1 /* 2 * Copyright (C) 2000-2005 by Darren Reed. 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 * 6 * $Id: printfr.c,v 1.43.2.12 2005/06/12 07:18:42 darrenr Exp $ 7 * 8 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 9 * Use is subject to license terms. 10 */ 11 12 #pragma ident "%Z%%M% %I% %E% SMI" 13 14 #include "ipf.h" 15 16 /* 17 * print the filter structure in a useful way 18 */ 19 void printfr(fp, iocfunc) 20 struct frentry *fp; 21 ioctlfunc_t iocfunc; 22 { 23 struct protoent *p; 24 u_short sec[2]; 25 u_32_t type; 26 u_char *t; 27 char *s; 28 int pr; 29 30 pr = -2; 31 type = fp->fr_type & ~FR_T_BUILTIN; 32 33 if ((fp->fr_type & FR_T_BUILTIN) != 0) 34 printf("# Builtin: "); 35 36 if (fp->fr_collect != 0) 37 printf("%u ", fp->fr_collect); 38 39 if (fp->fr_type == FR_T_CALLFUNC) { 40 ; 41 } else if (fp->fr_func != NULL) { 42 printf("call"); 43 if ((fp->fr_flags & FR_CALLNOW) != 0) 44 printf(" now"); 45 s = kvatoname(fp->fr_func, iocfunc); 46 printf(" %s/%u", s ? s : "?", fp->fr_arg); 47 } else if (FR_ISPASS(fp->fr_flags)) 48 printf("pass"); 49 else if (FR_ISBLOCK(fp->fr_flags)) { 50 printf("block"); 51 if (fp->fr_flags & FR_RETICMP) { 52 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP) 53 printf(" return-icmp-as-dest"); 54 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP) 55 printf(" return-icmp"); 56 if (fp->fr_icode) { 57 if (fp->fr_icode <= MAX_ICMPCODE) 58 printf("(%s)", 59 icmpcodes[(int)fp->fr_icode]); 60 else 61 printf("(%d)", fp->fr_icode); 62 } 63 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) 64 printf(" return-rst"); 65 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { 66 printlog(fp); 67 } else if (FR_ISACCOUNT(fp->fr_flags)) 68 printf("count"); 69 else if (FR_ISAUTH(fp->fr_flags)) 70 printf("auth"); 71 else if (FR_ISPREAUTH(fp->fr_flags)) 72 printf("preauth"); 73 else if (FR_ISNOMATCH(fp->fr_flags)) 74 printf("nomatch"); 75 else if (FR_ISSKIP(fp->fr_flags)) 76 printf("skip %u", fp->fr_arg); 77 else { 78 printf("%x", fp->fr_flags); 79 } 80 81 if (fp->fr_flags & FR_OUTQUE) 82 printf(" out "); 83 else 84 printf(" in "); 85 86 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || 87 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { 88 printlog(fp); 89 putchar(' '); 90 } 91 92 if (fp->fr_flags & FR_QUICK) 93 printf("quick "); 94 95 if (*fp->fr_ifname) { 96 printifname("on ", fp->fr_ifname, fp->fr_ifa); 97 if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*")) 98 printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]); 99 putchar(' '); 100 } 101 102 if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP)) 103 print_toif("dup-to", &fp->fr_dif); 104 if (*fp->fr_tif.fd_ifname) 105 print_toif("to", &fp->fr_tif); 106 if (*fp->fr_rif.fd_ifname) 107 print_toif("reply-to", &fp->fr_rif); 108 if (fp->fr_flags & FR_FASTROUTE) 109 printf("fastroute "); 110 111 if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) || 112 (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) { 113 if (fp->fr_flags & FR_OUTQUE) 114 printf("in-via "); 115 else 116 printf("out-via "); 117 118 if (*fp->fr_ifnames[2]) { 119 printifname("", fp->fr_ifnames[2], 120 fp->fr_ifas[2]); 121 putchar(' '); 122 123 if (*fp->fr_ifnames[3]) { 124 printifname(",", fp->fr_ifnames[3], 125 fp->fr_ifas[3]); 126 } 127 } 128 } 129 130 if (type == FR_T_IPF) { 131 if (fp->fr_mip.fi_tos) 132 printf("tos %#x ", fp->fr_tos); 133 if (fp->fr_mip.fi_ttl) 134 printf("ttl %d ", fp->fr_ttl); 135 if (fp->fr_flx & FI_TCPUDP) { 136 printf("proto tcp/udp "); 137 pr = -1; 138 } else if (fp->fr_mip.fi_p) { 139 pr = fp->fr_ip.fi_p; 140 p = getprotobynumber(pr); 141 printf("proto "); 142 printproto(p, pr, NULL); 143 putchar(' '); 144 } 145 } 146 147 if (type == FR_T_NONE) { 148 printf("all"); 149 } else if (type == FR_T_IPF) { 150 printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); 151 printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname, 152 &fp->fr_src.s_addr, &fp->fr_smsk.s_addr); 153 if (fp->fr_scmp) 154 printportcmp(pr, &fp->fr_tuc.ftu_src); 155 156 printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); 157 printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname, 158 &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr); 159 if (fp->fr_dcmp) 160 printportcmp(pr, &fp->fr_tuc.ftu_dst); 161 162 if ((fp->fr_proto == IPPROTO_ICMP 163 #ifdef USE_INET6 164 || fp->fr_proto == IPPROTO_ICMPV6 165 #endif 166 ) && fp->fr_icmpm) { 167 int type = fp->fr_icmp, code; 168 169 type = ntohs(fp->fr_icmp); 170 code = type & 0xff; 171 type /= 256; 172 if (type < (sizeof(icmptypes) / sizeof(char *) - 1) && 173 icmptypes[type] && fp->fr_proto == IPPROTO_ICMP) 174 printf(" icmp-type %s", icmptypes[type]); 175 else 176 printf(" icmp-type %d", type); 177 if (ntohs(fp->fr_icmpm) & 0xff) 178 printf(" code %d", code); 179 } 180 if ((fp->fr_proto == IPPROTO_TCP) && 181 (fp->fr_tcpf || fp->fr_tcpfm)) { 182 printf(" flags "); 183 if (fp->fr_tcpf & ~TCPF_ALL) 184 printf("0x%x", fp->fr_tcpf); 185 else 186 for (s = flagset, t = flags; *s; s++, t++) 187 if (fp->fr_tcpf & *t) 188 (void)putchar(*s); 189 if (fp->fr_tcpfm) { 190 (void)putchar('/'); 191 if (fp->fr_tcpfm & ~TCPF_ALL) 192 printf("0x%x", fp->fr_tcpfm); 193 else 194 for (s = flagset, t = flags; *s; 195 s++, t++) 196 if (fp->fr_tcpfm & *t) 197 (void)putchar(*s); 198 } 199 } 200 } else if (type == FR_T_BPFOPC) { 201 fakebpf_t *fb; 202 int i; 203 204 printf("bpf-v%d { \"", fp->fr_v); 205 i = fp->fr_dsize / sizeof(*fb); 206 207 for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ") 208 printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t, 209 fb->fb_f, fb->fb_k); 210 211 printf("\" }"); 212 } else if (type == FR_T_COMPIPF) { 213 ; 214 } else if (type == FR_T_CALLFUNC) { 215 printf("call function at %p", fp->fr_data); 216 } else { 217 printf("[unknown filter type %#x]", fp->fr_type); 218 } 219 220 if ((type == FR_T_IPF) && 221 ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) || 222 fp->fr_optbits || fp->fr_optmask || 223 fp->fr_secbits || fp->fr_secmask)) { 224 char *comma = " "; 225 226 printf(" with"); 227 if (fp->fr_optbits || fp->fr_optmask || 228 fp->fr_secbits || fp->fr_secmask) { 229 sec[0] = fp->fr_secmask; 230 sec[1] = fp->fr_secbits; 231 if (fp->fr_v == 4) 232 optprint(sec, fp->fr_optmask, fp->fr_optbits); 233 #ifdef USE_INET6 234 else 235 optprintv6(sec, fp->fr_optmask, 236 fp->fr_optbits); 237 #endif 238 } else if (fp->fr_mflx & FI_OPTIONS) { 239 fputs(comma, stdout); 240 if (!(fp->fr_flx & FI_OPTIONS)) 241 printf("not "); 242 printf("ipopts"); 243 comma = ","; 244 } 245 if (fp->fr_mflx & FI_SHORT) { 246 fputs(comma, stdout); 247 if (!(fp->fr_flx & FI_SHORT)) 248 printf("not "); 249 printf("short"); 250 comma = ","; 251 } 252 if (fp->fr_mflx & FI_FRAG) { 253 fputs(comma, stdout); 254 if (!(fp->fr_flx & FI_FRAG)) 255 printf("not "); 256 printf("frag"); 257 comma = ","; 258 } 259 if (fp->fr_mflx & FI_FRAGBODY) { 260 fputs(comma, stdout); 261 if (!