2 * Copyright (C) 1993-1998 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 # include <osreldate.h>
13 #if !defined(__SVR4) && !defined(__svr4__)
16 #include <sys/types.h>
18 #include <sys/param.h>
25 #include <sys/socket.h>
26 #include <sys/ioctl.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29 #include <netinet/in_systm.h>
30 #include <netinet/ip.h>
32 #if __FreeBSD_version >= 300000
33 # include <net/if_var.h>
36 #include <arpa/nameser.h>
38 #include <netinet/tcp.h>
39 #include "netinet/ip_compat.h"
40 #include "netinet/ip_fil.h"
42 #include "netinet/ip_proxy.h"
43 #include "netinet/ip_nat.h"
44 #include "netinet/ip_frag.h"
45 #include "netinet/ip_state.h"
46 #include "netinet/ip_auth.h"
48 #if defined(__NetBSD__) || (__OpenBSD__)
53 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
54 static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.5 2000/01/27 08:49:40 darrenr Exp $";
59 #define PRINTF (void)printf
60 #define FPRINTF (void)fprintf
64 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
65 "ipacct(in)", "ipacct(out)" };
69 extern int main __P((int, char *[]));
70 static void showstats __P((int, friostat_t *));
71 static void showfrstates __P((int, ipfrstat_t *));
72 static void showlist __P((friostat_t *));
73 static void showipstates __P((int, ips_stat_t *));
74 static void showauthstates __P((int, fr_authstat_t *));
75 static void showgroups __P((friostat_t *));
76 static void Usage __P((char *));
77 static void printlist __P((frentry_t *));
78 static char *get_ifname __P((void *));
81 static void Usage(name)
84 fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
93 fr_authstat_t frauthst;
97 char *name = NULL, *device = IPL_NAME;
100 if (openkmem() == -1)
103 (void)setuid(getuid());
104 (void)setgid(getgid());
106 while ((c = getopt(argc, argv, "aAfghIinosvd:")) != -1)
111 opts |= OPT_ACCNT|OPT_SHOWLIST;
114 opts |= OPT_AUTHSTATS;
120 opts |= OPT_FRSTATES;
129 opts |= OPT_INQUE|OPT_SHOWLIST;
132 opts |= OPT_INACTIVE;
135 opts |= OPT_SHOWLINENO;
138 opts |= OPT_OUTQUE|OPT_SHOWLIST;
141 opts |= OPT_IPSTATES;
152 if ((fd = open(device, O_RDONLY)) < 0) {
157 bzero((char *)&fio, sizeof(fio));
158 bzero((char *)&ipsst, sizeof(ipsst));
159 bzero((char *)&ifrst, sizeof(ifrst));
161 if (ioctl(fd, SIOCGETFS, &fio) == -1) {
162 perror("ioctl(SIOCGETFS)");
165 if ((opts & OPT_IPSTATES)) {
166 int sfd = open(IPL_STATE, O_RDONLY);
172 if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
173 perror("ioctl(SIOCGIPST)");
178 if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
179 perror("ioctl(SIOCGFRST)");
183 if (opts & OPT_VERBOSE)
184 PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
186 if ((opts & OPT_AUTHSTATS) &&
187 (ioctl(fd, SIOCATHST, &frauthst) == -1)) {
188 perror("ioctl(SIOCATHST)");
192 if (opts & OPT_SHOWLIST) {
194 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
199 if (opts & OPT_IPSTATES)
200 showipstates(fd, &ipsst);
201 else if (opts & OPT_FRSTATES)
202 showfrstates(fd, &ifrst);
203 else if (opts & OPT_AUTHSTATS)
204 showauthstates(fd, &frauthst);
205 else if (opts & OPT_GROUPS)
215 * read the kernel stats for packets blocked and passed
217 static void showstats(fd, fp)
223 if (ioctl(fd, SIOCGETFF, &frf) == -1)
224 perror("ioctl(SIOCGETFF)");
227 PRINTF("dropped packets:\tin %lu\tout %lu\n",
228 fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
229 PRINTF("non-data packets:\tin %lu\tout %lu\n",
230 fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
231 PRINTF("no-data packets:\tin %lu\tout %lu\n",
232 fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
233 PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
234 fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
235 PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
236 fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
238 PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
239 fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
241 PRINTF(" counted %lu short %lu\n",
242 fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
243 PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
244 fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
246 PRINTF(" counted %lu short %lu\n",
247 fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
248 PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
