sbin/pfctl/pfctl_parser.c

*d85e4ad6Sdhartmei/*	$OpenBSD: pfctl_parser.c,v 1.90 2002/06/19 17:44:02 dhartmei Exp $ */
14a9b182Skjell
14a9b182Skjell/*
fd3c3a0cSderaadt * Copyright (c) 2001 Daniel Hartmeier
14a9b182Skjell * All rights reserved.
14a9b182Skjell *
14a9b182Skjell * Redistribution and use in source and binary forms, with or without
14a9b182Skjell * modification, are permitted provided that the following conditions
14a9b182Skjell * are met:
14a9b182Skjell *
14a9b182Skjell *    - Redistributions of source code must retain the above copyright
14a9b182Skjell *      notice, this list of conditions and the following disclaimer.
14a9b182Skjell *    - Redistributions in binary form must reproduce the above
14a9b182Skjell *      copyright notice, this list of conditions and the following
14a9b182Skjell *      disclaimer in the documentation and/or other materials provided
14a9b182Skjell *      with the distribution.
14a9b182Skjell *
14a9b182Skjell * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14a9b182Skjell * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
14a9b182Skjell * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14a9b182Skjell * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
5974bd37Sdhartmei * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
14a9b182Skjell * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
14a9b182Skjell * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14a9b182Skjell * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
14a9b182Skjell * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14a9b182Skjell * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
14a9b182Skjell * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
14a9b182Skjell * POSSIBILITY OF SUCH DAMAGE.
14a9b182Skjell *
14a9b182Skjell */
14a9b182Skjell
252d784aSderaadt#include <sys/types.h>
252d784aSderaadt#include <sys/socket.h>
252d784aSderaadt#include <net/if.h>
252d784aSderaadt#include <netinet/in.h>
6329fa59Sderaadt#include <netinet/in_systm.h>
6329fa59Sderaadt#include <netinet/ip.h>
6329fa59Sderaadt#include <netinet/ip_icmp.h>
30620b12Sfrantzen#include <netinet/icmp6.h>
252d784aSderaadt#include <net/pfvar.h>
9f13c6caSmillert#include <arpa/inet.h>
252d784aSderaadt
14a9b182Skjell#include <stdio.h>
14a9b182Skjell#include <stdlib.h>
14a9b182Skjell#include <string.h>
14a9b182Skjell#include <ctype.h>
14a9b182Skjell#include <netdb.h>
6329fa59Sderaadt#include <stdarg.h>
6329fa59Sderaadt#include <errno.h>
ff352a37Smarkus#include <err.h>
14a9b182Skjell
14a9b182Skjell#include "pfctl_parser.h"
828e0448Smickey#include "pf_print_state.h"
14a9b182Skjell
5d9ac2dcSdhartmeivoid		 print_op (u_int8_t, const char *, const char *);
81a15e5dSderaadtvoid		 print_port (u_int8_t, u_int16_t, u_int16_t, char *);
5d9ac2dcSdhartmeivoid		 print_uid (u_int8_t, uid_t, uid_t, const char *);
c16ab608Sdhartmeivoid		 print_gid (u_int8_t, gid_t, gid_t, const char *);
81a15e5dSderaadtvoid		 print_flags (u_int8_t);
15e76891Sdhartmeivoid		 print_fromto(struct pf_rule_addr *, struct pf_rule_addr *,
15e76891Sdhartmei		    u_int8_t, u_int8_t);
14a9b182Skjell
bc795af0Shughchar *tcpflags = "FSRPAUEW";
14a9b182Skjell
7d27d81aSdhartmeistatic const struct icmptypeent icmp_type[] = {
082ebc44Swilfried	{ "echoreq",	ICMP_ECHO },
082ebc44Swilfried	{ "echorep",	ICMP_ECHOREPLY },
082ebc44Swilfried	{ "unreach",	ICMP_UNREACH },
082ebc44Swilfried	{ "squench",	ICMP_SOURCEQUENCH },
082ebc44Swilfried	{ "redir",	ICMP_REDIRECT },
082ebc44Swilfried	{ "althost",	ICMP_ALTHOSTADDR },
082ebc44Swilfried	{ "routeradv",	ICMP_ROUTERADVERT },
082ebc44Swilfried	{ "routersol",	ICMP_ROUTERSOLICIT },
082ebc44Swilfried	{ "timex",	ICMP_TIMXCEED },
082ebc44Swilfried	{ "paramprob",	ICMP_PARAMPROB },
082ebc44Swilfried	{ "timereq",	ICMP_TSTAMP },
082ebc44Swilfried	{ "timerep",	ICMP_TSTAMPREPLY },
082ebc44Swilfried	{ "inforeq",	ICMP_IREQ },
082ebc44Swilfried	{ "inforep",	ICMP_IREQREPLY },
082ebc44Swilfried	{ "maskreq",	ICMP_MASKREQ },
02cbcc9eSwilfried	{ "maskrep",	ICMP_MASKREPLY },
