xref: /titanic_41/usr/src/cmd/ipf/tools/ipfstat.c (revision c4a60461173b2401c7ffb8916e31ecc2cccf65c4)
1 /*
2  * Copyright (C) 1993-2001, 2003 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  *
9  * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
10  */
11 
12 #ifdef __FreeBSD__
13 # ifndef __FreeBSD_cc_version
14 #  include <osreldate.h>
15 # else
16 #  if __FreeBSD_cc_version < 430000
17 #   include <osreldate.h>
18 #  endif
19 # endif
20 #endif
21 #include <sys/ioctl.h>
22 #include <fcntl.h>
23 #ifdef linux
24 # include <linux/a.out.h>
25 #else
26 # include <nlist.h>
27 #endif
28 #include <ctype.h>
29 #if defined(sun) && (defined(__svr4__) || defined(__SVR4))
30 # include <stddef.h>
31 #endif
32 #include "ipf.h"
33 #include "netinet/ipl.h"
34 #if defined(STATETOP)
35 # if defined(_BSDI_VERSION)
36 #  undef STATETOP
37 # endif
38 # if defined(__FreeBSD__) && \
39      (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
40 #  undef STATETOP
41 # endif
42 # if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
43 #  undef STATETOP
44 # endif
45 # if defined(sun)
46 #  if defined(__svr4__) || defined(__SVR4)
47 #   include <sys/select.h>
48 #  else
49 #   undef STATETOP	/* NOT supported on SunOS4 */
50 #  endif
51 # endif
52 #endif
53 #if defined(STATETOP) && !defined(linux)
54 # include <netinet/ip_var.h>
55 # include <netinet/tcp_fsm.h>
56 #endif
57 #ifdef STATETOP
58 # include <ctype.h>
59 # include <signal.h>
60 # if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
61      defined(__sgi)
62 #  ifdef ERR
63 #   undef ERR
64 #  endif
65 #  undef ISASCII
66 #  undef ISPRINT
67 #  include <curses.h>
68 # else /* SOLARIS */
69 #  include <ncurses.h>
70 # endif /* SOLARIS */
71 #endif /* STATETOP */
72 #include "kmem.h"
73 #if defined(__NetBSD__) || (__OpenBSD__)
74 # include <paths.h>
75 #endif
76 #include "ipfzone.h"
77 
78 #if !defined(lint)
79 static const char sccsid[] = "@(#)fils.c	1.21 4/20/96 (C) 1993-2000 Darren Reed";
80 static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.12 2005/06/12 07:18:46 darrenr Exp $";
81 #endif
82 
83 #ifdef __hpux
84 # define	nlist	nlist64
85 #endif
86 
87 extern	char	*optarg;
88 extern	int	optind;
89 extern	int	opterr;
90 
91 #define	PRINTF	(void)printf
92 #define	FPRINTF	(void)fprintf
93 static	char	*filters[4] = { "ipfilter(in)", "ipfilter(out)",
94 				"ipacct(in)", "ipacct(out)" };
95 static	int	state_logging = -1;
96 
97 int	opts = 0;
98 int	use_inet6 = 0;
99 int	live_kernel = 1;
100 int	state_fd = -1;
101 int	ipf_fd = -1;
102 
103 #ifdef STATETOP
104 #define	STSTRSIZE 	80
105 #define	STGROWSIZE	16
106 #define	HOSTNMLEN	40
107 
108 #define	STSORT_PR	0
109 #define	STSORT_PKTS	1
110 #define	STSORT_BYTES	2
111 #define	STSORT_TTL	3
112 #define	STSORT_SRCIP	4
113 #define	STSORT_SRCPT	5
114 #define	STSORT_DSTIP	6
115 #define	STSORT_DSTPT	7
116 #define	STSORT_MAX	STSORT_DSTPT
117 #define	STSORT_DEFAULT	STSORT_BYTES
118 
119 
120 typedef struct statetop {
121 	i6addr_t	st_src;
122 	i6addr_t	st_dst;
123 	u_short		st_sport;
124 	u_short 	st_dport;
125 	u_char		st_p;
126 	u_char		st_v;
127 	u_char		st_state[2];
128 	U_QUAD_T	st_pkts;
129 	U_QUAD_T	st_bytes;
130 	u_long		st_age;
131 } statetop_t;
132 #endif
133 
134 int	main __P((int, char *[]));
135 
136 static	void	showstats __P((friostat_t *, u_32_t));
137 static	void	showfrstates __P((ipfrstat_t *, u_long));
138 static	void	showlist __P((friostat_t *));
139 static	void	showipstates __P((ips_stat_t *));
140 static	void	showauthstates __P((fr_authstat_t *));
141 static	void	showgroups __P((friostat_t *));
142 static	void	usage __P((char *));
143 static	void	printlivelist __P((int, int, frentry_t *, char *, char *));
144 static	void	printdeadlist __P((int, int, frentry_t *, char *, char *));
145 static	void	printlist __P((frentry_t *, char *));
146 static	void	parse_ipportstr __P((const char *, i6addr_t *, int *));
147 static	void	ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
148 				   ipfrstat_t **, fr_authstat_t **, u_32_t *));
149 static	void	ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
150 				   ipfrstat_t **, fr_authstat_t **, u_32_t *));
151 #ifdef STATETOP
152 static	void	topipstates __P((i6addr_t, i6addr_t, int, int, int,
153 				 int, int, int));
154 static	void	sig_break __P((int));
155 static	void	sig_resize __P((int));
156 static	char	*getip __P((int, i6addr_t *));
157 static	char	*ttl_to_string __P((long));
158 static	int	sort_p __P((const void *, const void *));
159 static	int	sort_pkts __P((const void *, const void *));
160 static	int	sort_bytes __P((const void *, const void *));
161 static	int	sort_ttl __P((const void *, const void *));
162 static	int	sort_srcip __P((const void *, const void *));
163 static	int	sort_srcpt __P((const void *, const void *));
164 static	int	sort_dstip __P((const void *, const void *));
165 static	int	sort_dstpt __P((const void *, const void *));
166 #endif
167 
168 
usage(name)169 static void usage(name)
170 char *name;
171 {
172 #ifdef  USE_INET6
173 	fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
174 #else
175 	fprintf(stderr, "Usage: %s [-aAdfghIilnoRsv]\n", name);
176 #endif
177 	fprintf(stderr, "       %s [-M corefile] [-N symbol-list]\n", name);
178 #ifdef	USE_INET6
179 	fprintf(stderr, "       %s -t [-6C] ", name);
180 #else
181 	fprintf(stderr, "       %s -t [-C] ", name);
182 #endif
183 	fprintf(stderr, "[-G|-z zonename] ");
184 	fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
185 	exit(1);
186 }
187 
188 
main(argc,argv)189 int main(argc,argv)
190 int argc;
191 char *argv[];
192 {
193 	fr_authstat_t	frauthst;
194 	fr_authstat_t	*frauthstp = &frauthst;
195 	friostat_t fio;
196 	friostat_t *fiop = &fio;
197 	ips_stat_t ipsst;
198 	ips_stat_t *ipsstp = &ipsst;
199 	ipfrstat_t ifrst;
200 	ipfrstat_t *ifrstp = &ifrst;
201 	char	*device = IPL_NAME, *memf = NULL;
202 	char	*options, *kern = NULL;
203 	int	c, myoptind;
204 
205 	int protocol = -1;		/* -1 = wild card for any protocol */
206 	int refreshtime = 1; 		/* default update time */
207 	int sport = -1;			/* -1 = wild card for any source port */
208 	int dport = -1;			/* -1 = wild card for any dest port */
209 	int topclosed = 0;		/* do not show closed tcp sessions */
210 	i6addr_t saddr, daddr;
211 	u_32_t frf;
212 
213 #ifdef	USE_INET6
214 	options = "6aACdfgG:hIilnostvD:M:N:P:RS:T:z:";
215 #else
216 	options = "aACdfgG:hIilnostvD:M:N:P:RS:T:z:";
217 #endif
218 
219 	saddr.in4.s_addr = INADDR_ANY; 	/* default any v4 source addr */
220 	daddr.in4.s_addr = INADDR_ANY; 	/* default any v4 dest addr */
221 #ifdef	USE_INET6
222 	saddr.in6 = in6addr_any;	/* default any v6 source addr */
223 	daddr.in6 = in6addr_any;	/* default any v6 dest addr */
224 #endif
225 
226 	/* Don't warn about invalid flags when we run getopt for the 1st time */
227 	opterr = 0;
228 
229 	/*
230 	 * Parse these four arguments now lest there be any buffer overflows
231 	 * in the parsing of the rest.
