/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
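*/

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <netinet/sctp.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void print_name(struct pf_addr *, sa_family_t);

/*
 * Print a pf address wrapper to stdout in pfctl rule syntax: a dynamic
 * interface "(ifname:flags)", a table "<name>", a range "lo - hi", an
 * address/mask (or "any"), or one of the keywords "no-route" /
 * "urpf-failed".  Unknown types print "?".
 *
 * addr    - the wrapper to print; not modified.
 * af      - address family used to render the raw address bytes.
 * verbose - non-zero also prints the dynamic-address count (dynamic
 *           interfaces) or table entry count (tables); "*" stands for an
 *           unknown count.
 *
 * For interface and address/mask types a "/bits" prefix length is appended
 * unless the mask is a full host mask for "af".
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			/* A non-positive count is rendered as "*". */
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* Braces make the else binding explicit (dangling-else). */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else {
			printf("<%s>", addr->v.tblname);
		}
		return;
	case PF_ADDR_RANGE:
		/* For a range the "mask" field holds the upper bound. */
		print_addr_str(af, &addr->v.a.addr);
		printf(" - ");
		print_addr_str(af, &addr->v.a.mask);
		break;
	case PF_ADDR_ADDRMASK:
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else
			print_addr_str(af, &addr->v.a.addr);
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	default:
		printf("?");
		return;
	}

	/*
	 * Append the prefix length unless this was a range (no mask) or
	 * _both_ address and mask are zero ("any").  A full host mask for
	 * the family prints nothing.
	 */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask);

		if (bits < (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print one raw pf_addr of family "af" in presentation form, or "?" when
 * inet_ntop() rejects it (for example an unsupported family).
 */
void
print_addr_str(sa_family_t af, struct pf_addr *addr)
{
	char buf[48];

	if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL)
		printf("?");
	else
		printf("%s", buf);
}

/*
 * Print the reverse-DNS name of "addr", or "?" if the lookup fails.
 * AF_INET is handled as IPv4; any other "af" is treated as IPv6.
 * NI_NOFQDN asks for the host part only.
 *
 * The sin_len/sin6_len fields overlay ss_len, which is what getnameinfo()
 * receives as the socket address length.
 *
 * NOTE(review): the name is whatever the resolver answered and is printed
 * verbatim; nothing here filters control or escape characters, so consumers
 * of this output should treat it as untrusted data.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	struct sockaddr_storage ss;
	struct sockaddr_in *sin;
	struct sockaddr_in6 *sin6;
	char host[NI_MAXHOST];

	memset(&ss, 0, sizeof(ss));
	ss.ss_family = af;
	if (ss.ss_family == AF_INET) {
		sin = (struct sockaddr_in *)&ss;
		sin->sin_len = sizeof(*sin);
		sin->sin_addr = addr->v4;
	} else {
		sin6 = (struct sockaddr_in6 *)&ss;
		sin6->sin6_len = sizeof(*sin6);
		sin6->sin6_addr = addr->v6;
	}

	if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host, sizeof(host),
	    NULL, 0, NI_NOFQDN) != 0)
		printf("?");
	else
		printf("%s", host);
}

/*
 * Print an address/port pair as it appears in state listings.
 *
 * addr - raw address; printed as a host mask (no "/bits") or, when
 *        PF_OPT_USEDNS is set in "opts", as its reverse-DNS name.
 * port - port in network byte order; 0 suppresses the port entirely.
 * af   - address family; selects ":port" (IPv4) or "[port]" (other).
 * opts - pfctl option bits; PF_OPT_VERBOSE2 is forwarded to print_addr().
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	struct pf_addr_wrap aw;

	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		/* Wrap as address + all-ones mask so no prefix is printed. */
		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a peer's TCP sequence window as "[seqlo + window]", followed by
 * "(+seqdiff)" when a sequence modulator offset is in effect.
 */
void
print_seq(struct pfctl_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", p->seqlo,
		    p->seqhi - p->seqlo, p->seqdiff);
	else
		printf("[%u + %u]", p->seqlo,
		    p->seqhi - p->seqlo);
}

/*
 * Map an SCTP_* association state to its printable name; "?" for values
 * this table does not know.
 */
static const char *
sctp_state_name(int state)
{
	switch (state) {
	case SCTP_CLOSED:
		return ("CLOSED");
	case SCTP_BOUND:
		return ("BOUND");
	case SCTP_LISTEN:
		return ("LISTEN");
	case SCTP_COOKIE_WAIT:
		return ("COOKIE_WAIT");
	case SCTP_COOKIE_ECHOED:
		return ("COOKIE_ECHOED");
	case SCTP_ESTABLISHED:
		return ("ESTABLISHED");
	case SCTP_SHUTDOWN_SENT:
		return ("SHUTDOWN_SENT");
	case SCTP_SHUTDOWN_RECEIVED:
		return ("SHUTDOWN_RECEIVED");
	case SCTP_SHUTDOWN_ACK_SENT:
		return ("SHUTDOWN_ACK_SENT");
	case SCTP_SHUTDOWN_PENDING:
		return ("SHUTDOWN_PENDING");
	default:
		return ("?");
	}
}

/*
 * Print one pf state entry in "pfctl -s states" format.
 *
 * s    - the state to print.
 * opts - pfctl option bits.  PF_OPT_VERBOSE adds the per-peer sequence
 *        windows (TCP), age/expiry, counters and rule/flag details on
 *        extra lines; PF_OPT_VERBOSE2 adds the id/creatorid, routing and
 *        original-interface lines.  PF_OPT_USEDNS is forwarded to
 *        print_host().
 *
 * The first line is "ifname proto src[(translated)] -> dst[(translated)]
 * state:state".  Translated endpoints are shown in parentheses whenever the
 * wire and stack keys differ in family, address or port.  For ICMP the
 * relevant stack-side port is copied from the wire side before the
 * comparison, presumably so an ICMP id does not read as a translation.
 *
 * Side effect: on platforms that define __NO_STRICT_ALIGNMENT, "key"
 * points directly into *s, so that ICMP port copy modifies the caller's
 * state; elsewhere it modifies a local aligned copy only.
 */
void
print_state(struct pfctl_state *s, int opts)
{
	struct pfctl_state_peer *src, *dst;
	struct pfctl_state_key *key, *sk, *nk;
	const char *protoname;
	sa_family_t af;
	uint8_t proto;
	/* Non-zero when the stack and wire keys carry different families. */
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;
	const char *sn_type_names[] = PF_SN_TYPE_NAMES;
#ifndef __NO_STRICT_ALIGNMENT
	struct pfctl_state_key aligned_key[2];

	/* Work on an aligned copy where unaligned access would trap. */
	memcpy(aligned_key, &s->key, sizeof(aligned_key));
	key = aligned_key;
#else
	key = s->key;
#endif

	af = s->key[PF_SK_WIRE].af;
	proto = s->key[PF_SK_WIRE].proto;

	/*
	 * Pick which key is "near" (nk) and which is "far" (sk) and which
	 * peer is the initiator, depending on the state's direction.
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &key[PF_SK_STACK];
		nk = &key[PF_SK_WIRE];
		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &key[PF_SK_WIRE];
		nk = &key[PF_SK_STACK];
		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((protoname = pfctl_proto2name(proto)) != NULL)
		printf("%s ", protoname);
	else
		printf("%u ", proto);

	print_host(&nk->addr[1], nk->port[1], nk->af, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1]) {
		/* With af-to translation the endpoints swap sides. */
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    opts);
		printf(")");
	}
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], nk->af, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0]) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    opts);
		printf(")");
	}

	printf(" ");
	if (proto == IPPROTO_TCP) {
		/*
		 * Real TCP states index tcpstates[]; the proxy pseudo-states
		 * are printed by name; anything else is flagged as bad.
		 */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (proto == IPPROTO_SCTP) {
		printf(" %s:%s\n", sctp_state_name(src->state),
		    sctp_state_name(dst->state));
#ifndef INET6
	} else if (proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
#else
	} else if (proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
#endif
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* ICMP, or a state value outside the known tables. */
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int32_t creation = s->creation;
		u_int32_t expire = s->expire;
		/* Unsigned so the types match the "%u" conversions below. */
		u_int32_t min, sec;

		/* Both counters are split as seconds into h:mm:ss. */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf(" age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		printf(", %ju:%ju pkts, %ju:%ju bytes",
		    s->packets[0],
		    s->packets[1],
		    s->bytes[0],
		    s->bytes[1]);
		/* -1 marks "no anchor" / "no rule". */
		if (s->anchor != -1)
			printf(", anchor %u", s->anchor);
		if (s->rule != -1)
			printf(", rule %u", s->rule);
		if (s->state_flags & PFSTATE_ALLOWOPTS)
			printf(", allow-opts");
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->state_flags & PFSTATE_NOSYNC)
			printf(", no-sync");
		if (s->state_flags & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->state_flags & PFSTATE_ACK)
			printf(", psync-ack");
		if (s->state_flags & PFSTATE_NODF)
			printf(", no-df");
		if (s->state_flags & PFSTATE_SETTOS)
			printf(", set-tos 0x%2.2x", s->set_tos);
		if (s->state_flags & PFSTATE_RANDOMID)
			printf(", random-id");
		if (s->state_flags & PFSTATE_SCRUB_TCP)
			printf(", reassemble-tcp");
		if (s->state_flags & PFSTATE_SETPRIO)
			printf(", set-prio (0x%02x 0x%02x)",
			    s->set_prio[0], s->set_prio[1]);
		if (s->dnpipe || s->dnrpipe) {
			if (s->state_flags & PFSTATE_DN_IS_PIPE)
				printf(", dummynet pipe (%d %d)",
				    s->dnpipe, s->dnrpipe);
			if (s->state_flags & PFSTATE_DN_IS_QUEUE)
				printf(", dummynet queue (%d %d)",
				    s->dnpipe, s->dnrpipe);
		}
		if (s->src_node_flags & PFSTATE_SRC_NODE_LIMIT)
			printf(", %s", sn_type_names[PF_SN_LIMIT]);
		if (s->src_node_flags & PFSTATE_SRC_NODE_LIMIT_GLOBAL)
			printf(" global");
		if (s->src_node_flags & PFSTATE_SRC_NODE_NAT)
			printf(", %s", sn_type_names[PF_SN_NAT]);
		if (s->src_node_flags & PFSTATE_SRC_NODE_ROUTE)
			printf(", %s", sn_type_names[PF_SN_ROUTE]);
		if (s->log)
			printf(", log");
		if (s->log & PF_LOG_ALL)
			printf(" (all)");
		if (s->min_ttl)
			printf(", min-ttl %d", s->min_ttl);
		if (s->max_mss)
			printf(", max-mss %d", s->max_mss);
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		/* Copy rather than read s->id in place: it may be unaligned. */
		memcpy(&id, &s->id, sizeof(id));
		printf(" id: %016jx creatorid: %08x", id, s->creatorid);
		if (s->rt) {
			switch (s->rt) {
			case PF_ROUTETO:
				printf(" route-to: ");
				break;
			case PF_DUPTO:
				printf(" dup-to: ");
				break;
			case PF_REPLYTO:
				printf(" reply-to: ");
				break;
			default:
				printf(" gateway: ");
			}
			print_host(&s->rt_addr, 0, af, opts);
			if (s->rt_ifname[0])
				printf("@%s", s->rt_ifname);
		}
		if (s->rtableid != -1)
			printf(" rtable: %d", s->rtableid);
		printf("\n");

		if (strcmp(s->ifname, s->orig_ifname) != 0)
			printf(" origif: %s\n", s->orig_ifname);
	}
}

/*
 * Count the leading one bits of a (contiguous) network mask, i.e. its
 * prefix length.  All four 32-bit words are examined, so an IPv4 mask with
 * zeroed upper words yields 0..32 and an IPv6 mask 0..128.
 *
 * m - mask in network byte order; not modified.
 *
 * Whole all-ones words are counted 32 at a time; the first partial word is
 * converted to host order and scanned from its top bit.  That word cannot
 * be all ones (the while loop would have consumed it), so the scan stops
 * before the shift count reaches -1.  The shift uses an unsigned constant:
 * 1 << 31 would overflow a signed int and is undefined behaviour.
 */
int
unmask(struct pf_addr *m)
{
	int j = 0, b = 0;
	uint32_t tmp;

	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		tmp = ntohl(m->addr32[j]);
		for (int i = 31; tmp & (1U << i); --i)
			b++;
	}
	return (b);
}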