xref: /freebsd/sbin/ipf/ipfstat/ipfstat.c (revision 1edb7116f450c1a1793f2fd25f6bdc16735ef888)
1 
2 /*
3  * Copyright (C) 2012 by Darren Reed.
4  *
5  * See the IPFILTER.LICENCE file for details on licencing.
6  */
7 #include <sys/ioctl.h>
8 #include <ctype.h>
9 #include <fcntl.h>
10 # include <nlist.h>
11 #include <ctype.h>
12 #if defined(sun) && defined(__SVR4)
13 # include <stddef.h>
14 #endif
15 #include "ipf.h"
16 #include "netinet/ipl.h"
17 #if defined(STATETOP)
18 # if defined(sun) && defined(__SVR4)
19 #   include <sys/select.h>
20 # endif
21 # include <netinet/ip_var.h>
22 # include <netinet/tcp_fsm.h>
23 # include <ctype.h>
24 # include <signal.h>
25 # include <time.h>
26 # if SOLARIS || defined(__NetBSD__)
27 #  ifdef ERR
28 #   undef ERR
29 #  endif
30 #  include <curses.h>
31 # else /* SOLARIS */
32 #  include <ncurses.h>
33 # endif /* SOLARIS */
34 #endif /* STATETOP */
35 #include "kmem.h"
36 #if defined(__NetBSD__)
37 # include <paths.h>
38 #endif
39 
40 
41 
42 extern	char	*optarg;
43 extern	int	optind;
44 extern	int	opterr;
45 
46 #define	PRINTF	(void)printf
47 #define	FPRINTF	(void)fprintf
48 static	char	*filters[4] = { "ipfilter(in)", "ipfilter(out)",
49 				"ipacct(in)", "ipacct(out)" };
50 static	int	state_logging = -1;
51 static	wordtab_t	*state_fields = NULL;
52 
53 int	nohdrfields = 0;
54 int	opts = 0;
55 #ifdef	USE_INET6
56 int	use_inet4 = 0;
57 int	use_inet6 = 0;
58 #endif
59 int	live_kernel = 1;
60 int	state_fd = -1;
61 int	ipf_fd = -1;
62 int	auth_fd = -1;
63 int	nat_fd = -1;
64 frgroup_t *grtop = NULL;
65 frgroup_t *grtail = NULL;
66 
67 char *blockreasons[FRB_MAX_VALUE + 1] = {
68 	"packet blocked",
69 	"log rule failure",
70 	"pps rate exceeded",
71 	"jumbogram",
72 	"makefrip failed",
73 	"cannot add state",
74 	"IP ID update failed",
75 	"log-or-block failed",
76 	"decapsulate failure",
77 	"cannot create new auth entry",
78 	"packet queued for auth",
79 	"buffer coalesce failure",
80 	"buffer pullup failure",
81 	"auth feedback",
82 	"bad fragment",
83 	"IPv4 NAT failure",
84 	"IPv6 NAT failure"
85 };
86 
87 #ifdef STATETOP
88 #define	STSTRSIZE 	80
89 #define	STGROWSIZE	16
90 #define	HOSTNMLEN	40
91 
92 #define	STSORT_PR	0
93 #define	STSORT_PKTS	1
94 #define	STSORT_BYTES	2
95 #define	STSORT_TTL	3
96 #define	STSORT_SRCIP	4
97 #define	STSORT_SRCPT	5
98 #define	STSORT_DSTIP	6
99 #define	STSORT_DSTPT	7
100 #define	STSORT_MAX	STSORT_DSTPT
101 #define	STSORT_DEFAULT	STSORT_BYTES
102 
103 
104 typedef struct statetop {
105 	i6addr_t	st_src;
106 	i6addr_t	st_dst;
107 	u_short		st_sport;
108 	u_short 	st_dport;
109 	u_char		st_p;
110 	u_char		st_v;
111 	u_char		st_state[2];
112 	U_QUAD_T	st_pkts;
113 	U_QUAD_T	st_bytes;
114 	u_long		st_age;
115 } statetop_t;
116 #endif
117 
118 int		main(int, char *[]);
119 
120 static	int	fetchfrag(int, int, ipfr_t *);
121 static	void	showstats(friostat_t *, u_32_t);
122 static	void	showfrstates(ipfrstat_t *, u_long);
123 static	void	showlist(friostat_t *);
124 static	void	showstatestats(ips_stat_t *);
125 static	void	showipstates(ips_stat_t *, int *);
126 static	void	showauthstates(ipf_authstat_t *);
127 static	void	showtqtable_live(int);
128 static	void	showgroups(friostat_t *);
129 static	void	usage(char *);
130 static	int	state_matcharray(ipstate_t *, int *);
131 static	int	printlivelist(friostat_t *, int, int, frentry_t *,
132 				   char *, char *);
133 static	void	printdeadlist(friostat_t *, int, int, frentry_t *,
134 				   char *, char *);
135 static	void	printside(char *, ipf_statistics_t *);
136 static	void	parse_ipportstr(const char *, i6addr_t *, int *);
137 static	void	ipfstate_live(char *, friostat_t **, ips_stat_t **,
138 				   ipfrstat_t **, ipf_authstat_t **, u_32_t *);
139 static	void	ipfstate_dead(char *, friostat_t **, ips_stat_t **,
140 				   ipfrstat_t **, ipf_authstat_t **, u_32_t *);
141 static	ipstate_t *fetchstate(ipstate_t *, ipstate_t *);
142 #ifdef STATETOP
143 static	void	topipstates(i6addr_t, i6addr_t, int, int, int,
144 				 int, int, int, int *);
145 static	void	sig_break(int);
146 static	void	sig_resize(int);
147 static	char	*getip(int, i6addr_t *);
148 static	char	*ttl_to_string(long);
149 static	int	sort_p(const void *, const void *);
150 static	int	sort_pkts(const void *, const void *);
151 static	int	sort_bytes(const void *, const void *);
152 static	int	sort_ttl(const void *, const void *);
153 static	int	sort_srcip(const void *, const void *);
154 static	int	sort_srcpt(const void *, const void *);
155 static	int	sort_dstip(const void *, const void *);
156 static	int	sort_dstpt(const void *, const void *);
157 #endif
158 
159 
160 static void usage(char *name)
161 {
162 #ifdef  USE_INET6
163 	fprintf(stderr, "Usage: %s [-46aAdfghIilnoRsv]\n", name);
164 #else
165 	fprintf(stderr, "Usage: %s [-4aAdfghIilnoRsv]\n", name);
166 #endif
167 	fprintf(stderr, "       %s [-M corefile] [-N symbol-list]\n", name);
168 #ifdef	STATETOP
169 #ifdef	USE_INET6
170 	fprintf(stderr, "       %s -t [-46C] ", name);
171 #else
172 	fprintf(stderr, "       %s -t [-4C] ", name);
173 #endif
174 #endif
175 	fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
176 	exit(1);
177 }
178 
179 
180 int main(int argc, char *argv[])
181 {
182 	ipf_authstat_t	frauthst;
183 	ipf_authstat_t	*frauthstp = &frauthst;
184 	friostat_t fio;
185 	friostat_t *fiop = &fio;
186 	ips_stat_t ipsst;
187 	ips_stat_t *ipsstp = &ipsst;
188 	ipfrstat_t ifrst;
189 	ipfrstat_t *ifrstp = &ifrst;
190 	char *options;
191 	char *kern = NULL;
192 	char *memf = NULL;
193 	int c;
194 	int myoptind;
195 	int *filter = NULL;
196 
197 	int protocol = -1;		/* -1 = wild card for any protocol */
198 	int refreshtime = 1; 		/* default update time */
199 	int sport = -1;			/* -1 = wild card for any source port */
200 	int dport = -1;			/* -1 = wild card for any dest port */
201 	int topclosed = 0;		/* do not show closed tcp sessions */
202 	i6addr_t saddr, daddr;
203 	u_32_t frf;
204 
205 #ifdef	USE_INET6
206 	options = "46aACdfghIilnostvD:m:M:N:O:P:RS:T:";
207 #else
208 	options = "4aACdfghIilnostvD:m:M:N:O:P:RS:T:";
209 #endif
210 
211 	saddr.in4.s_addr = INADDR_ANY; 	/* default any v4 source addr */
212 	daddr.in4.s_addr = INADDR_ANY; 	/* default any v4 dest addr */
213 #ifdef	USE_INET6
214 	saddr.in6 = in6addr_any;	/* default any v6 source addr */
215 	daddr.in6 = in6addr_any;	/* default any v6 dest addr */
216 #endif
217 
218 	/* Don't warn about invalid flags when we run getopt for the 1st time */
219 	opterr = 0;
220 
221 	/*
222 	 * Parse these two arguments now lest there be any buffer overflows
223 	 * in the parsing of the rest.
