2 * Copyright (C) 1993-1998 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 # include <osreldate.h>
13 #if !defined(__SVR4) && !defined(__svr4__)
16 #include <sys/types.h>
18 #include <sys/param.h>
25 #include <sys/socket.h>
26 #include <sys/ioctl.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29 #include <netinet/in_systm.h>
30 #include <netinet/ip.h>
32 #if __FreeBSD_version >= 300000
33 # include <net/if_var.h>
36 #include <arpa/nameser.h>
38 #include <netinet/tcp.h>
39 #include "netinet/ip_compat.h"
40 #include "netinet/ip_fil.h"
42 #include "netinet/ip_proxy.h"
43 #include "netinet/ip_nat.h"
44 #include "netinet/ip_frag.h"
45 #include "netinet/ip_state.h"
46 #include "netinet/ip_auth.h"
48 #if defined(__NetBSD__) || (__OpenBSD__)
53 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
54 static const char rcsid[] = "@(#)$Id: fils.c,v 2.2.2.4 1999/12/04 02:06:24 darrenr Exp $";
59 #define PRINTF (void)printf
60 #define FPRINTF (void)fprintf
64 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
65 "ipacct(in)", "ipacct(out)" };
69 extern int main __P((int, char *[]));
70 static void showstats __P((int, friostat_t *));
71 static void showfrstates __P((int, ipfrstat_t *));
72 static void showlist __P((friostat_t *));
73 static void showipstates __P((int, ips_stat_t *));
74 static void showauthstates __P((int, fr_authstat_t *));
75 static void showgroups __P((friostat_t *));
76 static void Usage __P((char *));
77 static void printlist __P((frentry_t *));
78 static char *get_ifname __P((void *));
81 static void Usage(name)
84 fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
93 fr_authstat_t frauthst;
97 char *name = NULL, *device = IPL_NAME;
100 if (openkmem() == -1)
103 (void)setuid(getuid());
104 (void)setgid(getgid());
106 while ((c = getopt(argc, argv, "aAfghIinosvd:")) != -1)
111 opts |= OPT_ACCNT|OPT_SHOWLIST;
114 opts |= OPT_AUTHSTATS;
120 opts |= OPT_FRSTATES;
129 opts |= OPT_INQUE|OPT_SHOWLIST;
132 opts |= OPT_INACTIVE;
135 opts |= OPT_SHOWLINENO;
138 opts |= OPT_OUTQUE|OPT_SHOWLIST;
141 opts |= OPT_IPSTATES;
152 if ((fd = open(device, O_RDONLY)) < 0) {
157 bzero((char *)&fio, sizeof(fio));
158 bzero((char *)&ipsst, sizeof(ipsst));
159 bzero((char *)&ifrst, sizeof(ifrst));
161 if (ioctl(fd, SIOCGETFS, &fio) == -1) {
162 perror("ioctl(SIOCGETFS)");
165 if ((opts & OPT_IPSTATES)) {
166 int sfd = open(IPL_STATE, O_RDONLY);
172 if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
173 perror("ioctl(SIOCGIPST)");
178 if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
179 perror("ioctl(SIOCGFRST)");
183 if (opts & OPT_VERBOSE)
184 PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
186 if ((opts & OPT_AUTHSTATS) &&
187 (ioctl(fd, SIOCATHST, &frauthst) == -1)) {
188 perror("ioctl(SIOCATHST)");
192 if (opts & OPT_SHOWLIST) {
194 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
199 if (opts & OPT_IPSTATES)
200 showipstates(fd, &ipsst);
201 else if (opts & OPT_FRSTATES)
202 showfrstates(fd, &ifrst);
203 else if (opts & OPT_AUTHSTATS)
204 showauthstates(fd, &frauthst);
205 else if (opts & OPT_GROUPS)
215 * read the kernel stats for packets blocked and passed
217 static void showstats(fd, fp)
223 if (ioctl(fd, SIOCGETFF, &frf) == -1)
224 perror("ioctl(SIOCGETFF)");
227 PRINTF("dropped packets:\tin %lu\tout %lu\n",
228 fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
229 PRINTF("non-data packets:\tin %lu\tout %lu\n",
230 fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
231 PRINTF("no-data packets:\tin %lu\tout %lu\n",
232 fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
233 PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
234 fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
235 PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
236 fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
238 PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
239 fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
241 PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
242 PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
243 fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
245 PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
246 PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
247 fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
248 PRINTF("output packets logged:\tblocked %lu passed %lu\n",
249 fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
250 PRINTF(" packets logged:\tinput %lu output %lu\n",
251 fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
252 PRINTF(" log failures:\t\tinput %lu output %lu\n",
253 fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
254 PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
255 fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
256 PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
257 fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
258 PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
259 fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
