1 /* 2 * Copyright (C) 1993-2001, 2003 by Darren Reed. 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 * 6 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 7 * Use is subject to license terms. 8 */ 9 10 #pragma ident "%Z%%M% %I% %E% SMI" 11 12 #ifdef __FreeBSD__ 13 # ifndef __FreeBSD_cc_version 14 # include <osreldate.h> 15 # else 16 # if __FreeBSD_cc_version < 430000 17 # include <osreldate.h> 18 # endif 19 # endif 20 #endif 21 #include <sys/ioctl.h> 22 #include <fcntl.h> 23 #include <nlist.h> 24 #include <ctype.h> 25 #include <stddef.h> 26 #include "ipf.h" 27 #include "ipl.h" 28 #if defined(STATETOP) 29 # if defined(_BSDI_VERSION) 30 # undef STATETOP) 31 # endif 32 # if defined(__FreeBSD__) && \ 33 (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000)) 34 # undef STATETOP 35 # endif 36 # if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000) 37 # undef STATETOP 38 # endif 39 # if defined(sun) 40 # if defined(__svr4__) || defined(__SVR4) 41 # include <sys/select.h> 42 # else 43 # undef STATETOP /* NOT supported on SunOS4 */ 44 # endif 45 # endif 46 #endif 47 #if defined(STATETOP) && !defined(linux) 48 # include <netinet/ip_var.h> 49 # include <netinet/tcp_fsm.h> 50 #endif 51 #ifdef STATETOP 52 #if SOLARIS2 >= 10 53 # include "ipl.h" 54 #else 55 # include "netinet/ipl.h" 56 #endif 57 # if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \ 58 defined(__sgi) 59 # ifdef ERR 60 # undef ERR 61 # endif 62 # include <curses.h> 63 # else /* SOLARIS */ 64 # include <ncurses.h> 65 # endif /* SOLARIS */ 66 #endif /* STATETOP */ 67 #include "kmem.h" 68 #if defined(__NetBSD__) || (__OpenBSD__) 69 # include <paths.h> 70 #endif 71 72 #if !defined(lint) 73 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; 74 static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.28 2003/07/01 01:03:04 darrenr Exp $"; 75 #endif 76 77 #ifdef __hpux 78 # define nlist nlist64 79 #endif 80 81 extern char *optarg; 82 extern int optind; 83 84 #define PRINTF (void)printf 85 #define FPRINTF (void)fprintf 86 #define F_IN 0 87 #define F_OUT 1 88 #define F_ACIN 2 89 #define F_ACOUT 3 90 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", 91 "ipacct(in)", "ipacct(out)" }; 92 static int state_logging = -1; 93 94 int opts = 0; 95 int use_inet6 = 0; 96 int live_kernel = 1; 97 int state_fd = -1; 98 int ipf_fd = -1; 99 100 #ifdef STATETOP 101 #define STSTRSIZE 80 102 #define STGROWSIZE 16 103 #define HOSTNMLEN 40 104 105 #define STSORT_PR 0 106 #define STSORT_PKTS 1 107 #define STSORT_BYTES 2 108 #define STSORT_TTL 3 109 #define STSORT_SRCIP 4 110 #define STSORT_DSTIP 5 111 #define STSORT_MAX STSORT_DSTIP 112 #define STSORT_DEFAULT STSORT_BYTES 113 114 115 typedef struct statetop { 116 i6addr_t st_src; 117 i6addr_t st_dst; 118 u_short st_sport; 119 u_short st_dport; 120 u_char st_p; 121 u_char st_state[2]; 122 U_QUAD_T st_pkts; 123 U_QUAD_T st_bytes; 124 u_long st_age; 125 } statetop_t; 126 #endif 127 128 extern int main __P((int, char *[])); 129 static void showstats __P((friostat_t *, u_32_t)); 130 static void showfrstates __P((ipfrstat_t *)); 131 static void showlist __P((friostat_t *)); 132 static void showipstates __P((ips_stat_t *)); 133 static void showauthstates __P((fr_authstat_t *)); 134 static void showgroups __P((friostat_t *)); 135 static void Usage __P((char *)); 136 static void printlist __P((frentry_t *, char *)); 137 static void parse_ipportstr __P((const char *, struct in_addr *, int *)); 138 static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **, 139 ipfrstat_t **, fr_authstat_t **, u_32_t *)); 140 static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **, 141 ipfrstat_t **, fr_authstat_t **, u_32_t *)); 142 #ifdef STATETOP 143 static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int)); 144 static char *ttl_to_string __P((long)); 145 static int sort_p __P((const void *, const void *)); 146 static int sort_pkts __P((const void *, const void *)); 147 static int sort_bytes __P((const void *, const void *)); 148 static int sort_ttl __P((const void *, const void *)); 149 static int sort_srcip __P((const void *, const void *)); 150 static int sort_dstip __P((const void *, const void *)); 151 #endif 152 153 154 static void Usage(name) 155 char *name; 156 { 157 #ifdef USE_INET6 158 fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name); 159 #else 160 fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name); 161 #endif 162 fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n"); 163 fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name); 164 exit(1); 165 } 166 167 168 int main(argc,argv) 169 int argc; 170 char *argv[]; 171 { 172 fr_authstat_t frauthst; 173 fr_authstat_t *frauthstp = &frauthst; 174 friostat_t fio; 175 friostat_t *fiop = &fio; 176 ips_stat_t ipsst; 177 ips_stat_t *ipsstp = &ipsst; 178 ipfrstat_t ifrst; 179 ipfrstat_t *ifrstp = &ifrst; 180 char *device = IPL_NAME, *memf = NULL; 181 char *kern = NULL; 182 int c, myoptind; 183 struct protoent *proto; 184 185 int protocol = -1; /* -1 = wild card for any protocol */ 186 int refreshtime = 1; /* default update time */ 187 int sport = -1; /* -1 = wild card for any source port */ 188 int dport = -1; /* -1 = wild card for any dest