224 	 */
225 	myoptind = optind;
226 	while ((c = getopt(argc, argv, options)) != -1) {
227 		switch (c)
228 		{
229 		case 'M' :
230 			memf = optarg;
231 			live_kernel = 0;
232 			break;
233 		case 'N' :
234 			kern = optarg;
235 			live_kernel = 0;
236 			break;
237 		}
238 	}
239 	optind = myoptind;
240 
241 	if (live_kernel == 1) {
242 		if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
243 			perror("open(IPSTATE_NAME)");
244 			exit(-1);
245 		}
246 		if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
247 			perror("open(IPAUTH_NAME)");
248 			exit(-1);
249 		}
250 		if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
251 			perror("open(IPAUTH_NAME)");
252 			exit(-1);
253 		}
254 		if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
255 			fprintf(stderr, "open(%s)", IPL_NAME);
256 			perror("");
257 			exit(-1);
258 		}
259 	}
260 
261 	if (kern != NULL || memf != NULL) {
262 		(void)setgid(getgid());
263 		(void)setuid(getuid());
264 	}
265 
266 	if (live_kernel == 1) {
267 		(void) checkrev(IPL_NAME);
268 	} else {
269 		if (openkmem(kern, memf) == -1)
270 			exit(-1);
271 	}
272 
273 	(void)setgid(getgid());
274 	(void)setuid(getuid());
275 
276 	opterr = 1;
277 
278 	while ((c = getopt(argc, argv, options)) != -1)
279 	{
280 		switch (c)
281 		{
282 #ifdef	USE_INET6
283 		case '4' :
284 			use_inet4 = 1;
285 			break;
286 		case '6' :
287 			use_inet6 = 1;
288 			break;
289 #endif
290 		case 'a' :
291 			opts |= OPT_ACCNT|OPT_SHOWLIST;
292 			break;
293 		case 'A' :
294 			opts |= OPT_AUTHSTATS;
295 			break;
296 		case 'C' :
297 			topclosed = 1;
298 			break;
299 		case 'd' :
300 			opts |= OPT_DEBUG;
301 			break;
302 		case 'D' :
303 			parse_ipportstr(optarg, &daddr, &dport);
304 			break;
305 		case 'f' :
306 			opts |= OPT_FRSTATES;
307 			break;
308 		case 'g' :
309 			opts |= OPT_GROUPS;
310 			break;
311 		case 'h' :
312 			opts |= OPT_HITS;
313 			break;
314 		case 'i' :
315 			opts |= OPT_INQUE|OPT_SHOWLIST;
316 			break;
317 		case 'I' :
318 			opts |= OPT_INACTIVE;
319 			break;
320 		case 'l' :
321 			opts |= OPT_SHOWLIST;
322 			break;
323 		case 'm' :
324 			filter = parseipfexpr(optarg, NULL);
325 			if (filter == NULL) {
326 				fprintf(stderr, "Error parsing '%s'\n",
327 					optarg);
328 				exit(1);
329 			}
330 			break;
331 		case 'M' :
332 			break;
333 		case 'N' :
334 			break;
335 		case 'n' :
336 			opts |= OPT_SHOWLINENO;
337 			break;
338 		case 'o' :
339 			opts |= OPT_OUTQUE|OPT_SHOWLIST;
340 			break;
341 		case 'O' :
342 			state_fields = parsefields(statefields, optarg);
343 			break;
344 		case 'P' :
345 			protocol = getproto(optarg);
346 			if (protocol == -1) {
347 				fprintf(stderr, "%s: Invalid protocol: %s\n",
348 					argv[0], optarg);
349 				exit(-2);
350 			}
351 			break;
352 		case 'R' :
353 			opts |= OPT_NORESOLVE;
354 			break;
355 		case 's' :
356 			opts |= OPT_IPSTATES;
357 			break;
358 		case 'S' :
359 			parse_ipportstr(optarg, &saddr, &sport);
360 			break;
361 		case 't' :
362 #ifdef STATETOP
363 			opts |= OPT_STATETOP;
364 			break;
365 #else
366 			fprintf(stderr,
367 				"%s: state top facility not compiled in\n",
368 				argv[0]);
369 			exit(-2);
370 #endif
371 		case 'T' :
372 			if (!sscanf(optarg, "%d", &refreshtime) ||
373 				    (refreshtime <= 0)) {
374 				fprintf(stderr,
375 					"%s: Invalid refreshtime < 1 : %s\n",
376 					argv[0], optarg);
377 				exit(-2);
378 			}
379 			break;
380 		case 'v' :
381 			opts |= OPT_VERBOSE;
382 			break;
383 		default :
384 			usage(argv[0]);
385 			break;
386 		}
387 	}
388 #ifdef	USE_INET6
389 	if ((use_inet4 || use_inet6) &&
390 	   !(opts & (OPT_INQUE | OPT_OUTQUE | OPT_STATETOP))) {
391 #ifdef	STATETOP
392 		FPRINTF(stderr, "No -i, -o, or -t given with -4 or -6\n");
393 #else
394 		FPRINTF(stderr, "No -i or -o given with -4 or -6\n");
395 #endif
396 		exit(-2);
397 	}
398 	if (use_inet4 == 0 && use_inet6 == 0)
399 		use_inet4 = use_inet6 = 1;
400 #endif
401 
402 	if (live_kernel == 1) {
403 		bzero((char *)&fio, sizeof(fio));
404 		bzero((char *)&ipsst, sizeof(ipsst));
405 		bzero((char *)&ifrst, sizeof(ifrst));
406 
407 		ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
408 			      &frauthstp, &frf);
409 	} else {
410 		ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
411 	}
412 
413 	if (opts & OPT_IPSTATES) {
414 		showipstates(ipsstp, filter);
415 	} else if (opts & OPT_SHOWLIST) {
416 		showlist(fiop);
417 		if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
418 			opts &= ~OPT_OUTQUE;
419 			showlist(fiop);
420 		}
421 	} else if (opts & OPT_FRSTATES)
422 		showfrstates(ifrstp, fiop->f_ticks);
423 #ifdef STATETOP
424 	else if (opts & OPT_STATETOP)
425 		topipstates(saddr, daddr, sport, dport, protocol,
426 #ifdef	USE_INET6
427 		use_inet6 && use_inet4 ? 0 : use_inet6 && !use_inet4 ? 6 : 4,
428 #else
429 		4,
430 #endif
431 #endif
432 			    refreshtime, topclosed, filter);
433 	else if (opts & OPT_AUTHSTATS)
434 		showauthstates(frauthstp);
435 	else if (opts & OPT_GROUPS)
436 		showgroups(fiop);
437 	else
438 		showstats(fiop, frf);
439 
440 	return (0);
441 }
442 
443 
444 /*
445  * Fill in the stats structures from the live kernel, using a combination
446  * of ioctl's and copying directly from kernel memory.
447  */
448 static void ipfstate_live(char *device, friostat_t **fiopp,
449 	ips_stat_t **ipsstpp, ipfrstat_t **ifrstpp,
450 	ipf_authstat_t **frauthstpp, u_32_t *frfp)
451 {
452 	ipfobj_t ipfo;
453 
454 	if (checkrev(device) == -1) {
455 		fprintf(stderr, "User/kernel version check failed\n");
456 		exit(1);
457 	}
458 
459 	if ((opts & OPT_AUTHSTATS) == 0) {
460 		bzero((caddr_t)&ipfo, sizeof(ipfo));
461 		ipfo.ipfo_rev = IPFILTER_VERSION;
462 		ipfo.ipfo_type = IPFOBJ_IPFSTAT;
463 		ipfo.ipfo_size = sizeof(friostat_t);
464 		ipfo.ipfo_ptr = (void *)*fiopp;
465 
466 		if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
467 			ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)");
468 			exit(-1);
469 		}
470 
471 		if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
472 			ipferror(ipf_fd, "ioctl(SIOCGETFF)");
473 	}
474 
475 	if ((opts & OPT_IPSTATES) != 0) {
476 
477 		bzero((caddr_t)&ipfo, sizeof(ipfo));
478 		ipfo.ipfo_rev = IPFILTER_VERSION;
479 		ipfo.ipfo_type = IPFOBJ_STATESTAT;
480 		ipfo.ipfo_size = sizeof(ips_stat_t);
481 		ipfo.ipfo_ptr = (void *)*ipsstpp;
482 
483 		if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
484 			ipferror(state_fd, "ioctl(state:SIOCGETFS)");
485 			exit(-1);
486 		}
487 		if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
488 			ipferror(state_fd, "ioctl(state:SIOCGETLG)");
489 			exit(-1);
490 		}
491 	}
492 
493 	if ((opts & OPT_FRSTATES) != 0) {
494 		bzero((caddr_t)&ipfo, sizeof(ipfo));
495 		ipfo.ipfo_rev = IPFILTER_VERSION;
496 		ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
497 		ipfo.ipfo_size = sizeof(ipfrstat_t);
498 		ipfo.ipfo_ptr = (void *)*ifrstpp;
499 
500 		if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
501 			ipferror(ipf_fd, "ioctl(SIOCGFRST)");
502 			exit(-1);
503 		}
504 	}
505 
506 	if (opts & OPT_DEBUG)
507 		PRINTF("opts %#x name %s\n", opts, device);
508 
509 	if ((opts & OPT_AUTHSTATS) != 0) {
510 		bzero((caddr_t)&ipfo, sizeof(ipfo));
511 		ipfo.ipfo_rev = IPFILTER_VERSION;
512 		ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
513 		ipfo.ipfo_size = sizeof(ipf_authstat_t);
514 		ipfo.ipfo_ptr = (void *)*frauthstpp;
515 
516 	    	if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
517 			ipferror(auth_fd, "ioctl(SIOCATHST)");
518 			exit(-1);
519 		}
520 	}
521 }
522 
523 
524 /*
525  * Build up the stats structures from data held in the "core" memory.
526  * This is mainly useful when looking at data in crash dumps and ioctl's
527  * just won't work any more.
