sbin/pfctl/pfctl_parser.c

*d0cb3502Smcbride/*	$OpenBSD: pfctl_parser.c,v 1.124 2002/12/30 23:46:54 mcbride Exp $ */
14a9b182Skjell
14a9b182Skjell/*
fd3c3a0cSderaadt * Copyright (c) 2001 Daniel Hartmeier
14a9b182Skjell * All rights reserved.
14a9b182Skjell *
14a9b182Skjell * Redistribution and use in source and binary forms, with or without
14a9b182Skjell * modification, are permitted provided that the following conditions
14a9b182Skjell * are met:
14a9b182Skjell *
14a9b182Skjell *    - Redistributions of source code must retain the above copyright
14a9b182Skjell *      notice, this list of conditions and the following disclaimer.
14a9b182Skjell *    - Redistributions in binary form must reproduce the above
14a9b182Skjell *      copyright notice, this list of conditions and the following
14a9b182Skjell *      disclaimer in the documentation and/or other materials provided
14a9b182Skjell *      with the distribution.
14a9b182Skjell *
14a9b182Skjell * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14a9b182Skjell * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
14a9b182Skjell * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14a9b182Skjell * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
5974bd37Sdhartmei * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
14a9b182Skjell * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
14a9b182Skjell * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14a9b182Skjell * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
14a9b182Skjell * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14a9b182Skjell * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
14a9b182Skjell * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
14a9b182Skjell * POSSIBILITY OF SUCH DAMAGE.
14a9b182Skjell *
14a9b182Skjell */
14a9b182Skjell
252d784aSderaadt#include <sys/types.h>
252d784aSderaadt#include <sys/socket.h>
252d784aSderaadt#include <net/if.h>
252d784aSderaadt#include <netinet/in.h>
6329fa59Sderaadt#include <netinet/in_systm.h>
6329fa59Sderaadt#include <netinet/ip.h>
6329fa59Sderaadt#include <netinet/ip_icmp.h>
30620b12Sfrantzen#include <netinet/icmp6.h>
252d784aSderaadt#include <net/pfvar.h>
9f13c6caSmillert#include <arpa/inet.h>
252d784aSderaadt
14a9b182Skjell#include <stdio.h>
14a9b182Skjell#include <stdlib.h>
14a9b182Skjell#include <string.h>
14a9b182Skjell#include <ctype.h>
14a9b182Skjell#include <netdb.h>
6329fa59Sderaadt#include <stdarg.h>
6329fa59Sderaadt#include <errno.h>
ff352a37Smarkus#include <err.h>
14a9b182Skjell
14a9b182Skjell#include "pfctl_parser.h"
828e0448Smickey#include "pf_print_state.h"
14a9b182Skjell
5d9ac2dcSdhartmeivoid		 print_op (u_int8_t, const char *, const char *);
81a15e5dSderaadtvoid		 print_port (u_int8_t, u_int16_t, u_int16_t, char *);
5d9ac2dcSdhartmeivoid		 print_uid (u_int8_t, uid_t, uid_t, const char *);
c16ab608Sdhartmeivoid		 print_gid (u_int8_t, gid_t, gid_t, const char *);
81a15e5dSderaadtvoid		 print_flags (u_int8_t);
15e76891Sdhartmeivoid		 print_fromto(struct pf_rule_addr *, struct pf_rule_addr *,
15e76891Sdhartmei		    u_int8_t, u_int8_t);
14a9b182Skjell
bc795af0Shughchar *tcpflags = "FSRPAUEW";
14a9b182Skjell
7d27d81aSdhartmeistatic const struct icmptypeent icmp_type[] = {
082ebc44Swilfried	{ "echoreq",	ICMP_ECHO },
082ebc44Swilfried	{ "echorep",	ICMP_ECHOREPLY },
082ebc44Swilfried	{ "unreach",	ICMP_UNREACH },
082ebc44Swilfried	{ "squench",	ICMP_SOURCEQUENCH },
082ebc44Swilfried	{ "redir",	ICMP_REDIRECT },
082ebc44Swilfried	{ "althost",	ICMP_ALTHOSTADDR },
082ebc44Swilfried	{ "routeradv",	ICMP_ROUTERADVERT },
082ebc44Swilfried	{ "routersol",	ICMP_ROUTERSOLICIT },
082ebc44Swilfried	{ "timex",	ICMP_TIMXCEED },
082ebc44Swilfried	{ "paramprob",	ICMP_PARAMPROB },
082ebc44Swilfried	{ "timereq",	ICMP_TSTAMP },
082ebc44Swilfried	{ "timerep",	ICMP_TSTAMPREPLY },
082ebc44Swilfried	{ "inforeq",	ICMP_IREQ },
082ebc44Swilfried	{ "inforep",	ICMP_IREQREPLY },
082ebc44Swilfried	{ "maskreq",	ICMP_MASKREQ },
02cbcc9eSwilfried	{ "maskrep",	ICMP_MASKREPLY },
02cbcc9eSwilfried	{ "trace",	ICMP_TRACEROUTE },
02cbcc9eSwilfried	{ "dataconv",	ICMP_DATACONVERR },
02cbcc9eSwilfried	{ "mobredir",	ICMP_MOBILE_REDIRECT },
02cbcc9eSwilfried	{ "ipv6-where",	ICMP_IPV6_WHEREAREYOU },
02cbcc9eSwilfried	{ "ipv6-here",	ICMP_IPV6_IAMHERE },
02cbcc9eSwilfried	{ "mobregreq",	ICMP_MOBILE_REGREQUEST },
02cbcc9eSwilfried	{ "mobregrep",	ICMP_MOBILE_REGREPLY },
02cbcc9eSwilfried	{ "skip",	ICMP_SKIP },
02cbcc9eSwilfried	{ "photuris",	ICMP_PHOTURIS }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmptypeent icmp6_type[] = {