02cbcc9eSwilfried	{ "trace",	ICMP_TRACEROUTE },
02cbcc9eSwilfried	{ "dataconv",	ICMP_DATACONVERR },
02cbcc9eSwilfried	{ "mobredir",	ICMP_MOBILE_REDIRECT },
02cbcc9eSwilfried	{ "ipv6-where",	ICMP_IPV6_WHEREAREYOU },
02cbcc9eSwilfried	{ "ipv6-here",	ICMP_IPV6_IAMHERE },
02cbcc9eSwilfried	{ "mobregreq",	ICMP_MOBILE_REGREQUEST },
02cbcc9eSwilfried	{ "mobregrep",	ICMP_MOBILE_REGREPLY },
02cbcc9eSwilfried	{ "skip",	ICMP_SKIP },
02cbcc9eSwilfried	{ "photuris",	ICMP_PHOTURIS }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmptypeent icmp6_type[] = {
30620b12Sfrantzen	{ "unreach",	ICMP6_DST_UNREACH },
30620b12Sfrantzen	{ "toobig",	ICMP6_PACKET_TOO_BIG },
30620b12Sfrantzen	{ "timex",	ICMP6_TIME_EXCEEDED },
30620b12Sfrantzen	{ "paramprob",	ICMP6_PARAM_PROB },
30620b12Sfrantzen	{ "echoreq",	ICMP6_ECHO_REQUEST },
30620b12Sfrantzen	{ "echorep",	ICMP6_ECHO_REPLY },
30620b12Sfrantzen	{ "groupqry",	ICMP6_MEMBERSHIP_QUERY },
30620b12Sfrantzen	{ "listqry",	MLD6_LISTENER_QUERY },
30620b12Sfrantzen	{ "grouprep",	ICMP6_MEMBERSHIP_REPORT },
30620b12Sfrantzen	{ "listenrep",	MLD6_LISTENER_REPORT },
30620b12Sfrantzen	{ "groupterm",	ICMP6_MEMBERSHIP_REDUCTION },
30620b12Sfrantzen	{ "listendone", MLD6_LISTENER_DONE },
30620b12Sfrantzen	{ "routersol",	ND_ROUTER_SOLICIT },
30620b12Sfrantzen	{ "routeradv",	ND_ROUTER_ADVERT },
30620b12Sfrantzen	{ "neighbrsol", ND_NEIGHBOR_SOLICIT },
30620b12Sfrantzen	{ "neighbradv", ND_NEIGHBOR_ADVERT },
30620b12Sfrantzen	{ "redir",	ND_REDIRECT },
30620b12Sfrantzen	{ "routrrenum", ICMP6_ROUTER_RENUMBERING },
30620b12Sfrantzen	{ "wrureq",	ICMP6_WRUREQUEST },
30620b12Sfrantzen	{ "wrurep",	ICMP6_WRUREPLY },
30620b12Sfrantzen	{ "fqdnreq",	ICMP6_FQDN_QUERY },
30620b12Sfrantzen	{ "fqdnrep",	ICMP6_FQDN_REPLY },
30620b12Sfrantzen	{ "niqry",	ICMP6_NI_QUERY },
30620b12Sfrantzen	{ "nirep",	ICMP6_NI_REPLY },
30620b12Sfrantzen	{ "mtraceresp",	MLD6_MTRACE_RESP },
30620b12Sfrantzen	{ "mtrace",	MLD6_MTRACE }
30620b12Sfrantzen};
30620b12Sfrantzen
7d27d81aSdhartmeistatic const struct icmpcodeent icmp_code[] = {
082ebc44Swilfried	{ "net-unr",		ICMP_UNREACH,	ICMP_UNREACH_NET },
082ebc44Swilfried	{ "host-unr",		ICMP_UNREACH,	ICMP_UNREACH_HOST },
082ebc44Swilfried	{ "proto-unr",		ICMP_UNREACH,	ICMP_UNREACH_PROTOCOL },
082ebc44Swilfried	{ "port-unr",		ICMP_UNREACH,	ICMP_UNREACH_PORT },
082ebc44Swilfried	{ "needfrag",		ICMP_UNREACH,	ICMP_UNREACH_NEEDFRAG },
082ebc44Swilfried	{ "srcfail",		ICMP_UNREACH,	ICMP_UNREACH_SRCFAIL },
082ebc44Swilfried	{ "net-unk",		ICMP_UNREACH,	ICMP_UNREACH_NET_UNKNOWN },
082ebc44Swilfried	{ "host-unk",		ICMP_UNREACH,	ICMP_UNREACH_HOST_UNKNOWN },
082ebc44Swilfried	{ "isolate",		ICMP_UNREACH,	ICMP_UNREACH_ISOLATED },
082ebc44Swilfried	{ "net-prohib",		ICMP_UNREACH,	ICMP_UNREACH_NET_PROHIB },
082ebc44Swilfried	{ "host-prohib",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PROHIB },
082ebc44Swilfried	{ "net-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSNET },
082ebc44Swilfried	{ "host-tos",		ICMP_UNREACH,	ICMP_UNREACH_TOSHOST },
082ebc44Swilfried	{ "filter-prohib",	ICMP_UNREACH,	ICMP_UNREACH_FILTER_PROHIB },
082ebc44Swilfried	{ "host-preced",	ICMP_UNREACH,	ICMP_UNREACH_HOST_PRECEDENCE },
082ebc44Swilfried	{ "cutoff-preced",	ICMP_UNREACH,	ICMP_UNREACH_PRECEDENCE_CUTOFF },
082ebc44Swilfried	{ "redir-net",		ICMP_REDIRECT,	ICMP_REDIRECT_NET },
082ebc44Swilfried	{ "redir-host",		ICMP_REDIRECT,	ICMP_REDIRECT_HOST },
082ebc44Swilfried	{ "redir-tos-net",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSNET },
082ebc44Swilfried	{ "redir-tos-host",	ICMP_REDIRECT,	ICMP_REDIRECT_TOSHOST },
02cbcc9eSwilfried	{ "normal-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL },
02cbcc9eSwilfried	{ "common-adv",		ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON },
082ebc44Swilfried	{ "transit",		ICMP_TIMXCEED,	ICMP_TIMXCEED_INTRANS },
082ebc44Swilfried	{ "reassemb",		ICMP_TIMXCEED,	ICMP_TIMXCEED_REASS },
082ebc44Swilfried	{ "badhead",		ICMP_PARAMPROB,	ICMP_PARAMPROB_ERRATPTR },
082ebc44Swilfried	{ "optmiss",		ICMP_PARAMPROB,	ICMP_PARAMPROB_OPTABSENT },
