Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/Makefile | 4 | ||||
-rw-r--r-- | sbin/pfctl/pf_print_state.c | 244 | ||||
-rw-r--r-- | sbin/pfctl/pf_print_state.h | 6 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 5 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 197 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 4 |
6 files changed, 258 insertions, 202 deletions
diff --git a/sbin/pfctl/Makefile b/sbin/pfctl/Makefile
index 21c6b3289f4..40bac5a51fb 100644
--- a/sbin/pfctl/Makefile
+++ b/sbin/pfctl/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.5 2001/07/16 22:30:47 mickey Exp $
+# $OpenBSD: Makefile,v 1.6 2002/06/06 22:22:44 mickey Exp $
 
 PROG= pfctl
-SRCS= pfctl.c parse.y pfctl_parser.c
+SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c
 CFLAGS+= -Wall
 YFLAGS=
 MAN= pfctl.8
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
new file mode 100644
index 00000000000..9f26045d160
--- /dev/null
+++ b/sbin/pfctl/pf_print_state.c
@@ -0,0 +1,244 @@
+/* $OpenBSD: pf_print_state.c,v 1.1 2002/06/06 22:22:44 mickey Exp $ */
+
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp6.h>
+#define TCPSTATES
+#include <netinet/tcp_fsm.h>
+#include <net/pfvar.h>
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <netdb.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <err.h>
+
+#include "pfctl_parser.h"
+#include "pf_print_state.h"
+
+int
+unmask(struct pf_addr *m, u_int8_t af)
+{
+	int i = 31, j = 0, b = 0, msize;
+	u_int32_t tmp;
+
+	if (af == AF_INET)
+		msize = 1;
+	else
+		msize = 4;
+	while (j < msize && m->addr32[j] == 0xffffffff) {
+		b += 32;
+		j++;
+	}
+	if (j < msize) {
+		tmp = ntohl(m->addr32[j]);
+		for (i = 31; tmp & (1 << i); --i)
+			b++;
+	}
+	return (b);
+}
+
+void
+print_addr(struct pf_addr_wrap *addr, struct pf_addr *mask, u_int8_t af)
+{
+	char buf[48];
+
+	if (addr->addr_dyn != NULL)
+		printf("(%s)", addr->addr.pfa.ifname);
+	else {
+		if (inet_ntop(af, &addr->addr, buf, sizeof(buf)) == NULL)
+			printf("?");
+		else
+			printf("%s", buf);
+	}
+	if (mask != NULL) {
+		int bits = unmask(mask, af);
+
+		if (bits != (af == AF_INET ? 32 : 128))
+			printf("/%u", bits);
+	}
+}
+
+void
+print_name(struct pf_addr *addr, struct pf_addr *mask, int af)
+{
+	char buf[48];
+	struct hostent *hp;
+
+	if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL)
+		printf("?");
+	else {
+		hp = getpfhostname(buf);
+		printf("%s", hp->h_name);
+	}
+	if (mask != NULL) {
+		if (!PF_AZERO(mask, af))
+			printf("/%u", unmask(mask, af));
+	}
+}
+
+void
+print_host(struct pf_state_host *h, u_int8_t af, int opts)
+{
+	u_int16_t p = ntohs(h->port);
+
+	if (opts & PF_OPT_USEDNS)
+		print_name(&h->addr, NULL, af);
+	else {
+		struct pf_addr_wrap aw;
+
+		aw.addr = h->addr;
+		aw.addr_dyn = NULL;
+		print_addr(&aw, NULL, af);
+	}
+
+	if (p) {
+		if (af == AF_INET)
+			printf(":%u", p);
+		else
+			printf("[%u]", p);
+	}
+}
+
+void
+print_seq(struct pf_state_peer *p)
+{
+	if (p->seqdiff)
+		printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
+		    p->seqdiff);
+	else
+		printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
+}
+
+void
+print_state(struct pf_state *s, int opts)
+{
+	struct pf_state_peer *src, *dst;
+	struct protoent *p;
+	u_int8_t hrs, min, sec;
+
+	if (s->direction == PF_OUT) {
+		src = &s->src;
+		dst = &s->dst;
+	} else {
+		src = &s->dst;
+		dst = &s->src;
+	}
+	if ((p = getprotobynumber(s->proto)) != NULL)
+		printf("%s ", p->p_name);
+	else
+		printf("%u ", s->proto);
+	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
+	    (s->lan.port != s->gwy.port)) {
+		print_host(&s->lan, s->af, opts);
+		if (s->direction == PF_OUT)
+			printf(" -> ");
+		else
+			printf(" <- ");
+	}
+	print_host(&s->gwy, s->af, opts);
+	if (s->direction == PF_OUT)
+		printf(" -> ");
+	else
+		printf(" <- ");
+	print_host(&s->ext, s->af, opts);
+
+	printf(" ");
+	if (s->proto == IPPROTO_TCP) {
+		if (src->state <= TCPS_TIME_WAIT &&
+		    dst->state <= TCPS_TIME_WAIT) {
+			printf(" %s:%s\n", tcpstates[src->state],
+			    tcpstates[dst->state]);
+		} else {
+			printf(" <BAD STATE LEVELS>\n");
+		}
+		if (opts & PF_OPT_VERBOSE) {
+			printf(" ");
+			print_seq(src);
+			printf(" ");
+			print_seq(dst);
+			printf("\n");
+		}
+	} else {
+		printf(" %u:%u\n", src->state, dst->state);
+	}
+
+	if (opts & PF_OPT_VERBOSE) {
+		sec = s->creation % 60;
+		s->creation /= 60;
+		min = s->creation % 60;
+		s->creation /= 60;
+		hrs = s->creation;
+		printf(" age %.2u:%.2u:%.2u", hrs, min, sec);
+		sec = s->expire % 60;
+		s->expire /= 60;
+		min = s->expire % 60;
+		s->expire /= 60;
+		hrs = s->expire;
+		printf(", expires in %.2u:%.2u:%.2u", hrs, min, sec);
+		printf(", %u pkts, %u bytes", s->packets, s->bytes);
+		if (s->rule.nr != USHRT_MAX)
+			printf(", rule %u", s->rule.nr);
+		printf("\n");
+	}
+}
+
+struct hostent *
+getpfhostname(const char *addr_str)
+{
+	in_addr_t addr_num;
+	struct hostent *hp;
+	static struct hostent myhp;
+
+	addr_num = inet_addr(addr_str);
+	if (addr_num == INADDR_NONE) {
+		myhp.h_name = (char *)addr_str;
+		hp = &myhp;
+		return (hp);
+	}
+	hp = gethostbyaddr((char *)&addr_num, sizeof(addr_num), AF_INET);
+	if (hp == NULL) {
+		myhp.h_name = (char *)addr_str;
+		hp = &myhp;
+	}
+	return (hp);
+}
diff --git a/sbin/pfctl/pf_print_state.h b/sbin/pfctl/pf_print_state.h
new file mode 100644
index 00000000000..0fb2c1601b2
--- /dev/null
+++ b/sbin/pfctl/pf_print_state.h
@@ -0,0 +1,6 @@
+int	unmask (struct pf_addr *, u_int8_t);
+void	print_addr (struct pf_addr_wrap *, struct pf_addr *, u_int8_t);
+void	print_host (struct pf_state_host *, u_int8_t, int);
+void	print_seq (struct pf_state_peer *);
+void	print_state(struct pf_state *s, int verbose);
+struct hostent *getpfhostname(const char *addr_str);
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 1c53bd3dc71..81dd612d407 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.67 2002/06/03 16:13:17 kjell Exp $ */
+/* $OpenBSD: pfctl.c,v 1.68 2002/06/06 22:22:44 mickey Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -50,6 +50,7 @@
 #include <unistd.h>
 
 #include "pfctl_parser.h"
+#include "pf_print_state.h"
 
 void	usage(void);
 int	pfctl_enable(int, int);
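Review bot: print_name hands whatever getpfhostname returns straight to `printf("%s", hp->h_name)`, so when PF_OPT_USEDNS is set the reverse-DNS name — data the owner of the remote address controls through its PTR record — reaches the administrator's terminal unfiltered, escape sequences included. Passing each byte through isprint() before printing closes that, and <ctype.h> is already included in this file. Separately, getpfhostname only ever calls inet_addr()/gethostbyaddr() with AF_INET, so for an AF_INET6 state inet_addr() fails and the numeric string is printed even though the caller asked for names; a comment such as `/* XXX IPv4 only: IPv6 addresses are never resolved */` would make that visible. A smaller nit in print_state: it divides `s->creation` and `s->expire` in place, so a print routine modifies the caller's copy of the state, and `hrs` is a u_int8_t, so an age above 255 hours wraps silently.
```c
void
print_name(struct pf_addr *addr, struct pf_addr *mask, int af)
{
	char buf[48];
	const char *cp;
	struct hostent *hp;

	if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL)
		printf("?");
	else {
		hp = getpfhostname(buf);
		/* h_name comes from a PTR record the remote side controls: never emit raw control bytes */
		for (cp = hp->h_name; *cp != '\0'; cp++)
			putchar(isprint((unsigned char)*cp) ? *cp : '?');
	}
	/* … unchanged: mask suffix … */
}
```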
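Review bot: The prototype `void print_state(struct pf_state *s, int verbose);` names the second parameter `verbose`, but the definition in pf_print_state.c treats it as an option bitmask — it tests `opts & PF_OPT_VERBOSE` and forwards the whole value to print_host, which tests PF_OPT_USEDNS — so the header misdescribes the contract; matching the neighbouring declarations with `void	print_state(struct pf_state *, int);` avoids that. The header also has no include guard, unlike pfctl_parser.h (its `#endif /* _PFCTL_PARSER_H_ */` is visible further down this diff), so wrapping it in `#ifndef _PF_PRINT_STATE_H_` / `#define _PF_PRINT_STATE_H_` / `#endif` would keep the two headers consistent. print_name is defined in the new .c file but not declared here; if it is meant to stay file-local it should be `static`.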
@@ -499,7 +500,7 @@ pfctl_show_states(int dev, u_int8_t proto, int opts)
 	p = ps.ps_states;
 	for (i = 0; i < ps.ps_len; i += sizeof(*p)) {
 		if (!proto || (p->proto == proto))
-			print_state(p, opts);
+			print_state(p, opts & PF_OPT_VERBOSE);
 		p++;
 	}
 	return (0);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index e3ae7944cf9..65bc1bdf4a9 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.75 2002/06/01 04:06:47 hugh Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.76 2002/06/06 22:22:44 mickey Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -38,8 +38,6 @@
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
-#define TCPSTATES
-#include <netinet/tcp_fsm.h>
 #include <net/pfvar.h>
 #include <arpa/inet.h>
 
@@ -53,11 +51,8 @@
 #include <err.h>
 
 #include "pfctl_parser.h"
+#include "pf_print_state.h"
 
-int	unmask (struct pf_addr *, u_int8_t);
-void	print_addr (struct pf_addr_wrap *, struct pf_addr *, u_int8_t);
-void	print_host (struct pf_state_host *, u_int8_t, int);
-void	print_seq (struct pf_state_peer *);
 void	print_op (u_int8_t, const char *, const char *);
 void	print_port (u_int8_t, u_int16_t, u_int16_t, char *);
 void	print_uid (u_int8_t, uid_t, uid_t, const char *);
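Review bot: The changed call `print_state(p, opts & PF_OPT_VERBOSE);` masks every flag except PF_OPT_VERBOSE out of the value passed down, yet print_state forwards its second argument to print_host, which checks `opts & PF_OPT_USEDNS` to decide whether to resolve names (both in the new pf_print_state.c in this same commit); with this line, name resolution can never happen for state output no matter what the caller asked for. The previous `print_state(p, opts);` passed the full option word and should be restored unless dropping DNS lookups for states is intended, in which case a comment saying so belongs here. pfctl_show_states begins before this hunk.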
@@ -255,100 +250,6 @@ geticmpcodebyname(u_long type, char *w, u_int8_t af)
 	return (NULL);
 }
 
-int
-unmask(struct pf_addr *m, u_int8_t af)
-{
-	int i = 31, j = 0, b = 0, msize;
-	u_int32_t tmp;
-
-	if (af == AF_INET)
-		msize = 1;
-	else
-		msize = 4;
-	while (j < msize && m->addr32[j] == 0xffffffff) {
-		b += 32;
-		j++;
-	}
-	if (j < msize) {
-		tmp = ntohl(m->addr32[j]);
-		for (i = 31; tmp & (1 << i); --i)
-			b++;
-	}
-	return (b);
-}
-
-void
-print_addr(struct pf_addr_wrap *addr, struct pf_addr *mask, u_int8_t af)
-{
-	char buf[48];
-
-	if (addr->addr_dyn != NULL)
-		printf("(%s)", addr->addr.pfa.ifname);
-	else {
-		if (inet_ntop(af, &addr->addr, buf, sizeof(buf)) == NULL)
-			printf("?");
-		else
-			printf("%s", buf);
-	}
-	if (mask != NULL) {
-		int bits = unmask(mask, af);
-
-		if (bits != (af == AF_INET ? 32 : 128))
-			printf("/%u", bits);
-	}
-}
-
-void
-print_name(struct pf_addr *addr, struct pf_addr *mask, int af)
-{
-	char buf[48];
-	struct hostent *hp;
-
-	if (inet_ntop(af, addr, buf, sizeof(buf)) == NULL)
-		printf("?");
-	else {
-		hp = getpfhostname(buf);
-		printf("%s", hp->h_name);
-	}
-	if (mask != NULL) {
-		if (!PF_AZERO(mask, af))
-			printf("/%u", unmask(mask, af));
-	}
-}
-
-void
-print_host(struct pf_state_host *h, u_int8_t af, int opts)
-{
-	u_int16_t p = ntohs(h->port);
-
-	if (opts & PF_OPT_USEDNS)
-		print_name(&h->addr, NULL, af);
-	else {
-		struct pf_addr_wrap aw;
-
-		aw.addr = h->addr;
-		aw.addr_dyn = NULL;
-		print_addr(&aw, NULL, af);
-	}
-
-	if (p) {
-		if (af == AF_INET)
-			printf(":%u", p);
-		else
-			printf("[%u]", p);
-	}
-}
-
-void
-print_seq(struct pf_state_peer *p)
-{
-	if (p->seqdiff)
-		printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
-		    p->seqdiff);
-	else
-		printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
-}
-
 void
 print_op(u_int8_t op, const char *a1, const char *a2)
 {
@@ -627,79 +528,6 @@ print_status(struct pf_status *s)
 }
 
 void
-print_state(struct pf_state *s, int opts)
-{
-	struct pf_state_peer *src, *dst;
-	struct protoent *p;
-	u_int8_t hrs, min, sec;
-
-	if (s->direction == PF_OUT) {
-		src = &s->src;
-		dst = &s->dst;
-	} else {
-		src = &s->dst;
-		dst = &s->src;
-	}
-	if ((p = getprotobynumber(s->proto)) != NULL)
-		printf("%s ", p->p_name);
-	else
-		printf("%u ", s->proto);
-	if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
-	    (s->lan.port != s->gwy.port)) {
-		print_host(&s->lan, s->af, opts);
-		if (s->direction == PF_OUT)
-			printf(" -> ");
-		else
-			printf(" <- ");
-	}
-	print_host(&s->gwy, s->af, opts);
-	if (s->direction == PF_OUT)
-		printf(" -> ");
-	else
-		printf(" <- ");
-	print_host(&s->ext, s->af, opts);
-
-	printf(" ");
-	if (s->proto == IPPROTO_TCP) {
-		if (src->state <= TCPS_TIME_WAIT &&
-		    dst->state <= TCPS_TIME_WAIT) {
-			printf(" %s:%s\n", tcpstates[src->state],
-			    tcpstates[dst->state]);
-		} else {
-			printf(" <BAD STATE LEVELS>\n");
-		}
-		if (opts & PF_OPT_VERBOSE) {
-			printf(" ");
-			print_seq(src);
-			printf(" ");
-			print_seq(dst);
-			printf("\n");
-		}
-	} else {
-		printf(" %u:%u\n", src->state, dst->state);
-	}
-
-	if (opts & PF_OPT_VERBOSE) {
-		sec = s->creation % 60;
-		s->creation /= 60;
-		min = s->creation % 60;
-		s->creation /= 60;
-		hrs = s->creation;
-		printf(" age %.2u:%.2u:%.2u", hrs, min, sec);
-		sec = s->expire % 60;
-		s->expire /= 60;
-		min = s->expire % 60;
-		s->expire /= 60;
-		hrs = s->expire;
-		printf(", expires in %.2u:%.2u:%.2u", hrs, min, sec);
-		printf(", %u pkts, %u bytes", s->packets, s->bytes);
-		if (s->rule.nr != USHRT_MAX)
-			printf(", rule %u", s->rule.nr);
-		printf("\n");
-	}
-}
-
-void
 print_rule(struct pf_rule *r)
 {
 	printf("@%d ", r->nr);
@@ -884,24 +712,3 @@ parse_flags(char *s)
 	}
 	return (f ? f : PF_TH_ALL);
 }
-
-struct hostent *
-getpfhostname(const char *addr_str)
-{
-	in_addr_t addr_num;
-	struct hostent *hp;
-	static struct hostent myhp;
-
-	addr_num = inet_addr(addr_str);
-	if (addr_num == INADDR_NONE) {
-		myhp.h_name = (char *)addr_str;
-		hp = &myhp;
-		return (hp);
-	}
-	hp = gethostbyaddr((char *)&addr_num, sizeof(addr_num), AF_INET);
-	if (hp == NULL) {
-		myhp.h_name = (char *)addr_str;
-		hp = &myhp;
-	}
-	return (hp);
-}
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 29d4b67b759..06c8e79ff51 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.16 2002/06/01 04:06:47 hugh Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.17 2002/06/06 22:22:44 mickey Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -66,7 +66,6 @@ void	print_rule(struct pf_rule *);
 void	print_nat(struct pf_nat *);
 void	print_binat(struct pf_binat *);
 void	print_rdr(struct pf_rdr *);
-void	print_state(struct pf_state *, int);
 void	print_status(struct pf_status *);
 
 struct icmptypeent {
@@ -84,6 +83,5 @@ struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
 struct icmptypeent *geticmptypebyname(char *, u_int8_t);
 struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
 struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);
-struct hostent *getpfhostname(const char *);
 
 #endif /* _PFCTL_PARSER_H_ */ |