232 	 */
233 	myoptind = optind;
234 	while ((c = getopt(argc, argv, options)) != -1) {
235 		switch (c)
236 		{
237 		case 'G' :
238 			setzonename_global(optarg);
239 			break;
240 		case 'M' :
241 			memf = optarg;
242 			live_kernel = 0;
243 			break;
244 		case 'N' :
245 			kern = optarg;
246 			live_kernel = 0;
247 			break;
248 		case 'z' :
249 			setzonename(optarg);
250 			break;
251 		}
252 	}
253 	optind = myoptind;
254 
255 	if (live_kernel == 1) {
256 		if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
257 			perror("open(IPSTATE_NAME)");
258 			exit(-1);
259 		}
260 
261 		if (setzone(state_fd) != 0) {
262 			close(state_fd);
263 			exit(-1);
264 		}
265 
266 		if ((ipf_fd = open(device, O_RDONLY)) == -1) {
267 			fprintf(stderr, "open(%s)", device);
268 			perror("");
269 			exit(-1);
270 		}
271 
272 		if (setzone(ipf_fd) != 0) {
273 			close(ipf_fd);
274 			exit(-1);
275 		}
276 	}
277 
278 	if (kern != NULL || memf != NULL) {
279 		(void)setgid(getgid());
280 		(void)setreuid(getuid(), getuid());
281 		if (openkmem(kern, memf) == -1)
282 			exit(-1);
283 	}
284 
285 	if (live_kernel == 1)
286 		(void) checkrev(device);
287 	(void)setgid(getgid());
288 	(void)setreuid(getuid(), getuid());
289 
290 	opterr = 1;
291 
292 	while ((c = getopt(argc, argv, options)) != -1)
293 	{
294 		switch (c)
295 		{
296 #ifdef	USE_INET6
297 		case '6' :
298 			use_inet6 = 1;
299 			break;
300 #endif
301 		case 'a' :
302 			opts |= OPT_ACCNT|OPT_SHOWLIST;
303 			break;
304 		case 'A' :
305 			opts |= OPT_AUTHSTATS;
306 			break;
307 		case 'C' :
308 			topclosed = 1;
309 			break;
310 		case 'd' :
311 			opts |= OPT_DEBUG;
312 			break;
313 		case 'D' :
314 			parse_ipportstr(optarg, &daddr, &dport);
315 			break;
316 		case 'f' :
317 			opts |= OPT_FRSTATES;
318 			break;
319 		case 'g' :
320 			opts |= OPT_GROUPS;
321 			break;
322 		case 'G' :
323 			/* Already handled by getzoneopt() above */
324 			break;
325 		case 'h' :
326 			opts |= OPT_HITS;
327 			break;
328 		case 'i' :
329 			opts |= OPT_INQUE|OPT_SHOWLIST;
330 			break;
331 		case 'I' :
332 			opts |= OPT_INACTIVE;
333 			break;
334 		case 'l' :
335 			opts |= OPT_SHOWLIST;
336 			break;
337 		case 'M' :
338 			break;
339 		case 'N' :
340 			break;
341 		case 'n' :
342 			opts |= OPT_SHOWLINENO;
343 			break;
344 		case 'o' :
345 			opts |= OPT_OUTQUE|OPT_SHOWLIST;
346 			break;
347 		case 'P' :
348 			protocol = getproto(optarg);
349 			if (protocol == -1) {
350 				fprintf(stderr, "%s: Invalid protocol: %s\n",
351 					argv[0], optarg);
352 				exit(-2);
353 			}
354 			break;
355 		case 'R' :
356 			opts |= OPT_NORESOLVE;
357 			break;
358 		case 's' :
359 			opts |= OPT_IPSTATES;
360 			break;
361 		case 'S' :
362 			parse_ipportstr(optarg, &saddr, &sport);
363 			break;
364 		case 't' :
365 #ifdef STATETOP
366 			opts |= OPT_STATETOP;
367 			break;
368 #else
369 			fprintf(stderr,
370 				"%s: state top facility not compiled in\n",
371 				argv[0]);
372 			exit(-2);
373 #endif
374 		case 'T' :
375 			if (!sscanf(optarg, "%d", &refreshtime) ||
376 				    (refreshtime <= 0)) {
377 				fprintf(stderr,
378 					"%s: Invalid refreshtime < 1 : %s\n",
379 					argv[0], optarg);
380 				exit(-2);
381 			}
382 			break;
383 		case 'v' :
384 			opts |= OPT_VERBOSE;
385 			opts |= OPT_UNDEF;
386 			break;
387 		case 'z' :
388 			/* Already handled by getzoneopt() above */
389 			break;
390 		default :
391 			usage(argv[0]);
392 			break;
393 		}
394 	}
395 
396 	if (live_kernel == 1) {
397 		bzero((char *)&fio, sizeof(fio));
398 		bzero((char *)&ipsst, sizeof(ipsst));
399 		bzero((char *)&ifrst, sizeof(ifrst));
400 
401 		ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
402 			      &frauthstp, &frf);
403 	} else
404 		ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
405 
406 	if (opts & OPT_IPSTATES) {
407 		showipstates(ipsstp);
408 	} else if (opts & OPT_SHOWLIST) {
409 		showlist(fiop);
410 		if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
411 			opts &= ~OPT_OUTQUE;
412 			showlist(fiop);
413 		}
414 	} else if (opts & OPT_FRSTATES)
415 		showfrstates(ifrstp, fiop->f_ticks);
416 #ifdef STATETOP
417 	else if (opts & OPT_STATETOP)
418 		topipstates(saddr, daddr, sport, dport, protocol,
419 			    use_inet6 ? 6 : 4, refreshtime, topclosed);
420 #endif
421 	else if (opts & OPT_AUTHSTATS)
422 		showauthstates(frauthstp);
423 	else if (opts & OPT_GROUPS)
424 		showgroups(fiop);
425 	else
426 		showstats(fiop, frf);
427 
428 	return 0;
429 }
430 
431 
432 /*
433  * Fill in the stats structures from the live kernel, using a combination
434  * of ioctl's and copying directly from kernel memory.
435  */
ipfstate_live(device,fiopp,ipsstpp,ifrstpp,frauthstpp,frfp)436 static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
437 char *device;
438 friostat_t **fiopp;
439 ips_stat_t **ipsstpp;
440 ipfrstat_t **ifrstpp;
441 fr_authstat_t **frauthstpp;
442 u_32_t *frfp;
443 {
444 	ipfobj_t ipfo;
445 
446 	if (checkrev(device) == -1) {
447 		fprintf(stderr, "User/kernel version check failed\n");
448 		exit(1);
449 	}
450 
451 	if ((opts & OPT_AUTHSTATS) == 0) {
452 		bzero((caddr_t)&ipfo, sizeof(ipfo));
453 		ipfo.ipfo_rev = IPFILTER_VERSION;
454 		ipfo.ipfo_size = sizeof(friostat_t);
455 		ipfo.ipfo_ptr = (void *)*fiopp;
456 		ipfo.ipfo_type = IPFOBJ_IPFSTAT;
457 
458 		if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
459 			perror("ioctl(ipf:SIOCGETFS)");
460 			exit(-1);
461 		}
462 
463 		if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
464 			perror("ioctl(SIOCGETFF)");
465 	}
466 
467 	if ((opts & OPT_IPSTATES) != 0) {
468 
469 		bzero((caddr_t)&ipfo, sizeof(ipfo));
470 		ipfo.ipfo_rev = IPFILTER_VERSION;
471 		ipfo.ipfo_size = sizeof(ips_stat_t);
472 		ipfo.ipfo_ptr = (void *)*ipsstpp;
473 		ipfo.ipfo_type = IPFOBJ_STATESTAT;
474 
475 		if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
476 			perror("ioctl(state:SIOCGETFS)");
477 			exit(-1);
478 		}
479 		if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
480 			perror("ioctl(state:SIOCGETLG)");
481 			exit(-1);
482 		}
483 	}
484 
485 	if ((opts & OPT_FRSTATES) != 0) {
486 		bzero((caddr_t)&ipfo, sizeof(ipfo));
487 		ipfo.ipfo_rev = IPFILTER_VERSION;
488 		ipfo.ipfo_size = sizeof(ipfrstat_t);
489 		ipfo.ipfo_ptr = (void *)*ifrstpp;
490 		ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
491 
492 		if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
493 			perror("ioctl(SIOCGFRST)");
494 			exit(-1);
495 		}
496 	}
497 
498 	if (opts & OPT_VERBOSE)
499 		PRINTF("opts %#x name %s\n", opts, device);
500 
501 	if ((opts & OPT_AUTHSTATS) != 0) {
502 		if (ipf_fd >= 0) {
503 			close(ipf_fd);
504 			ipf_fd = -1;
505 		}
506 		device = IPAUTH_NAME;
507 		if ((ipf_fd = open(device, O_RDONLY)) == -1) {
508 			perror("open");
509 			exit(-1);
510 		}
511 
512 		if (setzone(ipf_fd) != 0) {
513 			close(ipf_fd);
514 			exit(-1);
515 		}
516 
517 		bzero((caddr_t)&ipfo, sizeof(ipfo));
518 		ipfo.ipfo_rev = IPFILTER_VERSION;
519 		ipfo.ipfo_size = sizeof(fr_authstat_t);
520 		ipfo.ipfo_ptr = (void *)*frauthstpp;
521 		ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
522 
523 	    	if (ioctl(ipf_fd, SIOCATHST, &ipfo) == -1) {
524 			perror("ioctl(SIOCATHST)");
525 			exit(-1);
526 		}
527 	}
528 }
529 
530 
531 /*
532  * Build up the stats structures from data held in the "core" memory.
