1 /* $FreeBSD$ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 #include <sys/ioctl.h> 9 #include <ctype.h> 10 #include <fcntl.h> 11 # include <nlist.h> 12 #include <ctype.h> 13 #if defined(sun) && defined(__SVR4) 14 # include <stddef.h> 15 #endif 16 #include "ipf.h" 17 #include "netinet/ipl.h" 18 #if defined(STATETOP) 19 # if defined(sun) && defined(__SVR4) 20 # include <sys/select.h> 21 # endif 22 # include <netinet/ip_var.h> 23 # include <netinet/tcp_fsm.h> 24 # include <ctype.h> 25 # include <signal.h> 26 # include <time.h> 27 # if SOLARIS || defined(__NetBSD__) 28 # ifdef ERR 29 # undef ERR 30 # endif 31 # include <curses.h> 32 # else /* SOLARIS */ 33 # include <ncurses.h> 34 # endif /* SOLARIS */ 35 #endif /* STATETOP */ 36 #include "kmem.h" 37 #if defined(__NetBSD__) 38 # include <paths.h> 39 #endif 40 41 #if !defined(lint) 42 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; 43 static const char rcsid[] = "@(#)$Id$"; 44 #endif 45 46 47 extern char *optarg; 48 extern int optind; 49 extern int opterr; 50 51 #define PRINTF (void)printf 52 #define FPRINTF (void)fprintf 53 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", 54 "ipacct(in)", "ipacct(out)" }; 55 static int state_logging = -1; 56 static wordtab_t *state_fields = NULL; 57 58 int nohdrfields = 0; 59 int opts = 0; 60 #ifdef USE_INET6 61 int use_inet4 = 0; 62 int use_inet6 = 0; 63 #endif 64 int live_kernel = 1; 65 int state_fd = -1; 66 int ipf_fd = -1; 67 int auth_fd = -1; 68 int nat_fd = -1; 69 frgroup_t *grtop = NULL; 70 frgroup_t *grtail = NULL; 71 72 char *blockreasons[FRB_MAX_VALUE + 1] = { 73 "packet blocked", 74 "log rule failure", 75 "pps rate exceeded", 76 "jumbogram", 77 "makefrip failed", 78 "cannot add state", 79 "IP ID update failed", 80 "log-or-block failed", 81 "decapsulate failure", 82 "cannot create new auth entry", 83 "packet queued for auth", 84 "buffer coalesce failure", 85 "buffer pullup failure", 86 "auth feedback", 87 "bad fragment", 88 "IPv4 NAT failure", 89 "IPv6 NAT failure" 90 }; 91 92 #ifdef STATETOP 93 #define STSTRSIZE 80 94 #define STGROWSIZE 16 95 #define HOSTNMLEN 40 96 97 #define STSORT_PR 0 98 #define STSORT_PKTS 1 99 #define STSORT_BYTES 2 100 #define STSORT_TTL 3 101 #define STSORT_SRCIP 4 102 #define STSORT_SRCPT 5 103 #define STSORT_DSTIP 6 104 #define STSORT_DSTPT 7 105 #define STSORT_MAX STSORT_DSTPT 106 #define STSORT_DEFAULT STSORT_BYTES 107 108 109 typedef struct statetop { 110 i6addr_t st_src; 111 i6addr_t st_dst; 112 u_short st_sport; 113 u_short st_dport; 114 u_char st_p; 115 u_char st_v; 116 u_char st_state[2]; 117 U_QUAD_T st_pkts; 118 U_QUAD_T st_bytes; 119 u_long st_age; 120 } statetop_t; 121 #endif 122 123 int main(int, char *[]); 124 125 static int fetchfrag(int, int, ipfr_t *); 126 static void showstats(friostat_t *, u_32_t); 127 static void showfrstates(ipfrstat_t *, u_long); 128 static void showlist(friostat_t *); 129 static void showstatestats(ips_stat_t *); 130 static void showipstates(ips_stat_t *, int *); 131 static void showauthstates(ipf_authstat_t *); 132 static void showtqtable_live(int); 133 static void showgroups(friostat_t *); 134 static void usage(char *); 135 static int state_matcharray(ipstate_t *, int *); 136 static int printlivelist(friostat_t *, int, int, frentry_t *, 137 char *, char *); 138 static void printdeadlist(friostat_t *, int, int, frentry_t *, 139 char *, char *); 140 static void printside(char *, ipf_statistics_t *); 141 static void parse_ipportstr(const char *, i6addr_t *, int *); 142 static void ipfstate_live(char *, friostat_t **, ips_stat_t **, 143 ipfrstat_t **, ipf_authstat_t **, u_32_t *); 144 static void ipfstate_dead(char *, friostat_t **, ips_stat_t **, 145 ipfrstat_t **, ipf_authstat_t **, u_32_t *); 146 static ipstate_t *fetchstate(ipstate_t *, ipstate_t *); 147 #ifdef STATETOP 148 static void topipstates(i6addr_t, i6addr_t, int, int, int, 149 int, int, int, int *); 150 static void sig_break(int); 151 static void sig_resize(int); 152 static char *getip(int, i6addr_t *); 153 static char *ttl_to_string(long); 154 static int sort_p(const void *, const void *); 155 static int sort_pkts(const void *, const void *); 156 static int sort_bytes(const void *, const void *); 157 static int sort_ttl(const void *, const void *); 158 static int sort_srcip(const void *, const void *); 159 static int sort_srcpt(const void *, const void *); 160 static int sort_dstip(const void *, const void *); 161 static int sort_dstpt(const void *, const void *); 162 #endif 163 164 165 static void usage(char *name) 166 { 167 #ifdef USE_INET6 168 fprintf(stderr, "Usage: %s [-46aAdfghIilnoRsv]\n", name); 169 #else 170 fprintf(stderr, "Usage: %s [-4aAdfghIilnoRsv]\n", name); 171 #endif 172 fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name); 173 #ifdef STATETOP 174 #ifdef USE_INET6 175 fprintf(stderr, " %s -t [-46C] ", name); 176 #else 177 fprintf(stderr, " %s -t [-4C] ", name); 178 #endif 179 #endif 180 fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n"); 181 exit(1); 182 } 183 184 185 int main(int argc, char *argv[]) 186 { 187 ipf_authstat_t frauthst; 188 ipf_authstat_t *frauthstp = &frauthst; 189 friostat_t fio; 190 friostat_t *fiop = &fio; 191 ips_stat_t ipsst; 192 ips_stat_t *ipsstp = &ipsst; 193 ipfrstat_t ifrst; 194 ipfrstat_t *ifrstp = &ifrst; 195 char *options; 196 char *kern = NULL; 197 char *memf = NULL; 198 int c; 199 int myoptind; 200 int *filter = NULL; 201 202 int protocol = -1; /* -1 = wild card for any protocol */ 203 int refreshtime = 1; /* default update time */ 204 int sport = -1; /* -1 = wild card for any source port */ 205 int dport = -1; /* -1 = wild card for any dest port */ 206 int topclosed = 0; /* do not show closed tcp sessions */ 207 i6addr_t saddr, daddr; 208 u_32_t frf; 209 210 #ifdef USE_INET6 211 options = "46aACdfghIilnostvD:m:M:N:O:P:RS:T:"; 212 #else 213 options = "4aACdfghIilnostvD:m:M:N:O:P:RS:T:"; 214 #endif 215 216 saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */ 217 daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */ 218 #ifdef USE_INET6 219 saddr.in6 = in6addr_any; /* default any v6 source addr */ 220 daddr.in6 = in6addr_any; /* default any v6 dest addr */ 221 #endif 222 223 /* Don't warn about invalid flags when we run getopt for the 1st time */ 224 opterr = 0; 225 226 /* 227 * Parse these two arguments now lest there be any buffer overflows 228 * in the parsing of the rest. 229 */ 230 myoptind = optind; 231 while ((c = getopt(argc, argv, options)) != -1) { 232 switch (c) 233 { 234 case 'M' : 235 memf = optarg; 236 live_kernel = 0; 237 break; 238 case 'N' : 239 kern = optarg; 240 live_kernel = 0; 241 break; 242 } 243 } 244 optind = myoptind; 245 246 if (live_kernel == 1) { 247 if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) { 248 perror("open(IPSTATE_NAME)"); 249 exit(-1); 250 } 251 if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) { 252 perror("open(IPAUTH_NAME)"); 253 exit(-1); 254 } 255 if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) { 256 perror("open(IPAUTH_NAME)"); 257 exit(-1); 258 } 259 if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) { 260 fprintf(stderr, "open(%s)", IPL_NAME); 261 perror(""); 262 exit(-1); 263 } 264 } 265 266 if (kern != NULL || memf != NULL) { 267 (void)setgid(getgid()); 268 (void)setuid(getuid()); 269 } 270 271 if (live_kernel == 1) { 272 (void) checkrev(IPL_NAME); 273 } else { 274 if (openkmem(kern, memf) == -1) 275 exit(-1); 276 } 277 278 (void)setgid(getgid()); 279 (void)setuid(getuid()); 280 281 opterr = 1; 282 283 while ((c = getopt(argc, argv, options)) != -1) 284 { 285 switch (c) 286 { 287 #ifdef USE_INET6 288 case '4' : 289 use_inet4 = 1; 290 break; 291 case '6' : 292 use_inet6 = 1; 293 break; 294 #endif 295 case 'a' : 296 opts |= OPT_ACCNT|OPT_SHOWLIST; 297 break; 298 case 'A' : 299 opts |= OPT_AUTHSTATS; 300 break; 301 case 'C' : 302 topclosed = 1; 