port */ 189 int topclosed = 0; /* do not show closed tcp sessions */ 190 struct in_addr saddr, daddr; 191 u_32_t frf; 192 193 saddr.s_addr = INADDR_ANY; /* default any source addr */ 194 daddr.s_addr = INADDR_ANY; /* default any dest addr */ 195 196 /* 197 * Parse these two arguments now lest there be any buffer overflows 198 * in the parsing of the rest. 199 */ 200 myoptind = optind; 201 while ((c = getopt(argc, argv, "6aACdfghIilnostvD:M:N:P:S:T:")) != -1) 202 switch (c) 203 { 204 case 'M' : 205 memf = optarg; 206 live_kernel = 0; 207 break; 208 case 'N' : 209 kern = optarg; 210 live_kernel = 0; 211 break; 212 } 213 optind = myoptind; 214 215 if (live_kernel == 1) { 216 if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) { 217 perror("open"); 218 exit(-1); 219 } 220 if ((ipf_fd = open(device, O_RDONLY)) == -1) { 221 perror("open"); 222 exit(-1); 223 } 224 } 225 226 if (kern != NULL || memf != NULL) 227 { 228 (void)setgid(getgid()); 229 (void)setreuid(getuid(), getuid()); 230 } 231 232 if (openkmem(kern, memf) == -1) 233 exit(-1); 234 235 (void)setgid(getgid()); 236 (void)setreuid(getuid(), getuid()); 237 238 while ((c = getopt(argc, argv, "6aACdfghIilnostvD:M:N:P:S:T:")) != -1) 239 { 240 switch (c) 241 { 242 #ifdef USE_INET6 243 case '6' : 244 use_inet6 = 1; 245 break; 246 #endif 247 case 'a' : 248 opts |= OPT_ACCNT|OPT_SHOWLIST; 249 break; 250 case 'A' : 251 opts |= OPT_AUTHSTATS; 252 break; 253 case 'C' : 254 topclosed = 1; 255 break; 256 case 'd' : 257 opts |= OPT_DEBUG; 258 break; 259 case 'D' : 260 parse_ipportstr(optarg, &daddr, &dport); 261 break; 262 case 'f' : 263 opts |= OPT_FRSTATES; 264 break; 265 case 'g' : 266 opts |= OPT_GROUPS; 267 break; 268 case 'h' : 269 opts |= OPT_HITS; 270 break; 271 case 'i' : 272 opts |= OPT_INQUE|OPT_SHOWLIST; 273 break; 274 case 'I' : 275 opts |= OPT_INACTIVE; 276 break; 277 case 'l' : 278 opts |= OPT_SHOWLIST; 279 break; 280 case 'M' : 281 break; 282 case 'N' : 283 break; 284 case 'n' : 285 opts |= OPT_SHOWLINENO; 286 break; 287 case 'o' : 288 opts |= OPT_OUTQUE|OPT_SHOWLIST; 289 break; 290 case 'P' : 291 if ((proto = getprotobyname(optarg)) != NULL) { 292 protocol = proto->p_proto; 293 } else if (!sscanf(optarg, "%d", &protocol) || 294 (protocol < 0)) { 295 fprintf(stderr, "%s : Invalid protocol: %s\n", 296 argv[0], optarg); 297 exit(-2); 298 } 299 break; 300 case 's' : 301 opts |= OPT_IPSTATES; 302 break; 303 case 'S' : 304 parse_ipportstr(optarg, &saddr, &sport); 305 break; 306 case 't' : 307 #ifdef STATETOP 308 opts |= OPT_STATETOP; 309 break; 310 #else 311 fprintf(stderr, 312 "%s : state top facility not compiled in\n", 313 argv[0]); 314 exit(-2); 315 #endif 316 case 'T' : 317 if (!sscanf(optarg, "%d", &refreshtime) || 318 (refreshtime <= 0)) { 319 fprintf(stderr, 320 "%s : Invalid refreshtime < 1 : %s\n", 321 argv[0], optarg); 322 exit(-2); 323 } 324 break; 325 case 'v' : 326 opts |= OPT_VERBOSE; 327 opts |= OPT_UNDEF; 328 break; 329 default : 330 Usage(argv[0]); 331 break; 332 } 333 } 334 335 if (live_kernel == 1) { 336 bzero((char *)&fio, sizeof(fio)); 337 bzero((char *)&ipsst, sizeof(ipsst)); 338 bzero((char *)&ifrst, sizeof(ifrst)); 339 340 ipfstate_live(device, &fiop, &ipsstp, &ifrstp, 341 &frauthstp, &frf); 342 } else 343 ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); 344 345 if (opts & OPT_IPSTATES) { 346 showipstates(ipsstp); 347 } else if (opts & OPT_SHOWLIST) { 348 showlist(fiop); 349 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){ 350 opts &= ~OPT_OUTQUE; 351 showlist(fiop); 352 } 353 } else { 354 if (opts & OPT_FRSTATES) 355 showfrstates(ifrstp); 356 #ifdef STATETOP 357 else if (opts & OPT_STATETOP) 358 topipstates(saddr, daddr, sport, dport, 359 protocol, refreshtime, topclosed); 360 #endif 361 else if (opts & OPT_AUTHSTATS) 362 showauthstates(frauthstp); 363 else if (opts & OPT_GROUPS) 364 showgroups(fiop); 365 else 366 showstats(fiop, frf); 367 } 368 return 0; 369 } 370 371 372 /* 373 * Fill in the stats structures from the live kernel, using a combination 374 * of ioctl's and copying directly from kernel memory. 375 */ 376 static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp) 377 char *device; 378 friostat_t **fiopp; 379 ips_stat_t **ipsstpp; 380 ipfrstat_t **ifrstpp; 381 fr_authstat_t **frauthstpp; 382 u_32_t *frfp; 383 { 384 ipfobj_t ipfo; 385 386 if (checkrev(device) == -1) { 387 fprintf(stderr, "User/kernel version check failed\n"); 388 exit(1); 389 } 390 391 if ((opts & OPT_AUTHSTATS) == 0) { 392 bzero((caddr_t)&ipfo, sizeof(ipfo)); 393 ipfo.ipfo_rev = IPFILTER_VERSION; 394 ipfo.ipfo_size = sizeof(friostat_t); 395 ipfo.ipfo_ptr = (void *)*fiopp; 396 ipfo.ipfo_type = IPFOBJ_IPFSTAT; 397 398 if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) { 399 perror("ioctl(ipf:SIOCGETFS)"); 400 exit(-1); 401 } 402 403 if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1) 404 perror("ioctl(SIOCGETFF)"); 405 } 406 407 if ((opts & OPT_IPSTATES) != 0) { 408 409 bzero((caddr_t)&ipfo, sizeof(ipfo)); 410 ipfo.ipfo_rev = IPFILTER_VERSION; 411 ipfo.ipfo_size = sizeof(ips_stat_t); 412 ipfo.ipfo_ptr = (void *)*ipsstpp; 413 ipfo.ipfo_type = IPFOBJ_STATESTAT; 414 415 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { 416 