533  * This is mainly useful when looking at data in crash dumps and ioctl's
534  * just won't work any more.
535  */
ipfstate_dead(kernel,fiopp,ipsstpp,ifrstpp,frauthstpp,frfp)536 static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
537 char *kernel;
538 friostat_t **fiopp;
539 ips_stat_t **ipsstpp;
540 ipfrstat_t **ifrstpp;
541 fr_authstat_t **frauthstpp;
542 u_32_t *frfp;
543 {
544 	static fr_authstat_t frauthst, *frauthstp;
545 	static ips_stat_t ipsst, *ipsstp;
546 	static ipfrstat_t ifrst, *ifrstp;
547 	static friostat_t fio, *fiop;
548 	int temp;
549 
550 	void *rules[2][2];
551 	struct nlist deadlist[43] = {
552 		{ "fr_authstats" },		/* 0 */
553 		{ "fae_list" },
554 		{ "ipauth" },
555 		{ "fr_authlist" },
556 		{ "fr_authstart" },
557 		{ "fr_authend" },		/* 5 */
558 		{ "fr_authnext" },
559 		{ "fr_auth" },
560 		{ "fr_authused" },
561 		{ "fr_authsize" },
562 		{ "fr_defaultauthage" },	/* 10 */
563 		{ "fr_authpkts" },
564 		{ "fr_auth_lock" },
565 		{ "frstats" },
566 		{ "ips_stats" },
567 		{ "ips_num" },			/* 15 */
568 		{ "ips_wild" },
569 		{ "ips_list" },
570 		{ "ips_table" },
571 		{ "fr_statemax" },
572 		{ "fr_statesize" },		/* 20 */
573 		{ "fr_state_doflush" },
574 		{ "fr_state_lock" },
575 		{ "ipfr_heads" },
576 		{ "ipfr_nattab" },
577 		{ "ipfr_stats" },		/* 25 */
578 		{ "ipfr_inuse" },
579 		{ "fr_ipfrttl" },
580 		{ "fr_frag_lock" },
581 		{ "ipfr_timer_id" },
582 		{ "fr_nat_lock" },		/* 30 */
583 		{ "ipfilter" },
584 		{ "ipfilter6" },
585 		{ "ipacct" },
586 		{ "ipacct6" },
587 		{ "ipl_frouteok" },		/* 35 */
588 		{ "fr_running" },
589 		{ "ipfgroups" },
590 		{ "fr_active" },
591 		{ "fr_pass" },
592 		{ "fr_flags" },			/* 40 */
593 		{ "ipstate_logging" },
594 		{ NULL }
595 	};
596 
597 
598 	frauthstp = &frauthst;
599 	ipsstp = &ipsst;
600 	ifrstp = &ifrst;
601 	fiop = &fio;
602 
603 	*frfp = 0;
604 	*fiopp = fiop;
605 	*ipsstpp = ipsstp;
606 	*ifrstpp = ifrstp;
607 	*frauthstpp = frauthstp;
608 
609 	bzero((char *)fiop, sizeof(*fiop));
610 	bzero((char *)ipsstp, sizeof(*ipsstp));
611 	bzero((char *)ifrstp, sizeof(*ifrstp));
612 	bzero((char *)frauthstp, sizeof(*frauthstp));
613 
614 	if (nlist(kernel, deadlist) == -1) {
615 		fprintf(stderr, "nlist error\n");
616 		return;
617 	}
618 
619 	/*
620 	 * This is for SIOCGETFF.
621 	 */
622 	kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
623 
624 	/*
625 	 * f_locks is a combination of the lock variable from each part of
626 	 * ipfilter (state, auth, nat, fragments).
627 	 */
628 	kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
629 	kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
630 		sizeof(fiop->f_locks[0]));
631 	kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
632 		sizeof(fiop->f_locks[1]));
633 	kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
634 		sizeof(fiop->f_locks[2]));
635 	kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
636 		sizeof(fiop->f_locks[3]));
637 
638 	/*
639 	 * Get pointers to each list of rules (active, inactive, in, out)
640 	 */
641 	kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
642 	fiop->f_fin[0] = rules[0][0];
643 	fiop->f_fin[1] = rules[0][1];
644 	fiop->f_fout[0] = rules[1][0];
645 	fiop->f_fout[1] = rules[1][1];
646 
647 	/*
648 	 * Same for IPv6, except make them null if support for it is not
649 	 * being compiled in.
650 	 */
651 #ifdef	USE_INET6
652 	kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
653 	fiop->f_fin6[0] = rules[0][0];
654 	fiop->f_fin6[1] = rules[0][1];
655 	fiop->f_fout6[0] = rules[1][0];
656 	fiop->f_fout6[1] = rules[1][1];
657 #else
658 	fiop->f_fin6[0] = NULL;
659 	fiop->f_fin6[1] = NULL;
660 	fiop->f_fout6[0] = NULL;
661 	fiop->f_fout6[1] = NULL;
662 #endif
663 
664 	/*
665 	 * Now get accounting rules pointers.
666 	 */
667 	kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
668 	fiop->f_acctin[0] = rules[0][0];
669 	fiop->f_acctin[1] = rules[0][1];
670 	fiop->f_acctout[0] = rules[1][0];
671 	fiop->f_acctout[1] = rules[1][1];
672 
673 #ifdef	USE_INET6
674 	kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
675 	fiop->f_acctin6[0] = rules[0][0];
676 	fiop->f_acctin6[1] = rules[0][1];
677 	fiop->f_acctout6[0] = rules[1][0];
678 	fiop->f_acctout6[1] = rules[1][1];
679 #else
680 	fiop->f_acctin6[0] = NULL;
681 	fiop->f_acctin6[1] = NULL;
682 	fiop->f_acctout6[0] = NULL;
683 	fiop->f_acctout6[1] = NULL;
684 #endif
685 
686 	/*
687 	 * A collection of "global" variables used inside the kernel which
688 	 * are all collected in friostat_t via ioctl.
689 	 */
690 	kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
691 		sizeof(fiop->f_froute));
692 	kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
693 		sizeof(fiop->f_running));
694 	kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
695 		sizeof(fiop->f_groups));
696 	kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
697 		sizeof(fiop->f_active));
698 	kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
699 		sizeof(fiop->f_defpass));
700 
701 	/*
702 	 * Build up the state information stats structure.
703 	 */
704 	kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
705 	kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
706 	ipsstp->iss_active = temp;
707 	ipsstp->iss_table = (void *)deadlist[18].n_value;
708 	ipsstp->iss_list = (void *)deadlist[17].n_value;
709 
710 	/*
711 	 * Build up the authentiation information stats structure.
712 	 */
713 	kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
714 		sizeof(*frauthstp));
715 	frauthstp->fas_faelist = (void *)deadlist[1].n_value;
716 
717 	/*
718 	 * Build up the fragment information stats structure.
719 	 */
720 	kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
721 		sizeof(*ifrstp));
722 	ifrstp->ifs_table = (void *)deadlist[23].n_value;
723 	ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
724 	kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
725 		sizeof(ifrstp->ifs_inuse));
726 
727 	/*
728 	 * Get logging on/off switches
729 	 */
730 	kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
731 		sizeof(state_logging));
732 }
733 
734 
735 /*
736  * Display the kernel stats for packets blocked and passed and other
737  * associated running totals which are kept.
