1 /* $OpenBSD: pf_print_state.c,v 1.51 2008/06/29 08:42:15 mcbride Exp $ */ 2 3 /* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 
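 *
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pf/pfvar.h>
#include <arpa/inet.h>
#include <inttypes.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper on stdout in pfctl's rule syntax.
 *
 * Dynamic interface addresses come out as "(ifname:flags)", tables as
 * "<name>", ranges as "lo - hi", the keyword forms as "any", "no-route",
 * "urpf-failed" and "route \"label\"", and plain address/mask pairs as
 * the address followed by "/bits" unless the mask is a full host mask.
 * With verbose set, the dynamic-address and table counters are shown
 * as well ("*" when unknown).  An address that inet_ntop() cannot
 * render is printed as "?".  Nothing is returned.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		/* Falls out of the switch so the mask suffix is printed too. */
		break;
	case PF_ADDR_TABLE:
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else {
			printf("<%s>", addr->v.tblname);
		}
		return;
	case PF_ADDR_RANGE: {
		/* Large enough for a textual IPv6 address (INET6_ADDRSTRLEN). */
		char buf[48];

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		/* For a range the "mask" field holds the upper bound. */
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6)) {
			printf("any");
		} else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/*
	 * Append "/bits" unless both address and mask are zero (that case
	 * was printed as "any" above) or the mask is the full host mask
	 * for the family.  Ranges have no mask.
	 */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		if (bits != (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-DNS name of an address on stdout.
 *
 * The lookup uses getnameinfo() with NI_NOFQDN (host part only).  If the
 * family is neither AF_INET nor AF_INET6, or the lookup fails, a "?" is
 * printed instead of whatever the lookup may have left in the buffer.
 * Note that this performs a blocking resolver query per call.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char his_host[NI_MAXHOST];
	int error = -1;

	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		error = getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    his_host, sizeof(his_host), NULL, 0, NI_NOFQDN);
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		error = getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    his_host, sizeof(his_host), NULL, 0, NI_NOFQDN);
		break;
	}
	default:
		break;
	}

	/* Unknown family or failed lookup: print a placeholder. */
	if (error != 0)
		strlcpy(his_host, "?", sizeof(his_host));
	printf("%s", his_host);
}

/*
 * Print one endpoint of a state: the address (as a name when
 * PF_OPT_USEDNS is set, otherwise numerically) followed by the port
 * when it is non-zero.  IPv4 ports are printed as ":port", other
 * families as "[port]".  port is in network byte order.
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	if (opts & PF_OPT_USEDNS) {
		print_name(addr, af);
	} else {
		struct pf_addr_wrap aw;

		/*
		 * Wrap the bare address as an address/mask pair with a full
		 * host mask so print_addr() prints it without a "/bits"
		 * suffix.  Anything that is not AF_INET is treated as
		 * AF_INET6 from here on.
		 */
		memset(&aw, 0, sizeof(aw));
		aw.type = PF_ADDR_ADDRMASK;	/* explicit; memset leaves 0 */
		aw.v.a.addr = *addr;
		if (af == AF_INET) {
			aw.v.a.mask.addr32[0] = 0xffffffff;
		} else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a peer's TCP sequence window as "[seqlo + len]" with "(+seqdiff)"
 * appended when a sequence modulator is active.  All fields are in
 * network byte order; the length is computed modulo 2^32.
 */
void
print_seq(struct pfsync_state_peer *p)
{
	u_int32_t seqlo = ntohl(p->seqlo);
	u_int32_t seqlen = ntohl(p->seqhi) - seqlo;

	if (p->seqdiff)
		printf("[%u + %u](+%u)", seqlo, seqlen, ntohl(p->seqdiff));
	else
		printf("[%u + %u]", seqlo, seqlen);
}

/*
 * Print a duration given in seconds as hours:minutes:seconds, each
 * field at least two digits.  Hours are not wrapped, so very long
 * durations simply widen the first field.
 */
static void
print_hms(u_int32_t secs)
{
	u_int32_t sec = secs % 60;
	u_int32_t min;

	secs /= 60;
	min = secs % 60;
	secs /= 60;
	printf("%.2u:%.2u:%.2u", secs, min, sec);
}

/*
 * Print one pfsync state entry on stdout in the format of
 * "pfctl -s states".
 *
 * The first line shows the interface, the protocol, the two endpoints
 * (with the other state key in parentheses when it differs, i.e. when
 * the state was translated), the direction arrow and the per-peer
 * protocol state.  PF_OPT_VERBOSE adds the TCP sequence windows, the
 * rule and anchor numbers, state flags, age, expiry and packet/byte
 * counters; PF_OPT_VERBOSE2 adds the state id, creator id and cpu id.
 *
 * Side effect: for ICMP/ICMPv6 states one port of the secondary key is
 * overwritten with the corresponding port of the primary key, so this
 * function writes to *s.
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;

	/*
	 * nk is the key printed first, sk the one shown in parentheses when
	 * it differs.  For inbound states the peers and keys are swapped
	 * relative to outbound ones.
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		/*
		 * Copies the ICMP id across the keys -- presumably so the
		 * comparison below does not report a translation that only
		 * reflects the id living in one key's port; note this
		 * modifies the state.
		 */
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}

	printf("%s ", s->ifname);
	if ((p = getprotobynumber(s->proto)) != NULL)
		printf("%s ", p->p_name);
	else
		printf("%u ", s->proto);

	/* Endpoint 1, with the other key's endpoint in parentheses if it differs. */
	print_host(&nk->addr[1], nk->port[1], s->af, opts);
	if (PF_ANEQ(&nk->addr[1], &sk->addr[1], s->af) ||
	    nk->port[1] != sk->port[1]) {
		printf(" (");
		print_host(&sk->addr[1], sk->port[1], s->af, opts);
		printf(")");
	}
	if (s->direction == PF_OUT)
		printf(" -> ");
	else
		printf(" <- ");
	/* Endpoint 0, same presentation. */
	print_host(&nk->addr[0], nk->port[0], s->af, opts);
	if (PF_ANEQ(&nk->addr[0], &sk->addr[0], s->af) ||
	    nk->port[0] != sk->port[0]) {
		printf(" (");
		print_host(&sk->addr[0], sk->port[0], s->af, opts);
		printf(")");
	}

	/* Per-peer protocol state, looked up only when both values are in range. */
	printf(" ");
	if (s->proto == IPPROTO_TCP) {
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* Out-of-range or ICMP: print the raw numbers. */
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		printf(" rule %u", ntohl(s->rule));
		/* An all-ones anchor number means "not in an anchor". */
		if (ntohl(s->anchor) != 0xffffffffU)
			printf(", anchor %u", ntohl(s->anchor));
		printf(", flags:");
		if (s->state_flags & PFSTATE_ALLOWOPTS)
			printf(" allowopts");
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(" sloppy");
		if (s->state_flags & PFSTATE_STACK_GLOBAL)
			printf(" global");
		if (s->state_flags & PFSTATE_CREATEINPROG)
			printf(" creating");
		if (s->state_flags & PFSTATE_HALF_DUPLEX)
			printf(" (TRANSLATION COLLISION)");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(" source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(" sticky-address");
		switch (s->pickup_mode) {
		case PF_PICKUPS_UNSPECIFIED:
			break;
		case PF_PICKUPS_DISABLED:
			printf(" no-pickups");
			break;
		case PF_PICKUPS_HASHONLY:
			printf(" hash-only");
			break;
		case PF_PICKUPS_ENABLED:
			printf(" pickups");
			break;
		default:
			break;
		}
		printf("\n");

		printf(" age ");
		print_hms(creation);
		printf(", expires in ");
		print_hms(expire);

		/*
		 * The counters are copied out of the pfsync record with
		 * memcpy rather than read in place, then converted from
		 * big-endian.
		 */
		memcpy(&packets[0], s->packets[0], sizeof(packets[0]));
		memcpy(&packets[1], s->packets[1], sizeof(packets[1]));
		memcpy(&bytes[0], s->bytes[0], sizeof(bytes[0]));
		memcpy(&bytes[1], s->bytes[1], sizeof(bytes[1]));
		printf(", %" PRIu64 ":%" PRIu64 " pkts, %" PRIu64 ":%"
		    PRIu64 " bytes\n",
		    be64toh(packets[0]),
		    be64toh(packets[1]),
		    be64toh(bytes[0]),
		    be64toh(bytes[1]));
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		memcpy(&id, &s->id, sizeof(id));
		/* %jx takes uintmax_t; cast keeps the format and argument in step. */
		printf(" id: %016jx creatorid: %08x cpuid: %-3d",
		    (uintmax_t)be64toh(id), ntohl(s->creatorid), s->cpuid);
		printf("\n");
	}
}

/*
 * Convert a network mask to its prefix length: count the leading one
 * bits across the four 32-bit words, in address order.  Whole words of
 * all ones are counted first; the first word that is not all ones is
 * scanned bit by bit from the most significant bit and the scan stops
 * at the first zero bit.
 *
 * af is unused: the scan stops at the first non-ones word, so a mask
 * with zeroed trailing words (as print_host() builds for AF_INET)
 * yields 0..32 and a full IPv6 mask yields 128.
 */
int
unmask(struct pf_addr *m, sa_family_t af __unused)
{
	int bits = 0;
	int word = 0;

	while (word < 4 && m->addr32[word] == 0xffffffff) {
		bits += 32;
		word++;
	}
	if (word < 4) {
		u_int32_t tmp = ntohl(m->addr32[word]);

		/*
		 * 1U, not 1: shifting a signed 1 into bit 31 is undefined
		 * behaviour.  The word is known not to be all ones here, so
		 * the loop stops before i goes negative; the i >= 0 guard
		 * is belt and braces.
		 */
		for (int i = 31; i >= 0 && (tmp & (1U << i)); --i)
			bits++;
	}
	return (bits);
}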