROTO_TCP) {
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf("   %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf("   PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf("   PROXY:DST\n");
		else
			printf("   <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("   ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else {
		printf("   %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
		if (ntohl(s->anchor) != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != -1)
			printf(", rule %u", ntohl(s->rule));
		if (ntohs(s->state_flags) & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (ntohs(s->state_flags) & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf("   id: %016llx creatorid: %08x",
		    betoh64(id), ntohl(s->creatorid));
		printf("\n");
	}
}

int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i = 31, j = 0, b = 0;
	u_int32_t tmp;

	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		for (i = 31; tmp & (1 << i); --i)
			b++;
	}
	return (b);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: pf_print_state.c,v 1.64 2015/01/21 21:50:33 deraadt Exp $ */
2
3			/*
4			* Copyright (c) 2001 Daniel Hartmeier
5			* All rights reserved.
6			*
7			* Redistribution and use in source and binary forms, with or without
8			* modification, are permitted provided that the following conditions
9			* are met:
10			*
11			* - Redistributions of source code must retain the above copyright
12			* notice, this list of conditions and the following disclaimer.
13			* - Redistributions in binary form must reproduce the above
14			* copyright notice, this list of conditions and the following
15			* disclaimer in the documentation and/or other materials provided
16			* with the distribution.
17			*
18			* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19			* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20			* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21			* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22			* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23			* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24			* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26			* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27			* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28			* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29			* POSSIBILITY OF SUCH DAMAGE.
30			*
31			*/
32
33			#include <sys/types.h>
34			#include <sys/socket.h>
35			#include <net/if.h>
36			#define TCPSTATES
37			#include <netinet/in.h>
38			#include <netinet/tcp_fsm.h>
39			#include <arpa/inet.h>
40			#include <net/pfvar.h>
41			#include <netdb.h>
42
43			#include <stdio.h>
44			#include <string.h>
45
46			#include "pfctl_parser.h"
47			#include "pfctl.h"
48
49			void print_name(struct pf_addr *, sa_family_t);
50
51			void
52			print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
53			{
54	✓✓✓✓ ✓✗✓✗	10658	switch (addr->type) {
55			case PF_ADDR_DYNIFTL:
56		439	printf("(%s", addr->v.ifname);
57	✓✓	439	if (addr->iflags & PFI_AFLAG_NETWORK)
58		30	printf(":network");
59	✓✓	439	if (addr->iflags & PFI_AFLAG_BROADCAST)
60		22	printf(":broadcast");
61	✓✓	439	if (addr->iflags & PFI_AFLAG_PEER)
62		38	printf(":peer");
63	✓✓	439	if (addr->iflags & PFI_AFLAG_NOALIAS)
64		223	printf(":0");
65	✓✓	439	if (verbose) {
66	✓✓	192	if (addr->p.dyncnt <= 0)
67		66	printf(":*");
68			else
69		126	printf(":%d", addr->p.dyncnt);
70			}
71		439	printf(")");
72		439	break;
73			case PF_ADDR_TABLE:
74	✓✓	299	if (verbose)
75	✓✓	141	if (addr->p.tblcnt == -1)
76		105	printf("<%s:*>", addr->v.tblname);
77			else
78		36	printf("<%s:%d>", addr->v.tblname,
79			addr->p.tblcnt);
80			else
81		158	printf("<%s>", addr->v.tblname);
82			return;
83			case PF_ADDR_RANGE: {
84		12	char buf[48];
85
86	✗✓	12	if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
87			printf("?");
88			else
89		12	printf("%s", buf);
90	✗✓	12	if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
91			printf(" - ?");
92			else
93		12	printf(" - %s", buf);
94			break;
95		12	}
96			case PF_ADDR_ADDRMASK:
97	✓✓✓✗ ✓✗✓✓ ✓✗	12052	if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
98	✓✓✓✗ ✓✗	6232	PF_AZERO(&addr->v.a.mask, AF_INET6))