528  */
529 static void ipfstate_dead( char *kernel, friostat_t **fiopp,
530 	ips_stat_t **ipsstpp, ipfrstat_t **ifrstpp,
531 	ipf_authstat_t **frauthstpp, u_32_t *frfp)
532 {
533 	static ipf_authstat_t frauthst, *frauthstp;
534 	static ipftq_t ipstcptab[IPF_TCP_NSTATES];
535 	static ips_stat_t ipsst, *ipsstp;
536 	static ipfrstat_t ifrst, *ifrstp;
537 	static friostat_t fio, *fiop;
538 	int temp;
539 
540 	void *rules[2][2];
541 	struct nlist deadlist[44] = {
542 		{ "ipf_auth_stats",	0, 0, 0, 0 },		/* 0 */
543 		{ "fae_list",		0, 0, 0, 0 },
544 		{ "ipauth",		0, 0, 0, 0 },
545 		{ "ipf_auth_list",		0, 0, 0, 0 },
546 		{ "ipf_auth_start",		0, 0, 0, 0 },
547 		{ "ipf_auth_end",		0, 0, 0, 0 },		/* 5 */
548 		{ "ipf_auth_next",		0, 0, 0, 0 },
549 		{ "ipf_auth",		0, 0, 0, 0 },
550 		{ "ipf_auth_used",		0, 0, 0, 0 },
551 		{ "ipf_auth_size",		0, 0, 0, 0 },
552 		{ "ipf_auth_defaultage",		0, 0, 0, 0 },	/* 10 */
553 		{ "ipf_auth_pkts",		0, 0, 0, 0 },
554 		{ "ipf_auth_lock",		0, 0, 0, 0 },
555 		{ "frstats",		0, 0, 0, 0 },
556 		{ "ips_stats",		0, 0, 0, 0 },
557 		{ "ips_num",		0, 0, 0, 0 },			/* 15 */
558 		{ "ips_wild",		0, 0, 0, 0 },
559 		{ "ips_list",		0, 0, 0, 0 },
560 		{ "ips_table",		0, 0, 0, 0 },
561 		{ "ipf_state_max",		0, 0, 0, 0 },
562 		{ "ipf_state_size",		0, 0, 0, 0 },		/* 20 */
563 		{ "ipf_state_doflush",		0, 0, 0, 0 },
564 		{ "ipf_state_lock",		0, 0, 0, 0 },
565 		{ "ipfr_heads",		0, 0, 0, 0 },
566 		{ "ipfr_nattab",		0, 0, 0, 0 },
567 		{ "ipfr_stats",		0, 0, 0, 0 },		/* 25 */
568 		{ "ipfr_inuse",		0, 0, 0, 0 },
569 		{ "ipf_ipfrttl",		0, 0, 0, 0 },
570 		{ "ipf_frag_lock",		0, 0, 0, 0 },
571 		{ "ipfr_timer_id",		0, 0, 0, 0 },
572 		{ "ipf_nat_lock",		0, 0, 0, 0 },		/* 30 */
573 		{ "ipf_rules",		0, 0, 0, 0 },
574 		{ "ipf_acct",		0, 0, 0, 0 },
575 		{ "ipl_frouteok",		0, 0, 0, 0 },
576 		{ "ipf_running",		0, 0, 0, 0 },
577 		{ "ipf_groups",		0, 0, 0, 0 },		/* 35 */
578 		{ "ipf_active",		0, 0, 0, 0 },
579 		{ "ipf_pass",		0, 0, 0, 0 },
580 		{ "ipf_flags",		0, 0, 0, 0 },
581 		{ "ipf_state_logging",		0, 0, 0, 0 },
582 		{ "ips_tqtqb",		0, 0, 0, 0 },		/* 40 */
583 		{ NULL,		0, 0, 0, 0 }
584 	};
585 
586 
587 	frauthstp = &frauthst;
588 	ipsstp = &ipsst;
589 	ifrstp = &ifrst;
590 	fiop = &fio;
591 
592 	*frfp = 0;
593 	*fiopp = fiop;
594 	*ipsstpp = ipsstp;
595 	*ifrstpp = ifrstp;
596 	*frauthstpp = frauthstp;
597 
598 	bzero((char *)fiop, sizeof(*fiop));
599 	bzero((char *)ipsstp, sizeof(*ipsstp));
600 	bzero((char *)ifrstp, sizeof(*ifrstp));
601 	bzero((char *)frauthstp, sizeof(*frauthstp));
602 
603 	if (nlist(kernel, deadlist) == -1) {
604 		fprintf(stderr, "nlist error\n");
605 		return;
606 	}
607 
608 	/*
609 	 * This is for SIOCGETFF.
610 	 */
611 	kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
612 
613 	/*
614 	 * f_locks is a combination of the lock variable from each part of
615 	 * ipfilter (state, auth, nat, fragments).
616 	 */
617 	kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
618 	kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
619 		sizeof(fiop->f_locks[0]));
620 	kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
621 		sizeof(fiop->f_locks[1]));
622 	kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
623 		sizeof(fiop->f_locks[2]));
624 	kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
625 		sizeof(fiop->f_locks[3]));
626 
627 	/*
628 	 * Get pointers to each list of rules (active, inactive, in, out)
629 	 */
630 	kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
631 	fiop->f_fin[0] = rules[0][0];
632 	fiop->f_fin[1] = rules[0][1];
633 	fiop->f_fout[0] = rules[1][0];
634 	fiop->f_fout[1] = rules[1][1];
635 
636 	/*
637 	 * Now get accounting rules pointers.
638 	 */
639 	kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
640 	fiop->f_acctin[0] = rules[0][0];
641 	fiop->f_acctin[1] = rules[0][1];
642 	fiop->f_acctout[0] = rules[1][0];
643 	fiop->f_acctout[1] = rules[1][1];
644 
645 	/*
646 	 * A collection of "global" variables used inside the kernel which
647 	 * are all collected in friostat_t via ioctl.
648 	 */
649 	kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value,
650 		sizeof(fiop->f_froute));
651 	kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value,
652 		sizeof(fiop->f_running));
653 	kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value,
654 		sizeof(fiop->f_groups));
655 	kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value,
656 		sizeof(fiop->f_active));
657 	kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value,
658 		sizeof(fiop->f_defpass));
659 
660 	/*
661 	 * Build up the state information stats structure.
662 	 */
663 	kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
664 	kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
665 	kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value,
666 		sizeof(ipstcptab));
667 	ipsstp->iss_active = temp;
668 	ipsstp->iss_table = (void *)deadlist[18].n_value;
669 	ipsstp->iss_list = (void *)deadlist[17].n_value;
670 	ipsstp->iss_tcptab = ipstcptab;
671 
672 	/*
673 	 * Build up the authentiation information stats structure.
674 	 */
675 	kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
676 		sizeof(*frauthstp));
677 	frauthstp->fas_faelist = (void *)deadlist[1].n_value;
678 
679 	/*
680 	 * Build up the fragment information stats structure.
681 	 */
682 	kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
683 		sizeof(*ifrstp));
684 	ifrstp->ifs_table = (void *)deadlist[23].n_value;
685 	ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
686 	kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
687 		sizeof(ifrstp->ifs_inuse));
688 
689 	/*
690 	 * Get logging on/off switches
691 	 */
692 	kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
693 		sizeof(state_logging));
694 }
695 
696 
697 static void printside(char *side, ipf_statistics_t *frs)
698 {
699 	int i;
700 
701 	PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side);
702 #ifdef	USE_INET6
703 	PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side);
704 #endif
705 	PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side);
706 	PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side);
707 	PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side);
708 	PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side);
709 	PRINTF("%lu\t%s packets short\n", frs->fr_short, side);
710 	PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side);
711 	PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side);
712 	PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side);
713 	PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side);
714 	PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side);
715 	PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side);
716 	PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side);
717 	PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side);
718 	PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side);
719 	PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side);
720 	PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side);
721 	PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side);
722 	PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side);
723 	for (i = 0; i <= FRB_MAX_VALUE; i++)
724 		PRINTF("%lu\t%s block reason %s\n",
725 			frs->fr_blocked[i], side, blockreasons[i]);
726 }
727 
728 
729 /*
730  * Display the kernel stats for packets blocked and passed and other
731  * associated running totals which are kept.
732  */
733 static	void	showstats( struct friostat *fp, u_32_t frf)
734 {
735 	printside("input", &fp->f_st[0]);
736 	printside("output", &fp->f_st[1]);
737 
738 	PRINTF("%lu\tpackets logged\n", fp->f_log_ok);
739 	PRINTF("%lu\tlog failures\n", fp->f_log_fail);
740 	PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem);
741 	PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max);
742 	PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret);
743 	PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret);
744 	PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]);
745 	PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]);
746 	PRINTF("%u\tIPF Ticks\n", fp->f_ticks);
747 
748 	PRINTF("%x\tPacket log flags set:\n", frf);
749 	if (frf & FF_LOGPASS)
750 		PRINTF("\tpackets passed through filter\n");
751 	if (frf & FF_LOGBLOCK)
752 		PRINTF("\tpackets blocked by filter\n");
753 	if (frf & FF_LOGNOMATCH)
754 		PRINTF("\tpackets not matched by filter\n");
755 	if (!frf)
756 		PRINTF("\tnone\n");
757 }
758 
759 
760 /*
761  * Print out a list of rules from the kernel, starting at the one passed.
