sbin/pfctl/pfctl_parser.c

*5d9ac2dcSdhartmei/*	$OpenBSD: pfctl_parser.c,v 1.68 2002/05/09 19:58:42 dhartmei Exp $ */
14a9b182Skjell
14a9b182Skjell/*
fd3c3a0cSderaadt * Copyright (c) 2001 Daniel Hartmeier
14a9b182Skjell * All rights reserved.
14a9b182Skjell *
14a9b182Skjell * Redistribution and use in source and binary forms, with or without
14a9b182Skjell * modification, are permitted provided that the following conditions
14a9b182Skjell * are met:
14a9b182Skjell *
14a9b182Skjell *    - Redistributions of source code must retain the above copyright
14a9b182Skjell *      notice, this list of conditions and the following disclaimer.
14a9b182Skjell *    - Redistributions in binary form must reproduce the above
14a9b182Skjell *      copyright notice, this list of conditions and the following
14a9b182Skjell *      disclaimer in the documentation and/or other materials provided
14a9b182Skjell *      with the distribution.
14a9b182Skjell *
14a9b182Skjell * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14a9b182Skjell * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
14a9b182Skjell * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14a9b182Skjell * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
5974bd37Sdhartmei * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
14a9b182Skjell * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
14a9b182Skjell * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14a9b182Skjell * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
14a9b182Skjell * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14a9b182Skjell * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
14a9b182Skjell * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
14a9b182Skjell * POSSIBILITY OF SUCH DAMAGE.
14a9b182Skjell *
14a9b182Skjell */
14a9b182Skjell
252d784aSderaadt#include <sys/types.h>
252d784aSderaadt#include <sys/socket.h>
252d784aSderaadt#include <net/if.h>
252d784aSderaadt#include <netinet/in.h>
6329fa59Sderaadt#include <netinet/in_systm.h>
6329fa59Sderaadt#include <netinet/ip.h>
6329fa59Sderaadt#include <netinet/ip_icmp.h>
30620b12Sfrantzen#include <netinet/icmp6.h>
55507ad0Sfrantzen#define TCPSTATES
55507ad0Sfrantzen#include <netinet/tcp_fsm.h>
252d784aSderaadt#include <net/pfvar.h>
9f13c6caSmillert#include <arpa/inet.h>
252d784aSderaadt
14a9b182Skjell#include <stdio.h>
14a9b182Skjell#include <stdlib.h>
14a9b182Skjell#include <string.h>
14a9b182Skjell#include <ctype.h>
14a9b182Skjell#include <netdb.h>
6329fa59Sderaadt#include <stdarg.h>
6329fa59Sderaadt#include <errno.h>
ff352a37Smarkus#include <err.h>
14a9b182Skjell
14a9b182Skjell#include "pfctl_parser.h"
14a9b182Skjell
ece4c078Smpechint		 unmask (struct pf_addr *, u_int8_t);
032e40b7Sdhartmeivoid		 print_addr (struct pf_addr_wrap *, struct pf_addr *, u_int8_t);
0eed2997Sdhartmeivoid		 print_host (struct pf_state_host *, u_int8_t, int);
6d5ce0fbSderaadtvoid		 print_seq (struct pf_state_peer *);
*5d9ac2dcSdhartmeivoid		 print_op (u_int8_t, const char *, const char *);
81a15e5dSderaadtvoid		 print_port (u_int8_t, u_int16_t, u_int16_t, char *);
*5d9ac2dcSdhartmeivoid		 print_uid (u_int8_t, uid_t, uid_t, const char *);
81a15e5dSderaadtvoid		 print_flags (u_int8_t);
14a9b182Skjell
81a15e5dSderaadtchar *tcpflags = "FSRPAU";
14a9b182Skjell
082ebc44Swilfriedstruct icmptypeent icmp_type[] = {
082ebc44Swilfried	{ "echoreq",	ICMP_ECHO },
082ebc44Swilfried	{ "echorep",	ICMP_ECHOREPLY },
082ebc44Swilfried	{ "unreach",	ICMP_UNREACH },
082ebc44Swilfried	{ "squench",	ICMP_SOURCEQUENCH },
082ebc44Swilfried	{ "redir",	ICMP_REDIRECT },
082ebc44Swilfried	{ "althost",	ICMP_ALTHOSTADDR },
082ebc44Swilfried	{ "routeradv",	ICMP_ROUTERADVERT },
082ebc44Swilfried	{ "routersol",	ICMP_ROUTERSOLICIT },
082ebc44Swilfried	{ "timex",	ICMP_TIMXCEED },
082ebc44Swilfried	{ "paramprob",	ICMP_PARAMPROB },
082ebc44Swilfried	{ "timereq",	ICMP_TSTAMP },
082ebc44Swilfried	{ "timerep",	ICMP_TSTAMPREPLY },
082ebc44Swilfried	{ "inforeq",	ICMP_IREQ },
082ebc44Swilfried	{ "inforep",	ICMP_IREQREPLY },
082ebc44Swilfried	{ "maskreq",	ICMP_MASKREQ },
02cbcc9eSwilfried	{ "maskrep",	ICMP_MASKREPLY },
02cbcc9eSwilfried	{ "trace",	ICMP_TRACEROUTE },
02cbcc9eSwilfried	{ "dataconv",	ICMP_DATACONVERR },
02cbcc9eSwilfried	{ "mobredir",	ICMP_MOBILE_REDIRECT },
02cbcc9eSwilfried	{ "ipv6-where",	ICMP_IPV6_WHEREAREYOU },
