2 * Copyright (C) 1993-1997 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
11 #if !defined(__SVR4) && !defined(__svr4__)
14 #include <sys/types.h>
16 #include <sys/param.h>
23 #include <sys/socket.h>
24 #include <sys/ioctl.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
27 #include <netinet/in_systm.h>
28 #include <netinet/ip.h>
31 #include <arpa/nameser.h>
33 #include <netinet/tcp.h>
34 #include "netinet/ip_compat.h"
35 #include "netinet/ip_fil.h"
37 #include "netinet/ip_proxy.h"
38 #include "netinet/ip_nat.h"
39 #include "netinet/ip_frag.h"
40 #include "netinet/ip_state.h"
41 #include "netinet/ip_auth.h"
43 #if defined(__NetBSD__) || (__OpenBSD__)
48 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
49 static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $";
52 #define VMUNIX _PATH_UNIX
54 #define VMUNIX "/vmunix"
59 #define PRINTF (void)printf
60 #define FPRINTF (void)fprintf
64 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
65 "ipacct(in)", "ipacct(out)" };
69 extern int main __P((int, char *[]));
70 static void showstats __P((int, friostat_t *));
71 static void showfrstates __P((int, ipfrstat_t *));
72 static void showlist __P((friostat_t *));
73 static void showipstates __P((int, ips_stat_t *));
74 static void showauthstates __P((int, fr_authstat_t *));
75 static void Usage __P((char *));
76 static void printlist __P((frentry_t *));
79 static void Usage(name)
82 fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
91 fr_authstat_t frauthst;
95 char *name = NULL, *device = IPL_NAME;
101 (void)setuid(getuid());
102 (void)setgid(getgid());
104 while ((c = getopt(argc, argv, "aAfhIinosvd:")) != -1)
109 opts |= OPT_ACCNT|OPT_SHOWLIST;
112 opts |= OPT_AUTHSTATS;
118 opts |= OPT_FRSTATES;
124 opts |= OPT_INQUE|OPT_SHOWLIST;
127 opts |= OPT_INACTIVE;
130 opts |= OPT_SHOWLINENO;
133 opts |= OPT_OUTQUE|OPT_SHOWLIST;
136 opts |= OPT_IPSTATES;
147 if ((fd = open(device, O_RDONLY)) < 0) {
152 bzero((char *)&fio, sizeof(fio));
153 bzero((char *)&ipsst, sizeof(ipsst));
154 bzero((char *)&ifrst, sizeof(ifrst));
156 if (ioctl(fd, SIOCGETFS, &fio) == -1) {
157 perror("ioctl(SIOCGETFS)");
160 if ((opts & OPT_IPSTATES)) {
161 int sfd = open(IPL_STATE, O_RDONLY);
167 if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
168 perror("ioctl(SIOCGIPST)");
173 if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
174 perror("ioctl(SIOCGFRST)");
178 if (opts & OPT_VERBOSE)
179 PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
181 if ((opts & OPT_AUTHSTATS) &&
182 (ioctl(fd, SIOCATHST, &frauthst) == -1)) {
183 perror("ioctl(SIOCATHST)");
187 if (opts & OPT_SHOWLIST) {
189 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
194 if (opts & OPT_IPSTATES)
195 showipstates(fd, &ipsst);
196 else if (opts & OPT_FRSTATES)
197 showfrstates(fd, &ifrst);
198 else if (opts & OPT_AUTHSTATS)
199 showauthstates(fd, &frauthst);
208 * read the kernel stats for packets blocked and passed
210 static void showstats(fd, fp)
216 if (ioctl(fd, SIOCGETFF, &frf) == -1)
217 perror("ioctl(SIOCGETFF)");
220 PRINTF("dropped packets:\tin %lu\tout %lu\n",
221 fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
222 PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
223 fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
224 PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
225 fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
227 PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
228 fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
230 PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
231 PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
232 fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
234 PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
235 PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
236 fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
237 PRINTF("output packets logged:\tblocked %lu passed %lu\n",
238 fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
239 PRINTF(" packets logged:\tinput %lu output %lu\n",
240 fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
241 PRINTF(" log failures:\t\tinput %lu output %lu\n",
242 fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
243 PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
244 fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
245 PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
246 fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
247 PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
248 fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
249 PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
250 fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
251 PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
252 fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
253 PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
254 fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
255 PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
256 fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
257 PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
258 fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
