search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Optimizations, expanded comments, and accuracy fixes.
[dragonfly/port-amd64.git] / usr.sbin / pfctl / pfctl_parser.c
blob607f48f60871746f741ef455afa2b75af5aeebb2
1 /* $OpenBSD: pfctl_parser.c,v 1.194.2.1 2004/05/05 04:00:50 brad Exp $ */
2 /* $DragonFly: src/usr.sbin/pfctl/pfctl_parser.c,v 1.1 2004/09/21 21:25:28 joerg Exp $ */
3
4 /*
5 * Copyright (c) 2001 Daniel Hartmeier
6 * Copyright (c) 2002,2003 Henning Brauer
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * - Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * - Redistributions in binary form must reproduce the above
16 * copyright notice, this list of conditions and the following
17 * disclaimer in the documentation and/or other materials provided
18 * with the distribution.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 * POSSIBILITY OF SUCH DAMAGE.
32 *
33 */
34
35 #include <sys/param.h>
36 #include <sys/ioctl.h>
37 #include <sys/socket.h>
38 #include <net/if.h>
39 #include <netinet/in.h>
40 #include <netinet/in_systm.h>
41 #include <netinet/ip.h>
42 #include <netinet/ip_icmp.h>
43 #include <netinet/icmp6.h>
44 #include <net/pf/pfvar.h>
45 #include <arpa/inet.h>
46
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 #include <ctype.h>
51 #include <netdb.h>
52 #include <stdarg.h>
53 #include <errno.h>
54 #include <err.h>
55 #include <ifaddrs.h>
56
57 #include "pfctl_parser.h"
58 #include "pfctl.h"
59
60 void print_op (u_int8_t, const char *, const char *);
61 void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);
62 void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);
63 void print_flags (u_int8_t);
64 void print_fromto(struct pf_rule_addr *, pf_osfp_t,
65 struct pf_rule_addr *, u_int8_t, u_int8_t, int);
66 int ifa_skip_if(const char *filter, struct node_host *p);
67
68 struct node_host *host_if(const char *, int);
69 static struct node_host *host_v4(const char *);
70 struct node_host *host_v6(const char *, int);
71 struct node_host *host_dns(const char *, int, int);
72
73 const char *tcpflags = "FSRPAUEW";
74
75 static const struct icmptypeent icmp_type[] = {
76 { "echoreq", ICMP_ECHO },
77 { "echorep", ICMP_ECHOREPLY },
78 { "unreach", ICMP_UNREACH },
79 { "squench", ICMP_SOURCEQUENCH },
80 { "redir", ICMP_REDIRECT },
81 { "althost", ICMP_ALTHOSTADDR },
82 { "routeradv", ICMP_ROUTERADVERT },
83 { "routersol", ICMP_ROUTERSOLICIT },
84 { "timex", ICMP_TIMXCEED },
85 { "paramprob", ICMP_PARAMPROB },
86 { "timereq", ICMP_TSTAMP },
87 { "timerep", ICMP_TSTAMPREPLY },
88 { "inforeq", ICMP_IREQ },
89 { "inforep", ICMP_IREQREPLY },
90 { "maskreq", ICMP_MASKREQ },
91 { "maskrep", ICMP_MASKREPLY },
92 { "trace", ICMP_TRACEROUTE },
93 { "dataconv", ICMP_DATACONVERR },
94 { "mobredir", ICMP_MOBILE_REDIRECT },
95 { "ipv6-where", ICMP_IPV6_WHEREAREYOU },
96 { "ipv6-here", ICMP_IPV6_IAMHERE },
97 { "mobregreq", ICMP_MOBILE_REGREQUEST },
98 { "mobregrep", ICMP_MOBILE_REGREPLY },
99 { "skip", ICMP_SKIP },
100 { "photuris", ICMP_PHOTURIS }
101 };
102
103 static const struct icmptypeent icmp6_type[] = {
104 { "unreach", ICMP6_DST_UNREACH },
105 { "toobig", ICMP6_PACKET_TOO_BIG },
106 { "timex", ICMP6_TIME_EXCEEDED },
107 { "paramprob", ICMP6_PARAM_PROB },
108 { "echoreq", ICMP6_ECHO_REQUEST },
109 { "echorep", ICMP6_ECHO_REPLY },
110 { "groupqry", ICMP6_MEMBERSHIP_QUERY },
111 { "listqry", MLD_LISTENER_QUERY },
112 { "grouprep", ICMP6_MEMBERSHIP_REPORT },
113 { "listenrep", MLD_LISTENER_REPORT },
114 { "groupterm", ICMP6_MEMBERSHIP_REDUCTION },
115 { "listendone", MLD_LISTENER_DONE },
116 { "routersol", ND_ROUTER_SOLICIT },
117 { "routeradv", ND_ROUTER_ADVERT },
118 { "neighbrsol", ND_NEIGHBOR_SOLICIT },
119 { "neighbradv", ND_NEIGHBOR_ADVERT },
120 { "redir", ND_REDIRECT },
121 { "routrrenum", ICMP6_ROUTER_RENUMBERING },
122 { "wrureq", ICMP6_WRUREQUEST },
123 { "wrurep", ICMP6_WRUREPLY },
124 { "fqdnreq", ICMP6_FQDN_QUERY },
125 { "fqdnrep", ICMP6_FQDN_REPLY },
126 { "niqry", ICMP6_NI_QUERY },
127 { "nirep", ICMP6_NI_REPLY },
128 { "mtraceresp", MLD_MTRACE_RESP },
129 { "mtrace", MLD_MTRACE }
130 };
131
132 static const struct icmpcodeent icmp_code[] = {
133 { "net-unr", ICMP_UNREACH, ICMP_UNREACH_NET },
134 { "host-unr", ICMP_UNREACH, ICMP_UNREACH_HOST },
135 { "proto-unr", ICMP_UNREACH, ICMP_UNREACH_PROTOCOL },
136 { "port-unr", ICMP_UNREACH, ICMP_UNREACH_PORT },
137 { "needfrag", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG },
138 { "srcfail", ICMP_UNREACH, ICMP_UNREACH_SRCFAIL },
139 { "net-unk", ICMP_UNREACH, ICMP_UNREACH_NET_UNKNOWN },
140 { "host-unk", ICMP_UNREACH, ICMP_UNREACH_HOST_UNKNOWN },
141 { "isolate", ICMP_UNREACH, ICMP_UNREACH_ISOLATED },
142 { "net-prohib", ICMP_UNREACH, ICMP_UNREACH_NET_PROHIB },
143 { "host-prohib", ICMP_UNREACH, ICMP_UNREACH_HOST_PROHIB },
144 { "net-tos", ICMP_UNREACH, ICMP_UNREACH_TOSNET },
145 { "host-tos", ICMP_UNREACH, ICMP_UNREACH_TOSHOST },
146 { "filter-prohib", ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB },
147 { "host-preced", ICMP_UNREACH, ICMP_UNREACH_HOST_PRECEDENCE },
148 { "cutoff-preced", ICMP_UNREACH, ICMP_UNREACH_PRECEDENCE_CUTOFF },
149 { "redir-net", ICMP_REDIRECT, ICMP_REDIRECT_NET },
150 { "redir-host", ICMP_REDIRECT, ICMP_REDIRECT_HOST },
151 { "redir-tos-net", ICMP_REDIRECT, ICMP_REDIRECT_TOSNET },
152 { "redir-tos-host", ICMP_REDIRECT, ICMP_REDIRECT_TOSHOST },
153 { "normal-adv", ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NORMAL },
154 { "common-adv", ICMP_ROUTERADVERT, ICMP_ROUTERADVERT_NOROUTE_COMMON },
155 { "transit", ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS },
156 { "reassemb", ICMP_TIMXCEED, ICMP_TIMXCEED_REASS },
157 { "badhead", ICMP_PARAMPROB, ICMP_PARAMPROB_ERRATPTR },
158 { "optmiss", ICMP_PARAMPROB, ICMP_PARAMPROB_OPTABSENT },
159 { "badlen", ICMP_PARAMPROB, ICMP_PARAMPROB_LENGTH },
160 { "unknown-ind", ICMP_PHOTURIS, ICMP_PHOTURIS_UNKNOWN_INDEX },
161 { "auth-fail", ICMP_PHOTURIS, ICMP_PHOTURIS_AUTH_FAILED },
162 { "decrypt-fail", ICMP_PHOTURIS, ICMP_PHOTURIS_DECRYPT_FAILED }
163 };
164
165 static const struct icmpcodeent icmp6_code[] = {
166 { "admin-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADMIN },
167 { "noroute-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOROUTE },
168 { "notnbr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOTNEIGHBOR },
169 { "beyond-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_BEYONDSCOPE },
170 { "addr-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR },
171 { "port-unr", ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT },
172 { "transit", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_TRANSIT },
173 { "reassemb", ICMP6_TIME_EXCEEDED, ICMP6_TIME_EXCEED_REASSEMBLY },
174 { "badhead", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER },
175 { "nxthdr", ICMP6_PARAM_PROB, ICMP6_PARAMPROB_NEXTHEADER },
176 { "redironlink", ND_REDIRECT, ND_REDIRECT_ONLINK },
177 { "redirrouter", ND_REDIRECT, ND_REDIRECT_ROUTER }
178 };
179
180 const struct pf_timeout pf_timeouts[] = {
181 { "tcp.first", PFTM_TCP_FIRST_PACKET },
182 { "tcp.opening", PFTM_TCP_OPENING },
183 { "tcp.established", PFTM_TCP_ESTABLISHED },
184 { "tcp.closing", PFTM_TCP_CLOSING },
185 { "tcp.finwait", PFTM_TCP_FIN_WAIT },
186 { "tcp.closed", PFTM_TCP_CLOSED },
187 { "udp.first", PFTM_UDP_FIRST_PACKET },
188 { "udp.single", PFTM_UDP_SINGLE },
189 { "udp.multiple", PFTM_UDP_MULTIPLE },
190 { "icmp.first", PFTM_ICMP_FIRST_PACKET },
191 { "icmp.error", PFTM_ICMP_ERROR_REPLY },
192 { "other.first", PFTM_OTHER_FIRST_PACKET },
193 { "other.single", PFTM_OTHER_SINGLE },
194 { "other.multiple", PFTM_OTHER_MULTIPLE },
195 { "frag", PFTM_FRAG },
196 { "interval", PFTM_INTERVAL },
197 { "adaptive.start", PFTM_ADAPTIVE_START },
198 { "adaptive.end", PFTM_ADAPTIVE_END },
199 { "src.track", PFTM_SRC_NODE },
200 { NULL, 0 }
201 };
202
203 const struct icmptypeent *
204 geticmptypebynumber(u_int8_t type, sa_family_t af)
205 {
206 unsigned int i;
207
208 if (af != AF_INET6) {
209 for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0]));
210 i++) {
211 if (type == icmp_type[i].type)
212 return (&icmp_type[i]);
213 }
214 } else {
215 for (i=0; i < (sizeof (icmp6_type) /
216 sizeof(icmp6_type[0])); i++) {
217 if (type == icmp6_type[i].type)
218 return (&icmp6_type[i]);
219 }
220 }
221 return (NULL);
222 }
223
224 const struct icmptypeent *
225 geticmptypebyname(char *w, sa_family_t af)
226 {
227 unsigned int i;
228
229 if (af != AF_INET6) {
230 for (i=0; i < (sizeof (icmp_type) / sizeof(icmp_type[0]));
231 i++) {
232 if (!strcmp(w, icmp_type[i].name))
233 return (&icmp_type[i]);
234 }
235 } else {
236 for (i=0; i < (sizeof (icmp6_type) /
237 sizeof(icmp6_type[0])); i++) {
238 if (!strcmp(w, icmp6_type[i].name))
239 return (&icmp6_type[i]);
240 }
241 }
242 return (NULL);
243 }
244
245 const struct icmpcodeent *
246 geticmpcodebynumber(u_int8_t type, u_int8_t code, sa_family_t af)
247 {
248 unsigned int i;
249
250 if (af != AF_INET6) {
251 for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0]));
252 i++) {
253 if (type == icmp_code[i].type &&
254 code == icmp_code[i].code)
255 return (&icmp_code[i]);
256 }
257 } else {
258 for (i=0; i < (sizeof (icmp6_code) /
259 sizeof(icmp6_code[0])); i++) {
260 if (type == icmp6_code[i].type &&
261 code == icmp6_code[i].code)
262 return (&icmp6_code[i]);
263 }
264 }
265 return (NULL);
266 }
267
268 const struct icmpcodeent *
269 geticmpcodebyname(u_long type, char *w, sa_family_t af)
270 {
271 unsigned int i;
272
273 if (af != AF_INET6) {
274 for (i=0; i < (sizeof (icmp_code) / sizeof(icmp_code[0]));
275 i++) {
276 if (type == icmp_code[i].type &&
277 !strcmp(w, icmp_code[i].name))
278 return (&icmp_code[i]);
279 }
280 } else {
281 for (i=0; i < (sizeof (icmp6_code) /
282 sizeof(icmp6_code[0])); i++) {
283 if (type == icmp6_code[i].type &&
284 !strcmp(w, icmp6_code[i].name))
285 return (&icmp6_code[i]);
286 }
287 }
288 return (NULL);
289 }
290
291 void
292 print_op(u_int8_t op, const char *a1, const char *a2)
293 {
294 if (op == PF_OP_IRG)
295 printf(" %s >< %s", a1, a2);
296 else if (op == PF_OP_XRG)
297 printf(" %s <> %s", a1, a2);
298 else if (op == PF_OP_EQ)
299 printf(" = %s", a1);
300 else if (op == PF_OP_NE)
301 printf(" != %s", a1);
302 else if (op == PF_OP_LT)
303 printf(" < %s", a1);
304 else if (op == PF_OP_LE)
305 printf(" <= %s", a1);
306 else if (op == PF_OP_GT)
307 printf(" > %s", a1);
308 else if (op == PF_OP_GE)
309 printf(" >= %s", a1);
310 else if (op == PF_OP_RRG)
311 printf(" %s:%s", a1, a2);
312 }
313
314 void
315 print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
316 {
317 char a1[6], a2[6];
318 struct servent *s;
319
320 s = getservbyport(p1, proto);
321 p1 = ntohs(p1);
322 p2 = ntohs(p2);
323 snprintf(a1, sizeof(a1), "%u", p1);
324 snprintf(a2, sizeof(a2), "%u", p2);
325 printf(" port");
326 if (s != NULL && (op == PF_OP_EQ || op == PF_OP_NE))
327 print_op(op, s->s_name, a2);
328 else
329 print_op(op, a1, a2);
330 }
331
332 void
333 print_ugid(u_int8_t op, unsigned u1, unsigned u2, const char *t, unsigned umax)
334 {
335 char a1[11], a2[11];
336
337 snprintf(a1, sizeof(a1), "%u", u1);
338 snprintf(a2, sizeof(a2), "%u", u2);
339 printf(" %s", t);