02cbcc9eSwilfried	{ "ipv6-here",	ICMP_IPV6_IAMHERE },
02cbcc9eSwilfried	{ "mobregreq",	ICMP_MOBILE_REGREQUEST },
02cbcc9eSwilfried	{ "mobregrep",	ICMP_MOBILE_REGREPLY },
02cbcc9eSwilfried	{ "skip",	ICMP_SKIP },
02cbcc9eSwilfried	{ "photuris",	ICMP_PHOTURIS }
02cbcc9eSwilfried
082ebc44Swilfried};
082ebc44Swilfried
30620b12Sfrantzenstruct icmptypeent icmp6_type[] = {
30620b12Sfrantzen	{ "unreach",	ICMP6_DST_UNREACH },
30620b12Sfrantzen	{ "toobig",	ICMP6_PACKET_TOO_BIG },
30620b12Sfrantzen	{ "timex",	ICMP6_TIME_EXCEEDED },
30620b12Sfrantzen	{ "paramprob",	ICMP6_PARAM_PROB },
30620b12Sfrantzen	{ "echoreq",	ICMP6_ECHO_REQUEST },
30620b12Sfrantzen	{ "echorep",	ICMP6_ECHO_REPLY },
30620b12Sfrantzen	{ "groupqry",	ICMP6_MEMBERSHIP_QUERY },
30620b12Sfrantzen	{ "listqry",	MLD6_LISTENER_QUERY },
30620b12Sfrantzen	{ "grouprep",	ICMP6_MEMBERSHIP_REPORT },
30620b12Sfrantzen	{ "listenrep",	MLD6_LISTENER_REPORT },
30620b12Sfrantzen	{ "groupterm",	ICMP6_MEMBERSHIP_REDUCTION },
30620b12Sfrantzen	{ "listendone", MLD6_LISTENER_DONE },
30620b12Sfrantzen	{ "routersol",	ND_ROUTER_SOLICIT },
30620b12Sfrantzen	{ "routeradv",	ND_ROUTER_ADVERT },
30620b12Sfrantzen	{ "neighbrsol", ND_NEIGHBOR_SOLICIT },
30620b12Sfrantzen	{ "neighbradv", ND_NEIGHBOR_ADVERT },
30620b12Sfrantzen	{ "redir",	ND_REDIRECT },
30620b12Sfrantzen	{ "routrrenum", ICMP6_ROUTER_RENUMBERING },
30620b12Sfrantzen	{ "wrureq",	ICMP6_WRUREQUEST },
30620b12Sfrantzen	{ "wrurep",	ICMP6_WRUREPLY },
30620b12Sfrantzen	{ "fqdnreq",	ICMP6_FQDN_QUERY },
30620b12Sfrantzen	{ "fqdnrep",	ICMP6_FQDN_REPLY },
30620b12Sfrantzen	{ "niqry",	ICMP6_NI_QUERY },
30620b12Sfrantzen	{ "nirep",	ICMP6_NI_REPLY },
30620b12Sfrantzen	{ "mtraceresp",	MLD6_MTRACE_RESP },
30620b12Sfrantzen	{ "mtrace",	MLD6_MTRACE }
30620b12Sfrantzen};
30620b12Sfrantzen
082ebc44Swilfriedstruct icmpcodeent icmp_code[] = {
082ebc44Swilfried	{ "net-unr",		ICMP_UNREACH,	ICMP_UNREACH_NET },
082ebc44Swilfried	{ "host-unr",		ICMP_UNREACH,	ICMP_UNREACH_HOST },
082ebc44Swilfried	{ "proto-unr",		ICMP_UNREACH,	ICMP_UNREACH_PROTOCOL },
082ebc44Swilfried	{ "port-unr",		ICMP_UNREACH,	ICMP_UNREACH_PORT },
082ebc44Swilfried	{ "needfrag",		ICMP_UNREACH,	ICMP_UNREACH_NEEDFRAG },
082ebc44Swilfried	{ "srcfail",		ICMP_UNREACH,	ICMP_UNREACH_SRCFAIL },
082ebc44Swilfried	{ "net-unk",		ICMP_UNREACH,	ICMP_UNREACH_NET_UNKNOWN },
082ebc44Swilfried	{ "host-unk",		ICMP_UNREACH,	ICMP_UNREACH_HOST_UNKNOWN },
082ebc44Swilfried	{ "isolate",		ICMP_UNREACH,	ICMP_UNREACH_ISOLATED },
082ebc44Swilfried	{ "net-prohib",		ICMP_UNREACH,	ICMP_UNREACH_NET_PROHIB },
082ebc44Swilfried	{ "host-prohib",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PROHIB },
082ebc44Swilfried	{ "net-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSNET },
082ebc44Swilfried	{ "host-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSHOST },
082ebc44Swilfried	{ "filter-prohib",	ICMP_UNREACH,	ICMP_UNREACH_FILTER_PROHIB },
082ebc44Swilfried	{ "host-preced",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PRECEDENCE },
082ebc44Swilfried	{ "cutoff-preced",	ICMP_UNREACH,	ICMP_UNREACH_PRECEDENCE_CUTOFF },
082ebc44Swilfried	{ "redir-net",		ICMP_REDIRECT,	ICMP_REDIRECT_NET },
082ebc44Swilfried	{ "redir-host",		ICMP_REDIRECT,	ICMP_REDIRECT_HOST },
082ebc44Swilfried	{ "redir-tos-net",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSNET },
082ebc44Swilfried	{ "redir-tos-host",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSHOST },
02cbcc9eSwilfried	{ "normal-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL },
02cbcc9eSwilfried	{ "common-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON },
082ebc44Swilfried	{ "transit",		ICMP_TIMXCEED,	ICMP_TIMXCEED_INTRANS },
082ebc44Swilfried	{ "reassemb",		ICMP_TIMXCEED,	ICMP_TIMXCEED_REASS },
082ebc44Swilfried	{ "badhead",		ICMP_PARAMPROB,	ICMP_PARAMPROB_ERRATPTR },
082ebc44Swilfried	{ "optmiss",		ICMP_PARAMPROB,	ICMP_PARAMPROB_OPTABSENT },
02cbcc9eSwilfried	{ "badlen",		ICMP_PARAMPROB,	ICMP_PARAMPROB_LENGTH },
02cbcc9eSwilfried	{ "unknown-ind",	ICMP_PHOTURIS,	ICMP_PHOTURIS_UNKNOWN_INDEX },
02cbcc9eSwilfried	{ "auth-fail",		ICMP_PHOTURIS,	ICMP_PHOTURIS_AUTH_FAILED },
02cbcc9eSwilfried	{ "decrypt-fail",	ICMP_PHOTURIS,	ICMP_PHOTURIS_DECRYPT_FAILED }
082ebc44Swilfried};
082ebc44Swilfried
30620b12Sfrantzenstruct icmpcodeent icmp6_code[] = {
1d32ee3bSdhartmei	{ "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN },
1d32ee3bSdhartmei	{ "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE },
30620b12Sfrantzen	{ "notnbr-unr",	ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR },
30620b12Sfrantzen	{ "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE },
30620b12Sfrantzen	{ "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR },
30620b12Sfrantzen	{ "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT },
30620b12Sfrantzen	{ "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT },
30620b12Sfrantzen	{ "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY },
30620b12Sfrantzen	{ "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER },
30620b12Sfrantzen	{ "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER },
30620b12Sfrantzen	{ "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK },
30620b12Sfrantzen	{ "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER }
30620b12Sfrantzen};
30620b12Sfrantzen
30620b12Sfrantzen
082ebc44Swilfriedstruct icmptypeent *
d14c53d7Swilfriedgeticmptypebynumber(u_int8_t type, u_int8_t af)
082ebc44Swilfried{
d77ee430Sdhartmei	unsigned i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for(i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if(type == icmp_type[i].type)
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for(i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if(type == icmp6_type[i].type)
30620b12Sfrantzen				 return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
082ebc44Swilfriedstruct icmptypeent *
d14c53d7Swilfriedgeticmptypebyname(char *w, u_int8_t af)
082ebc44Swilfried{
d77ee430Sdhartmei	unsigned i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for(i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if(!strcmp(w, icmp_type[i].name))
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for(i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if(!strcmp(w, icmp6_type[i].name))
30620b12Sfrantzen				return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
082ebc44Swilfriedstruct icmpcodeent *
d14c53d7Swilfriedgeticmpcodebynumber(u_int8_t type, u_int8_t code, u_int8_t af)
082ebc44Swilfried{
d77ee430Sdhartmei	unsigned i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for(i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    code == icmp_code[i].code)
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for(i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		   sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    code == icmp6_code[i].code)
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
082ebc44Swilfriedstruct icmpcodeent *
d14c53d7Swilfriedgeticmpcodebyname(u_long type, char *w, u_int8_t af)
082ebc44Swilfried{
d77ee430Sdhartmei	unsigned i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for(i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp_code[i].name))
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for(i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		    sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp6_code[i].name))
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
30620b12Sfrantzen}
30620b12Sfrantzen
30620b12Sfrantzenint
ece4c078Smpechunmask(struct pf_addr *m, u_int8_t af)
30620b12Sfrantzen{
30620b12Sfrantzen	int i = 31, j = 0, b = 0, msize;
30620b12Sfrantzen	u_int32_t tmp;
30620b12Sfrantzen
30620b12Sfrantzen	if (af == AF_INET)
30620b12Sfrantzen		msize = 1;
30620b12Sfrantzen	else
30620b12Sfrantzen		msize = 4;
30620b12Sfrantzen	while (j < msize && m->addr32[j] == 0xffffffff) {
30620b12Sfrantzen			b += 32;
30620b12Sfrantzen			j++;
30620b12Sfrantzen	}
30620b12Sfrantzen	if (j < msize) {
30620b12Sfrantzen		tmp = ntohl(m->addr32[j]);
30620b12Sfrantzen		for (i = 31; tmp & (1 << i); --i)
30620b12Sfrantzen			b++;
30620b12Sfrantzen	}
30620b12Sfrantzen	return (b);
082ebc44Swilfried}
082ebc44Swilfried
81a15e5dSderaadtvoid
032e40b7Sdhartmeiprint_addr(struct pf_addr_wrap *addr, struct pf_addr *mask, u_int8_t af)
14a9b182Skjell{
30620b12Sfrantzen	char buf[48];
30620b12Sfrantzen
032e40b7Sdhartmei	if (addr->addr_dyn != NULL)
032e40b7Sdhartmei		printf("(%s)", addr->addr.pfa.ifname);
032e40b7Sdhartmei	else {
032e40b7Sdhartmei		if (inet_ntop(af, &addr->addr, buf, sizeof(buf)) == NULL)
ded7153fSdhartmei			printf("?");
ded7153fSdhartmei		else
ded7153fSdhartmei			printf("%s", buf);
032e40b7Sdhartmei	}
30620b12Sfrantzen	if (mask != NULL) {