perror("ioctl(state:SIOCGETFS)"); 417 exit(-1); 418 } 419 if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) { 420 perror("ioctl(state:SIOCGETLG)"); 421 exit(-1); 422 } 423 } 424 425 if ((opts & OPT_FRSTATES) != 0) { 426 bzero((caddr_t)&ipfo, sizeof(ipfo)); 427 ipfo.ipfo_rev = IPFILTER_VERSION; 428 ipfo.ipfo_size = sizeof(ipfrstat_t); 429 ipfo.ipfo_ptr = (void *)*ifrstpp; 430 ipfo.ipfo_type = IPFOBJ_FRAGSTAT; 431 432 if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) { 433 perror("ioctl(SIOCGFRST)"); 434 exit(-1); 435 } 436 } 437 438 if (opts & OPT_VERBOSE) 439 PRINTF("opts %#x name %s\n", opts, device); 440 441 if ((opts & OPT_AUTHSTATS) != 0) { 442 if (ipf_fd >= 0) { 443 close(ipf_fd); 444 ipf_fd = -1; 445 } 446 device = IPAUTH_NAME; 447 if ((ipf_fd = open(device, O_RDONLY)) == -1) { 448 perror("open"); 449 exit(-1); 450 } 451 452 bzero((caddr_t)&ipfo, sizeof(ipfo)); 453 ipfo.ipfo_rev = IPFILTER_VERSION; 454 ipfo.ipfo_size = sizeof(fr_authstat_t); 455 ipfo.ipfo_ptr = (void *)*frauthstpp; 456 ipfo.ipfo_type = IPFOBJ_AUTHSTAT; 457 458 if (ioctl(ipf_fd, SIOCATHST, &ipfo) == -1) { 459 perror("ioctl(SIOCATHST)"); 460 exit(-1); 461 } 462 } 463 } 464 465 466 /* 467 * Build up the stats structures from data held in the "core" memory. 468 * This is mainly useful when looking at data in crash dumps and ioctl's 469 * just won't work any more. 470 */ 471 static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp) 472 char *kernel; 473 friostat_t **fiopp; 474 ips_stat_t **ipsstpp; 475 ipfrstat_t **ifrstpp; 476 fr_authstat_t **frauthstpp; 477 u_32_t *frfp; 478 { 479 static fr_authstat_t frauthst, *frauthstp; 480 static ips_stat_t ipsst, *ipsstp; 481 static ipfrstat_t ifrst, *ifrstp; 482 static friostat_t fio, *fiop; 483 int temp; 484 485 void *rules[2][2]; 486 struct nlist deadlist[43] = { 487 { "fr_authstats" }, /* 0 */ 488 { "fae_list" }, 489 { "ipauth" }, 490 { "fr_authlist" }, 491 { "fr_authstart" }, 492 { "fr_authend" }, /* 5 */ 493 { "fr_authnext" }, 494 { "fr_auth" }, 495 { "fr_authused" }, 496 { "fr_authsize" }, 497 { "fr_defaultauthage" }, /* 10 */ 498 { "fr_authpkts" }, 499 { "fr_auth_lock" }, 500 { "frstats" }, 501 { "ips_stats" }, 502 { "ips_num" }, /* 15 */ 503 { "ips_wild" }, 504 { "ips_list" }, 505 { "ips_table" }, 506 { "fr_statemax" }, 507 { "fr_statesize" }, /* 20 */ 508 { "fr_state_doflush" }, 509 { "fr_state_lock" }, 510 { "ipfr_heads" }, 511 { "ipfr_nattab" }, 512 { "ipfr_stats" }, /* 25 */ 513 { "ipfr_inuse" }, 514 { "fr_ipfrttl" }, 515 { "fr_frag_lock" }, 516 { "ipfr_timer_id" }, 517 { "fr_nat_lock" }, /* 30 */ 518 { "ipfilter" }, 519 { "ipfilter6" }, 520 { "ipacct" }, 521 { "ipacct6" }, 522 { "ipl_frouteok" }, /* 35 */ 523 { "fr_running" }, 524 { "ipfgroups" }, 525 { "fr_active" }, 526 { "fr_pass" }, 527 { "fr_flags" }, /* 40 */ 528 { "ipstate_logging" }, 529 { NULL } 530 }; 531 532 533 frauthstp = &frauthst; 534 ipsstp = &ipsst; 535 ifrstp = &ifrst; 536 fiop = &fio; 537 538 *frfp = 0; 539 *fiopp = fiop; 540 *ipsstpp = ipsstp; 541 *ifrstpp = ifrstp; 542 *frauthstpp = frauthstp; 543 544 bzero((char *)fiop, sizeof(*fiop)); 545 bzero((char *)ipsstp, sizeof(*ipsstp)); 546 bzero((char *)ifrstp, sizeof(*ifrstp)); 547 bzero((char *)frauthstp, sizeof(*frauthstp)); 548 549 if (nlist(kernel, deadlist) == -1) { 550 fprintf(stderr, "nlist error\n"); 551 return; 552 } 553 554 /* 555 * This is for SIOCGETFF. 556 */ 557 kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp)); 558 559 /* 560 * f_locks is a combination of the lock variable from each part of 561 * ipfilter (state, auth, nat, fragments). 562 */ 563 kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop)); 564 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value, 565 sizeof(fiop->f_locks[0])); 566 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value, 567 sizeof(fiop->f_locks[1])); 568 kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value, 569 sizeof(fiop->f_locks[2])); 570 kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value, 571 sizeof(fiop->f_locks[3])); 572 573 /* 574 * Get pointers to each list of rules (active, inactive, in, out) 575 */ 576 kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules)); 577 fiop->f_fin[0] = rules[0][0]; 578 fiop->f_fin[1] = rules[0][1]; 579 fiop->f_fout[0] = rules[1][0]; 580 fiop->f_fout[1] = rules[1][1]; 581 582 /* 583 * Same for IPv6, except make them null if support for it is not 584 * being compiled in. 585 */ 586 #ifdef USE_INET6 587 kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules)); 588 fiop->f_fin6[0] = rules[0][0]; 589 fiop->f_fin6[1] = rules[0][1]; 590 fiop->f_fout6[0] = rules[1][0]; 591 fiop->f_fout6[1] = rules[1][1]; 592 #else 593 fiop->f_fin6[0] = NULL; 594 fiop->f_fin6[1] = NULL; 595 fiop->f_fout6[0] = NULL; 596 fiop->f_fout6[1] = NULL; 597 #endif 598 599 /* 600 * Now get accounting rules pointers. 