(fp->fr_flx & FI_FRAGBODY)) 262 printf("not "); 263 printf("frag-body"); 264 comma = ","; 265 } 266 if (fp->fr_mflx & FI_NATED) { 267 fputs(comma, stdout); 268 if (!(fp->fr_flx & FI_NATED)) 269 printf("not "); 270 printf("nat"); 271 comma = ","; 272 } 273 if (fp->fr_mflx & FI_LOWTTL) { 274 fputs(comma, stdout); 275 if (!(fp->fr_flx & FI_LOWTTL)) 276 printf("not "); 277 printf("lowttl"); 278 comma = ","; 279 } 280 if (fp->fr_mflx & FI_BAD) { 281 fputs(comma, stdout); 282 if (!(fp->fr_flx & FI_BAD)) 283 printf("not "); 284 printf("bad"); 285 comma = ","; 286 } 287 if (fp->fr_mflx & FI_BADSRC) { 288 fputs(comma, stdout); 289 if (!(fp->fr_flx & FI_BADSRC)) 290 printf("not "); 291 printf("bad-src"); 292 comma = ","; 293 } 294 if (fp->fr_mflx & FI_BADNAT) { 295 fputs(comma, stdout); 296 if (!(fp->fr_flx & FI_BADNAT)) 297 printf("not "); 298 printf("bad-nat"); 299 comma = ","; 300 } 301 if (fp->fr_mflx & FI_OOW) { 302 fputs(comma, stdout); 303 if (!(fp->fr_flx & FI_OOW)) 304 printf("not "); 305 printf("oow"); 306 } 307 if (fp->fr_mflx & FI_MULTICAST) { 308 fputs(comma, stdout); 309 if (!(fp->fr_flx & FI_MULTICAST)) 310 printf("not "); 311 printf("mcast"); 312 comma = ","; 313 } 314 if (fp->fr_mflx & FI_BROADCAST) { 315 fputs(comma, stdout); 316 if (!(fp->fr_flx & FI_BROADCAST)) 317 printf("not "); 318 printf("bcast"); 319 comma = ","; 320 } 321 if (fp->fr_mflx & FI_MBCAST) { 322 fputs(comma, stdout); 323 if (!(fp->fr_flx & FI_MBCAST)) 324 printf("not "); 325 printf("mbcast"); 326 comma = ","; 327 } 328 if (fp->fr_mflx & FI_STATE) { 329 fputs(comma, stdout); 330 if (!(fp->fr_flx & FI_STATE)) 331 printf("not "); 332 printf("state"); 333 comma = ","; 334 } 335 } 336 337 if (fp->fr_flags & FR_KEEPSTATE) { 338 printf(" keep state"); 339 if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) || 340 (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) { 341 char *comma = ""; 342 printf(" ("); 343 if (fp->fr_statemax != 0) { 344 printf("limit %u", fp->fr_statemax); 345 comma = ","; 346 } 347 if (fp->fr_flags & FR_STSTRICT) { 348 printf("%sstrict", comma); 349 comma = ","; 350 } 351 if (fp->fr_flags & FR_NEWISN) { 352 printf("%snewisn", comma); 353 comma = ","; 354 } 355 if (fp->fr_flags & FR_NOICMPERR) { 356 printf("%sno-icmp-err", comma); 357 comma = ","; 358 } 359 if (fp->fr_flags & FR_STATESYNC) { 360 printf("%ssync", comma); 361 comma = ","; 362 } 363 if (fp->fr_age[0] || fp->fr_age[1]) 364 printf("%sage %d/%d", comma, fp->fr_age[0], 365 fp->fr_age[1]); 366 printf(")"); 367 } 368 } 369 if (fp->fr_flags & FR_KEEPFRAG) { 370 printf(" keep frags"); 371 if (fp->fr_flags & (FR_FRSTRICT)) { 372 printf(" ("); 373 if (fp->fr_flags & FR_FRSTRICT) 374 printf(" strict"); 375 printf(" )"); 376 377 } 378 } 379 if (fp->fr_isc != (struct ipscan *)-1) { 380 if (fp->fr_isctag[0]) 381 printf(" scan %s", fp->fr_isctag); 382 else 383 printf(" scan *"); 384 } 385 if (*fp->fr_grhead != '\0') 386 printf(" head %s", fp->fr_grhead); 387 if (*fp->fr_group != '\0') 388 printf(" group %s", fp->fr_group); 389 if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) { 390 char *s = ""; 391 392 printf(" set-tag("); 393 if (fp->fr_logtag != FR_NOLOGTAG) { 394 printf("log=%u", fp->fr_logtag); 395 s = ", "; 396 } 397 if (*fp->fr_nattag.ipt_tag) { 398 printf("%snat=%-.*s", s, IPFTAG_LEN, 399 fp->fr_nattag.ipt_tag); 400 } 401 printf(")"); 402 } 403 if (fp->fr_pps) 404 printf(" pps %d", fp->fr_pps); 405 (void)putchar('\n'); 406 } 407