762  */
763 static int
764 printlivelist( struct friostat *fiop, int out, int set, frentry_t *fp,
765 	char *group, char *comment)
766 {
767 	struct	frentry	fb;
768 	ipfruleiter_t rule;
769 	frentry_t zero;
770 	frgroup_t *g;
771 	ipfobj_t obj;
772 	int rules;
773 	int num;
774 
775 	rules = 0;
776 
777 	rule.iri_inout = out;
778 	rule.iri_active = set;
779 	rule.iri_rule = &fb;
780 	rule.iri_nrules = 1;
781 	if (group != NULL)
782 		strncpy(rule.iri_group, group, FR_GROUPLEN);
783 	else
784 		rule.iri_group[0] = '\0';
785 
786 	bzero((char *)&zero, sizeof(zero));
787 
788 	bzero((char *)&obj, sizeof(obj));
789 	obj.ipfo_rev = IPFILTER_VERSION;
790 	obj.ipfo_type = IPFOBJ_IPFITER;
791 	obj.ipfo_size = sizeof(rule);
792 	obj.ipfo_ptr = &rule;
793 
794 	while (rule.iri_rule != NULL) {
795 		u_long array[1000];
796 
797 		memset(array, 0xff, sizeof(array));
798 		fp = (frentry_t *)array;
799 		rule.iri_rule = fp;
800 		if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
801 			ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
802 			num = IPFGENITER_IPF;
803 			(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
804 			return (rules);
805 		}
806 		if (bcmp(fp, &zero, sizeof(zero)) == 0)
807 			break;
808 		if (rule.iri_rule == NULL)
809 			break;
810 #ifdef USE_INET6
811 		if (use_inet6 != 0 && use_inet4 == 0) {
812 			if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
813 				continue;
814 		} else if (use_inet4 != 0 && use_inet6 == 0) {
815 #endif
816 			if (fp->fr_family != 0 && fp->fr_family != AF_INET)
817 				continue;
818 #ifdef USE_INET6
819 		} else {
820 			if (fp->fr_family != 0 &&
821 			   fp->fr_family != AF_INET && fp->fr_family != AF_INET6)
822 				continue;
823 		}
824 #endif
825 
826 		if (fp->fr_data != NULL)
827 			fp->fr_data = (char *)fp + fp->fr_size;
828 
829 		rules++;
830 
831 		if (opts & (OPT_HITS|OPT_DEBUG))
832 #ifdef	USE_QUAD_T
833 			PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
834 #else
835 			PRINTF("%lu ", fp->fr_hits);
836 #endif
837 		if (opts & (OPT_ACCNT|OPT_DEBUG))
838 #ifdef	USE_QUAD_T
839 			PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
840 #else
841 			PRINTF("%lu ", fp->fr_bytes);
842 #endif
843 		if (opts & OPT_SHOWLINENO)
844 			PRINTF("@%d ", rules);
845 
846 		if (fp->fr_die != 0)
847 			fp->fr_die -= fiop->f_ticks;
848 
849 		printfr(fp, ioctl);
850 		if (opts & OPT_DEBUG) {
851 			binprint(fp, fp->fr_size);
852 			if (fp->fr_data != NULL && fp->fr_dsize > 0)
853 				binprint(fp->fr_data, fp->fr_dsize);
854 		}
855 		if (fp->fr_grhead != -1) {
856 			for (g = grtop; g != NULL; g = g->fg_next) {
857 				if (!strncmp(fp->fr_names + fp->fr_grhead,
858 					     g->fg_name,
859 					     FR_GROUPLEN))
860 					break;
861 			}
862 			if (g == NULL) {
863 				g = calloc(1, sizeof(*g));
864 
865 				if (g != NULL) {
866 					strncpy(g->fg_name,
867 						fp->fr_names + fp->fr_grhead,
868 						FR_GROUPLEN);
869 					if (grtop == NULL) {
870 						grtop = g;
871 						grtail = g;
872 					} else {
873 						grtail->fg_next = g;
874 						grtail = g;
875 					}
876 				}
877 			}
878 		}
879 		if (fp->fr_type == FR_T_CALLFUNC) {
880 			rules += printlivelist(fiop, out, set, fp->fr_data,
881 					       group, "# callfunc: ");
882 		}
883 	}
884 
885 	num = IPFGENITER_IPF;
886 	(void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
887 
888 	return (rules);
889 }
890 
891 
892 static void printdeadlist(friostat_t *fiop, int out, int set, frentry_t *fp,
893 	char *group, char *comment)
894 {
895 	frgroup_t *grtop, *grtail, *g;
896 	struct	frentry	fb;
897 	char	*data;
898 	u_32_t	type;
899 	int	n;
900 
901 	fb.fr_next = fp;
902 	n = 0;
903 	grtop = NULL;
904 	grtail = NULL;
905 
906 	for (n = 1; fp; fp = fb.fr_next, n++) {
907 		if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
908 			    fb.fr_size) == -1) {
909 			perror("kmemcpy");
910 			return;
911 		}
912 		fp = &fb;
913 #ifdef	USE_INET6
914 		if (use_inet6 != 0 && use_inet4 == 0) {
915 			if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
916 				continue;
917 		} else if (use_inet4 != 0 && use_inet6 == 0) {
918 #endif
919 			if (fp->fr_family != 0 && fp->fr_family != AF_INET)
920 				continue;
921 #ifdef	USE_INET6
922 		} else {
923 			if (fp->fr_family != 0 &&
924 			   fp->fr_family != AF_INET && fp->fr_family != AF_INET6)
925 				continue;
926 		}
927 #endif
928 
929 		data = NULL;
930 		type = fb.fr_type & ~FR_T_BUILTIN;
931 		if (type == FR_T_IPF || type == FR_T_BPFOPC) {
932 			if (fb.fr_dsize) {
933 				data = malloc(fb.fr_dsize);
934 
935 				if (kmemcpy(data, (u_long)fb.fr_data,
936 					    fb.fr_dsize) == -1) {
937 					perror("kmemcpy");
938 					return;
939 				}
940 				fb.fr_data = data;
941 			}
942 		}
943 
944 		if (opts & OPT_HITS)
945 #ifdef	USE_QUAD_T
946 			PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
947 #else
948 			PRINTF("%lu ", fb.fr_hits);
949 #endif
950 		if (opts & OPT_ACCNT)
951 #ifdef	USE_QUAD_T
952 			PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
953 #else
954 			PRINTF("%lu ", fb.fr_bytes);
955 #endif
956 		if (opts & OPT_SHOWLINENO)
957 			PRINTF("@%d ", n);
958 
959 		printfr(fp, ioctl);
960 		if (opts & OPT_DEBUG) {
961 			binprint(fp, fp->fr_size);
962 			if (fb.fr_data != NULL && fb.fr_dsize > 0)
963 				binprint(fb.fr_data, fb.fr_dsize);
964 		}
965 		if (data != NULL)
966 			free(data);
967 		if (fb.fr_grhead != -1) {
968 			g = calloc(1, sizeof(*g));
969 
970 			if (g != NULL) {
971 				strncpy(g->fg_name, fb.fr_names + fb.fr_grhead,
972 					FR_GROUPLEN);
973 				if (grtop == NULL) {
974 					grtop = g;
975 					grtail = g;
976 				} else {
977 					grtail->fg_next = g;
978 					grtail = g;
979 				}
980 			}
981 		}
982 		if (type == FR_T_CALLFUNC) {
983 			printdeadlist(fiop, out, set, fb.fr_data, group,
984 				      "# callfunc: ");
985 		}
986 	}
987 
988 	while ((g = grtop) != NULL) {
989 		printdeadlist(fiop, out, set, NULL, g->fg_name, comment);
990 		grtop = g->fg_next;
991 		free(g);
992 	}
993 }
994 
995 /*
996  * print out all of the asked for rule sets, using the stats struct as
997  * the base from which to get the pointers.
998  */
999 static	void	showlist(struct friostat *fiop)
1000 {
1001 	struct	frentry	*fp = NULL;
1002 	int	i, set;
1003 
1004 	set = fiop->f_active;
1005 	if (opts & OPT_INACTIVE)
1006 		set = 1 - set;
1007 	if (opts & OPT_ACCNT) {
1008 		if (opts & OPT_OUTQUE) {
1009 			i = F_ACOUT;
1010 			fp = (struct frentry *)fiop->f_acctout[set];
1011 		} else if (opts & OPT_INQUE) {
1012 			i = F_ACIN;
1013 			fp = (struct frentry *)fiop->f_acctin[set];
1014 		} else {
1015 			FPRINTF(stderr, "No -i or -o given with -a\n");
1016 			return;
1017 		}
1018 	} else {
1019 		if (opts & OPT_OUTQUE) {
1020 			i = F_OUT;
1021 			fp = (struct frentry *)fiop->f_fout[set];
1022 		} else if (opts & OPT_INQUE) {
1023 			i = F_IN;
1024 			fp = (struct frentry *)fiop->f_fin[set];
1025 		} else
1026 			return;
1027 	}
1028 	if (opts & OPT_DEBUG)
1029 		FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
1030 
1031 	if (opts & OPT_DEBUG)
1032 		PRINTF("fp %p set %d\n", fp, set);
1033 
1034 	if (live_kernel == 1) {
1035 		int printed;
1036 
1037 		printed = printlivelist(fiop, i, set, fp, NULL, NULL);
1038 		if (printed == 0) {
1039 			FPRINTF(stderr, "# empty list for %s%s\n",
1040 			        (opts & OPT_INACTIVE) ? "inactive " : "",
1041 							filters[i]);
1042 		}
1043 	} else {
1044 		if (!fp) {
1045 			FPRINTF(stderr, "# empty list for %s%s\n",
1046 			        (opts & OPT_INACTIVE) ? "inactive " : "",
1047 							filters[i]);
1048 		} else {
1049 			printdeadlist(fiop, i, set, fp, NULL, NULL);
1050 		}
1051 	}
1052 }
1053 
1054 
1055 /*
1056  * Display ipfilter stateful filtering information
1057  */
1058 static void showipstates(ips_stat_t *ipsp, int *filter)
1059 {
1060 	ipstate_t *is;
1061 	int i;
1062 
1063 	/*
1064 	 * If a list of states hasn't been asked for, only print out stats
1065 	 */
1066 	if (!(opts & OPT_SHOWLIST)) {
1067 		showstatestats(ipsp);
1068 		return;
1069 	}
1070 
1071 	if ((state_fields != NULL) && (nohdrfields == 0)) {
1072 		for (i = 0; state_fields[i].w_value != 0; i++) {
1073 			printfieldhdr(statefields, state_fields + i);
1074 			if (state_fields[i + 1].w_value != 0)
1075 				printf("\t");
1076 		}
1077 		printf("\n");
1078 	}
1079 
1080 	/*
1081 	 * Print out all the state information currently held in the kernel.