02cbcc9eSwilfried	{ "badlen",		ICMP_PARAMPROB,	ICMP_PARAMPROB_LENGTH },
02cbcc9eSwilfried	{ "unknown-ind",	ICMP_PHOTURIS,	ICMP_PHOTURIS_UNKNOWN_INDEX },
02cbcc9eSwilfried	{ "auth-fail",		ICMP_PHOTURIS,	ICMP_PHOTURIS_AUTH_FAILED },
02cbcc9eSwilfried	{ "decrypt-fail",	ICMP_PHOTURIS,	ICMP_PHOTURIS_DECRYPT_FAILED }
082ebc44Swilfried};
082ebc44Swilfried
7d27d81aSdhartmeistatic const struct icmpcodeent icmp6_code[] = {
1d32ee3bSdhartmei	{ "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN },
1d32ee3bSdhartmei	{ "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE },
30620b12Sfrantzen	{ "notnbr-unr",	ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR },
30620b12Sfrantzen	{ "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE },
30620b12Sfrantzen	{ "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR },
30620b12Sfrantzen	{ "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT },
30620b12Sfrantzen	{ "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT },
30620b12Sfrantzen	{ "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY },
30620b12Sfrantzen	{ "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER },
30620b12Sfrantzen	{ "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER },
30620b12Sfrantzen	{ "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK },
30620b12Sfrantzen	{ "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER }
30620b12Sfrantzen};
30620b12Sfrantzen
d593fb91Sdrahnconst struct pf_timeout pf_timeouts[] = {
d593fb91Sdrahn	{ "tcp.first",		PFTM_TCP_FIRST_PACKET },
d593fb91Sdrahn	{ "tcp.opening",	PFTM_TCP_OPENING },
d593fb91Sdrahn	{ "tcp.established",	PFTM_TCP_ESTABLISHED },
d593fb91Sdrahn	{ "tcp.closing",	PFTM_TCP_CLOSING },
d593fb91Sdrahn	{ "tcp.finwait",	PFTM_TCP_FIN_WAIT },
d593fb91Sdrahn	{ "tcp.closed",		PFTM_TCP_CLOSED },
d593fb91Sdrahn	{ "udp.first",		PFTM_UDP_FIRST_PACKET },
d593fb91Sdrahn	{ "udp.single",		PFTM_UDP_SINGLE },
d593fb91Sdrahn	{ "udp.multiple",	PFTM_UDP_MULTIPLE },
d593fb91Sdrahn	{ "icmp.first",		PFTM_ICMP_FIRST_PACKET },
d593fb91Sdrahn	{ "icmp.error",		PFTM_ICMP_ERROR_REPLY },
d593fb91Sdrahn	{ "other.first",	PFTM_OTHER_FIRST_PACKET },
d593fb91Sdrahn	{ "other.single",	PFTM_OTHER_SINGLE },
d593fb91Sdrahn	{ "other.multiple",	PFTM_OTHER_MULTIPLE },
d593fb91Sdrahn	{ "frag",		PFTM_FRAG },
d593fb91Sdrahn	{ "interval",		PFTM_INTERVAL },
d593fb91Sdrahn	{ NULL,			0 }
d593fb91Sdrahn};
d593fb91Sdrahn
7d27d81aSdhartmeiconst struct icmptypeent *
d14c53d7Swilfriedgeticmptypebynumber(u_int8_t type, u_int8_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if (type == icmp_type[i].type)
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_type[i].type)
30620b12Sfrantzen				 return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmptypeent *
d14c53d7Swilfriedgeticmptypebyname(char *w, u_int8_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0])); i++) {
082ebc44Swilfried			if (!strcmp(w, icmp_type[i].name))
082ebc44Swilfried				return (&icmp_type[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_type) /
30620b12Sfrantzen		    sizeof(icmp6_type[0])); i++) {
30620b12Sfrantzen			if (!strcmp(w, icmp6_type[i].name))
30620b12Sfrantzen				return (&icmp6_type[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
d14c53d7Swilfriedgeticmpcodebynumber(u_int8_t type, u_int8_t code, u_int8_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    code == icmp_code[i].code)
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		   sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    code == icmp6_code[i].code)
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
082ebc44Swilfried}
082ebc44Swilfried
7d27d81aSdhartmeiconst struct icmpcodeent *
d14c53d7Swilfriedgeticmpcodebyname(u_long type, char *w, u_int8_t af)
082ebc44Swilfried{
ed99c291Sderaadt	unsigned int i;
082ebc44Swilfried
d14c53d7Swilfried	if (af != AF_INET6) {
082ebc44Swilfried		for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp_code[i].name))
082ebc44Swilfried				return (&icmp_code[i]);
082ebc44Swilfried		}
30620b12Sfrantzen	} else {