303 break; 304 case 'd' : 305 opts |= OPT_DEBUG; 306 break; 307 case 'D' : 308 parse_ipportstr(optarg, &daddr, &dport); 309 break; 310 case 'f' : 311 opts |= OPT_FRSTATES; 312 break; 313 case 'g' : 314 opts |= OPT_GROUPS; 315 break; 316 case 'h' : 317 opts |= OPT_HITS; 318 break; 319 case 'i' : 320 opts |= OPT_INQUE|OPT_SHOWLIST; 321 break; 322 case 'I' : 323 opts |= OPT_INACTIVE; 324 break; 325 case 'l' : 326 opts |= OPT_SHOWLIST; 327 break; 328 case 'm' : 329 filter = parseipfexpr(optarg, NULL); 330 if (filter == NULL) { 331 fprintf(stderr, "Error parseing '%s'\n", 332 optarg); 333 exit(1); 334 } 335 break; 336 case 'M' : 337 break; 338 case 'N' : 339 break; 340 case 'n' : 341 opts |= OPT_SHOWLINENO; 342 break; 343 case 'o' : 344 opts |= OPT_OUTQUE|OPT_SHOWLIST; 345 break; 346 case 'O' : 347 state_fields = parsefields(statefields, optarg); 348 break; 349 case 'P' : 350 protocol = getproto(optarg); 351 if (protocol == -1) { 352 fprintf(stderr, "%s: Invalid protocol: %s\n", 353 argv[0], optarg); 354 exit(-2); 355 } 356 break; 357 case 'R' : 358 opts |= OPT_NORESOLVE; 359 break; 360 case 's' : 361 opts |= OPT_IPSTATES; 362 break; 363 case 'S' : 364 parse_ipportstr(optarg, &saddr, &sport); 365 break; 366 case 't' : 367 #ifdef STATETOP 368 opts |= OPT_STATETOP; 369 break; 370 #else 371 fprintf(stderr, 372 "%s: state top facility not compiled in\n", 373 argv[0]); 374 exit(-2); 375 #endif 376 case 'T' : 377 if (!sscanf(optarg, "%d", &refreshtime) || 378 (refreshtime <= 0)) { 379 fprintf(stderr, 380 "%s: Invalid refreshtime < 1 : %s\n", 381 argv[0], optarg); 382 exit(-2); 383 } 384 break; 385 case 'v' : 386 opts |= OPT_VERBOSE; 387 break; 388 default : 389 usage(argv[0]); 390 break; 391 } 392 } 393 #ifdef USE_INET6 394 if ((use_inet4 || use_inet6) && 395 !(opts & (OPT_INQUE | OPT_OUTQUE | OPT_STATETOP))) { 396 #ifdef STATETOP 397 FPRINTF(stderr, "No -i, -o, or -t given with -4 or -6\n"); 398 #else 399 FPRINTF(stderr, "No -i or -o given with -4 or -6\n"); 400 #endif 401 exit(-2); 402 } 403 if (use_inet4 == 0 && use_inet6 == 0) 404 use_inet4 = use_inet6 = 1; 405 #endif 406 407 if (live_kernel == 1) { 408 bzero((char *)&fio, sizeof(fio)); 409 bzero((char *)&ipsst, sizeof(ipsst)); 410 bzero((char *)&ifrst, sizeof(ifrst)); 411 412 ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp, 413 &frauthstp, &frf); 414 } else { 415 ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); 416 } 417 418 if (opts & OPT_IPSTATES) { 419 showipstates(ipsstp, filter); 420 } else if (opts & OPT_SHOWLIST) { 421 showlist(fiop); 422 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){ 423 opts &= ~OPT_OUTQUE; 424 showlist(fiop); 425 } 426 } else if (opts & OPT_FRSTATES) 427 showfrstates(ifrstp, fiop->f_ticks); 428 #ifdef STATETOP 429 else if (opts & OPT_STATETOP) 430 topipstates(saddr, daddr, sport, dport, protocol, 431 #ifdef USE_INET6 432 use_inet6 && use_inet4 ? 0 : use_inet6 && !use_inet4 ? 6 : 4, 433 #else 434 4, 435 #endif 436 #endif 437 refreshtime, topclosed, filter); 438 else if (opts & OPT_AUTHSTATS) 439 showauthstates(frauthstp); 440 else if (opts & OPT_GROUPS) 441 showgroups(fiop); 442 else 443 showstats(fiop, frf); 444 445 return (0); 446 } 447 448 449 /* 450 * Fill in the stats structures from the live kernel, using a combination 451 * of ioctl's and copying directly from kernel memory. 452 */ 453 static void ipfstate_live(char *device, friostat_t **fiopp, 454 ips_stat_t **ipsstpp, ipfrstat_t **ifrstpp, 455 ipf_authstat_t **frauthstpp, u_32_t *frfp) 456 { 457 ipfobj_t ipfo; 458 459 if (checkrev(device) == -1) { 460 fprintf(stderr, "User/kernel version check failed\n"); 461 exit(1); 462 } 463 464 if ((opts & OPT_AUTHSTATS) == 0) { 465 bzero((caddr_t)&ipfo, sizeof(ipfo)); 466 ipfo.ipfo_rev = IPFILTER_VERSION; 467 ipfo.ipfo_type = IPFOBJ_IPFSTAT; 468 ipfo.ipfo_size = sizeof(friostat_t); 469 ipfo.ipfo_ptr = (void *)*fiopp; 470 471 if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) { 472 ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)"); 473 exit(-1); 474 } 475 476 if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1) 477 ipferror(ipf_fd, "ioctl(SIOCGETFF)"); 478 } 479 480 if ((opts & OPT_IPSTATES) != 0) { 481 482 bzero((caddr_t)&ipfo, sizeof(ipfo)); 483 ipfo.ipfo_rev = IPFILTER_VERSION; 484 ipfo.ipfo_type = IPFOBJ_STATESTAT; 485 ipfo.ipfo_size = sizeof(ips_stat_t); 486 ipfo.ipfo_ptr = (void *)*ipsstpp; 487 488 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { 489 ipferror(state_fd, "ioctl(state:SIOCGETFS)"); 490 exit(-1); 491 } 492 if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) { 493 ipferror(state_fd, "ioctl(state:SIOCGETLG)"); 494 exit(-1); 495 } 496 } 497 498 if ((opts & OPT_FRSTATES) != 0) { 499 bzero((caddr_t)&ipfo, sizeof(ipfo)); 500 ipfo.ipfo_rev = IPFILTER_VERSION; 501 ipfo.ipfo_type = IPFOBJ_FRAGSTAT; 502 ipfo.ipfo_size = sizeof(ipfrstat_t); 503 ipfo.ipfo_ptr = (void *)*ifrstpp; 504 505 if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) { 506 ipferror(ipf_fd, "ioctl(SIOCGFRST)"); 507 exit(-1); 508 } 509 } 510 511 if (opts & OPT_DEBUG) 512 PRINTF("opts %#x name %s\n", opts, device); 513 514 if ((opts & OPT_AUTHSTATS) != 0) { 515 bzero((caddr_t)&ipfo, sizeof(ipfo)); 516 ipfo.ipfo_rev = IPFILTER_VERSION; 517 ipfo.ipfo_type = IPFOBJ_AUTHSTAT; 518 ipfo.ipfo_size = sizeof(ipf_authstat_t); 519 ipfo.ipfo_ptr = (void *)*frauthstpp; 520 521 if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) { 522 ipferror(auth_fd, "ioctl(SIOCATHST)"); 523 exit(-1); 524 } 525 } 526 } 527 528 529 /* 530 * Build up the stats structures from data held in the "core" memory. 531 * This is mainly useful when looking at data in crash dumps and ioctl's 532 * just won't work any more. 533 */ 534 static void ipfstate_dead( char *kernel, friostat_t **fiopp, 535 ips_stat_t **ipsstpp, ipfrstat_t **ifrstpp, 536 ipf_authstat_t **frauthstpp, u_32_t *frfp) 537 { 538 static ipf_authstat_t frauthst, *frauthstp; 539 static ipftq_t ipstcptab[IPF_TCP_NSTATES]; 540 static ips_stat_t ipsst, *ipsstp; 541 static ipfrstat_t ifrst, *ifrstp; 542 static friostat_t fio, *fiop; 543 int temp; 544 545 void *rules[2][2]; 546 struct nlist deadlist[44] = { 547 { "ipf_auth_stats", 0, 0, 0, 0 }, /* 0 */ 548 { "fae_list", 0, 0, 0, 0 }, 549 { "ipauth", 0, 0, 0, 0 }, 550 { "ipf_auth_list", 0, 0, 0, 0 }, 551 { "ipf_auth_start", 0, 0, 0, 0 }, 552 { "ipf_auth_end", 0, 0, 0, 0 }, /* 5 */ 553 { "ipf_auth_next", 0, 0, 0, 0 }, 554 { "ipf_auth", 0, 0, 0, 0 }, 555 { "ipf_auth_used", 0, 0, 0, 0 }, 556 { "ipf_auth_size", 0, 0, 0, 0 }, 557 { "ipf_auth_defaultage", 0, 0, 0, 0 }, /* 10 */ 558 { "ipf_auth_pkts", 0, 0, 0, 0 }, 559 { "ipf_auth_lock", 0, 0, 0, 0 }, 560 { "frstats", 0, 0, 0, 0 }, 561 { "ips_stats", 0, 0, 0, 0 }, 562 { "ips_num", 0, 0, 0, 0 }, /* 15 */ 563 { "ips_wild", 0, 0, 0, 0 }, 564 { "ips_list", 0, 0, 0, 0 }, 565 { "ips_table", 0, 0, 0, 0 }, 566 { "ipf_state_max", 0, 0, 0, 0 }, 567 { "ipf_state_size", 0, 0, 0, 0 }, /* 20 */ 568 { "ipf_state_doflush", 0, 0, 0, 0 }, 569 { "ipf_state_lock", 0, 0, 0, 0 }, 570 { "ipfr_heads", 0, 0, 0, 0 }, 571 { "ipfr_nattab", 0, 0, 0, 0 }, 572 { "ipfr_stats", 0, 0, 0, 0 }, /* 25 */ 573 { "ipfr_inuse", 0, 0, 0, 0 }, 574 { "ipf_ipfrttl", 0, 0, 0, 0 }, 575 { "ipf_frag_lock", 0, 0, 0, 0 }, 576 { "ipfr_timer_id", 0, 0, 0, 0 }, 577 { "ipf_nat_lock", 0, 0, 0, 0 }, /* 30 */ 578 { "ipf_rules", 0, 0, 0, 0 }, 579 { "ipf_acct", 0, 0, 0, 0 }, 580 { "ipl_frouteok", 0, 0, 0, 0 }, 581 { "ipf_running", 0, 0, 0, 0 }, 582 { "ipf_groups", 0, 0, 0, 0 }, /* 35 */ 583 { "ipf_active", 0, 0, 0, 0 }, 584 { "ipf_pass", 0, 0, 0, 0 }, 585 { "ipf_flags", 0, 0, 0, 0 }, 586 { "ipf_state_logging", 0, 0, 0, 0 }, 587 { "ips_tqtqb", 0, 0, 0, 0 }, /* 40 */ 588 { NULL, 0, 0, 0, 0 } 589 }; 590 591 592 frauthstp = &frauthst; 593 ipsstp = &ipsst; 594 ifrstp = &ifrst; 595 fiop = &fio; 596 597 *frfp = 0; 598 *fiopp = fiop; 599 *ipsstpp = ipsstp; 600 *ifrstpp = ifrstp; 601 *frauthstpp = frauthstp; 602 603 bzero((char *)fiop, sizeof(*fiop)); 604 bzero((char *)ipsstp, sizeof(*ipsstp)); 605 bzero((char *)ifrstp, sizeof(*ifrstp)); 606 bzero((char *)frauthstp, sizeof(*frauthstp)); 607 608 if (nlist(kernel, deadlist) == -1) { 609 fprintf(stderr, "nlist error\n"); 610 return; 611 } 612 613 /* 614 * This is for SIOCGETFF. 