1082 	 */
1083 	for (is = ipsp->iss_list; is != NULL; ) {
1084 		ipstate_t ips;
1085 
1086 		is = fetchstate(is, &ips);
1087 
1088 		if (is == NULL)
1089 			break;
1090 
1091 		is = ips.is_next;
1092 		if ((filter != NULL) &&
1093 		    (state_matcharray(&ips, filter) == 0)) {
1094 			continue;
1095 		}
1096 		if (state_fields != NULL) {
1097 			for (i = 0; state_fields[i].w_value != 0; i++) {
1098 				printstatefield(&ips, state_fields[i].w_value);
1099 				if (state_fields[i + 1].w_value != 0)
1100 					printf("\t");
1101 			}
1102 			printf("\n");
1103 		} else {
1104 			printstate(&ips, opts, ipsp->iss_ticks);
1105 		}
1106 	}
1107 }
1108 
1109 
1110 static void showstatestats(ips_stat_t *ipsp)
1111 {
1112 	int minlen, maxlen, totallen;
1113 	ipftable_t table;
1114 	u_int *buckets;
1115 	ipfobj_t obj;
1116 	int i, sz;
1117 
1118 	/*
1119 	 * If a list of states hasn't been asked for, only print out stats
1120 	 */
1121 
1122 	sz = sizeof(*buckets) * ipsp->iss_state_size;
1123 	buckets = (u_int *)malloc(sz);
1124 
1125 	obj.ipfo_rev = IPFILTER_VERSION;
1126 	obj.ipfo_type = IPFOBJ_GTABLE;
1127 	obj.ipfo_size = sizeof(table);
1128 	obj.ipfo_ptr = &table;
1129 
1130 	table.ita_type = IPFTABLE_BUCKETS;
1131 	table.ita_table = buckets;
1132 
1133 	if (live_kernel == 1) {
1134 		if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
1135 			free(buckets);
1136 			return;
1137 		}
1138 	} else {
1139 		if (kmemcpy((char *)buckets,
1140 			    (u_long)ipsp->iss_bucketlen, sz)) {
1141 			free(buckets);
1142 			return;
1143 		}
1144 	}
1145 
1146 	PRINTF("%u\tactive state table entries\n",ipsp->iss_active);
1147 	PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad);
1148 	PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup);
1149 	PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked);
1150 	PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow);
1151 	PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full);
1152 	PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad);
1153 	PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss);
1154 	PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag);
1155 	PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem);
1156 	PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag);
1157 	PRINTF("%lu\tcheck success\n", ipsp->iss_hits);
1158 	PRINTF("%lu\tcloned\n", ipsp->iss_cloned);
1159 	PRINTF("%lu\texpired\n", ipsp->iss_expire);
1160 	PRINTF("%lu\tflush all\n", ipsp->iss_flush_all);
1161 	PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing);
1162 	PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue);
1163 	PRINTF("%lu\tflush state\n", ipsp->iss_flush_state);
1164 	PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout);
1165 	PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse);
1166 	PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad);
1167 	PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned);
1168 	PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr);
1169 	PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock);
1170 	PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits);
1171 	PRINTF("%lu\tICMP not query\n",	ipsp->iss_icmp_notquery);
1172 	PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short);
1173 	PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany);
1174 	PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr);
1175 	PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss);
1176 	PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo);
1177 	PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery);
1178 	PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail);
1179 	PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok);
1180 	PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp);
1181 	PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask);
1182 	PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport);
1183 	PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss);
1184 	PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref);
1185 	PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track);
1186 	PRINTF("%lu\tno memory\n", ipsp->iss_nomem);
1187 	PRINTF("%lu\tout of window\n", ipsp->iss_oow);
1188 	PRINTF("%lu\torphans\n", ipsp->iss_orphan);
1189 	PRINTF("%lu\tscan block\n", ipsp->iss_scan_block);
1190 	PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max);
1191 	PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing);
1192 	PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow);
1193 	PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd);
1194 	PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall);
1195 	PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt);
1196 	PRINTF("%lu\tTCP removed\n", ipsp->iss_fin);
1197 	PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm);
1198 	PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict);
1199 	PRINTF("%lu\tTCP wild\n", ipsp->iss_wild);
1200 	PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack);
1201 
1202 	PRINTF("State logging %sabled\n", state_logging ? "en" : "dis");
1203 
1204 	PRINTF("IP states added:\n");
1205 	for (i = 0; i < 256; i++) {
1206 		if (ipsp->iss_proto[i] != 0) {
1207 			struct protoent *proto;
1208 
1209 			proto = getprotobynumber(i);
1210 			PRINTF("%lu", ipsp->iss_proto[i]);
1211 			if (proto != NULL)
1212 				PRINTF("\t%s\n", proto->p_name);
1213 			else
1214 				PRINTF("\t%d\n", i);
1215 		}
1216 	}
1217 
1218 	PRINTF("\nState table bucket statistics:\n");
1219 	PRINTF("%u\tin use\n", ipsp->iss_inuse);
1220 
1221 	minlen = ipsp->iss_max;
1222 	totallen = 0;
1223 	maxlen = 0;
1224 
1225 	for (i = 0; i < ipsp->iss_state_size; i++) {
1226 		if (buckets[i] > maxlen)
1227 			maxlen = buckets[i];
1228 		if (buckets[i] < minlen)
1229 			minlen = buckets[i];
1230 		totallen += buckets[i];
1231 	}
1232 
1233 	PRINTF("%d\thash efficiency\n",
1234 		totallen ? ipsp->iss_inuse * 100 / totallen : 0);
1235 	PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n",
1236 		((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0,
1237 		minlen);
1238 	PRINTF("%u\tmaximal length\n%.3f\taverage length\n",
1239 		maxlen,
1240 		ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
1241 				  0.0);
1242 
1243 #define ENTRIES_PER_LINE 5
1244 
1245 	if (opts & OPT_VERBOSE) {
1246 		PRINTF("\nCurrent bucket sizes :\n");
1247 		for (i = 0; i < ipsp->iss_state_size; i++) {
1248 			if ((i % ENTRIES_PER_LINE) == 0)
1249 				PRINTF("\t");
1250 			PRINTF("%4d -> %4u", i, buckets[i]);
1251 			if ((i % ENTRIES_PER_LINE) ==
1252 			    (ENTRIES_PER_LINE - 1))
1253 				PRINTF("\n");
1254 			else
1255 				PRINTF("  ");
1256 		}
1257 		PRINTF("\n");
1258 	}
1259 	PRINTF("\n");
1260 
1261 	free(buckets);
1262 
1263 	if (live_kernel == 1) {
1264 		showtqtable_live(state_fd);
1265 	} else {
1266 		printtqtable(ipsp->iss_tcptab);
1267 	}
1268 }
1269 
1270 
1271 #ifdef STATETOP
1272 static int handle_resize = 0, handle_break = 0;
1273 
1274 static void topipstates(i6addr_t saddr, i6addr_t daddr, int sport, int dport,
1275 	int protocol, int ver, int refreshtime, int topclosed, int *filter)
1276 {
1277 	char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
1278 	int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
1279 	int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
1280 	int len, srclen, dstlen, forward = 1, c = 0;
1281 	ips_stat_t ipsst, *ipsstp = &ipsst;
1282 	int token_type = IPFGENITER_STATE;
1283 	statetop_t *tstable = NULL, *tp;
1284 	const char *errstr = "";
1285 	ipstate_t ips;
1286 	ipfobj_t ipfo;
1287 	struct timeval selecttimeout;
1288 	char hostnm[HOSTNMLEN];
1289 	struct protoent *proto;
1290 	fd_set readfd;
1291 	time_t t;
1292 
1293 	/* install signal handlers */
1294 	signal(SIGINT, sig_break);
1295 	signal(SIGQUIT, sig_break);
1296 	signal(SIGTERM, sig_break);
1297 	signal(SIGWINCH, sig_resize);
1298 
1299 	/* init ncurses stuff */
1300   	initscr();
1301   	cbreak();
1302   	noecho();
1303 	curs_set(0);
1304 	timeout(0);
1305 	getmaxyx(stdscr, maxy, maxx);
1306 
1307 	/* init hostname */
1308 	gethostname(hostnm, sizeof(hostnm) - 1);
1309 	hostnm[sizeof(hostnm) - 1] = '\0';
1310 
1311 	/* init ipfobj_t stuff */
1312 	bzero((caddr_t)&ipfo, sizeof(ipfo));
1313 	ipfo.ipfo_rev = IPFILTER_VERSION;
1314 	ipfo.ipfo_type = IPFOBJ_STATESTAT;
1315 	ipfo.ipfo_size = sizeof(*ipsstp);
1316 	ipfo.ipfo_ptr = (void *)ipsstp;
1317 
1318 	/* repeat until user aborts */
1319 	while ( 1 ) {
1320 
1321 		/* get state table */
1322 		bzero((char *)&ipsst, sizeof(ipsst));
1323 		if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
1324 			errstr = "ioctl(SIOCGETFS)";
1325 			ret = -1;
1326 			goto out;
1327 		}
1328 
1329 		/* clear the history */
1330 		tsentry = -1;
1331 
1332 		/* reset max str len */
1333 		srclen = dstlen = 0;
1334 
1335 		/* read the state table and store in tstable */
1336 		for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
1337 
1338 			ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
1339 			if (ipsstp->iss_list == NULL)
1340 				break;
1341 
1342 			if (ver != 0 && ips.is_v != ver)
1343 				continue;
1344 
1345 			if ((filter != NULL) &&
1346 			    (state_matcharray(&ips, filter) == 0))
1347 				continue;
1348 
1349 			/* check v4 src/dest addresses */
1350 			if (ips.is_v == 4) {
1351 				if ((saddr.in4.s_addr != INADDR_ANY &&
1352 				     saddr.in4.s_addr != ips.is_saddr) ||
1353 				    (daddr.in4.s_addr != INADDR_ANY &&
1354 				     daddr.in4.s_addr != ips.is_daddr))
1355 					continue;
1356 			}
1357 #ifdef	USE_INET6
1358 			/* check v6 src/dest addresses */
1359 			if (ips.is_v == 6) {
1360 				if ((IP6_NEQ(&saddr, &in6addr_any) &&
1361 				     IP6_NEQ(&saddr, &ips.is_src)) ||
1362 				    (IP6_NEQ(&daddr, &in6addr_any) &&
1363 				     IP6_NEQ(&daddr, &ips.is_dst)))
1364 					continue;
1365 			}
1366 #endif
1367 			/* check protocol */
1368 			if (protocol > 0 && protocol != ips.is_p)
1369 				continue;
1370 
1371 			/* check ports if protocol is TCP or UDP */