30620b12Sfrantzen		for (i=0; i < (sizeof (icmp6_code) /
30620b12Sfrantzen		    sizeof(icmp6_code[0])); i++) {
30620b12Sfrantzen			if (type == icmp6_code[i].type &&
30620b12Sfrantzen			    !strcmp(w, icmp6_code[i].name))
30620b12Sfrantzen				return (&icmp6_code[i]);
30620b12Sfrantzen		}
30620b12Sfrantzen	}
30620b12Sfrantzen	return (NULL);
30620b12Sfrantzen}
30620b12Sfrantzen
81a15e5dSderaadtvoid
5d9ac2dcSdhartmeiprint_op(u_int8_t op, const char *a1, const char *a2)
5d9ac2dcSdhartmei{
5d9ac2dcSdhartmei	if (op == PF_OP_IRG)
5d9ac2dcSdhartmei		printf("%s >< %s ", a1, a2);
5d9ac2dcSdhartmei	else if (op == PF_OP_XRG)
5d9ac2dcSdhartmei		printf("%s <> %s ", a1, a2);
1308506cShenning	else if (op == PF_OP_EQ)
5d9ac2dcSdhartmei		printf("= %s ", a1);
1308506cShenning	else if (op == PF_OP_NE)
5d9ac2dcSdhartmei		printf("!= %s ", a1);
1308506cShenning	else if (op == PF_OP_LT)
5d9ac2dcSdhartmei		printf("< %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_LE)
5d9ac2dcSdhartmei		printf("<= %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GT)
5d9ac2dcSdhartmei		printf("> %s ", a1);
5d9ac2dcSdhartmei	else if (op == PF_OP_GE)
5d9ac2dcSdhartmei		printf(">= %s ", a1);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
14a9b182Skjellprint_port(u_int8_t op, u_int16_t p1, u_int16_t p2, char *proto)
14a9b182Skjell{
e31d21c9Sdhartmei	char a1[6], a2[6];
14a9b182Skjell	struct servent *s = getservbyport(p1, proto);
81a15e5dSderaadt
14a9b182Skjell	p1 = ntohs(p1);
14a9b182Skjell	p2 = ntohs(p2);
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", p1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", p2);
14a9b182Skjell	printf("port ");
5d9ac2dcSdhartmei	if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE))
5d9ac2dcSdhartmei		print_op(op, s->s_name, a2);
14a9b182Skjell	else
5d9ac2dcSdhartmei		print_op(op, a1, a2);
5d9ac2dcSdhartmei}
5d9ac2dcSdhartmei
5d9ac2dcSdhartmeivoid
5d9ac2dcSdhartmeiprint_uid(u_int8_t op, uid_t u1, uid_t u2, const char *t)
5d9ac2dcSdhartmei{
d8fcd2dfSdhartmei	char a1[11], a2[11];
5d9ac2dcSdhartmei
5d9ac2dcSdhartmei	snprintf(a1, sizeof(a1), "%u", u1);
5d9ac2dcSdhartmei	snprintf(a2, sizeof(a2), "%u", u2);
5d9ac2dcSdhartmei	printf("%s ", t);
5d9ac2dcSdhartmei	if (u1 == UID_MAX && (op == PF_OP_EQ || op == PF_OP_NE))
5d9ac2dcSdhartmei		print_op(op, "unknown", a2);
14a9b182Skjell	else
5d9ac2dcSdhartmei		print_op(op, a1, a2);
14a9b182Skjell}
14a9b182Skjell
81a15e5dSderaadtvoid
c16ab608Sdhartmeiprint_gid(u_int8_t op, gid_t g1, gid_t g2, const char *t)
c16ab608Sdhartmei{
d8fcd2dfSdhartmei	char a1[11], a2[11];
c16ab608Sdhartmei
c16ab608Sdhartmei	snprintf(a1, sizeof(a1), "%u", g1);
c16ab608Sdhartmei	snprintf(a2, sizeof(a2), "%u", g2);
c16ab608Sdhartmei	printf("%s ", t);
c16ab608Sdhartmei	if (g1 == GID_MAX && (op == PF_OP_EQ || op == PF_OP_NE))
c16ab608Sdhartmei		print_op(op, "unknown", a2);
c16ab608Sdhartmei	else
c16ab608Sdhartmei		print_op(op, a1, a2);
c16ab608Sdhartmei}
c16ab608Sdhartmei
c16ab608Sdhartmeivoid
14a9b182Skjellprint_flags(u_int8_t f)
14a9b182Skjell{
14a9b182Skjell	int i;
81a15e5dSderaadt
bc795af0Shugh	for (i = 0; tcpflags[i]; ++i)
14a9b182Skjell		if (f & (1 << i))
14a9b182Skjell			printf("%c", tcpflags[i]);
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
15e76891Sdhartmeiprint_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,
15e76891Sdhartmei    u_int8_t af, u_int8_t proto)
15e76891Sdhartmei{
15e76891Sdhartmei	if (PF_AZERO(&src->addr.addr, AF_INET6) &&
15e76891Sdhartmei	    PF_AZERO(&src->mask, AF_INET6) &&
15e76891Sdhartmei	    !src->noroute && !dst->noroute &&
15e76891Sdhartmei	    !src->port_op && PF_AZERO(&dst->addr.addr, AF_INET6) &&
15e76891Sdhartmei	    PF_AZERO(&dst->mask, AF_INET6) && !dst->port_op)
15e76891Sdhartmei		printf("all ");
15e76891Sdhartmei	else {
15e76891Sdhartmei		printf("from ");
15e76891Sdhartmei		if (src->noroute)
15e76891Sdhartmei			printf("no-route ");
15e76891Sdhartmei		else if (PF_AZERO(&src->addr.addr, AF_INET6) &&
15e76891Sdhartmei		    PF_AZERO(&src->mask, AF_INET6))
15e76891Sdhartmei			printf("any ");