30620b12Sfrantzen	{ "unreach",	ICMP6_DST_UNREACH },
30620b12Sfrantzen	{ "toobig",	ICMP6_PACKET_TOO_BIG },
30620b12Sfrantzen	{ "timex",	ICMP6_TIME_EXCEEDED },
30620b12Sfrantzen	{ "paramprob",	ICMP6_PARAM_PROB },
30620b12Sfrantzen	{ "echoreq",	ICMP6_ECHO_REQUEST },
30620b12Sfrantzen	{ "echorep",	ICMP6_ECHO_REPLY },
30620b12Sfrantzen	{ "groupqry",	ICMP6_MEMBERSHIP_QUERY },
30620b12Sfrantzen	{ "listqry",	MLD6_LISTENER_QUERY },
30620b12Sfrantzen	{ "grouprep",	ICMP6_MEMBERSHIP_REPORT },
30620b12Sfrantzen	{ "listenrep",	MLD6_LISTENER_REPORT },
30620b12Sfrantzen	{ "groupterm",	ICMP6_MEMBERSHIP_REDUCTION },
30620b12Sfrantzen	{ "listendone", MLD6_LISTENER_DONE },
30620b12Sfrantzen	{ "routersol",	ND_ROUTER_SOLICIT },
30620b12Sfrantzen	{ "routeradv",	ND_ROUTER_ADVERT },
30620b12Sfrantzen	{ "neighbrsol", ND_NEIGHBOR_SOLICIT },
30620b12Sfrantzen	{ "neighbradv", ND_NEIGHBOR_ADVERT },
30620b12Sfrantzen	{ "redir",	ND_REDIRECT },
30620b12Sfrantzen	{ "routrrenum", ICMP6_ROUTER_RENUMBERING },
30620b12Sfrantzen	{ "wrureq",	ICMP6_WRUREQUEST },
30620b12Sfrantzen	{ "wrurep",	ICMP6_WRUREPLY },
30620b12Sfrantzen	{ "fqdnreq",	ICMP6_FQDN_QUERY },
30620b12Sfrantzen	{ "fqdnrep",	ICMP6_FQDN_REPLY },
30620b12Sfrantzen	{ "niqry",	ICMP6_NI_QUERY },
30620b12Sfrantzen	{ "nirep",	ICMP6_NI_REPLY },
30620b12Sfrantzen	{ "mtraceresp",	MLD6_MTRACE_RESP },
30620b12Sfrantzen	{ "mtrace",	MLD6_MTRACE }
30620b12Sfrantzen};
30620b12Sfrantzen
7d27d81aSdhartmeistatic const struct icmpcodeent icmp_code[] = {
082ebc44Swilfried	{ "net-unr",		ICMP_UNREACH,	ICMP_UNREACH_NET },
082ebc44Swilfried	{ "host-unr",		ICMP_UNREACH,	ICMP_UNREACH_HOST },
082ebc44Swilfried	{ "proto-unr",		ICMP_UNREACH,	ICMP_UNREACH_PROTOCOL },
082ebc44Swilfried	{ "port-unr",		ICMP_UNREACH,	ICMP_UNREACH_PORT },
082ebc44Swilfried	{ "needfrag",		ICMP_UNREACH,	ICMP_UNREACH_NEEDFRAG },
082ebc44Swilfried	{ "srcfail",		ICMP_UNREACH,	ICMP_UNREACH_SRCFAIL },
082ebc44Swilfried	{ "net-unk",		ICMP_UNREACH,	ICMP_UNREACH_NET_UNKNOWN },
082ebc44Swilfried	{ "host-unk",		ICMP_UNREACH,	ICMP_UNREACH_HOST_UNKNOWN },
082ebc44Swilfried	{ "isolate",		ICMP_UNREACH,	ICMP_UNREACH_ISOLATED },
082ebc44Swilfried	{ "net-prohib",		ICMP_UNREACH,	ICMP_UNREACH_NET_PROHIB },
082ebc44Swilfried	{ "host-prohib",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PROHIB },
082ebc44Swilfried	{ "net-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSNET },
082ebc44Swilfried	{ "host-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSHOST },
082ebc44Swilfried	{ "filter-prohib",	ICMP_UNREACH,	ICMP_UNREACH_FILTER_PROHIB },
082ebc44Swilfried	{ "host-preced",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PRECEDENCE },
082ebc44Swilfried	{ "cutoff-preced",	ICMP_UNREACH,	ICMP_UNREACH_PRECEDENCE_CUTOFF },
082ebc44Swilfried	{ "redir-net",		ICMP_REDIRECT,	ICMP_REDIRECT_NET },
082ebc44Swilfried	{ "redir-host",		ICMP_REDIRECT,	ICMP_REDIRECT_HOST },
082ebc44Swilfried	{ "redir-tos-net",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSNET },
082ebc44Swilfried	{ "redir-tos-host",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSHOST },
02cbcc9eSwilfried	{ "normal-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL },
02cbcc9eSwilfried	{ "common-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON },
082ebc44Swilfried	{ "transit",		ICMP_TIMXCEED,	ICMP_TIMXCEED_INTRANS },
082ebc44Swilfried	{ "reassemb",		ICMP_TIMXCEED,	ICMP_TIMXCEED_REASS },
082ebc44Swilfried	{ "badhead",		ICMP_PARAMPROB,	ICMP_PARAMPROB_ERRATPTR },
082ebc44Swilfried	{ "optmiss",		ICMP_PARAMPROB,	ICMP_PARAMPROB_OPTABSENT },
02cbcc9eSwilfried	{ "badlen",		ICMP_PARAMPROB,	ICMP_PARAMPROB_LENGTH },
02cbcc9eSwilfried	{ "unknown-ind",	ICMP_PHOTURIS,	ICMP_PHOTURIS_UNKNOWN_INDEX },
02cbcc9eSwilfried	{ "auth-fail",		ICMP_PHOTURIS,	ICMP_PHOTURIS_AUTH_FAILED },
02cbcc9eSwilfried	{ "decrypt-fail",	ICMP_PHOTURIS,	ICMP_PHOTURIS_DECRYPT_FAILED }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmpcodeent icmp6_code[] = {
1d32ee3bSdhartmei	{ "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN },
1d32ee3bSdhartmei	{ "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE },
30620b12Sfrantzen	{ "notnbr-unr",	ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR },
30620b12Sfrantzen	{ "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE },
30620b12Sfrantzen	{ "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR },
30620b12Sfrantzen	{ "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT },
30620b12Sfrantzen	{ "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT },
30620b12Sfrantzen	{ "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY },
30620b12Sfrantzen	{ "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER },
30620b12Sfrantzen	{ "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER },
30620b12Sfrantzen	{ "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK },
30620b12Sfrantzen	{ "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER }
30620b12Sfrantzen};
30620b12Sfrantzen
d593fb91Sdrahnconst struct pf_timeout pf_timeouts[] = {
d593fb91Sdrahn	{ "tcp.first",		PFTM_TCP_FIRST_PACKET },
d593fb91Sdrahn	{ "tcp.opening",	PFTM_TCP_OPENING },
d593fb91Sdrahn	{ "tcp.established",	PFTM_TCP_ESTABLISHED },
d593fb91Sdrahn	{ "tcp.closing",	PFTM_TCP_CLOSING },
d593fb91Sdrahn	{ "tcp.finwait",	PFTM_TCP_FIN_WAIT },
d593fb91Sdrahn	{ "tcp.closed",		PFTM_TCP_CLOSED },
d593fb91Sdrahn	{ "udp.first",		PFTM_UDP_FIRST_PACKET },
d593fb91Sdrahn	{ "udp.single",		PFTM_UDP_SINGLE },
d593fb91Sdrahn	{ "udp.multiple",	PFTM_UDP_MULTIPLE },
d593fb91Sdrahn	{ "icmp.first",		PFTM_ICMP_FIRST_PACKET },
d593fb91Sdrahn	{ "icmp.error",		PFTM_ICMP_ERROR_REPLY },
d593fb91Sdrahn	{ "other.first",	PFTM_OTHER_FIRST_PACKET },
d593fb91Sdrahn	{ "other.single",	PFTM_OTHER_SINGLE },
d593fb91Sdrahn	{ "other.multiple",	PFTM_OTHER_MULTIPLE },
d593fb91Sdrahn	{ "frag",		PFTM_FRAG },
d593fb91Sdrahn	{ "interval",		PFTM_INTERVAL },
d593fb91Sdrahn	{ NULL,			0 }
d593fb91Sdrahn};
d593fb91Sdrahn
7d27d81aSdhartmeiconst struct icmptypeent *
bb9f691eSmcbridegeticmptypebynumber(u_int8_t type, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if (type == icmp_type[i].type)
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_type[i].type)
30620b12Sfrantzen				 return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmptypeent *
bb9f691eSmcbridegeticmptypebyname(char *w, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if (!strcmp(w, icmp_type[i].name))
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (!strcmp(w, icmp6_type[i].name))
30620b12Sfrantzen				return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
bb9f691eSmcbridegeticmpcodebynumber(u_int8_t type, u_int8_t code, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    code == icmp_code[i].code)
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		   sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    code == icmp6_code[i].code)
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
bb9f691eSmcbridegeticmpcodebyname(u_long type, char *w, sa_family_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp_code[i].name))
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		    sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp6_code[i].name))
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
30620b12Sfrantzen}
30620b12Sfrantzen
81a15e5dSderaadtvoid
5d9ac2dcSdhartmeiprint_op(u_int8_t op, const char *a1, const char *a2)
5d9ac2dcSdhartmei{
5d9ac2dcSdhartmei	if (op == PF_OP_IRG)
5d9ac2dcSdhartmei		printf("%s >< %s ", a1, a2);
5d9ac2dcSdhartmei	else if (op == PF_OP_XRG)
5d9ac2dcSdhartmei		printf("%s <> %s ", a1, a2);
1308506cShenning	else if (op == PF_OP_EQ)
5d9ac2dcSdhartmei		printf("= %s ", a1);
1308506cShenning	else if (op == PF_OP_NE)
5d9ac2dcSdhartmei		printf("!= %s ", a1);
1308506cShenning	else if (op == PF_OP_LT)
5d9ac2dcSdhartmei		printf("< %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_LE)
5d9ac2dcSdhartmei		printf("<= %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GT)
5d9ac2dcSdhartmei		printf("> %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GE)
5d9ac2dcSdhartmei		printf(">= %s ", a1);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
14a9b182Skjellprint_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto)
14a9b182Skjell{
e31d21c9Sdhartmei	char a1[6], a2[6];
14a9b182Skjell	struct servent *s = getservbyport(p1, proto);
81a15e5dSderaadt
14a9b182Skjell	p1 = ntohs(p1);
14a9b182Skjell	p2 = ntohs(p2);
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", p1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", p2);
14a9b182Skjell	printf("port ");
5d9ac2dcSdhartmei	if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE))
5d9ac2dcSdhartmei		print_op(op, s->s_name, a2);
14a9b182Skjell	else
5d9ac2dcSdhartmei		print_op(op, a1, a2);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
5d9ac2dcSdhartmeiprint_uid(u_int8_t op, uid_t u1, uid_t u2, const char *t)
5d9ac2dcSdhartmei{
d8fcd2dfSdhartmei	char a1[11], a2[11];
5d9ac2dcSdhartmei
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", u1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", u2);
5d9ac2dcSdhartmei	printf("%s ", t);
5d9ac2dcSdhartmei	if (u1 == UID_MAX && (op == PF_OP_EQ || op == PF_OP_NE))