738  */
showstats(fp,frf)739 static	void	showstats(fp, frf)
740 struct	friostat	*fp;
741 u_32_t frf;
742 {
743 
744 	PRINTF("bad packets:\t\tin %lu\tout %lu\n",
745 			fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
746 #ifdef	USE_INET6
747 	PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
748 			fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6);
749 #endif
750 	PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
751 			fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
752 			fp->f_st[0].fr_nom);
753 	PRINTF(" counted %lu short %lu\n",
754 			fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
755 	PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
756 			fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
757 			fp->f_st[1].fr_nom);
758 	PRINTF(" counted %lu short %lu\n",
759 			fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
760 	PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
761 			fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
762 	PRINTF("output packets logged:\tblocked %lu passed %lu\n",
763 			fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
764 	PRINTF(" packets logged:\tinput %lu output %lu\n",
765 			fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
766 	PRINTF(" log failures:\t\tinput %lu output %lu\n",
767 			fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
768 	PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
769 			fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr,
770 			fp->f_st[0].fr_cfr);
771 	PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
772 			fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr,
773 			fp->f_st[0].fr_cfr);
774 	PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
775 			fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
776 	PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
777 			fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
778 	PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
779 			fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
780 	PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
781 	PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
782 			fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
783 	PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
784 			fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
785 	PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
786 			fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
787 	PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
788 			fp->f_froute[0], fp->f_froute[1]);
789 	PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
790 			fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
791 	PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks);
792 
793 	PRINTF("Packet log flags set: (%#x)\n", frf);
794 	if (frf & FF_LOGPASS)
795 		PRINTF("\tpackets passed through filter\n");
796 	if (frf & FF_LOGBLOCK)
797 		PRINTF("\tpackets blocked by filter\n");
798 	if (frf & FF_LOGNOMATCH)
799 		PRINTF("\tpackets not matched by filter\n");
800 	if (!frf)
801 		PRINTF("\tnone\n");
802 }
803 
804 
805 /*
806  * Print out a list of rules from the kernel, starting at the one passed.
807  */
printlivelist(out,set,fp,group,comment)808 static void printlivelist(out, set, fp, group, comment)
809 int out, set;
810 frentry_t *fp;
811 char *group, *comment;
812 {
813 	frgroup_t *grtop, *grtail, *g;
814 	struct	frentry	fb, *fg;
815 	int n;
816 	ipfruleiter_t rule;
817 	ipfobj_t obj;
818 
819 	fb.fr_next = fp;
820 	n = 0;
821 
822 	grtop = NULL;
823 	grtail = NULL;
824 	rule.iri_ver = use_inet6? AF_INET6 : AF_INET;
825 	rule.iri_inout = out;
826 	rule.iri_active = set;
827 	rule.iri_nrules = 1;
828 	rule.iri_rule = &fb;
829 	if (group != NULL)
830 		strncpy(rule.iri_group, group, FR_GROUPLEN);
831 	else
832 		rule.iri_group[0] = '\0';
833 
834 	bzero((char *)&obj, sizeof(obj));
835 	obj.ipfo_rev = IPFILTER_VERSION;
836 	obj.ipfo_type = IPFOBJ_IPFITER;
837 	obj.ipfo_size = sizeof(rule);
838 	obj.ipfo_ptr = &rule;
839 
840 	do {
841 		u_long array[1000];
842 
843 		memset(array, 0xff, sizeof(array));
844 		fp = (frentry_t *)array;
845 		rule.iri_rule = fp;
846 		if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
847 			perror("ioctl(SIOCIPFITER)");
848 			return;
849 		}
850 		if (fp->fr_data != NULL)
851 			fp->fr_data = (char *)fp + sizeof(*fp);
852 
853 		n++;
854 
855 		if (opts & (OPT_HITS|OPT_VERBOSE))
856 #ifdef	USE_QUAD_T
857 			PRINTF("%qu ", (unsigned long long) fp->fr_hits);
858 #else
859 			PRINTF("%lu ", fp->fr_hits);
860 #endif
861 		if (opts & (OPT_ACCNT|OPT_VERBOSE))
862 #ifdef	USE_QUAD_T
863 			PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
864 #else
865 			PRINTF("%lu ", fp->fr_bytes);
866 #endif
867 		if (opts & OPT_SHOWLINENO)
868 			PRINTF("@%d ", n);
869 
870 		printfr(fp, ioctl);
871 		if (opts & OPT_DEBUG) {
872 			binprint(fp, sizeof(*fp));
873 			if (fp->fr_data != NULL && fp->fr_dsize > 0)
874 				binprint(fp->fr_data, fp->fr_dsize);
875 		}
876 
877 		if (fp->fr_grhead[0] != '\0') {
878 			g = calloc(1, sizeof(*g));
879 
880 			if (g != NULL) {
881 				strncpy(g->fg_name, fp->fr_grhead,
882 					FR_GROUPLEN);
883 				if (grtop == NULL) {
884 					grtop = g;
885 					grtail = g;
886 				} else {
887 					grtail->fg_next = g;
888 					grtail = g;
889 				}
890 			}
891 		}
892 	} while (fp->fr_next != NULL);
893 
894 	while ((g = grtop) != NULL) {
895 		printlivelist(out, set, NULL, g->fg_name, comment);
896 		grtop = g->fg_next;
897 		free(g);
898 	}
899 }
900 
901 
printdeadlist(out,set,fp,group,comment)902 static void printdeadlist(out, set, fp, group, comment)
903 int out, set;
904 frentry_t *fp;
905 char *group, *comment;
906 {
907 	frgroup_t *grtop, *grtail, *g;
908 	struct	frentry	fb, *fg;
909 	char	*data;
910 	u_32_t	type;
911 	int	n;
912 
913 	fb.fr_next = fp;
914 	n = 0;
915 	grtop = NULL;
916 	grtail = NULL;
917 
918 	do {
919 		fp = fb.fr_next;
920 		if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
921 			    sizeof(fb)) == -1) {
922 			perror("kmemcpy");
923 			return;
924 		}
925 
926 		data = NULL;
927 		type = fb.fr_type & ~FR_T_BUILTIN;
928 		if (type == FR_T_IPF || type == FR_T_BPFOPC) {
929 			if (fb.fr_dsize) {
930 				data = malloc(fb.fr_dsize);
931 
932 				if (kmemcpy(data, (u_long)fb.fr_data,
933 					    fb.fr_dsize) == -1) {
934 					perror("kmemcpy");
935 					return;
936 				}
937 				fb.fr_data = data;
938 			}
939 		}
940 
941 		n++;
942 
943 		if (opts & (OPT_HITS|OPT_VERBOSE))
944 #ifdef	USE_QUAD_T
945 			PRINTF("%qu ", (unsigned long long) fb.fr_hits);
946 #else
947 			PRINTF("%lu ", fb.fr_hits);
948 #endif
949 		if (opts & (OPT_ACCNT|OPT_VERBOSE))
950 #ifdef	USE_QUAD_T
951 			PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
952 #else
953 			PRINTF("%lu ", fb.fr_bytes);
954 #endif
955 		if (opts & OPT_SHOWLINENO)
956 			PRINTF("@%d ", n);
957 
958 		printfr(fp, ioctl);
959 		if (opts & OPT_DEBUG) {
960 			binprint(fp, sizeof(*fp));
961 			if (fb.fr_data != NULL && fb.fr_dsize > 0)
962 				binprint(fb.fr_data, fb.fr_dsize);
963 		}
964 		if (data != NULL)
965 			free(data);
966 		if (fb.fr_grhead[0] != '\0') {
967 			g = calloc(1, sizeof(*g));
968 
969 			if (g != NULL) {
970 				strncpy(g->fg_name, fb.fr_grhead,
971 					FR_GROUPLEN);
972 				if (grtop == NULL) {
973 					grtop = g;
974 					grtail = g;
975 				} else {
976 					grtail->fg_next = g;
977 					grtail = g;
978 				}
979 			}
980 		}
981 		if (type == FR_T_CALLFUNC) {
982 			printdeadlist(out, set, fb.fr_data, group,
983 				      "# callfunc: ");
984 		}
985 	} while (fb.fr_next != NULL);
986 
987 	while ((g = grtop) != NULL) {
988 		printdeadlist(out, set, NULL, g->fg_name, comment);
989 		grtop = g->fg_next;
990 		free(g);
991 	}
992 }
993 
994 
995 /*
996  * print out all of the asked for rule sets, using the stats struct as
997  * the base from which to get the pointers.