1372 			if (((ips.is_p == IPPROTO_TCP) ||
1373 			     (ips.is_p == IPPROTO_UDP)) &&
1374 			   (((sport > 0) && (htons(sport) != ips.is_sport)) ||
1375 			    ((dport > 0) && (htons(dport) != ips.is_dport))))
1376 				continue;
1377 
1378 			/* show closed TCP sessions ? */
1379 			if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
1380 			    (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
1381 			    (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
1382 				continue;
1383 
1384 			/*
1385 			 * if necessary make room for this state
1386 			 * entry
1387 			 */
1388 			tsentry++;
1389 			if (!maxtsentries || tsentry == maxtsentries) {
1390 				maxtsentries += STGROWSIZE;
1391 				tstable = reallocarray(tstable, maxtsentries,
1392 				    sizeof(statetop_t));
1393 				if (tstable == NULL) {
1394 					perror("realloc");
1395 					exit(-1);
1396 				}
1397 			}
1398 
1399 			/* get max src/dest address string length */
1400 			len = strlen(getip(ips.is_v, &ips.is_src));
1401 			if (srclen < len)
1402 				srclen = len;
1403 			len = strlen(getip(ips.is_v, &ips.is_dst));
1404 			if (dstlen < len)
1405 				dstlen = len;
1406 
1407 			/* fill structure */
1408 			tp = tstable + tsentry;
1409 			tp->st_src = ips.is_src;
1410 			tp->st_dst = ips.is_dst;
1411 			tp->st_p = ips.is_p;
1412 			tp->st_v = ips.is_v;
1413 			tp->st_state[0] = ips.is_state[0];
1414 			tp->st_state[1] = ips.is_state[1];
1415 			if (forward) {
1416 				tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
1417 				tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
1418 			} else {
1419 				tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
1420 				tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
1421 			}
1422 			tp->st_age = ips.is_die - ipsstp->iss_ticks;
1423 			if ((ips.is_p == IPPROTO_TCP) ||
1424 			    (ips.is_p == IPPROTO_UDP)) {
1425 				tp->st_sport = ips.is_sport;
1426 				tp->st_dport = ips.is_dport;
1427 			}
1428 		}
1429 
1430 		(void) ioctl(state_fd, SIOCIPFDELTOK, &token_type);
1431 
1432 		/* sort the array */
1433 		if (tsentry != -1) {
1434 			switch (sorting)
1435 			{
1436 			case STSORT_PR:
1437 				qsort(tstable, tsentry + 1,
1438 				      sizeof(statetop_t), sort_p);
1439 				break;
1440 			case STSORT_PKTS:
1441 				qsort(tstable, tsentry + 1,
1442 				      sizeof(statetop_t), sort_pkts);
1443 				break;
1444 			case STSORT_BYTES:
1445 				qsort(tstable, tsentry + 1,
1446 				      sizeof(statetop_t), sort_bytes);
1447 				break;
1448 			case STSORT_TTL:
1449 				qsort(tstable, tsentry + 1,
1450 				      sizeof(statetop_t), sort_ttl);
1451 				break;
1452 			case STSORT_SRCIP:
1453 				qsort(tstable, tsentry + 1,
1454 				      sizeof(statetop_t), sort_srcip);
1455 				break;
1456 			case STSORT_SRCPT:
1457 				qsort(tstable, tsentry +1,
1458 					sizeof(statetop_t), sort_srcpt);
1459 				break;
1460 			case STSORT_DSTIP:
1461 				qsort(tstable, tsentry + 1,
1462 				      sizeof(statetop_t), sort_dstip);
1463 				break;
1464 			case STSORT_DSTPT:
1465 				qsort(tstable, tsentry + 1,
1466 				      sizeof(statetop_t), sort_dstpt);
1467 				break;
1468 			default:
1469 				break;
1470 			}
1471 		}
1472 
1473 		/* handle window resizes */
1474 		if (handle_resize) {
1475 			endwin();
1476 			initscr();
1477 			cbreak();
1478 			noecho();
1479 			curs_set(0);
1480 			timeout(0);
1481 			getmaxyx(stdscr, maxy, maxx);
1482 			redraw = 1;
1483 			handle_resize = 0;
1484 		}
1485 
1486 		/* stop program? */
1487 		if (handle_break)
1488 			break;
1489 
1490 		/* print title */
1491 		erase();
1492 		attron(A_BOLD);
1493 		winy = 0;
1494 		move(winy,0);
1495 		snprintf(str1, sizeof(str1), "%s - %s - state top", hostnm, IPL_VERSION);
1496 		for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
1497 			printw(" ");
1498 		printw("%s", str1);
1499 		attroff(A_BOLD);
1500 
1501 		/* just for fun add a clock */
1502 		move(winy, maxx - 8);
1503 		t = time(NULL);
1504 		strftime(str1, 80, "%T", localtime(&t));
1505 		printw("%s\n", str1);
1506 
1507 		/*
1508 		 * print the display filters, this is placed in the loop,
1509 		 * because someday I might add code for changing these
1510 		 * while the programming is running :-)
1511 		 */
1512 		if (sport >= 0)
1513 			snprintf(str1, sizeof(str1), "%s,%d", getip(ver, &saddr), sport);
1514 		else
1515 			snprintf(str1, sizeof(str1), "%s", getip(ver, &saddr));
1516 
1517 		if (dport >= 0)
1518 			snprintf(str2, sizeof(str2), "%s,%d", getip(ver, &daddr), dport);
1519 		else
1520 			snprintf(str2, sizeof(str2), "%s", getip(ver, &daddr));
1521 
1522 		if (protocol < 0)
1523 			strcpy(str3, "any");
1524 		else if ((proto = getprotobynumber(protocol)) != NULL)
1525 			snprintf(str3, sizeof(str3), "%s", proto->p_name);
1526 		else
1527 			snprintf(str3, sizeof(str3), "%d", protocol);
1528 
1529 		switch (sorting)
1530 		{
1531 		case STSORT_PR:
1532 			snprintf(str4, sizeof(str4), "proto");
1533 			break;
1534 		case STSORT_PKTS:
1535 			snprintf(str4, sizeof(str4), "# pkts");
1536 			break;
1537 		case STSORT_BYTES:
1538 			snprintf(str4, sizeof(str4), "# bytes");
1539 			break;
1540 		case STSORT_TTL:
1541 			snprintf(str4, sizeof(str4), "ttl");
1542 			break;
1543 		case STSORT_SRCIP:
1544 			snprintf(str4, sizeof(str4), "src ip");
1545 			break;
1546 		case STSORT_SRCPT:
1547 			snprintf(str4, sizeof(str4), "src port");
1548 			break;
1549 		case STSORT_DSTIP:
1550 			snprintf(str4, sizeof(str4), "dest ip");
1551 			break;
1552 		case STSORT_DSTPT:
1553 			snprintf(str4, sizeof(str4), "dest port");
1554 			break;
1555 		default:
1556 			snprintf(str4, sizeof(str4), "unknown");
1557 			break;
1558 		}
1559 
1560 		if (reverse)
1561 			strcat(str4, " (reverse)");
1562 
1563 		winy += 2;
1564 		move(winy,0);
1565 		printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
1566 		       str1, str2, str3, str4);
1567 
1568 		/*
1569 		 * For an IPv4 IP address we need at most 15 characters,
1570 		 * 4 tuples of 3 digits, separated by 3 dots. Enforce this
1571 		 * length, so the columns do not change positions based
1572 		 * on the size of the IP address. This length makes the
1573 		 * output fit in a 80 column terminal.
1574 		 * We are lacking a good solution for IPv6 addresses (that
1575 		 * can be longer that 15 characters), so we do not enforce
1576 		 * a maximum on the IP field size.
1577 		 */
1578 		if (srclen < 15)
1579 			srclen = 15;
1580 		if (dstlen < 15)
1581 			dstlen = 15;
1582 
1583 		/* print column description */
1584 		winy += 2;
1585 		move(winy,0);
1586 		attron(A_BOLD);
1587 		printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
1588 		       srclen + 6, "Source IP", dstlen + 6, "Destination IP",
1589 		       "ST", "PR", "#pkts", "#bytes", "ttl");
1590 		attroff(A_BOLD);
1591 
1592 		/* print all the entries */
1593 		tp = tstable;
1594 		if (reverse)
1595 			tp += tsentry;
1596 
1597 		if (tsentry > maxy - 6)
1598 			tsentry = maxy - 6;
1599 		for (i = 0; i <= tsentry; i++) {
1600 			/* print src/dest and port */
1601 			if ((tp->st_p == IPPROTO_TCP) ||
1602 			    (tp->st_p == IPPROTO_UDP)) {
1603 				snprintf(str1, sizeof(str1), "%s,%hu",
1604 					getip(tp->st_v, &tp->st_src),
1605 					ntohs(tp->st_sport));
1606 				snprintf(str2, sizeof(str2), "%s,%hu",
1607 					getip(tp->st_v, &tp->st_dst),
1608 					ntohs(tp->st_dport));
1609 			} else {
1610 				snprintf(str1, sizeof(str1), "%s", getip(tp->st_v,
1611 				    &tp->st_src));
1612 				snprintf(str2, sizeof(str2), "%s", getip(tp->st_v,
1613 				    &tp->st_dst));
1614 			}
1615 			winy++;
1616 			move(winy, 0);
1617 			printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
1618 
1619 			/* print state */
1620 			snprintf(str1, sizeof(str1), "%X/%X", tp->st_state[0],
1621 				tp->st_state[1]);
1622 			printw(" %3s", str1);
1623 
1624 			/* print protocol */
1625 			proto = getprotobynumber(tp->st_p);
1626 			if (proto) {
1627 				strncpy(str1, proto->p_name, 4);
1628 				str1[4] = '\0';
1629 			} else {
1630 				snprintf(str1, sizeof(str1), "%d", tp->st_p);
1631 			}
1632 			/* just print icmp for IPv6-ICMP */
1633 			if (tp->st_p == IPPROTO_ICMPV6)
1634 				strcpy(str1, "icmp");
1635 			printw(" %4s", str1);
1636 
1637 			/* print #pkt/#bytes */
1638 #ifdef	USE_QUAD_T
1639 			printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
1640 				(unsigned long long) tp->st_bytes);
1641 #else
1642 			printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
1643 #endif
1644 			printw(" %9s", ttl_to_string(tp->st_age));
1645 
1646 			if (reverse)
1647 				tp--;
1648 			else
1649 				tp++;
1650 		}
1651 
1652 		/* screen data structure is filled, now update the screen */
1653 		if (redraw)
1654 			clearok(stdscr,1);
1655 
1656 		if (refresh() == ERR)
1657 			break;
1658 		if (redraw) {
1659 			clearok(stdscr,0);
1660 			redraw = 0;
1661 		}
1662 
1663 		/* wait for key press or a 1 second time out period */
1664 		selecttimeout.tv_sec = refreshtime;
1665 		selecttimeout.tv_usec = 0;
1666 		FD_ZERO(&readfd);
1667 		FD_SET(0, &readfd);
1668 		select(1, &readfd, NULL, NULL, &selecttimeout);
1669 
1670 		/* if key pressed, read all waiting keys */
1671 		if (FD_ISSET(0, &readfd)) {
1672 			c = wgetch(stdscr);
1673 			if (c == ERR)
1674 				continue;
1675 
1676 			if (ISALPHA(c) && ISUPPER(c))
1677 				c = TOLOWER(c);
1678 			if (c == 'l') {
1679 				redraw = 1;
1680 			} else if (c == 'q') {
1681 				break;
1682 			} else if (c == 'r') {
1683 				reverse = !reverse;
1684 			} else if (c == 'b') {
1685 				forward = 0;
1686 			} else if (c == 'f') {
1687 				forward = 1;
1688 			} else if (c == 's') {
1689 				if (++sorting > STSORT_MAX)
1690 					sorting = 0;
1691 			}
1692 		}
1693 	} /* while */
1694 
1695 out:
1696 	printw("\n");
1697 	curs_set(1);
1698 	/* nocbreak(); XXX - endwin() should make this redundant */
1699 	endwin();
1700 
1701 	free(tstable);
1702 	if (ret != 0)
1703 		perror(errstr);
1704 }
1705 #endif
1706 
1707 
1708 /*
1709  * Show fragment cache information that's held in the kernel.