15e76891Sdhartmei		else {
15e76891Sdhartmei			if (src->not)
15e76891Sdhartmei				printf("! ");
15e76891Sdhartmei			print_addr(&src->addr, &src->mask, af);
15e76891Sdhartmei			printf(" ");
15e76891Sdhartmei		}
15e76891Sdhartmei		if (src->port_op)
15e76891Sdhartmei			print_port(src->port_op, src->port[0],
15e76891Sdhartmei			    src->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei
15e76891Sdhartmei		printf("to ");
15e76891Sdhartmei		if (dst->noroute)
15e76891Sdhartmei			printf("no-route ");
15e76891Sdhartmei		else if (PF_AZERO(&dst->addr.addr, AF_INET6) &&
15e76891Sdhartmei		    PF_AZERO(&dst->mask, AF_INET6))
15e76891Sdhartmei			printf("any ");
15e76891Sdhartmei		else {
15e76891Sdhartmei			if (dst->not)
15e76891Sdhartmei				printf("! ");
15e76891Sdhartmei			print_addr(&dst->addr, &dst->mask, af);
15e76891Sdhartmei			printf(" ");
15e76891Sdhartmei		}
15e76891Sdhartmei		if (dst->port_op)
15e76891Sdhartmei			print_port(dst->port_op, dst->port[0],
15e76891Sdhartmei			    dst->port[1],
15e76891Sdhartmei			    proto == IPPROTO_TCP ? "tcp" : "udp");
15e76891Sdhartmei	}
15e76891Sdhartmei}
15e76891Sdhartmei
15e76891Sdhartmeivoid
81a15e5dSderaadtprint_nat(struct pf_nat *n)
14a9b182Skjell{
f27db9bcSdhartmei	if (n->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("nat ");
28964e80Sdhartmei	if (n->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (n->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", n->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (n->af) {
032e40b7Sdhartmei		if (n->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (n->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(n->proto);
ed99c291Sderaadt
ab745e3bSmpech		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", n->proto);
80edb1f0Sdhartmei	}
15e76891Sdhartmei	print_fromto(&n->src, &n->dst, n->af, n->proto);
f27db9bcSdhartmei	if (!n->no) {
28964e80Sdhartmei		printf("-> ");
30620b12Sfrantzen		print_addr(&n->raddr, NULL, n->af);
e4b04189Sdhartmei		if (n->proxy_port[0] != PF_NAT_PROXY_PORT_LOW ||
e4b04189Sdhartmei		    n->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) {
e4b04189Sdhartmei			if (n->proxy_port[0] == n->proxy_port[1])
e4b04189Sdhartmei				printf(" port %u", n->proxy_port[0]);
e4b04189Sdhartmei			else
e4b04189Sdhartmei				printf(" port %u:%u", n->proxy_port[0],
e4b04189Sdhartmei				    n->proxy_port[1]);
e4b04189Sdhartmei		}
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
a3e657d0Sjasoniprint_binat(struct pf_binat *b)
a3e657d0Sjasoni{
f27db9bcSdhartmei	if (b->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("binat ");
a3e657d0Sjasoni	if (b->ifname[0]) {
a3e657d0Sjasoni		printf("on ");
a3e657d0Sjasoni		printf("%s ", b->ifname);
a3e657d0Sjasoni	}
032e40b7Sdhartmei	if (b->af) {
032e40b7Sdhartmei		if (b->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (b->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(b->proto);
ed99c291Sderaadt
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", b->proto);
a3e657d0Sjasoni	}
a3e657d0Sjasoni	printf("from ");
30620b12Sfrantzen	print_addr(&b->saddr, NULL, b->af);
a3e657d0Sjasoni	printf(" ");
a3e657d0Sjasoni	printf("to ");
032e40b7Sdhartmei	if (!PF_AZERO(&b->daddr.addr, b->af) || !PF_AZERO(&b->dmask, b->af)) {
a3e657d0Sjasoni		if (b->dnot)
a3e657d0Sjasoni			printf("! ");
30620b12Sfrantzen		print_addr(&b->daddr, &b->dmask, b->af);
a3e657d0Sjasoni		printf(" ");
a3e657d0Sjasoni	} else
a3e657d0Sjasoni		printf("any ");
f27db9bcSdhartmei	if (!b->no) {
a3e657d0Sjasoni		printf("-> ");
30620b12Sfrantzen		print_addr(&b->raddr, NULL, b->af);
f27db9bcSdhartmei	}
a3e657d0Sjasoni	printf("\n");
a3e657d0Sjasoni}
a3e657d0Sjasoni
a3e657d0Sjasonivoid
81a15e5dSderaadtprint_rdr(struct pf_rdr *r)
14a9b182Skjell{
f27db9bcSdhartmei	if (r->no)
f27db9bcSdhartmei		printf("no ");
f27db9bcSdhartmei	printf("rdr ");
28964e80Sdhartmei	if (r->ifname[0]) {
28964e80Sdhartmei		printf("on ");
870b51d7Schris		if (r->ifnot)
870b51d7Schris			printf("! ");
870b51d7Schris		printf("%s ", r->ifname);
28964e80Sdhartmei	}