99		1551	printf("any");
100			else {
101		2944	char buf[48];
102
103	✗✓	5888	if (inet_ntop(af, &addr->v.a.addr, buf,
104		2944	sizeof(buf)) == NULL)
105			printf("?");
106			else
107		2944	printf("%s", buf);
108		2944	}
109			break;
110			case PF_ADDR_NOROUTE:
111		76	printf("no-route");
112		76	return;
113			case PF_ADDR_URPFFAILED:
114			printf("urpf-failed");
115			return;
116			case PF_ADDR_RTLABEL:
117		8	printf("route \"%s\"", addr->v.rtlabelname);
118		8	return;
119			default:
120			printf("?");
121			return;
122			}
123
124			/* mask if not _both_ address and mask are zero */
125	✓✓✗✓	6497	if (addr->type != PF_ADDR_RANGE &&
126	✓✓✓✗ ✓✗✓✓	10940	!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
127	✓✓✓✗ ✓✗	6232	PF_AZERO(&addr->v.a.mask, AF_INET6))) {
128		3383	int bits = unmask(&addr->v.a.mask, af);
129
130	✓✓	3383	if (bits < (af == AF_INET ? 32 : 128))
131		997	printf("/%d", bits);
132		3383	}
133		5329	}
134
135			void
136			print_name(struct pf_addr *addr, sa_family_t af)
137			{
138			char host[NI_MAXHOST];
139
140			strlcpy(host, "?", sizeof(host));
141			switch (af) {
142			case AF_INET: {
143			struct sockaddr_in sin;
144
145			memset(&sin, 0, sizeof(sin));
146			sin.sin_len = sizeof(sin);
147			sin.sin_family = AF_INET;
148			sin.sin_addr = addr->v4;
149			getnameinfo((struct sockaddr *)&sin, sin.sin_len,
150			host, sizeof(host), NULL, 0, NI_NOFQDN);
151			break;
152			}
153			case AF_INET6: {
154			struct sockaddr_in6 sin6;
155
156			memset(&sin6, 0, sizeof(sin6));
157			sin6.sin6_len = sizeof(sin6);
158			sin6.sin6_family = AF_INET6;
159			sin6.sin6_addr = addr->v6;
160			getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
161			host, sizeof(host), NULL, 0, NI_NOFQDN);
162			break;
163			}
164			}
165			printf("%s", host);
166			}
167
168			void
169			print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, u_int16_t rdom,
170			const char *proto, int opts)
171			{
172			struct servent *s = NULL;
173			char ps[6];
174
175			if (rdom)
176			printf("(%u) ", ntohs(rdom));
177
178			if (opts & PF_OPT_USEDNS)
179			print_name(addr, af);
180			else {
181			struct pf_addr_wrap aw;
182
183			memset(&aw, 0, sizeof(aw));
184			aw.v.a.addr = *addr;
185			if (af == AF_INET)
186			aw.v.a.mask.addr32[0] = 0xffffffff;
187			else {
188			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
189			af = AF_INET6;
190			}
191			print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
192			}
193
194			if (port) {
195			snprintf(ps, sizeof(ps), "%u", ntohs(port));
196			if (opts & PF_OPT_PORTNAMES)
197			s = getservbyport(port, proto);
198			if (af == AF_INET)
199			printf(":%s", s ? s->s_name : ps);
200			else
201			printf("[%s]", s ? s->s_name : ps);
202			}
203			}
204
205			void
206			print_seq(struct pfsync_state_peer *p)
207			{
208			if (p->seqdiff)
209			printf("[%u + %u](+%u)", ntohl(p->seqlo),
210			ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
211			else
212			printf("[%u + %u]", ntohl(p->seqlo),
213			ntohl(p->seqhi) - ntohl(p->seqlo));
214			}
215
216			void
217			print_state(struct pfsync_state *s, int opts)
218			{
219			struct pfsync_state_peer src, dst;
220			struct pfsync_state_key sk, nk;
221			struct protoent *p;
222			char *pn = NULL;
223			int min, sec;
224			int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
225			int idx;
226
227			if (s->direction == PF_OUT) {
228			src = &s->src;
229			dst = &s->dst;
230			sk = &s->key[PF_SK_STACK];
231			nk = &s->key[PF_SK_WIRE];
232			if (s->proto == IPPROTO_ICMP \|\| s->proto == IPPROTO_ICMPV6)
233			sk->port[0] = nk->port[0];
234			} else {
235			src = &s->dst;
236			dst = &s->src;
237			sk = &s->key[PF_SK_WIRE];
238			nk = &s->key[PF_SK_STACK];
239			if (s->proto == IPPROTO_ICMP \|\| s->proto == IPPROTO_ICMPV6)
240			sk->port[1] = nk->port[1];
241			}
242			printf("%s ", s->ifname);
243			if ((p = getprotobynumber(s->proto)) != NULL) {
244			pn = p->p_name;
245			printf("%s ", pn);
246			} else
247			printf("%u ", s->proto);
248
249			print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, pn, opts);
250			if (nk->af != sk->af \|\| PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) \|\|
251			nk->port[1] != sk->port[1] \|\|
252			nk->rdomain != sk->rdomain) {