340 if (u1 == umax && (op == PF_OP_EQ || op == PF_OP_NE))
341 print_op(op, "unknown", a2);
342 else
343 print_op(op, a1, a2);
344 }
345
346 void
347 print_flags(u_int8_t f)
348 {
349 int i;
350
351 for (i = 0; tcpflags[i]; ++i)
352 if (f & (1 << i))
353 printf("%c", tcpflags[i]);
354 }
355
356 void
357 print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,
358 sa_family_t af, u_int8_t proto, int verbose)
359 {
360 char buf[PF_OSFP_LEN*3];
361 if (src->addr.type == PF_ADDR_ADDRMASK &&
362 dst->addr.type == PF_ADDR_ADDRMASK &&
363 PF_AZERO(&src->addr.v.a.addr, AF_INET6) &&
364 PF_AZERO(&src->addr.v.a.mask, AF_INET6) &&
365 PF_AZERO(&dst->addr.v.a.addr, AF_INET6) &&
366 PF_AZERO(&dst->addr.v.a.mask, AF_INET6) &&
367 !src->not && !dst->not &&
368 !src->port_op && !dst->port_op &&
369 osfp == PF_OSFP_ANY)
370 printf(" all");
371 else {
372 printf(" from ");
373 if (src->not)
374 printf("! ");
375 print_addr(&src->addr, af, verbose);
376 if (src->port_op)
377 print_port(src->port_op, src->port[0],
378 src->port[1],
379 proto == IPPROTO_TCP ? "tcp" : "udp");
380 if (osfp != PF_OSFP_ANY)
381 printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,
382 sizeof(buf)));
383
384 printf(" to ");
385 if (dst->not)
386 printf("! ");
387 print_addr(&dst->addr, af, verbose);
388 if (dst->port_op)
389 print_port(dst->port_op, dst->port[0],
390 dst->port[1],
391 proto == IPPROTO_TCP ? "tcp" : "udp");
392 }
393 }
394
395 void
396 print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
397 sa_family_t af, int id)
398 {
399 struct pf_pooladdr *pooladdr;
400
401 if ((TAILQ_FIRST(&pool->list) != NULL) &&
402 TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
403 printf("{ ");
404 TAILQ_FOREACH(pooladdr, &pool->list, entries){
405 switch (id) {
406 case PF_NAT:
407 case PF_RDR:
408 case PF_BINAT:
409 print_addr(&pooladdr->addr, af, 0);
410 break;
411 case PF_PASS:
412 if (PF_AZERO(&pooladdr->addr.v.a.addr, af))
413 printf("%s", pooladdr->ifname);
414 else {
415 printf("(%s ", pooladdr->ifname);
416 print_addr(&pooladdr->addr, af, 0);
417 printf(")");
418 }
419 break;
420 default:
421 break;
422 }
423 if (TAILQ_NEXT(pooladdr, entries) != NULL)
424 printf(", ");
425 else if (TAILQ_NEXT(TAILQ_FIRST(&pool->list), entries) != NULL)
426 printf(" }");
427 }
428 switch (id) {
429 case PF_NAT:
430 if ((p1 != PF_NAT_PROXY_PORT_LOW ||
431 p2 != PF_NAT_PROXY_PORT_HIGH) && (p1 != 0 || p2 != 0)) {
432 if (p1 == p2)
433 printf(" port %u", p1);
434 else
435 printf(" port %u:%u", p1, p2);
436 }
437 break;
438 case PF_RDR:
439 if (p1) {
440 printf(" port %u", p1);
441 if (p2 && (p2 != p1))
442 printf(":%u", p2);
443 }
444 break;
445 default:
446 break;
447 }
448 switch (pool->opts & PF_POOL_TYPEMASK) {
449 case PF_POOL_NONE:
450 break;
451 case PF_POOL_BITMASK:
452 printf(" bitmask");
453 break;
454 case PF_POOL_RANDOM:
455 printf(" random");
456 break;
457 case PF_POOL_SRCHASH:
458 printf(" source-hash 0x%08x%08x%08x%08x",
459 pool->key.key32[0], pool->key.key32[1],
460 pool->key.key32[2], pool->key.key32[3]);
461 break;
462 case PF_POOL_ROUNDROBIN:
463 printf(" round-robin");
464 break;
465 }
466 if (pool->opts & PF_POOL_STICKYADDR)
467 printf(" sticky-address");
468 if (id == PF_NAT && p1 == 0 && p2 == 0)
469 printf(" static-port");
470 }
471
472 const char *pf_reasons[PFRES_MAX+1] = PFRES_NAMES;
473 const char *pf_fcounters[FCNT_MAX+1] = FCNT_NAMES;
474 const char *pf_scounters[FCNT_MAX+1] = FCNT_NAMES;
475
476 void
477 print_status(struct pf_status *s, int opts)
478 {
479 char statline[80];
480 const char *running;
481 time_t runtime;
482 int i;
483
484 runtime = time(NULL) - s->since;
485 running = s->running ? "Enabled" : "Disabled";
486
487 if (s->since) {
488 unsigned sec, min, hrs, day = runtime;
489
490 sec = day % 60;
491 day /= 60;
492 min = day % 60;
493 day /= 60;
494 hrs = day % 24;
495 day /= 24;
496 snprintf(statline, sizeof(statline),
497 "Status: %s for %u days %.2u:%.2u:%.2u",
498 running, day, hrs, min, sec);
499 } else
500 snprintf(statline, sizeof(statline), "Status: %s", running);
501 printf("%-44s", statline);
502 switch (s->debug) {
503 case PF_DEBUG_NONE:
504 printf("%15s\n\n", "Debug: None");
505 break;
506 case PF_DEBUG_URGENT:
507 printf("%15s\n\n", "Debug: Urgent");
508 break;
509 case PF_DEBUG_MISC:
510 printf("%15s\n\n", "Debug: Misc");
511 break;
512 case PF_DEBUG_NOISY:
513 printf("%15s\n\n", "Debug: Loud");
514 break;
515 }
516 printf("Hostid: 0x%08x\n\n", ntohl(s->hostid));
517 if (s->ifname[0] != 0) {
518 printf("Interface Stats for %-16s %5s %16s\n",
519 s->ifname, "IPv4", "IPv6");
520 printf(" %-25s %14llu %16llu\n", "Bytes In",
521 (unsigned long long)s->bcounters[0][0],
522 (unsigned long long)s->bcounters[1][0]);
523 printf(" %-25s %14llu %16llu\n", "Bytes Out",
524 (unsigned long long)s->bcounters[0][1],
525 (unsigned long long)s->bcounters[1][1]);
526 printf(" Packets In\n");
527 printf(" %-23s %14llu %16llu\n", "Passed",
528 (unsigned long long)s->pcounters[0][0][PF_PASS],
529 (unsigned long long)s->pcounters[1][0][PF_PASS]);
530 printf(" %-23s %14llu %16llu\n", "Blocked",
531 (unsigned long long)s->pcounters[0][0][PF_DROP],
532 (unsigned long long)s->pcounters[1][0][PF_DROP]);
533 printf(" Packets Out\n");
534 printf(" %-23s %14llu %16llu\n", "Passed",
535 (unsigned long long)s->pcounters[0][1][PF_PASS],
536 (unsigned long long)s->pcounters[1][1][PF_PASS]);
537 printf(" %-23s %14llu %16llu\n\n", "Blocked",
538 (unsigned long long)s->pcounters[0][1][PF_DROP],
539 (unsigned long long)s->pcounters[1][1][PF_DROP]);
540 }
541 printf("%-27s %14s %16s\n", "State Table", "Total", "Rate");
