abd0900a99
4.1.34 - Release 11 March 2010
2964907 uninitialised use compile error
2959506 ipfstat does not display rules with compat
2949139 FR_T_BUILTIN masked out incorrectly
2937422
packets filtered with pools should not be cached
2935529 use of rules with tags leads to deadlock
2917501 whitespace cleanup required
2881514 in/out object functions not wired for compatibility
2841771 ipf/ippool rule maintenace bugs: memory leak, ref-counter bug
2839698 H.323 proxy does not clear fin_state/fin_nat
481 lines
11 KiB
C
481 lines
11 KiB
C
/* $NetBSD: printfr.c,v 1.1.1.9 2010/04/17 20:45:57 darrenr Exp $ */
|
|
|
|
/*
|
|
* Copyright (C) 2000-2006 by Darren Reed.
|
|
*
|
|
* See the IPFILTER.LICENCE file for details on licencing.
|
|
*
|
|
* Id: printfr.c,v 1.43.2.21 2009/12/27 06:58:06 darrenr Exp
|
|
*/
|
|
|
|
#include "ipf.h"
|
|
|
|
static void printaddr(int, int, char *, u_32_t *, u_32_t *);
|
|
|
|
static void printaddr(v, type, ifname, addr, mask)
|
|
int v, type;
|
|
char *ifname;
|
|
u_32_t *addr, *mask;
|
|
{
|
|
char *suffix;
|
|
|
|
switch (type)
|
|
{
|
|
case FRI_BROADCAST :
|
|
suffix = "bcast";
|
|
break;
|
|
|
|
case FRI_DYNAMIC :
|
|
printf("%s", ifname);
|
|
printmask(mask);
|
|
suffix = NULL;
|
|
break;
|
|
|
|
case FRI_NETWORK :
|
|
suffix = "net";
|
|
break;
|
|
|
|
case FRI_NETMASKED :
|
|
suffix = "netmasked";
|
|
break;
|
|
|
|
case FRI_PEERADDR :
|
|
suffix = "peer";
|
|
break;
|
|
|
|
case FRI_LOOKUP :
|
|
suffix = NULL;
|
|
printlookup((i6addr_t *)addr, (i6addr_t *)mask);
|
|
break;
|
|
|
|
case FRI_NORMAL :
|
|
printhostmask(v, addr, mask);
|
|
suffix = NULL;
|
|
break;
|
|
default :
|
|
printf("<%d>", type);
|
|
printmask(mask);
|
|
suffix = NULL;
|
|
break;
|
|
}
|
|
|
|
if (suffix != NULL) {
|
|
printf("%s/%s", ifname, suffix);
|
|
}
|
|
}
|
|
|
|
|
|
void printlookup(addr, mask)
|
|
i6addr_t *addr, *mask;
|
|
{
|
|
switch (addr->iplookuptype)
|
|
{
|
|
case IPLT_POOL :
|
|
printf("pool/");
|
|
break;
|
|
case IPLT_HASH :
|
|
printf("hash/");
|
|
break;
|
|
default :
|
|
printf("lookup(%x)=", addr->iplookuptype);
|
|
break;
|
|
}
|
|
|
|
printf("%u", addr->iplookupnum);
|
|
if (mask->iplookupptr == NULL)
|
|
printf("(!)");
|
|
}
|
|
|
|
|
|
/*
|
|
* print the filter structure in a useful way
|
|
*/
|
|
void printfr(fp, iocfunc)
|
|
struct frentry *fp;
|
|
ioctlfunc_t iocfunc;
|
|
{
|
|
struct protoent *p;
|
|
u_short sec[2];
|
|
u_32_t type;
|
|
u_char *t;
|
|
char *s;
|
|
int pr;
|
|
|
|
pr = -2;
|
|
type = fp->fr_type & ~FR_T_BUILTIN;
|
|
|
|
if ((fp->fr_type & FR_T_BUILTIN) != 0)
|
|
printf("# Builtin: ");
|
|
|
|
if (fp->fr_collect != 0)
|
|
printf("%u ", fp->fr_collect);
|
|
|
|
if (fp->fr_type == FR_T_CALLFUNC) {
|
|
;
|
|
} else if (fp->fr_func != NULL) {
|
|
printf("call");
|
|
if ((fp->fr_flags & FR_CALLNOW) != 0)
|
|
printf(" now");
|
|
s = kvatoname(fp->fr_func, iocfunc);
|
|
printf(" %s/%u", s ? s : "?", fp->fr_arg);
|
|
} else if (FR_ISPASS(fp->fr_flags))
|
|
printf("pass");
|
|
else if (FR_ISBLOCK(fp->fr_flags)) {
|
|
printf("block");
|
|
} else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
|
|
printlog(fp);
|
|
