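/*
 * Copyright (C) 1993-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * $Id: printfr.c,v 1.37 2003/06/03 16:01:12 darrenr Exp $
 *
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include "ipf.h"


/*
 * Print a lookup-table reference as "pool/<num>", "hash/<num>" or, for any
 * other table type, "lookup(<type in hex>)=<num>".
 *
 * addr supplies the table type and number.  mask is only consulted when
 * OPT_UNDEF is set in the global opts: a NULL iplookupptr in mask is then
 * marked with a trailing "(!)".
 */
void printlookup(addr, mask)
i6addr_t *addr, *mask;
{
	switch (addr->iplookuptype)
	{
	case IPLT_POOL :
		printf("pool/");
		break;
	case IPLT_HASH :
		printf("hash/");
		break;
	default :
		printf("lookup(%x)=", addr->iplookuptype);
		break;
	}

	printf("%u", addr->iplookupnum);

	if ((opts & OPT_UNDEF) && (mask->iplookupptr == NULL))
		printf("(!)");
}


/*
 * print the filter structure in a useful way
 *
 * Writes one rule to stdout as a single line of rule text ending in '\n':
 * action, direction, logging, interfaces, protocol, addresses and ports,
 * "with" options, ICMP type/code, TCP flags, then the keep/scan/group/log-tag
 * trailers.
 *
 * fp      - rule to print; it is only read.
 * iocfunc - handed to kvatoname() to turn fp->fr_func into a name.
 *
 * This listing is what an operator reads when auditing a rule set, so each
 * keyword has to be driven by the flag that actually controls it.
 *
 * NOTE(review): every "%s" below trusts the string members of *fp
 * (fr_ifname, fr_isctag, fr_grhead, fr_group) to be NUL-terminated.  Their
 * declarations are not visible in this file; confirm that whatever fills in
 * the structure guarantees termination.
 */
void printfr(fp, iocfunc)
struct frentry *fp;
ioctlfunc_t iocfunc;
{
	/*
	 * "with" keywords that all follow the same pattern: when the bit is
	 * set in fr_mflx the keyword is printed, preceded by " not" when the
	 * same bit is clear in fr_flx.  Table order is print order.
	 */
	static const struct withflag {
		u_32_t		wf_bit;
		const char	*wf_name;
	} withflags[] = {
		{ FI_SHORT,	"short" },
		{ FI_FRAG,	"frag" },
		{ FI_NATED,	"nat" },
		{ FI_MULTICAST,	"multicast" },
		{ FI_BROADCAST,	"bcast" },
		{ FI_MBCAST,	"mbcast" },
		{ FI_STATE,	"state" },
		{ FI_BADNAT,	"bad-nat" },
		{ FI_BAD,	"bad" },
		{ FI_OOW,	"oow" },
		{ FI_LOWTTL,	"lowttl" },
		{ FI_BADSRC,	"bad-src" },
		{ 0,		NULL }
	};
	const struct withflag *wf;
	struct protoent *p;
	u_short sec[2];
	u_32_t type;
	u_char *t;
	char *s;
	int pr;

	/*
	 * pr is what printportcmp() is given as the protocol: -2 until a
	 * protocol is known, -1 for "tcp/udp", else the rule's protocol.
	 */
	pr = -2;
	type = fp->fr_type & ~FR_T_BUILTIN;

	if ((fp->fr_type & FR_T_BUILTIN) != 0)
		printf("# Builtin: ");

	/*
	 * Action keyword.  The first matching test wins, so the order of this
	 * chain is significant.
	 */
	if (fp->fr_type == FR_T_CALLFUNC) {
		;
	} else if (fp->fr_func != NULL) {
		printf("call");
		if ((fp->fr_flags & FR_CALLNOW) != 0)
			printf(" now");
		s = kvatoname(fp->fr_func, iocfunc);
		printf(" %s/%u", s ? s : "?", fp->fr_arg);
	} else if (FR_ISPASS(fp->fr_flags))
		printf("pass");
	else if (FR_ISBLOCK(fp->fr_flags)) {
		printf("block");
		if (fp->fr_flags & FR_RETICMP) {
			if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
				printf(" return-icmp-as-dest");
			else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
				printf(" return-icmp");
			if (fp->fr_icode) {
				/* Only index icmpcodes[] with a known code. */
				if (fp->fr_icode <= MAX_ICMPCODE)
					printf("(%s)",
						icmpcodes[(int)fp->fr_icode]);
				else
					printf("(%d)", fp->fr_icode);
			}
		} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
			printf(" return-rst");
	} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
		printlog(fp);
	} else if (FR_ISACCOUNT(fp->fr_flags))
		printf("count");
	else if (FR_ISAUTH(fp->fr_flags))
		printf("auth");
	else if (FR_ISPREAUTH(fp->fr_flags))
		printf("preauth");
	else if (FR_ISNOMATCH(fp->fr_flags))
		printf("nomatch");
	else if (FR_ISSKIP(fp->fr_flags))
		printf("skip %u", fp->fr_arg);
	else {
		/* No known action: show the raw flag word. */
		printf("%x", fp->fr_flags);
	}

	if (fp->fr_flags & FR_OUTQUE)
		printf(" out ");
	else
		printf(" in ");

	if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
	    ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
		printlog(fp);
		putchar(' ');
	}

	if (fp->fr_flags & FR_QUICK)
		printf("quick ");

	/*
	 * Interfaces.  An empty name or "*" in slots 1-3 is not printed as a
	 * restriction.
	 */
	if (*fp->fr_ifname) {
		printifname("on ", fp->fr_ifname, fp->fr_ifa);
		if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
			printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
		putchar(' ');

		if (*fp->fr_dif.fd_ifname)
			print_toif("dup-to", &fp->fr_dif);
		if (*fp->fr_tif.fd_ifname)
			print_toif("to", &fp->fr_tif);
		if (fp->fr_flags & FR_FASTROUTE)
			printf("fastroute ");

		if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
		    (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
			/* The "via" direction is the opposite of the rule's. */
			if (fp->fr_flags & FR_OUTQUE)
				printf("in-via ");
			else
				printf("out-via ");

			if (*fp->fr_ifnames[2]) {
				printifname("", fp->fr_ifnames[2],
					    fp->fr_ifas[2]);
				putchar(' ');

				if (*fp->fr_ifnames[3]) {
					printifname(",", fp->fr_ifnames[3],
						    fp->fr_ifas[3]);
				}
			}
		}
	}

	/* tos/ttl/proto are printed only when the rule's mask selects them. */
	if (type == FR_T_IPF) {
		if (fp->fr_mip.fi_tos)
			printf("tos %#x ", fp->fr_tos);
		if (fp->fr_mip.fi_ttl)
			printf("ttl %d ", fp->fr_ttl);
		if (fp->fr_flx & FI_TCPUDP) {
			printf("proto tcp/udp ");
			pr = -1;
		} else if (fp->fr_mip.fi_p) {
			pr = fp->fr_ip.fi_p;
			if ((p = getprotobynumber(fp->fr_proto)))
				printf("proto %s ", p->p_name);
			else
				printf("proto %d ", fp->fr_proto);
		}
	}

	if (type == FR_T_NONE) {
		printf("all");
	} else if (type == FR_T_IPF) {
		/* Source address and port comparison. */
		printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
		if (fp->fr_satype != FRI_NORMAL) {
			printf("%s", fp->fr_ifname);
			if (fp->fr_satype == FRI_BROADCAST)
				printf("/bcast");
			else if (fp->fr_satype == FRI_NETWORK)
				printf("/net");
			else if (fp->fr_satype == FRI_NETMASKED)
				printf("/netmasked");
			else if (fp->fr_satype == FRI_PEERADDR)
				printf("/peer");
			else if (fp->fr_satype == FRI_LOOKUP)
				printlookup(&fp->fr_ip.fi_src,
					    &fp->fr_mip.fi_src);
			else
				printmask((u_32_t *)&fp->fr_smsk.s_addr);
		} else
			printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
				      (u_32_t *)&fp->fr_smsk.s_addr);
		if (fp->fr_scmp)
			printportcmp(pr, &fp->fr_tuc.ftu_src);

		/* Destination address and port comparison. */
		printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
		if (fp->fr_datype != FRI_NORMAL) {
			printf("%s", fp->fr_ifname);
			if (fp->fr_datype == FRI_BROADCAST)
				printf("/bcast");
			else if (fp->fr_datype == FRI_NETWORK)
				printf("/net");
			else if (fp->fr_datype == FRI_NETMASKED)
				printf("/netmasked");
			else if (fp->fr_datype == FRI_PEERADDR)
				printf("/peer");
			else if (fp->fr_datype == FRI_LOOKUP)
				printlookup(&fp->fr_ip.fi_dst,
					    &fp->fr_mip.fi_dst);
			else
				printmask((u_32_t *)&fp->fr_dmsk.s_addr);
		} else
			printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
				      (u_32_t *)&fp->fr_dmsk.s_addr);
		if (fp->fr_dcmp)
			printportcmp(pr, &fp->fr_tuc.ftu_dst);

		if ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
		    fp->fr_optbits || fp->fr_optmask ||
		    fp->fr_secbits || fp->fr_secmask) {
			printf(" with");
			if (fp->fr_optbits || fp->fr_optmask ||
			    fp->fr_secbits || fp->fr_secmask) {
				sec[0] = fp->fr_secmask;
				sec[1] = fp->fr_secbits;
				if (fp->fr_v == 4)
					optprint(sec, fp->fr_optmask,
						 fp->fr_optbits);
#ifdef	USE_INET6
				else
					optprintv6(sec, fp->fr_optmask,
						   fp->fr_optbits);
#endif
			} else if (fp->fr_mflx & FI_OPTIONS) {
				/*
				 * "ipopts" is printed only when no specific
				 * option or security bits were listed above.
				 */
				if (!(fp->fr_flx & FI_OPTIONS))
					printf(" not");
				printf(" ipopts");
			}

			for (wf = withflags; wf->wf_name != NULL; wf++) {
				if (fp->fr_mflx & wf->wf_bit) {
					if (!(fp->fr_flx & wf->wf_bit))
						printf(" not");
					printf(" %s", wf->wf_name);
				}
			}
		}

		if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
			/*
			 * fr_icmp is converted with ntohs(); the high byte is
			 * used as the ICMP type and the low byte as the code.
			 * Locals are named so that they do not shadow the
			 * function-level "type".
			 */
			int itype, icode;

			itype = ntohs(fp->fr_icmp);
			icode = itype & 0xff;
			itype /= 256;
			/* Use a name only for an in-range, non-NULL entry. */
			if (itype < (sizeof(icmptypes) / sizeof(char *) - 1) &&
			    icmptypes[itype])
				printf(" icmp-type %s", icmptypes[itype]);
			else
				printf(" icmp-type %d", itype);
			if (ntohs(fp->fr_icmpm) & 0xff)
				printf(" code %d", icode);
		}

		if ((fp->fr_proto == IPPROTO_TCP) &&
		    (fp->fr_tcpf || fp->fr_tcpfm)) {
			/*
			 * "flags <set>[/<mask>]": each side is printed as
			 * letters from flagset[], or as hex when it has bits
			 * outside TCPF_ALL.
			 */
			printf(" flags ");
			if (fp->fr_tcpf & ~TCPF_ALL) {
				printf("0x%x", fp->fr_tcpf);
			} else {
				for (s = flagset, t = flags; *s; s++, t++)
					if (fp->fr_tcpf & *t)
						(void)putchar(*s);
			}
			if (fp->fr_tcpfm) {
				(void)putchar('/');
				if (fp->fr_tcpfm & ~TCPF_ALL) {
					printf("0x%x", fp->fr_tcpfm);
				} else {
					for (s = flagset, t = flags; *s;
					     s++, t++)
						if (fp->fr_tcpfm & *t)
							(void)putchar(*s);
				}
			}
		}
#ifdef	IPFILTER_BPF
	} else if (type == FR_T_BPFOPC) {
		u_32_t *bp;
		int i;

		/*
		 * Dump fr_data as fr_dsize / 4 hexadecimal words.
		 * NOTE(review): fr_data is dereferenced without a NULL check
		 * and the count comes straight from fr_dsize; confirm both
		 * are validated before a rule reaches this function.
		 */
		printf("{");
		i = fp->fr_dsize / sizeof(*bp);

		for (bp = fp->fr_data; i; i--, bp++)
			printf(" 0x%08x", *bp);

		printf(" }");
#endif
	} else if (type == FR_T_COMPIPF) {
		;
	} else if (type == FR_T_CALLFUNC) {
		/*
		 * NOTE(review): prints the raw pointer held in fr_data; if
		 * that is an address from another address space it ends up
		 * in whatever captures this output.
		 */
		printf("call function at %p", fp->fr_data);
	} else {
		printf("[unknown filter type %#x]", fp->fr_type);
	}

	if (fp->fr_flags & FR_KEEPSTATE) {
		printf(" keep state");
		/*
		 * NOTE(review): the parenthesised options open on fr_age[0]
		 * only, while " age" below also tests fr_age[1]; a rule with
		 * only fr_age[1] set prints no age.  Left unchanged.
		 */
		if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN)) ||
		    (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
			printf(" (");
			if (fp->fr_statemax != 0)
				printf(" limit %u", fp->fr_statemax);
			/*
			 * "strict" here is the state option, so it must follow
			 * FR_STSTRICT, the flag that opens this group.  Testing
			 * FR_FRSTRICT (the "keep frags" flag) hid a strict state
			 * rule and showed one for a strict-frags rule.
			 */
			if (fp->fr_flags & FR_STSTRICT)
				printf(" strict");
			if (fp->fr_flags & FR_NEWISN)
				printf(" newisn");
			if (fp->fr_age[0] || fp->fr_age[1])
				printf(" age %d/%d", fp->fr_age[0],
				       fp->fr_age[1]);
			printf(" )");
		}
	}
	if (fp->fr_flags & FR_KEEPFRAG) {
		printf(" keep frags");
		/* "strict" is the only fragment option printed. */
		if (fp->fr_flags & FR_FRSTRICT) {
			printf(" (");
			printf(" strict");
			printf(" )");
		}
	}
	/* An fr_isc of (struct ipscan *)-1 means there is no scan clause. */
	if (fp->fr_isc != (struct ipscan *)-1) {
		if (fp->fr_isctag[0])
			printf(" scan %s", fp->fr_isctag);
		else
			printf(" scan *");
	}
	if (*fp->fr_grhead != '\0')
		printf(" head %s", fp->fr_grhead);
	if (*fp->fr_group != '\0')
		printf(" group %s", fp->fr_group);
	if (fp->fr_logtag != FR_NOLOGTAG)
		printf(" log-tag %u", fp->fr_logtag);
	if (fp->fr_pps)
		printf(" pps %d", fp->fr_pps);
	(void)putchar('\n');
}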