sbin/pfctl/pfctl_parser.c

*d0aca2f2Shenning/*	$OpenBSD: pfctl_parser.c,v 1.155 2003/05/14 00:56:38 henning Exp $ */
14a9b182Skjell
14a9b182Skjell/*
fd3c3a0cSderaadt * Copyright (c) 2001 Daniel Hartmeier
14a9b182Skjell * All rights reserved.
14a9b182Skjell *
14a9b182Skjell * Redistribution and use in source and binary forms, with or without
14a9b182Skjell * modification, are permitted provided that the following conditions
14a9b182Skjell * are met:
14a9b182Skjell *
14a9b182Skjell *    - Redistributions of source code must retain the above copyright
14a9b182Skjell *      notice, this list of conditions and the following disclaimer.
14a9b182Skjell *    - Redistributions in binary form must reproduce the above
14a9b182Skjell *      copyright notice, this list of conditions and the following
14a9b182Skjell *      disclaimer in the documentation and/or other materials provided
14a9b182Skjell *      with the distribution.
14a9b182Skjell *
14a9b182Skjell * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14a9b182Skjell * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
14a9b182Skjell * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14a9b182Skjell * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
5974bd37Sdhartmei * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
14a9b182Skjell * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
14a9b182Skjell * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14a9b182Skjell * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
14a9b182Skjell * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14a9b182Skjell * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
14a9b182Skjell * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
14a9b182Skjell * POSSIBILITY OF SUCH DAMAGE.
14a9b182Skjell *
14a9b182Skjell */
14a9b182Skjell
252d784aSderaadt#include <sys/types.h>
252d784aSderaadt#include <sys/socket.h>
252d784aSderaadt#include <net/if.h>
252d784aSderaadt#include <netinet/in.h>
6329fa59Sderaadt#include <netinet/in_systm.h>
6329fa59Sderaadt#include <netinet/ip.h>
6329fa59Sderaadt#include <netinet/ip_icmp.h>
30620b12Sfrantzen#include <netinet/icmp6.h>
252d784aSderaadt#include <net/pfvar.h>
9f13c6caSmillert#include <arpa/inet.h>
252d784aSderaadt
14a9b182Skjell#include <stdio.h>
14a9b182Skjell#include <stdlib.h>
14a9b182Skjell#include <string.h>
14a9b182Skjell#include <ctype.h>
14a9b182Skjell#include <netdb.h>
6329fa59Sderaadt#include <stdarg.h>
6329fa59Sderaadt#include <errno.h>
ff352a37Smarkus#include <err.h>
94e9410bShenning#include <ifaddrs.h>
14a9b182Skjell
14a9b182Skjell#include "pfctl_parser.h"
eb824e11Sderaadt#include "pfctl.h"
14a9b182Skjell
5d9ac2dcSdhartmeivoid		 print_op (u_int8_t, const char *, const char *);
132c30ccShenningvoid		 print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
1173271aScedricvoid		 print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
81a15e5dSderaadtvoid		 print_flags (u_int8_t);
15e76891Sdhartmeivoid		 print_fromto(struct pf_rule_addr *, struct pf_rule_addr *,
44f5ed0aScedric		    u_int8_t, u_int8_t, int);
14a9b182Skjell
f2370d27Shenningstruct node_host	*host_if(const char *, int);
383ebbbfShenningstruct node_host	*host_v4(const char *, int);
f2370d27Shenningstruct node_host	*host_v6(const char *, int);
f2370d27Shenningstruct node_host	*host_dns(const char *, int, int);
2a6c1abaShenning
361e311cShenningconst char *tcpflags = "FSRPAUEW";
14a9b182Skjell
7d27d81aSdhartmeistatic const struct icmptypeent icmp_type[] = {
082ebc44Swilfried	{ "echoreq",	ICMP_ECHO },
082ebc44Swilfried	{ "echorep",	ICMP_ECHOREPLY },
082ebc44Swilfried	{ "unreach",	ICMP_UNREACH },
082ebc44Swilfried	{ "squench",	ICMP_SOURCEQUENCH },
082ebc44Swilfried	{ "redir",	ICMP_REDIRECT },
082ebc44Swilfried	{ "althost",	ICMP_ALTHOSTADDR },
082ebc44Swilfried	{ "routeradv",	ICMP_ROUTERADVERT },
082ebc44Swilfried	{ "routersol",	ICMP_ROUTERSOLICIT },
082ebc44Swilfried	{ "timex",	ICMP_TIMXCEED },
082ebc44Swilfried	{ "paramprob",	ICMP_PARAMPROB },
082ebc44Swilfried	{ "timereq",	ICMP_TSTAMP },
082ebc44Swilfried	{ "timerep",	ICMP_TSTAMPREPLY },
082ebc44Swilfried	{ "inforeq",	ICMP_IREQ },
082ebc44Swilfried	{ "inforep",	ICMP_IREQREPLY },
082ebc44Swilfried	{ "maskreq",	ICMP_MASKREQ },
02cbcc9eSwilfried	{ "maskrep",	ICMP_MASKREPLY },
02cbcc9eSwilfried	{ "trace",	ICMP_TRACEROUTE },
02cbcc9eSwilfried	{ "dataconv",	ICMP_DATACONVERR },
02cbcc9eSwilfried	{ "mobredir",	ICMP_MOBILE_REDIRECT },
02cbcc9eSwilfried	{ "ipv6-where",	ICMP_IPV6_WHEREAREYOU },
02cbcc9eSwilfried	{ "ipv6-here",	ICMP_IPV6_IAMHERE },
02cbcc9eSwilfried	{ "mobregreq",	ICMP_MOBILE_REGREQUEST },
02cbcc9eSwilfried	{ "mobregrep",	ICMP_MOBILE_REGREPLY },
02cbcc9eSwilfried	{ "skip",	ICMP_SKIP },
02cbcc9eSwilfried	{ "photuris",	ICMP_PHOTURIS }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmptypeent icmp6_type[] = {
30620b12Sfrantzen	{ "unreach",	ICMP6_DST_UNREACH },
30620b12Sfrantzen	{ "toobig",	ICMP6_PACKET_TOO_BIG },
30620b12Sfrantzen	{ "timex",	ICMP6_TIME_EXCEEDED },
30620b12Sfrantzen	{ "paramprob",	ICMP6_PARAM_PROB },
30620b12Sfrantzen	{ "echoreq",	ICMP6_ECHO_REQUEST },
30620b12Sfrantzen	{ "echorep",	ICMP6_ECHO_REPLY },
30620b12Sfrantzen	{ "groupqry",	ICMP6_MEMBERSHIP_QUERY },
30620b12Sfrantzen	{ "listqry",	MLD6_LISTENER_QUERY },
30620b12Sfrantzen	{ "grouprep",	ICMP6_MEMBERSHIP_REPORT },
30620b12Sfrantzen	{ "listenrep",	MLD6_LISTENER_REPORT },
30620b12Sfrantzen	{ "groupterm",	ICMP6_MEMBERSHIP_REDUCTION },
30620b12Sfrantzen	{ "listendone", MLD6_LISTENER_DONE },
30620b12Sfrantzen	{ "routersol",	ND_ROUTER_SOLICIT },
30620b12Sfrantzen	{ "routeradv",	ND_ROUTER_ADVERT },
30620b12Sfrantzen	{ "neighbrsol", ND_NEIGHBOR_SOLICIT },
30620b12Sfrantzen	{ "neighbradv", ND_NEIGHBOR_ADVERT },
30620b12Sfrantzen	{ "redir",	ND_REDIRECT },
30620b12Sfrantzen	{ "routrrenum", ICMP6_ROUTER_RENUMBERING },
30620b12Sfrantzen	{ "wrureq",	ICMP6_WRUREQUEST },