} else if (FR_ISACCOUNT(fp->fr_flags))
|
|
printf("count");
|
|
else if (FR_ISAUTH(fp->fr_flags))
|
|
printf("auth");
|
|
else if (FR_ISPREAUTH(fp->fr_flags))
|
|
printf("preauth");
|
|
else if (FR_ISNOMATCH(fp->fr_flags))
|
|
printf("nomatch");
|
|
else if (FR_ISSKIP(fp->fr_flags))
|
|
printf("skip %u", fp->fr_arg);
|
|
else {
|
|
printf("%x", fp->fr_flags);
|
|
}
|
|
if (fp->fr_flags & FR_RETICMP) {
|
|
if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
|
|
printf(" return-icmp-as-dest");
|
|
else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
|
|
printf(" return-icmp");
|
|
if (fp->fr_icode) {
|
|
if (fp->fr_icode <= MAX_ICMPCODE)
|
|
printf("(%s)",
|
|
icmpcodes[(int)fp->fr_icode]);
|
|
else
|
|
printf("(%d)", fp->fr_icode);
|
|
}
|
|
} else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
|
|
printf(" return-rst");
|
|
|
|
if (fp->fr_flags & FR_OUTQUE)
|
|
printf(" out ");
|
|
else
|
|
printf(" in ");
|
|
|
|
if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
|
|
((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
|
|
printlog(fp);
|
|
putchar(' ');
|
|
}
|
|
|
|
if (fp->fr_flags & FR_QUICK)
|
|
printf("quick ");
|
|
|
|
if (*fp->fr_ifname) {
|
|
printifname("on ", fp->fr_ifname, fp->fr_ifa);
|
|
if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
|
|
printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
|
|
putchar(' ');
|
|
}
|
|
|
|
if (*fp->fr_dif.fd_ifname && (fp->fr_flags & FR_DUP))
|
|
print_toif("dup-to", &fp->fr_dif);
|
|
if (*fp->fr_tif.fd_ifname)
|
|
print_toif("to", &fp->fr_tif);
|
|
if (*fp->fr_rif.fd_ifname)
|
|
print_toif("reply-to", &fp->fr_rif);
|
|
if (fp->fr_flags & FR_FASTROUTE)
|
|
printf("fastroute ");
|
|
|
|
if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
|
|
(*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
|
|
if (fp->fr_flags & FR_OUTQUE)
|
|
printf("in-via ");
|
|
else
|
|
printf("out-via ");
|
|
|
|
if (*fp->fr_ifnames[2]) {
|
|
printifname("", fp->fr_ifnames[2],
|
|
fp->fr_ifas[2]);
|
|
if (*fp->fr_ifnames[3]) {
|
|
printifname(",", fp->fr_ifnames[3],
|
|
fp->fr_ifas[3]);
|
|
}
|
|
putchar(' ');
|
|
}
|
|
}
|
|
|
|
if (type == FR_T_IPF) {
|
|
if (fp->fr_mip.fi_tos)
|
|
printf("tos %#x ", fp->fr_tos);
|
|
if (fp->fr_mip.fi_ttl)
|
|
printf("ttl %d ", fp->fr_ttl);
|
|
if (fp->fr_flx & FI_TCPUDP) {
|
|
printf("proto tcp/udp ");
|
|
pr = -1;
|
|
} else if (fp->fr_mip.fi_p) {
|
|
pr = fp->fr_ip.fi_p;
|
|
p = getprotobynumber(pr);
|
|
printf("proto ");
|
|
printproto(p, pr, NULL);
|
|
putchar(' ');
|
|
}
|
|
}
|
|
|
|
if (type == FR_T_NONE) {
|
|
printf("all");
|
|
} else if (type == FR_T_IPF) {
|
|
printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
|
|
printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
|
|
&fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
|
|
if (fp->fr_scmp)
|
|
printportcmp(pr, &fp->fr_tuc.ftu_src);
|
|
|
|
printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
|
|
printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
|
|
&fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
|
|
if (fp->fr_dcmp)
|
|
printportcmp(pr, &fp->fr_tuc.ftu_dst);
|
|
