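/*
 * Copyright (C) 1993-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * $Id: printfr.c,v 1.37 2003/06/03 16:01:12 darrenr Exp $
 *
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include "ipf.h"


/*
 * Print the lookup-table reference stored in an address slot: "pool/N" or
 * "hash/N" for the two table types handled here, "lookup(<type>)=N" for any
 * other type value.  When OPT_UNDEF is set in opts and the pointer held in
 * `mask' is NULL, "(!)" is appended so the unresolved table stands out.
 */
void printlookup(addr, mask)
i6addr_t *addr, *mask;
{
	switch (addr->iplookuptype)
	{
	case IPLT_POOL :
		printf("pool/");
		break;
	case IPLT_HASH :
		printf("hash/");
		break;
	default :
		printf("lookup(%x)=", addr->iplookuptype);
		break;
	}

	printf("%u", addr->iplookupnum);
	if ((opts & OPT_UNDEF) && (mask->iplookupptr == NULL))
		printf("(!)");
}


/*
 * Print the filter structure in a useful way: one line of text on stdout
 * describing the rule, terminated by a newline.
 *
 * fp      - the rule to print
 * iocfunc - handed to kvatoname() when the rule calls a function
 *
 * NOTE(review): the name fields (fr_ifname, fr_ifnames[], fr_grhead,
 * fr_group, fr_isctag) are printed with "%s", so they must be
 * NUL-terminated; nothing in this function checks that - confirm that
 * whatever fills in *fp guarantees it.
 */
void printfr(fp, iocfunc)
struct frentry *fp;
ioctlfunc_t iocfunc;
{
	struct protoent *p;
	u_short sec[2];
	u_32_t type;
	u_char *t;
	char *s;
	int pr;

	/* pr is handed to printportcmp(); -2 = no protocol seen, -1 = tcp/udp */
	pr = -2;
	type = fp->fr_type & ~FR_T_BUILTIN;

	if ((fp->fr_type & FR_T_BUILTIN) != 0)
		printf("# Builtin: ");

	/*
	 * Action keyword.  Only the first matching branch prints, so the
	 * order of the tests decides which action is shown.
	 */
	if (fp->fr_type == FR_T_CALLFUNC) {
		;
	} else if (fp->fr_func != NULL) {
		printf("call");
		if ((fp->fr_flags & FR_CALLNOW) != 0)
			printf(" now");
		s = kvatoname(fp->fr_func, iocfunc);
		/* kvatoname() may return NULL; show "?" rather than pass it to %s */
		printf(" %s/%u", s ? s : "?", fp->fr_arg);
	} else if (FR_ISPASS(fp->fr_flags))
		printf("pass");
	else if (FR_ISBLOCK(fp->fr_flags)) {
		printf("block");
		if (fp->fr_flags & FR_RETICMP) {
			if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
				printf(" return-icmp-as-dest");
			else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
				printf(" return-icmp");
			if (fp->fr_icode) {
				/* only index icmpcodes[] with a value it covers */
				if (fp->fr_icode <= MAX_ICMPCODE)
					printf("(%s)",
						icmpcodes[(int)fp->fr_icode]);
				else
					printf("(%d)", fp->fr_icode);
			}
		} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
			printf(" return-rst");
	} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
		printlog(fp);
	} else if (FR_ISACCOUNT(fp->fr_flags))
		printf("count");
	else if (FR_ISAUTH(fp->fr_flags))
		printf("auth");
	else if (FR_ISPREAUTH(fp->fr_flags))
		printf("preauth");
	else if (FR_ISNOMATCH(fp->fr_flags))
		printf("nomatch");
	else if (FR_ISSKIP(fp->fr_flags))
		printf("skip %u", fp->fr_arg);
	else {
		/* unrecognised action: dump the raw flags so nothing is hidden */
		printf("%x", fp->fr_flags);
	}

	if (fp->fr_flags & FR_OUTQUE)
		printf(" out ");
	else
		printf(" in ");

	if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
	    ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
		printlog(fp);
		putchar(' ');
	}

	if (fp->fr_flags & FR_QUICK)
		printf("quick ");

	/* Interface clauses are only printed when a first interface is named. */
	if (*fp->fr_ifname) {
		printifname("on ", fp->fr_ifname, fp->fr_ifa);
		if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
			printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
		putchar(' ');

		if (*fp->fr_dif.fd_ifname)
			print_toif("dup-to", &fp->fr_dif);
		if (*fp->fr_tif.fd_ifname)
			print_toif("to", &fp->fr_tif);
		if (fp->fr_flags & FR_FASTROUTE)
			printf("fastroute ");

		if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
		    (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
			if (fp->fr_flags & FR_OUTQUE)
				printf("in-via ");
			else
				printf("out-via ");

			if (*fp->fr_ifnames[2]) {
				printifname("", fp->fr_ifnames[2],
					    fp->fr_ifas[2]);
				putchar(' ');

				if (*fp->fr_ifnames[3]) {
					printifname(",", fp->fr_ifnames[3],
						    fp->fr_ifas[3]);
				}
			}
		}
	}

	if (type == FR_T_IPF) {
		if (fp->fr_mip.fi_tos)
			printf("tos %#x ", fp->fr_tos);
		if (fp->fr_mip.fi_ttl)
			printf("ttl %d ", fp->fr_ttl);
		if (fp->fr_flx & FI_TCPUDP) {
			printf("proto tcp/udp ");
			pr = -1;
		} else if (fp->fr_mip.fi_p) {
			pr = fp->fr_ip.fi_p;
			if ((p = getprotobynumber(fp->fr_proto)))
				printf("proto %s ", p->p_name);
			else
				printf("proto %d ", fp->fr_proto);
		}
	}

	if (type == FR_T_NONE) {
		printf("all");
	} else if (type == FR_T_IPF) {
		/* source address, then optional source port comparison */
		printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
		if (fp->fr_satype != FRI_NORMAL) {
			printf("%s", fp->fr_ifname);
			if (fp->fr_satype == FRI_BROADCAST)
				printf("/bcast");
			else if (fp->fr_satype == FRI_NETWORK)
				printf("/net");
			else if (fp->fr_satype == FRI_NETMASKED)
				printf("/netmasked");
			else if (fp->fr_satype == FRI_PEERADDR)
				printf("/peer");
			else if (fp->fr_satype == FRI_LOOKUP)
				printlookup(&fp->fr_ip.fi_src,
					    &fp->fr_mip.fi_src);
			else
				printmask((u_32_t *)&fp->fr_smsk.s_addr);
		} else
			printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
				      (u_32_t *)&fp->fr_smsk.s_addr);
		if (fp->fr_scmp)
			printportcmp(pr, &fp->fr_tuc.ftu_src);

		/* destination address, then optional destination port comparison */
		printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
		if (fp->fr_datype != FRI_NORMAL) {
			printf("%s", fp->fr_ifname);
			if (fp->fr_datype == FRI_BROADCAST)
				printf("/bcast");
			else if (fp->fr_datype == FRI_NETWORK)
				printf("/net");
			else if (fp->fr_datype == FRI_NETMASKED)
				printf("/netmasked");
			else if (fp->fr_datype == FRI_PEERADDR)
				printf("/peer");
			else if (fp->fr_datype == FRI_LOOKUP)
				printlookup(&fp->fr_ip.fi_dst,
					    &fp->fr_mip.fi_dst);
			else
				printmask((u_32_t *)&fp->fr_dmsk.s_addr);
		} else
			printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
				      (u_32_t *)&fp->fr_dmsk.s_addr);
		if (fp->fr_dcmp)
			printportcmp(pr, &fp->fr_tuc.ftu_dst);

		if ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
		    fp->fr_optbits || fp->fr_optmask ||
		    fp->fr_secbits || fp->fr_secmask) {
			printf(" with");
			if (fp->fr_optbits || fp->fr_optmask ||
			    fp->fr_secbits || fp->fr_secmask) {
				sec[0] = fp->fr_secmask;
				sec[1] = fp->fr_secbits;
				if (fp->fr_v == 4)
					optprint(sec, fp->fr_optmask,
						 fp->fr_optbits);
#ifdef	USE_INET6
				else
					optprintv6(sec, fp->fr_optmask,
						   fp->fr_optbits);
#endif
			} else if (fp->fr_mflx & FI_OPTIONS) {
				if (!(fp->fr_flx & FI_OPTIONS))
					printf(" not");
				printf(" ipopts");
			}
			/*
			 * For each keyword below: a bit set in fr_mflx means
			 * the rule tests it, and the same bit clear in fr_flx
			 * means the test is negated.
			 */
			if (fp->fr_mflx & FI_SHORT) {
				if (!(fp->fr_flx & FI_SHORT))
					printf(" not");
				printf(" short");
			}
			if (fp->fr_mflx & FI_FRAG) {
				if (!(fp->fr_flx & FI_FRAG))
					printf(" not");
				printf(" frag");
			}
			if (fp->fr_mflx & FI_NATED) {
				if (!(fp->fr_flx & FI_NATED))
					printf(" not");
				printf(" nat");
			}
			if (fp->fr_mflx & FI_LOWTTL) {
				if (!(fp->fr_flx & FI_LOWTTL))
					printf(" not");
				printf(" lowttl");
			}
			if (fp->fr_mflx & FI_BADSRC) {
				if (!(fp->fr_flx & FI_BADSRC))
					printf(" not");
				printf(" bad-src");
			}
		}
		if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
			int ityp, icod;

			/*
			 * In host order the low byte of fr_icmp is the code
			 * and the byte above it is the type.  Local names
			 * differ from the outer `type' to avoid shadowing it.
			 */
			ityp = ntohs(fp->fr_icmp);
			icod = ityp & 0xff;
			ityp /= 256;
			/* bounds-check before indexing icmptypes[] */
			if (ityp < (sizeof(icmptypes) / sizeof(char *) - 1) &&
			    icmptypes[ityp])
				printf(" icmp-type %s", icmptypes[ityp]);
			else
				printf(" icmp-type %d", ityp);
			if (ntohs(fp->fr_icmpm) & 0xff)
				printf(" code %d", icod);
		}
		if ((fp->fr_proto == IPPROTO_TCP) &&
		    (fp->fr_tcpf || fp->fr_tcpfm)) {
			printf(" flags ");
			/* bits outside TCPF_ALL have no letter: print hex */
			if (fp->fr_tcpf & ~TCPF_ALL)
				printf("0x%x", fp->fr_tcpf);
			else
				for (s = flagset, t = flags; *s; s++, t++)
					if (fp->fr_tcpf & *t)
						(void)putchar(*s);
			if (fp->fr_tcpfm) {
				(void)putchar('/');
				if (fp->fr_tcpfm & ~TCPF_ALL)
					printf("0x%x", fp->fr_tcpfm);
				else
					for (s = flagset, t = flags; *s;
					     s++, t++)
						if (fp->fr_tcpfm & *t)
							(void)putchar(*s);
			}
		}
#ifdef	IPFILTER_BPF
	} else if (type == FR_T_BPFOPC) {
		u_32_t *bp;
		int i;

		/*
		 * Dump fr_data as 32-bit words.  fr_dsize is trusted as the
		 * byte length of the buffer fr_data points at.
		 */
		printf("{");
		i = fp->fr_dsize / sizeof(*bp);

		for (bp = fp->fr_data; i; i--, bp++)
			printf(" 0x%08x", *bp);

		printf(" }");
#endif
	} else if (type == FR_T_COMPIPF) {
		;
	} else if (type == FR_T_CALLFUNC) {
		/*
		 * NOTE(review): this prints the raw fr_data pointer value.
		 * If the rule was read back from the kernel that is
		 * presumably a kernel address - confirm this output is only
		 * shown to privileged users.
		 */
		printf("call function at %p", fp->fr_data);
	} else {
		printf("[unknown filter type %#x]", fp->fr_type);
	}

	if (fp->fr_flags & FR_KEEPSTATE) {
		printf(" keep state");
		if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN)) ||
		    (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
			printf(" (");
			if (fp->fr_statemax != 0)
				printf(" limit %u", fp->fr_statemax);
			/*
			 * Report the state-strict flag that the enclosing
			 * test checks.  FR_FRSTRICT belongs to the
			 * "keep frags" clause below; testing it here would
			 * hide a strict state rule and mislabel a
			 * strict-frags one.
			 */
			if (fp->fr_flags & FR_STSTRICT)
				printf(" strict");
			if (fp->fr_flags & FR_NEWISN)
				printf(" newisn");
			if (fp->fr_age[0] || fp->fr_age[1])
				printf(" age %d/%d", fp->fr_age[0],
				       fp->fr_age[1]);
			printf(" )");
		}
	}
	if (fp->fr_flags & FR_KEEPFRAG) {
		printf(" keep frags");
		if (fp->fr_flags & (FR_FRSTRICT)) {
			printf(" (");
			if (fp->fr_flags & FR_FRSTRICT)
				printf(" strict");
			printf(" )");

		}
	}
	/* a value of (struct ipscan *)-1 is treated as "no scan clause" */
	if (fp->fr_isc != (struct ipscan *)-1) {
		if (fp->fr_isctag[0])
			printf(" scan %s", fp->fr_isctag);
		else
			printf(" scan *");
	}
	if (*fp->fr_grhead != '\0')
		printf(" head %s", fp->fr_grhead);
	if (*fp->fr_group != '\0')
		printf(" group %s", fp->fr_group);
	if (fp->fr_logtag != FR_NOLOGTAG)
		printf(" log-tag %u", fp->fr_logtag);
	if (fp->fr_pps)
		printf(" pps %d", fp->fr_pps);
	(void)putchar('\n');
}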