601 */ 602 kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules)); 603 fiop->f_acctin[0] = rules[0][0]; 604 fiop->f_acctin[1] = rules[0][1]; 605 fiop->f_acctout[0] = rules[1][0]; 606 fiop->f_acctout[1] = rules[1][1]; 607 608 #ifdef USE_INET6 609 kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules)); 610 fiop->f_acctin6[0] = rules[0][0]; 611 fiop->f_acctin6[1] = rules[0][1]; 612 fiop->f_acctout6[0] = rules[1][0]; 613 fiop->f_acctout6[1] = rules[1][1]; 614 #else 615 fiop->f_acctin6[0] = NULL; 616 fiop->f_acctin6[1] = NULL; 617 fiop->f_acctout6[0] = NULL; 618 fiop->f_acctout6[1] = NULL; 619 #endif 620 621 /* 622 * A collection of "global" variables used inside the kernel which 623 * are all collected in friostat_t via ioctl. 624 */ 625 kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value, 626 sizeof(fiop->f_froute)); 627 kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value, 628 sizeof(fiop->f_running)); 629 kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value, 630 sizeof(fiop->f_groups)); 631 kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value, 632 sizeof(fiop->f_active)); 633 kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value, 634 sizeof(fiop->f_defpass)); 635 636 /* 637 * Build up the state information stats structure. 638 */ 639 kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp)); 640 kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp)); 641 ipsstp->iss_active = temp; 642 ipsstp->iss_table = (void *)deadlist[18].n_value; 643 ipsstp->iss_list = (void *)deadlist[17].n_value; 644 645 /* 646 * Build up the authentiation information stats structure. 647 */ 648 kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value, 649 sizeof(*frauthstp)); 650 frauthstp->fas_faelist = (void *)deadlist[1].n_value; 651 652 /* 653 * Build up the fragment information stats structure. 654 */ 655 kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value, 656 sizeof(*ifrstp)); 657 ifrstp->ifs_table = (void *)deadlist[23].n_value; 658 ifrstp->ifs_nattab = (void *)deadlist[24].n_value; 659 kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value, 660 sizeof(ifrstp->ifs_inuse)); 661 662 /* 663 * Get logging on/off switches 664 */ 665 kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value, 666 sizeof(state_logging)); 667 } 668 669 670 /* 671 * Display the kernel stats for packets blocked and passed and other 672 * associated running totals which are kept. 673 */ 674 static void showstats(fp, frf) 675 struct friostat *fp; 676 u_32_t frf; 677 { 678 679 PRINTF("bad packets:\t\tin %lu\tout %lu\n", 680 fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); 681 #ifdef USE_INET6 682 PRINTF(" IPv6 packets:\t\tin %lu out %lu\n", 683 fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6); 684 #endif 685 PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu", 686 fp->f_st[0].fr_block, fp->f_st[0].fr_pass, 687 fp->f_st[0].fr_nom); 688 PRINTF(" counted %lu short %lu\n", 689 fp->f_st[0].fr_acct, fp->f_st[0].fr_short); 690 PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu", 691 fp->f_st[1].fr_block, fp->f_st[1].fr_pass, 692 fp->f_st[1].fr_nom); 693 PRINTF(" counted %lu short %lu\n", 694 fp->f_st[1].fr_acct, fp->f_st[1].fr_short); 695 PRINTF(" input packets logged:\tblocked %lu passed %lu\n", 696 fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); 697 PRINTF("output packets logged:\tblocked %lu passed %lu\n", 698 fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl); 699 PRINTF(" packets logged:\tinput %lu output %lu\n", 700 fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl); 701 PRINTF(" log failures:\t\tinput %lu output %lu\n", 702 fp->f_st[0].fr_skip, fp->f_st[1].fr_skip); 703 PRINTF("fragment state(in):\tkept %lu\tlost %lu\n", 704 fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr); 705 PRINTF("fragment state(out):\tkept %lu\tlost %lu\n", 706 fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr); 707 PRINTF("packet state(in):\tkept %lu\tlost %lu\n", 708 fp->f_st[0].fr_ads, fp->f_st[0].fr_bads); 709 PRINTF("packet state(out):\tkept %lu\tlost %lu\n", 710 fp->f_st[1].fr_ads, fp->f_st[1].fr_bads); 711 PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n", 712 fp->f_st[0].fr_ret, fp->f_st[1].fr_ret); 713 PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc); 714 PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n", 715 fp->f_st[0].fr_chit, fp->f_st[1].fr_chit); 716 PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n", 717 fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]); 718 PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n", 719 fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); 720 PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", 721 fp->f_froute[0], fp->f_froute[1]); 722 PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", 723 fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); 724 PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks); 725 726 PRINTF("Packet log flags set: (%#x)\n", frf); 727 if (frf & FF_LOGPASS) 728 PRINTF("\tpackets passed through filter\n"); 729 if (frf & FF_LOGBLOCK) 730 PRINTF("\tpackets blocked by filter\n"); 731 if (frf & FF_LOGNOMATCH) 732 PRINTF("\tpackets not matched by filter\n"); 733 if (!frf) 734 PRINTF("\tnone\n"); 735 } 736 737 738 /* 739 * Print out a list of rules from the kernel, starting at the one passed. 