xref: /freebsd/sbin/pfctl/pf_print_state.c (revision bdd1243df58e60e85101c09001d9812a789b6bc4) 
1 /*	$OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $	*/
2 
3 /*-
4  * SPDX-License-Identifier: BSD-2-Clause
5  *
6  * Copyright (c) 2001 Daniel Hartmeier
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  *    - Redistributions of source code must retain the above copyright
14  *      notice, this list of conditions and the following disclaimer.
15  *    - Redistributions in binary form must reproduce the above
16  *      copyright notice, this list of conditions and the following
17  *      disclaimer in the documentation and/or other materials provided
18  *      with the distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31  * POSSIBILITY OF SUCH DAMAGE.
32  *
33  */
34 
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37 
38 #include <sys/types.h>
39 #include <sys/socket.h>
40 #include <sys/endian.h>
41 #include <net/if.h>
42 #define TCPSTATES
43 #include <netinet/tcp_fsm.h>
44 #include <net/pfvar.h>
45 #include <arpa/inet.h>
46 #include <netdb.h>
47 
48 #include <stdint.h>
49 #include <stdio.h>
50 #include <string.h>
51 
52 #include "pfctl_parser.h"
53 #include "pfctl.h"
54 
55 void	print_name(struct pf_addr *, sa_family_t);
56 
57 void
58 print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
59 {
60 	switch (addr->type) {
61 	case PF_ADDR_DYNIFTL:
62 		printf("(%s", addr->v.ifname);
63 		if (addr->iflags & PFI_AFLAG_NETWORK)
64 			printf(":network");
65 		if (addr->iflags & PFI_AFLAG_BROADCAST)
66 			printf(":broadcast");
67 		if (addr->iflags & PFI_AFLAG_PEER)
68 			printf(":peer");
69 		if (addr->iflags & PFI_AFLAG_NOALIAS)
70 			printf(":0");
71 		if (verbose) {
72 			if (addr->p.dyncnt <= 0)
73 				printf(":*");
74 			else
75 				printf(":%d", addr->p.dyncnt);
76 		}
77 		printf(")");
78 		break;
79 	case PF_ADDR_TABLE:
80 		if (verbose)
81 			if (addr->p.tblcnt == -1)
82 				printf("<%s:*>", addr->v.tblname);
83 			else
84 				printf("<%s:%d>", addr->v.tblname,
85 				    addr->p.tblcnt);
86 		else
87 			printf("<%s>", addr->v.tblname);
88 		return;
89 	case PF_ADDR_RANGE: {
90 		char buf[48];
91 
92 		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
93 			printf("?");
94 		else
95 			printf("%s", buf);
96 		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
97 			printf(" - ?");
98 		else
99 			printf(" - %s", buf);
100 		break;
101 	}
102 	case PF_ADDR_ADDRMASK:
103 		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
104 		    PF_AZERO(&addr->v.a.mask, AF_INET6))
105 			printf("any");
106 		else {
107 			char buf[48];
108 
109 			if (inet_ntop(af, &addr->v.a.addr, buf,
110 			    sizeof(buf)) == NULL)
111 				printf("?");
112 			else
113 				printf("%s", buf);
114 		}
115 		break;
116 	case PF_ADDR_NOROUTE:
117 		printf("no-route");
118 		return;
119 	case PF_ADDR_URPFFAILED:
120 		printf("urpf-failed");
121 		return;
122 	default:
123 		printf("?");
124 		return;
125 	}
126 
127 	/* mask if not _both_ address and mask are zero */
128 	if (addr->type != PF_ADDR_RANGE &&
129 	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
130 	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
131 		int bits = unmask(&addr->v.a.mask, af);
132 
133 		if (bits != (af == AF_INET ? 32 : 128))
134 			printf("/%d", bits);
135 	}
136 }
137 
138 void
139 print_name(struct pf_addr *addr, sa_family_t af)
140 {
141 	char host[NI_MAXHOST];
142 
143 	strlcpy(host, "?", sizeof(host));
144 	switch (af) {
145 	case AF_INET: {
146 		struct sockaddr_in sin;
147 
148 		memset(&sin, 0, sizeof(sin));
149 		sin.sin_len = sizeof(sin);
150 		sin.sin_family = AF_INET;
151 		sin.sin_addr = addr->v4;
152 		getnameinfo((struct sockaddr *)&sin, sin.sin_len,
153 		    host, sizeof(host), NULL, 0, NI_NOFQDN);
154 		break;
155 	}
156 	case AF_INET6: {
157 		struct sockaddr_in6 sin6;
158 
159 		memset(&sin6, 0, sizeof(sin6));
160 		sin6.sin6_len = sizeof(sin6);