259 PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
260 fp->f_froute[0], fp->f_froute[1]);
261 PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
262 fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
264 PRINTF("Packet log flags set: (%#x)\n", frf);
265 if (frf & FF_LOGPASS)
266 PRINTF("\tpackets passed through filter\n");
267 if (frf & FF_LOGBLOCK)
268 PRINTF("\tpackets blocked by filter\n");
269 if (frf & FF_LOGNOMATCH)
270 PRINTF("\tpackets not matched by filter\n");
276 static void printlist(fp)
282 for (n = 1; fp; n++) {
283 if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
288 if (opts & OPT_OUTQUE)
289 fp->fr_flags |= FR_OUTQUE;
290 if (opts & (OPT_HITS|OPT_VERBOSE))
292 PRINTF("%qd ", fp->fr_hits);
294 PRINTF("%ld ", fp->fr_hits);
296 if (opts & (OPT_ACCNT|OPT_VERBOSE))
298 PRINTF("%qd ", fp->fr_bytes);
300 PRINTF("%ld ", fp->fr_bytes);
302 if (opts & OPT_SHOWLINENO)
305 if (opts & OPT_VERBOSE)
308 printlist(fp->fr_grp);
314 * print out filter rule list
316 static void showlist(fiop)
317 struct friostat *fiop;
319 struct frentry *fp = NULL;
322 set = fiop->f_active;
323 if (opts & OPT_INACTIVE)
325 if (opts & OPT_ACCNT) {
327 if (opts & OPT_OUTQUE) {
328 fp = (struct frentry *)fiop->f_acctout[set];
330 } else if (opts & OPT_INQUE)
331 fp = (struct frentry *)fiop->f_acctin[set];
333 FPRINTF(stderr, "No -i or -o given with -a\n");
336 } else if (opts & OPT_OUTQUE) {
338 fp = (struct frentry *)fiop->f_fout[set];
339 } else if (opts & OPT_INQUE) {
341 fp = (struct frentry *)fiop->f_fin[set];
344 if (opts & OPT_VERBOSE)
345 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
347 if (opts & OPT_VERBOSE)
348 PRINTF("fp %p set %d\n", fp, set);
350 FPRINTF(stderr, "empty list for %s%s\n",
351 (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
358 static void showipstates(fd, ipsp)
362 ipstate_t *istab[IPSTATE_SIZE], ips;
365 PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
366 ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
367 PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss);
368 PRINTF("\t%lu maximum\n\t%lu no memory\n",
369 ipsp->iss_max, ipsp->iss_nomem);
370 PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
371 ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
372 if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
374 for (i = 0; i < IPSTATE_SIZE; i++)
376 if (kmemcpy((char *)&ips, (u_long)istab[i],
379 PRINTF("%s -> ", inet_ntoa(ips.is_src));
380 PRINTF("%s ttl %ld pass %d pr %d state %d/%d\n",
381 inet_ntoa(ips.is_dst), ips.is_age,
382 ips.is_pass, ips.is_p, ips.is_state[0],
385 PRINTF("\tpkts %qd bytes %qd",
386 ips.is_pkts, ips.is_bytes);
388 PRINTF("\tpkts %ld bytes %ld",
389 ips.is_pkts, ips.is_bytes);
391 if (ips.is_p == IPPROTO_TCP)
392 PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n",
395 ips.is_seq, ips.is_ack,
396 ips.is_swin, ips.is_dwin);
397 else if (ips.is_p == IPPROTO_UDP)
398 PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport),
399 ntohs(ips.is_dport));
400 else if (ips.is_p == IPPROTO_ICMP)
401 PRINTF(" %hu %hu %d\n", ips.is_icmp.ics_id,
403 ips.is_icmp.ics_type);
405 /* phil@ultimate.com ... */
407 /* from "printfr()" */
408 if (ips.is_pass & FR_PASS) {
410 } else if (ips.is_pass & FR_BLOCK) {
412 if (ips.is_pass & FR_RETICMP)
413 PRINTF(" return-icmp");
414 if (ips.is_pass & FR_RETRST)
415 PRINTF(" return-rst");
416 } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
418 if (ips.is_pass & FR_LOGBODY)
420 if (ips.is_pass & FR_LOGFIRST)
422 } else if (ips.is_pass & FR_ACCOUNT)
425 if (ips.is_pass & FR_OUTQUE)
430 if ((ips.is_pass & (FR_LOGB|FR_LOGP)) != 0) {
432 if (ips.is_pass & FR_LOGBODY)
434 if (ips.is_pass & FR_LOGFIRST)
436 if (ips.is_pass & FR_LOGORBLOCK)
439 if (ips.is_pass & FR_QUICK)
441 if (ips.is_pass & FR_KEEPFRAG)
442 PRINTF(" keep frags");
444 if (ips.is_pass & FR_KEEPSTATE)
445 PRINTF(" keep state");
447 /* ... phil@ultimate.com */
449 istab[i] = ips.is_next;
454 static void showfrstates(fd, ifsp)
458 struct ipfr *ipfrtab[IPFT_SIZE], ifr;
461 PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
462 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
463 PRINTF("\t%lu no memory\n\t%lu already exist\n",
464 ifsp->ifs_nomem, ifsp->ifs_exists);
465 PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
466 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
468 for (i = 0; i < IPFT_SIZE; i++)
470 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
473 PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src));
474 PRINTF("%s %d %d %d %#02x = %#x\n",
475 inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id,
476 ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
478 ipfrtab[i] = ifr.ipfr_next;
483 static void showauthstates(fd, asp)
488 printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits,
491 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
494 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
495 asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
497 printf("queok %ld\nquefail %ld\nexpire %ld\n",
498 asp->fas_queok, asp->fas_quefail, asp->fas_expire);
projects / FreeBSD / FreeBSD.git / blob