615 */ 616 kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp)); 617 618 /* 619 * f_locks is a combination of the lock variable from each part of 620 * ipfilter (state, auth, nat, fragments). 621 */ 622 kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop)); 623 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value, 624 sizeof(fiop->f_locks[0])); 625 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value, 626 sizeof(fiop->f_locks[1])); 627 kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value, 628 sizeof(fiop->f_locks[2])); 629 kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value, 630 sizeof(fiop->f_locks[3])); 631 632 /* 633 * Get pointers to each list of rules (active, inactive, in, out) 634 */ 635 kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules)); 636 fiop->f_fin[0] = rules[0][0]; 637 fiop->f_fin[1] = rules[0][1]; 638 fiop->f_fout[0] = rules[1][0]; 639 fiop->f_fout[1] = rules[1][1]; 640 641 /* 642 * Now get accounting rules pointers. 643 */ 644 kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules)); 645 fiop->f_acctin[0] = rules[0][0]; 646 fiop->f_acctin[1] = rules[0][1]; 647 fiop->f_acctout[0] = rules[1][0]; 648 fiop->f_acctout[1] = rules[1][1]; 649 650 /* 651 * A collection of "global" variables used inside the kernel which 652 * are all collected in friostat_t via ioctl. 653 */ 654 kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value, 655 sizeof(fiop->f_froute)); 656 kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value, 657 sizeof(fiop->f_running)); 658 kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value, 659 sizeof(fiop->f_groups)); 660 kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value, 661 sizeof(fiop->f_active)); 662 kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value, 663 sizeof(fiop->f_defpass)); 664 665 /* 666 * Build up the state information stats structure. 667 */ 668 kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp)); 669 kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp)); 670 kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value, 671 sizeof(ipstcptab)); 672 ipsstp->iss_active = temp; 673 ipsstp->iss_table = (void *)deadlist[18].n_value; 674 ipsstp->iss_list = (void *)deadlist[17].n_value; 675 ipsstp->iss_tcptab = ipstcptab; 676 677 /* 678 * Build up the authentiation information stats structure. 679 */ 680 kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value, 681 sizeof(*frauthstp)); 682 frauthstp->fas_faelist = (void *)deadlist[1].n_value; 683 684 /* 685 * Build up the fragment information stats structure. 686 */ 687 kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value, 688 sizeof(*ifrstp)); 689 ifrstp->ifs_table = (void *)deadlist[23].n_value; 690 ifrstp->ifs_nattab = (void *)deadlist[24].n_value; 691 kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value, 692 sizeof(ifrstp->ifs_inuse)); 693 694 /* 695 * Get logging on/off switches 696 */ 697 kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value, 698 sizeof(state_logging)); 699 } 700 701 702 static void printside(char *side, ipf_statistics_t *frs) 703 { 704 int i; 705 706 PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side); 707 #ifdef USE_INET6 708 PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side); 709 #endif 710 PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side); 711 PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side); 712 PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side); 713 PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side); 714 PRINTF("%lu\t%s packets short\n", frs->fr_short, side); 715 PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side); 716 PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side); 717 PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side); 718 PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side); 719 PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side); 720 PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side); 721 PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side); 722 PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side); 723 PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side); 724 PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side); 725 PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side); 726 PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side); 727 PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side); 728 for (i = 0; i <= FRB_MAX_VALUE; i++) 729 PRINTF("%lu\t%s block reason %s\n", 730 frs->fr_blocked[i], side, blockreasons[i]); 731 } 732 733 734 /* 735 * Display the kernel stats for packets blocked and passed and other 736 * associated running totals which are kept. 737 */ 738 static void showstats( struct friostat *fp, u_32_t frf) 739 { 740 printside("input", &fp->f_st[0]); 741 printside("output", &fp->f_st[1]); 742 743 PRINTF("%lu\tpackets logged\n", fp->f_log_ok); 744 PRINTF("%lu\tlog failures\n", fp->f_log_fail); 745 PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem); 746 PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max); 747 PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret); 748 PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret); 749 PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]); 750 PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]); 751 PRINTF("%u\tIPF Ticks\n", fp->f_ticks); 752 753 PRINTF("%x\tPacket log flags set:\n", frf); 754 if (frf & FF_LOGPASS) 755 PRINTF("\tpackets passed through filter\n"); 756 if (frf & FF_LOGBLOCK) 757 PRINTF("\tpackets blocked by filter\n"); 758 if (frf & FF_LOGNOMATCH) 759 PRINTF("\tpackets not matched by filter\n"); 760 if (!frf) 761 PRINTF("\tnone\n"); 762 } 763 764 765 /* 766 * Print out a list of rules from the kernel, starting at the one passed. 767 */ 768 static int 769 printlivelist( struct friostat *fiop, int out, int set, frentry_t *fp, 770 char *group, char *comment) 771 { 772 struct frentry fb; 773 ipfruleiter_t rule; 774 frentry_t zero; 775 frgroup_t *g; 776 ipfobj_t obj; 777 int rules; 778 int num; 779 780 rules = 0; 781 782 rule.iri_inout = out; 783 rule.iri_active = set; 784 rule.iri_rule = &fb; 785 rule.iri_nrules = 1; 786 if (group != NULL) 787 strncpy(rule.iri_group, group, FR_GROUPLEN); 788 else 789 rule.iri_group[0] = '\0'; 790 791 bzero((char *)&zero, sizeof(zero)); 792 793 bzero((char *)&obj, sizeof(obj)); 794 obj.ipfo_rev = IPFILTER_VERSION; 795 obj.ipfo_type = IPFOBJ_IPFITER; 796 obj.ipfo_size = sizeof(rule); 797 obj.ipfo_ptr = &rule; 798 799 while (rule.iri_rule != NULL) { 800 u_long array[1000]; 801 802 memset(array, 0xff, sizeof(array)); 803 fp = (frentry_t *)array; 804 rule.iri_rule = fp; 805 if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) { 806 ipferror(ipf_fd, "ioctl(SIOCIPFITER)"); 807 num = IPFGENITER_IPF; 808 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num); 809 return (rules); 810 } 811 if (bcmp(fp, &zero, sizeof(zero)) == 0) 812 break; 813 if (rule.iri_rule == NULL) 814 break; 815 #ifdef USE_INET6 816 if (use_inet6 != 0 && use_inet4 == 0) { 817 if (fp->fr_family != 0 && fp->fr_family != AF_INET6) 818 continue; 819 } else if (use_inet4 != 0 && use_inet6 == 0) { 820 #endif 821 if (fp->fr_family != 0 && fp->fr_family != AF_INET) 822 continue; 823 #ifdef USE_INET6 824 } else { 825 if (fp->fr_family != 0 && 826 fp->fr_family != AF_INET && fp->fr_family != AF_INET6) 827 continue; 828 } 829 #endif 830 831 if (fp->fr_data != NULL) 832 fp->fr_data = (char *)fp + fp->fr_size; 833 834 