30620b12Sfrantzen	{ "wrurep",	ICMP6_WRUREPLY },
30620b12Sfrantzen	{ "fqdnreq",	ICMP6_FQDN_QUERY },
30620b12Sfrantzen	{ "fqdnrep",	ICMP6_FQDN_REPLY },
30620b12Sfrantzen	{ "niqry",	ICMP6_NI_QUERY },
30620b12Sfrantzen	{ "nirep",	ICMP6_NI_REPLY },
30620b12Sfrantzen	{ "mtraceresp",	MLD6_MTRACE_RESP },
30620b12Sfrantzen	{ "mtrace",	MLD6_MTRACE }
30620b12Sfrantzen};
30620b12Sfrantzen
7d27d81aSdhartmeistatic const struct icmpcodeent icmp_code[] = {
082ebc44Swilfried	{ "net-unr",		ICMP_UNREACH,	ICMP_UNREACH_NET },
082ebc44Swilfried	{ "host-unr",		ICMP_UNREACH,	ICMP_UNREACH_HOST },
082ebc44Swilfried	{ "proto-unr",		ICMP_UNREACH,	ICMP_UNREACH_PROTOCOL },
082ebc44Swilfried	{ "port-unr",		ICMP_UNREACH,	ICMP_UNREACH_PORT },
082ebc44Swilfried	{ "needfrag",		ICMP_UNREACH,	ICMP_UNREACH_NEEDFRAG },
082ebc44Swilfried	{ "srcfail",		ICMP_UNREACH,	ICMP_UNREACH_SRCFAIL },
082ebc44Swilfried	{ "net-unk",		ICMP_UNREACH,	ICMP_UNREACH_NET_UNKNOWN },
082ebc44Swilfried	{ "host-unk",		ICMP_UNREACH,	ICMP_UNREACH_HOST_UNKNOWN },
082ebc44Swilfried	{ "isolate",		ICMP_UNREACH,	ICMP_UNREACH_ISOLATED },
082ebc44Swilfried	{ "net-prohib",		ICMP_UNREACH,	ICMP_UNREACH_NET_PROHIB },
082ebc44Swilfried	{ "host-prohib",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PROHIB },
082ebc44Swilfried	{ "net-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSNET },
082ebc44Swilfried	{ "host-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSHOST },
082ebc44Swilfried	{ "filter-prohib",	ICMP_UNREACH,	ICMP_UNREACH_FILTER_PROHIB },
082ebc44Swilfried	{ "host-preced",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PRECEDENCE },
082ebc44Swilfried	{ "cutoff-preced",	ICMP_UNREACH,	ICMP_UNREACH_PRECEDENCE_CUTOFF },
082ebc44Swilfried	{ "redir-net",		ICMP_REDIRECT,	ICMP_REDIRECT_NET },
082ebc44Swilfried	{ "redir-host",		ICMP_REDIRECT,	ICMP_REDIRECT_HOST },
082ebc44Swilfried	{ "redir-tos-net",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSNET },
082ebc44Swilfried	{ "redir-tos-host",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSHOST },
02cbcc9eSwilfried	{ "normal-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL },
02cbcc9eSwilfried	{ "common-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON },
082ebc44Swilfried	{ "transit",		ICMP_TIMXCEED,	ICMP_TIMXCEED_INTRANS },
082ebc44Swilfried	{ "reassemb",		ICMP_TIMXCEED,	ICMP_TIMXCEED_REASS },
082ebc44Swilfried	{ "badhead",		ICMP_PARAMPROB,	ICMP_PARAMPROB_ERRATPTR },
082ebc44Swilfried	{ "optmiss",		ICMP_PARAMPROB,	ICMP_PARAMPROB_OPTABSENT },
02cbcc9eSwilfried	{ "badlen",		ICMP_PARAMPROB,	ICMP_PARAMPROB_LENGTH },
02cbcc9eSwilfried	{ "unknown-ind",	ICMP_PHOTURIS,	ICMP_PHOTURIS_UNKNOWN_INDEX },
02cbcc9eSwilfried	{ "auth-fail",		ICMP_PHOTURIS,	ICMP_PHOTURIS_AUTH_FAILED },
02cbcc9eSwilfried	{ "decrypt-fail",	ICMP_PHOTURIS,	ICMP_PHOTURIS_DECRYPT_FAILED }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmpcodeent icmp6_code[] = {
1d32ee3bSdhartmei	{ "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN },
1d32ee3bSdhartmei	{ "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE },
30620b12Sfrantzen	{ "notnbr-unr",	ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR },
30620b12Sfrantzen	{ "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE },
30620b12Sfrantzen	{ "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR },
30620b12Sfrantzen	{ "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT },
30620b12Sfrantzen	{ "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT },
30620b12Sfrantzen	{ "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY },
30620b12Sfrantzen	{ "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER },
30620b12Sfrantzen	{ "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER },
30620b12Sfrantzen	{ "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK },
30620b12Sfrantzen	{ "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER }
30620b12Sfrantzen};
30620b12Sfrantzen
d593fb91Sdrahnconst struct pf_timeout pf_timeouts[] = {
d593fb91Sdrahn	{ "tcp.first",		PFTM_TCP_FIRST_PACKET },
d593fb91Sdrahn	{ "tcp.opening",	PFTM_TCP_OPENING },
d593fb91Sdrahn	{ "tcp.established",	PFTM_TCP_ESTABLISHED },
d593fb91Sdrahn	{ "tcp.closing",	PFTM_TCP_CLOSING },
d593fb91Sdrahn	{ "tcp.finwait",	PFTM_TCP_FIN_WAIT },
d593fb91Sdrahn	{ "tcp.closed",		PFTM_TCP_CLOSED },
d593fb91Sdrahn	{ "udp.first",		PFTM_UDP_FIRST_PACKET },
d593fb91Sdrahn	{ "udp.single",		PFTM_UDP_SINGLE },
d593fb91Sdrahn	{ "udp.multiple",	PFTM_UDP_MULTIPLE },
d593fb91Sdrahn	{ "icmp.first",		PFTM_ICMP_FIRST_PACKET },
d593fb91Sdrahn	{ "icmp.error",		PFTM_ICMP_ERROR_REPLY },
d593fb91Sdrahn	{ "other.first",	PFTM_OTHER_FIRST_PACKET },
d593fb91Sdrahn	{ "other.single",	PFTM_OTHER_SINGLE },
d593fb91Sdrahn	{ "other.multiple",	PFTM_OTHER_MULTIPLE },
d593fb91Sdrahn	{ "frag",		PFTM_FRAG },
d593fb91Sdrahn	{ "interval",		PFTM_INTERVAL },
a85e74a5Sdhartmei	{ "adaptive.start",	PFTM_ADAPTIVE_START },
a85e74a5Sdhartmei	{ "adaptive.end",	PFTM_ADAPTIVE_END },
d593fb91Sdrahn	{ NULL,			0 }
d593fb91Sdrahn};
d593fb91Sdrahn
7d27d81aSdhartmeiconst struct icmptypeent *
bb9f691eSmcbridegeticmptypebynumber(u_int8_t type, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int	i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
e4ebe044Shenning		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0]));
e4ebe044Shenning		    i++) {
082ebc44Swilfried			if (type == icmp_type[i].type)
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_type[i].type)
30620b12Sfrantzen				 return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmptypeent *
bb9f691eSmcbridegeticmptypebyname(char *w, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int	i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
e4ebe044Shenning		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0]));
e4ebe044Shenning		    i++) {
082ebc44Swilfried			if (!strcmp(w, icmp_type[i].name))
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (!strcmp(w, icmp6_type[i].name))