542 printf(" %-25s %14u %14s\n", "current entries", s->states, "");
543 for (i = 0; i < FCNT_MAX; i++) {
544 printf(" %-25s %14llu ", pf_fcounters[i],
545 (unsigned long long)s->fcounters[i]);
546 if (runtime > 0)
547 printf("%14.1f/s\n",
548 (double)s->fcounters[i] / (double)runtime);
549 else
550 printf("%14s\n", "");
551 }
552 if (opts & PF_OPT_VERBOSE) {
553 printf("Source Tracking Table\n");
554 printf(" %-25s %14u %14s\n", "current entries",
555 s->src_nodes, "");
556 for (i = 0; i < SCNT_MAX; i++) {
557 printf(" %-25s %14lld ", pf_scounters[i],
558 s->scounters[i]);
559 if (runtime > 0)
560 printf("%14.1f/s\n",
561 (double)s->scounters[i] / (double)runtime);
562 else
563 printf("%14s\n", "");
564 }
565 }
566 printf("Counters\n");
567 for (i = 0; i < PFRES_MAX; i++) {
568 printf(" %-25s %14llu ", pf_reasons[i],
569 (unsigned long long)s->counters[i]);
570 if (runtime > 0)
571 printf("%14.1f/s\n",
572 (double)s->counters[i] / (double)runtime);
573 else
574 printf("%14s\n", "");
575 }
576 }
577
578 void
579 print_src_node(struct pf_src_node *sn, int opts)
580 {
581 struct pf_addr_wrap aw;
582 int min, sec;
583
584 memset(&aw, 0, sizeof(aw));
585 if (sn->af == AF_INET)
586 aw.v.a.mask.addr32[0] = 0xffffffff;
587 else
588 memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
589
590 aw.v.a.addr = sn->addr;
591 print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2);
592 printf(" -> ");
593 aw.v.a.addr = sn->raddr;
594 print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2);
595 printf(" (%d states)\n", sn->states);
596 if (opts & PF_OPT_VERBOSE) {
597 sec = sn->creation % 60;
598 sn->creation /= 60;
599 min = sn->creation % 60;
600 sn->creation /= 60;
601 printf(" age %.2u:%.2u:%.2u", sn->creation, min, sec);
602 if (sn->states == 0) {
603 sec = sn->expire % 60;
604 sn->expire /= 60;
605 min = sn->expire % 60;
606 sn->expire /= 60;
607 printf(", expires in %.2u:%.2u:%.2u",
608 sn->expire, min, sec);
609 }
610 printf(", %u pkts, %u bytes", sn->packets, sn->bytes);
611 switch (sn->ruletype) {
612 case PF_NAT:
613 if (sn->rule.nr != (uint32_t)(-1))
614 printf(", nat rule %u", sn->rule.nr);
615 break;
616 case PF_RDR:
617 if (sn->rule.nr != (uint32_t)(-1))
618 printf(", rdr rule %u", sn->rule.nr);
619 break;
620 case PF_PASS:
621 if (sn->rule.nr != (uint32_t)(-1))
622 printf(", filter rule %u", sn->rule.nr);
623 break;
624 }
625 printf("\n");
626 }
627 }
628
629 void
630 print_rule(struct pf_rule *r, int verbose)
631 {
632 static const char *actiontypes[] = { "pass", "block", "scrub", "nat",
633 "no nat", "binat", "no binat", "rdr", "no rdr" };
634 static const char *anchortypes[] = { "anchor", "anchor", "anchor",
635 "nat-anchor", "nat-anchor", "binat-anchor", "binat-anchor",
636 "rdr-anchor", "rdr-anchor" };
637 int i, opts;
638
639 if (verbose)
640 printf("@%d ", r->nr);
641 if (r->action > PF_NORDR)
642 printf("action(%d)", r->action);
643 else if (r->anchorname[0])
644 printf("%s %s", anchortypes[r->action], r->anchorname);
645 else {
646 printf("%s", actiontypes[r->action]);
647 if (r->natpass)
648 printf(" pass");
649 }
650 if (r->action == PF_DROP) {
651 if (r->rule_flag & PFRULE_RETURN)
652 printf(" return");
653 else if (r->rule_flag & PFRULE_RETURNRST) {
654 if (!r->return_ttl)
655 printf(" return-rst");
656 else
657 printf(" return-rst(ttl %d)", r->return_ttl);
658 } else if (r->rule_flag & PFRULE_RETURNICMP) {
659 const struct icmpcodeent *ic, *ic6;
660
661 ic = geticmpcodebynumber(r->return_icmp >> 8,
662 r->return_icmp & 255, AF_INET);
663 ic6 = geticmpcodebynumber(r->return_icmp6 >> 8,
664 r->return_icmp6 & 255, AF_INET6);
665
666 switch (r->af) {
667 case AF_INET:
668 printf(" return-icmp");
669 if (ic == NULL)
670 printf("(%u)", r->return_icmp & 255);
671 else
672 printf("(%s)", ic->name);
673 break;
674 case AF_INET6:
675 printf(" return-icmp6");
676 if (ic6 == NULL)
677 printf("(%u)", r->return_icmp6 & 255);
678 else
679 printf("(%s)", ic6->name);
680 break;
681 default:
682 printf(" return-icmp");
683 if (ic == NULL)
684 printf("(%u, ", r->return_icmp & 255);
685 else
686 printf("(%s, ", ic->name);
687 if (ic6 == NULL)
688 printf("%u)", r->return_icmp6 & 255);
689 else
690 printf("%s)", ic6->name);
691 break;
692 }
693 } else
694 printf(" drop");
695 }
696 if (r->direction == PF_IN)
697 printf(" in");
698 else if (r->direction == PF_OUT)
699 printf(" out");
700 if (r->log == 1)
701 printf(" log");
702 else if (r->log == 2)
703 printf(" log-all");
704 if (r->quick)
705 printf(" quick");
706 if (r->ifname[0]) {
707 if (r->ifnot)
708 printf(" on ! %s", r->ifname);
709 else
710 printf(" on %s", r->ifname);
711 }
712 if (r->rt) {
713 if (r->rt == PF_ROUTETO)
714 printf(" route-to");
715 else if (r->rt == PF_REPLYTO)
716 printf(" reply-to");
717 else if (r->rt == PF_DUPTO)
718 printf(" dup-to");
719 else if (r->rt == PF_FASTROUTE)
720 printf(" fastroute");
721 if (r->rt != PF_FASTROUTE) {
722 printf(" ");
723 print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
724 }
725 }
726 if (r->af) {
727 if (r->af == AF_INET)
728 printf(" inet");
729 else
730 printf(" inet6");
731 }
732 if (r->proto) {
733 struct protoent *p;
734
735 if ((p = getprotobynumber(r->proto)) != NULL)
736 printf(" proto %s", p->p_name);
737 else
738 printf(" proto %u", r->proto);
739 }
740 print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,
741 verbose);
742 if (r->uid.op)
743 print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",
744 UID_MAX);
745 if (r->gid.op)
746 print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
747 GID_MAX);
748 if (r->flags || r->flagset) {
749 printf(" flags ");
750 print_flags(r->flags);