rules++; 835 836 if (opts & (OPT_HITS|OPT_DEBUG)) 837 #ifdef USE_QUAD_T 838 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits); 839 #else 840 PRINTF("%lu ", fp->fr_hits); 841 #endif 842 if (opts & (OPT_ACCNT|OPT_DEBUG)) 843 #ifdef USE_QUAD_T 844 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes); 845 #else 846 PRINTF("%lu ", fp->fr_bytes); 847 #endif 848 if (opts & OPT_SHOWLINENO) 849 PRINTF("@%d ", rules); 850 851 if (fp->fr_die != 0) 852 fp->fr_die -= fiop->f_ticks; 853 854 printfr(fp, ioctl); 855 if (opts & OPT_DEBUG) { 856 binprint(fp, fp->fr_size); 857 if (fp->fr_data != NULL && fp->fr_dsize > 0) 858 binprint(fp->fr_data, fp->fr_dsize); 859 } 860 if (fp->fr_grhead != -1) { 861 for (g = grtop; g != NULL; g = g->fg_next) { 862 if (!strncmp(fp->fr_names + fp->fr_grhead, 863 g->fg_name, 864 FR_GROUPLEN)) 865 break; 866 } 867 if (g == NULL) { 868 g = calloc(1, sizeof(*g)); 869 870 if (g != NULL) { 871 strncpy(g->fg_name, 872 fp->fr_names + fp->fr_grhead, 873 FR_GROUPLEN); 874 if (grtop == NULL) { 875 grtop = g; 876 grtail = g; 877 } else { 878 grtail->fg_next = g; 879 grtail = g; 880 } 881 } 882 } 883 } 884 if (fp->fr_type == FR_T_CALLFUNC) { 885 rules += printlivelist(fiop, out, set, fp->fr_data, 886 group, "# callfunc: "); 887 } 888 } 889 890 num = IPFGENITER_IPF; 891 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num); 892 893 return (rules); 894 } 895 896 897 static void printdeadlist(friostat_t *fiop, int out, int set, frentry_t *fp, 898 char *group, char *comment) 899 { 900 frgroup_t *grtop, *grtail, *g; 901 struct frentry fb; 902 char *data; 903 u_32_t type; 904 int n; 905 906 fb.fr_next = fp; 907 n = 0; 908 grtop = NULL; 909 grtail = NULL; 910 911 for (n = 1; fp; fp = fb.fr_next, n++) { 912 if (kmemcpy((char *)&fb, (u_long)fb.fr_next, 913 fb.fr_size) == -1) { 914 perror("kmemcpy"); 915 return; 916 } 917 fp = &fb; 918 #ifdef USE_INET6 919 if (use_inet6 != 0 && use_inet4 == 0) { 920 if (fp->fr_family != 0 && fp->fr_family != AF_INET6) 921 continue; 922 } else if (use_inet4 != 0 && use_inet6 == 0) { 923 #endif 924 if (fp->fr_family != 0 && fp->fr_family != AF_INET) 925 continue; 926 #ifdef USE_INET6 927 } else { 928 if (fp->fr_family != 0 && 929 fp->fr_family != AF_INET && fp->fr_family != AF_INET6) 930 continue; 931 } 932 #endif 933 934 data = NULL; 935 type = fb.fr_type & ~FR_T_BUILTIN; 936 if (type == FR_T_IPF || type == FR_T_BPFOPC) { 937 if (fb.fr_dsize) { 938 data = malloc(fb.fr_dsize); 939 940 if (kmemcpy(data, (u_long)fb.fr_data, 941 fb.fr_dsize) == -1) { 942 perror("kmemcpy"); 943 return; 944 } 945 fb.fr_data = data; 946 } 947 } 948 949 if (opts & OPT_HITS) 950 #ifdef USE_QUAD_T 951 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits); 952 #else 953 PRINTF("%lu ", fb.fr_hits); 954 #endif 955 if (opts & OPT_ACCNT) 956 #ifdef USE_QUAD_T 957 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes); 958 #else 959 PRINTF("%lu ", fb.fr_bytes); 960 #endif 961 if (opts & OPT_SHOWLINENO) 962 PRINTF("@%d ", n); 963 964 printfr(fp, ioctl); 965 if (opts & OPT_DEBUG) { 966 binprint(fp, fp->fr_size); 967 if (fb.fr_data != NULL && fb.fr_dsize > 0) 968 binprint(fb.fr_data, fb.fr_dsize); 969 } 970 if (data != NULL) 971 free(data); 972 if (fb.fr_grhead != -1) { 973 g = calloc(1, sizeof(*g)); 974 975 if (g != NULL) { 976 strncpy(g->fg_name, fb.fr_names + fb.fr_grhead, 977 FR_GROUPLEN); 978 if (grtop == NULL) { 979 grtop = g; 980 grtail = g; 981 } else { 982 grtail->fg_next = g; 983 grtail = g; 984 } 985 } 986 } 987 if (type == FR_T_CALLFUNC) { 988 printdeadlist(fiop, out, set, fb.fr_data, group, 989 "# callfunc: "); 990 } 991 } 992 993 while ((g = grtop) != NULL) { 994 printdeadlist(fiop, out, set, NULL, g->fg_name, comment); 995 grtop = g->fg_next; 996 free(g); 997 } 998 } 999 1000 /* 1001 * print out all of the asked for rule sets, using the stats struct as 1002 * the base from which to get the pointers. 1003 */ 1004 static void showlist(struct friostat *fiop) 1005 { 1006 struct frentry *fp = NULL; 1007 int i, set; 1008 1009 set = fiop->f_active; 1010 if (opts & OPT_INACTIVE) 1011 set = 1 - set; 1012 if (opts & OPT_ACCNT) { 1013 if (opts & OPT_OUTQUE) { 1014 i = F_ACOUT; 1015 fp = (struct frentry *)fiop->f_acctout[set]; 1016 } else if (opts & OPT_INQUE) { 1017 i = F_ACIN; 1018 fp = (struct frentry *)fiop->f_acctin[set]; 1019 } else { 1020 FPRINTF(stderr, "No -i or -o given with -a\n"); 1021 return; 1022 } 1023 } else { 1024 if (opts & OPT_OUTQUE) { 1025 i = F_OUT; 1026 fp = (struct frentry *)fiop->f_fout[set]; 1027 } else if (opts & OPT_INQUE) { 1028 i = F_IN; 1029 fp = (struct frentry *)fiop->f_fin[set]; 1030 } else 1031 return; 1032 } 1033 if (opts & OPT_DEBUG) 1034 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i); 1035 1036 if (opts & OPT_DEBUG) 1037 PRINTF("fp %p set %d\n", fp, set); 1038 1039 if (live_kernel == 1) { 1040 int printed; 1041 1042 printed = printlivelist(fiop, i, set, fp, NULL, NULL); 1043 if (printed == 0) { 1044 FPRINTF(stderr, "# empty list for %s%s\n", 1045 (opts & OPT_INACTIVE) ? "inactive " : "", 1046 filters[i]); 1047 } 1048 } else { 1049 if (!fp) { 1050 FPRINTF(stderr, "# empty list for %s%s\n", 1051 (opts & OPT_INACTIVE) ? "inactive " : "", 1052 filters[i]); 1053 } else { 1054 printdeadlist(fiop, i, set, fp, NULL, NULL); 1055 } 1056 } 1057 } 1058 1059 1060 /* 1061 * Display ipfilter stateful filtering information 1062 */ 1063 static void showipstates(ips_stat_t *ipsp, int *filter) 1064 { 1065 ipstate_t *is; 1066 int i; 1067 1068 /* 1069 * If a list of states hasn't been asked for, only print out stats 1070 */ 1071 if (!(opts & OPT_SHOWLIST)) { 1072 showstatestats(ipsp); 1073 return; 1074 } 1075 1076 if ((state_fields != NULL) && (nohdrfields == 0)) { 1077 for (i = 0; state_fields[i].w_value != 0; i++) { 1078 printfieldhdr(statefields, state_fields + i); 1079 if (state_fields[i + 1].w_value != 0) 1080 printf("\t"); 1081 } 1082 printf("\n"); 1083 } 1084 1085 /* 1086 * Print out all the state information currently held in the kernel. 1087 */ 1088 for (is = ipsp->iss_list; is != NULL; ) { 1089 ipstate_t ips; 1090 1091 is = fetchstate(is, &ips); 1092 1093 if (is == NULL) 1094 break; 1095 1096 is = ips.is_next; 1097 if ((filter != NULL) && 1098 (state_matcharray(&ips, filter) == 0)) { 1099 continue; 1100 } 1101 if (state_fields != NULL) { 1102 for (i = 0; state_fields[i].w_value != 0; i++) { 1103 printstatefield(&ips, state_fields[i].w_value); 1104 if (state_fields[i + 1].w_value != 0) 1105 printf("\t"); 1106 } 1107 printf("\n"); 1108 } else { 1109 printstate(&ips, opts, ipsp->iss_ticks); 1110 } 1111 } 1112 } 1113 1114 1115 static void showstatestats(ips_stat_t *ipsp) 1116 { 1117 int minlen, maxlen, totallen; 1118 ipftable_t table; 1119 u_int *buckets; 1120 ipfobj_t obj; 1121 int i, sz; 1122 1123 /* 1124 * If a list of states hasn't been asked for, only print out stats 1125 */ 1126 1127 sz = sizeof(*buckets) * ipsp->iss_state_size; 1128 buckets = (u_int *)malloc(sz); 1129 1130 obj.ipfo_rev = IPFILTER_VERSION; 1131 obj.ipfo_type = IPFOBJ_GTABLE; 1132 obj.ipfo_size = sizeof(table); 1133 obj.ipfo_ptr = &table; 1134 1135 table.ita_type = IPFTABLE_BUCKETS; 1136 table.ita_table = buckets; 1137 1138 if (live_kernel == 1) { 1139 if (ioctl(state_fd, SIOCGTABL, &obj) != 0) { 1140 free(buckets); 1141 return; 1142 } 1143 } else { 1144 if (kmemcpy((char *)buckets, 1145 (u_long)ipsp->iss_bucketlen, sz)) { 1146 free(buckets); 1147 return; 1148 } 1149 } 1150 1151 PRINTF("%u\tactive state table entries\n",ipsp->iss_active); 1152 PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad); 1153 PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup); 1154 PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked); 1155 PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow); 1156 PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full); 1157 PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad); 