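/* $OpenBSD: pf_print_state.c,v 1.52 2008/08/12 16:40:18 david Exp $ */

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Textual rendering of pf addresses and state entries for pfctl.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/endian.h>
#include <net/if.h>
/* TCPSTATES makes <netinet/tcp_fsm.h> provide the tcpstates[] name table. */
#define TCPSTATES
#include <netinet/tcp_fsm.h>
#include <netinet/sctp.h>
#include <net/pfvar.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "pfctl_parser.h"
#include "pfctl.h"

void	print_name(struct pf_addr *, sa_family_t);

/*
 * Print one address operand on stdout in pfctl's textual form.
 *
 * addr     wrapped address; addr->type selects the representation
 *          (dynamic interface, table, range, address/mask, or one of
 *          the special keywords)
 * af       address family handed to inet_ntop() and used to decide
 *          whether a prefix length is worth printing
 * verbose  non-zero also prints the dynamic-address or table counts
 *
 * Table, no-route, urpf-failed and unknown types return directly.  The
 * interface and address/mask forms fall out of the switch so that a
 * "/bits" suffix can be appended from the mask.
 */
void
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
{
	switch (addr->type) {
	case PF_ADDR_DYNIFTL:
		printf("(%s", addr->v.ifname);
		if (addr->iflags & PFI_AFLAG_NETWORK)
			printf(":network");
		if (addr->iflags & PFI_AFLAG_BROADCAST)
			printf(":broadcast");
		if (addr->iflags & PFI_AFLAG_PEER)
			printf(":peer");
		if (addr->iflags & PFI_AFLAG_NOALIAS)
			printf(":0");
		if (verbose) {
			/* a non-positive address count is shown as "*" */
			if (addr->p.dyncnt <= 0)
				printf(":*");
			else
				printf(":%d", addr->p.dyncnt);
		}
		printf(")");
		break;
	case PF_ADDR_TABLE:
		/* braces make the if/else pairing explicit */
		if (verbose) {
			if (addr->p.tblcnt == -1)
				printf("<%s:*>", addr->v.tblname);
			else
				printf("<%s:%d>", addr->v.tblname,
				    addr->p.tblcnt);
		} else
			printf("<%s>", addr->v.tblname);
		return;
	case PF_ADDR_RANGE: {
		char buf[48];	/* larger than INET6_ADDRSTRLEN */

		if (inet_ntop(af, &addr->v.a.addr, buf, sizeof(buf)) == NULL)
			printf("?");
		else
			printf("%s", buf);
		/* for a range, v.a.mask holds the second endpoint */
		if (inet_ntop(af, &addr->v.a.mask, buf, sizeof(buf)) == NULL)
			printf(" - ?");
		else
			printf(" - %s", buf);
		break;
	}
	case PF_ADDR_ADDRMASK:
		/* an all-zero address with an all-zero mask is "any" */
		if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
		    PF_AZERO(&addr->v.a.mask, AF_INET6))
			printf("any");
		else {
			char buf[48];

			if (inet_ntop(af, &addr->v.a.addr, buf,
			    sizeof(buf)) == NULL)
				printf("?");
			else
				printf("%s", buf);
		}
		break;
	case PF_ADDR_NOROUTE:
		printf("no-route");
		return;
	case PF_ADDR_URPFFAILED:
		printf("urpf-failed");
		return;
	default:
		printf("?");
		return;
	}

	/* mask if not _both_ address and mask are zero */
	if (addr->type != PF_ADDR_RANGE &&
	    !(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
	    PF_AZERO(&addr->v.a.mask, AF_INET6))) {
		int bits = unmask(&addr->v.a.mask, af);

		/* a full-length mask is implied and therefore omitted */
		if (bits < (af == AF_INET ? 32 : 128))
			printf("/%d", bits);
	}
}

/*
 * Print the reverse-lookup name of addr (NI_NOFQDN, so without the
 * domain part), or "?" when the lookup fails or af is neither AF_INET
 * nor AF_INET6.  May block on the resolver; print_host() uses it when
 * PF_OPT_USEDNS is set.
 */
void
print_name(struct pf_addr *addr, sa_family_t af)
{
	char host[NI_MAXHOST];

	strlcpy(host, "?", sizeof(host));
	switch (af) {
	case AF_INET: {
		struct sockaddr_in sin;

		memset(&sin, 0, sizeof(sin));
		sin.sin_len = sizeof(sin);
		sin.sin_family = AF_INET;
		sin.sin_addr = addr->v4;
		/* on failure the buffer contents are unspecified: restore "?" */
		if (getnameinfo((struct sockaddr *)&sin, sin.sin_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	case AF_INET6: {
		struct sockaddr_in6 sin6;

		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_len = sizeof(sin6);
		sin6.sin6_family = AF_INET6;
		sin6.sin6_addr = addr->v6;
		if (getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
		    host, sizeof(host), NULL, 0, NI_NOFQDN) != 0)
			strlcpy(host, "?", sizeof(host));
		break;
	}
	default:
		/* unknown family: keep the "?" placeholder */
		break;
	}
	printf("%s", host);
}

/*
 * Print an address and an optional port the way state output shows them.
 *
 * addr  address to print
 * port  port in network byte order; 0 suppresses the port
 * af    AF_INET prints "addr:port"; any other family is treated as
 *       AF_INET6 and prints "addr[port]"
 * opts  PF_OPT_USEDNS selects a name lookup instead of the numeric
 *       form; PF_OPT_VERBOSE2 is forwarded as print_addr()'s verbose flag
 */
void
print_host(struct pf_addr *addr, u_int16_t port, sa_family_t af, int opts)
{
	if (opts & PF_OPT_USEDNS)
		print_name(addr, af);
	else {
		struct pf_addr_wrap aw;

		/*
		 * Wrap the bare address with an all-ones mask: unmask()
		 * then yields the full width and print_addr() omits the
		 * "/bits" suffix.
		 */
		memset(&aw, 0, sizeof(aw));
		aw.v.a.addr = *addr;
		if (af == AF_INET)
			aw.v.a.mask.addr32[0] = 0xffffffff;
		else {
			memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
			af = AF_INET6;
		}
		print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
	}

	if (port) {
		if (af == AF_INET)
			printf(":%u", ntohs(port));
		else
			printf("[%u]", ntohs(port));
	}
}

/*
 * Print a TCP peer's sequence window as "[seqlo + (seqhi - seqlo)]",
 * followed by "(+seqdiff)" when p->seqdiff is non-zero.
 */
void
print_seq(struct pfctl_state_peer *p)
{
	if (p->seqdiff)
		printf("[%u + %u](+%u)", p->seqlo,
		    p->seqhi - p->seqlo, p->seqdiff);
	else
		printf("[%u + %u]", p->seqlo,
		    p->seqhi - p->seqlo);
}


/*
 * Map an SCTP association state (SCTP_* from <netinet/sctp.h>) to its
 * name.  Unknown values yield "?".
 */
static const char *
sctp_state_name(int state)
{
	switch (state) {
	case SCTP_CLOSED:
		return ("CLOSED");
	case SCTP_BOUND:
		return ("BOUND");
	case SCTP_LISTEN:
		return ("LISTEN");
	case SCTP_COOKIE_WAIT:
		return ("COOKIE_WAIT");
	case SCTP_COOKIE_ECHOED:
		return ("COOKIE_ECHOED");
	case SCTP_ESTABLISHED:
		return ("ESTABLISHED");
	case SCTP_SHUTDOWN_SENT:
		return ("SHUTDOWN_SENT");
	case SCTP_SHUTDOWN_RECEIVED:
		return ("SHUTDOWN_RECEIVED");
	case SCTP_SHUTDOWN_ACK_SENT:
		return ("SHUTDOWN_ACK_SENT");
	case SCTP_SHUTDOWN_PENDING:
		return ("SHUTDOWN_PENDING");
	default:
		return ("?");
	}
}

/*
 * Print one pf state entry on stdout.
 *
 * s     state to print
 * opts  PF_OPT_VERBOSE adds a second line (TCP sequence windows, age and
 *       expiry, packet/byte counters, rule and anchor numbers, option
 *       flags); PF_OPT_VERBOSE2 adds a third line (state and creator
 *       ids, route target, rtable, original interface).  PF_OPT_USEDNS
 *       is passed down to print_host().
 *
 * The first line is: interface, protocol, the wire-side endpoint
 * printed first (with the untranslated endpoint in parentheses when
 * it differs), a direction arrow, the other endpoint likewise, and the
 * two peers' state levels.
 */
void
print_state(struct pfctl_state *s, int opts)
{
	struct pfctl_state_peer *src, *dst;
	struct pfctl_state_key *key, *sk, *nk;
	const char *protoname;
	u_int32_t min, sec;	/* unsigned so "%u" below matches exactly */
	sa_family_t af;
	uint8_t proto;
	/* af-to: the stack-side and wire-side keys use different families */
	int afto = (s->key[PF_SK_STACK].af != s->key[PF_SK_WIRE].af);
	int idx;
#ifndef __NO_STRICT_ALIGNMENT
	struct pfctl_state_key aligned_key[2];

	/*
	 * Work on an aligned copy of the keys; the ICMP port fixups
	 * below then modify the copy rather than the caller's state.
	 */
	bcopy(&s->key, aligned_key, sizeof(aligned_key));
	key = aligned_key;
#else
	/* NOTE: in this configuration the port fixups below write into *s */
	key = s->key;
#endif

	af = s->key[PF_SK_WIRE].af;
	proto = s->key[PF_SK_WIRE].proto;

	/*
	 * Orient the state by direction: nk is the key printed first,
	 * sk the other one, shown in parentheses where it differs.  For
	 * ICMP one port slot is copied across so that the port comparison
	 * alone does not trigger the parenthesised form.
	 */
	if (s->direction == PF_OUT) {
		src = &s->src;
		dst = &s->dst;
		sk = &key[PF_SK_STACK];
		nk = &key[PF_SK_WIRE];
		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
			sk->port[0] = nk->port[0];
	} else {
		src = &s->dst;
		dst = &s->src;
		sk = &key[PF_SK_WIRE];
		nk = &key[PF_SK_STACK];
		if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
			sk->port[1] = nk->port[1];
	}
	printf("%s ", s->ifname);
	if ((protoname = pfctl_proto2name(proto)) != NULL)
		printf("%s ", protoname);
	else
		printf("%u ", proto);

	print_host(&nk->addr[1], nk->port[1], nk->af, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[1], &sk->addr[1], nk->af) ||
	    nk->port[1] != sk->port[1]) {
		/* with af-to the other key's endpoints are swapped */
		idx = afto ? 0 : 1;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    opts);
		printf(")");
	}
	if (s->direction == PF_OUT || (afto && s->direction == PF_IN))
		printf(" -> ");
	else
		printf(" <- ");
	print_host(&nk->addr[0], nk->port[0], nk->af, opts);
	if (nk->af != sk->af || PF_ANEQ(&nk->addr[0], &sk->addr[0], nk->af) ||
	    nk->port[0] != sk->port[0]) {
		idx = afto ? 1 : 0;
		printf(" (");
		print_host(&sk->addr[idx], sk->port[idx], sk->af,
		    opts);
		printf(")");
	}

	printf(" ");
	if (proto == IPPROTO_TCP) {
		/*
		 * Levels up to TCPS_TIME_WAIT index tcpstates[]; the
		 * PF_TCPS_PROXY_* levels are tested afterwards, anything
		 * else is flagged as bad.
		 */
		if (src->state <= TCPS_TIME_WAIT &&
		    dst->state <= TCPS_TIME_WAIT)
			printf(" %s:%s\n", tcpstates[src->state],
			    tcpstates[dst->state]);
		else if (src->state == PF_TCPS_PROXY_SRC ||
		    dst->state == PF_TCPS_PROXY_SRC)
			printf(" PROXY:SRC\n");
		else if (src->state == PF_TCPS_PROXY_DST ||
		    dst->state == PF_TCPS_PROXY_DST)
			printf(" PROXY:DST\n");
		else
			printf(" <BAD STATE LEVELS %u:%u>\n",
			    src->state, dst->state);
		if (opts & PF_OPT_VERBOSE) {
			printf(" ");
			print_seq(src);
			/* window scale is printed only when both peers have one */
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    src->wscale & PF_WSCALE_MASK);
			printf(" ");
			print_seq(dst);
			if (src->wscale && dst->wscale)
				printf(" wscale %u",
				    dst->wscale & PF_WSCALE_MASK);
			printf("\n");
		}
	} else if (proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
	    dst->state < PFUDPS_NSTATES) {
		const char *states[] = PFUDPS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else if (proto == IPPROTO_SCTP) {
		printf(" %s:%s\n", sctp_state_name(src->state),
		    sctp_state_name(dst->state));
#ifndef INET6
	} else if (proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
	    dst->state < PFOTHERS_NSTATES) {
#else
	} else if (proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6 &&
	    src->state < PFOTHERS_NSTATES && dst->state < PFOTHERS_NSTATES) {
#endif
		/* XXX ICMP doesn't really have state levels */
		const char *states[] = PFOTHERS_NAMES;

		printf(" %s:%s\n", states[src->state], states[dst->state]);
	} else {
		/* ICMP, or a level outside the name tables: raw numbers */
		printf(" %u:%u\n", src->state, dst->state);
	}

	if (opts & PF_OPT_VERBOSE) {
		u_int32_t creation = s->creation;
		u_int32_t expire = s->expire;

		/* split seconds into h:m:s; the final quotient is hours */
		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf(" age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);

		/* "%j" takes uintmax_t; cast so the format matches on any ABI */
		printf(", %ju:%ju pkts, %ju:%ju bytes",
		    (uintmax_t)s->packets[0],
		    (uintmax_t)s->packets[1],
		    (uintmax_t)s->bytes[0],
		    (uintmax_t)s->bytes[1]);
		if (s->anchor != -1)
			printf(", anchor %u", s->anchor);
		if (s->rule != -1)
			printf(", rule %u", s->rule);
		if (s->state_flags & PFSTATE_ALLOWOPTS)
			printf(", allow-opts");
		if (s->state_flags & PFSTATE_SLOPPY)
			printf(", sloppy");
		if (s->state_flags & PFSTATE_NOSYNC)
			printf(", no-sync");
		if (s->state_flags & PFSTATE_PFLOW)
			printf(", pflow");
		if (s->state_flags & PFSTATE_ACK)
			printf(", psync-ack");
		if (s->state_flags & PFSTATE_NODF)
			printf(", no-df");
		if (s->state_flags & PFSTATE_SETTOS)
			printf(", set-tos 0x%2.2x", s->set_tos);
		if (s->state_flags & PFSTATE_RANDOMID)
			printf(", random-id");
		if (s->state_flags & PFSTATE_SCRUB_TCP)
			printf(", reassemble-tcp");
		if (s->state_flags & PFSTATE_SETPRIO)
			printf(", set-prio (0x%02x 0x%02x)",
			    s->set_prio[0], s->set_prio[1]);
		if (s->dnpipe || s->dnrpipe) {
			if (s->state_flags & PFSTATE_DN_IS_PIPE)
				printf(", dummynet pipe (%d %d)",
				    s->dnpipe, s->dnrpipe);
			if (s->state_flags & PFSTATE_DN_IS_QUEUE)
				printf(", dummynet queue (%d %d)",
				    s->dnpipe, s->dnrpipe);
		}
		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
			printf(", source-track");
		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
			printf(", sticky-address");
		if (s->log)
			printf(", log");
		if (s->log & PF_LOG_ALL)
			printf(" (all)");
		if (s->min_ttl)
			printf(", min-ttl %d", s->min_ttl);
		if (s->max_mss)
			printf(", max-mss %d", s->max_mss);
		printf("\n");
	}
	if (opts & PF_OPT_VERBOSE2) {
		u_int64_t id;

		/* copied out bytewise rather than read in place (presumably alignment) */
		bcopy(&s->id, &id, sizeof(u_int64_t));
		printf(" id: %016jx creatorid: %08x", (uintmax_t)id,
		    s->creatorid);
		if (s->rt) {
			switch (s->rt) {
			case PF_ROUTETO:
				printf(" route-to: ");
				break;
			case PF_DUPTO:
				printf(" dup-to: ");
				break;
			case PF_REPLYTO:
				printf(" reply-to: ");
				break;
			default:
				printf(" gateway: ");
			}
			/* port 0: no port is printed for the gateway */
			print_host(&s->rt_addr, 0, af, opts);
			if (s->rt_ifname[0])
				printf("@%s", s->rt_ifname);
		}
		if (s->rtableid != -1)
			printf(" rtable: %d", s->rtableid);
		printf("\n");

		if (strcmp(s->ifname, s->orig_ifname) != 0)
			printf(" origif: %s\n", s->orig_ifname);
	}
}

/*
 * Count the leading one bits of a network mask, i.e. its prefix length.
 *
 * m   mask in network byte order; all four 32-bit words are scanned
 * af  unused; an IPv4 mask is handled by its zero upper words
 *
 * Returns the number of consecutive one bits from the most significant
 * bit down; bits below the first zero are not examined.
 */
int
unmask(struct pf_addr *m, sa_family_t af)
{
	int i, j = 0, b = 0;
	u_int32_t tmp;

	/* whole words of ones first */
	while (j < 4 && m->addr32[j] == 0xffffffff) {
		b += 32;
		j++;
	}
	if (j < 4) {
		/*
		 * Partial word: count from the top bit down.  This word is
		 * not all ones (the loop above would have taken it), so a
		 * zero bit stops the scan before i goes negative.  The shift
		 * operand must be unsigned: 1 << 31 overflows int.
		 */
		tmp = ntohl(m->addr32[j]);
		for (i = 31; tmp & (1U << i); --i)
			b++;
	}
	return (b);
}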