740 */ 741 static void printlist(fp, comment) 742 frentry_t *fp; 743 char *comment; 744 { 745 struct frentry fb, *fg; 746 char *data; 747 u_32_t type; 748 int n; 749 750 for (n = 1; fp; n++) { 751 if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) { 752 perror("kmemcpy"); 753 return; 754 } 755 fp = &fb; 756 if (opts & (OPT_HITS|OPT_VERBOSE)) 757 #ifdef USE_QUAD_T 758 PRINTF("%qu ", (unsigned long long) fp->fr_hits); 759 #else 760 PRINTF("%lu ", fp->fr_hits); 761 #endif 762 if (opts & (OPT_ACCNT|OPT_VERBOSE)) 763 #ifdef USE_QUAD_T 764 PRINTF("%qu ", (unsigned long long) fp->fr_bytes); 765 #else 766 PRINTF("%lu ", fp->fr_bytes); 767 #endif 768 if (opts & OPT_SHOWLINENO) 769 PRINTF("@%d ", n); 770 data = NULL; 771 type = fp->fr_type & ~FR_T_BUILTIN; 772 if (type == FR_T_IPF || type == FR_T_BPFOPC) { 773 if (fp->fr_dsize) { 774 data = malloc(fp->fr_dsize); 775 776 if (kmemcpy(data, (u_long)fp->fr_data, 777 fp->fr_dsize) == -1) { 778 perror("kmemcpy"); 779 return; 780 } 781 fp->fr_data = data; 782 } 783 } 784 785 printfr(fp, ioctl); 786 if (opts & OPT_VERBOSE) { 787 binprint(fp, sizeof(*fp)); 788 if (fp->fr_data != NULL && fp->fr_dsize > 0) 789 binprint(fp->fr_data, fp->fr_dsize); 790 } 791 if (data != NULL) 792 free(data); 793 if (fp->fr_grp != NULL) { 794 if (!kmemcpy((char *)&fg, (u_long)fp->fr_grp, 795 sizeof(fg))) 796 printlist(fg, comment); 797 } 798 if (type == FR_T_CALLFUNC) { 799 printlist(fp->fr_data, "# callfunc: "); 800 } 801 fp = fp->fr_next; 802 } 803 } 804 805 /* 806 * print out all of the asked for rule sets, using the stats struct as 807 * the base from which to get the pointers. 808 */ 809 static void showlist(fiop) 810 struct friostat *fiop; 811 { 812 struct frentry *fp = NULL; 813 int i, set; 814 815 set = fiop->f_active; 816 if (opts & OPT_INACTIVE) 817 set = 1 - set; 818 if (opts & OPT_ACCNT) { 819 #ifdef USE_INET6 820 if ((use_inet6) && (opts & OPT_OUTQUE)) { 821 i = F_ACOUT; 822 fp = (struct frentry *)fiop->f_acctout6[set]; 823 } else if ((use_inet6) && (opts & OPT_INQUE)) { 824 i = F_ACIN; 825 fp = (struct frentry *)fiop->f_acctin6[set]; 826 } else 827 #endif 828 if (opts & OPT_OUTQUE) { 829 i = F_ACOUT; 830 fp = (struct frentry *)fiop->f_acctout[set]; 831 } else if (opts & OPT_INQUE) { 832 i = F_ACIN; 833 fp = (struct frentry *)fiop->f_acctin[set]; 834 } else { 835 FPRINTF(stderr, "No -i or -o given with -a\n"); 836 return; 837 } 838 } else { 839 #ifdef USE_INET6 840 if ((use_inet6) && (opts & OPT_OUTQUE)) { 841 i = F_OUT; 842 fp = (struct frentry *)fiop->f_fout6[set]; 843 } else if ((use_inet6) && (opts & OPT_INQUE)) { 844 i = F_IN; 845 fp = (struct frentry *)fiop->f_fin6[set]; 846 } else 847 #endif 848 if (opts & OPT_OUTQUE) { 849 i = F_OUT; 850 fp = (struct frentry *)fiop->f_fout[set]; 851 } else if (opts & OPT_INQUE) { 852 i = F_IN; 853 fp = (struct frentry *)fiop->f_fin[set]; 854 } else 855 return; 856 } 857 if (opts & OPT_VERBOSE) 858 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i); 859 860 if (opts & OPT_VERBOSE) 861 PRINTF("fp %p set %d\n", fp, set); 862 if (!fp) { 863 FPRINTF(stderr, "empty list for %s%s\n", 864 (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); 865 return; 866 } 867 printlist(fp, NULL); 868 } 869 870 871 /* 872 * Display ipfilter stateful filtering information 873 */ 874 static void showipstates(ipsp) 875 ips_stat_t *ipsp; 876 { 877 u_long minlen, maxlen, totallen, *buckets; 878 int i, sz; 879 880 sz = sizeof(*buckets) * ipsp->iss_statesize; 881 buckets = (u_long *)malloc(sz); 882 if (kmemcpy((char *)buckets, (u_long)ipsp->iss_bucketlen, sz)) { 883 free(buckets); 884 return; 885 } 886 887 /* 888 * If a list of states hasn't been asked for, only print out stats 889 */ 890 if (!(opts & OPT_SHOWLIST)) { 891 PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", 892 ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); 893 PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, 894 ipsp->iss_miss); 895 PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n", 896 ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull); 897 PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", 898 ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); 899 900 PRINTF("State logging %sabled\n", 901 state_logging ? "en" : "dis"); 902 903 PRINTF("\nState table bucket statistics:\n"); 904 PRINTF("\t%lu in use\t\n", ipsp->iss_inuse); 905 906 minlen = ipsp->iss_max; 907 totallen = 0; 908 maxlen = 0; 909 910 for (i = 0; i < ipsp->iss_statesize; i++) { 911 if (buckets[i] > maxlen) 912 maxlen = buckets[i]; 913 if (buckets[i] < minlen) 914 minlen = buckets[i]; 915 totallen += buckets[i]; 916 } 917 918 PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n", 919 ((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0, 920 minlen); 921 PRINTF("\t%lu maximal length\n\t%.3f average length\n", 922 maxlen, 923 ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse : 924 0.0); 925 926 #define ENTRIES_PER_LINE 5 927 928 if (opts & OPT_VERBOSE) { 929 PRINTF("\nCurrent bucket sizes :\n"); 930 for (i = 0; i < ipsp->iss_statesize; i++) { 931 if ((i % ENTRIES_PER_LINE) == 0) 932 PRINTF("\t"); 933 PRINTF("%4d -> %4lu", i, buckets[i]); 934 if ((i % ENTRIES_PER_LINE) == 935 (ENTRIES_PER_LINE - 1)) 936 PRINTF("\n"); 937 else 938 PRINTF(" "); 939 } 940 PRINTF("\n"); 941 } 942 PRINTF("\n"); 943 944 free(buckets); 945 return; 946 } 947 948 /* 949 * Print out all the state information currently held in the kernel. 