5d9ac2dcSdhartmei		print_op(op, "unknown", a2);
14a9b182Skjell	else
5d9ac2dcSdhartmei		print_op(op, a1, a2);
14a9b182Skjell}
14a9b182Skjell
81a15e5dSderaadtvoid
c16ab608Sdhartmeiprint_gid(u_int8_t op, gid_t g1, gid_t g2, const char *t)
c16ab608Sdhartmei{
d8fcd2dfSdhartmei	char a1[11], a2[11];
c16ab608Sdhartmei
c16ab608Sdhartmei	snprintf(a1, sizeof(a1), "%u", g1);
c16ab608Sdhartmei	snprintf(a2, sizeof(a2), "%u", g2);
c16ab608Sdhartmei	printf("%s ", t);
c16ab608Sdhartmei	if (g1 == GID_MAX && (op == PF_OP_EQ || op == PF_OP_NE))
c16ab608Sdhartmei		print_op(op, "unknown", a2);
c16ab608Sdhartmei	else
c16ab608Sdhartmei		print_op(op, a1, a2);
c16ab608Sdhartmei}
c16ab608Sdhartmei
c16ab608Sdhartmeivoid
14a9b182Skjellprint_flags(u_int8_t f)
14a9b182Skjell{
14a9b182Skjell	int i;
81a15e5dSderaadt
bc795af0Shugh	for (i = 0; tcpflags[i]; ++i)
14a9b182Skjell		if (f & (1 << i))
14a9b182Skjell			printf("%c", tcpflags[i]);
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
15e76891Sdhartmeiprint_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,
bb9f691eSmcbride    sa_family_t af, u_int8_t proto)
15e76891Sdhartmei{
15e76891Sdhartmei	if (PF_AZERO(&src->addr.addr, AF_INET6) &&
3a44df3cSmcbride	    PF_AZERO(&src->addr.mask, AF_INET6) &&
15e76891Sdhartmei	    !src->noroute && !dst->noroute &&
15e76891Sdhartmei	    !src->port_op && PF_AZERO(&dst->addr.addr, AF_INET6) &&
3a44df3cSmcbride	    PF_AZERO(&dst->addr.mask, AF_INET6) && !dst->port_op)
15e76891Sdhartmei		printf("all ");
15e76891Sdhartmei	else {
15e76891Sdhartmei		printf("from ");
15e76891Sdhartmei		if (src->noroute)
15e76891Sdhartmei			printf("no-route ");
15e76891Sdhartmei		else if (PF_AZERO(&src->addr.addr, AF_INET6) &&
3a44df3cSmcbride		    PF_AZERO(&src->addr.mask, AF_INET6))
15e76891Sdhartmei			printf("any ");
15e76891Sdhartmei		else {
15e76891Sdhartmei			if (src->not)
15e76891Sdhartmei				printf("! ");
3a44df3cSmcbride			print_addr(&src->addr, af);
15e76891Sdhartmei			printf(" ");
15e76891Sdhartmei		}
15e76891Sdhartmei		if (src->port_op)
15e76891Sdhartmei			print_port(src->port_op, src->port[0],
15e76891Sdhartmei			    src->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei
15e76891Sdhartmei		printf("to ");
15e76891Sdhartmei		if (dst->noroute)
15e76891Sdhartmei			printf("no-route ");
15e76891Sdhartmei		else if (PF_AZERO(&dst->addr.addr, AF_INET6) &&
3a44df3cSmcbride		    PF_AZERO(&dst->addr.mask, AF_INET6))
15e76891Sdhartmei			printf("any ");
15e76891Sdhartmei		else {
15e76891Sdhartmei			if (dst->not)
15e76891Sdhartmei				printf("! ");
3a44df3cSmcbride			print_addr(&dst->addr, af);
15e76891Sdhartmei			printf(" ");
15e76891Sdhartmei		}
15e76891Sdhartmei		if (dst->port_op)
15e76891Sdhartmei			print_port(dst->port_op, dst->port[0],
15e76891Sdhartmei			    dst->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei	}
15e76891Sdhartmei}
15e76891Sdhartmei
15e76891Sdhartmeivoid
e8793aa9Smcbrideprint_rule(struct pf_rule *r, int verbose)
e8793aa9Smcbride{
e8793aa9Smcbride	switch (r->action) {
e8793aa9Smcbride	case PF_NAT:
e8793aa9Smcbride	case PF_NONAT:
60927d26Sdhartmei		print_nat(r, verbose);
e8793aa9Smcbride		break;
e8793aa9Smcbride	case PF_BINAT:
e8793aa9Smcbride	case PF_NOBINAT:
60927d26Sdhartmei		print_binat(r, verbose);
e8793aa9Smcbride		break;
e8793aa9Smcbride	case PF_RDR:
e8793aa9Smcbride	case PF_NORDR:
60927d26Sdhartmei		print_rdr(r, verbose);
e8793aa9Smcbride		break;
e8793aa9Smcbride	default:
e8793aa9Smcbride	case PF_PASS:
e8793aa9Smcbride	case PF_DROP:
e8793aa9Smcbride	case PF_SCRUB:
e8793aa9Smcbride		print_filter(r, verbose);
e8793aa9Smcbride		break;
e8793aa9Smcbride	}
e8793aa9Smcbride}
e8793aa9Smcbride
e8793aa9Smcbridevoid
e0c302d0Smcbrideprint_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
e0c302d0Smcbride    sa_family_t af, int id)
3a44df3cSmcbride{
3a44df3cSmcbride	struct pf_pooladdr *pooladdr;
3a44df3cSmcbride
6c917913Smcbride	if ((TAILQ_FIRST(&pool->list) != NULL) &&
6c917913Smcbride	    TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
3a44df3cSmcbride		printf("{ ");
3a44df3cSmcbride	TAILQ_FOREACH(pooladdr, &pool->list, entries){
3a44df3cSmcbride		switch (id) {
e8793aa9Smcbride		case PF_NAT:
e8793aa9Smcbride		case PF_RDR:
e8793aa9Smcbride		case PF_BINAT:
e8793aa9Smcbride			print_addr(&pooladdr->addr.addr, af);
3a44df3cSmcbride			break;
e8793aa9Smcbride		case PF_PASS:
e8793aa9Smcbride			if (PF_AZERO(&pooladdr->addr.addr.addr, af))
3b9b234fSmcbride				printf("%s", pooladdr->ifname);
790504a6Sdhartmei			else {
3a44df3cSmcbride				printf("(%s ", pooladdr->ifname);