161 		sin6.sin6_family = AF_INET6;
162 		sin6.sin6_addr = addr->v6;
163 		getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
164 		    host, sizeof(host), NULL, 0, NI_NOFQDN);
165 		break;
166 	}
167 	}
168 	printf("%s", host);
169 }
170 
171 void
172 print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
173 {
174 	if (opts & PF_OPT_USEDNS)
175 		print_name(addr, af);
176 	else {
177 		struct pf_addr_wrap aw;
178 
179 		memset(&aw, 0, sizeof(aw));
180 		aw.v.a.addr = *addr;
181 		if (af == AF_INET)
182 			aw.v.a.mask.addr32[0] = 0xffffffff;
183 		else {
184 			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
185 			af = AF_INET6;
186 		}
187 		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
188 	}
189 
190 	if (port) {
191 		if (af == AF_INET)
192 			printf(":%u", ntohs(port));
193 		else
194 			printf("[%u]", ntohs(port));
195 	}
196 }
197 
198 void
199 print_seq(struct pfctl_state_peer *p)
200 {
201 	if (p->seqdiff)
202 		printf("[%u + %u](+%u)", p->seqlo,
203 		    p->seqhi - p->seqlo, p->seqdiff);
204 	else
205 		printf("[%u + %u]", p->seqlo,
206 		    p->seqhi - p->seqlo);
207 }
208 
209 void
210 print_state(struct pfctl_state *s, int opts)
211 {
212 	struct pfctl_state_peer *src, *dst;
213 	struct pfctl_state_key *key, *sk, *nk;
214 	const char *protoname;
215 	int min, sec;
216 	sa_family_t af;
217 	uint8_t proto;
218 #ifndef __NO_STRICT_ALIGNMENT
219 	struct pfctl_state_key aligned_key[2];
220 
221 	bcopy(&s->key, aligned_key, sizeof(aligned_key));
222 	key = aligned_key;
223 #else
224 	key = s->key;
225 #endif
226 
227 	af = s->key[PF_SK_WIRE].af;
228 	proto = s->key[PF_SK_WIRE].proto;
229 
230 	if (s->direction == PF_OUT) {
231 		src = &s->src;
232 		dst = &s->dst;
233 		sk = &key[PF_SK_STACK];
234 		nk = &key[PF_SK_WIRE];
235 		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
236 			sk->port[0] = nk->port[0];
237 	} else {
238 		src = &s->dst;
239 		dst = &s->src;
240 		sk = &key[PF_SK_WIRE];
241 		nk = &key[PF_SK_STACK];
242 		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
243 			sk->port[1] = nk->port[1];
244 	}
245 	printf("%s ", s->ifname);
246 	if ((protoname = pfctl_proto2name(proto)) != NULL)
247 		printf("%s ", protoname);
248 	else
249 		printf("%u ", proto);
250 
251 	print_host(&nk->addr[1], nk->port[1], af, opts);
252 	if (PF_ANEQ(&nk->addr[1], &sk->addr[1], af) ||
253 	    nk->port[1] != sk->port[1]) {
254 		printf(" (");
255 		print_host(&sk->addr[1], sk->port[1], af, opts);
256 		printf(")");
257 	}
258 	if (s->direction == PF_OUT)
259 		printf(" -> ");
260 	else
261 		printf(" <- ");
262 	print_host(&nk->addr[0], nk->port[0], af, opts);
263 	if (PF_ANEQ(&nk->addr[0], &sk->addr[0], af) ||
264 	    nk->port[0] != sk->port[0]) {
265 		printf(" (");
266 		print_host(&sk->addr[0], sk->port[0], af, opts);
267 		printf(")");
268 	}
269 
270 	printf("    ");
271 	if (proto == IPPROTO_TCP) {
272 		if (src->state <= TCPS_TIME_WAIT &&
273 		    dst->state <= TCPS_TIME_WAIT)
274 			printf("   %s:%s\n", tcpstates[src->state],
275 			    tcpstates[dst->state]);
276 		else if (src->state == PF_TCPS_PROXY_SRC ||
277 		    dst->state == PF_TCPS_PROXY_SRC)
278 			printf("   PROXY:SRC\n");
279 		else if (src->state == PF_TCPS_PROXY_DST ||
280 		    dst->state == PF_TCPS_PROXY_DST)
281 			printf("   PROXY:DST\n");
282 		else
283 			printf("   <BAD STATE LEVELS %u:%u>\n",
284 			    src->state, dst->state);
285 		if (opts & PF_OPT_VERBOSE) {
286 			printf("   ");
287 			print_seq(src);
288 			if (src->wscale && dst->wscale)
289 				printf(" wscale %u",
290 				    src->wscale & PF_WSCALE_MASK);
291 			printf("  ");
292 			print_seq(dst);
293 			if (src->wscale && dst->wscale)
294 				printf(" wscale %u",
295 				    dst->wscale & PF_WSCALE_MASK);
296 			printf("\n");
297 		}
298 	} else if (proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
299 	    dst->state < PFUDPS_NSTATES) {
300 		const char *states[] = PFUDPS_NAMES;
