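/*	$OpenBSD: pf_print_state.c,v 1.62 2012/07/08 17:48:37 lteo Exp $	*/

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Human-readable printing of pf addresses, hosts and state entries, as
 * used by "pfctl -s state".  Everything here writes to stdout with
 * constant format strings; the only untrusted-ish data (interface,
 * table and route-label names taken from the state) is always passed
 * through "%s", never as a format string itself.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print the textual form of a pf address wrapper.
 *
 * addr:    the address to print; addr->type selects the notation.
 * af:      address family used to render v.a.addr / v.a.mask.
 * verbose: when non-zero, append the dynamic-interface address count
 *          (PF_ADDR_DYNIFTL) or the table address count (PF_ADDR_TABLE).
 *
 * For PF_ADDR_ADDRMASK and PF_ADDR_DYNIFTL a "/bits" suffix is added when
 * the mask is shorter than the family's full length; the cases that
 * "return" directly (table, no-route, urpf-failed, route label, unknown)
 * never get that suffix, and PF_ADDR_RANGE is excluded explicitly below.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			/* dyncnt <= 0 means "count unknown/not resolved" here */
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* braces make the else binding explicit (no dangling else) */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE: {
		/* 48 bytes is enough for INET6_ADDRSTRLEN plus slack */
		char buf[48];

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		/* for a range the "mask" field holds the upper bound */
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		/*
		 * AF_INET6 is passed on purpose: PF_AZERO then tests all
		 * 128 bits, so this is "address and mask entirely zero"
		 * regardless of af.
		 */
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	case PF_ADDR_RTLABEL:
		printf("route \"%s\"", addr->v.rtlabelname);
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		/* a full-length mask is implied and therefore not printed */
		if (bits < (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the host name for an address, resolved via getnameinfo(3).
 *
 * addr: address to resolve.
 * af:   AF_INET or AF_INET6; any other family prints "?".
 *
 * NI_NOFQDN is used without NI_NAMEREQD, so an address without a reverse
 * entry still prints (in numeric form).  If the lookup fails outright the
 * placeholder "?" is printed instead.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	/* default output for unsupported families and failed lookups */
	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		/* on failure re-establish the placeholder in case host
		 * was partially written */
		if (getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		if (getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	default:
		/* host stays "?" */
		break;
	}
	printf("%s", host);
}

/*
 * Print one endpoint of a state: optional routing domain, the address
 * (numeric, or resolved when PF_OPT_USEDNS is set) and the port.
 *
 * addr:  endpoint address.
 * port:  port in network byte order (0 = none); passed unchanged to
 *        getservbyport(3), which expects network order.
 * af:    address family; anything other than AF_INET is treated as
 *        AF_INET6, which also selects the "[port]" notation below.
 * rdom:  routing domain in network byte order (0 = not printed).
 * proto: protocol name for getservbyport(3), may be NULL.
 * opts:  PF_OPT_* flags (USEDNS, PORTNAMES, VERBOSE2 are honoured).
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, u_int16_t rdom,
    const char *proto, int opts)
{
	struct servent *s = NULL;
	char ps[6];	/* 5 decimal digits (65535) + NUL */

	if (rdom)
		printf("(%u) ", ntohs(rdom));

	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		/* wrap the bare address with a full-length mask so
		 * print_addr() renders it as a single host */
		struct pf_addr_wrap aw;

		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		snprintf(ps, sizeof(ps), "%u", ntohs(port));
		if (opts & PF_OPT_PORTNAMES)
			s = getservbyport(port, proto);
		/* v4 uses "addr:port", v6 uses "addr[port]" to avoid
		 * ambiguity with the colons in the address */
		if (af == AF_INET)
			printf(":%s", s ? s->s_name : ps);
		else
			printf("[%s]", s ? s->s_name : ps);
	}
}

/*
 * Print a peer's TCP sequence window as "[seqlo + window](+seqdiff)".
 * All fields of p are in network byte order; the "(+seqdiff)" part is
 * only shown when a sequence modulator is in effect (seqdiff != 0).
 */
void
print_seq(struct pfsync_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));
	else
		printf("[%u + %u]", ntohl(p->seqlo),
		    ntohl(p->seqhi) - ntohl(p->seqlo));
}

/*
 * Print one pfsync state entry in "pfctl -s state" format.
 *
 * s:    the state; fields are in network byte order as exported by the
 *       kernel.  NOTE: for ICMP states this function writes one port of
 *       s->key (see the direction block below), so s is not const.
 * opts: PF_OPT_* flags; PF_OPT_VERBOSE adds the sequence/age/counter
 *       line, PF_OPT_VERBOSE2 adds the id/creatorid line.
 *
 * Output shape (first line):
 *   <ifname> <proto> <dst host> [(<nat'ed host>)] -> / <- <src host>
 *   [(<nat'ed host>)]   <src state>:<dst state>
 */
void
print_state(struct pfsync_state *s, int opts)
{
	struct pfsync_state_peer *src, *dst;
	struct pfsync_state_key *sk, *nk;
	struct protoent *p;
	char *pn = NULL;
	u_int32_t min, sec;
	/* address-family translation: stack and wire keys differ in af */
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;

	/*
	 * Orient the keys so that nk is the side the packets are seen on
	 * and sk the other one.  ICMP keeps the id in the port field, and
	 * the copy below makes both keys agree on it so the "(...)" NAT
	 * annotation is not emitted for the id alone.
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &s->key[PF_SK_STACK];
		nk = &s->key[PF_SK_WIRE];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &s->key[PF_SK_WIRE];
		nk = &s->key[PF_SK_STACK];
		if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	/*
	 * pn points into getprotobynumber()'s static result; it stays
	 * valid below because nothing here calls getprotobynumber() again.
	 */
	if ((p = getprotobynumber(s->proto)) != NULL) {
		pn = p->p_name;
		printf("%s ", pn);
	} else
		printf("%u ", s->proto);

	print_host(&nk->addr[1], nk->port[1], nk->af, nk->rdomain, pn, opts);
	/* show the translated endpoint in parentheses when it differs */
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], nk->af, nk->rdomain, pn, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0] ||
	    nk->rdomain != sk->rdomain) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    sk->rdomain, pn, opts);
		printf(")");
	}

	printf("    ");
	if (s->proto == IPPROTO_TCP) {
		/* tcpstates[] only covers TCPS_CLOSED..TCPS_TIME_WAIT;
		 * the pf proxy pseudo-states live above that range */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf("   %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf("   PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf("   PROXY:DST\n");
		else
			printf("   <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf("   ");
			print_seq(src);
			/* window scaling is only in effect if both
			 * peers negotiated it */
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf("  ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else if (s->proto != IPPROTO_ICMP && s->proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf("   %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* ICMP, or an out-of-range level: print the raw numbers */
		printf("   %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int64_t packets[2];
		u_int64_t bytes[2];
		u_int32_t creation = ntohl(s->creation);
		u_int32_t expire = ntohl(s->expire);

		/* split seconds into hh:mm:ss */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/*
		 * The 64-bit counters are copied byte-wise rather than
		 * assigned; presumably they are stored unaligned in
		 * struct pfsync_state -- TODO confirm against pfvar.h.
		 */
		bcopy(s->packets[0], &packets[0], sizeof(u_int64_t));
		bcopy(s->packets[1], &packets[1], sizeof(u_int64_t));
		bcopy(s->bytes[0], &bytes[0], sizeof(u_int64_t));
		bcopy(s->bytes[1], &bytes[1], sizeof(u_int64_t));
		printf(", %llu:%llu pkts, %llu:%llu bytes",
		    betoh64(packets[0]),
		    betoh64(packets[1]),
		    betoh64(bytes[0]),
		    betoh64(bytes[1]));
		/* (u_int32_t)-1 marks "no anchor" / "no rule" */
		if (ntohl(s->anchor) != -1)
			printf(", anchor %u", ntohl(s->anchor));
		if (ntohl(s->rule) != -1)
			printf(", rule %u", ntohl(s->rule));
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->state_flags & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf("   id: %016llx creatorid: %08x",
		    betoh64(id), ntohl(s->creatorid));
		printf("\n");
	}
}

/*
 * Count the leading one bits of a netmask, i.e. its prefix length.
 *
 * m:  the mask, four 32-bit words in network byte order.
 * af: unused; kept for interface compatibility with callers.
 *
 * Returns the number of consecutive one bits counted from the most
 * significant bit.  For a non-contiguous mask the count stops at the
 * first zero bit.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i, j = 0, b = 0;
	u_int32_t tmp;

	/* whole words of ones need no byte swapping to recognise */
	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		/*
		 * 1U, not 1: shifting a signed 1 by 31 is undefined in C.
		 * The word is known not to be all ones (the loop above
		 * consumed those), so i >= 0 is only a belt-and-braces
		 * guard against a negative shift count.
		 */
		for (i = 31; i >= 0 && (tmp & (1U << i)); --i)
			b++;
	}
	return (b);
}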