e8793aa9Smcbride				print_addr(&pooladdr->addr.addr, af);
3a44df3cSmcbride				printf(")");
3b9b234fSmcbride			}
3a44df3cSmcbride			break;
e8793aa9Smcbride		default:
e8793aa9Smcbride			break;
3a44df3cSmcbride		}
3a44df3cSmcbride		if (TAILQ_NEXT(pooladdr, entries) != NULL)
3a44df3cSmcbride			printf(", ");
3a44df3cSmcbride		else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
3a44df3cSmcbride			printf(" }");
3a44df3cSmcbride	}
e0c302d0Smcbride	switch (id) {
e8793aa9Smcbride	case PF_NAT:
e0c302d0Smcbride		if (p1 != PF_NAT_PROXY_PORT_LOW ||
e0c302d0Smcbride		    p2 != PF_NAT_PROXY_PORT_HIGH) {
e0c302d0Smcbride			if (p1 == p2)
e0c302d0Smcbride			printf(" port %u", p1);
e0c302d0Smcbride			else
e0c302d0Smcbride				printf(" port %u:%u", p1, p2);
e0c302d0Smcbride		}
e0c302d0Smcbride		break;
e8793aa9Smcbride	case PF_RDR:
e0c302d0Smcbride		if (p1) {
e0c302d0Smcbride			printf(" port %u", ntohs(p1));
e8793aa9Smcbride			if (p2 & PF_OP_RRG)
e0c302d0Smcbride				printf(":*");
e0c302d0Smcbride		}
e0c302d0Smcbride		break;
e0c302d0Smcbride	default:
e0c302d0Smcbride		break;
e0c302d0Smcbride	}
e0c302d0Smcbride	switch (pool->opts & PF_POOL_TYPEMASK) {
e0c302d0Smcbride	case PF_POOL_NONE:
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_BITMASK:
e0c302d0Smcbride		printf(" bitmask");
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_RANDOM:
e0c302d0Smcbride		printf(" random");
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_SRCHASH:
0436fa02Smcbride		printf(" source-hash 0x%08x%08x%08x%08x",
e0c302d0Smcbride		    pool->key.key32[0], pool->key.key32[1],
e0c302d0Smcbride		    pool->key.key32[2], pool->key.key32[3]);
e0c302d0Smcbride		break;
e0c302d0Smcbride	case PF_POOL_ROUNDROBIN:
e0c302d0Smcbride		printf(" round-robin");
e0c302d0Smcbride		break;
e0c302d0Smcbride	}
e0c302d0Smcbride	if (pool->opts & PF_POOL_STATICPORT)
e0c302d0Smcbride		printf(" static-port");
3a44df3cSmcbride}
3a44df3cSmcbride
3a44df3cSmcbridevoid
60927d26Sdhartmeiprint_nat(struct pf_rule *n, int verbose)
14a9b182Skjell{
60927d26Sdhartmei	if (verbose)
60927d26Sdhartmei		printf("@%d ", n->nr);
6ac94451Sdhartmei	if (n->anchorname[0])
6ac94451Sdhartmei		printf("nat-anchor %s ", n->anchorname);
6ac94451Sdhartmei	else {
e8793aa9Smcbride		if (n->action == PF_NONAT)
f27db9bcSdhartmei			printf("no ");
f27db9bcSdhartmei		printf("nat ");
6ac94451Sdhartmei	}
28964e80Sdhartmei	if (n->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (n->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", n->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (n->af) {
032e40b7Sdhartmei		if (n->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (n->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(n->proto);
ed99c291Sderaadt
ab745e3bSmpech		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", n->proto);
80edb1f0Sdhartmei	}
15e76891Sdhartmei	print_fromto(&n->src, &n->dst, n->af, n->proto);
e8793aa9Smcbride	if (!n->anchorname[0] && (n->action == PF_NAT)) {
28964e80Sdhartmei		printf("-> ");
e8793aa9Smcbride		print_pool(&n->rpool, n->rpool.proxy_port[0],
e8793aa9Smcbride		    n->rpool.proxy_port[1], n->af, PF_NAT);
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
60927d26Sdhartmeiprint_binat(struct pf_rule *b, int verbose)
a3e657d0Sjasoni{
60927d26Sdhartmei	if (verbose)
60927d26Sdhartmei		printf("@%d ", b->nr);
6ac94451Sdhartmei	if (b->anchorname[0])
6ac94451Sdhartmei		printf("binat-anchor %s ", b->anchorname);
6ac94451Sdhartmei	else {
e8793aa9Smcbride		if (b->action == PF_NOBINAT)
f27db9bcSdhartmei			printf("no ");
f27db9bcSdhartmei		printf("binat ");
6ac94451Sdhartmei	}
a3e657d0Sjasoni	if (b->ifname[0]) {
a3e657d0Sjasoni		printf("on ");
a3e657d0Sjasoni		printf("%s ", b->ifname);
a3e657d0Sjasoni	}
032e40b7Sdhartmei	if (b->af) {
032e40b7Sdhartmei		if (b->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (b->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(b->proto);
ed99c291Sderaadt
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", b->proto);
a3e657d0Sjasoni	}
a3e657d0Sjasoni	printf("from ");
e8793aa9Smcbride	if (!PF_AZERO(&b->src.addr.addr, b->af) ||
e8793aa9Smcbride	    !PF_AZERO(&b->src.addr.mask, b->af)) {
e8793aa9Smcbride		print_addr(&b->src.addr, b->af);
a3e657d0Sjasoni		printf(" ");
6ac94451Sdhartmei	} else
6ac94451Sdhartmei		printf("any ");
a3e657d0Sjasoni	printf("to ");
e8793aa9Smcbride	if (!PF_AZERO(&b->dst.addr.addr, b->af) ||
e8793aa9Smcbride	    !PF_AZERO(&b->dst.addr.mask, b->af)) {
e8793aa9Smcbride		if (b->dst.not)
a3e657d0Sjasoni			printf("! ");
e8793aa9Smcbride		print_addr(&b->dst.addr, b->af);