30620b12Sfrantzen				return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
bb9f691eSmcbridegeticmpcodebynumber(u_int8_t type, u_int8_t code, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int	i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
e4ebe044Shenning		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0]));
e4ebe044Shenning		    i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    code == icmp_code[i].code)
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		   sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    code == icmp6_code[i].code)
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
bb9f691eSmcbridegeticmpcodebyname(u_long type, char *w, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int	i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
e4ebe044Shenning		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0]));
e4ebe044Shenning		    i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp_code[i].name))
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		    sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp6_code[i].name))
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
30620b12Sfrantzen}
30620b12Sfrantzen
81a15e5dSderaadtvoid
5d9ac2dcSdhartmeiprint_op(u_int8_t op, const char *a1, const char *a2)
5d9ac2dcSdhartmei{
5d9ac2dcSdhartmei	if (op == PF_OP_IRG)
5d9ac2dcSdhartmei		printf("%s >< %s ", a1, a2);
5d9ac2dcSdhartmei	else if (op == PF_OP_XRG)
5d9ac2dcSdhartmei		printf("%s <> %s ", a1, a2);
1308506cShenning	else if (op == PF_OP_EQ)
5d9ac2dcSdhartmei		printf("= %s ", a1);
1308506cShenning	else if (op == PF_OP_NE)
5d9ac2dcSdhartmei		printf("!= %s ", a1);
1308506cShenning	else if (op == PF_OP_LT)
5d9ac2dcSdhartmei		printf("< %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_LE)
5d9ac2dcSdhartmei		printf("<= %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GT)
5d9ac2dcSdhartmei		printf("> %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GE)
5d9ac2dcSdhartmei		printf(">= %s ", a1);
8da4e377Smcbride	else if (op == PF_OP_RRG)
8da4e377Smcbride		printf("%s:%s ", a1, a2);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
132c30ccShenningprint_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
14a9b182Skjell{
e31d21c9Sdhartmei	char		 a1[6], a2[6];
e4ebe044Shenning	struct servent	*s;
81a15e5dSderaadt
e4ebe044Shenning	s = getservbyport(p1, proto);
14a9b182Skjell	p1 = ntohs(p1);
14a9b182Skjell	p2 = ntohs(p2);
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", p1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", p2);
14a9b182Skjell	printf("port ");
5d9ac2dcSdhartmei	if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE))
5d9ac2dcSdhartmei		print_op(op, s->s_name, a2);
14a9b182Skjell	else
5d9ac2dcSdhartmei		print_op(op, a1, a2);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
1173271aScedricprint_ugid(u_int8_t op, unsigned u1, unsigned u2, const char *t, unsigned umax)
5d9ac2dcSdhartmei{
d8fcd2dfSdhartmei	char	a1[11], a2[11];
5d9ac2dcSdhartmei
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", u1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", u2);
5d9ac2dcSdhartmei	printf("%s ", t);
1173271aScedric	if (u1 == umax && (op == PF_OP_EQ || op == PF_OP_NE))
c16ab608Sdhartmei		print_op(op, "unknown", a2);
c16ab608Sdhartmei	else
c16ab608Sdhartmei		print_op(op, a1, a2);
c16ab608Sdhartmei}
c16ab608Sdhartmei
c16ab608Sdhartmeivoid
14a9b182Skjellprint_flags(u_int8_t f)
14a9b182Skjell{
14a9b182Skjell	int	i;
81a15e5dSderaadt
bc795af0Shugh	for (i = 0; tcpflags[i]; ++i)
14a9b182Skjell		if (f & (1 << i))
14a9b182Skjell			printf("%c", tcpflags[i]);
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
15e76891Sdhartmeiprint_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,
44f5ed0aScedric    sa_family_t af, u_int8_t proto, int verbose)
15e76891Sdhartmei{
1173271aScedric	if (src->addr.type == PF_ADDR_ADDRMASK &&
1173271aScedric	    dst->addr.type == PF_ADDR_ADDRMASK &&
bcf142a4Sdhartmei	    PF_AZERO(&src->addr.v.a.addr, AF_INET6) &&
bcf142a4Sdhartmei	    PF_AZERO(&src->addr.v.a.mask, AF_INET6) &&
1173271aScedric	    PF_AZERO(&dst->addr.v.a.addr, AF_INET6) &&
1173271aScedric	    PF_AZERO(&dst->addr.v.a.mask, AF_INET6) &&
1173271aScedric	    !src->not && !dst->not &&
1173271aScedric	    !src->port_op && !dst->port_op)
15e76891Sdhartmei		printf("all ");
15e76891Sdhartmei	else {
15e76891Sdhartmei		printf("from ");
15e76891Sdhartmei		if (src->not)
15e76891Sdhartmei			printf("! ");
44f5ed0aScedric		print_addr(&src->addr, af, verbose);
15e76891Sdhartmei		printf(" ");
15e76891Sdhartmei		if (src->port_op)
15e76891Sdhartmei			print_port(src->port_op, src->port[0],
15e76891Sdhartmei			    src->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei
15e76891Sdhartmei		printf("to ");
15e76891Sdhartmei		if (dst->not)
15e76891Sdhartmei			printf("! ");
44f5ed0aScedric		print_addr(&dst->addr, af, verbose);
15e76891Sdhartmei		printf(" ");
15e76891Sdhartmei		if (dst->port_op)
15e76891Sdhartmei			print_port(dst->port_op, dst->port[0],
15e76891Sdhartmei			    dst->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei	}
15e76891Sdhartmei}
15e76891Sdhartmei
15e76891Sdhartmeivoid
e0c302d0Smcbrideprint_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
e0c302d0Smcbride    sa_family_t af, int id)
3a44df3cSmcbride{
3a44df3cSmcbride	struct pf_pooladdr	*pooladdr;
3a44df3cSmcbride
6c917913Smcbride	if ((TAILQ_FIRST(&pool->list) != NULL) &&
6c917913Smcbride	    TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
3a44df3cSmcbride		printf("{ ");
3a44df3cSmcbride	TAILQ_FOREACH(pooladdr, &pool->list, entries){
3a44df3cSmcbride		switch (id) {
e8793aa9Smcbride		case PF_NAT:
e8793aa9Smcbride		case PF_RDR:
e8793aa9Smcbride		case PF_BINAT:
44f5ed0aScedric			print_addr(&pooladdr->addr.addr, af, 0);
3a44df3cSmcbride			break;
e8793aa9Smcbride		case PF_PASS:
bcf142a4Sdhartmei			if (PF_AZERO(&pooladdr->addr.addr.v.a.addr, af))
3b9b234fSmcbride				printf("%s", pooladdr->ifname);
790504a6Sdhartmei			else {
3a44df3cSmcbride				printf("(%s ", pooladdr->ifname);
44f5ed0aScedric				print_addr(&pooladdr->addr.addr, af, 0);
3a44df3cSmcbride				printf(")");
3b9b234fSmcbride			}
3a44df3cSmcbride			break;
e8793aa9Smcbride		default:
e8793aa9Smcbride			break;
3a44df3cSmcbride		}
3a44df3cSmcbride		if (TAILQ_NEXT(pooladdr, entries) != NULL)
3a44df3cSmcbride			printf(", ");
3a44df3cSmcbride		else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
3a44df3cSmcbride			printf(" }");
3a44df3cSmcbride	}
e0c302d0Smcbride	switch (id) {
e8793aa9Smcbride	case PF_NAT:
e0c302d0Smcbride		if (p1 != PF_NAT_PROXY_PORT_LOW ||
e0c302d0Smcbride		    p2 != PF_NAT_PROXY_PORT_HIGH) {
e0c302d0Smcbride			if (p1 == p2)
e0c302d0Smcbride				printf(" port %u", p1);
e0c302d0Smcbride			else
e0c302d0Smcbride				printf(" port %u:%u", p1, p2);
e0c302d0Smcbride		}
e0c302d0Smcbride		break;
e8793aa9Smcbride	case PF_RDR:
e0c302d0Smcbride		if (p1) {
8da4e377Smcbride			printf(" port %u", p1);
8da4e377Smcbride			if (p2 && (p2 != p1))
8da4e377Smcbride				printf(":%u", p2);
e0c302d0Smcbride		}
e0c302d0Smcbride		break;
e0c302d0Smcbride	default:
e0c302d0Smcbride		break;
e0c302d0Smcbride	}
e0c302d0Smcbride	switch (pool->opts & PF_POOL_TYPEMASK) {
e0c302d0Smcbride	case PF_POOL_NONE:
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_BITMASK:
e0c302d0Smcbride		printf(" bitmask");
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_RANDOM:
e0c302d0Smcbride		printf(" random");
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_SRCHASH:
0436fa02Smcbride		printf(" source-hash 0x%08x%08x%08x%08x",
e0c302d0Smcbride		    pool->key.key32[0], pool->key.key32[1],
e0c302d0Smcbride		    pool->key.key32[2], pool->key.key32[3]);
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_ROUNDROBIN:
e0c302d0Smcbride		printf(" round-robin");
e0c302d0Smcbride		break;
e0c302d0Smcbride	}
e0c302d0Smcbride	if (pool->opts & PF_POOL_STATICPORT)
e0c302d0Smcbride		printf(" static-port");
3a44df3cSmcbride}
3a44df3cSmcbride
132c30ccShenningconst char	*pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
132c30ccShenningconst char	*pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
99a73934Sderaadt
14a9b182Skjellvoid
81a15e5dSderaadtprint_status(struct pf_status *s)
14a9b182Skjell{
e4ebe044Shenning	char	statline[80];
c474e331Shenning	time_t	runtime;
99a73934Sderaadt	int	i;
99a73934Sderaadt
c474e331Shenning	runtime = time(NULL) - s->since;
c474e331Shenning
d85e4ad6Sdhartmei	if (s->running) {
d85e4ad6Sdhartmei		unsigned	sec, min, hrs, day = runtime;
d85e4ad6Sdhartmei
d85e4ad6Sdhartmei		sec = day % 60;
d85e4ad6Sdhartmei		day /= 60;
d85e4ad6Sdhartmei		min = day % 60;
d85e4ad6Sdhartmei		day /= 60;
d85e4ad6Sdhartmei		hrs = day % 24;
d85e4ad6Sdhartmei		day /= 24;
c474e331Shenning		snprintf(statline, sizeof(statline),
d85e4ad6Sdhartmei		    "Status: Enabled for %u days %.2u:%.2u:%.2u",
d85e4ad6Sdhartmei		    day, hrs, min, sec);
d85e4ad6Sdhartmei	} else
c474e331Shenning		snprintf(statline, sizeof(statline), "Status: Disabled");
c97b4ee1Shenning	printf("%-44s", statline);
ae58c8acSdhartmei	switch (s->debug) {
ae58c8acSdhartmei	case 0:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: None");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 1:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: Urgent");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 2:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: Misc");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	}
c474e331Shenning	if (s->ifname[0] != 0) {
c474e331Shenning		printf("Interface Stats for %-16s %5s %16s\n",
c474e331Shenning		    s->ifname, "IPv4", "IPv6");
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes In",
7189e280Sdhartmei		    s->bcounters[0][0], s->bcounters[1][0]);
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes Out",
7189e280Sdhartmei		    s->bcounters[0][1], s->bcounters[1][1]);
c474e331Shenning		printf("  Packets In\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
7189e280Sdhartmei		    s->pcounters[0][0][PF_PASS],
7189e280Sdhartmei		    s->pcounters[1][0][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Blocked",
7189e280Sdhartmei		    s->pcounters[0][0][PF_DROP],
7189e280Sdhartmei		    s->pcounters[1][0][PF_DROP]);
c474e331Shenning		printf("  Packets Out\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
7189e280Sdhartmei		    s->pcounters[0][1][PF_PASS],
7189e280Sdhartmei		    s->pcounters[1][1][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n\n", "Blocked",
7189e280Sdhartmei		    s->pcounters[0][1][PF_DROP],
7189e280Sdhartmei		    s->pcounters[1][1][PF_DROP]);
c474e331Shenning	}
c474e331Shenning	printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
c474e331Shenning	printf("  %-25s %14u %14s\n", "current entries", s->states, "");
c474e331Shenning	for (i = 0; i < FCNT_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_fcounters[i],
84976600Sderaadt			    s->fcounters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->fcounters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
99a73934Sderaadt	printf("Counters\n");
c474e331Shenning	for (i = 0; i < PFRES_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_reasons[i],
99a73934Sderaadt		    s->counters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->counters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
1173271aScedricprint_rule(struct pf_rule *r, int verbose)
14a9b182Skjell{
1173271aScedric	static const char *actiontypes[] = { "pass", "block", "scrub", "nat",
1173271aScedric	    "no nat", "binat", "no binat", "rdr", "no rdr" };
1173271aScedric	static const char *anchortypes[] = { "anchor", "anchor", "anchor",
1173271aScedric	    "nat-anchor", "nat-anchor", "binat-anchor", "binat-anchor",