249 fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
250 PRINTF("output packets logged:\tblocked %lu passed %lu\n",
251 fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
252 PRINTF(" packets logged:\tinput %lu output %lu\n",
253 fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
254 PRINTF(" log failures:\t\tinput %lu output %lu\n",
255 fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
256 PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
257 fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
258 PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
259 fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
260 PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
261 fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
262 PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
263 fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
264 PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
265 fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
266 PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
267 fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
268 PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
269 fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
270 PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
271 fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
272 PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
273 fp->f_froute[0], fp->f_froute[1]);
274 PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
275 fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
277 PRINTF("Packet log flags set: (%#x)\n", frf);
278 if (frf & FF_LOGPASS)
279 PRINTF("\tpackets passed through filter\n");
280 if (frf & FF_LOGBLOCK)
281 PRINTF("\tpackets blocked by filter\n");
282 if (frf & FF_LOGNOMATCH)
283 PRINTF("\tpackets not matched by filter\n");
289 static void printlist(fp)
295 for (n = 1; fp; n++) {
296 if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
301 if (opts & OPT_OUTQUE)
302 fp->fr_flags |= FR_OUTQUE;
303 if (opts & (OPT_HITS|OPT_VERBOSE))
305 PRINTF("%qd ", fp->fr_hits);
307 PRINTF("%ld ", fp->fr_hits);
309 if (opts & (OPT_ACCNT|OPT_VERBOSE))
311 PRINTF("%qd ", fp->fr_bytes);
313 PRINTF("%ld ", fp->fr_bytes);
315 if (opts & OPT_SHOWLINENO)
318 if (opts & OPT_VERBOSE)
321 printlist(fp->fr_grp);
327 * print out filter rule list
329 static void showlist(fiop)
330 struct friostat *fiop;
332 struct frentry *fp = NULL;
335 set = fiop->f_active;
336 if (opts & OPT_INACTIVE)
338 if (opts & OPT_ACCNT) {
340 if (opts & OPT_OUTQUE) {
341 fp = (struct frentry *)fiop->f_acctout[set];
343 } else if (opts & OPT_INQUE)
344 fp = (struct frentry *)fiop->f_acctin[set];
346 FPRINTF(stderr, "No -i or -o given with -a\n");
349 } else if (opts & OPT_OUTQUE) {
351 fp = (struct frentry *)fiop->f_fout[set];
352 } else if (opts & OPT_INQUE) {
354 fp = (struct frentry *)fiop->f_fin[set];
357 if (opts & OPT_VERBOSE)
358 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
360 if (opts & OPT_VERBOSE)
361 PRINTF("fp %p set %d\n", fp, set);
363 FPRINTF(stderr, "empty list for %s%s\n",
364 (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
371 static void showipstates(fd, ipsp)
375 ipstate_t *istab[IPSTATE_SIZE], ips;
378 PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
379 ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
380 PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss);
381 PRINTF("\t%lu maximum\n\t%lu no memory\n\tbuckets in use\t%lu\n",
382 ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
383 PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
384 ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
385 if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
387 for (i = 0; i < IPSTATE_SIZE; i++) {
389 if (kmemcpy((char *)&ips, (u_long)istab[i],
392 PRINTF("%s -> ", inet_ntoa(ips.is_src));
393 PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
394 inet_ntoa(ips.is_dst), ips.is_age,
395 ips.is_pass, ips.is_p, ips.is_state[0],
398 PRINTF("\tpkts %qd bytes %qd",
399 ips.is_pkts, ips.is_bytes);
401 PRINTF("\tpkts %ld bytes %ld",
402 ips.is_pkts, ips.is_bytes);
404 if (ips.is_p == IPPROTO_TCP)
405 #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
406 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
407 PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