032e40b7Sdhartmei		int bits = unmask(mask, af);
032e40b7Sdhartmei
032e40b7Sdhartmei		if (bits != (af == AF_INET ? 32 : 128))
032e40b7Sdhartmei			printf("/%u", bits);
30620b12Sfrantzen	}
14a9b182Skjell}
14a9b182Skjell
81a15e5dSderaadtvoid
0eed2997Sdhartmeiprint_name(struct pf_addr *addr, struct pf_addr *mask, int af)
0eed2997Sdhartmei{
0eed2997Sdhartmei	char buf[48];
0eed2997Sdhartmei	struct hostent *hp;
0eed2997Sdhartmei
ded7153fSdhartmei	if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL)
ded7153fSdhartmei		printf("?");
ded7153fSdhartmei	else {
ded7153fSdhartmei		hp = getpfhostname(buf);
0eed2997Sdhartmei		printf("%s", hp->h_name);
ded7153fSdhartmei	}
0eed2997Sdhartmei	if (mask != NULL) {
032e40b7Sdhartmei
0eed2997Sdhartmei		if (!PF_AZERO(mask, af))
0eed2997Sdhartmei			printf("/%u", unmask(mask, af));
0eed2997Sdhartmei	}
0eed2997Sdhartmei}
0eed2997Sdhartmei
0eed2997Sdhartmeivoid
0eed2997Sdhartmeiprint_host(struct pf_state_host *h, u_int8_t af, int opts)
14a9b182Skjell{
14a9b182Skjell	u_int16_t p = ntohs(h->port);
81a15e5dSderaadt
0eed2997Sdhartmei	if (opts & PF_OPT_USEDNS)
0eed2997Sdhartmei		print_name(&h->addr, NULL, af);
032e40b7Sdhartmei	else {
032e40b7Sdhartmei		struct pf_addr_wrap aw;
032e40b7Sdhartmei
032e40b7Sdhartmei		aw.addr = h->addr;
032e40b7Sdhartmei		aw.addr_dyn = NULL;
032e40b7Sdhartmei		print_addr(&aw, NULL, af);
032e40b7Sdhartmei	}
0eed2997Sdhartmei
80edb1f0Sdhartmei	if (p) {
30620b12Sfrantzen		if (af == AF_INET)
30620b12Sfrantzen			printf(":%u", p);
30620b12Sfrantzen		else
30620b12Sfrantzen			printf("[%u]", p);
14a9b182Skjell	}
80edb1f0Sdhartmei}
14a9b182Skjell
30620b12Sfrantzen
81a15e5dSderaadtvoid
6d5ce0fbSderaadtprint_seq(struct pf_state_peer *p)
14a9b182Skjell{
b96c47abSfrantzen	if (p->seqdiff)
b96c47abSfrantzen		printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
b96c47abSfrantzen		    p->seqdiff);
b96c47abSfrantzen	else
14a9b182Skjell		printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
14a9b182Skjell}
14a9b182Skjell
81a15e5dSderaadtvoid
*5d9ac2dcSdhartmeiprint_op(u_int8_t op, const char *a1, const char *a2)
*5d9ac2dcSdhartmei{
*5d9ac2dcSdhartmei	if (op == PF_OP_IRG)
*5d9ac2dcSdhartmei		printf("%s >< %s ", a1, a2);
*5d9ac2dcSdhartmei	else if (op == PF_OP_XRG)
*5d9ac2dcSdhartmei		printf("%s <> %s ", a1, a2);
*5d9ac2dcSdhartmei	else if (op == PF_OP_EQ) {
*5d9ac2dcSdhartmei		printf("= %s ", a1);
*5d9ac2dcSdhartmei	} else if (op == PF_OP_NE) {
*5d9ac2dcSdhartmei		printf("!= %s ", a1);
*5d9ac2dcSdhartmei	} else if (op == PF_OP_LT)
*5d9ac2dcSdhartmei		printf("< %s ", a1);
*5d9ac2dcSdhartmei	else if (op == PF_OP_LE)
*5d9ac2dcSdhartmei		printf("<= %s ", a1);
*5d9ac2dcSdhartmei	else if (op == PF_OP_GT)
*5d9ac2dcSdhartmei		printf("> %s ", a1);
*5d9ac2dcSdhartmei	else if (op == PF_OP_GE)
*5d9ac2dcSdhartmei		printf(">= %s ", a1);
*5d9ac2dcSdhartmei}
*5d9ac2dcSdhartmei
*5d9ac2dcSdhartmeivoid
14a9b182Skjellprint_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto)
14a9b182Skjell{
*5d9ac2dcSdhartmei	char a1[5], a2[5];
14a9b182Skjell	struct servent *s = getservbyport(p1, proto);
81a15e5dSderaadt
14a9b182Skjell	p1 = ntohs(p1);
14a9b182Skjell	p2 = ntohs(p2);
*5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", p1);
*5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", p2);
14a9b182Skjell	printf("port ");
*5d9ac2dcSdhartmei	if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE))
*5d9ac2dcSdhartmei		print_op(op, s->s_name, a2);
14a9b182Skjell	else
*5d9ac2dcSdhartmei		print_op(op, a1, a2);
*5d9ac2dcSdhartmei}
*5d9ac2dcSdhartmei
*5d9ac2dcSdhartmeivoid
*5d9ac2dcSdhartmeiprint_uid(u_int8_t op, uid_t u1, uid_t u2, const char *t)
*5d9ac2dcSdhartmei{
*5d9ac2dcSdhartmei	char a1[5], a2[5];
*5d9ac2dcSdhartmei
*5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", u1);
*5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", u2);
*5d9ac2dcSdhartmei	printf("%s ", t);
*5d9ac2dcSdhartmei	if (u1 == UID_MAX && (op == PF_OP_EQ || op == PF_OP_NE))
*5d9ac2dcSdhartmei		print_op(op, "unknown", a2);
14a9b182Skjell	else
*5d9ac2dcSdhartmei		print_op(op, a1, a2);
14a9b182Skjell}
14a9b182Skjell
81a15e5dSderaadtvoid
14a9b182Skjellprint_flags(u_int8_t f)
14a9b182Skjell{
14a9b182Skjell	int i;
81a15e5dSderaadt
14a9b182Skjell	for (i = 0; i < 6; ++i)
14a9b182Skjell		if (f & (1 << i))
14a9b182Skjell			printf("%c", tcpflags[i]);
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