950 */ 951 while (ipsp->iss_list != NULL) { 952 ipsp->iss_list = printstate(ipsp->iss_list, opts); 953 } 954 955 free(buckets); 956 } 957 958 959 #ifdef STATETOP 960 static void topipstates(saddr, daddr, sport, dport, protocol, 961 refreshtime, topclosed) 962 struct in_addr saddr; 963 struct in_addr daddr; 964 int sport; 965 int dport; 966 int protocol; 967 int refreshtime; 968 int topclosed; 969 { 970 char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; 971 int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; 972 int i, j, winx, tsentry, maxx, maxy, redraw = 0; 973 ips_stat_t ipsst, *ipsstp = &ipsst; 974 statetop_t *tstable = NULL, *tp; 975 ipstate_t ips; 976 ipfobj_t ipfo; 977 struct timeval selecttimeout; 978 char hostnm[HOSTNMLEN]; 979 struct protoent *proto; 980 fd_set readfd; 981 int c = 0; 982 time_t t; 983 984 /* init ncurses stuff */ 985 initscr(); 986 cbreak(); 987 noecho(); 988 989 /* init hostname */ 990 gethostname(hostnm, sizeof(hostnm) - 1); 991 hostnm[sizeof(hostnm) - 1] = '\0'; 992 993 /* init ipfobj_t stuff */ 994 bzero((caddr_t)&ipfo, sizeof(ipfo)); 995 ipfo.ipfo_rev = IPFILTER_VERSION; 996 ipfo.ipfo_size = sizeof(*ipsstp); 997 ipfo.ipfo_ptr = (void *)ipsstp; 998 ipfo.ipfo_type = IPFOBJ_STATESTAT; 999 1000 /* repeat until user aborts */ 1001 while ( 1 ) { 1002 1003 /* get state table */ 1004 bzero((char *)&ipsst, sizeof(ipsst)); 1005 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { 1006 perror("ioctl(SIOCGETFS)"); 1007 exit(-1); 1008 } 1009 1010 /* clear the history */ 1011 tsentry = -1; 1012 1013 /* read the state table and store in tstable */ 1014 while (ipsstp->iss_list) { 1015 if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list, 1016 sizeof(ips))) 1017 break; 1018 ipsstp->iss_list = ips.is_next; 1019 1020 if (((saddr.s_addr == INADDR_ANY) || 1021 (saddr.s_addr == ips.is_saddr)) && 1022 ((daddr.s_addr == INADDR_ANY) || 1023 (daddr.s_addr == ips.is_daddr)) && 1024 ((protocol < 0) || (protocol == ips.is_p)) && 1025 (((ips.is_p != IPPROTO_TCP) && 1026 (ips.is_p != IPPROTO_UDP)) || 1027 (((sport < 0) || 1028 (htons(sport) == ips.is_sport)) && 1029 ((dport < 0) || 1030 (htons(dport) == ips.is_dport)))) && 1031 (topclosed || (ips.is_p != IPPROTO_TCP) || 1032 (ips.is_state[0] < TCPS_LAST_ACK) || 1033 (ips.is_state[1] < TCPS_LAST_ACK))) { 1034 /* 1035 * if necessary make room for this state 1036 * entry 1037 */ 1038 tsentry++; 1039 if (!maxtsentries || 1040 (tsentry == maxtsentries)) { 1041 1042 maxtsentries += STGROWSIZE; 1043 tstable = realloc(tstable, maxtsentries * sizeof(statetop_t)); 1044 if (!tstable) { 1045 perror("malloc"); 1046 exit(-1); 1047 } 1048 } 1049 1050 /* fill structure */ 1051 tp = tstable + tsentry; 1052 tp->st_src = ips.is_src; 1053 tp->st_dst = ips.is_dst; 1054 tp->st_p = ips.is_p; 1055 tp->st_state[0] = ips.is_state[0]; 1056 tp->st_state[1] = ips.is_state[1]; 1057 tp->st_pkts = ips.is_pkts[0] + ips.is_pkts[1]; 1058 tp->st_bytes = ips.is_bytes[0] + 1059 ips.is_bytes[1]; 1060 if ((ips.is_p == IPPROTO_TCP) || 1061 (ips.is_p == IPPROTO_UDP)) { 1062 tp->st_sport = ips.is_sport; 1063 tp->st_dport = ips.is_dport; 1064 } 1065 1066 } 1067 } 1068 1069 1070 /* sort the array */ 1071 if (tsentry != -1) 1072 switch (sorting) 1073 { 1074 case STSORT_PR: 1075 qsort(tstable, tsentry + 1, 1076 sizeof(statetop_t), sort_p); 1077 break; 1078 case STSORT_PKTS: 1079 qsort(tstable, tsentry + 1, 1080 sizeof(statetop_t), sort_pkts); 1081 break; 1082 case STSORT_BYTES: 1083 qsort(tstable, tsentry + 1, 1084 sizeof(statetop_t), sort_bytes); 1085 break; 1086 case STSORT_TTL: 1087 qsort(tstable, tsentry + 1, 1088 sizeof(statetop_t), sort_ttl); 1089 break; 1090 case STSORT_SRCIP: 1091 qsort(tstable, tsentry + 1, 1092 sizeof(statetop_t), sort_srcip); 1093 break; 1094 case STSORT_DSTIP: 1095 qsort(tstable, tsentry + 1, 1096 sizeof(statetop_t), sort_dstip); 1097 break; 1098 default: 1099 break; 1100 } 1101 1102 /* print title */ 1103 erase(); 1104 getmaxyx(stdscr, maxy, maxx); 1105 attron(A_BOLD); 1106 winx = 0; 1107 move(winx,0); 1108 sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION); 1109 for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) 1110 printw(" "); 1111 printw("%s", str1); 1112 attroff(A_BOLD); 1113 1114 /* just for fun add a clock */ 1115 move(winx, maxx - 8); 1116 t = time(NULL); 1117 strftime(str1, 80, "%T", localtime(&t)); 1118 printw("%s\n", str1); 1119 1120 /* 1121 * print the display filters, this is placed in the loop, 1122 * because someday I might add code for changing these 1123 * while the programming is running :-) 1124 */ 1125 if (sport >= 0) 1126 sprintf(str1, "%s,%d", inet_ntoa(saddr), sport); 1127 else 1128 sprintf(str1, "%s", inet_ntoa(saddr)); 1129 1130 if (dport >= 0) 1131 sprintf(str2, "%s,%d", inet_ntoa(daddr), dport); 1132 else 1133 sprintf(str2, "%s", inet_ntoa(daddr)); 1134 1135 if (protocol < 0) 1136 strcpy(str3, "any"); 1137 else if ((proto = getprotobynumber(protocol)) != NULL) 1138 sprintf(str3, "%s", proto->p_name); 1139 else 1140 sprintf(str3, "%d", protocol); 1141 1142 switch (sorting) 1143 { 1144 case STSORT_PR: 1145 sprintf(str4, "proto"); 1146 break; 1147 case STSORT_PKTS: 1148 sprintf(str4, "# pkts"); 1149 break; 1150 case