1173271aScedric	    "rdr-anchor", "rdr-anchor" };
cc5f0329Sdhartmei	int	i, opts;
cc5f0329Sdhartmei
74dc4fddShenning	if (verbose)
78baf774Sdhartmei		printf("@%d ", r->nr);
1173271aScedric	if (r->action > PF_NORDR)
1173271aScedric		printf("action(%d) ", r->action);
1173271aScedric	else if (r->anchorname[0])
1173271aScedric		printf("%s %s ", anchortypes[r->action], r->anchorname);
1173271aScedric	else
1173271aScedric		printf("%s ", actiontypes[r->action]);
1173271aScedric	if (r->action == PF_DROP) {
8a87542aShenning		if (r->rule_flag & PFRULE_RETURN)
8a87542aShenning			printf("return ");
8a87542aShenning		else if (r->rule_flag & PFRULE_RETURNRST) {
1f77cc8aSpb			if (!r->return_ttl)
14a9b182Skjell				printf("return-rst ");
1f77cc8aSpb			else
1f77cc8aSpb				printf("return-rst(ttl %d) ", r->return_ttl);
328b2decShenning		} else if (r->rule_flag & PFRULE_RETURNICMP) {
328b2decShenning			const struct icmpcodeent	*ic, *ic6;
b996d042Sdhartmei
b996d042Sdhartmei			ic = geticmpcodebynumber(r->return_icmp >> 8,
328b2decShenning			    r->return_icmp & 255, AF_INET);
328b2decShenning			ic6 = geticmpcodebynumber(r->return_icmp6 >> 8,
328b2decShenning			    r->return_icmp6 & 255, AF_INET6);
d14c53d7Swilfried
328b2decShenning			switch(r->af) {
328b2decShenning			case AF_INET:
328b2decShenning				printf("return-icmp");
d14c53d7Swilfried				if (ic == NULL)
d14c53d7Swilfried					printf("(%u) ", r->return_icmp & 255);
b996d042Sdhartmei				else
328b2decShenning					printf("(%s) ", ic->name);
328b2decShenning				break;
328b2decShenning			case AF_INET6:
328b2decShenning				printf("return-icmp6");
328b2decShenning				if (ic6 == NULL)
328b2decShenning					printf("(%u) ", r->return_icmp6 & 255);
328b2decShenning				else
328b2decShenning					printf("(%s) ", ic6->name);
328b2decShenning				break;
328b2decShenning			default:
328b2decShenning				printf("return-icmp");
328b2decShenning				if (ic == NULL)
328b2decShenning					printf("(%u, ", r->return_icmp & 255);
328b2decShenning				else
328b2decShenning					printf("(%s, ", ic->name);
328b2decShenning				if (ic6 == NULL)
328b2decShenning					printf("%u) ", r->return_icmp6 & 255);
328b2decShenning				else
328b2decShenning					printf("%s) ", ic6->name);
328b2decShenning				break;
328b2decShenning			}
acf2444cShenning		} else
acf2444cShenning			printf("drop ");
1173271aScedric	}
7189e280Sdhartmei	if (r->direction == PF_IN)
14a9b182Skjell		printf("in ");
7189e280Sdhartmei	else if (r->direction == PF_OUT)
14a9b182Skjell		printf("out ");
7242ce7aSdhartmei	if (r->log == 1)
14a9b182Skjell		printf("log ");
7242ce7aSdhartmei	else if (r->log == 2)
7242ce7aSdhartmei		printf("log-all ");
14a9b182Skjell	if (r->quick)
14a9b182Skjell		printf("quick ");
7d0c9138Shenning	if (r->ifname[0]) {
7d0c9138Shenning		if (r->ifnot)
7d0c9138Shenning			printf("on ! %s ", r->ifname);
7d0c9138Shenning		else
14a9b182Skjell			printf("on %s ", r->ifname);
7d0c9138Shenning	}
cb3a4e31Sjasoni	if (r->rt) {
cb3a4e31Sjasoni		if (r->rt == PF_ROUTETO)
cb3a4e31Sjasoni			printf("route-to ");
fa1cdd09Sdhartmei		else if (r->rt == PF_REPLYTO)
fa1cdd09Sdhartmei			printf("reply-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_DUPTO)
cb3a4e31Sjasoni			printf("dup-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_FASTROUTE)
cb3a4e31Sjasoni			printf("fastroute ");
790504a6Sdhartmei		if (r->rt != PF_FASTROUTE) {
e8793aa9Smcbride			print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
790504a6Sdhartmei			printf(" ");
790504a6Sdhartmei		}
cb3a4e31Sjasoni	}
30620b12Sfrantzen	if (r->af) {
30620b12Sfrantzen		if (r->af == AF_INET)
30620b12Sfrantzen			printf("inet ");
30620b12Sfrantzen		else
30620b12Sfrantzen			printf("inet6 ");
30620b12Sfrantzen	}
14a9b182Skjell	if (r->proto) {
e4ebe044Shenning		struct protoent	*p;
ed99c291Sderaadt
e4ebe044Shenning		if ((p = getprotobynumber(r->proto)) != NULL)
14a9b182Skjell			printf("proto %s ", p->p_name);
14a9b182Skjell		else
14a9b182Skjell			printf("proto %u ", r->proto);
14a9b182Skjell	}
44f5ed0aScedric	print_fromto(&r->src, &r->dst, r->af, r->proto, verbose);
c16ab608Sdhartmei	if (r->uid.op)
1173271aScedric		print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
1173271aScedric		    UID_MAX);
c16ab608Sdhartmei	if (r->gid.op)
1173271aScedric		print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
1173271aScedric		    GID_MAX);
14a9b182Skjell	if (r->flags || r->flagset) {
14a9b182Skjell		printf("flags ");
14a9b182Skjell		print_flags(r->flags);
14a9b182Skjell		printf("/");
14a9b182Skjell		print_flags(r->flagset);
14a9b182Skjell		printf(" ");
14a9b182Skjell	}
082ebc44Swilfried	if (r->type) {
b49ca6bbShenning		const struct icmptypeent	*it;
082ebc44Swilfried
b49ca6bbShenning		it = geticmptypebynumber(r->type-1, r->af);
d14c53d7Swilfried		if (r->af != AF_INET6)
d14c53d7Swilfried			printf("icmp-type");
082ebc44Swilfried		else
d0cb3502Smcbride			printf("icmp6-type");
b49ca6bbShenning		if (it != NULL)
b49ca6bbShenning			printf(" %s ", it->name);
d14c53d7Swilfried		else
d14c53d7Swilfried			printf(" %u ", r->type-1);
082ebc44Swilfried		if (r->code) {
b49ca6bbShenning			const struct icmpcodeent	*ic;
082ebc44Swilfried
b49ca6bbShenning			ic = geticmpcodebynumber(r->type-1, r->code-1, r->af);
b49ca6bbShenning			if (ic != NULL)
b49ca6bbShenning				printf("code %s ", ic->name);
082ebc44Swilfried			else
14a9b182Skjell				printf("code %u ", r->code-1);
082ebc44Swilfried		}
082ebc44Swilfried	}
e4cbe364Sdhartmei	if (r->tos)
e4cbe364Sdhartmei		printf("tos 0x%2.2x ", r->tos);
b96c47abSfrantzen	if (r->keep_state == PF_STATE_NORMAL)
14a9b182Skjell		printf("keep state ");
b96c47abSfrantzen	else if (r->keep_state == PF_STATE_MODULATE)
b96c47abSfrantzen		printf("modulate state ");
cc5f0329Sdhartmei	opts = 0;
b3c86969Sdhartmei	if (r->max_states)
cc5f0329Sdhartmei		opts = 1;
cc5f0329Sdhartmei	for (i = 0; !opts && i < PFTM_MAX; ++i)
cc5f0329Sdhartmei		if (r->timeout[i])