|
|
if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
|
|
int type = fp->fr_icmp, code;
|
|
|
|
type = ntohs(fp->fr_icmp);
|
|
code = type & 0xff;
|
|
type /= 256;
|
|
if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
|
|
icmptypes[type])
|
|
printf(" icmp-type %s", icmptypes[type]);
|
|
else
|
|
printf(" icmp-type %d", type);
|
|
if (ntohs(fp->fr_icmpm) & 0xff)
|
|
printf(" code %d", code);
|
|
}
|
|
if ((fp->fr_proto == IPPROTO_TCP) &&
|
|
(fp->fr_tcpf || fp->fr_tcpfm)) {
|
|
printf(" flags ");
|
|
if (fp->fr_tcpf & ~TCPF_ALL)
|
|
printf("0x%x", fp->fr_tcpf);
|
|
else
|
|
for (s = flagset, t = flags; *s; s++, t++)
|
|
if (fp->fr_tcpf & *t)
|
|
(void)putchar(*s);
|
|
if (fp->fr_tcpfm) {
|
|
(void)putchar('/');
|
|
if (fp->fr_tcpfm & ~TCPF_ALL)
|
|
printf("0x%x", fp->fr_tcpfm);
|
|
else
|
|
for (s = flagset, t = flags; *s;
|
|
s++, t++)
|
|
if (fp->fr_tcpfm & *t)
|
|
(void)putchar(*s);
|
|
}
|
|
}
|
|
} else if (type == FR_T_BPFOPC) {
|
|
fakebpf_t *fb;
|
|
int i;
|
|
|
|
printf("bpf-v%d { \"", fp->fr_v);
|
|
i = fp->fr_dsize / sizeof(*fb);
|
|
|
|
for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
|
|
printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
|
|
fb->fb_f, fb->fb_k);
|
|
|
|
printf("\" }");
|
|
} else if (type == FR_T_COMPIPF) {
|
|
;
|
|
} else if (type == FR_T_CALLFUNC) {
|
|
printf("call function at %p", fp->fr_data);
|
|
} else {
|
|
printf("[unknown filter type %#x]", fp->fr_type);
|
|
}
|
|
|
|
if ((type == FR_T_IPF) &&
|
|
((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
|
|
fp->fr_optbits || fp->fr_optmask ||
|
|
fp->fr_secbits || fp->fr_secmask)) {
|
|
char *comma = " ";
|
|
|
|
printf(" with");
|
|
if (fp->fr_optbits || fp->fr_optmask ||
|
|
fp->fr_secbits || fp->fr_secmask) {
|
|
sec[0] = fp->fr_secmask;
|
|
sec[1] = fp->fr_secbits;
|
|
if (fp->fr_v == 4)
|
|
optprint(sec, fp->fr_optmask, fp->fr_optbits);
|
|
#ifdef USE_INET6
|
|
else
|
|
optprintv6(sec, fp->fr_optmask,
|
|
fp->fr_optbits);
|
|
#endif
|
|
} else if (fp->fr_mflx & FI_OPTIONS) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_OPTIONS))
|
|
printf("not ");
|
|
printf("ipopts");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_SHORT) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_SHORT))
|
|
printf("not ");
|
|
printf("short");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_FRAG) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_FRAG))
|
|
printf("not ");
|
|
printf("frag");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_FRAGBODY) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_FRAGBODY))
|
|
printf("not ");
|
|
printf("frag-body");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_NATED) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_NATED))
|
|
printf("not ");
|
|
printf("nat");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_LOWTTL) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_LOWTTL))
|
|
printf("not ");
|
|
printf("lowttl");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_BAD) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_BAD))
|
|
printf("not ");
|
|