998  */
showlist(fiop)999 static	void	showlist(fiop)
1000 struct	friostat	*fiop;
1001 {
1002 	struct	frentry	*fp = NULL;
1003 	int	i, set;
1004 
1005 	set = fiop->f_active;
1006 	if (opts & OPT_INACTIVE)
1007 		set = 1 - set;
1008 	if (opts & OPT_ACCNT) {
1009 #ifdef USE_INET6
1010 		if ((use_inet6) && (opts & OPT_OUTQUE)) {
1011 			i = F_ACOUT;
1012 			fp = (struct frentry *)fiop->f_acctout6[set];
1013 		} else if ((use_inet6) && (opts & OPT_INQUE)) {
1014 			i = F_ACIN;
1015 			fp = (struct frentry *)fiop->f_acctin6[set];
1016 		} else
1017 #endif
1018 		if (opts & OPT_OUTQUE) {
1019 			i = F_ACOUT;
1020 			fp = (struct frentry *)fiop->f_acctout[set];
1021 		} else if (opts & OPT_INQUE) {
1022 			i = F_ACIN;
1023 			fp = (struct frentry *)fiop->f_acctin[set];
1024 		} else {
1025 			FPRINTF(stderr, "No -i or -o given with -a\n");
1026 			return;
1027 		}
1028 	} else {
1029 #ifdef	USE_INET6
1030 		if ((use_inet6) && (opts & OPT_OUTQUE)) {
1031 			i = F_OUT;
1032 			fp = (struct frentry *)fiop->f_fout6[set];
1033 		} else if ((use_inet6) && (opts & OPT_INQUE)) {
1034 			i = F_IN;
1035 			fp = (struct frentry *)fiop->f_fin6[set];
1036 		} else
1037 #endif
1038 		if (opts & OPT_OUTQUE) {
1039 			i = F_OUT;
1040 			fp = (struct frentry *)fiop->f_fout[set];
1041 		} else if (opts & OPT_INQUE) {
1042 			i = F_IN;
1043 			fp = (struct frentry *)fiop->f_fin[set];
1044 		} else
1045 			return;
1046 	}
1047 	if (opts & OPT_VERBOSE)
1048 		FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
1049 
1050 	if (opts & OPT_VERBOSE)
1051 		PRINTF("fp %p set %d\n", fp, set);
1052 	if (!fp) {
1053 		FPRINTF(stderr, "empty list for %s%s\n",
1054 			(opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
1055 		return;
1056 	}
1057 	if (live_kernel == 1)
1058 		printlivelist(i, set, fp, NULL, NULL);
1059 	else
1060 		printdeadlist(i, set, fp, NULL, NULL);
1061 }
1062 
1063 
1064 /*
1065  * Display ipfilter stateful filtering information
1066  */
showipstates(ipsp)1067 static void showipstates(ipsp)
1068 ips_stat_t *ipsp;
1069 {
1070 	u_long minlen, maxlen, totallen, *buckets;
1071 	int i, sz;
1072 
1073 	sz = sizeof(*buckets) * ipsp->iss_statesize;
1074 	buckets = (u_long *)malloc(sz);
1075 	if (buckets == NULL) {
1076 		perror("malloc");
1077 		exit(1);
1078 	}
1079 	if (kmemcpy((char *)buckets, (u_long)ipsp->iss_bucketlen, sz)) {
1080 		free(buckets);
1081 		return;
1082 	}
1083 
1084 	/*
1085 	 * If a list of states hasn't been asked for, only print out stats
1086 	 */
1087 	if (!(opts & OPT_SHOWLIST)) {
1088 		PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
1089 			ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
1090 		PRINTF("\t%lu hits\n\t%lu misses\n",
1091 			ipsp->iss_hits, ipsp->iss_miss);
1092 		PRINTF("\t%lu maximum\n\t%lu no memory\n", ipsp->iss_max,
1093 			ipsp->iss_nomem);
1094 		PRINTF("\t%lu active\n\t%lu expired\n",
1095 			ipsp->iss_active, ipsp->iss_expire);
1096 		PRINTF("\t%lu closed\n\t%u orphans\n",
1097 			ipsp->iss_fin, ipsp->iss_orphans);
1098 
1099 		PRINTF("State logging %sabled\n",
1100 			state_logging ? "en" : "dis");
1101 
1102 		PRINTF("\nState table bucket statistics:\n");
1103 		PRINTF("\t%lu in use\n\t%lu max bucket\n", ipsp->iss_inuse,
1104 			ipsp->iss_bucketfull);
1105 
1106 		minlen = ipsp->iss_max;
1107 		totallen = 0;
1108 		maxlen = 0;
1109 
1110 		for (i = 0; i < ipsp->iss_statesize; i++) {
1111 			if (buckets[i] > maxlen)
1112 				maxlen = buckets[i];
1113 			if (buckets[i] < minlen)
1114 					minlen = buckets[i];
1115 			totallen += buckets[i];
1116 		}
1117 
1118 		PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n",
1119 			((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0,
1120 			minlen);
1121 		PRINTF("\t%lu maximal length\n\t%.3f average length\n",
1122 			maxlen,
1123 			ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
1124 					  0.0);
1125 
1126 #define ENTRIES_PER_LINE 5
1127 
1128 		if (opts & OPT_VERBOSE) {
1129 			PRINTF("\nCurrent bucket sizes :\n");
1130 			for (i = 0; i < ipsp->iss_statesize; i++) {
1131 				if ((i % ENTRIES_PER_LINE) == 0)
1132 					PRINTF("\t");
1133 				PRINTF("%4d -> %4lu", i, buckets[i]);
1134 				if ((i % ENTRIES_PER_LINE) ==
1135 				    (ENTRIES_PER_LINE - 1))
1136 					PRINTF("\n");
1137 				else
1138 					PRINTF("  ");
1139 			}
1140 			PRINTF("\n");
1141 		}
1142 		PRINTF("\n");
1143 
1144 		free(buckets);
1145 		return;
1146 	}
1147 
1148 	/*
1149 	 * Print out all the state information currently held in the kernel.