cc5f0329Sdhartmei			opts = 1;
cc5f0329Sdhartmei	if (opts) {
cc5f0329Sdhartmei		printf("(");
cc5f0329Sdhartmei		if (r->max_states) {
cc5f0329Sdhartmei			printf("max %u", r->max_states);
cc5f0329Sdhartmei			opts = 0;
cc5f0329Sdhartmei		}
cc5f0329Sdhartmei		for (i = 0; i < PFTM_MAX; ++i)
cc5f0329Sdhartmei			if (r->timeout[i]) {
cc5f0329Sdhartmei				if (!opts)
cc5f0329Sdhartmei					printf(", ");
cc5f0329Sdhartmei				opts = 0;
cc5f0329Sdhartmei				printf("%s %u", pf_timeouts[i].name,
cc5f0329Sdhartmei				    r->timeout[i]);
cc5f0329Sdhartmei			}
cc5f0329Sdhartmei		printf(") ");
cc5f0329Sdhartmei	}
6673dee2Sdhartmei	if (r->rule_flag & PFRULE_FRAGMENT)
6673dee2Sdhartmei		printf("fragment ");
67d2a440Sprovos	if (r->rule_flag & PFRULE_NODF)
67d2a440Sprovos		printf("no-df ");
edbe3066Sdhartmei	if (r->rule_flag & PFRULE_RANDOMID)
edbe3066Sdhartmei		printf("random-id ");
e258bfd4Sprovos	if (r->min_ttl)
34c76dcbSprovos		printf("min-ttl %d ", r->min_ttl);
cfa91859Sjasoni	if (r->max_mss)
cfa91859Sjasoni		printf("max-mss %d ", r->max_mss);
f48d62b3Sdhartmei	if (r->allow_opts)
f48d62b3Sdhartmei		printf("allow-opts ");
b02af636Sfrantzen	if (r->action == PF_SCRUB) {
b02af636Sfrantzen		if (r->rule_flag & PFRULE_FRAGDROP)
b02af636Sfrantzen			printf("fragment drop-ovl ");
b02af636Sfrantzen		else if (r->rule_flag & PFRULE_FRAGCROP)
b02af636Sfrantzen			printf("fragment crop ");
b02af636Sfrantzen		else
b02af636Sfrantzen			printf("fragment reassemble ");
b02af636Sfrantzen	}
455ef0c1Sdhartmei	if (r->label[0])
ff45dfa8Scamield		printf("label \"%s\" ", r->label);
f98324c6Shenning	if (r->qname[0] && r->pqname[0])
f98324c6Shenning		printf("queue(%s, %s) ", r->qname, r->pqname);
f98324c6Shenning	else if (r->qname[0])
78e1d2a6Shenning		printf("queue %s ", r->qname);
8aecb81aShenning	if (r->tagname[0])
8aecb81aShenning		printf("tag %s ", r->tagname);
8aecb81aShenning	if (r->match_tagname[0])
0a5f7f2fShenning		printf("tagged %s ", r->match_tagname);
*d0aca2f2Shenning	if (!r->anchorname[0] && (r->action == PF_NAT ||
*d0aca2f2Shenning	    r->action == PF_BINAT || r->action == PF_RDR)) {
*d0aca2f2Shenning		printf("-> ");
*d0aca2f2Shenning		print_pool(&r->rpool, r->rpool.proxy_port[0],
*d0aca2f2Shenning		    r->rpool.proxy_port[1], r->af, r->action);
*d0aca2f2Shenning	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
1f8f21bdSmillertint
ff352a37Smarkusparse_flags(char *s)
14a9b182Skjell{
ff352a37Smarkus	char		*p, *q;
14a9b182Skjell	u_int8_t	 f = 0;
81a15e5dSderaadt
ff352a37Smarkus	for (p = s; *p; p++) {
ff352a37Smarkus		if ((q = strchr(tcpflags, *p)) == NULL)
ff352a37Smarkus			return -1;
ff352a37Smarkus		else
ff352a37Smarkus			f |= 1 << (q - tcpflags);
14a9b182Skjell	}
bc795af0Shugh	return (f ? f : PF_TH_ALL);
14a9b182Skjell}
94e9410bShenning
94e9410bShenningvoid
94e9410bShenningset_ipmask(struct node_host *h, u_int8_t b)
94e9410bShenning{
94e9410bShenning	struct pf_addr	*m, *n;
94e9410bShenning	int		 i, j = 0;
94e9410bShenning
94e9410bShenning	m = &h->addr.v.a.mask;
94e9410bShenning
94e9410bShenning	for (i = 0; i < 4; i++)
94e9410bShenning		m->addr32[i] = 0;
94e9410bShenning
94e9410bShenning	while (b >= 32) {
94e9410bShenning		m->addr32[j++] = 0xffffffff;
94e9410bShenning		b -= 32;
94e9410bShenning	}
94e9410bShenning	for (i = 31; i > 31-b; --i)
94e9410bShenning		m->addr32[j] |= (1 << i);
94e9410bShenning	if (b)
94e9410bShenning		m->addr32[j] = htonl(m->addr32[j]);
94e9410bShenning
94e9410bShenning	/* Mask off bits of the address that will never be used. */
94e9410bShenning	n = &h->addr.v.a.addr;
94e9410bShenning	for (i = 0; i < 4; i++)
94e9410bShenning		n->addr32[i] = n->addr32[i] & m->addr32[i];
94e9410bShenning}
94e9410bShenning
94e9410bShenning/* interface lookup routines */
94e9410bShenning
94e9410bShenningstruct node_host	*iftab;
94e9410bShenning
94e9410bShenningvoid
94e9410bShenningifa_load(void)
94e9410bShenning{
94e9410bShenning	struct ifaddrs		*ifap, *ifa;
94e9410bShenning	struct node_host	*n = NULL, *h = NULL;
94e9410bShenning
94e9410bShenning	if (getifaddrs(&ifap) < 0)
94e9410bShenning		err(1, "getifaddrs");
94e9410bShenning
94e9410bShenning	for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
94e9410bShenning		if (!(ifa->ifa_addr->sa_family == AF_INET ||
94e9410bShenning		    ifa->ifa_addr->sa_family == AF_INET6 ||
94e9410bShenning		    ifa->ifa_addr->sa_family == AF_LINK))
94e9410bShenning				continue;
94e9410bShenning		n = calloc(1, sizeof(struct node_host));
94e9410bShenning		if (n == NULL)
94e9410bShenning			err(1, "address: calloc");
94e9410bShenning		n->af = ifa->ifa_addr->sa_family;
94e9410bShenning		n->ifa_flags = ifa->ifa_flags;
94e9410bShenning#ifdef __KAME__
94e9410bShenning		if (n->af == AF_INET6 &&
94e9410bShenning		    IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)
94e9410bShenning		    ifa->ifa_addr)->sin6_addr) &&
94e9410bShenning		    ((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_scope_id == 0) {
94e9410bShenning			struct sockaddr_in6	*sin6;
94e9410bShenning
94e9410bShenning			sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
94e9410bShenning			sin6->sin6_scope_id = sin6->sin6_addr.s6_addr[2] << 8 |
94e9410bShenning			    sin6->sin6_addr.s6_addr[3];
94e9410bShenning			sin6->sin6_addr.s6_addr[2] = 0;
94e9410bShenning			sin6->sin6_addr.s6_addr[3] = 0;
94e9410bShenning		}
94e9410bShenning#endif
94e9410bShenning		n->ifindex = 0;
94e9410bShenning		if (n->af == AF_INET) {
94e9410bShenning			memcpy(&n->addr.v.a.addr, &((struct sockaddr_in *)
94e9410bShenning			    ifa->ifa_addr)->sin_addr.s_addr,
94e9410bShenning			    sizeof(struct in_addr));
94e9410bShenning			memcpy(&n->addr.v.a.mask, &((struct sockaddr_in *)
94e9410bShenning			    ifa->ifa_netmask)->sin_addr.s_addr,
94e9410bShenning			    sizeof(struct in_addr));
94e9410bShenning			if (ifa->ifa_broadaddr != NULL)
94e9410bShenning				memcpy(&n->bcast, &((struct sockaddr_in *)