751 printf("/");
752 print_flags(r->flagset);
753 }
754 if (r->type) {
755 const struct icmptypeent *it;
756
757 it = geticmptypebynumber(r->type-1, r->af);
758 if (r->af != AF_INET6)
759 printf(" icmp-type");
760 else
761 printf(" icmp6-type");
762 if (it != NULL)
763 printf(" %s", it->name);
764 else
765 printf(" %u", r->type-1);
766 if (r->code) {
767 const struct icmpcodeent *ic;
768
769 ic = geticmpcodebynumber(r->type-1, r->code-1, r->af);
770 if (ic != NULL)
771 printf(" code %s", ic->name);
772 else
773 printf(" code %u", r->code-1);
774 }
775 }
776 if (r->tos)
777 printf(" tos 0x%2.2x", r->tos);
778 if (r->keep_state == PF_STATE_NORMAL)
779 printf(" keep state");
780 else if (r->keep_state == PF_STATE_MODULATE)
781 printf(" modulate state");
782 else if (r->keep_state == PF_STATE_SYNPROXY)
783 printf(" synproxy state");
784 opts = 0;
785 if (r->max_states || r->max_src_nodes || r->max_src_states)
786 opts = 1;
787 if (r->rule_flag & PFRULE_NOSYNC)
788 opts = 1;
789 if (r->rule_flag & PFRULE_SRCTRACK)
790 opts = 1;
791 if (r->rule_flag & (PFRULE_IFBOUND | PFRULE_GRBOUND))
792 opts = 1;
793 for (i = 0; !opts && i < PFTM_MAX; ++i)
794 if (r->timeout[i])
795 opts = 1;
796 if (opts) {
797 printf(" (");
798 if (r->max_states) {
799 printf("max %u", r->max_states);
800 opts = 0;
801 }
802 if (r->rule_flag & PFRULE_NOSYNC) {
803 if (!opts)
804 printf(", ");
805 printf("no-sync");
806 opts = 0;
807 }
808 if (r->rule_flag & PFRULE_SRCTRACK) {
809 if (!opts)
810 printf(", ");
811 printf("source-track");
812 if (r->rule_flag & PFRULE_RULESRCTRACK)
813 printf(" rule");
814 else
815 printf(" global");
816 opts = 0;
817 }
818 if (r->max_src_states) {
819 if (!opts)
820 printf(", ");
821 printf("max-src-states %u", r->max_src_states);
822 opts = 0;
823 }
824 if (r->max_src_nodes) {
825 if (!opts)
826 printf(", ");
827 printf("max-src-nodes %u", r->max_src_nodes);
828 opts = 0;
829 }
830 if (r->rule_flag & PFRULE_IFBOUND) {
831 if (!opts)
832 printf(", ");
833 printf("if-bound");
834 opts = 0;
835 }
836 if (r->rule_flag & PFRULE_GRBOUND) {
837 if (!opts)
838 printf(", ");
839 printf("group-bound");
840 opts = 0;
841 }
842 for (i = 0; i < PFTM_MAX; ++i)
843 if (r->timeout[i]) {
844 if (!opts)
845 printf(", ");
846 opts = 0;
847 printf("%s %u", pf_timeouts[i].name,
848 r->timeout[i]);
849 }
850 printf(")");
851 }
852 if (r->rule_flag & PFRULE_FRAGMENT)
853 printf(" fragment");
854 if (r->rule_flag & PFRULE_NODF)
855 printf(" no-df");
856 if (r->rule_flag & PFRULE_RANDOMID)
857 printf(" random-id");
858 if (r->min_ttl)
859 printf(" min-ttl %d", r->min_ttl);
860 if (r->max_mss)
861 printf(" max-mss %d", r->max_mss);
862 if (r->allow_opts)
863 printf(" allow-opts");
864 if (r->action == PF_SCRUB) {
865 if (r->rule_flag & PFRULE_REASSEMBLE_TCP)
866 printf(" reassemble tcp");
867
868 if (r->rule_flag & PFRULE_FRAGDROP)
869 printf(" fragment drop-ovl");
870 else if (r->rule_flag & PFRULE_FRAGCROP)
871 printf(" fragment crop");
872 else
873 printf(" fragment reassemble");
874 }
875 if (r->label[0])
876 printf(" label \"%s\"", r->label);
877 if (r->qname[0] && r->pqname[0])
878 printf(" queue(%s, %s)", r->qname, r->pqname);
879 else if (r->qname[0])
880 printf(" queue %s", r->qname);
881 if (r->tagname[0])
882 printf(" tag %s", r->tagname);
883 if (r->match_tagname[0]) {
884 if (r->match_tag_not)
885 printf(" !");
886 printf(" tagged %s", r->match_tagname);
887 }
888 if (!r->anchorname[0] && (r->action == PF_NAT ||
889 r->action == PF_BINAT || r->action == PF_RDR)) {
890 printf(" -> ");
891 print_pool(&r->rpool, r->rpool.proxy_port[0],
892 r->rpool.proxy_port[1], r->af, r->action);
893 }
894 printf("\n");
895 }
896
897 void
898 print_tabledef(const char *name, int flags, int addrs,
899 struct node_tinithead *nodes)
900 {
901 struct node_tinit *ti, *nti;
902 struct node_host *h;
903
904 printf("table <%s>", name);
905 if (flags & PFR_TFLAG_CONST)
906 printf(" const");
907 if (flags & PFR_TFLAG_PERSIST)
908 printf(" persist");
909 SIMPLEQ_FOREACH(ti, nodes, entries) {
910 if (ti->file) {
911 printf(" file \"%s\"", ti->file);
912 continue;
913 }
914 printf(" {");
915 for (;;) {
916 for (h = ti->host; h != NULL; h = h->next) {
917 printf(h->not ? " !" : " ");
918 print_addr(&h->addr, h->af, 0);
919 }
920 nti = SIMPLEQ_NEXT(ti, entries);
921 if (nti != NULL && nti->file == NULL)
922 ti = nti; /* merge lists */
923 else
924 break;
925 }
926 printf(" }");
927 }
928 if (addrs && SIMPLEQ_EMPTY(nodes))
929 printf(" { }");
930 printf("\n");
931 }
932
933 int
934 parse_flags(char *s)
935 {
936 char *p, *q;
937 u_int8_t f = 0;
938
939 for (p = s; *p; p++) {
940 if ((q = strchr(tcpflags, *p)) == NULL)
941 return -1;
942 else
943 f |= 1 << (q - tcpflags);
944 }
945 return (f ? f : PF_TH_ALL);
946 }
947
948 void
949 set_ipmask(struct node_host *h, u_int8_t b)
950 {
951 struct pf_addr *m, *n;
952 int i, j = 0;
953
954 m = &h->addr.v.a.mask;
955
956 for (i = 0; i < 4; i++)
957 m->addr32[i] = 0;
958
959 while (b >= 32) {
960 m->addr32[j++] = 0xffffffff;
961 b -= 32;
962 }
963 for (i = 31; i > 31-b; --i)
964 m->addr32[j] |= (1 << i);
965 if (b)
966 m->addr32[j] = htonl(m->addr32[j]);
967
968 /* Mask off bits of the address that will never be used. */
969 n = &h->addr.v.a.addr;
970 if (h->addr.type == PF_ADDR_ADDRMASK)
971 for (i = 0; i < 4; i++)
972 n->addr32[i] = n->addr32[i] & m->addr32[i];
973 }
974
975 int
976 check_netmask(struct node_host *h, sa_family_t af)
977 {
978 struct node_host *n = NULL;
979 struct pf_addr *m;
980
981 for (n = h; n != NULL; n = n->next) {
982 if (h->addr.type == PF_ADDR_TABLE)
983 continue;