032e40b7Sdhartmei	if (r->af) {
032e40b7Sdhartmei		if (r->af == AF_INET)
032e40b7Sdhartmei			printf("inet ");
032e40b7Sdhartmei		else
032e40b7Sdhartmei			printf("inet6 ");
032e40b7Sdhartmei	}
80edb1f0Sdhartmei	if (r->proto) {
80edb1f0Sdhartmei		struct protoent *p = getprotobynumber(r->proto);
ed99c291Sderaadt
80edb1f0Sdhartmei		if (p != NULL)
80edb1f0Sdhartmei			printf("proto %s ", p->p_name);
80edb1f0Sdhartmei		else
80edb1f0Sdhartmei			printf("proto %u ", r->proto);
e3d52469Smillert	}
28964e80Sdhartmei	printf("from ");
032e40b7Sdhartmei	if (!PF_AZERO(&r->saddr.addr, r->af) || !PF_AZERO(&r->smask, r->af)) {
28964e80Sdhartmei		if (r->snot)
28964e80Sdhartmei			printf("! ");
30620b12Sfrantzen		print_addr(&r->saddr, &r->smask, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
28964e80Sdhartmei	printf("to ");
032e40b7Sdhartmei	if (!PF_AZERO(&r->daddr.addr, r->af) || !PF_AZERO(&r->dmask, r->af)) {
e7bd5eebSdhartmei		if (r->dnot)
14a9b182Skjell			printf("! ");
30620b12Sfrantzen		print_addr(&r->daddr, &r->dmask, r->af);
28964e80Sdhartmei		printf(" ");
28964e80Sdhartmei	} else
28964e80Sdhartmei		printf("any ");
80edb1f0Sdhartmei	if (r->dport) {
cb07131dSkjell		printf("port %u", ntohs(r->dport));
cb07131dSkjell		if (r->opts & PF_DPORT_RANGE)
cb07131dSkjell			printf(":%u", ntohs(r->dport2));
80edb1f0Sdhartmei	}
f27db9bcSdhartmei	if (!r->no) {
cb07131dSkjell		printf(" -> ");
30620b12Sfrantzen		print_addr(&r->raddr, NULL, r->af);
28964e80Sdhartmei		printf(" ");
80edb1f0Sdhartmei		if (r->rport) {
14a9b182Skjell			printf("port %u", ntohs(r->rport));
cb07131dSkjell			if (r->opts & PF_RPORT_RANGE)
cb07131dSkjell				printf(":*");
80edb1f0Sdhartmei		}
f27db9bcSdhartmei	}
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
bca2bf17Sdhartmeichar *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
bca2bf17Sdhartmeichar *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
99a73934Sderaadt
14a9b182Skjellvoid
81a15e5dSderaadtprint_status(struct pf_status *s)
14a9b182Skjell{
c474e331Shenning	time_t runtime;
99a73934Sderaadt	int i;
c474e331Shenning	char statline[80];
99a73934Sderaadt
c474e331Shenning	runtime = time(NULL) - s->since;
c474e331Shenning
*d85e4ad6Sdhartmei	if (s->running) {
*d85e4ad6Sdhartmei		unsigned sec, min, hrs, day = runtime;
*d85e4ad6Sdhartmei
*d85e4ad6Sdhartmei		sec = day % 60;
*d85e4ad6Sdhartmei		day /= 60;
*d85e4ad6Sdhartmei		min = day % 60;
*d85e4ad6Sdhartmei		day /= 60;
*d85e4ad6Sdhartmei		hrs = day % 24;
*d85e4ad6Sdhartmei		day /= 24;
c474e331Shenning		snprintf(statline, sizeof(statline),
*d85e4ad6Sdhartmei		    "Status: Enabled for %u days %.2u:%.2u:%.2u",
*d85e4ad6Sdhartmei		    day, hrs, min, sec);
*d85e4ad6Sdhartmei	} else
c474e331Shenning		snprintf(statline, sizeof(statline), "Status: Disabled");
c474e331Shenning	printf("%-34s", statline);
ae58c8acSdhartmei	switch (s->debug) {
ae58c8acSdhartmei	case 0:
c474e331Shenning		printf("%25s\n\n", "Debug: None");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 1:
c474e331Shenning		printf("%25s\n\n", "Debug: Urgent");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	case 2:
c474e331Shenning		printf("%25s\n\n", "Debug: Misc");
ae58c8acSdhartmei		break;
ae58c8acSdhartmei	}
c474e331Shenning	if (s->ifname[0] != 0) {
c474e331Shenning		printf("Interface Stats for %-16s %5s %16s\n",
c474e331Shenning		    s->ifname, "IPv4", "IPv6");
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes In",
c474e331Shenning		    s->bcounters[0][PF_IN], s->bcounters[1][PF_IN]);
c474e331Shenning		printf("  %-25s %14llu %16llu\n", "Bytes Out",
c474e331Shenning		    s->bcounters[0][PF_OUT], s->bcounters[1][PF_OUT]);
c474e331Shenning		printf("  Packets In\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
30620b12Sfrantzen		    s->pcounters[0][PF_IN][PF_PASS],
c474e331Shenning		    s->pcounters[1][PF_IN][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Blocked",
c474e331Shenning		    s->pcounters[0][PF_IN][PF_DROP],
30620b12Sfrantzen		    s->pcounters[1][PF_IN][PF_DROP]);
c474e331Shenning		printf("  Packets Out\n");