1158 PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss); 1159 PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag); 1160 PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem); 1161 PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag); 1162 PRINTF("%lu\tcheck success\n", ipsp->iss_hits); 1163 PRINTF("%lu\tcloned\n", ipsp->iss_cloned); 1164 PRINTF("%lu\texpired\n", ipsp->iss_expire); 1165 PRINTF("%lu\tflush all\n", ipsp->iss_flush_all); 1166 PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing); 1167 PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue); 1168 PRINTF("%lu\tflush state\n", ipsp->iss_flush_state); 1169 PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout); 1170 PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse); 1171 PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad); 1172 PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned); 1173 PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr); 1174 PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock); 1175 PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits); 1176 PRINTF("%lu\tICMP not query\n", ipsp->iss_icmp_notquery); 1177 PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short); 1178 PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany); 1179 PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr); 1180 PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss); 1181 PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo); 1182 PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery); 1183 PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail); 1184 PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok); 1185 PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp); 1186 PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask); 1187 PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport); 1188 PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss); 1189 PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref); 1190 PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track); 1191 PRINTF("%lu\tno memory\n", ipsp->iss_nomem); 1192 PRINTF("%lu\tout of window\n", ipsp->iss_oow); 1193 PRINTF("%lu\torphans\n", ipsp->iss_orphan); 1194 PRINTF("%lu\tscan block\n", ipsp->iss_scan_block); 1195 PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max); 1196 PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing); 1197 PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow); 1198 PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd); 1199 PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall); 1200 PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt); 1201 PRINTF("%lu\tTCP removed\n", ipsp->iss_fin); 1202 PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm); 1203 PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict); 1204 PRINTF("%lu\tTCP wild\n", ipsp->iss_wild); 1205 PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack); 1206 1207 PRINTF("State logging %sabled\n", state_logging ? "en" : "dis"); 1208 1209 PRINTF("IP states added:\n"); 1210 for (i = 0; i < 256; i++) { 1211 if (ipsp->iss_proto[i] != 0) { 1212 struct protoent *proto; 1213 1214 proto = getprotobynumber(i); 1215 PRINTF("%lu", ipsp->iss_proto[i]); 1216 if (proto != NULL) 1217 PRINTF("\t%s\n", proto->p_name); 1218 else 1219 PRINTF("\t%d\n", i); 1220 } 1221 } 1222 1223 PRINTF("\nState table bucket statistics:\n"); 1224 PRINTF("%u\tin use\n", ipsp->iss_inuse); 1225 1226 minlen = ipsp->iss_max; 1227 totallen = 0; 1228 maxlen = 0; 1229 1230 for (i = 0; i < ipsp->iss_state_size; i++) { 1231 if (buckets[i] > maxlen) 1232 maxlen = buckets[i]; 1233 if (buckets[i] < minlen) 1234 minlen = buckets[i]; 1235 totallen += buckets[i]; 1236 } 1237 1238 PRINTF("%d\thash efficiency\n", 1239 totallen ? ipsp->iss_inuse * 100 / totallen : 0); 1240 PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n", 1241 ((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0, 1242 minlen); 1243 PRINTF("%u\tmaximal length\n%.3f\taverage length\n", 1244 maxlen, 1245 ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse : 1246 0.0); 1247 1248 #define ENTRIES_PER_LINE 5 1249 1250 if (opts & OPT_VERBOSE) { 1251 PRINTF("\nCurrent bucket sizes :\n"); 1252 for (i = 0; i < ipsp->iss_state_size; i++) { 1253 if ((i % ENTRIES_PER_LINE) == 0) 1254 PRINTF("\t"); 1255 PRINTF("%4d -> %4u", i, buckets[i]); 1256 if ((i % ENTRIES_PER_LINE) == 1257 (ENTRIES_PER_LINE - 1)) 1258 PRINTF("\n"); 1259 else 1260 PRINTF(" "); 1261 } 1262 PRINTF("\n"); 1263 } 1264 PRINTF("\n"); 1265 1266 free(buckets); 1267 1268 if (live_kernel == 1) { 1269 showtqtable_live(state_fd); 1270 } else { 1271 printtqtable(ipsp->iss_tcptab); 1272 } 1273 } 1274 1275 1276 #ifdef STATETOP 1277 static int handle_resize = 0, handle_break = 0; 1278 1279 static void topipstates(i6addr_t saddr, i6addr_t daddr, int sport, int dport, 1280 int protocol, int ver, int refreshtime, int topclosed, int *filter) 1281 { 1282 char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; 1283 int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; 1284 int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0; 1285 int len, srclen, dstlen, forward = 1, c = 0; 1286 ips_stat_t ipsst, *ipsstp = &ipsst; 1287 int token_type = IPFGENITER_STATE; 1288 statetop_t *tstable = NULL, *tp; 1289 const char *errstr = ""; 1290 ipstate_t ips; 1291 ipfobj_t ipfo; 1292 struct timeval selecttimeout; 1293 char hostnm[HOSTNMLEN]; 1294 struct protoent *proto; 1295 fd_set readfd; 1296 time_t t; 1297 1298 /* install signal handlers */ 1299 signal(SIGINT, sig_break); 1300 signal(SIGQUIT, sig_break); 1301 signal(SIGTERM, sig_break); 1302 signal(SIGWINCH, sig_resize); 1303 1304 /* init ncurses stuff */ 1305 initscr(); 1306 cbreak(); 1307 noecho(); 1308 curs_set(0); 1309 timeout(0); 1310 getmaxyx(stdscr, maxy, maxx); 1311 1312 /* init hostname */ 1313 gethostname(hostnm, sizeof(hostnm) - 1); 1314 hostnm[sizeof(hostnm) - 1] = '\0'; 1315 1316 /* init ipfobj_t stuff */ 1317 bzero((caddr_t)&ipfo, sizeof(ipfo)); 1318 ipfo.ipfo_rev = IPFILTER_VERSION; 1319 ipfo.ipfo_type = IPFOBJ_STATESTAT; 1320 ipfo.ipfo_size = sizeof(*ipsstp); 1321 ipfo.ipfo_ptr = (void *)ipsstp; 1322 1323 /* repeat until user aborts */ 1324 while ( 1 ) { 1325 1326 /* get state table */ 1327 bzero((char *)&ipsst, sizeof(ipsst)); 1328 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { 1329 errstr = "ioctl(SIOCGETFS)"; 1330 ret = -1; 1331 goto out; 1332 } 1333 1334 /* clear the history */ 1335 tsentry = -1; 1336 1337 /* reset max str len */ 1338 srclen = dstlen = 0; 1339 1340 /* read the state table and store in tstable */ 1341 for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) { 1342 1343 ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips); 1344 if (ipsstp->iss_list == NULL) 1345 break; 1346 1347 if (ver != 0 && ips.is_v != ver) 1348 continue; 1349 1350 if ((filter != NULL) && 1351 (state_matcharray(&ips, filter) == 0)) 1352 continue; 1353 1354 /* check v4 src/dest addresses */ 1355 if (ips.is_v == 4) { 1356 if ((saddr.in4.s_addr != INADDR_ANY && 1357 saddr.in4.s_addr != ips.is_saddr) || 1358 (daddr.in4.s_addr != INADDR_ANY && 1359 daddr.in4.s_addr != ips.is_daddr)) 1360 continue; 1361 } 1362 #ifdef USE_INET6 1363 /* check v6 src/dest addresses */ 1364 if (ips.is_v == 6) { 1365 if ((IP6_NEQ(&saddr, &in6addr_any) && 1366 IP6_NEQ(&saddr, &ips.is_src)) || 1367 (IP6_NEQ(&daddr, &in6addr_any) && 1368 IP6_NEQ(&daddr, &ips.is_dst))) 1369 continue; 1370 } 1371 #endif 1372 /* check protocol */ 1373 if (protocol > 0 && protocol != ips.is_p) 1374 continue; 1375 1376 /* check ports if protocol is TCP or UDP */ 1377 if (((ips.is_p == IPPROTO_TCP) || 1378 (ips.is_p == IPPROTO_UDP)) && 1379 (((sport > 0) && (htons(sport) != ips.is_sport)) || 1380 ((dport > 0) && (htons(dport) != ips.is_dport)))) 1381 continue; 1382 1383 /* show closed TCP sessions ? */ 