1150 	 */
1151 	while (ipsp->iss_list != NULL) {
1152 		ipsp->iss_list = printstate(ipsp->iss_list, opts,
1153 					    ipsp->iss_ticks);
1154 	}
1155 
1156 	free(buckets);
1157 }
1158 
1159 
1160 #ifdef STATETOP
1161 static int handle_resize = 0, handle_break = 0;
1162 
topipstates(saddr,daddr,sport,dport,protocol,ver,refreshtime,topclosed)1163 static void topipstates(saddr, daddr, sport, dport, protocol, ver,
1164 		        refreshtime, topclosed)
1165 i6addr_t saddr;
1166 i6addr_t daddr;
1167 int sport;
1168 int dport;
1169 int protocol;
1170 int ver;
1171 int refreshtime;
1172 int topclosed;
1173 {
1174 	char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
1175 	int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
1176 	int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
1177 	int len, srclen, dstlen, forward = 1, c = 0;
1178 	ips_stat_t ipsst, *ipsstp = &ipsst;
1179 	statetop_t *tstable = NULL, *tp;
1180 	const char *errstr = "";
1181 	ipstate_t ips;
1182 	ipfobj_t ipfo;
1183 	struct timeval selecttimeout;
1184 	char hostnm[HOSTNMLEN];
1185 	struct protoent *proto;
1186 	fd_set readfd;
1187 	time_t t;
1188 
1189 	/* install signal handlers */
1190 	signal(SIGINT, sig_break);
1191 	signal(SIGQUIT, sig_break);
1192 	signal(SIGTERM, sig_break);
1193 	signal(SIGWINCH, sig_resize);
1194 
1195 	/* init ncurses stuff */
1196   	initscr();
1197   	cbreak();
1198   	noecho();
1199 	curs_set(0);
1200 	timeout(0);
1201 	getmaxyx(stdscr, maxy, maxx);
1202 
1203 	/* init hostname */
1204 	gethostname(hostnm, sizeof(hostnm) - 1);
1205 	hostnm[sizeof(hostnm) - 1] = '\0';
1206 
1207 	/* init ipfobj_t stuff */
1208 	bzero((caddr_t)&ipfo, sizeof(ipfo));
1209 	ipfo.ipfo_rev = IPFILTER_VERSION;
1210 	ipfo.ipfo_size = sizeof(*ipsstp);
1211 	ipfo.ipfo_ptr = (void *)ipsstp;
1212 	ipfo.ipfo_type = IPFOBJ_STATESTAT;
1213 
1214 	/* repeat until user aborts */
1215 	while ( 1 ) {
1216 
1217 		/* get state table */
1218 		bzero((char *)&ipsst, sizeof(ipsst));
1219 		if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
1220 			errstr = "ioctl(SIOCGETFS)";
1221 			ret = -1;
1222 			goto out;
1223 		}
1224 
1225 		/* clear the history */
1226 		tsentry = -1;
1227 
1228 		/* reset max str len */
1229 		srclen = dstlen = 0;
1230 
1231 		/* read the state table and store in tstable */
1232 		for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
1233 
1234 			if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list,
1235 				    sizeof(ips)))
1236 				break;
1237 
1238 			if (ips.is_v != ver)
1239 				continue;
1240 
1241 			/* check v4 src/dest addresses */
1242 			if (ips.is_v == 4) {
1243 				if ((saddr.in4.s_addr != INADDR_ANY &&
1244 				     saddr.in4.s_addr != ips.is_saddr) ||
1245 				    (daddr.in4.s_addr != INADDR_ANY &&
1246 				     daddr.in4.s_addr != ips.is_daddr))
1247 					continue;
1248 			}
1249 #ifdef	USE_INET6
1250 			/* check v6 src/dest addresses */
1251 			if (ips.is_v == 6) {
1252 				if ((IP6_NEQ(&saddr, &in6addr_any) &&
1253 				     IP6_NEQ(&saddr, &ips.is_src)) ||
1254 				    (IP6_NEQ(&daddr, &in6addr_any) &&
1255 				     IP6_NEQ(&daddr, &ips.is_dst)))
1256 					continue;
1257 			}
1258 #endif
1259 			/* check protocol */
1260 			if (protocol > 0 && protocol != ips.is_p)
1261 				continue;
1262 
1263 			/* check ports if protocol is TCP or UDP */
1264 			if (((ips.is_p == IPPROTO_TCP) ||
1265 			     (ips.is_p == IPPROTO_UDP)) &&
1266 			   (((sport > 0) && (htons(sport) != ips.is_sport)) ||
1267 			    ((dport > 0) && (htons(dport) != ips.is_dport))))
1268 				continue;
1269 
1270 			/* show closed TCP sessions ? */
1271 			if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
1272 			    (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
1273 			    (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
1274 				continue;
1275 
1276 			/*
1277 			 * if necessary make room for this state
1278 			 * entry
1279 			 */
1280 			tsentry++;
1281 			if (!maxtsentries || tsentry == maxtsentries) {
1282 				maxtsentries += STGROWSIZE;
1283 				tstable = realloc(tstable,
1284 				    maxtsentries * sizeof(statetop_t));
1285 				if (tstable == NULL) {
1286 					perror("realloc");
1287 					exit(-1);
1288 				}
1289 			}
1290 
1291 			/* get max src/dest address string length */
1292 			len = strlen(getip(ips.is_v, &ips.is_src));
1293 			if (srclen < len)
1294 				srclen = len;
1295 			len = strlen(getip(ips.is_v, &ips.is_dst));
1296 			if (dstlen < len)
1297 				dstlen = len;
1298 
1299 			/* fill structure */
1300 			tp = tstable + tsentry;
1301 			tp->st_src = ips.is_src;
1302 			tp->st_dst = ips.is_dst;
1303 			tp->st_p = ips.is_p;
1304 			tp->st_v = ips.is_v;
1305 			tp->st_state[0] = ips.is_state[0];
1306 			tp->st_state[1] = ips.is_state[1];
1307 			if (forward) {
1308 				tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
1309 				tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
1310 			} else {
1311 				tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
1312 				tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
1313 			}
1314 			tp->st_age = ips.is_die - ipsstp->iss_ticks;
1315 			if ((ips.is_p == IPPROTO_TCP) ||
1316 			    (ips.is_p == IPPROTO_UDP)) {
1317 				tp->st_sport = ips.is_sport;
1318 				tp->st_dport = ips.is_dport;
1319 			}
1320 		}
1321 
1322 
1323 		/* sort the array */
1324 		if (tsentry != -1) {
1325 			switch (sorting)
1326 			{
1327 			case STSORT_PR:
1328 				qsort(tstable, tsentry + 1,
1329 				      sizeof(statetop_t), sort_p);
1330 				break;
1331 			case STSORT_PKTS:
1332 				qsort(tstable, tsentry + 1,
1333 				      sizeof(statetop_t), sort_pkts);
1334 				break;
1335 			case STSORT_BYTES:
1336 				qsort(tstable, tsentry + 1,
1337 				      sizeof(statetop_t), sort_bytes);
1338 				break;
1339 			case STSORT_TTL:
1340 				qsort(tstable, tsentry + 1,
1341 				      sizeof(statetop_t), sort_ttl);
1342 				break;
1343 			case STSORT_SRCIP:
1344 				qsort(tstable, tsentry + 1,
1345 				      sizeof(statetop_t), sort_srcip);
1346 				break;
1347 			case STSORT_SRCPT:
1348 				qsort(tstable, tsentry +1,
1349 					sizeof(statetop_t), sort_srcpt);
1350 				break;
1351 			case STSORT_DSTIP:
1352 				qsort(tstable, tsentry + 1,
1353 				      sizeof(statetop_t), sort_dstip);
1354 				break;
1355 			case STSORT_DSTPT:
1356 				qsort(tstable, tsentry + 1,
1357 				      sizeof(statetop_t), sort_dstpt);
1358 				break;
1359 			default:
1360 				break;
1361 			}
1362 		}
1363 
1364 		/* handle window resizes */
1365 		if (handle_resize) {
1366 			endwin();
1367 			initscr();
1368 			cbreak();
1369 			noecho();
1370 			curs_set(0);
1371 			timeout(0);
1372 			getmaxyx(stdscr, maxy, maxx);
1373 			redraw = 1;
1374 			handle_resize = 0;
1375                 }
1376 
1377 		/* stop program? */
1378 		if (handle_break)
1379 			break;
1380 
1381 		/* print title */
1382 		erase();
1383 		attron(A_BOLD);
1384 		winy = 0;
1385 		move(winy,0);
1386 		sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
1387 		for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
1388 			printw(" ");
1389 		printw("%s", str1);
1390 		attroff(A_BOLD);
1391 
1392 		/* just for fun add a clock */
1393 		move(winy, maxx - 8);
1394 		t = time(NULL);
1395 		strftime(str1, 80, "%T", localtime(&t));
1396 		printw("%s\n", str1);
1397 
1398 		/*
1399 		 * print the display filters, this is placed in the loop,
1400 		 * because someday I might add code for changing these
1401 		 * while the programming is running :-)
1402 		 */
1403 		if (sport >= 0)
1404 			sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
1405 		else
1406 			sprintf(str1, "%s", getip(ver, &saddr));
1407 
1408 		if (dport >= 0)
1409 			sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
1410 		else
1411 			sprintf(str2, "%s", getip(ver, &daddr));
1412 
1413 		if (protocol < 0)
1414 			strcpy(str3, "any");
1415 		else if ((proto = getprotobynumber(protocol)) != NULL)
1416 			sprintf(str3, "%s", proto->p_name);
1417 		else
1418 			sprintf(str3, "%d", protocol);
1419 
1420 		switch (sorting)
1421 		{
1422 		case STSORT_PR:
1423 			sprintf(str4, "proto");
1424 			break;
1425 		case STSORT_PKTS:
1426 			sprintf(str4, "# pkts");
1427 			break;
1428 		case STSORT_BYTES:
1429 			sprintf(str4, "# bytes");
1430 			break;
1431 		case STSORT_TTL:
1432 			sprintf(str4, "ttl");
1433 			break;
1434 		case STSORT_SRCIP:
1435 			sprintf(str4, "src ip");
1436 			break;
1437 		case STSORT_SRCPT:
1438 			sprintf(str4, "src port");
1439 			break;
1440 		case STSORT_DSTIP:
1441 			sprintf(str4, "dest ip");
1442 			break;
1443 		case STSORT_DSTPT:
1444 			sprintf(str4, "dest port");
1445 			break;
1446 		default:
1447 			sprintf(str4, "unknown");
1448 			break;
1449 		}
1450 
1451 		if (reverse)
1452 			strcat(str4, " (reverse)");
1453 
1454 		winy += 2;
1455 		move(winy,0);
1456 		printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
1457 		       str1, str2, str3, str4);
1458 
1459 		/*
1460 		 * For an IPv4 IP address we need at most 15 characters,
1461 		 * 4 tuples of 3 digits, separated by 3 dots. Enforce this
1462 		 * length, so the colums do not change positions based
1463 		 * on the size of the IP address. This length makes the
1464 		 * output fit in a 80 column terminal.