94e9410bShenning				    ifa->ifa_broadaddr)->sin_addr.s_addr,
94e9410bShenning				    sizeof(struct in_addr));
94e9410bShenning		} else if (n->af == AF_INET6) {
94e9410bShenning			memcpy(&n->addr.v.a.addr, &((struct sockaddr_in6 *)
94e9410bShenning			    ifa->ifa_addr)->sin6_addr.s6_addr,
94e9410bShenning			    sizeof(struct in6_addr));
94e9410bShenning			memcpy(&n->addr.v.a.mask, &((struct sockaddr_in6 *)
94e9410bShenning			    ifa->ifa_netmask)->sin6_addr.s6_addr,
94e9410bShenning			    sizeof(struct in6_addr));
94e9410bShenning			if (ifa->ifa_broadaddr != NULL)
94e9410bShenning				memcpy(&n->bcast, &((struct sockaddr_in6 *)
94e9410bShenning				    ifa->ifa_broadaddr)->sin6_addr.s6_addr,
94e9410bShenning				    sizeof(struct in6_addr));
94e9410bShenning			n->ifindex = ((struct sockaddr_in6 *)
94e9410bShenning			    ifa->ifa_addr)->sin6_scope_id;
94e9410bShenning		}
94e9410bShenning		if ((n->ifname = strdup(ifa->ifa_name)) == NULL)
94e9410bShenning			err(1, "ifa_load: strdup");
94e9410bShenning		n->next = NULL;
94e9410bShenning		n->tail = n;
94e9410bShenning		if (h == NULL)
94e9410bShenning			h = n;
94e9410bShenning		else {
94e9410bShenning			h->tail->next = n;
94e9410bShenning			h->tail = n;
94e9410bShenning		}
94e9410bShenning	}
94e9410bShenning	iftab = h;
94e9410bShenning	freeifaddrs(ifap);
94e9410bShenning}
94e9410bShenning
94e9410bShenningstruct node_host *
6cba701cShenningifa_exists(const char *ifa_name)
94e9410bShenning{
94e9410bShenning	struct node_host	*n;
94e9410bShenning
94e9410bShenning	if (iftab == NULL)
94e9410bShenning		ifa_load();
94e9410bShenning
94e9410bShenning	for (n = iftab; n; n = n->next) {
94e9410bShenning		if (n->af == AF_LINK && !strncmp(n->ifname, ifa_name, IFNAMSIZ))
94e9410bShenning			return (n);
94e9410bShenning	}
94e9410bShenning	return (NULL);
94e9410bShenning}
94e9410bShenning
94e9410bShenningstruct node_host *
6cba701cShenningifa_lookup(const char *ifa_name, enum pfctl_iflookup_mode mode)
94e9410bShenning{
94e9410bShenning	struct node_host	*p = NULL, *h = NULL, *n = NULL;
94e9410bShenning	int			 return_all = 0;
94e9410bShenning
94e9410bShenning	if (!strncmp(ifa_name, "self", IFNAMSIZ))
94e9410bShenning		return_all = 1;
94e9410bShenning
94e9410bShenning	if (iftab == NULL)
94e9410bShenning		ifa_load();
94e9410bShenning
94e9410bShenning	for (p = iftab; p; p = p->next) {
94e9410bShenning		if (!((p->af == AF_INET || p->af == AF_INET6) &&
94e9410bShenning		    (!strncmp(p->ifname, ifa_name, IFNAMSIZ) || return_all)))
94e9410bShenning			continue;
94e9410bShenning		if (mode == PFCTL_IFLOOKUP_BCAST && p->af != AF_INET)
94e9410bShenning			continue;
94e9410bShenning		if (mode == PFCTL_IFLOOKUP_NET && p->ifindex > 0)
94e9410bShenning			continue;
94e9410bShenning		n = calloc(1, sizeof(struct node_host));
94e9410bShenning		if (n == NULL)
94e9410bShenning			err(1, "address: calloc");
94e9410bShenning		n->af = p->af;
94e9410bShenning		if (mode == PFCTL_IFLOOKUP_BCAST)
94e9410bShenning			memcpy(&n->addr.v.a.addr, &p->bcast,
94e9410bShenning			    sizeof(struct pf_addr));
94e9410bShenning		else
94e9410bShenning			memcpy(&n->addr.v.a.addr, &p->addr.v.a.addr,
94e9410bShenning			    sizeof(struct pf_addr));
94e9410bShenning		if (mode == PFCTL_IFLOOKUP_NET)
94e9410bShenning			set_ipmask(n, unmask(&p->addr.v.a.mask, n->af));
94e9410bShenning		else {
94e9410bShenning			if (n->af == AF_INET) {
94e9410bShenning				if (p->ifa_flags & IFF_LOOPBACK &&
94e9410bShenning				    p->ifa_flags & IFF_LINK1)
94e9410bShenning					memcpy(&n->addr.v.a.mask,
94e9410bShenning					    &p->addr.v.a.mask,
94e9410bShenning					    sizeof(struct pf_addr));
94e9410bShenning				else
94e9410bShenning					set_ipmask(n, 32);
94e9410bShenning			} else
94e9410bShenning				set_ipmask(n, 128);
94e9410bShenning		}
94e9410bShenning		n->ifindex = p->ifindex;
94e9410bShenning
94e9410bShenning		n->next = NULL;
94e9410bShenning		n->tail = n;
94e9410bShenning		if (h == NULL)
94e9410bShenning			h = n;
94e9410bShenning		else {
94e9410bShenning			h->tail->next = n;
94e9410bShenning			h->tail = n;
94e9410bShenning		}
94e9410bShenning	}
94e9410bShenning	if (h == NULL && mode == PFCTL_IFLOOKUP_HOST) {
94e9410bShenning		fprintf(stderr, "no IP address found for %s\n", ifa_name);
94e9410bShenning	}
94e9410bShenning	return (h);
94e9410bShenning}
94e9410bShenning
94e9410bShenningstruct node_host *
f23861c1Shenninghost(const char *s)
94e9410bShenning{
2a6c1abaShenning	struct node_host	*h = NULL;
f23861c1Shenning	int			 mask, v4mask, v6mask, cont = 1;
f23861c1Shenning	char			*p, *q, *ps;
94e9410bShenning
94e9410bShenning	if ((p = strrchr(s, '/')) != NULL) {
94e9410bShenning		mask = strtol(p+1, &q, 0);
94e9410bShenning		if (!q || *q) {
94e9410bShenning			fprintf(stderr, "invalid netmask\n");
94e9410bShenning			return (NULL);
94e9410bShenning		}
a81c851cShenning		if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
94e9410bShenning			err(1, "host: malloc");
94e9410bShenning		strlcpy(ps, s, strlen(s) - strlen(p) + 1);
94e9410bShenning		v4mask = v6mask = mask;
94e9410bShenning	} else {
f23861c1Shenning		if ((ps = strdup(s)) == NULL)
f23861c1Shenning			err(1, "host: strdup");
94e9410bShenning		v4mask = 32;
94e9410bShenning		v6mask = 128;
f23861c1Shenning		mask = -1;
94e9410bShenning	}
94e9410bShenning
2a6c1abaShenning	/* interface with this name exists? */
4a36d485Shenning	if (cont && (h = host_if(ps, mask)) != NULL)
2a6c1abaShenning		cont = 0;
2a6c1abaShenning
2a6c1abaShenning	/* IPv4 address? */
f23861c1Shenning	if (cont && (h = host_v4(s, mask)) != NULL)
2a6c1abaShenning		cont = 0;
2a6c1abaShenning
2a6c1abaShenning	/* IPv6 address? */
2a6c1abaShenning	if (cont && (h = host_v6(ps, v6mask)) != NULL)
2a6c1abaShenning		cont = 0;
2a6c1abaShenning
2a6c1abaShenning	/* dns lookup */
2a6c1abaShenning	if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
2a6c1abaShenning		cont = 0;
2a6c1abaShenning	free(ps);