c474e331Shenning		printf("    %-23s %14llu %16llu\n", "Passed",
30620b12Sfrantzen		    s->pcounters[0][PF_OUT][PF_PASS],
c474e331Shenning		    s->pcounters[1][PF_OUT][PF_PASS]);
c474e331Shenning		printf("    %-23s %14llu %16llu\n\n", "Blocked",
c474e331Shenning		    s->pcounters[0][PF_OUT][PF_DROP],
30620b12Sfrantzen		    s->pcounters[1][PF_OUT][PF_DROP]);
c474e331Shenning	}
c474e331Shenning	printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
c474e331Shenning	printf("  %-25s %14u %14s\n", "current entries", s->states, "");
c474e331Shenning	for (i = 0; i < FCNT_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_fcounters[i],
84976600Sderaadt			    s->fcounters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->fcounters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
99a73934Sderaadt	printf("Counters\n");
c474e331Shenning	for (i = 0; i < PFRES_MAX; i++) {
c474e331Shenning		printf("  %-25s %14lld ", pf_reasons[i],
99a73934Sderaadt		    s->counters[i]);
c474e331Shenning		if (runtime > 0)
c474e331Shenning			printf("%14.1f/s\n",
c474e331Shenning			    (double)s->counters[i] / (double)runtime);
c474e331Shenning		else
c474e331Shenning			printf("%14s\n", "");
c474e331Shenning	}
14a9b182Skjell}
14a9b182Skjell
14a9b182Skjellvoid
81a15e5dSderaadtprint_rule(struct pf_rule *r)
14a9b182Skjell{
cc5f0329Sdhartmei	int i, opts;
cc5f0329Sdhartmei
78baf774Sdhartmei	printf("@%d ", r->nr);
8418a02fSprovos	if (r->action == PF_PASS)
14a9b182Skjell		printf("pass ");
b996d042Sdhartmei	else if (r->action == PF_DROP) {
14a9b182Skjell		printf("block ");
1f77cc8aSpb		if (r->rule_flag & PFRULE_RETURNRST) {
1f77cc8aSpb			if (!r->return_ttl)
14a9b182Skjell				printf("return-rst ");
1f77cc8aSpb			else
1f77cc8aSpb				printf("return-rst(ttl %d) ", r->return_ttl);
1f77cc8aSpb		} else if (r->return_icmp) {
7d27d81aSdhartmei			const struct icmpcodeent *ic;
b996d042Sdhartmei
d14c53d7Swilfried			if (r->af != AF_INET6)
b996d042Sdhartmei				printf("return-icmp");
d14c53d7Swilfried			else
d14c53d7Swilfried				printf("return-icmp6");
b996d042Sdhartmei			ic = geticmpcodebynumber(r->return_icmp >> 8,
d14c53d7Swilfried			    r->return_icmp & 255, r->af);
d14c53d7Swilfried
d14c53d7Swilfried			if (ic == NULL)
d14c53d7Swilfried				printf("(%u) ", r->return_icmp & 255);
0eed2997Sdhartmei			else if ((r->af != AF_INET6 && ic->code !=
0eed2997Sdhartmei			    ICMP_UNREACH_PORT) ||
0eed2997Sdhartmei			    (r->af == AF_INET6 && ic->code !=
0eed2997Sdhartmei			    ICMP6_DST_UNREACH_NOPORT))
b996d042Sdhartmei				printf("(%s) ", ic->name);
b996d042Sdhartmei			else
b996d042Sdhartmei				printf(" ");
b996d042Sdhartmei		}
cc42ff11Sfrantzen	} else {
b996d042Sdhartmei		printf("scrub ");
cc42ff11Sfrantzen	}
14a9b182Skjell	if (r->direction == 0)
14a9b182Skjell		printf("in ");
14a9b182Skjell	else
14a9b182Skjell		printf("out ");
7242ce7aSdhartmei	if (r->log == 1)
14a9b182Skjell		printf("log ");
7242ce7aSdhartmei	else if (r->log == 2)
7242ce7aSdhartmei		printf("log-all ");
14a9b182Skjell	if (r->quick)
14a9b182Skjell		printf("quick ");
14a9b182Skjell	if (r->ifname[0])
14a9b182Skjell		printf("on %s ", r->ifname);
cb3a4e31Sjasoni	if (r->rt) {
cb3a4e31Sjasoni		if (r->rt == PF_ROUTETO)
cb3a4e31Sjasoni			printf("route-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_DUPTO)
cb3a4e31Sjasoni			printf("dup-to ");
cb3a4e31Sjasoni		else if (r->rt == PF_FASTROUTE)
cb3a4e31Sjasoni			printf("fastroute");
cb3a4e31Sjasoni		if (r->rt_ifname[0])
cb3a4e31Sjasoni			printf("%s", r->rt_ifname);
cb3a4e31Sjasoni		if (r->af && !PF_AZERO(&r->rt_addr, r->af)) {
032e40b7Sdhartmei			struct pf_addr_wrap aw;
032e40b7Sdhartmei
032e40b7Sdhartmei			aw.addr = r->rt_addr;
032e40b7Sdhartmei			aw.addr_dyn = NULL;
cb3a4e31Sjasoni			printf(":");
032e40b7Sdhartmei			print_addr(&aw, NULL, r->af);
cb3a4e31Sjasoni		}
cb3a4e31Sjasoni		printf(" ");
cb3a4e31Sjasoni	}
30620b12Sfrantzen	if (r->af) {
30620b12Sfrantzen		if (r->af == AF_INET)
30620b12Sfrantzen			printf("inet ");
30620b12Sfrantzen		else
30620b12Sfrantzen			printf("inet6 ");