984 m = &h->addr.v.a.mask;
985 /* fix up netmask for dynaddr */
986 if (af == AF_INET && h->addr.type == PF_ADDR_DYNIFTL &&
987 unmask(m, AF_INET6) > 32)
988 set_ipmask(n, 32);
989 /* netmasks > 32 bit are invalid on v4 */
990 if (af == AF_INET &&
991 (m->addr32[1] || m->addr32[2] || m->addr32[3])) {
992 fprintf(stderr, "netmask %u invalid for IPv4 address\n",
993 unmask(m, AF_INET6));
994 return (1);
995 }
996 }
997 return (0);
998 }
999
1000 /* interface lookup routines */
1001
1002 struct node_host *iftab;
1003
1004 void
1005 ifa_load(void)
1006 {
1007 struct ifaddrs *ifap, *ifa;
1008 struct node_host *n = NULL, *h = NULL;
1009 struct pfr_buffer b;
1010 const struct pfi_if *p;
1011
1012 if (getifaddrs(&ifap) < 0)
1013 err(1, "getifaddrs");
1014
1015 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
1016 if (!(ifa->ifa_addr->sa_family == AF_INET ||
1017 ifa->ifa_addr->sa_family == AF_INET6 ||
1018 ifa->ifa_addr->sa_family == AF_LINK))
1019 continue;
1020 n = calloc(1, sizeof(struct node_host));
1021 if (n == NULL)
1022 err(1, "address: calloc");
1023 n->af = ifa->ifa_addr->sa_family;
1024 n->ifa_flags = ifa->ifa_flags;
1025 #ifdef __KAME__
1026 if (n->af == AF_INET6 &&
1027 IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)
1028 ifa->ifa_addr)->sin6_addr) &&
1029 ((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_scope_id ==
1030 0) {
1031 struct sockaddr_in6 *sin6;
1032
1033 sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
1034 sin6->sin6_scope_id = sin6->sin6_addr.s6_addr[2] << 8 |
1035 sin6->sin6_addr.s6_addr[3];
1036 sin6->sin6_addr.s6_addr[2] = 0;
1037 sin6->sin6_addr.s6_addr[3] = 0;
1038 }
1039 #endif
1040 n->ifindex = 0;
1041 if (n->af == AF_INET) {
1042 memcpy(&n->addr.v.a.addr, &((struct sockaddr_in *)
1043 ifa->ifa_addr)->sin_addr.s_addr,
1044 sizeof(struct in_addr));
1045 memcpy(&n->addr.v.a.mask, &((struct sockaddr_in *)
1046 ifa->ifa_netmask)->sin_addr.s_addr,
1047 sizeof(struct in_addr));
1048 if (ifa->ifa_broadaddr != NULL)
1049 memcpy(&n->bcast, &((struct sockaddr_in *)
1050 ifa->ifa_broadaddr)->sin_addr.s_addr,
1051 sizeof(struct in_addr));
1052 if (ifa->ifa_dstaddr != NULL)
1053 memcpy(&n->peer, &((struct sockaddr_in *)
1054 ifa->ifa_dstaddr)->sin_addr.s_addr,
1055 sizeof(struct in_addr));
1056 } else if (n->af == AF_INET6) {
1057 memcpy(&n->addr.v.a.addr, &((struct sockaddr_in6 *)
1058 ifa->ifa_addr)->sin6_addr.s6_addr,
1059 sizeof(struct in6_addr));
1060 memcpy(&n->addr.v.a.mask, &((struct sockaddr_in6 *)
1061 ifa->ifa_netmask)->sin6_addr.s6_addr,
1062 sizeof(struct in6_addr));
1063 if (ifa->ifa_broadaddr != NULL)
1064 memcpy(&n->bcast, &((struct sockaddr_in6 *)
1065 ifa->ifa_broadaddr)->sin6_addr.s6_addr,
1066 sizeof(struct in6_addr));
1067 if (ifa->ifa_dstaddr != NULL)
1068 memcpy(&n->peer, &((struct sockaddr_in6 *)
1069 ifa->ifa_dstaddr)->sin6_addr.s6_addr,
1070 sizeof(struct in6_addr));
1071 n->ifindex = ((struct sockaddr_in6 *)
1072 ifa->ifa_addr)->sin6_scope_id;
1073 }
1074 if ((n->ifname = strdup(ifa->ifa_name)) == NULL)
1075 err(1, "ifa_load: strdup");
1076 n->next = NULL;
1077 n->tail = n;
1078 if (h == NULL)
1079 h = n;
1080 else {
1081 h->tail->next = n;
1082 h->tail = n;
1083 }
1084 }
1085
1086 /* add interface groups, including clonable and dynamic stuff */
1087 bzero(&b, sizeof(b));
1088 b.pfrb_type = PFRB_IFACES;
1089 for (;;) {
1090 if (pfr_buf_grow(&b, b.pfrb_size))
1091 err(1, "ifa_load: pfr_buf_grow");
1092 b.pfrb_size = b.pfrb_msize;
1093 if (pfi_get_ifaces(NULL, b.pfrb_caddr, &b.pfrb_size,
1094 PFI_FLAG_GROUP))
1095 err(1, "ifa_load: pfi_get_ifaces");
1096 if (b.pfrb_size <= b.pfrb_msize)
1097 break;
1098 }
1099 PFRB_FOREACH(p, &b) {
1100 n = calloc(1, sizeof(struct node_host));
1101 if (n == NULL)
1102 err(1, "address: calloc");
1103 n->af = AF_LINK;
1104 n->ifa_flags = PF_IFA_FLAG_GROUP;
1105 if (p->pfif_flags & PFI_IFLAG_DYNAMIC)
1106 n->ifa_flags |= PF_IFA_FLAG_DYNAMIC;
1107 if (p->pfif_flags & PFI_IFLAG_CLONABLE)
1108 n->ifa_flags |= PF_IFA_FLAG_CLONABLE;
1109 if (!strcmp(p->pfif_name, "lo"))
1110 n->ifa_flags |= IFF_LOOPBACK;
1111 if ((n->ifname = strdup(p->pfif_name)) == NULL)
1112 err(1, "ifa_load: strdup");
1113 n->next = NULL;
1114 n->tail = n;
1115 if (h == NULL)
1116 h = n;
1117 else {
1118 h->tail->next = n;
1119 h->tail = n;
1120 }
1121 }
1122
1123 iftab = h;
1124 freeifaddrs(ifap);
1125 }
1126
1127 struct node_host *
1128 ifa_exists(const char *ifa_name, int group_ok)
1129 {
1130 struct node_host *n;
1131 char *p, buf[IFNAMSIZ];
1132 int group;
1133
1134 group = !isdigit(ifa_name[strlen(ifa_name) - 1]);
1135 if (group && !group_ok)
1136 return (NULL);
1137 if (iftab == NULL)
1138 ifa_load();
1139
1140 for (n = iftab; n; n = n->next) {
1141 if (n->af == AF_LINK && !strncmp(n->ifname, ifa_name, IFNAMSIZ))
1142 return (n);
1143 }
1144 if (!group) {
1145 /* look for clonable and/or dynamic interface */
1146 strlcpy(buf, ifa_name, sizeof(buf));
1147 for (p = buf + strlen(buf) - 1; p > buf && isdigit(*p); p--)
1148 *p = '\0';
1149 for (n = iftab; n != NULL; n = n->next)
1150 if (n->af == AF_LINK &&
1151 !strncmp(n->ifname, buf, IFNAMSIZ))
1152 break;
1153 if (n != NULL && n->ifa_flags &
1154 (PF_IFA_FLAG_DYNAMIC | PF_IFA_FLAG_CLONABLE))
1155 return (n); /* XXX */
1156 }
1157 return (NULL);
1158 }
1159
1160 struct node_host *
1161 ifa_lookup(const char *ifa_name, int flags)
1162 {
1163 struct node_host *p = NULL, *h = NULL, *n = NULL;
1164 int got4 = 0, got6 = 0;
1165 const char *last_if = NULL;
1166
1167 if (!strncmp(ifa_name, "self", IFNAMSIZ))
1168 ifa_name = NULL;
1169
1170 if (iftab == NULL)
1171 ifa_load();
1172
1173 for (p = iftab; p; p = p->next) {