2a6c1abaShenning
2a6c1abaShenning	if (h == NULL || cont == 1) {
2a6c1abaShenning		fprintf(stderr, "no IP address found for %s\n", s);
2a6c1abaShenning		return (NULL);
2a6c1abaShenning	}
2a6c1abaShenning	return (h);
2a6c1abaShenning}
2a6c1abaShenning
2a6c1abaShenningstruct node_host *
f2370d27Shenninghost_if(const char *s, int mask)
2a6c1abaShenning{
2a6c1abaShenning	struct node_host	*n, *h = NULL;
4a36d485Shenning	char			*p, *ps;
4a36d485Shenning	int			 mode = PFCTL_IFLOOKUP_HOST;
2a6c1abaShenning
4a36d485Shenning	if ((p = strrchr(s, ':')) != NULL &&
4a36d485Shenning	    (!strcmp(p+1, "network") || !strcmp(p+1, "broadcast"))) {
4a36d485Shenning		if (!strcmp(p+1, "network"))
4a36d485Shenning			mode = PFCTL_IFLOOKUP_NET;
4a36d485Shenning		if (!strcmp(p+1, "broadcast"))
4a36d485Shenning			mode = PFCTL_IFLOOKUP_BCAST;
4a36d485Shenning		if (mask > -1) {
4a36d485Shenning			fprintf(stderr, "network or broadcast lookup, but "
4a36d485Shenning			    "extra netmask given\n");
4a36d485Shenning			return (NULL);
4a36d485Shenning		}
4a36d485Shenning		if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
4a36d485Shenning			err(1, "host: malloc");
4a36d485Shenning		strlcpy(ps, s, strlen(s) - strlen(p) + 1);
4a36d485Shenning	} else
4a36d485Shenning		if ((ps = strdup(s)) == NULL)
4a36d485Shenning			err(1, "host_if: strdup");
4a36d485Shenning
4a36d485Shenning	if (ifa_exists(ps) || !strncmp(ps, "self", IFNAMSIZ)) {
2a6c1abaShenning		/* interface with this name exists */
4a36d485Shenning		h = ifa_lookup(ps, mode);
2a6c1abaShenning		for (n = h; n != NULL && mask > -1; n = n->next)
2a6c1abaShenning			set_ipmask(n, mask);
2a6c1abaShenning	}
4a36d485Shenning
4a36d485Shenning	free(ps);
2a6c1abaShenning	return (h);
2a6c1abaShenning}
2a6c1abaShenning
2a6c1abaShenningstruct node_host *
383ebbbfShenninghost_v4(const char *s, int mask)
2a6c1abaShenning{
2a6c1abaShenning	struct node_host	*h = NULL;
2a6c1abaShenning	struct in_addr		 ina;
2a6c1abaShenning	int			 bits;
2a6c1abaShenning
94e9410bShenning	memset(&ina, 0, sizeof(struct in_addr));
3c58a40aScedric	if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) > -1) {
94e9410bShenning		h = calloc(1, sizeof(struct node_host));
94e9410bShenning		if (h == NULL)
94e9410bShenning			err(1, "address: calloc");
94e9410bShenning		h->ifname = NULL;
94e9410bShenning		h->af = AF_INET;
94e9410bShenning		h->addr.v.a.addr.addr32[0] = ina.s_addr;
94e9410bShenning		set_ipmask(h, bits);
94e9410bShenning		h->next = NULL;
94e9410bShenning		h->tail = h;
94e9410bShenning	}
2a6c1abaShenning
94e9410bShenning	return (h);
94e9410bShenning}
2a6c1abaShenning
2a6c1abaShenningstruct node_host *
f2370d27Shenninghost_v6(const char *s, int mask)
2a6c1abaShenning{
2a6c1abaShenning	struct addrinfo		 hints, *res;
2a6c1abaShenning	struct node_host	*h = NULL;
94e9410bShenning
94e9410bShenning	memset(&hints, 0, sizeof(hints));
94e9410bShenning	hints.ai_family = AF_INET6;
94e9410bShenning	hints.ai_socktype = SOCK_DGRAM; /*dummy*/
94e9410bShenning	hints.ai_flags = AI_NUMERICHOST;
2a6c1abaShenning	if (getaddrinfo(s, "0", &hints, &res) == 0) {
2a6c1abaShenning		h = calloc(1, sizeof(struct node_host));
2a6c1abaShenning		if (h == NULL)
94e9410bShenning			err(1, "address: calloc");
2a6c1abaShenning		h->ifname = NULL;
2a6c1abaShenning		h->af = AF_INET6;
2a6c1abaShenning		memcpy(&h->addr.v.a.addr,
94e9410bShenning		    &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
2a6c1abaShenning		    sizeof(h->addr.v.a.addr));
2a6c1abaShenning		h->ifindex =
2a6c1abaShenning		    ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id;
2a6c1abaShenning		set_ipmask(h, mask);
94e9410bShenning		freeaddrinfo(res);
2a6c1abaShenning		h->next = NULL;
2a6c1abaShenning		h->tail = h;
94e9410bShenning	}
94e9410bShenning
2a6c1abaShenning	return (h);
2a6c1abaShenning}
2a6c1abaShenning
2a6c1abaShenningstruct node_host *
f2370d27Shenninghost_dns(const char *s, int v4mask, int v6mask)
2a6c1abaShenning{
2a6c1abaShenning	struct addrinfo		 hints, *res0, *res;
2a6c1abaShenning	struct node_host	*n, *h = NULL;
2a6c1abaShenning	int			 error;
2a6c1abaShenning
94e9410bShenning	memset(&hints, 0, sizeof(hints));
94e9410bShenning	hints.ai_family = PF_UNSPEC;
94e9410bShenning	hints.ai_socktype = SOCK_STREAM; /* DUMMY */
2a6c1abaShenning	error = getaddrinfo(s, NULL, &hints, &res0);
2a6c1abaShenning	if (error)
2a6c1abaShenning		return (h);
2a6c1abaShenning
94e9410bShenning	for (res = res0; res; res = res->ai_next) {
94e9410bShenning		if (res->ai_family != AF_INET &&
94e9410bShenning		    res->ai_family != AF_INET6)
94e9410bShenning			continue;
94e9410bShenning		n = calloc(1, sizeof(struct node_host));
94e9410bShenning		if (n == NULL)
2a6c1abaShenning			err(1, "host_dns: calloc");
94e9410bShenning		n->ifname = NULL;
94e9410bShenning		n->af = res->ai_family;
94e9410bShenning		if (res->ai_family == AF_INET) {
94e9410bShenning			memcpy(&n->addr.v.a.addr,
2a6c1abaShenning			    &((struct sockaddr_in *)
2a6c1abaShenning			    res->ai_addr)->sin_addr.s_addr,
94e9410bShenning			    sizeof(struct in_addr));
94e9410bShenning			set_ipmask(n, v4mask);
94e9410bShenning		} else {
94e9410bShenning			memcpy(&n->addr.v.a.addr,
2a6c1abaShenning			    &((struct sockaddr_in6 *)
2a6c1abaShenning			    res->ai_addr)->sin6_addr.s6_addr,
94e9410bShenning			    sizeof(struct in6_addr));
94e9410bShenning			n->ifindex =
2a6c1abaShenning			    ((struct sockaddr_in6 *)
2a6c1abaShenning			    res->ai_addr)->sin6_scope_id;
94e9410bShenning			set_ipmask(n, v6mask);
94e9410bShenning		}
94e9410bShenning		n->next = NULL;
94e9410bShenning		n->tail = n;
94e9410bShenning		if (h == NULL)
94e9410bShenning			h = n;
94e9410bShenning		else {
94e9410bShenning			h->tail->next = n;
94e9410bShenning			h->tail = n;
94e9410bShenning		}
94e9410bShenning	}
94e9410bShenning	freeaddrinfo(res0);
94e9410bShenning
94e9410bShenning	return (h);
94e9410bShenning}