a3e657d0Sjasoni		printf(" ");
a3e657d0Sjasoni	} else
a3e657d0Sjasoni		printf("any ");
e8793aa9Smcbride	if (!b->anchorname[0] && (b->action == PF_BINAT)) {
a3e657d0Sjasoni		printf("-> ");
e8793aa9Smcbride		print_pool(&b->rpool, 0, 0, b->af, PF_BINAT);
f27db9bcSdhartmei	}
a3e657d0Sjasoni	printf("\n");
a3e657d0Sjasoni}
a3e657d0Sjasoni
a3e657d0Sjasonivoid
60927d26Sdhartmeiprint_rdr(struct pf_rule *r, int verbose)
14a9b182Skjell{
60927d26Sdhartmei	if (verbose)
60927d26Sdhartmei		printf("@%d ", r->nr);
6ac94451Sdhartmei	if (r->anchorname[0])
6ac94451Sdhartmei		printf("rdr-anchor %s ", r->anchorname);
6ac94451Sdhartmei	else {
e8793aa9Smcbride		if (r->action == PF_NORDR)
f27db9bcSdhartmei			printf("no ");
f27db9bcSdhartmei		printf("rdr ");
6ac94451Sdhartmei	}
28964e80Sdhartmei	if (r->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (r->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", r->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (r->af) {
032e40b7Sdhartmei		if (r->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (r->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(r->proto);
ed99c291Sderaadt
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", r->proto);
e3d52469Smillert	}
28964e80Sdhartmei	printf("from ");
e8793aa9Smcbride	if (!PF_AZERO(&r->src.addr.addr, r->af) ||
e8793aa9Smcbride	    !PF_AZERO(&r->src.addr.mask, r->af)) {
e8793aa9Smcbride		if (r->src.not)
28964e80Sdhartmei			printf("! ");
e8793aa9Smcbride		print_addr(&r->src.addr, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
28964e80Sdhartmei	printf("to ");
e8793aa9Smcbride	if (!PF_AZERO(&r->dst.addr.addr, r->af) ||
e8793aa9Smcbride	    !PF_AZERO(&r->dst.addr.mask, r->af)) {
e8793aa9Smcbride		if (r->dst.not)
14a9b182Skjell			printf("! ");
e8793aa9Smcbride		print_addr(&r->dst.addr, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
e8793aa9Smcbride	if (r->dst.port[0]) {
e8793aa9Smcbride		printf("port %u", ntohs(r->dst.port[0]));
e8793aa9Smcbride		if (r->rpool.port_op & PF_OP_RRG)
e8793aa9Smcbride			printf(":%u", ntohs(r->dst.port[1]));
0436fa02Smcbride		printf(" ");
80edb1f0Sdhartmei	}
e8793aa9Smcbride	if (!r->anchorname[0] && (r->action == PF_RDR)) {
cb07131dSkjell		printf("-> ");
e8793aa9Smcbride		print_pool(&r->rpool, r->rpool.proxy_port[0],
e8793aa9Smcbride		    r->rpool.port_op, r->af, PF_RDR);
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
bca2bf17Sdhartmeichar *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
bca2bf17Sdhartmeichar *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
99a73934Sderaadt
14a9b182Skjellvoid
81a15e5dSderaadtprint_status(struct pf_status *s)
14a9b182Skjell{
c474e331Shenning	time_t runtime;
99a73934Sderaadt	int i;
c474e331Shenning	char statline[80];
99a73934Sderaadt
c474e331Shenning	runtime = time(NULL) - s->since;
c474e331Shenning
d85e4ad6Sdhartmei	if (s->running) {
d85e4ad6Sdhartmei		unsigned sec, min, hrs, day = runtime;
d85e4ad6Sdhartmei
d85e4ad6Sdhartmei		sec = day % 60;
d85e4ad6Sdhartmei		day /= 60;
d85e4ad6Sdhartmei		min = day % 60;
d85e4ad6Sdhartmei		day /= 60;
d85e4ad6Sdhartmei		hrs = day % 24;
d85e4ad6Sdhartmei		day /= 24;
c474e331Shenning		snprintf(statline, sizeof(statline),
d85e4ad6Sdhartmei		    "Status: Enabled for %u days %.2u:%.2u:%.2u",
d85e4ad6Sdhartmei		    day, hrs, min, sec);
d85e4ad6Sdhartmei	} else
c474e331Shenning		snprintf(statline, sizeof(statline), "Status: Disabled");
c97b4ee1Shenning	printf("%-44s", statline);
ae58c8acSdhartmei	switch (s->debug) {
ae58c8acSdhartmei	case 0:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: None");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 1:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: Urgent");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 2:
c97b4ee1Shenning		printf("%15s\n\n", "Debug: Misc");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	}
c474e331Shenning	if (s->ifname[0] != 0) {
c474e331Shenning		printf("Interface Stats for %-16s %5s %16s\n",
c474e331Shenning		    s->ifname, "IPv4", "IPv6");
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes In",
7189e280Sdhartmei		    s->bcounters[0][0], s->bcounters[1][0]);
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes Out",
7189e280Sdhartmei		    s->bcounters[0][1], s->bcounters[1][1]);
c474e331Shenning		printf("  Packets In\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
7189e280Sdhartmei		    s->pcounters[0][0][PF_PASS],
7189e280Sdhartmei		    s->pcounters[1][0][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Blocked",
7189e280Sdhartmei		    s->pcounters[0][0][PF_DROP],