30620b12Sfrantzen	}
14a9b182Skjell	if (r->proto) {
14a9b182Skjell		struct protoent *p = getprotobynumber(r->proto);
ed99c291Sderaadt
14a9b182Skjell		if (p != NULL)
14a9b182Skjell			printf("proto %s ", p->p_name);
14a9b182Skjell		else
14a9b182Skjell			printf("proto %u ", r->proto);
14a9b182Skjell	}
15e76891Sdhartmei	print_fromto(&r->src, &r->dst, r->af, r->proto);
c16ab608Sdhartmei	if (r->uid.op)
c16ab608Sdhartmei		print_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user");
c16ab608Sdhartmei	if (r->gid.op)
c16ab608Sdhartmei		print_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group");
14a9b182Skjell	if (r->flags || r->flagset) {
14a9b182Skjell		printf("flags ");
14a9b182Skjell		print_flags(r->flags);
14a9b182Skjell		printf("/");
14a9b182Skjell		print_flags(r->flagset);
14a9b182Skjell		printf(" ");
14a9b182Skjell	}
082ebc44Swilfried	if (r->type) {
7d27d81aSdhartmei		const struct icmptypeent *p;
082ebc44Swilfried
d14c53d7Swilfried		p = geticmptypebynumber(r->type-1, r->af);
d14c53d7Swilfried		if (r->af != AF_INET6)
d14c53d7Swilfried			printf("icmp-type");
082ebc44Swilfried		else
d14c53d7Swilfried			printf("ipv6-icmp-type");
d14c53d7Swilfried		if (p != NULL)
d14c53d7Swilfried			printf(" %s ", p->name);
d14c53d7Swilfried		else
d14c53d7Swilfried			printf(" %u ", r->type-1);
082ebc44Swilfried		if (r->code) {
7d27d81aSdhartmei			const struct icmpcodeent *p;
082ebc44Swilfried
d14c53d7Swilfried			p = geticmpcodebynumber(r->type-1, r->code-1, r->af);
082ebc44Swilfried			if (p != NULL)
082ebc44Swilfried				printf("code %s ", p->name);
082ebc44Swilfried			else
14a9b182Skjell				printf("code %u ", r->code-1);
082ebc44Swilfried		}
082ebc44Swilfried	}
b96c47abSfrantzen	if (r->keep_state == PF_STATE_NORMAL)
14a9b182Skjell		printf("keep state ");
b96c47abSfrantzen	else if (r->keep_state == PF_STATE_MODULATE)
b96c47abSfrantzen		printf("modulate state ");
cc5f0329Sdhartmei	opts = 0;
b3c86969Sdhartmei	if (r->max_states)
cc5f0329Sdhartmei		opts = 1;
cc5f0329Sdhartmei	for (i = 0; !opts && i < PFTM_MAX; ++i)
cc5f0329Sdhartmei		if (r->timeout[i])
cc5f0329Sdhartmei			opts = 1;
cc5f0329Sdhartmei	if (opts) {
cc5f0329Sdhartmei		printf("(");
cc5f0329Sdhartmei		if (r->max_states) {
cc5f0329Sdhartmei			printf("max %u", r->max_states);
cc5f0329Sdhartmei			opts = 0;
cc5f0329Sdhartmei		}
cc5f0329Sdhartmei		for (i = 0; i < PFTM_MAX; ++i)
cc5f0329Sdhartmei			if (r->timeout[i]) {
cc5f0329Sdhartmei				if (!opts)
cc5f0329Sdhartmei					printf(", ");
cc5f0329Sdhartmei				opts = 0;
cc5f0329Sdhartmei				printf("%s %u", pf_timeouts[i].name,
cc5f0329Sdhartmei				    r->timeout[i]);
cc5f0329Sdhartmei			}
cc5f0329Sdhartmei		printf(") ");
cc5f0329Sdhartmei	}
6673dee2Sdhartmei	if (r->rule_flag & PFRULE_FRAGMENT)
6673dee2Sdhartmei		printf("fragment ");
67d2a440Sprovos	if (r->rule_flag & PFRULE_NODF)
67d2a440Sprovos		printf("no-df ");
e258bfd4Sprovos	if (r->min_ttl)
34c76dcbSprovos		printf("min-ttl %d ", r->min_ttl);
cfa91859Sjasoni	if (r->max_mss)
cfa91859Sjasoni		printf("max-mss %d ", r->max_mss);
f48d62b3Sdhartmei	if (r->allow_opts)
f48d62b3Sdhartmei		printf("allow-opts ");
b02af636Sfrantzen	if (r->action == PF_SCRUB) {
b02af636Sfrantzen		if (r->rule_flag & PFRULE_FRAGDROP)
b02af636Sfrantzen			printf("fragment drop-ovl ");
b02af636Sfrantzen		else if (r->rule_flag & PFRULE_FRAGCROP)
b02af636Sfrantzen			printf("fragment crop ");
b02af636Sfrantzen		else
b02af636Sfrantzen			printf("fragment reassemble ");
b02af636Sfrantzen	}
455ef0c1Sdhartmei	if (r->label[0])
455ef0c1Sdhartmei		printf("label %s", r->label);
67d2a440Sprovos
14a9b182Skjell	printf("\n");
14a9b182Skjell}
14a9b182Skjell
1f8f21bdSmillertint
ff352a37Smarkusparse_flags(char *s)
14a9b182Skjell{
ff352a37Smarkus	char *p, *q;
14a9b182Skjell	u_int8_t f = 0;
81a15e5dSderaadt
ff352a37Smarkus	for (p = s; *p; p++) {
ff352a37Smarkus		if ((q = strchr(tcpflags, *p)) == NULL)
ff352a37Smarkus			return -1;
ff352a37Smarkus		else
ff352a37Smarkus			f |= 1 << (q - tcpflags);
14a9b182Skjell	}
bc795af0Shugh	return (f ? f : PF_TH_ALL);
14a9b182Skjell}