1710  */
1711 static void showfrstates(ipfrstat_t *ifsp, u_long ticks)
1712 {
1713 	struct ipfr *ipfrtab[IPFT_SIZE], ifr;
1714 	int i;
1715 
1716 	/*
1717 	 * print out the numeric statistics
1718 	 */
1719 	PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n",
1720 		ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
1721 	PRINTF("%lu\tretrans\n%lu\ttoo short\n",
1722 		ifsp->ifs_retrans0, ifsp->ifs_short);
1723 	PRINTF("%lu\tno memory\n%lu\talready exist\n",
1724 		ifsp->ifs_nomem, ifsp->ifs_exists);
1725 	PRINTF("%lu\tinuse\n", ifsp->ifs_inuse);
1726 	PRINTF("\n");
1727 
1728 	if (live_kernel == 0) {
1729 		if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
1730 			    sizeof(ipfrtab)))
1731 			return;
1732 	}
1733 
1734 	/*
1735 	 * Print out the contents (if any) of the fragment cache table.
1736 	 */
1737 	if (live_kernel == 1) {
1738 		do {
1739 			if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
1740 				break;
1741 			if (ifr.ipfr_ifp == NULL)
1742 				break;
1743 			ifr.ipfr_ttl -= ticks;
1744 			printfraginfo("", &ifr);
1745 		} while (ifr.ipfr_next != NULL);
1746 	} else {
1747 		for (i = 0; i < IPFT_SIZE; i++)
1748 			while (ipfrtab[i] != NULL) {
1749 				if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1750 					    sizeof(ifr)) == -1)
1751 					break;
1752 				printfraginfo("", &ifr);
1753 				ipfrtab[i] = ifr.ipfr_next;
1754 			}
1755 	}
1756 	/*
1757 	 * Print out the contents (if any) of the NAT fragment cache table.
1758 	 */
1759 
1760 	if (live_kernel == 0) {
1761 		if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
1762 			    sizeof(ipfrtab)))
1763 			return;
1764 	}
1765 
1766 	if (live_kernel == 1) {
1767 		do {
1768 			if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
1769 				break;
1770 			if (ifr.ipfr_ifp == NULL)
1771 				break;
1772 			ifr.ipfr_ttl -= ticks;
1773 			printfraginfo("NAT: ", &ifr);
1774 		} while (ifr.ipfr_next != NULL);
1775 	} else {
1776 		for (i = 0; i < IPFT_SIZE; i++)
1777 			while (ipfrtab[i] != NULL) {
1778 				if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1779 					    sizeof(ifr)) == -1)
1780 					break;
1781 				printfraginfo("NAT: ", &ifr);
1782 				ipfrtab[i] = ifr.ipfr_next;
1783 			}
1784 	}
1785 }
1786 
1787 
1788 /*
1789  * Show stats on how auth within IPFilter has been used
1790  */
1791 static void showauthstates(ipf_authstat_t *asp)
1792 {
1793 	frauthent_t *frap, fra;
1794 	ipfgeniter_t auth;
1795 	ipfobj_t obj;
1796 
1797 	obj.ipfo_rev = IPFILTER_VERSION;
1798 	obj.ipfo_type = IPFOBJ_GENITER;
1799 	obj.ipfo_size = sizeof(auth);
1800 	obj.ipfo_ptr = &auth;
1801 
1802 	auth.igi_type = IPFGENITER_AUTH;
1803 	auth.igi_nitems = 1;
1804 	auth.igi_data = &fra;
1805 
1806 #ifdef	USE_QUAD_T
1807 	printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
1808 		(unsigned long long) asp->fas_hits,
1809 		(unsigned long long) asp->fas_miss);
1810 #else
1811 	printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
1812 		asp->fas_miss);
1813 #endif
1814 	printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
1815 		asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
1816 		asp->fas_sendok);
1817 	printf("queok %ld\nquefail %ld\nexpire %ld\n",
1818 		asp->fas_queok, asp->fas_quefail, asp->fas_expire);
1819 
1820 	frap = asp->fas_faelist;
1821 	while (frap) {
1822 		if (live_kernel == 1) {
1823 			if (ioctl(auth_fd, SIOCGENITER, &obj))
1824 				break;
1825 		} else {
1826 			if (kmemcpy((char *)&fra, (u_long)frap,
1827 				    sizeof(fra)) == -1)
1828 				break;
1829 		}
1830 		printf("age %ld\t", fra.fae_age);
1831 		printfr(&fra.fae_fr, ioctl);
1832 		frap = fra.fae_next;
1833 	}
1834 }
1835 
1836 
1837 /*
1838  * Display groups used for each of filter rules, accounting rules and
1839  * authentication, separately.
1840  */
1841 static void showgroups(struct friostat	*fiop)
1842 {
1843 	static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
1844 	static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
1845 	frgroup_t *fp, grp;
1846 	int on, off, i;
1847 
1848 	on = fiop->f_active;
1849 	off = 1 - on;
1850 
1851 	for (i = 0; i < 3; i++) {
1852 		printf("%s groups (active):\n", gnames[i]);
1853 		for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
1854 		     fp = grp.fg_next)
1855 			if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1856 				break;
1857 			else
1858 				printf("%s\n", grp.fg_name);
1859 		printf("%s groups (inactive):\n", gnames[i]);
1860 		for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
1861 		     fp = grp.fg_next)
1862 			if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1863 				break;
1864 			else
1865 				printf("%s\n", grp.fg_name);
1866 	}
1867 }
1868 
1869 
1870 static void parse_ipportstr(const char *argument, i6addr_t *ip, int *port)
1871 {
1872 	char *s, *comma;
1873 	int ok = 0;
1874 
1875 	/* make working copy of argument, Theoretically you must be able
1876 	 * to write to optarg, but that seems very ugly to me....
1877 	 */
1878 	s = strdup(argument);
1879 	if (s == NULL)
1880 		return;
1881 
1882 	/* get port */
1883 	if ((comma = strchr(s, ',')) != NULL) {
1884 		if (!strcasecmp(comma + 1, "any")) {
1885 			*port = -1;
1886 		} else if (!sscanf(comma + 1, "%d", port) ||
1887 			   (*port < 0) || (*port > 65535)) {
1888 			fprintf(stderr, "Invalid port specification in %s\n",
1889 				argument);
1890 			free(s);
1891 			exit(-2);
1892 		}
1893 		*comma = '\0';
1894 	}
1895 
1896 
1897 	/* get ip address */
1898 	if (!strcasecmp(s, "any")) {
1899 		ip->in4.s_addr = INADDR_ANY;
1900 		ok = 1;
1901 #ifdef	USE_INET6
1902 		ip->in6 = in6addr_any;
1903 	} else if (use_inet6 && !use_inet4 && inet_pton(AF_INET6, s, &ip->in6)) {
1904 		ok = 1;
1905 #endif
1906 	} else if (inet_aton(s, &ip->in4))
1907 		ok = 1;
1908 
1909 	if (ok == 0) {
1910 		fprintf(stderr, "Invalid IP address: %s\n", s);
1911 		free(s);
1912 		exit(-2);
1913 	}
1914 
1915 	/* free allocated memory */
1916 	free(s);
1917 }
1918 
1919 
1920 #ifdef STATETOP
1921 static void sig_resize(int s)
1922 {
1923 	handle_resize = 1;
1924 }
1925 
1926 static void sig_break(int s)
1927 {
1928 	handle_break = 1;
1929 }
1930 
1931 static char *getip(int v, i6addr_t *addr)
1932 {
1933 #ifdef  USE_INET6
1934 	static char hostbuf[MAXHOSTNAMELEN+1];
1935 #endif
1936 
1937 	if (v == 0)
1938 		return ("any");
1939 
1940 	if (v == 4)
1941 		return (inet_ntoa(addr->in4));
1942 
1943 #ifdef  USE_INET6
1944 	(void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
1945 	hostbuf[MAXHOSTNAMELEN] = '\0';
1946 	return (hostbuf);
1947 #else
1948 	return ("IPv6");
1949 #endif
1950 }
1951 
1952 
1953 static char *ttl_to_string(long int ttl)
1954 {
1955 	static char ttlbuf[STSTRSIZE];
1956 	int hours, minutes, seconds;
1957 
1958 	/* ttl is in half seconds */
1959 	ttl /= 2;
1960 
1961 	hours = ttl / 3600;
1962 	ttl = ttl % 3600;
1963 	minutes = ttl / 60;
1964 	seconds = ttl % 60;
1965 
1966 	if (hours > 0)
1967 		snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d:%02d", hours, minutes, seconds);
1968 	else
1969 		snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d", minutes, seconds);
1970 	return (ttlbuf);
1971 }
1972 
1973 
1974 static int sort_pkts(const void *a, const void *b)
1975 {
1976 
1977 	register const statetop_t *ap = a;
1978 	register const statetop_t *bp = b;
1979 
1980 	if (ap->st_pkts == bp->st_pkts)
1981 		return (0);
1982 	else if (ap->st_pkts < bp->st_pkts)
1983 		return (1);
1984 	return (-1);
1985 }
1986 
1987 
1988 static int sort_bytes(const void *a, const void *b)
1989 {
1990 	register const statetop_t *ap = a;
1991 	register const statetop_t *bp = b;
1992 
1993 	if (ap->st_bytes == bp->st_bytes)
1994 		return (0);
1995 	else if (ap->st_bytes < bp->st_bytes)
1996 		return (1);
1997 	return (-1);
1998 }
1999 
2000 
2001 static int sort_p(const void *a, const void *b)
2002 {
2003 	register const statetop_t *ap = a;
2004 	register const statetop_t *bp = b;
2005 
2006 	if (ap->st_p == bp->st_p)