1174 if (ifa_skip_if(ifa_name, p))
1175 continue;
1176 if ((flags & PFI_AFLAG_BROADCAST) && p->af != AF_INET)
1177 continue;
1178 if ((flags & PFI_AFLAG_BROADCAST) &&
1179 !(p->ifa_flags & IFF_BROADCAST))
1180 continue;
1181 if ((flags & PFI_AFLAG_PEER) &&
1182 !(p->ifa_flags & IFF_POINTOPOINT))
1183 continue;
1184 if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0)
1185 continue;
1186 if (last_if == NULL || strcmp(last_if, p->ifname))
1187 got4 = got6 = 0;
1188 last_if = p->ifname;
1189 if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET && got4)
1190 continue;
1191 if ((flags & PFI_AFLAG_NOALIAS) && p->af == AF_INET6 && got6)
1192 continue;
1193 if (p->af == AF_INET)
1194 got4 = 1;
1195 else
1196 got6 = 1;
1197 n = calloc(1, sizeof(struct node_host));
1198 if (n == NULL)
1199 err(1, "address: calloc");
1200 n->af = p->af;
1201 if (flags & PFI_AFLAG_BROADCAST)
1202 memcpy(&n->addr.v.a.addr, &p->bcast,
1203 sizeof(struct pf_addr));
1204 else if (flags & PFI_AFLAG_PEER)
1205 memcpy(&n->addr.v.a.addr, &p->peer,
1206 sizeof(struct pf_addr));
1207 else
1208 memcpy(&n->addr.v.a.addr, &p->addr.v.a.addr,
1209 sizeof(struct pf_addr));
1210 if (flags & PFI_AFLAG_NETWORK)
1211 set_ipmask(n, unmask(&p->addr.v.a.mask, n->af));
1212 else {
1213 if (n->af == AF_INET) {
1214 if (p->ifa_flags & IFF_LOOPBACK &&
1215 p->ifa_flags & IFF_LINK1)
1216 memcpy(&n->addr.v.a.mask,
1217 &p->addr.v.a.mask,
1218 sizeof(struct pf_addr));
1219 else
1220 set_ipmask(n, 32);
1221 } else
1222 set_ipmask(n, 128);
1223 }
1224 n->ifindex = p->ifindex;
1225
1226 n->next = NULL;
1227 n->tail = n;
1228 if (h == NULL)
1229 h = n;
1230 else {
1231 h->tail->next = n;
1232 h->tail = n;
1233 }
1234 }
1235 return (h);
1236 }
1237
1238 int
1239 ifa_skip_if(const char *filter, struct node_host *p)
1240 {
1241 int n;
1242
1243 if (p->af != AF_INET && p->af != AF_INET6)
1244 return (1);
1245 if (filter == NULL || !*filter)
1246 return (0);
1247 if (!strcmp(p->ifname, filter))
1248 return (0); /* exact match */
1249 n = strlen(filter);
1250 if (n < 1 || n >= IFNAMSIZ)
1251 return (1); /* sanity check */
1252 if (filter[n-1] >= '0' && filter[n-1] <= '9')
1253 return (1); /* only do exact match in that case */
1254 if (strncmp(p->ifname, filter, n))
1255 return (1); /* prefix doesn't match */
1256 return (p->ifname[n] < '0' || p->ifname[n] > '9');
1257 }
1258
1259
1260 struct node_host *
1261 host(const char *s)
1262 {
1263 struct node_host *h = NULL;
1264 int mask, v4mask, v6mask, cont = 1;
1265 char *p, *q, *ps;
1266
1267 if ((p = strrchr(s, '/')) != NULL) {
1268 mask = strtol(p+1, &q, 0);
1269 if (!q || *q || mask > 128 || q == (p+1)) {
1270 fprintf(stderr, "invalid netmask\n");
1271 return (NULL);
1272 }
1273 if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
1274 err(1, "host: malloc");
1275 strlcpy(ps, s, strlen(s) - strlen(p) + 1);
1276 v4mask = v6mask = mask;
1277 } else {
1278 if ((ps = strdup(s)) == NULL)
1279 err(1, "host: strdup");
1280 v4mask = 32;
1281 v6mask = 128;
1282 mask = -1;
1283 }
1284
1285 /* interface with this name exists? */
1286 if (cont && (h = host_if(ps, mask)) != NULL)
1287 cont = 0;
1288
1289 /* IPv4 address? */
1290 if (cont && (h = host_v4(s)) != NULL)
1291 cont = 0;
1292
1293 /* IPv6 address? */
1294 if (cont && (h = host_v6(ps, v6mask)) != NULL)
1295 cont = 0;
1296
1297 /* dns lookup */
1298 if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
1299 cont = 0;
1300 free(ps);
1301
1302 if (h == NULL || cont == 1) {
1303 fprintf(stderr, "no IP address found for %s\n", s);
1304 return (NULL);
1305 }
1306 return (h);
1307 }
1308
1309 struct node_host *
1310 host_if(const char *s, int mask)
1311 {
1312 struct node_host *n, *h = NULL;
1313 char *p, *ps;
1314 int flags = 0;
1315
1316 if ((ps = strdup(s)) == NULL)
1317 err(1, "host_if: strdup");
1318 while ((p = strrchr(ps, ':')) != NULL) {
1319 if (!strcmp(p+1, "network"))
1320 flags |= PFI_AFLAG_NETWORK;
1321 else if (!strcmp(p+1, "broadcast"))
1322 flags |= PFI_AFLAG_BROADCAST;
1323 else if (!strcmp(p+1, "peer"))
1324 flags |= PFI_AFLAG_PEER;
1325 else if (!strcmp(p+1, "0"))
1326 flags |= PFI_AFLAG_NOALIAS;
1327 else {
1328 free(ps);
1329 return (NULL);
1330 }
1331 *p = '\0';
1332 }
1333 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) { /* Yep! */
1334 fprintf(stderr, "illegal combination of interface modifiers\n");
1335 free(ps);
1336 return (NULL);
1337 }
1338 if ((flags & (PFI_AFLAG_NETWORK|PFI_AFLAG_BROADCAST)) && mask > -1) {
1339 fprintf(stderr, "network or broadcast lookup, but "
1340 "extra netmask given\n");
1341 free(ps);
1342 return (NULL);
1343 }
1344 if (ifa_exists(ps, 1) || !strncmp(ps, "self", IFNAMSIZ)) {
1345 /* interface with this name exists */
1346 h = ifa_lookup(ps, flags);
1347 for (n = h; n != NULL && mask > -1; n = n->next)
1348 set_ipmask(n, mask);
1349 }
1350
1351 free(ps);
1352 return (h);
1353 }
1354
1355 static struct node_host *
1356 host_v4(const char *s)
1357 {
1358 struct node_host *h = NULL;
1359 struct in_addr ina;
1360 int bits = 32;
1361
1362 memset(&ina, 0, sizeof(struct in_addr));
1363 if (strrchr(s, '/') != NULL) {
1364 if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) == -1)
1365 return (NULL);
1366 } else {
1367 if (inet_pton(AF_INET, s, &ina) != 1)
1368 return (NULL);
1369 }
1370
1371 h = calloc(1, sizeof(struct node_host));
1372 if (h == NULL)
1373 err(1, "address: calloc");
1374 h->ifname = NULL;
1375 h->af = AF_INET;
1376 h->addr.v.a.addr.addr32[0] = ina.s_addr;
1377 set_ipmask(h, bits);
1378 h->next = NULL;
1379 h->tail = h;
1380
1381 return (h);
1382 }
1383
1384 struct node_host *