81a15e5dSderaadtprint_nat(struct pf_nat *n)
14a9b182Skjell{
f27db9bcSdhartmei	if (n->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("nat ");
28964e80Sdhartmei	if (n->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (n->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", n->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (n->af) {
032e40b7Sdhartmei		if (n->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (n->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(n->proto);
ab745e3bSmpech		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", n->proto);
80edb1f0Sdhartmei	}
28964e80Sdhartmei	printf("from ");
032e40b7Sdhartmei	if (!PF_AZERO(&n->saddr.addr, n->af) || !PF_AZERO(&n->smask, n->af)) {
28964e80Sdhartmei		if (n->snot)
14a9b182Skjell			printf("! ");
30620b12Sfrantzen		print_addr(&n->saddr, &n->smask, n->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
28964e80Sdhartmei	printf("to ");
032e40b7Sdhartmei	if (!PF_AZERO(&n->daddr.addr, n->af) || !PF_AZERO(&n->dmask, n->af)) {
05885aacSfrantzen		if (n->dnot)
28964e80Sdhartmei			printf("! ");
30620b12Sfrantzen		print_addr(&n->daddr, &n->dmask, n->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
f27db9bcSdhartmei	if (!n->no) {
28964e80Sdhartmei		printf("-> ");
30620b12Sfrantzen		print_addr(&n->raddr, NULL, n->af);
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
a3e657d0Sjasoniprint_binat(struct pf_binat *b)
a3e657d0Sjasoni{
f27db9bcSdhartmei	if (b->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("binat ");
a3e657d0Sjasoni	if (b->ifname[0]) {
a3e657d0Sjasoni		printf("on ");
a3e657d0Sjasoni		printf("%s ", b->ifname);
a3e657d0Sjasoni	}
032e40b7Sdhartmei	if (b->af) {
032e40b7Sdhartmei		if (b->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (b->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(b->proto);
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", b->proto);
a3e657d0Sjasoni	}
a3e657d0Sjasoni	printf("from ");
30620b12Sfrantzen	print_addr(&b->saddr, NULL, b->af);
a3e657d0Sjasoni	printf(" ");
a3e657d0Sjasoni	printf("to ");
032e40b7Sdhartmei	if (!PF_AZERO(&b->daddr.addr, b->af) || !PF_AZERO(&b->dmask, b->af)) {
a3e657d0Sjasoni		if (b->dnot)
a3e657d0Sjasoni			printf("! ");
30620b12Sfrantzen		print_addr(&b->daddr, &b->dmask, b->af);
a3e657d0Sjasoni		printf(" ");
a3e657d0Sjasoni	} else
a3e657d0Sjasoni		printf("any ");
f27db9bcSdhartmei	if (!b->no) {
a3e657d0Sjasoni	 	printf("-> ");
30620b12Sfrantzen		print_addr(&b->raddr, NULL, b->af);
f27db9bcSdhartmei	}
a3e657d0Sjasoni	printf("\n");
a3e657d0Sjasoni}
a3e657d0Sjasoni
a3e657d0Sjasonivoid
81a15e5dSderaadtprint_rdr(struct pf_rdr *r)
14a9b182Skjell{
f27db9bcSdhartmei	if (r->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("rdr ");
28964e80Sdhartmei	if (r->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (r->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", r->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (r->af) {
032e40b7Sdhartmei		if (r->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (r->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(r->proto);
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", r->proto);
e3d52469Smillert	}
28964e80Sdhartmei	printf("from ");
032e40b7Sdhartmei	if (!PF_AZERO(&r->saddr.addr, r->af) || !PF_AZERO(&r->smask, r->af)) {
28964e80Sdhartmei		if (r->snot)
28964e80Sdhartmei			printf("! ");
30620b12Sfrantzen		print_addr(&r->saddr, &r->smask, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
28964e80Sdhartmei	printf("to ");
032e40b7Sdhartmei	if (!PF_AZERO(&r->daddr.addr, r->af) || !PF_AZERO(&r->dmask, r->af)) {
e7bd5eebSdhartmei		if (r->dnot)
14a9b182Skjell			printf("! ");
30620b12Sfrantzen		print_addr(&r->daddr, &r->dmask, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
80edb1f0Sdhartmei	if (r->dport) {
cb07131dSkjell		printf("port %u", ntohs(r->dport));
cb07131dSkjell		if (r->opts & PF_DPORT_RANGE)
cb07131dSkjell			printf(":%u", ntohs(r->dport2));
80edb1f0Sdhartmei	}
f27db9bcSdhartmei	if (!r->no) {
cb07131dSkjell		printf(" -> ");
30620b12Sfrantzen		print_addr(&r->raddr, NULL, r->af);
28964e80Sdhartmei		printf(" ");
80edb1f0Sdhartmei		if (r->rport) {
14a9b182Skjell			printf("port %u", ntohs(r->rport));
cb07131dSkjell			if (r->opts & PF_RPORT_RANGE)
cb07131dSkjell				printf(":*");
80edb1f0Sdhartmei		}
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