2007 		return (0);
2008 	else if (ap->st_p < bp->st_p)
2009 		return (1);
2010 	return (-1);
2011 }
2012 
2013 
2014 static int sort_ttl(const void *a, const void *b)
2015 {
2016 	register const statetop_t *ap = a;
2017 	register const statetop_t *bp = b;
2018 
2019 	if (ap->st_age == bp->st_age)
2020 		return (0);
2021 	else if (ap->st_age < bp->st_age)
2022 		return (1);
2023 	return (-1);
2024 }
2025 
2026 static int sort_srcip(const void *a, const void *b)
2027 {
2028 	register const statetop_t *ap = a;
2029 	register const statetop_t *bp = b;
2030 
2031 #ifdef USE_INET6
2032 	if (use_inet6 && !use_inet4) {
2033 		if (IP6_EQ(&ap->st_src, &bp->st_src))
2034 			return (0);
2035 		else if (IP6_GT(&ap->st_src, &bp->st_src))
2036 			return (1);
2037 	} else
2038 #endif
2039 	{
2040 		if (ntohl(ap->st_src.in4.s_addr) ==
2041 		    ntohl(bp->st_src.in4.s_addr))
2042 			return (0);
2043 		else if (ntohl(ap->st_src.in4.s_addr) >
2044 		         ntohl(bp->st_src.in4.s_addr))
2045 			return (1);
2046 	}
2047 	return (-1);
2048 }
2049 
2050 static int sort_srcpt(const void *a, const void *b)
2051 {
2052 	register const statetop_t *ap = a;
2053 	register const statetop_t *bp = b;
2054 
2055 	if (htons(ap->st_sport) == htons(bp->st_sport))
2056 		return (0);
2057 	else if (htons(ap->st_sport) > htons(bp->st_sport))
2058 		return (1);
2059 	return (-1);
2060 }
2061 
2062 static int sort_dstip(const void *a, const void *b)
2063 {
2064 	register const statetop_t *ap = a;
2065 	register const statetop_t *bp = b;
2066 
2067 #ifdef USE_INET6
2068 	if (use_inet6 && !use_inet4) {
2069 		if (IP6_EQ(&ap->st_dst, &bp->st_dst))
2070 			return (0);
2071 		else if (IP6_GT(&ap->st_dst, &bp->st_dst))
2072 			return (1);
2073 	} else
2074 #endif
2075 	{
2076 		if (ntohl(ap->st_dst.in4.s_addr) ==
2077 		    ntohl(bp->st_dst.in4.s_addr))
2078 			return (0);
2079 		else if (ntohl(ap->st_dst.in4.s_addr) >
2080 		         ntohl(bp->st_dst.in4.s_addr))
2081 			return (1);
2082 	}
2083 	return (-1);
2084 }
2085 
2086 static int sort_dstpt(const void *a, const void *b)
2087 {
2088 	register const statetop_t *ap = a;
2089 	register const statetop_t *bp = b;
2090 
2091 	if (htons(ap->st_dport) == htons(bp->st_dport))
2092 		return (0);
2093 	else if (htons(ap->st_dport) > htons(bp->st_dport))
2094 		return (1);
2095 	return (-1);
2096 }
2097 
2098 #endif
2099 
2100 
2101 ipstate_t *fetchstate(ipstate_t *src, ipstate_t *dst)
2102 {
2103 
2104 	if (live_kernel == 1) {
2105 		ipfgeniter_t state;
2106 		ipfobj_t obj;
2107 
2108 		obj.ipfo_rev = IPFILTER_VERSION;
2109 		obj.ipfo_type = IPFOBJ_GENITER;
2110 		obj.ipfo_size = sizeof(state);
2111 		obj.ipfo_ptr = &state;
2112 
2113 		state.igi_type = IPFGENITER_STATE;
2114 		state.igi_nitems = 1;
2115 		state.igi_data = dst;
2116 
2117 		if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
2118 			return (NULL);
2119 		if (dst->is_next == NULL) {
2120 			int n = IPFGENITER_STATE;
2121 			(void) ioctl(ipf_fd,SIOCIPFDELTOK, &n);
2122 		}
2123 	} else {
2124 		if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
2125 			return (NULL);
2126 	}
2127 	return (dst);
2128 }
2129 
2130 
2131 static int fetchfrag( int fd, int type, ipfr_t *frp)
2132 {
2133 	ipfgeniter_t frag;
2134 	ipfobj_t obj;
2135 
2136 	obj.ipfo_rev = IPFILTER_VERSION;
2137 	obj.ipfo_type = IPFOBJ_GENITER;
2138 	obj.ipfo_size = sizeof(frag);
2139 	obj.ipfo_ptr = &frag;
2140 
2141 	frag.igi_type = type;
2142 	frag.igi_nitems = 1;
2143 	frag.igi_data = frp;
2144 
2145 	if (ioctl(fd, SIOCGENITER, &obj))
2146 		return (EFAULT);
2147 	return (0);
2148 }
2149 
2150 
2151 static int state_matcharray(ipstate_t *stp, int *array)
2152 {
2153 	int i, n, *x, rv, p;
2154 	ipfexp_t *e;
2155 
2156 	rv = 0;
2157 
2158 	for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) {
2159 		e = (ipfexp_t *)x;
2160 		if (e->ipfe_cmd == IPF_EXP_END)
2161 			break;
2162 		n -= e->ipfe_size;
2163 
2164 		rv = 0;
2165 		/*
2166 		 * The upper 16 bits currently store the protocol value.
2167 		 * This is currently used with TCP and UDP port compares and
2168 		 * allows "tcp.port = 80" without requiring an explicit
2169 		 " "ip.pr = tcp" first.
2170 		 */
2171 		p = e->ipfe_cmd >> 16;
2172 		if ((p != 0) && (p != stp->is_p))
2173 			break;
2174 
2175 		switch (e->ipfe_cmd)
2176 		{
2177 		case IPF_EXP_IP_PR :
2178 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2179 				rv |= (stp->is_p == e->ipfe_arg0[i]);
2180 			}
2181 			break;
2182 
2183 		case IPF_EXP_IP_SRCADDR :
2184 			if (stp->is_v != 4)
2185 				break;
2186 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2187 				rv |= ((stp->is_saddr &
2188 					e->ipfe_arg0[i * 2 + 1]) ==
2189 				       e->ipfe_arg0[i * 2]);
2190 			}
2191 			break;
2192 
2193 		case IPF_EXP_IP_DSTADDR :
2194 			if (stp->is_v != 4)
2195 				break;
2196 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2197 				rv |= ((stp->is_daddr &
2198 					e->ipfe_arg0[i * 2 + 1]) ==
2199 				       e->ipfe_arg0[i * 2]);
2200 			}
2201 			break;
2202 
2203 		case IPF_EXP_IP_ADDR :
2204 			if (stp->is_v != 4)
2205 				break;
2206 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2207 				rv |= ((stp->is_saddr &
2208 					e->ipfe_arg0[i * 2 + 1]) ==
2209 				       e->ipfe_arg0[i * 2]) ||
2210 				      ((stp->is_daddr &
2211 					e->ipfe_arg0[i * 2 + 1]) ==
2212 				       e->ipfe_arg0[i * 2]);
2213 			}
2214 			break;
2215 
2216 #ifdef USE_INET6
2217 		case IPF_EXP_IP6_SRCADDR :
2218 			if (stp->is_v != 6)
2219 				break;
2220 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2221 				rv |= IP6_MASKEQ(&stp->is_src,
2222 						 &e->ipfe_arg0[i * 8 + 4],
2223 						 &e->ipfe_arg0[i * 8]);
2224 			}
2225 			break;
2226 
2227 		case IPF_EXP_IP6_DSTADDR :
2228 			if (stp->is_v != 6)
2229 				break;
2230 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2231 				rv |= IP6_MASKEQ(&stp->is_dst,
2232 						 &e->ipfe_arg0[i * 8 + 4],
2233 						 &e->ipfe_arg0[i * 8]);
2234 			}
2235 			break;
2236 
2237 		case IPF_EXP_IP6_ADDR :
2238 			if (stp->is_v != 6)
2239 				break;
2240 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2241 				rv |= IP6_MASKEQ(&stp->is_src,
2242 						 &e->ipfe_arg0[i * 8 + 4],
2243 						 &e->ipfe_arg0[i * 8]) ||
2244 				      IP6_MASKEQ(&stp->is_dst,
2245 						 &e->ipfe_arg0[i * 8 + 4],
2246 						 &e->ipfe_arg0[i * 8]);
2247 			}
2248 			break;
2249 #endif
2250 
2251 		case IPF_EXP_UDP_PORT :
2252 		case IPF_EXP_TCP_PORT :
2253 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2254 				rv |= (stp->is_sport == e->ipfe_arg0[i]) ||
2255 				      (stp->is_dport == e->ipfe_arg0[i]);
2256 			}
2257 			break;
2258 
2259 		case IPF_EXP_UDP_SPORT :
2260 		case IPF_EXP_TCP_SPORT :
2261 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2262 				rv |= (stp->is_sport == e->ipfe_arg0[i]);
2263 			}
2264 			break;
2265 
2266 		case IPF_EXP_UDP_DPORT :
2267 		case IPF_EXP_TCP_DPORT :
2268 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2269 				rv |= (stp->is_dport == e->ipfe_arg0[i]);
2270 			}
2271 			break;
2272 
2273 		case IPF_EXP_IDLE_GT :
2274 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2275 				rv |= (stp->is_die < e->ipfe_arg0[i]);
2276 			}
2277 			break;
2278 
2279 		case IPF_EXP_TCP_STATE :
2280 			for (i = 0; !rv && i < e->ipfe_narg; i++) {
2281 				rv |= (stp->is_state[0] == e->ipfe_arg0[i]) ||
2282 				      (stp->is_state[1] == e->ipfe_arg0[i]);
2283 			}
2284 			break;
2285 		}
2286 		rv ^= e->ipfe_not;
2287 
2288 		if (rv == 0)
2289 			break;
2290 	}
2291 
2292 	return (rv);
2293 }
2294 
2295 
2296 static void showtqtable_live(int fd)
2297 {
2298 	ipftq_t table[IPF_TCP_NSTATES];
2299 	ipfobj_t obj;
2300 
2301 	bzero((char *)&obj, sizeof(obj));
2302 	obj.ipfo_rev = IPFILTER_VERSION;
2303 	obj.ipfo_size = sizeof(table);
2304 	obj.ipfo_ptr = (void *)table;
2305 	obj.ipfo_type = IPFOBJ_STATETQTAB;
2306 
2307 	if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
2308 		printtqtable(table);
2309 	}
2310 }
2311