1384 if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) && 1385 (ips.is_state[0] >= IPF_TCPS_LAST_ACK) && 1386 (ips.is_state[1] >= IPF_TCPS_LAST_ACK)) 1387 continue; 1388 1389 /* 1390 * if necessary make room for this state 1391 * entry 1392 */ 1393 tsentry++; 1394 if (!maxtsentries || tsentry == maxtsentries) { 1395 maxtsentries += STGROWSIZE; 1396 tstable = reallocarray(tstable, maxtsentries, 1397 sizeof(statetop_t)); 1398 if (tstable == NULL) { 1399 perror("realloc"); 1400 exit(-1); 1401 } 1402 } 1403 1404 /* get max src/dest address string length */ 1405 len = strlen(getip(ips.is_v, &ips.is_src)); 1406 if (srclen < len) 1407 srclen = len; 1408 len = strlen(getip(ips.is_v, &ips.is_dst)); 1409 if (dstlen < len) 1410 dstlen = len; 1411 1412 /* fill structure */ 1413 tp = tstable + tsentry; 1414 tp->st_src = ips.is_src; 1415 tp->st_dst = ips.is_dst; 1416 tp->st_p = ips.is_p; 1417 tp->st_v = ips.is_v; 1418 tp->st_state[0] = ips.is_state[0]; 1419 tp->st_state[1] = ips.is_state[1]; 1420 if (forward) { 1421 tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1]; 1422 tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1]; 1423 } else { 1424 tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3]; 1425 tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3]; 1426 } 1427 tp->st_age = ips.is_die - ipsstp->iss_ticks; 1428 if ((ips.is_p == IPPROTO_TCP) || 1429 (ips.is_p == IPPROTO_UDP)) { 1430 tp->st_sport = ips.is_sport; 1431 tp->st_dport = ips.is_dport; 1432 } 1433 } 1434 1435 (void) ioctl(state_fd, SIOCIPFDELTOK, &token_type); 1436 1437 /* sort the array */ 1438 if (tsentry != -1) { 1439 switch (sorting) 1440 { 1441 case STSORT_PR: 1442 qsort(tstable, tsentry + 1, 1443 sizeof(statetop_t), sort_p); 1444 break; 1445 case STSORT_PKTS: 1446 qsort(tstable, tsentry + 1, 1447 sizeof(statetop_t), sort_pkts); 1448 break; 1449 case STSORT_BYTES: 1450 qsort(tstable, tsentry + 1, 1451 sizeof(statetop_t), sort_bytes); 1452 break; 1453 case STSORT_TTL: 1454 qsort(tstable, tsentry + 1, 1455 sizeof(statetop_t), sort_ttl); 1456 break; 1457 case STSORT_SRCIP: 1458 qsort(tstable, tsentry + 1, 1459 sizeof(statetop_t), sort_srcip); 1460 break; 1461 case STSORT_SRCPT: 1462 qsort(tstable, tsentry +1, 1463 sizeof(statetop_t), sort_srcpt); 1464 break; 1465 case STSORT_DSTIP: 1466 qsort(tstable, tsentry + 1, 1467 sizeof(statetop_t), sort_dstip); 1468 break; 1469 case STSORT_DSTPT: 1470 qsort(tstable, tsentry + 1, 1471 sizeof(statetop_t), sort_dstpt); 1472 break; 1473 default: 1474 break; 1475 } 1476 } 1477 1478 /* handle window resizes */ 1479 if (handle_resize) { 1480 endwin(); 1481 initscr(); 1482 cbreak(); 1483 noecho(); 1484 curs_set(0); 1485 timeout(0); 1486 getmaxyx(stdscr, maxy, maxx); 1487 redraw = 1; 1488 handle_resize = 0; 1489 } 1490 1491 /* stop program? */ 1492 if (handle_break) 1493 break; 1494 1495 /* print title */ 1496 erase(); 1497 attron(A_BOLD); 1498 winy = 0; 1499 move(winy,0); 1500 snprintf(str1, sizeof(str1), "%s - %s - state top", hostnm, IPL_VERSION); 1501 for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) 1502 printw(" "); 1503 printw("%s", str1); 1504 attroff(A_BOLD); 1505 1506 /* just for fun add a clock */ 1507 move(winy, maxx - 8); 1508 t = time(NULL); 1509 strftime(str1, 80, "%T", localtime(&t)); 1510 printw("%s\n", str1); 1511 1512 /* 1513 * print the display filters, this is placed in the loop, 1514 * because someday I might add code for changing these 1515 * while the programming is running :-) 1516 */ 1517 if (sport >= 0) 1518 snprintf(str1, sizeof(str1), "%s,%d", getip(ver, &saddr), sport); 1519 else 1520 snprintf(str1, sizeof(str1), "%s", getip(ver, &saddr)); 1521 1522 if (dport >= 0) 1523 snprintf(str2, sizeof(str2), "%s,%d", getip(ver, &daddr), dport); 1524 else 1525 snprintf(str2, sizeof(str2), "%s", getip(ver, &daddr)); 1526 1527 if (protocol < 0) 1528 strcpy(str3, "any"); 1529 else if ((proto = getprotobynumber(protocol)) != NULL) 1530 snprintf(str3, sizeof(str3), "%s", proto->p_name); 1531 else 1532 snprintf(str3, sizeof(str3), "%d", protocol); 1533 1534 switch (sorting) 1535 { 1536 case STSORT_PR: 1537 snprintf(str4, sizeof(str4), "proto"); 1538 break; 1539 case STSORT_PKTS: 1540 snprintf(str4, sizeof(str4), "# pkts"); 1541 break; 1542 case STSORT_BYTES: 1543 snprintf(str4, sizeof(str4), "# bytes"); 1544 break; 1545 case STSORT_TTL: 1546 snprintf(str4, sizeof(str4), "ttl"); 1547 break; 1548 case STSORT_SRCIP: 1549 snprintf(str4, sizeof(str4), "src ip"); 1550 break; 1551 case STSORT_SRCPT: 1552 snprintf(str4, sizeof(str4), "src port"); 1553 break; 1554 case STSORT_DSTIP: 1555 snprintf(str4, sizeof(str4), "dest ip"); 1556 break; 1557 case STSORT_DSTPT: 1558 snprintf(str4, sizeof(str4), "dest port"); 1559 break; 1560 default: 1561 snprintf(str4, sizeof(str4), "unknown"); 1562 break; 1563 } 1564 1565 if (reverse) 1566 strcat(str4, " (reverse)"); 1567 1568 winy += 2; 1569 move(winy,0); 1570 printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n", 1571 str1, str2, str3, str4); 1572 1573 /* 1574 * For an IPv4 IP address we need at most 15 characters, 1575 * 4 tuples of 3 digits, separated by 3 dots. Enforce this 1576 * length, so the colums do not change positions based 1577 * on the size of the IP address. This length makes the 1578 * output fit in a 80 column terminal. 1579 * We are lacking a good solution for IPv6 addresses (that 1580 * can be longer that 15 characters), so we do not enforce 1581 * a maximum on the IP field size. 1582 */ 1583 if (srclen < 15) 1584 srclen = 15; 1585 if (dstlen < 15) 1586 dstlen = 15; 1587 1588 /* print column description */ 1589 winy += 2; 1590 move(winy,0); 1591 attron(A_BOLD); 1592 printw("%-*s %-*s %3s %4s %7s %9s %9s\n", 1593 srclen + 6, "Source IP", dstlen + 6, "Destination IP", 1594 "ST", "PR", "#pkts", "#bytes", "ttl"); 1595 attroff(A_BOLD); 1596 1597 /* print all the entries */ 1598 tp = tstable; 1599 if (reverse) 1600 tp += tsentry; 1601 1602 if (tsentry > maxy - 6) 1603 tsentry = maxy - 6; 1604 for (i = 0; i <= tsentry; i++) { 1605 /* print src/dest and port */ 1606 if ((tp->st_p == IPPROTO_TCP) || 1607 (tp->st_p == IPPROTO_UDP)) { 1608 snprintf(str1, sizeof(str1), "%s,%hu", 1609 getip(tp->st_v, &tp->st_src), 1610 ntohs(tp->st_sport)); 1611 snprintf(str2, sizeof(str2), "%s,%hu", 1612 getip(tp->st_v, &tp->st_dst), 1613 ntohs(tp->st_dport)); 1614 } else { 1615 snprintf(str1, sizeof(str1), "%s", getip(tp->st_v, 1616 &tp->st_src)); 1617 snprintf(str2, sizeof(str2), "%s", getip(tp->st_v, 1618 &tp->st_dst)); 1619 } 1620 winy++; 1621 move(winy, 0); 1622 printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2); 1623 1624 /* print state */ 1625 snprintf(str1, sizeof(str1), "%X/%X", tp->st_state[0], 1626 tp->st_state[1]); 1627 printw(" %3s", str1); 1628 1629 /* print protocol */ 1630 proto = getprotobynumber(tp->st_p); 1631 if (proto) { 1632 strncpy(str1, proto->p_name, 4); 1633 str1[4] = '\0'; 1634 } else { 1635 snprintf(str1, sizeof(str1), "%d", tp->st_p); 1636 } 1637 /* just print icmp for IPv6-ICMP */ 1638 if (tp->st_p == IPPROTO_ICMPV6) 1639 strcpy(str1, "icmp"); 1640 printw(" %4s", str1); 1641 1642 /* print #pkt/#bytes */ 1643 #ifdef USE_QUAD_T 1644 printw(" %7qu %9qu", (unsigned long long) tp->st_pkts, 1645 (unsigned long long) tp->st_bytes); 1646 #else 1647 printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes); 1648 #endif 1649 printw(" %9s", ttl_to_string(tp->st_age)); 1650 1651 if (reverse) 1652 tp--; 1653 else 1654 tp++; 1655 } 1656 1657 /* screen data structure is filled, now update the screen */ 1658 if (redraw) 1659 clearok(stdscr,1); 1660 1661 if (refresh() == ERR) 1662 break; 1663 if (redraw) { 1664 clearok(stdscr,0); 1665 redraw = 0; 1666 } 1667 1668 /* wait for key press or a 1 second time out period */ 1669 selecttimeout.tv_sec = refreshtime; 1670 selecttimeout.tv_usec = 0; 1671 FD_ZERO(&readfd); 1672 FD_SET(0, &readfd); 1673 select(1, &readfd, NULL, NULL, &selecttimeout); 1674 1675 /* if key pressed, read all waiting keys */ 1676 if (FD_ISSET(0, &readfd)) { 1677 c = wgetch(stdscr); 1678 if (c == ERR) 1679 continue; 1680 1681 if (ISALPHA(c) && ISUPPER(c)) 1682 c = TOLOWER(c); 1683 if (c == 'l') { 1684 redraw = 1; 1685 } else if (c == 'q') { 1686 break; 1687 } else if (c == 'r') { 1688 reverse = !reverse; 1689 } else if (c == 'b') { 1690 forward = 0; 1691 } else if (c == 'f') { 1692 forward = 1; 1693 } else if (c == 's') { 1694 if (++sorting > STSORT_MAX) 1695 sorting = 0; 1696 } 1697 } 1698 } /* while */ 1699 1700 out: 1701 printw("\n"); 1702 curs_set(1); 1703 /* nocbreak(); XXX - endwin() should make this redundant */ 1704 endwin(); 1705 1706 free(tstable); 1707 if (ret != 0) 1708 perror(errstr); 1709 } 1710 #endif 1711 1712 1713 /* 1714 * Show fragment cache information that's held in the kernel. 