bca2bf17Sdhartmeichar *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
bca2bf17Sdhartmeichar *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
99a73934Sderaadt
14a9b182Skjellvoid
81a15e5dSderaadtprint_status(struct pf_status *s)
14a9b182Skjell{
81a15e5dSderaadt
99a73934Sderaadt	time_t t = time(NULL);
99a73934Sderaadt	int i;
99a73934Sderaadt
ae58c8acSdhartmei	printf("Status: %s  Time: %u  Since: %u  Debug: ",
7f08579dSkjell	    s->running ? "Enabled" : "Disabled",
7f08579dSkjell	    t, s->since);
ae58c8acSdhartmei	switch (s->debug) {
ae58c8acSdhartmei		case 0:
ae58c8acSdhartmei			printf("None");
ae58c8acSdhartmei			break;
ae58c8acSdhartmei		case 1:
ae58c8acSdhartmei			printf("Urgent");
ae58c8acSdhartmei			break;
ae58c8acSdhartmei		case 2:
ae58c8acSdhartmei			printf("Misc");
ae58c8acSdhartmei			break;
ae58c8acSdhartmei	}
30620b12Sfrantzen	printf("\nBytes In IPv4: %-10llu  Bytes Out: %-10llu\n",
30620b12Sfrantzen	    s->bcounters[0][PF_IN], s->bcounters[0][PF_OUT]);
30620b12Sfrantzen	printf("         IPv6: %-10llu  Bytes Out: %-10llu\n",
30620b12Sfrantzen	    s->bcounters[1][PF_IN], s->bcounters[1][PF_OUT]);
30620b12Sfrantzen	printf("Inbound Packets IPv4:  Passed: %-10llu  Dropped: %-10llu\n",
30620b12Sfrantzen	    s->pcounters[0][PF_IN][PF_PASS],
30620b12Sfrantzen	    s->pcounters[0][PF_IN][PF_DROP]);
30620b12Sfrantzen	printf("                IPv6:  Passed: %-10llu  Dropped: %-10llu\n",
30620b12Sfrantzen	    s->pcounters[1][PF_IN][PF_PASS],
30620b12Sfrantzen	    s->pcounters[1][PF_IN][PF_DROP]);
30620b12Sfrantzen	printf("Outbound Packets IPv4: Passed: %-10llu  Dropped: %-10llu\n",
30620b12Sfrantzen	    s->pcounters[0][PF_OUT][PF_PASS],
30620b12Sfrantzen	    s->pcounters[0][PF_OUT][PF_DROP]);
30620b12Sfrantzen	printf("                 IPv6: Passed: %-10llu  Dropped: %-10llu\n",
30620b12Sfrantzen	    s->pcounters[1][PF_OUT][PF_PASS],
30620b12Sfrantzen	    s->pcounters[1][PF_OUT][PF_DROP]);
84976600Sderaadt	printf("States: %u\n", s->states);
84976600Sderaadt	printf("pf Counters\n");
bca2bf17Sdhartmei	for (i = 0; i < FCNT_MAX; i++)
184bf464Sderaadt		printf("%-25s %-8lld\n", pf_fcounters[i],
84976600Sderaadt		    s->fcounters[i]);
99a73934Sderaadt	printf("Counters\n");
99a73934Sderaadt	for (i = 0; i < PFRES_MAX; i++)
184bf464Sderaadt		printf("%-25s %-8lld\n", pf_reasons[i],
99a73934Sderaadt		    s->counters[i]);
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
fdd4db37Sdhartmeiprint_state(struct pf_state *s, int opts)
14a9b182Skjell{
6d5ce0fbSderaadt	struct pf_state_peer *src, *dst;
80edb1f0Sdhartmei	struct protoent *p;
14a9b182Skjell	u_int8_t hrs, min, sec;
252d784aSderaadt
14a9b182Skjell	if (s->direction == PF_OUT) {
14a9b182Skjell		src = &s->src;
14a9b182Skjell		dst = &s->dst;
14a9b182Skjell	} else {
14a9b182Skjell		src = &s->dst;
14a9b182Skjell		dst = &s->src;
14a9b182Skjell	}
80edb1f0Sdhartmei	if ((p = getprotobynumber(s->proto)) != NULL)
80edb1f0Sdhartmei		printf("%s ", p->p_name);
80edb1f0Sdhartmei	else
80edb1f0Sdhartmei		printf("%u ", s->proto);
30620b12Sfrantzen	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
30620b12Sfrantzen	    (s->lan.port != s->gwy.port)) {
0eed2997Sdhartmei		print_host(&s->lan, s->af, opts);
14a9b182Skjell		if (s->direction == PF_OUT)
14a9b182Skjell			printf(" -> ");
14a9b182Skjell		else
14a9b182Skjell			printf(" <- ");
14a9b182Skjell	}
0eed2997Sdhartmei	print_host(&s->gwy, s->af, opts);
14a9b182Skjell	if (s->direction == PF_OUT)
14a9b182Skjell		printf(" -> ");
14a9b182Skjell	else
14a9b182Skjell		printf(" <- ");
0eed2997Sdhartmei	print_host(&s->ext, s->af, opts);
14a9b182Skjell
b96c47abSfrantzen	printf("    ");
14a9b182Skjell	if (s->proto == IPPROTO_TCP) {
b96c47abSfrantzen		if (src->state <= TCPS_TIME_WAIT &&
b96c47abSfrantzen		    dst->state <= TCPS_TIME_WAIT) {
b96c47abSfrantzen			printf("   %s:%s\n", tcpstates[src->state],
55507ad0Sfrantzen			    tcpstates[dst->state]);
b96c47abSfrantzen		} else {
b96c47abSfrantzen			printf("   <BAD STATE LEVELS>\n");
b96c47abSfrantzen		}
fdd4db37Sdhartmei		if (opts & PF_OPT_VERBOSE) {
b96c47abSfrantzen			printf("   ");
14a9b182Skjell			print_seq(src);
14a9b182Skjell			printf("  ");
14a9b182Skjell			print_seq(dst);
14a9b182Skjell			printf("\n");
fdd4db37Sdhartmei		}
55507ad0Sfrantzen	} else {
b96c47abSfrantzen		printf("   %u:%u\n", src->state, dst->state);