STSORT_BYTES: 1151 sprintf(str4, "# bytes"); 1152 break; 1153 case STSORT_TTL: 1154 sprintf(str4, "ttl"); 1155 break; 1156 case STSORT_SRCIP: 1157 sprintf(str4, "srcip"); 1158 break; 1159 case STSORT_DSTIP: 1160 sprintf(str4, "dstip"); 1161 break; 1162 default: 1163 sprintf(str4, "unknown"); 1164 break; 1165 } 1166 1167 if (reverse) 1168 strcat(str4, " (reverse)"); 1169 1170 winx += 2; 1171 move(winx,0); 1172 printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n", 1173 str1, str2, str3, str4); 1174 1175 /* print column description */ 1176 winx += 2; 1177 move(winx,0); 1178 attron(A_BOLD); 1179 printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP", 1180 "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl"); 1181 attroff(A_BOLD); 1182 1183 /* print all the entries */ 1184 tp = tstable; 1185 if (reverse) 1186 tp += tsentry; 1187 1188 if (tsentry > maxy - 6) 1189 tsentry = maxy - 6; 1190 for (i = 0; i <= tsentry; i++) { 1191 /* print src/dest and port */ 1192 if ((tp->st_p == IPPROTO_TCP) || 1193 (tp->st_p == IPPROTO_UDP)) { 1194 sprintf(str1, "%s,%hu", 1195 inet_ntoa(tp->st_src.in4), 1196 ntohs(tp->st_sport)); 1197 sprintf(str2, "%s,%hu", 1198 inet_ntoa(tp->st_dst.in4), 1199 ntohs(tp->st_dport)); 1200 } else { 1201 sprintf(str1, "%s", inet_ntoa(tp->st_src.in4)); 1202 sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4)); 1203 } 1204 winx++; 1205 move(winx, 0); 1206 printw("%-21s %-21s", str1, str2); 1207 1208 /* print state */ 1209 sprintf(str1, "%X/%X", tp->st_state[0], 1210 tp->st_state[1]); 1211 printw(" %3s", str1); 1212 1213 /* print proto */ 1214 proto = getprotobynumber(tp->st_p); 1215 if (proto) { 1216 strncpy(str1, proto->p_name, 4); 1217 str1[4] = '\0'; 1218 } else { 1219 sprintf(str1, "%d", tp->st_p); 1220 } 1221 printw(" %4s", str1); 1222 /* print #pkt/#bytes */ 1223 #ifdef USE_QUAD_T 1224 printw(" %7qu %9qu", (unsigned long long) tp->st_pkts, 1225 (unsigned long long) tp->st_bytes); 1226 #else 1227 printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes); 1228 #endif 1229 printw(" %9s", ttl_to_string(tp->st_age)); 1230 1231 if (reverse) 1232 tp--; 1233 else 1234 tp++; 1235 } 1236 1237 /* screen data structure is filled, now update the screen */ 1238 if (redraw) 1239 clearok(stdscr,1); 1240 1241 refresh(); 1242 if (redraw) { 1243 clearok(stdscr,0); 1244 redraw = 0; 1245 } 1246 1247 /* wait for key press or a 1 second time out period */ 1248 selecttimeout.tv_sec = refreshtime; 1249 selecttimeout.tv_usec = 0; 1250 FD_ZERO(&readfd); 1251 FD_SET(0, &readfd); 1252 select(1, &readfd, NULL, NULL, &selecttimeout); 1253 1254 /* if key pressed, read all waiting keys */ 1255 if (FD_ISSET(0, &readfd)) { 1256 c = wgetch(stdscr); 1257 if (c == ERR) 1258 continue; 1259 1260 if (tolower(c) == 'l') { 1261 redraw = 1; 1262 } else if (tolower(c) == 'q') { 1263 nocbreak(); 1264 endwin(); 1265 exit(0); 1266 } else if (tolower(c) == 'r') { 1267 reverse = !reverse; 1268 } else if (tolower(c) == 's') { 1269 sorting++; 1270 if (sorting > STSORT_MAX) 1271 sorting = 0; 1272 } 1273 } 1274 } /* while */ 1275 1276 printw("\n"); 1277 nocbreak(); 1278 endwin(); 1279 1280 free(tstable); 1281 } 1282 #endif 1283 1284 1285 /* 1286 * Show fragment cache information that's held in the kernel. 1287 */ 1288 static void showfrstates(ifsp) 1289 ipfrstat_t *ifsp; 1290 { 1291 struct ipfr *ipfrtab[IPFT_SIZE], ifr; 1292 frentry_t fr; 1293 int i; 1294 1295 /* 1296 * print out the numeric statistics 1297 */ 1298 PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", 1299 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits); 1300 PRINTF("\t%lu retrans\n\t%lu too short\n", ifsp->ifs_retrans0, ifsp->ifs_short); 1301 PRINTF("\t%lu no memory\n\t%lu already exist\n", 1302 ifsp->ifs_nomem, ifsp->ifs_exists); 1303 PRINTF("\t%lu inuse\n", ifsp->ifs_inuse); 1304 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab))) 1305 return; 1306 1307 /* 1308 * Print out the contents (if any) of the fragment cache table. 1309 */ 1310 for (i = 0; i < IPFT_SIZE; i++) 1311 while (ipfrtab[i]) { 1312 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], 1313 sizeof(ifr)) == -1) 1314 break; 1315 PRINTF("%s -> ", hostname(4, &ifr.ipfr_src)); 1316 if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, 1317 sizeof(fr)) == -1) 1318 break; 1319 PRINTF("%s %d %d %d %#02x = %#x\n", 1320 hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, 1321 ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, 1322 fr.fr_flags); 1323 ipfrtab[i] = ifr.ipfr_next; 1324 } 1325 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) 1326 return; 1327 for (i = 0; i < IPFT_SIZE; i++) 1328 while (ipfrtab[i]) { 1329 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], 1330 sizeof(ifr)) == -1) 1331 break; 1332 PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); 1333 if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, 1334 sizeof(fr)) == -1) 1335 break; 1336 PRINTF("%s %d %d %d %#02x = %#x\n", 1337 hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, 1338 ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, 1339 fr.fr_flags); 1340 ipfrtab[i] = ifr.ipfr_next; 1341 } 1342 } 1343 1344 1345 /* 1346 * Show stats on how auth within IPFilter has been used 1347 */ 1348 static void showauthstates(asp) 1349 fr_authstat_t *asp; 1350 { 1351 frauthent_t *frap, fra; 1352 1353 #ifdef USE_QUAD_T 1354 printf("Authorisation hits: %qu\tmisses %qu\n", 1355 (unsigned long long) asp->fas_hits, 1356 (unsigned long long) asp->fas_miss); 1357 #else 1358 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits, 1359 asp->fas_miss); 1360 #endif 1361 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n", 1362 asp->fas_nospace, asp->fas_added, asp->fas_sendfail, 1363 asp->fas_sendok); 1364 printf("queok %ld\nquefail %ld\nexpire %ld\n", 1365 asp->fas_queok, asp->fas_quefail, asp->fas_expire); 1366 1367 frap = asp->fas_faelist; 1368 while (frap) { 1369 if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1) 1370 break; 1371 1372 printf("age %ld\t", fra.fae_age); 1373 printfr(&fra.fae_fr, ioctl); 1374 frap = fra.fae_next; 1375 } 1376 } 1377 1378 1379 /* 1380 * Display groups used for each of filter rules, accounting rules and 1381 * authentication, separately. 1382 */ 1383 static void showgroups(fiop) 1384 struct friostat *fiop; 1385 { 1386 static char *gnames[3] = { "Filter", "Accounting", "Authentication" }; 1387 frgroup_t *fp, grp; 1388 int on, off, i; 1389 1390 on = fiop->f_active; 1391 off = 1 - on; 1392 1393 for (i = 0; i < 3; i++) { 1394 printf("%s groups (active):\n", gnames[i]); 1395 for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next) 1396 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) 1397 break; 1398 else 1399 printf("%s\n", grp.fg_name); 1400 printf("%s groups (inactive):\n", gnames[i]); 1401 for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next) 1402 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) 1403 break; 1404 else 1405 printf("%s\n", grp.fg_name); 1406 } 1407 } 1408 1409 static void parse_ipportstr(argument, ip, port) 1410 const char *argument; 1411 struct in_addr *ip; 1412 int *port; 1413 { 1414 1415 char *s, *comma; 1416 1417 /* make working copy of argument, Theoretically you must be able 1418 * to write to optarg, but that seems very ugly to me.... 1419 */ 1420 s = strdup(argument); 1421 if (s == NULL) 1422 return; 1423 1424 /* get port */ 1425 if ((comma = strchr(s, ',')) != NULL) { 1426 if (!strcasecmp(comma + 1, "any")) { 1427 *port = -1; 1428 } else if (!sscanf(comma + 1, "%d", port) || 1429 (*port < 0) || (*port > 65535)) { 1430 fprintf(stderr, "Invalid port specfication in %s\n", 1431 argument); 1432 free(s); 1433 exit(-2); 1434 } 1435 *comma = '\0'; 1436 } 1437 1438 1439 /* get ip address */ 1440 if (!strcasecmp(s, "any")) { 1441 ip->s_addr = INADDR_ANY; 1442 } else if (!inet_aton(s, ip)) { 1443 fprintf(stderr, "Invalid IP address: %s\n", s); 1444 free(s); 1445 exit(-2); 1446 } 1447 1448 /* free allocated memory */ 1449 free(s); 1450 } 1451 1452 1453 #ifdef STATETOP 1454 static char ttlbuf[STSTRSIZE]; 1455 1456 static char *ttl_to_string(ttl) 1457 long int ttl; 1458 { 1459 1460 int hours, minutes, seconds; 1461 1462 /* ttl is in half seconds */ 1463 ttl /= 2; 1464 1465 hours = ttl / 3600; 1466 ttl = ttl % 3600; 1467 minutes = ttl / 60; 1468 seconds = ttl % 60; 1469 1470 if (hours > 0 ) 1471 sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds); 1472 else 1473 sprintf(ttlbuf, "%2d:%02d", minutes, seconds); 1474 return ttlbuf; 1475 } 1476 1477 1478 static int sort_pkts(a, b) 1479 const void *a; 1480 const void *b; 1481 { 1482 1483 register const statetop_t *ap = a; 1484 register const statetop_t *bp = b; 1485 1486 if (ap->st_pkts == bp->st_pkts) 1487 return 0; 1488 else if (ap->st_pkts < bp->st_pkts) 1489 return 1; 1490 return -1; 1491 } 1492 1493 1494 static int sort_bytes(a, b) 1495 const void *a; 1496 const void *b; 1497 { 1498 register const statetop_t *ap = a; 1499 register const statetop_t *bp = b; 1500 1501 if (ap->st_bytes == bp->st_bytes) 1502 return 0; 1503 else if (ap->st_bytes < bp->st_bytes) 1504 return 1; 1505 return -1; 1506 } 1507 1508 1509 static int sort_p(a, b) 1510 const void *a; 1511 const void *b; 1512 { 1513 register const statetop_t *ap = a; 1514 register const statetop_t *bp = b; 1515 1516 if (ap->st_p == bp->st_p) 1517 return 0; 1518 else if (ap->st_p < bp->st_p) 1519 return 1; 1520 return -1; 1521 } 1522 1523 1524 static int sort_ttl(a, b) 1525 const void *a; 1526 const void *b; 1527 { 1528 register const statetop_t *ap = a; 1529 register const statetop_t *bp = b; 1530 1531 if (ap->st_age == bp->st_age) 1532 return 0; 1533 else if (ap->st_age < bp->st_age) 1534 return 1; 1535 return -1; 1536 } 1537 1538 static int sort_srcip(a, b) 1539 const void *a; 1540 const void *b; 1541 { 1542 register const statetop_t *ap = a; 1543 register const statetop_t *bp = b; 1544 1545 if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr)) 1546 return 0; 1547 else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr)) 1548 return 1; 1549 return -1; 1550 } 1551 1552 static int sort_dstip(a, b) 1553 const void *a; 1554 const void *b; 1555 { 1556 register const statetop_t *ap = a; 1557 register const statetop_t *bp = b; 1558 1559 if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr)) 1560 return 0; 1561 else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr)) 1562 return 1; 1563 return -1; 1564 } 1565 #endif 1566