1715 */ 1716 static void showfrstates(ipfrstat_t *ifsp, u_long ticks) 1717 { 1718 struct ipfr *ipfrtab[IPFT_SIZE], ifr; 1719 int i; 1720 1721 /* 1722 * print out the numeric statistics 1723 */ 1724 PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n", 1725 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits); 1726 PRINTF("%lu\tretrans\n%lu\ttoo short\n", 1727 ifsp->ifs_retrans0, ifsp->ifs_short); 1728 PRINTF("%lu\tno memory\n%lu\talready exist\n", 1729 ifsp->ifs_nomem, ifsp->ifs_exists); 1730 PRINTF("%lu\tinuse\n", ifsp->ifs_inuse); 1731 PRINTF("\n"); 1732 1733 if (live_kernel == 0) { 1734 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, 1735 sizeof(ipfrtab))) 1736 return; 1737 } 1738 1739 /* 1740 * Print out the contents (if any) of the fragment cache table. 1741 */ 1742 if (live_kernel == 1) { 1743 do { 1744 if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0) 1745 break; 1746 if (ifr.ipfr_ifp == NULL) 1747 break; 1748 ifr.ipfr_ttl -= ticks; 1749 printfraginfo("", &ifr); 1750 } while (ifr.ipfr_next != NULL); 1751 } else { 1752 for (i = 0; i < IPFT_SIZE; i++) 1753 while (ipfrtab[i] != NULL) { 1754 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], 1755 sizeof(ifr)) == -1) 1756 break; 1757 printfraginfo("", &ifr); 1758 ipfrtab[i] = ifr.ipfr_next; 1759 } 1760 } 1761 /* 1762 * Print out the contents (if any) of the NAT fragment cache table. 1763 */ 1764 1765 if (live_kernel == 0) { 1766 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab, 1767 sizeof(ipfrtab))) 1768 return; 1769 } 1770 1771 if (live_kernel == 1) { 1772 do { 1773 if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0) 1774 break; 1775 if (ifr.ipfr_ifp == NULL) 1776 break; 1777 ifr.ipfr_ttl -= ticks; 1778 printfraginfo("NAT: ", &ifr); 1779 } while (ifr.ipfr_next != NULL); 1780 } else { 1781 for (i = 0; i < IPFT_SIZE; i++) 1782 while (ipfrtab[i] != NULL) { 1783 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], 1784 sizeof(ifr)) == -1) 1785 break; 1786 printfraginfo("NAT: ", &ifr); 1787 ipfrtab[i] = ifr.ipfr_next; 1788 } 1789 } 1790 } 1791 1792 1793 /* 1794 * Show stats on how auth within IPFilter has been used 1795 */ 1796 static void showauthstates(ipf_authstat_t *asp) 1797 { 1798 frauthent_t *frap, fra; 1799 ipfgeniter_t auth; 1800 ipfobj_t obj; 1801 1802 obj.ipfo_rev = IPFILTER_VERSION; 1803 obj.ipfo_type = IPFOBJ_GENITER; 1804 obj.ipfo_size = sizeof(auth); 1805 obj.ipfo_ptr = &auth; 1806 1807 auth.igi_type = IPFGENITER_AUTH; 1808 auth.igi_nitems = 1; 1809 auth.igi_data = &fra; 1810 1811 #ifdef USE_QUAD_T 1812 printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n", 1813 (unsigned long long) asp->fas_hits, 1814 (unsigned long long) asp->fas_miss); 1815 #else 1816 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits, 1817 asp->fas_miss); 1818 #endif 1819 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n", 1820 asp->fas_nospace, asp->fas_added, asp->fas_sendfail, 1821 asp->fas_sendok); 1822 printf("queok %ld\nquefail %ld\nexpire %ld\n", 1823 asp->fas_queok, asp->fas_quefail, asp->fas_expire); 1824 1825 frap = asp->fas_faelist; 1826 while (frap) { 1827 if (live_kernel == 1) { 1828 if (ioctl(auth_fd, SIOCGENITER, &obj)) 1829 break; 1830 } else { 1831 if (kmemcpy((char *)&fra, (u_long)frap, 1832 sizeof(fra)) == -1) 1833 break; 1834 } 1835 printf("age %ld\t", fra.fae_age); 1836 printfr(&fra.fae_fr, ioctl); 1837 frap = fra.fae_next; 1838 } 1839 } 1840 1841 1842 /* 1843 * Display groups used for each of filter rules, accounting rules and 1844 * authentication, separately. 1845 */ 1846 static void showgroups(struct friostat *fiop) 1847 { 1848 static char *gnames[3] = { "Filter", "Accounting", "Authentication" }; 1849 static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH }; 1850 frgroup_t *fp, grp; 1851 int on, off, i; 1852 1853 on = fiop->f_active; 1854 off = 1 - on; 1855 1856 for (i = 0; i < 3; i++) { 1857 printf("%s groups (active):\n", gnames[i]); 1858 for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL; 1859 fp = grp.fg_next) 1860 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) 1861 break; 1862 else 1863 printf("%s\n", grp.fg_name); 1864 printf("%s groups (inactive):\n", gnames[i]); 1865 for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL; 1866 fp = grp.fg_next) 1867 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) 1868 break; 1869 else 1870 printf("%s\n", grp.fg_name); 1871 } 1872 } 1873 1874 1875 static void parse_ipportstr(const char *argument, i6addr_t *ip, int *port) 1876 { 1877 char *s, *comma; 1878 int ok = 0; 1879 1880 /* make working copy of argument, Theoretically you must be able 1881 * to write to optarg, but that seems very ugly to me.... 1882 */ 1883 s = strdup(argument); 1884 if (s == NULL) 1885 return; 1886 1887 /* get port */ 1888 if ((comma = strchr(s, ',')) != NULL) { 1889 if (!strcasecmp(comma + 1, "any")) { 1890 *port = -1; 1891 } else if (!sscanf(comma + 1, "%d", port) || 1892 (*port < 0) || (*port > 65535)) { 1893 fprintf(stderr, "Invalid port specification in %s\n", 1894 argument); 1895 free(s); 1896 exit(-2); 1897 } 1898 *comma = '\0'; 1899 } 1900 1901 1902 /* get ip address */ 1903 if (!strcasecmp(s, "any")) { 1904 ip->in4.s_addr = INADDR_ANY; 1905 ok = 1; 1906 #ifdef USE_INET6 1907 ip->in6 = in6addr_any; 1908 } else if (use_inet6 && !use_inet4 && inet_pton(AF_INET6, s, &ip->in6)) { 1909 ok = 1; 1910 #endif 1911 } else if (inet_aton(s, &ip->in4)) 1912 ok = 1; 1913 1914 if (ok == 0) { 1915 fprintf(stderr, "Invalid IP address: %s\n", s); 1916 free(s); 1917 exit(-2); 1918 } 1919 1920 /* free allocated memory */ 1921 free(s); 1922 } 1923 1924 1925 #ifdef STATETOP 1926 static void sig_resize(int s) 1927 { 1928 handle_resize = 1; 1929 } 1930 1931 static void sig_break(int s) 1932 { 1933 handle_break = 1; 1934 } 1935 1936 static char *getip(int v, i6addr_t *addr) 1937 { 1938 #ifdef USE_INET6 1939 static char hostbuf[MAXHOSTNAMELEN+1]; 1940 #endif 1941 1942 if (v == 0) 1943 return ("any"); 1944 1945 if (v == 4) 1946 return (inet_ntoa(addr->in4)); 1947 1948 #ifdef USE_INET6 1949 (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1); 1950 hostbuf[MAXHOSTNAMELEN] = '\0'; 1951 return (hostbuf); 1952 #else 1953 return ("IPv6"); 1954 #endif 1955 } 1956 1957 1958 static char *ttl_to_string(long int ttl) 1959 { 1960 static char ttlbuf[STSTRSIZE]; 1961 int hours, minutes, seconds; 1962 1963 /* ttl is in half seconds */ 1964 ttl /= 2; 1965 1966 hours = ttl / 3600; 1967 ttl = ttl % 3600; 1968 minutes = ttl / 60; 1969 seconds = ttl % 60; 1970 1971 if (hours > 0) 1972 snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d:%02d", hours, minutes, seconds); 1973 else 1974 snprintf(ttlbuf, sizeof(ttlbuf), "%2d:%02d", minutes, seconds); 1975 return (ttlbuf); 1976 } 1977 1978 1979 static int sort_pkts(const void *a, const void *b) 1980 { 1981 1982 register const statetop_t *ap = a; 1983 register const statetop_t *bp = b; 1984 1985 if (ap->st_pkts == bp->st_pkts) 1986 return (0); 1987 else if (ap->st_pkts < bp->st_pkts) 