14a9b182Skjell	}
14a9b182Skjell
fdd4db37Sdhartmei	if (opts & PF_OPT_VERBOSE) {
14a9b182Skjell		sec = s->creation % 60;
14a9b182Skjell		s->creation /= 60;
14a9b182Skjell		min = s->creation % 60;
14a9b182Skjell		s->creation /= 60;
14a9b182Skjell		hrs = s->creation;
55507ad0Sfrantzen		printf("   age %.2u:%.2u:%.2u", hrs, min, sec);
14a9b182Skjell		sec = s->expire % 60;
14a9b182Skjell		s->expire /= 60;
14a9b182Skjell		min = s->expire % 60;
14a9b182Skjell		s->expire /= 60;
14a9b182Skjell		hrs = s->expire;
14a9b182Skjell		printf(", expires in %.2u:%.2u:%.2u", hrs, min, sec);
ab06fc45Sdhartmei		printf(", %u pkts, %u bytes", s->packets, s->bytes);
ab06fc45Sdhartmei		if (s->rule.nr != USHRT_MAX)
ab06fc45Sdhartmei			printf(", rule %u", s->rule.nr);
ab06fc45Sdhartmei		printf("\n");
14a9b182Skjell	}
fdd4db37Sdhartmei}
14a9b182Skjell
14a9b182Skjellvoid
81a15e5dSderaadtprint_rule(struct pf_rule *r)
14a9b182Skjell{
78baf774Sdhartmei	printf("@%d ", r->nr);
8418a02fSprovos	if (r->action == PF_PASS)
14a9b182Skjell		printf("pass ");
b996d042Sdhartmei	else if (r->action == PF_DROP) {
14a9b182Skjell		printf("block ");
67d2a440Sprovos		if (r->rule_flag & PFRULE_RETURNRST)
14a9b182Skjell			printf("return-rst ");
b996d042Sdhartmei		else if (r->return_icmp) {
b996d042Sdhartmei			struct icmpcodeent *ic;
b996d042Sdhartmei
d14c53d7Swilfried			if (r->af != AF_INET6)
b996d042Sdhartmei				printf("return-icmp");
d14c53d7Swilfried			else
d14c53d7Swilfried				printf("return-icmp6");
b996d042Sdhartmei			ic = geticmpcodebynumber(r->return_icmp >> 8,
d14c53d7Swilfried			    r->return_icmp & 255, r->af);
d14c53d7Swilfried
d14c53d7Swilfried			if (ic == NULL)
d14c53d7Swilfried				printf("(%u) ", r->return_icmp & 255);
0eed2997Sdhartmei			else if ((r->af != AF_INET6 && ic->code !=
0eed2997Sdhartmei			    ICMP_UNREACH_PORT) ||
0eed2997Sdhartmei			    (r->af == AF_INET6 && ic->code !=
0eed2997Sdhartmei			    ICMP6_DST_UNREACH_NOPORT))
b996d042Sdhartmei				printf("(%s) ", ic->name);
b996d042Sdhartmei			else
b996d042Sdhartmei				printf(" ");
b996d042Sdhartmei		}
b996d042Sdhartmei	} else
b996d042Sdhartmei		printf("scrub ");
14a9b182Skjell	if (r->direction == 0)
14a9b182Skjell		printf("in ");
14a9b182Skjell	else
14a9b182Skjell		printf("out ");
7242ce7aSdhartmei	if (r->log == 1)
14a9b182Skjell		printf("log ");
7242ce7aSdhartmei	else if (r->log == 2)
7242ce7aSdhartmei		printf("log-all ");
14a9b182Skjell	if (r->quick)
14a9b182Skjell		printf("quick ");
14a9b182Skjell	if (r->ifname[0])
14a9b182Skjell		printf("on %s ", r->ifname);
cb3a4e31Sjasoni	if (r->rt) {
cb3a4e31Sjasoni		if (r->rt == PF_ROUTETO)
cb3a4e31Sjasoni			printf("route-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_DUPTO)
cb3a4e31Sjasoni			printf("dup-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_FASTROUTE)
cb3a4e31Sjasoni			printf("fastroute");
cb3a4e31Sjasoni		if (r->rt_ifname[0])
cb3a4e31Sjasoni			printf("%s", r->rt_ifname);
cb3a4e31Sjasoni		if (r->af && !PF_AZERO(&r->rt_addr, r->af)) {
032e40b7Sdhartmei			struct pf_addr_wrap aw;
032e40b7Sdhartmei
032e40b7Sdhartmei			aw.addr = r->rt_addr;
032e40b7Sdhartmei			aw.addr_dyn = NULL;
cb3a4e31Sjasoni			printf(":");
032e40b7Sdhartmei			print_addr(&aw, NULL, r->af);
cb3a4e31Sjasoni		}
cb3a4e31Sjasoni		printf(" ");
cb3a4e31Sjasoni	}
30620b12Sfrantzen	if (r->af) {
30620b12Sfrantzen		if (r->af == AF_INET)
30620b12Sfrantzen			printf("inet ");
30620b12Sfrantzen		else
30620b12Sfrantzen			printf("inet6 ");
30620b12Sfrantzen	}
14a9b182Skjell	if (r->proto) {
14a9b182Skjell		struct protoent *p = getprotobynumber(r->proto);
14a9b182Skjell		if (p != NULL)
14a9b182Skjell			printf("proto %s ", p->p_name);
14a9b182Skjell		else
14a9b182Skjell			printf("proto %u ", r->proto);
14a9b182Skjell	}
032e40b7Sdhartmei	if (PF_AZERO(&r->src.addr.addr, AF_INET6) &&
30620b12Sfrantzen	    PF_AZERO(&r->src.mask, AF_INET6) &&
3cb9a5b2Smickey	    !r->src.noroute && !r->dst.noroute &&
032e40b7Sdhartmei	    !r->src.port_op && PF_AZERO(&r->dst.addr.addr, AF_INET6) &&
30620b12Sfrantzen	    PF_AZERO(&r->dst.mask, AF_INET6) && !r->dst.port_op)
14a9b182Skjell		printf("all ");
14a9b182Skjell	else {
14a9b182Skjell		printf("from ");
3cb9a5b2Smickey		if (r->src.noroute)
3cb9a5b2Smickey			printf("no-route ");
032e40b7Sdhartmei		else if (PF_AZERO(&r->src.addr.addr, AF_INET6) &&
30620b12Sfrantzen		    PF_AZERO(&r->src.mask, AF_INET6))
