/* $OpenBSD: pf_print_state.c,v 1.64 2015/01/21 21:50:33 deraadt Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
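*/

#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/in.h>
#include <netinet/tcp_fsm.h>
#include <arpa/inet.h>
#include <net/pfvar.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper on stdout in pfctl's rule syntax: a dynamic
 * interface "(ifname:flags)", a table "<name>", an address range
 * "a - b", an address with an optional "/bits" mask, or one of the
 * special forms "any", "no-route", "urpf-failed" and "route \"label\"".
 * With verbose set, the dynamic-address count and the table count are
 * appended ("*" when unknown).  An unknown type prints "?".
 *
 * The "/bits" suffix is only emitted for the ADDRMASK and DYNIFTL
 * types, and only when the mask is narrower than the full width of af.
 * Strings taken from addr (ifname, tblname, rtlabelname) are printed with
 * %s and are assumed to be NUL-terminated by whoever filled the wrap.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/*
		 * Braced explicitly: the outer else belongs to "verbose",
		 * not to the count test, and a dangling-else reading of
		 * this has bitten before.
		 */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE: {
		/* 48 > INET6_ADDRSTRLEN; big enough for either family. */
		char buf[48];

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		/* For ranges the "mask" field carries the upper bound. */
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		/* Both address and mask all-zero (checked at v6 width) means "any". */
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits < (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the host name for addr (AF_INET or AF_INET6) on stdout, resolved
 * with getnameinfo(NI_NOFQDN).  host is pre-filled with "?" so an address
 * family this function does not handle prints "?".  The getnameinfo()
 * return value is not checked; on a failed lookup whatever is left in
 * host is printed (presumably still "?", but that depends on the resolver).
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN);
		break;
	}
	}
	printf("%s", host);
}

/*
 * Print one endpoint of a state on stdout: an optional "(rdomain) "
 * prefix, then the address (a resolved name when PF_OPT_USEDNS is set,
 * otherwise the literal address), then the port if non-zero.
 *
 * addr	 the endpoint address
 * port	 port in network byte order; 0 means "no port"
 * af	 address family; anything other than AF_INET is printed as AF_INET6
 * rdom	 routing domain in network byte order; 0 is not printed
 * proto protocol name for getservbyport(), may be NULL (any protocol)
 * opts	 PF_OPT_* flags (PF_OPT_USEDNS, PF_OPT_PORTNAMES, PF_OPT_VERBOSE2)
 *
 * The port is printed as ":port" for IPv4 and "[port]" for IPv6; with
 * PF_OPT_PORTNAMES the service name replaces the number when one is known.
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, u_int16_t rdom,
    const char *proto, int opts)
{
	struct servent *s = NULL;
	char ps[6];		/* "65535" plus NUL */

	if (rdom)
		printf("(%u) ", ntohs(rdom));

	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		/* Wrap the bare address with a host mask so print_addr()
		 * prints it without a "/bits" suffix. */
		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		snprintf(ps, sizeof(ps), "%u", ntohs(port));
		if (opts & PF_OPT_PORTNAMES)
			s = getservbyport(port, proto);
		if (af == AF_INET)
			printf(":%s", s ? s->s_name : ps);
		else
			printf("[%s]", s ? s->s_name : ps);
	}
}

/*
 * Print a peer's TCP sequence window on stdout as "[seqlo + width]",
 * followed by "(+seqdiff)" when a sequence modulator offset is set.
 * All fields are converted from network byte order.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

/*
 * Print one pfsync state on stdout in "pfctl -s state" format:
 *
 *   ifname proto host1 [(translated)] -> host2 [(translated)] state:state
 *
 * followed, with PF_OPT_VERBOSE, by a line with the sequence windows
 * (TCP only) and a line with age, expiry, counters, rule/anchor numbers
 * and flags, and with PF_OPT_VERBOSE2 by the state id and creator id.
 *
 * Which of the two keys counts as "wire" and "stack" depends on
 * s->direction.  For ICMP/ICMPv6 the port of the stack key is overwritten
 * from the wire key, i.e. this function modifies *s.  When the two keys
 * differ (address family, address, port or rdomain), the translated
 * endpoint is printed in parentheses; with an address-family translation
 * (afto) the index into the stack key is swapped.
 *
 * Everything printed comes from the kernel-provided state and is passed
 * to printf() as arguments of fixed format strings; s->ifname is printed
 * with %s and is relied on to be NUL-terminated.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;
	char *pn = NULL;
	/* unsigned so they match the %u conversions below */
	u_int32_t min, sec;
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;

	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL) {
		pn = p->p_name;
		printf("%s ", pn);
	} else
		printf("%u ", s->proto);

	/* pn stays NULL for an unknown protocol; getservbyport() then
	 * matches any protocol. */
	print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, pn, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, pn, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}

	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		/* Bounds check before indexing tcpstates[]: state values
		 * above TCPS_TIME_WAIT are pf's proxy pseudo-states. */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* ICMP, or a state level without a name: print raw numbers. */
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* creation/expire are in seconds; split into h:m:s. */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf(" age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* The counters are unaligned byte arrays in the wire
		 * struct; copy them out before byte-swapping. */
		memcpy(&packets[0], s->packets[0], sizeof(u_int64_t));
		memcpy(&packets[1], s->packets[1], sizeof(u_int64_t));
		memcpy(&bytes[0], s->bytes[0], sizeof(u_int64_t));
		memcpy(&bytes[1], s->bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
		/* 0xffffffff marks "no rule"/"no anchor". */
		if (ntohl(s->anchor) != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != -1)
			printf(", rule %u", ntohl(s->rule));
		if (ntohs(s->state_flags) & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (ntohs(s->state_flags) & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		memcpy(&id, &s->id, sizeof(u_int64_t));
		printf(" id: %016llx creatorid: %08x",
		    betoh64(id), ntohl(s->creatorid));
		printf("\n");
	}
}

/*
 * Return the prefix length of the network mask m: the number of leading
 * one bits, counting whole all-ones words first and then the leading
 * ones of the first word that is not all ones.  Trailing words are not
 * examined, so a non-contiguous mask is reported as if it were contiguous.
 * af is accepted for interface compatibility and is not used.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i, j = 0, b = 0;
	u_int32_t tmp;

	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		/*
		 * 1U, not 1: shifting a signed 1 into bit 31 is undefined
		 * behaviour.  The loop terminates because this word is not
		 * all ones, so a zero bit is reached before i goes negative.
		 */
		for (i = 31; tmp & (1U << i); --i)
			b++;
	}
	return (b);
}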