printf("bad");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_BADSRC) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_BADSRC))
|
|
printf("not ");
|
|
printf("bad-src");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_BADNAT) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_BADNAT))
|
|
printf("not ");
|
|
printf("bad-nat");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_OOW) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_OOW))
|
|
printf("not ");
|
|
printf("oow");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_MBCAST) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_MBCAST))
|
|
printf("not ");
|
|
printf("mbcast");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_BROADCAST) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_BROADCAST))
|
|
printf("not ");
|
|
printf("bcast");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_MULTICAST) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_MULTICAST))
|
|
printf("not ");
|
|
printf("mcast");
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_mflx & FI_STATE) {
|
|
fputs(comma, stdout);
|
|
if (!(fp->fr_flx & FI_STATE))
|
|
printf("not ");
|
|
printf("state");
|
|
comma = ",";
|
|
}
|
|
}
|
|
|
|
if (fp->fr_flags & FR_KEEPSTATE) {
|
|
printf(" keep state");
|
|
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
|
|
(fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
|
|
char *comma = "";
|
|
printf(" (");
|
|
if (fp->fr_statemax != 0) {
|
|
printf("limit %u", fp->fr_statemax);
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_flags & FR_STSTRICT) {
|
|
printf("%sstrict", comma);
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_flags & FR_NEWISN) {
|
|
printf("%snewisn", comma);
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_flags & FR_NOICMPERR) {
|
|
printf("%sno-icmp-err", comma);
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_flags & FR_STATESYNC) {
|
|
printf("%ssync", comma);
|
|
comma = ",";
|
|
}
|
|
if (fp->fr_age[0] || fp->fr_age[1])
|
|
printf("%sage %d/%d", comma, fp->fr_age[0],
|
|
fp->fr_age[1]);
|
|
printf(")");
|
|
}
|
|
}
|
|
if (fp->fr_flags & FR_KEEPFRAG) {
|
|
printf(" keep frags");
|
|
if (fp->fr_flags & (FR_FRSTRICT)) {
|
|
printf(" (");
|
|
if (fp->fr_flags & FR_FRSTRICT)
|
|
printf("strict");
|
|
printf(")");
|
|
}
|
|
}
|
|
if (fp->fr_isc != (struct ipscan *)-1) {
|
|
if (fp->fr_isctag[0])
|
|
printf(" scan %s", fp->fr_isctag);
|
|
else
|
|
printf(" scan *");
|
|
}
|
|
if (*fp->fr_grhead != '\0')
|
|
printf(" head %s", fp->fr_grhead);
|
|
if (*fp->fr_group != '\0')
|
|
printf(" group %s", fp->fr_group);
|
|
if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
|
|
char *s = "";
|
|
|
|
printf(" set-tag(");
|
|
if (fp->fr_logtag != FR_NOLOGTAG) {
|
|
printf("log=%u", fp->fr_logtag);
|
|
s = ", ";
|
|
}
|
|
if (*fp->fr_nattag.ipt_tag) {
|
|
printf("%snat=%-.*s", s, IPFTAG_LEN,
|
|
fp->fr_nattag.ipt_tag);
|
|
}
|
|
printf(")");
|
|
}
|
|
|
|
if (fp->fr_pps)
|
|
printf(" pps %d", fp->fr_pps);
|
|
|
|
if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
|
|
printf(" # count %d", fp->fr_statecnt);
|
|
}
|
|
(void)putchar('\n');
|
|
}
|