410 ips.is_send, ips.is_dend,
411 ips.is_maxswin, ips.is_maxdwin);
413 PRINTF("\t%hu -> %hu %lx:%lx %hu:%hu",
416 ips.is_send, ips.is_dend,
417 ips.is_maxswin, ips.is_maxdwin);
419 else if (ips.is_p == IPPROTO_UDP)
420 PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
421 ntohs(ips.is_dport));
422 else if (ips.is_p == IPPROTO_ICMP)
423 PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
425 ips.is_icmp.ics_type);
429 if (ips.is_pass & FR_PASS) {
431 } else if (ips.is_pass & FR_BLOCK) {
433 switch (ips.is_pass & FR_RETMASK)
436 PRINTF(" return-icmp");
439 PRINTF(" return-icmp-as-dest");
442 PRINTF(" return-rst");
447 } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
449 if (ips.is_pass & FR_LOGBODY)
451 if (ips.is_pass & FR_LOGFIRST)
453 } else if (ips.is_pass & FR_ACCOUNT)
456 if (ips.is_pass & FR_OUTQUE)
461 if ((ips.is_pass & FR_LOG) != 0) {
463 if (ips.is_pass & FR_LOGBODY)
465 if (ips.is_pass & FR_LOGFIRST)
467 if (ips.is_pass & FR_LOGORBLOCK)
470 if (ips.is_pass & FR_QUICK)
472 if (ips.is_pass & FR_KEEPFRAG)
473 PRINTF(" keep frags");
475 if (ips.is_pass & FR_KEEPSTATE)
476 PRINTF(" keep state");
479 PRINTF("\tpkt_flags & %x(%x) = %x,\t",
480 ips.is_flags & 0xf, ips.is_flags,
482 PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
484 PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
485 ips.is_secmsk, ips.is_sec, ips.is_authmsk,
487 istab[i] = ips.is_next;
488 PRINTF("interfaces: in %s[%p] ",
489 get_ifname(ips.is_ifpin), ips.is_ifpin);
490 PRINTF("out %s[%p]\n",
491 get_ifname(ips.is_ifpout), ips.is_ifpout);
497 static void showfrstates(fd, ifsp)
501 struct ipfr *ipfrtab[IPFT_SIZE], ifr;
505 PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
506 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
507 PRINTF("\t%lu no memory\n\t%lu already exist\n",
508 ifsp->ifs_nomem, ifsp->ifs_exists);
509 PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
510 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
512 for (i = 0; i < IPFT_SIZE; i++)
514 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
517 PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src));
518 if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
521 PRINTF("%s %d %d %d %#02x = %#x\n",
522 inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id,
523 ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
525 ipfrtab[i] = ifr.ipfr_next;
530 static void showauthstates(fd, asp)
534 frauthent_t *frap, fra;
537 printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits,
540 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
543 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
544 asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
546 printf("queok %ld\nquefail %ld\nexpire %ld\n",
547 asp->fas_queok, asp->fas_quefail, asp->fas_expire);
549 frap = asp->fas_faelist;
551 if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
554 printf("age %ld\t", fra.fae_age);
555 printfr(&fra.fae_fr);
561 static char *get_ifname(ptr)
568 if (ptr == (void *)-1)
573 if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
575 ifname = malloc(ill.ill_name_length + 1);
576 if (kmemcpy(ifname, (u_long)ill.ill_name,
577 ill.ill_name_length) == -1)
581 # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
589 if (ptr == (void *)-1)
594 if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
596 # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
598 return strdup(netif.if_xname);
600 if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
602 if (netif.if_unit < 10)
604 else if (netif.if_unit < 1000)
606 else if (netif.if_unit < 10000)
610 buf[sizeof(buf) - len] = '\0';
611 sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
618 static void showgroups(fiop)
619 struct friostat *fiop;
621 static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
628 for (i = 0; i < 3; i++) {
629 printf("%s groups (active):\n", gnames[i]);
630 for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
631 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
634 printf("%hu\n", grp.fg_num);
635 printf("%s groups (inactive):\n", gnames[i]);
636 for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
637 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
640 printf("%hu\n", grp.fg_num);
projects / FreeBSD / FreeBSD.git / blob