1465 		 * We are lacking a good solution for IPv6 addresses (that
1466 		 * can be longer that 15 characters), so we do not enforce
1467 		 * a maximum on the IP field size.
1468 		 */
1469 		if (srclen < 15)
1470 			srclen = 15;
1471 		if (dstlen < 15)
1472 			dstlen = 15;
1473 
1474 		/* print column description */
1475 		winy += 2;
1476 		move(winy,0);
1477 		attron(A_BOLD);
1478 		printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
1479 		       srclen + 6, "Source IP", dstlen + 6, "Destination IP",
1480 		       "ST", "PR", "#pkts", "#bytes", "ttl");
1481 		attroff(A_BOLD);
1482 
1483 		/* print all the entries */
1484 		tp = tstable;
1485 		if (reverse)
1486 			tp += tsentry;
1487 
1488 		if (tsentry > maxy - 6)
1489 			tsentry = maxy - 6;
1490 		for (i = 0; i <= tsentry; i++) {
1491 			/* print src/dest and port */
1492 			if ((tp->st_p == IPPROTO_TCP) ||
1493 			    (tp->st_p == IPPROTO_UDP)) {
1494 				sprintf(str1, "%s,%hu",
1495 					getip(tp->st_v, &tp->st_src),
1496 					ntohs(tp->st_sport));
1497 				sprintf(str2, "%s,%hu",
1498 					getip(tp->st_v, &tp->st_dst),
1499 					ntohs(tp->st_dport));
1500 			} else {
1501 				sprintf(str1, "%s", getip(tp->st_v,
1502 				    &tp->st_src));
1503 				sprintf(str2, "%s", getip(tp->st_v,
1504 				    &tp->st_dst));
1505 			}
1506 			winy++;
1507 			move(winy, 0);
1508 			printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
1509 
1510 			/* print state */
1511 			sprintf(str1, "%X/%X", tp->st_state[0],
1512 				tp->st_state[1]);
1513 			printw(" %3s", str1);
1514 
1515 			/* print protocol */
1516 			proto = getprotobynumber(tp->st_p);
1517 			if (proto) {
1518 				strncpy(str1, proto->p_name, 4);
1519 				str1[4] = '\0';
1520 			} else {
1521 				sprintf(str1, "%d", tp->st_p);
1522 			}
1523 			/* just print icmp for IPv6-ICMP */
1524 			if (tp->st_p == IPPROTO_ICMPV6)
1525 				strcpy(str1, "icmp");
1526 			printw(" %4s", str1);
1527 
1528 			/* print #pkt/#bytes */
1529 #ifdef	USE_QUAD_T
1530 			printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
1531 				(unsigned long long) tp->st_bytes);
1532 #else
1533 			printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
1534 #endif
1535 			printw(" %9s", ttl_to_string(tp->st_age));
1536 
1537 			if (reverse)
1538 				tp--;
1539 			else
1540 				tp++;
1541 		}
1542 
1543 		/* screen data structure is filled, now update the screen */
1544 		if (redraw)
1545 			clearok(stdscr,1);
1546 
1547 		if (refresh() == ERR)
1548 			break;
1549 		if (redraw) {
1550 			clearok(stdscr,0);
1551 			redraw = 0;
1552 		}
1553 
1554 		/* wait for key press or a 1 second time out period */
1555 		selecttimeout.tv_sec = refreshtime;
1556 		selecttimeout.tv_usec = 0;
1557 		FD_ZERO(&readfd);
1558 		FD_SET(0, &readfd);
1559 		select(1, &readfd, NULL, NULL, &selecttimeout);
1560 
1561 		/* if key pressed, read all waiting keys */
1562 		if (FD_ISSET(0, &readfd)) {
1563 			c = wgetch(stdscr);
1564 			if (c == ERR)
1565 				continue;
1566 
1567 			if (ISALPHA(c) && ISUPPER(c))
1568 				c = TOLOWER(c);
1569 			if (c == 'l') {
1570 				redraw = 1;
1571 			} else if (c == 'q') {
1572 				break;
1573 			} else if (c == 'r') {
1574 				reverse = !reverse;
1575 			} else if (c == 'b') {
1576 				forward = 0;
1577 			} else if (c == 'f') {
1578 				forward = 1;
1579 			} else if (c == 's') {
1580 				if (++sorting > STSORT_MAX)
1581 					sorting = 0;
1582 			}
1583 		}
1584 	} /* while */
1585 
1586 out:
1587 	printw("\n");
1588 	refresh();
1589 	endwin();
1590 	free(tstable);
1591 	if (ret != 0)
1592 		perror(errstr);
1593 }
1594 #endif
1595 
1596 
1597 /*
1598  * Show fragment cache information that's held in the kernel.
1599  */
showfrstates(ifsp,ticks)1600 static void showfrstates(ifsp, ticks)
1601 ipfrstat_t *ifsp;
1602 u_long ticks;
1603 {
1604 	struct ipfr *ipfrtab[IPFT_SIZE], ifr;
1605 	int i;
1606 
1607 	/*
1608 	 * print out the numeric statistics
1609 	 */
1610 	PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
1611 		ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
1612 	PRINTF("\t%lu retrans\n\t%lu too short\n",
1613 		ifsp->ifs_retrans0, ifsp->ifs_short);
1614 	PRINTF("\t%lu no memory\n\t%lu already exist\n",
1615 		ifsp->ifs_nomem, ifsp->ifs_exists);
1616 	PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
1617 	if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
1618 		return;
1619 
1620 	/*
1621 	 * Print out the contents (if any) of the fragment cache table.
1622 	 */
1623 	PRINTF("\n");
1624 	for (i = 0; i < IPFT_SIZE; i++)
1625 		while (ipfrtab[i] != NULL) {
1626 			if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1627 				    sizeof(ifr)) == -1)
1628 				break;
1629 			ifr.ipfr_ttl -= ticks;
1630 			printfraginfo("", &ifr);
1631 			ipfrtab[i] = ifr.ipfr_next;
1632 		}
1633 	/*
1634 	 * Print out the contents (if any) of the NAT fragment cache table.
1635 	 */
1636 	if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
1637 		return;
1638 	for (i = 0; i < IPFT_SIZE; i++)
1639 		while (ipfrtab[i] != NULL) {
1640 			if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1641 				    sizeof(ifr)) == -1)
1642 				break;
1643 			ifr.ipfr_ttl -= ticks;
1644 			printfraginfo("NAT: ", &ifr);
1645 			ipfrtab[i] = ifr.ipfr_next;
1646 		}
1647 }
1648 
1649 
1650 /*
1651  * Show stats on how auth within IPFilter has been used
1652  */
showauthstates(asp)1653 static void showauthstates(asp)
1654 fr_authstat_t *asp;
1655 {
1656 	frauthent_t *frap, fra;
1657 
1658 #ifdef	USE_QUAD_T
1659 	printf("Authorisation hits: %qu\tmisses %qu\n",
1660 		(unsigned long long) asp->fas_hits,
1661 		(unsigned long long) asp->fas_miss);
1662 #else
1663 	printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
1664 		asp->fas_miss);
1665 #endif
1666 	printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
1667 		asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
1668 		asp->fas_sendok);
1669 	printf("queok %ld\nquefail %ld\nexpire %ld\n",
1670 		asp->fas_queok, asp->fas_quefail, asp->fas_expire);
1671 
1672 	frap = asp->fas_faelist;
1673 	while (frap) {
1674 		if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
1675 			break;
1676 
1677 		printf("age %ld\t", fra.fae_age);
1678 		printfr(&fra.fae_fr, ioctl);
1679 		frap = fra.fae_next;
1680 	}
1681 }
1682 
1683 
1684 /*
1685  * Display groups used for each of filter rules, accounting rules and
1686  * authentication, separately.