7189e280Sdhartmei		    s->pcounters[1][0][PF_DROP]);
c474e331Shenning		printf("  Packets Out\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
7189e280Sdhartmei		    s->pcounters[0][1][PF_PASS],
7189e280Sdhartmei		    s->pcounters[1][1][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n\n", "Blocked",
7189e280Sdhartmei		    s->pcounters[0][1][PF_DROP],
7189e280Sdhartmei		    s->pcounters[1][1][PF_DROP]);
c474e331Shenning	}
c474e331Shenning	printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
c474e331Shenning	printf("  %-25s %14u %14s\n", "current entries", s->states, "");
c474e331Shenning	for (i = 0; i < FCNT_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_fcounters[i],
84976600Sderaadt			    s->fcounters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->fcounters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
99a73934Sderaadt	printf("Counters\n");
c474e331Shenning	for (i = 0; i < PFRES_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_reasons[i],
99a73934Sderaadt		    s->counters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->counters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
e8793aa9Smcbrideprint_filter(struct pf_rule *r, int verbose)
14a9b182Skjell{
cc5f0329Sdhartmei	int i, opts;
cc5f0329Sdhartmei
74dc4fddShenning	if (verbose)
78baf774Sdhartmei		printf("@%d ", r->nr);
6ac94451Sdhartmei	if (r->anchorname[0])
6ac94451Sdhartmei		printf("anchor %s ", r->anchorname);
6ac94451Sdhartmei	else if (r->action == PF_PASS)
14a9b182Skjell		printf("pass ");
b996d042Sdhartmei	else if (r->action == PF_DROP) {
14a9b182Skjell		printf("block ");
8a87542aShenning		if (r->rule_flag & PFRULE_RETURN)
8a87542aShenning			printf("return ");
8a87542aShenning		else if (r->rule_flag & PFRULE_RETURNRST) {
1f77cc8aSpb			if (!r->return_ttl)
14a9b182Skjell				printf("return-rst ");
1f77cc8aSpb			else
1f77cc8aSpb				printf("return-rst(ttl %d) ", r->return_ttl);
328b2decShenning		} else if (r->rule_flag & PFRULE_RETURNICMP) {
328b2decShenning			const struct icmpcodeent *ic, *ic6;
b996d042Sdhartmei
b996d042Sdhartmei			ic = geticmpcodebynumber(r->return_icmp >> 8,
328b2decShenning			    r->return_icmp & 255, AF_INET);
328b2decShenning			ic6 = geticmpcodebynumber(r->return_icmp6 >> 8,
328b2decShenning			    r->return_icmp6 & 255, AF_INET6);
d14c53d7Swilfried
328b2decShenning			switch(r->af) {
328b2decShenning			case AF_INET:
328b2decShenning				printf("return-icmp");
d14c53d7Swilfried				if (ic == NULL)
d14c53d7Swilfried					printf("(%u) ", r->return_icmp & 255);
b996d042Sdhartmei				else
328b2decShenning					printf("(%s) ", ic->name);
328b2decShenning				break;
328b2decShenning			case AF_INET6:
328b2decShenning				printf("return-icmp6");
328b2decShenning				if (ic6 == NULL)
328b2decShenning					printf("(%u) ", r->return_icmp6 & 255);
328b2decShenning				else
328b2decShenning					printf("(%s) ", ic6->name);
328b2decShenning				break;
328b2decShenning			default:
328b2decShenning				printf("return-icmp");
328b2decShenning				if (ic == NULL)
328b2decShenning					printf("(%u, ", r->return_icmp & 255);
328b2decShenning				else
328b2decShenning					printf("(%s, ", ic->name);
328b2decShenning				if (ic6 == NULL)
328b2decShenning					printf("%u) ", r->return_icmp6 & 255);
328b2decShenning				else
328b2decShenning					printf("%s) ", ic6->name);
328b2decShenning				break;
328b2decShenning			}
acf2444cShenning		} else
acf2444cShenning			printf("drop ");
6ac94451Sdhartmei	} else
b996d042Sdhartmei		printf("scrub ");
7189e280Sdhartmei	if (r->direction == PF_IN)
14a9b182Skjell		printf("in ");
7189e280Sdhartmei	else if (r->direction == PF_OUT)
14a9b182Skjell		printf("out ");
7242ce7aSdhartmei	if (r->log == 1)
14a9b182Skjell		printf("log ");
7242ce7aSdhartmei	else if (r->log == 2)
7242ce7aSdhartmei		printf("log-all ");
14a9b182Skjell	if (r->quick)
14a9b182Skjell		printf("quick ");
7d0c9138Shenning	if (r->ifname[0]) {
7d0c9138Shenning		if (r->ifnot)
7d0c9138Shenning			printf("on ! %s ", r->ifname);
7d0c9138Shenning		else
14a9b182Skjell			printf("on %s ", r->ifname);
7d0c9138Shenning	}
cb3a4e31Sjasoni	if (r->rt) {
cb3a4e31Sjasoni		if (r->rt == PF_ROUTETO)
cb3a4e31Sjasoni			printf("route-to ");
fa1cdd09Sdhartmei		else if (r->rt == PF_REPLYTO)
fa1cdd09Sdhartmei			printf("reply-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_DUPTO)
cb3a4e31Sjasoni			printf("dup-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_FASTROUTE)
cb3a4e31Sjasoni			printf("fastroute ");
790504a6Sdhartmei		if (r->rt != PF_FASTROUTE) {
e8793aa9Smcbride			print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