253			idx = afto ? 0 : 1;
254			printf(" (");
255			print_host(&sk->addr[idx], sk->port[idx], sk->af,
256			sk->rdomain, pn, opts);
257			printf(")");
258			}
259			if (s->direction == PF_OUT \|\| (afto && s->direction == PF_IN))
260			printf(" -> ");
261			else
262			printf(" <- ");
263			print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, pn, opts);
264			if (nk->af != sk->af \|\| PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) \|\|
265			nk->port[0] != sk->port[0] \|\|
266			nk->rdomain != sk->rdomain) {
267			idx = afto ? 1 : 0;
268			printf(" (");
269			print_host(&sk->addr[idx], sk->port[idx], sk->af,
270			sk->rdomain, pn, opts);
271			printf(")");
272			}
273
274			printf(" ");
275			if (s->proto == IPPROTO_TCP) {
276			if (src->state <= TCPS_TIME_WAIT &&
277			dst->state <= TCPS_TIME_WAIT)
278			printf(" %s:%s\n", tcpstates[src->state],
279			tcpstates[dst->state]);
280			else if (src->state == PF_TCPS_PROXY_SRC \|\|
281			dst->state == PF_TCPS_PROXY_SRC)
282			printf(" PROXY:SRC\n");
283			else if (src->state == PF_TCPS_PROXY_DST \|\|
284			dst->state == PF_TCPS_PROXY_DST)
285			printf(" PROXY:DST\n");
286			else
287			printf(" <BAD STATE LEVELS %u:%u>\n",
288			src->state, dst->state);
289			if (opts & PF_OPT_VERBOSE) {
290			printf(" ");
291			print_seq(src);
292			if (src->wscale && dst->wscale)
293			printf(" wscale %u",
294			src->wscale & PF_WSCALE_MASK);
295			printf(" ");
296			print_seq(dst);
297			if (src->wscale && dst->wscale)
298			printf(" wscale %u",
299			dst->wscale & PF_WSCALE_MASK);
300			printf("\n");
301			}
302			} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
303			dst->state < PFUDPS_NSTATES) {
304			const char *states[] = PFUDPS_NAMES;
305
306			printf(" %s:%s\n", states[src->state], states[dst->state]);
307			} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
308			src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
309			/* XXX ICMP doesn't really have state levels */
310			const char *states[] = PFOTHERS_NAMES;
311
312			printf(" %s:%s\n", states[src->state], states[dst->state]);
313			} else {
314			printf(" %u:%u\n", src->state, dst->state);
315			}
316
317			if (opts & PF_OPT_VERBOSE) {
318			u_int64_t packets[2];
319			u_int64_t bytes[2];
320			u_int32_t creation = ntohl(s->creation);
321			u_int32_t expire = ntohl(s->expire);
322
323			sec = creation % 60;
324			creation /= 60;
325			min = creation % 60;
326			creation /= 60;
327			printf(" age %.2u:%.2u:%.2u", creation, min, sec);
328			sec = expire % 60;
329			expire /= 60;
330			min = expire % 60;
331			expire /= 60;
332			printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
333
334			bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
335			bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
336			bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
337			bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
338			printf(", %llu:%llu pkts, %llu:%llu bytes",
339			betoh64(packets[0]),
340			betoh64(packets[1]),
341			betoh64(bytes[0]),
342			betoh64(bytes[1]));
343			if (ntohl(s->anchor) != -1)
344			printf(", anchor %u", ntohl(s->anchor));
345			if (ntohl(s->rule) != -1)
346			printf(", rule %u", ntohl(s->rule));
347			if (ntohs(s->state_flags) & PFSTATE_SLOPPY)
348			printf(", sloppy");
349			if (ntohs(s->state_flags) & PFSTATE_PFLOW)
350			printf(", pflow");
351			if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
352			printf(", source-track");
353			if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
354			printf(", sticky-address");
355			printf("\n");
356			}
357			if (opts & PF_OPT_VERBOSE2) {
358			u_int64_t id;
359
360			bcopy(&s->id, &id, sizeof(u_int64_t));
361			printf(" id: %016llx creatorid: %08x",
362			betoh64(id), ntohl(s->creatorid));
363			printf("\n");
364			}
365			}
366
367			int
368			unmask(struct pf_addr *m, sa_family_t af)
369			{
370			int i = 31, j = 0, b = 0;
371			u_int32_t tmp;
372
373	✓✓✓✓	50397	while (j < 4 && m->addr32[j] == 0xffffffff) {
374		8335	b += 32;
375		8335	j++;
376			}
377	✓✓	6635	if (j < 4) {
378		5487	tmp = ntohl(m->addr32[j]);
379	✓✓	79234	for (i = 31; tmp & (1 << i); --i)
380		34130	b++;
381			}
382		6635	return (b);
383			}