301 
302 		printf("   %s:%s\n", states[src->state], states[dst->state]);
303 #ifndef INET6
304 	} else if (proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
305 	    dst->state < PFOTHERS_NSTATES) {
306 #else
307 	} else if (proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6 &&
308 	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
309 #endif
310 		/* XXX ICMP doesn't really have state levels */
311 		const char *states[] = PFOTHERS_NAMES;
312 
313 		printf("   %s:%s\n", states[src->state], states[dst->state]);
314 	} else {
315 		printf("   %u:%u\n", src->state, dst->state);
316 	}
317 
318 	if (opts & PF_OPT_VERBOSE) {
319 		u_int32_t creation = s->creation;
320 		u_int32_t expire = s->expire;
321 
322 		sec = creation % 60;
323 		creation /= 60;
324 		min = creation % 60;
325 		creation /= 60;
326 		printf("   age %.2u:%.2u:%.2u", creation, min, sec);
327 		sec = expire % 60;
328 		expire /= 60;
329 		min = expire % 60;
330 		expire /= 60;
331 		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
332 
333 		printf(", %ju:%ju pkts, %ju:%ju bytes",
334 		    s->packets[0],
335 		    s->packets[1],
336 		    s->bytes[0],
337 		    s->bytes[1]);
338 		if (s->anchor != -1)
339 			printf(", anchor %u", s->anchor);
340 		if (s->rule != -1)
341 			printf(", rule %u", s->rule);
342 		if (s->state_flags & PFSTATE_ALLOWOPTS)
343 			printf(", allow-opts");
344 		if (s->state_flags & PFSTATE_SLOPPY)
345 			printf(", sloppy");
346 		if (s->state_flags & PFSTATE_NOSYNC)
347 			printf(", no-sync");
348 		if (s->state_flags & PFSTATE_ACK)
349 			printf(", psync-ack");
350 		if (s->state_flags & PFSTATE_NODF)
351 			printf(", no-df");
352 		if (s->state_flags & PFSTATE_SETTOS)
353 			printf(", set-tos 0x%2.2x", s->set_tos);
354 		if (s->state_flags & PFSTATE_RANDOMID)
355 			printf(", random-id");
356 		if (s->state_flags & PFSTATE_SCRUB_TCP)
357 			printf(", reassemble-tcp");
358 		if (s->state_flags & PFSTATE_SETPRIO)
359 			printf(", set-prio (0x%02x 0x%02x)",
360 			    s->set_prio[0], s->set_prio[1]);
361 		if (s->dnpipe || s->dnrpipe) {
362 			if (s->state_flags & PFSTATE_DN_IS_PIPE)
363 				printf(", dummynet pipe (%d %d)",
364 				s->dnpipe, s->dnrpipe);
365 			if (s->state_flags & PFSTATE_DN_IS_QUEUE)
366 				printf(", dummynet queue (%d %d)",
367 				s->dnpipe, s->dnrpipe);
368 		}
369 		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
370 			printf(", source-track");
371 		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
372 			printf(", sticky-address");
373 		if (s->log)
374 			printf(", log");
375 		if (s->log & PF_LOG_ALL)
376 			printf(" (all)");
377 		if (s->min_ttl)
378 			printf(", min-ttl %d", s->min_ttl);
379 		if (s->max_mss)
380 			printf(", max-mss %d", s->max_mss);
381 		printf("\n");
382 	}
383 	if (opts & PF_OPT_VERBOSE2) {
384 		u_int64_t id;
385 
386 		bcopy(&s->id, &id, sizeof(u_int64_t));
387 		printf("   id: %016jx creatorid: %08x", id, s->creatorid);
388 		if (s->rt) {
389 			switch (s->rt) {
390 				case PF_ROUTETO:
391 					printf(" route-to: ");
392 					break;
393 				case PF_DUPTO:
394 					printf(" dup-to: ");
395 					break;
396 				case PF_REPLYTO:
397 					printf(" reply-to: ");
398 					break;
399 				default:
400 					printf(" gateway: ");
401 			}
402 			print_host(&s->rt_addr, 0, af, opts);
403 			if (s->rt_ifname[0])
404 				printf("@%s", s->rt_ifname);
405 		}
406 		if (s->rtableid != -1)
407 			printf(" rtable: %d", s->rtableid);
408 		printf("\n");
409 
410 		if (strcmp(s->ifname, s->orig_ifname) != 0)
411 			printf("   origif: %s\n", s->orig_ifname);
412 	}
413 }
414 
415 int
416 unmask(struct pf_addr *m, sa_family_t af)
417 {
418 	int i = 31, j = 0, b = 0;
419 	u_int32_t tmp;
420 
421 	while (j < 4 && m->addr32[j] == 0xffffffff) {
422 		b += 32;
423 		j++;
424 	}
425 	if (j < 4) {
426 		tmp = ntohl(m->addr32[j]);
427 		for (i = 31; tmp & (1 << i); --i)
428 			b++;
429 	}
430 	return (b);
431 }
432