790504a6Sdhartmei			printf(" ");
790504a6Sdhartmei		}
cb3a4e31Sjasoni	}
30620b12Sfrantzen	if (r->af) {
30620b12Sfrantzen		if (r->af == AF_INET)
30620b12Sfrantzen			printf("inet ");
30620b12Sfrantzen		else
30620b12Sfrantzen			printf("inet6 ");
30620b12Sfrantzen	}
14a9b182Skjell	if (r->proto) {
14a9b182Skjell		struct protoent *p = getprotobynumber(r->proto);
ed99c291Sderaadt
14a9b182Skjell		if (p != NULL)
14a9b182Skjell			printf("proto %s ", p->p_name);
14a9b182Skjell		else
14a9b182Skjell			printf("proto %u ", r->proto);
14a9b182Skjell	}
15e76891Sdhartmei	print_fromto(&r->src, &r->dst, r->af, r->proto);
c16ab608Sdhartmei	if (r->uid.op)
c16ab608Sdhartmei		print_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user");
c16ab608Sdhartmei	if (r->gid.op)
c16ab608Sdhartmei		print_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group");
14a9b182Skjell	if (r->flags || r->flagset) {
14a9b182Skjell		printf("flags ");
14a9b182Skjell		print_flags(r->flags);
14a9b182Skjell		printf("/");
14a9b182Skjell		print_flags(r->flagset);
14a9b182Skjell		printf(" ");
14a9b182Skjell	}
082ebc44Swilfried	if (r->type) {
b49ca6bbShenning		const struct icmptypeent *it;
082ebc44Swilfried
b49ca6bbShenning		it = geticmptypebynumber(r->type-1, r->af);
d14c53d7Swilfried		if (r->af != AF_INET6)
d14c53d7Swilfried			printf("icmp-type");
082ebc44Swilfried		else
*d0cb3502Smcbride			printf("icmp6-type");
b49ca6bbShenning		if (it != NULL)
b49ca6bbShenning			printf(" %s ", it->name);
d14c53d7Swilfried		else
d14c53d7Swilfried			printf(" %u ", r->type-1);
082ebc44Swilfried		if (r->code) {
b49ca6bbShenning			const struct icmpcodeent *ic;
082ebc44Swilfried
b49ca6bbShenning			ic = geticmpcodebynumber(r->type-1, r->code-1, r->af);
b49ca6bbShenning			if (ic != NULL)
b49ca6bbShenning				printf("code %s ", ic->name);
082ebc44Swilfried			else
14a9b182Skjell				printf("code %u ", r->code-1);
082ebc44Swilfried		}
082ebc44Swilfried	}
e4cbe364Sdhartmei	if (r->tos)
e4cbe364Sdhartmei		printf("tos 0x%2.2x ", r->tos);
b96c47abSfrantzen	if (r->keep_state == PF_STATE_NORMAL)
14a9b182Skjell		printf("keep state ");
b96c47abSfrantzen	else if (r->keep_state == PF_STATE_MODULATE)
b96c47abSfrantzen		printf("modulate state ");
cc5f0329Sdhartmei	opts = 0;
b3c86969Sdhartmei	if (r->max_states)
cc5f0329Sdhartmei		opts = 1;
cc5f0329Sdhartmei	for (i = 0; !opts && i < PFTM_MAX; ++i)
cc5f0329Sdhartmei		if (r->timeout[i])
cc5f0329Sdhartmei			opts = 1;
cc5f0329Sdhartmei	if (opts) {
cc5f0329Sdhartmei		printf("(");
cc5f0329Sdhartmei		if (r->max_states) {
cc5f0329Sdhartmei			printf("max %u", r->max_states);
cc5f0329Sdhartmei			opts = 0;
cc5f0329Sdhartmei		}
cc5f0329Sdhartmei		for (i = 0; i < PFTM_MAX; ++i)
cc5f0329Sdhartmei			if (r->timeout[i]) {
cc5f0329Sdhartmei				if (!opts)
cc5f0329Sdhartmei					printf(", ");
cc5f0329Sdhartmei				opts = 0;
cc5f0329Sdhartmei				printf("%s %u", pf_timeouts[i].name,
cc5f0329Sdhartmei				    r->timeout[i]);
cc5f0329Sdhartmei			}
cc5f0329Sdhartmei		printf(") ");
cc5f0329Sdhartmei	}
6673dee2Sdhartmei	if (r->rule_flag & PFRULE_FRAGMENT)
6673dee2Sdhartmei		printf("fragment ");
67d2a440Sprovos	if (r->rule_flag & PFRULE_NODF)
67d2a440Sprovos		printf("no-df ");
e258bfd4Sprovos	if (r->min_ttl)
34c76dcbSprovos		printf("min-ttl %d ", r->min_ttl);
cfa91859Sjasoni	if (r->max_mss)
cfa91859Sjasoni		printf("max-mss %d ", r->max_mss);
f48d62b3Sdhartmei	if (r->allow_opts)
f48d62b3Sdhartmei		printf("allow-opts ");
b02af636Sfrantzen	if (r->action == PF_SCRUB) {
b02af636Sfrantzen		if (r->rule_flag & PFRULE_FRAGDROP)
b02af636Sfrantzen			printf("fragment drop-ovl ");
b02af636Sfrantzen		else if (r->rule_flag & PFRULE_FRAGCROP)
b02af636Sfrantzen			printf("fragment crop ");
b02af636Sfrantzen		else
b02af636Sfrantzen			printf("fragment reassemble ");
b02af636Sfrantzen	}
455ef0c1Sdhartmei	if (r->label[0])
455ef0c1Sdhartmei		printf("label %s ", r->label);
f98324c6Shenning	if (r->qname[0] && r->pqname[0])
f98324c6Shenning		printf("queue(%s, %s) ", r->qname, r->pqname);
f98324c6Shenning	else if (r->qname[0])
78e1d2a6Shenning		printf("queue %s ", r->qname);
67d2a440Sprovos
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
1f8f21bdSmillertint
ff352a37Smarkusparse_flags(char *s)
14a9b182Skjell{
ff352a37Smarkus	char *p, *q;
14a9b182Skjell	u_int8_t f = 0;
81a15e5dSderaadt
ff352a37Smarkus	for (p = s; *p; p++) {
ff352a37Smarkus		if ((q = strchr(tcpflags, *p)) == NULL)
ff352a37Smarkus			return -1;
ff352a37Smarkus		else
ff352a37Smarkus			f |= 1 << (q - tcpflags);
14a9b182Skjell	}
bc795af0Shugh	return (f ? f : PF_TH_ALL);
14a9b182Skjell}