1385 host_v6(const char *s, int mask)
1386 {
1387 struct addrinfo hints, *res;
1388 struct node_host *h = NULL;
1389
1390 memset(&hints, 0, sizeof(hints));
1391 hints.ai_family = AF_INET6;
1392 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1393 hints.ai_flags = AI_NUMERICHOST;
1394 if (getaddrinfo(s, "0", &hints, &res) == 0) {
1395 h = calloc(1, sizeof(struct node_host));
1396 if (h == NULL)
1397 err(1, "address: calloc");
1398 h->ifname = NULL;
1399 h->af = AF_INET6;
1400 memcpy(&h->addr.v.a.addr,
1401 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
1402 sizeof(h->addr.v.a.addr));
1403 h->ifindex =
1404 ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id;
1405 set_ipmask(h, mask);
1406 freeaddrinfo(res);
1407 h->next = NULL;
1408 h->tail = h;
1409 }
1410
1411 return (h);
1412 }
1413
1414 struct node_host *
1415 host_dns(const char *s, int v4mask, int v6mask)
1416 {
1417 struct addrinfo hints, *res0, *res;
1418 struct node_host *n, *h = NULL;
1419 int error, noalias = 0;
1420 int got4 = 0, got6 = 0;
1421 char *p, *ps;
1422
1423 if ((ps = strdup(s)) == NULL)
1424 err(1, "host_if: strdup");
1425 if ((p = strrchr(ps, ':')) != NULL && !strcmp(p, ":0")) {
1426 noalias = 1;
1427 *p = '\0';
1428 }
1429 memset(&hints, 0, sizeof(hints));
1430 hints.ai_family = PF_UNSPEC;
1431 hints.ai_socktype = SOCK_STREAM; /* DUMMY */
1432 error = getaddrinfo(ps, NULL, &hints, &res0);
1433 if (error)
1434 return (h);
1435
1436 for (res = res0; res; res = res->ai_next) {
1437 if (res->ai_family != AF_INET &&
1438 res->ai_family != AF_INET6)
1439 continue;
1440 if (noalias) {
1441 if (res->ai_family == AF_INET) {
1442 if (got4)
1443 continue;
1444 got4 = 1;
1445 } else {
1446 if (got6)
1447 continue;
1448 got6 = 1;
1449 }
1450 }
1451 n = calloc(1, sizeof(struct node_host));
1452 if (n == NULL)
1453 err(1, "host_dns: calloc");
1454 n->ifname = NULL;
1455 n->af = res->ai_family;
1456 if (res->ai_family == AF_INET) {
1457 memcpy(&n->addr.v.a.addr,
1458 &((struct sockaddr_in *)
1459 res->ai_addr)->sin_addr.s_addr,
1460 sizeof(struct in_addr));
1461 set_ipmask(n, v4mask);
1462 } else {
1463 memcpy(&n->addr.v.a.addr,
1464 &((struct sockaddr_in6 *)
1465 res->ai_addr)->sin6_addr.s6_addr,
1466 sizeof(struct in6_addr));
1467 n->ifindex =
1468 ((struct sockaddr_in6 *)
1469 res->ai_addr)->sin6_scope_id;
1470 set_ipmask(n, v6mask);
1471 }
1472 n->next = NULL;
1473 n->tail = n;
1474 if (h == NULL)
1475 h = n;
1476 else {
1477 h->tail->next = n;
1478 h->tail = n;
1479 }
1480 }
1481 freeaddrinfo(res0);
1482 free(ps);
1483
1484 return (h);
1485 }
1486
1487 /*
1488 * convert a hostname to a list of addresses and put them in the given buffer.
1489 * test:
1490 * if set to 1, only simple addresses are accepted (no netblock, no "!").
1491 */
1492 int
1493 append_addr(struct pfr_buffer *b, char *s, int test)
1494 {
1495 char *r;
1496 struct node_host *h, *n;
1497 int rv, not = 0;
1498
1499 for (r = s; *r == '!'; r++)
1500 not = !not;
1501 if ((n = host(r)) == NULL) {
1502 errno = 0;
1503 return (-1);
1504 }
1505 rv = append_addr_host(b, n, test, not);
1506 do {
1507 h = n;
1508 n = n->next;
1509 free(h);
1510 } while (n != NULL);
1511 return (rv);
1512 }
1513
1514 /*
1515 * same as previous function, but with a pre-parsed input and the ability
1516 * to "negate" the result. Does not free the node_host list.
1517 * not:
1518 * setting it to 1 is equivalent to adding "!" in front of parameter s.
1519 */
1520 int
1521 append_addr_host(struct pfr_buffer *b, struct node_host *n, int test, int not)
1522 {
1523 int bits;
1524 struct pfr_addr addr;
1525
1526 do {
1527 bzero(&addr, sizeof(addr));
1528 addr.pfra_not = n->not ^ not;
1529 addr.pfra_af = n->af;
1530 addr.pfra_net = unmask(&n->addr.v.a.mask, n->af);
1531 switch (n->af) {
1532 case AF_INET:
1533 addr.pfra_ip4addr.s_addr = n->addr.v.a.addr.addr32[0];
1534 bits = 32;
1535 break;
1536 case AF_INET6:
1537 memcpy(&addr.pfra_ip6addr, &n->addr.v.a.addr.v6,
1538 sizeof(struct in6_addr));
1539 bits = 128;
1540 break;
1541 default:
1542 errno = EINVAL;
1543 return (-1);
1544 }
1545 if ((test && (not || addr.pfra_net != bits)) ||
1546 addr.pfra_net > bits) {
1547 errno = EINVAL;
1548 return (-1);
1549 }
1550 if (pfr_buf_add(b, &addr))
1551 return (-1);
1552 } while ((n = n->next) != NULL);
1553
1554 return (0);
1555 }
1556
1557 int
1558 pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor,
1559 const char *ruleset)
1560 {
1561 struct pfioc_trans_e trans;
1562
1563 bzero(&trans, sizeof(trans));
1564 trans.rs_num = rs_num;
1565 if (strlcpy(trans.anchor, anchor,
1566 sizeof(trans.anchor)) >= sizeof(trans.anchor) ||
1567 strlcpy(trans.ruleset, ruleset,
1568 sizeof(trans.ruleset)) >= sizeof(trans.ruleset))
1569 errx(1, "pfctl_add_trans: strlcpy");
1570
1571 return pfr_buf_add(buf, &trans);
1572 }
1573
1574 u_int32_t
1575 pfctl_get_ticket(struct pfr_buffer *buf, int rs_num, const char *anchor,
1576 const char *ruleset)
1577 {
1578 const struct pfioc_trans_e *p;
1579
1580 PFRB_FOREACH(p, buf)
1581 if (rs_num == p->rs_num && !strcmp(anchor, p->anchor) &&
1582 !strcmp(ruleset, p->ruleset))
1583 return (p->ticket);
1584 errx(1, "pfr_get_ticket: assertion failed");
1585 }
1586
1587 int
1588 pfctl_trans(int dev, struct pfr_buffer *buf, u_long cmd, int from)
1589 {
1590 struct pfioc_trans trans;
1591
1592 bzero(&trans, sizeof(trans));
1593 trans.size = buf->pfrb_size - from;
1594 trans.esize = sizeof(struct pfioc_trans_e);
1595 trans.array = ((struct pfioc_trans_e *)buf->pfrb_caddr) + from;
1596 return ioctl(dev, cmd, &trans);
1597 }
A repo for keeping AMD64 port code before merging with the master