14a9b182Skjell			printf("any ");
14a9b182Skjell		else {
14a9b182Skjell			if (r->src.not)
14a9b182Skjell				printf("! ");
30620b12Sfrantzen			print_addr(&r->src.addr, &r->src.mask, r->af);
14a9b182Skjell			printf(" ");
14a9b182Skjell		}
14a9b182Skjell		if (r->src.port_op)
14a9b182Skjell			print_port(r->src.port_op, r->src.port[0],
5df8e51cSsmart			    r->src.port[1],
5df8e51cSsmart			    r->proto == IPPROTO_TCP ? "tcp" : "udp");
14a9b182Skjell
14a9b182Skjell		printf("to ");
3cb9a5b2Smickey		if (r->dst.noroute)
3cb9a5b2Smickey			printf("no-route ");
032e40b7Sdhartmei		else if (PF_AZERO(&r->dst.addr.addr, AF_INET6) &&
30620b12Sfrantzen		    PF_AZERO(&r->dst.mask, AF_INET6))
14a9b182Skjell			printf("any ");
14a9b182Skjell		else {
14a9b182Skjell			if (r->dst.not)
14a9b182Skjell				printf("! ");
30620b12Sfrantzen			print_addr(&r->dst.addr, &r->dst.mask, r->af);
14a9b182Skjell			printf(" ");
14a9b182Skjell		}
14a9b182Skjell		if (r->dst.port_op)
14a9b182Skjell			print_port(r->dst.port_op, r->dst.port[0],
5df8e51cSsmart			    r->dst.port[1],
5df8e51cSsmart			    r->proto == IPPROTO_TCP ? "tcp" : "udp");
14a9b182Skjell	}
*5d9ac2dcSdhartmei	if (r->ruid.op) {
*5d9ac2dcSdhartmei		print_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], "ruid");
*5d9ac2dcSdhartmei	}
*5d9ac2dcSdhartmei	if (r->euid.op) {
*5d9ac2dcSdhartmei		print_uid(r->euid.op, r->euid.uid[0], r->euid.uid[1], "euid");
*5d9ac2dcSdhartmei	}
14a9b182Skjell	if (r->flags || r->flagset) {
14a9b182Skjell		printf("flags ");
14a9b182Skjell		print_flags(r->flags);
14a9b182Skjell		printf("/");
14a9b182Skjell		print_flags(r->flagset);
14a9b182Skjell		printf(" ");
14a9b182Skjell	}
082ebc44Swilfried	if (r->type) {
082ebc44Swilfried		struct icmptypeent *p;
082ebc44Swilfried
d14c53d7Swilfried		p = geticmptypebynumber(r->type-1, r->af);
d14c53d7Swilfried		if (r->af != AF_INET6)
d14c53d7Swilfried			printf("icmp-type");
082ebc44Swilfried		else
d14c53d7Swilfried			printf("ipv6-icmp-type");
d14c53d7Swilfried		if (p != NULL)
d14c53d7Swilfried			printf(" %s ", p->name);
d14c53d7Swilfried		else
d14c53d7Swilfried			printf(" %u ", r->type-1);
082ebc44Swilfried		if (r->code) {
082ebc44Swilfried			struct icmpcodeent *p;
082ebc44Swilfried
d14c53d7Swilfried			p = geticmpcodebynumber(r->type-1, r->code-1, r->af);
082ebc44Swilfried			if (p != NULL)
082ebc44Swilfried				printf("code %s ", p->name);
082ebc44Swilfried			else
14a9b182Skjell				printf("code %u ", r->code-1);
082ebc44Swilfried		}
082ebc44Swilfried	}
b96c47abSfrantzen	if (r->keep_state == PF_STATE_NORMAL)
14a9b182Skjell		printf("keep state ");
b96c47abSfrantzen	else if (r->keep_state == PF_STATE_MODULATE)
b96c47abSfrantzen		printf("modulate state ");
6673dee2Sdhartmei	if (r->rule_flag & PFRULE_FRAGMENT)
6673dee2Sdhartmei		printf("fragment ");
67d2a440Sprovos	if (r->rule_flag & PFRULE_NODF)
67d2a440Sprovos		printf("no-df ");
e258bfd4Sprovos	if (r->min_ttl)
34c76dcbSprovos		printf("min-ttl %d ", r->min_ttl);
f48d62b3Sdhartmei	if (r->allow_opts)
f48d62b3Sdhartmei		printf("allow-opts ");
455ef0c1Sdhartmei	if (r->label[0])
455ef0c1Sdhartmei		printf("label %s", r->label);
67d2a440Sprovos
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
1f8f21bdSmillertint
ff352a37Smarkusparse_flags(char *s)
14a9b182Skjell{
ff352a37Smarkus	char *p, *q;
14a9b182Skjell	u_int8_t f = 0;
81a15e5dSderaadt
ff352a37Smarkus	for (p = s; *p; p++) {
ff352a37Smarkus		if ((q = strchr(tcpflags, *p)) == NULL)
ff352a37Smarkus			return -1;
ff352a37Smarkus		else
ff352a37Smarkus			f |= 1 << (q - tcpflags);
14a9b182Skjell	}
dbfb98deSprovos	return (f ? f : 63);
14a9b182Skjell}
0eed2997Sdhartmei
0eed2997Sdhartmeistruct hostent *
0eed2997Sdhartmeigetpfhostname(const char *addr_str)
0eed2997Sdhartmei{
1feb912bSdhartmei	in_addr_t		 addr_num;
0eed2997Sdhartmei	struct hostent		*hp;
0eed2997Sdhartmei	static struct hostent	 myhp;
0eed2997Sdhartmei
0eed2997Sdhartmei	addr_num = inet_addr(addr_str);
0eed2997Sdhartmei	if (addr_num == INADDR_NONE) {
0eed2997Sdhartmei		myhp.h_name = (char *)addr_str;
0eed2997Sdhartmei		hp = &myhp;
0eed2997Sdhartmei		return (hp);
0eed2997Sdhartmei	}
0eed2997Sdhartmei	hp = gethostbyaddr((char *)&addr_num, sizeof(addr_num), AF_INET);
0eed2997Sdhartmei	if (hp == NULL) {
0eed2997Sdhartmei		myhp.h_name = (char *)addr_str;
0eed2997Sdhartmei		hp = &myhp;
0eed2997Sdhartmei	}
0eed2997Sdhartmei	return (hp);
0eed2997Sdhartmei}