1988 return (1); 1989 return (-1); 1990 } 1991 1992 1993 static int sort_bytes(const void *a, const void *b) 1994 { 1995 register const statetop_t *ap = a; 1996 register const statetop_t *bp = b; 1997 1998 if (ap->st_bytes == bp->st_bytes) 1999 return (0); 2000 else if (ap->st_bytes < bp->st_bytes) 2001 return (1); 2002 return (-1); 2003 } 2004 2005 2006 static int sort_p(const void *a, const void *b) 2007 { 2008 register const statetop_t *ap = a; 2009 register const statetop_t *bp = b; 2010 2011 if (ap->st_p == bp->st_p) 2012 return (0); 2013 else if (ap->st_p < bp->st_p) 2014 return (1); 2015 return (-1); 2016 } 2017 2018 2019 static int sort_ttl(const void *a, const void *b) 2020 { 2021 register const statetop_t *ap = a; 2022 register const statetop_t *bp = b; 2023 2024 if (ap->st_age == bp->st_age) 2025 return (0); 2026 else if (ap->st_age < bp->st_age) 2027 return (1); 2028 return (-1); 2029 } 2030 2031 static int sort_srcip(const void *a, const void *b) 2032 { 2033 register const statetop_t *ap = a; 2034 register const statetop_t *bp = b; 2035 2036 #ifdef USE_INET6 2037 if (use_inet6 && !use_inet4) { 2038 if (IP6_EQ(&ap->st_src, &bp->st_src)) 2039 return (0); 2040 else if (IP6_GT(&ap->st_src, &bp->st_src)) 2041 return (1); 2042 } else 2043 #endif 2044 { 2045 if (ntohl(ap->st_src.in4.s_addr) == 2046 ntohl(bp->st_src.in4.s_addr)) 2047 return (0); 2048 else if (ntohl(ap->st_src.in4.s_addr) > 2049 ntohl(bp->st_src.in4.s_addr)) 2050 return (1); 2051 } 2052 return (-1); 2053 } 2054 2055 static int sort_srcpt(const void *a, const void *b) 2056 { 2057 register const statetop_t *ap = a; 2058 register const statetop_t *bp = b; 2059 2060 if (htons(ap->st_sport) == htons(bp->st_sport)) 2061 return (0); 2062 else if (htons(ap->st_sport) > htons(bp->st_sport)) 2063 return (1); 2064 return (-1); 2065 } 2066 2067 static int sort_dstip(const void *a, const void *b) 2068 { 2069 register const statetop_t *ap = a; 2070 register const statetop_t *bp = b; 2071 2072 #ifdef USE_INET6 2073 if (use_inet6 && !use_inet4) { 2074 if (IP6_EQ(&ap->st_dst, &bp->st_dst)) 2075 return (0); 2076 else if (IP6_GT(&ap->st_dst, &bp->st_dst)) 2077 return (1); 2078 } else 2079 #endif 2080 { 2081 if (ntohl(ap->st_dst.in4.s_addr) == 2082 ntohl(bp->st_dst.in4.s_addr)) 2083 return (0); 2084 else if (ntohl(ap->st_dst.in4.s_addr) > 2085 ntohl(bp->st_dst.in4.s_addr)) 2086 return (1); 2087 } 2088 return (-1); 2089 } 2090 2091 static int sort_dstpt(const void *a, const void *b) 2092 { 2093 register const statetop_t *ap = a; 2094 register const statetop_t *bp = b; 2095 2096 if (htons(ap->st_dport) == htons(bp->st_dport)) 2097 return (0); 2098 else if (htons(ap->st_dport) > htons(bp->st_dport)) 2099 return (1); 2100 return (-1); 2101 } 2102 2103 #endif 2104 2105 2106 ipstate_t *fetchstate(ipstate_t *src, ipstate_t *dst) 2107 { 2108 2109 if (live_kernel == 1) { 2110 ipfgeniter_t state; 2111 ipfobj_t obj; 2112 2113 obj.ipfo_rev = IPFILTER_VERSION; 2114 obj.ipfo_type = IPFOBJ_GENITER; 2115 obj.ipfo_size = sizeof(state); 2116 obj.ipfo_ptr = &state; 2117 2118 state.igi_type = IPFGENITER_STATE; 2119 state.igi_nitems = 1; 2120 state.igi_data = dst; 2121 2122 if (ioctl(state_fd, SIOCGENITER, &obj) != 0) 2123 return (NULL); 2124 if (dst->is_next == NULL) { 2125 int n = IPFGENITER_STATE; 2126 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &n); 2127 } 2128 } else { 2129 if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst))) 2130 return (NULL); 2131 } 2132 return (dst); 2133 } 2134 2135 2136 static int fetchfrag( int fd, int type, ipfr_t *frp) 2137 { 2138 ipfgeniter_t frag; 2139 ipfobj_t obj; 2140 2141 obj.ipfo_rev = IPFILTER_VERSION; 2142 obj.ipfo_type = IPFOBJ_GENITER; 2143 obj.ipfo_size = sizeof(frag); 2144 obj.ipfo_ptr = &frag; 2145 2146 frag.igi_type = type; 2147 frag.igi_nitems = 1; 2148 frag.igi_data = frp; 2149 2150 if (ioctl(fd, SIOCGENITER, &obj)) 2151 return (EFAULT); 2152 return (0); 2153 } 2154 2155 2156 static int state_matcharray(ipstate_t *stp, int *array) 2157 { 2158 int i, n, *x, rv, p; 2159 ipfexp_t *e; 2160 2161 rv = 0; 2162 2163 for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) { 2164 e = (ipfexp_t *)x; 2165 if (e->ipfe_cmd == IPF_EXP_END) 2166 break; 2167 n -= e->ipfe_size; 2168 2169 rv = 0; 2170 /* 2171 * The upper 16 bits currently store the protocol value. 2172 * This is currently used with TCP and UDP port compares and 2173 * allows "tcp.port = 80" without requiring an explicit 2174 " "ip.pr = tcp" first. 2175 */ 2176 p = e->ipfe_cmd >> 16; 2177 if ((p != 0) && (p != stp->is_p)) 2178 break; 2179 2180 switch (e->ipfe_cmd) 2181 { 2182 case IPF_EXP_IP_PR : 2183 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2184 rv |= (stp->is_p == e->ipfe_arg0[i]); 2185 } 2186 break; 2187 2188 case IPF_EXP_IP_SRCADDR : 2189 if (stp->is_v != 4) 2190 break; 2191 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2192 rv |= ((stp->is_saddr & 2193 e->ipfe_arg0[i * 2 + 1]) == 2194 e->ipfe_arg0[i * 2]); 2195 } 2196 break; 2197 2198 case IPF_EXP_IP_DSTADDR : 2199 if (stp->is_v != 4) 2200 break; 2201 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2202 rv |= ((stp->is_daddr & 2203 e->ipfe_arg0[i * 2 + 1]) == 2204 e->ipfe_arg0[i * 2]); 2205 } 2206 break; 2207 2208 case IPF_EXP_IP_ADDR : 2209 if (stp->is_v != 4) 2210 break; 2211 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2212 rv |= ((stp->is_saddr & 2213 e->ipfe_arg0[i * 2 + 1]) == 2214 e->ipfe_arg0[i * 2]) || 2215 ((stp->is_daddr & 2216 e->ipfe_arg0[i * 2 + 1]) == 2217 e->ipfe_arg0[i * 2]); 2218 } 2219 break; 2220 2221 #ifdef USE_INET6 2222 case IPF_EXP_IP6_SRCADDR : 2223 if (stp->is_v != 6) 2224 break; 2225 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2226 rv |= IP6_MASKEQ(&stp->is_src, 2227 &e->ipfe_arg0[i * 8 + 4], 2228 &e->ipfe_arg0[i * 8]); 2229 } 2230 break; 2231 2232 case IPF_EXP_IP6_DSTADDR : 2233 if (stp->is_v != 6) 2234 break; 2235 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2236 rv |= IP6_MASKEQ(&stp->is_dst, 2237 &e->ipfe_arg0[i * 8 + 4], 2238 &e->ipfe_arg0[i * 8]); 2239 } 2240 break; 2241 2242 case IPF_EXP_IP6_ADDR : 2243 if (stp->is_v != 6) 2244 break; 2245 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2246 rv |= IP6_MASKEQ(&stp->is_src, 2247 &e->ipfe_arg0[i * 8 + 4], 2248 &e->ipfe_arg0[i * 8]) || 2249 IP6_MASKEQ(&stp->is_dst, 2250 &e->ipfe_arg0[i * 8 + 4], 2251 &e->ipfe_arg0[i * 8]); 2252 } 2253 break; 2254 #endif 2255 2256 case IPF_EXP_UDP_PORT : 2257 case IPF_EXP_TCP_PORT : 2258 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2259 rv |= (stp->is_sport == e->ipfe_arg0[i]) || 2260 (stp->is_dport == e->ipfe_arg0[i]); 2261 } 2262 break; 2263 2264 case IPF_EXP_UDP_SPORT : 2265 case IPF_EXP_TCP_SPORT : 2266 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2267 rv |= (stp->is_sport == e->ipfe_arg0[i]); 2268 } 2269 break; 2270 2271 case IPF_EXP_UDP_DPORT : 2272 case IPF_EXP_TCP_DPORT : 2273 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2274 rv |= (stp->is_dport == e->ipfe_arg0[i]); 2275 } 2276 break; 2277 2278 case IPF_EXP_IDLE_GT : 2279 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2280 rv |= (stp->is_die < e->ipfe_arg0[i]); 2281 } 2282 break; 2283 2284 case IPF_EXP_TCP_STATE : 2285 for (i = 0; !rv && i < e->ipfe_narg; i++) { 2286 rv |= (stp->is_state[0] == e->ipfe_arg0[i]) || 2287 (stp->is_state[1] == e->ipfe_arg0[i]); 2288 } 2289 break; 2290 } 2291 rv ^= e->ipfe_not; 2292 2293 if (rv == 0) 2294 break; 2295 } 2296 2297 return (rv); 2298 } 2299 2300 2301 static void showtqtable_live(int fd) 2302 { 2303 ipftq_t table[IPF_TCP_NSTATES]; 2304 ipfobj_t obj; 2305 2306 bzero((char *)&obj, sizeof(obj)); 2307 obj.ipfo_rev = IPFILTER_VERSION; 2308 obj.ipfo_size = sizeof(table); 2309 obj.ipfo_ptr = (void *)table; 2310 obj.ipfo_type = IPFOBJ_STATETQTAB; 2311 2312 if (ioctl(fd, SIOCGTQTAB, &obj) == 0) { 2313 printtqtable(table); 2314 } 2315 } 2316