1687  */
showgroups(fiop)1688 static void showgroups(fiop)
1689 struct friostat	*fiop;
1690 {
1691 	static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
1692 	static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
1693 	frgroup_t *fp, grp;
1694 	int on, off, i;
1695 
1696 	on = fiop->f_active;
1697 	off = 1 - on;
1698 
1699 	for (i = 0; i < 3; i++) {
1700 		printf("%s groups (active):\n", gnames[i]);
1701 		for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
1702 		     fp = grp.fg_next)
1703 			if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1704 				break;
1705 			else
1706 				printf("%s\n", grp.fg_name);
1707 		printf("%s groups (inactive):\n", gnames[i]);
1708 		for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
1709 		     fp = grp.fg_next)
1710 			if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1711 				break;
1712 			else
1713 				printf("%s\n", grp.fg_name);
1714 	}
1715 }
1716 
parse_ipportstr(argument,ip,port)1717 static void parse_ipportstr(argument, ip, port)
1718 const char *argument;
1719 i6addr_t *ip;
1720 int *port;
1721 {
1722 	char *s, *comma;
1723 	int ok = 0;
1724 
1725 	/* make working copy of argument, Theoretically you must be able
1726 	 * to write to optarg, but that seems very ugly to me....
1727 	 */
1728 	s = strdup(argument);
1729 	if (s == NULL)
1730 		return;
1731 
1732 	/* get port */
1733 	if ((comma = strchr(s, ',')) != NULL) {
1734 		if (!strcasecmp(comma + 1, "any")) {
1735 			*port = -1;
1736 		} else if (!sscanf(comma + 1, "%d", port) ||
1737 			   (*port < 0) || (*port > 65535)) {
1738 			fprintf(stderr, "Invalid port specfication in %s\n",
1739 				argument);
1740 			free(s);
1741 			exit(-2);
1742 		}
1743 		*comma = '\0';
1744 	}
1745 
1746 
1747 	/* get ip address */
1748 	if (!strcasecmp(s, "any")) {
1749 		ip->in4.s_addr = INADDR_ANY;
1750 #ifdef	USE_INET6
1751 		ip->in6 = in6addr_any;
1752 	} else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
1753 		ok = 1;
1754 #endif
1755 	} else if (inet_aton(s, &ip->in4))
1756 		ok = 1;
1757 
1758 	if (ok == 0) {
1759 		fprintf(stderr, "Invalid IP address: %s\n", s);
1760 		free(s);
1761 		exit(-2);
1762 	}
1763 
1764 	/* free allocated memory */
1765 	free(s);
1766 }
1767 
1768 
1769 #ifdef STATETOP
sig_resize(s)1770 static void sig_resize(s)
1771 int s;
1772 {
1773 	handle_resize = 1;
1774 }
1775 
sig_break(s)1776 static void sig_break(s)
1777 int s;
1778 {
1779 	handle_break = 1;
1780 }
1781 
getip(v,addr)1782 static char *getip(v, addr)
1783 int v;
1784 i6addr_t *addr;
1785 {
1786 #ifdef  USE_INET6
1787 	static char hostbuf[MAXHOSTNAMELEN+1];
1788 #endif
1789 
1790 	if (v == 4)
1791 		return inet_ntoa(addr->in4);
1792 
1793 #ifdef  USE_INET6
1794 	(void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
1795 	hostbuf[MAXHOSTNAMELEN] = '\0';
1796 	return hostbuf;
1797 #else
1798 	return "IPv6";
1799 #endif
1800 }
1801 
1802 
ttl_to_string(ttl)1803 static char *ttl_to_string(ttl)
1804 long int ttl;
1805 {
1806 	static char ttlbuf[STSTRSIZE];
1807 	int hours, minutes, seconds;
1808 
1809 	/* ttl is in half seconds */
1810 	ttl /= 2;
1811 
1812 	hours = ttl / 3600;
1813 	ttl = ttl % 3600;
1814 	minutes = ttl / 60;
1815 	seconds = ttl % 60;
1816 
1817 	if (hours > 0)
1818 		sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
1819 	else
1820 		sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
1821 	return ttlbuf;
1822 }
1823 
1824 
sort_pkts(a,b)1825 static int sort_pkts(a, b)
1826 const void *a;
1827 const void *b;
1828 {
1829 
1830 	register const statetop_t *ap = a;
1831 	register const statetop_t *bp = b;
1832 
1833 	if (ap->st_pkts == bp->st_pkts)
1834 		return 0;
1835 	else if (ap->st_pkts < bp->st_pkts)
1836 		return 1;
1837 	return -1;
1838 }
1839 
1840 
sort_bytes(a,b)1841 static int sort_bytes(a, b)
1842 const void *a;
1843 const void *b;
1844 {
1845 	register const statetop_t *ap = a;
1846 	register const statetop_t *bp = b;
1847 
1848 	if (ap->st_bytes == bp->st_bytes)
1849 		return 0;
1850 	else if (ap->st_bytes < bp->st_bytes)
1851 		return 1;
1852 	return -1;
1853 }
1854 
1855 
sort_p(a,b)1856 static int sort_p(a, b)
1857 const void *a;
1858 const void *b;
1859 {
1860 	register const statetop_t *ap = a;
1861 	register const statetop_t *bp = b;
1862 
1863 	if (ap->st_p == bp->st_p)
1864 		return 0;
1865 	else if (ap->st_p < bp->st_p)
1866 		return 1;
1867 	return -1;
1868 }
1869 
1870 
sort_ttl(a,b)1871 static int sort_ttl(a, b)
1872 const void *a;
1873 const void *b;
1874 {
1875 	register const statetop_t *ap = a;
1876 	register const statetop_t *bp = b;
1877 
1878 	if (ap->st_age == bp->st_age)
1879 		return 0;
1880 	else if (ap->st_age < bp->st_age)
1881 		return 1;
1882 	return -1;
1883 }
1884 
sort_srcip(a,b)1885 static int sort_srcip(a, b)
1886 const void *a;
1887 const void *b;
1888 {
1889 	register const statetop_t *ap = a;
1890 	register const statetop_t *bp = b;
1891 
1892 #ifdef USE_INET6
1893 	if (use_inet6) {
1894 		if (IP6_EQ(&ap->st_src, &bp->st_src))
1895 			return 0;
1896 		else if (IP6_GT(&ap->st_src, &bp->st_src))
1897 			return 1;
1898 	} else
1899 #endif
1900 	{
1901 		if (ntohl(ap->st_src.in4.s_addr) ==
1902 		    ntohl(bp->st_src.in4.s_addr))
1903 			return 0;
1904 		else if (ntohl(ap->st_src.in4.s_addr) >
1905 		         ntohl(bp->st_src.in4.s_addr))
1906 			return 1;
1907 	}
1908 	return -1;
1909 }
1910 
sort_srcpt(a,b)1911 static int sort_srcpt(a, b)
1912 const void *a;
1913 const void *b;
1914 {
1915 	register const statetop_t *ap = a;
1916 	register const statetop_t *bp = b;
1917 
1918 	if (htons(ap->st_sport) == htons(bp->st_sport))
1919 		return 0;
1920 	else if (htons(ap->st_sport) > htons(bp->st_sport))
1921 		return 1;
1922 	return -1;
1923 }
1924 
sort_dstip(a,b)1925 static int sort_dstip(a, b)
1926 const void *a;
1927 const void *b;
1928 {
1929 	register const statetop_t *ap = a;
1930 	register const statetop_t *bp = b;
1931 
1932 #ifdef USE_INET6
1933 	if (use_inet6) {
1934 		if (IP6_EQ(&ap->st_dst, &bp->st_dst))
1935 			return 0;
1936 		else if (IP6_GT(&ap->st_dst, &bp->st_dst))
1937 			return 1;
1938 	} else
1939 #endif
1940 	{
1941 		if (ntohl(ap->st_dst.in4.s_addr) ==
1942 		    ntohl(bp->st_dst.in4.s_addr))
1943 			return 0;
1944 		else if (ntohl(ap->st_dst.in4.s_addr) >
1945 		         ntohl(bp->st_dst.in4.s_addr))
1946 			return 1;
1947 	}
1948 	return -1;
1949 }
1950 
sort_dstpt(a,b)1951 static int sort_dstpt(a, b)
1952 const void *a;
1953 const void *b;
1954 {
1955 	register const statetop_t *ap = a;
1956 	register const statetop_t *bp = b;
1957 
1958 	if (htons(ap->st_dport) == htons(bp->st_dport))
1959 		return 0;
1960 	else if (htons(ap->st_dport) > htons(bp->st_dport))
1961 		return 1;
1962 	return -1;
1963 }
1964 
1965 #endif
1966