260 PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
261 fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
262 PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
263 fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
264 PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
265 fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
266 PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
267 fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
268 PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
269 fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
270 PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
271 fp->f_froute[0], fp->f_froute[1]);
272 PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
273 fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
275 PRINTF("Packet log flags set: (%#x)\n", frf);
276 if (frf & FF_LOGPASS)
277 PRINTF("\tpackets passed through filter\n");
278 if (frf & FF_LOGBLOCK)
279 PRINTF("\tpackets blocked by filter\n");
280 if (frf & FF_LOGNOMATCH)
281 PRINTF("\tpackets not matched by filter\n");
287 static void printlist(fp)
293 for (n = 1; fp; n++) {
294 if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
299 if (opts & OPT_OUTQUE)
300 fp->fr_flags |= FR_OUTQUE;
301 if (opts & (OPT_HITS|OPT_VERBOSE))
303 PRINTF("%qd ", fp->fr_hits);
305 PRINTF("%ld ", fp->fr_hits);
307 if (opts & (OPT_ACCNT|OPT_VERBOSE))
309 PRINTF("%qd ", fp->fr_bytes);
311 PRINTF("%ld ", fp->fr_bytes);
313 if (opts & OPT_SHOWLINENO)
316 if (opts & OPT_VERBOSE)
319 printlist(fp->fr_grp);
325 * print out filter rule list
327 static void showlist(fiop)
328 struct friostat *fiop;
330 struct frentry *fp = NULL;
333 set = fiop->f_active;
334 if (opts & OPT_INACTIVE)
336 if (opts & OPT_ACCNT) {
338 if (opts & OPT_OUTQUE) {
339 fp = (struct frentry *)fiop->f_acctout[set];
341 } else if (opts & OPT_INQUE)
342 fp = (struct frentry *)fiop->f_acctin[set];
344 FPRINTF(stderr, "No -i or -o given with -a\n");
347 } else if (opts & OPT_OUTQUE) {
349 fp = (struct frentry *)fiop->f_fout[set];
350 } else if (opts & OPT_INQUE) {
352 fp = (struct frentry *)fiop->f_fin[set];
355 if (opts & OPT_VERBOSE)
356 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
358 if (opts & OPT_VERBOSE)
359 PRINTF("fp %p set %d\n", fp, set);
361 FPRINTF(stderr, "empty list for %s%s\n",
362 (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
369 static void showipstates(fd, ipsp)
373 ipstate_t *istab[IPSTATE_SIZE], ips;
376 PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
377 ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
378 PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss);
379 PRINTF("\t%lu maximum\n\t%lu no memory\n\tbuckets in use\t%lu\n",
380 ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
381 PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
382 ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
383 if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
385 for (i = 0; i < IPSTATE_SIZE; i++) {
387 if (kmemcpy((char *)&ips, (u_long)istab[i],
390 PRINTF("%s -> ", inet_ntoa(ips.is_src));
391 PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
392 inet_ntoa(ips.is_dst), ips.is_age,
393 ips.is_pass, ips.is_p, ips.is_state[0],
396 PRINTF("\tpkts %qd bytes %qd",
397 ips.is_pkts, ips.is_bytes);
399 PRINTF("\tpkts %ld bytes %ld",
400 ips.is_pkts, ips.is_bytes);
402 if (ips.is_p == IPPROTO_TCP)
403 #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
404 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
405 PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
408 ips.is_send, ips.is_dend,
409 ips.is_maxswin, ips.is_maxdwin);
411 PRINTF("\t%hu -> %hu %lx:%lx %hu:%hu",
414 ips.is_send, ips.is_dend,
415 ips.is_maxswin, ips.is_maxdwin);
417 else if (ips.is_p == IPPROTO_UDP)
418 PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
419 ntohs(ips.is_dport));
420 else if (ips.is_p == IPPROTO_ICMP)
421 PRINTF(" %hu %hu %d", ips.is_icmp.ics_id,
423 ips.is_icmp.ics_type);
427 if (ips.is_pass & FR_PASS) {
429 } else if (ips.is_pass & FR_BLOCK) {
431 switch (ips.is_pass & FR_RETMASK)
434 PRINTF(" return-icmp");
437 PRINTF(" return-icmp-as-dest");
440 PRINTF(" return-rst");
445 } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
447 if (ips.is_pass & FR_LOGBODY)
449 if (ips.is_pass & FR_LOGFIRST)
451 } else if (ips.is_pass & FR_ACCOUNT)
454 if (ips.is_pass & FR_OUTQUE)
459 if ((ips.is_pass & FR_LOG) != 0) {
461 if (ips.is_pass & FR_LOGBODY)
463 if (ips.is_pass & FR_LOGFIRST)
465 if (ips.is_pass & FR_LOGORBLOCK)
468 if (ips.is_pass & FR_QUICK)
470 if (ips.is_pass & FR_KEEPFRAG)
471 PRINTF(" keep frags");
473 if (ips.is_pass & FR_KEEPSTATE)
474 PRINTF(" keep state");
477 PRINTF("\tpkt_flags & %x(%x) = %x,\t",
478 ips.is_flags & 0xf, ips.is_flags,
480 PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
482 PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
483 ips.is_secmsk, ips.is_sec, ips.is_authmsk,
485 istab[i] = ips.is_next;
486 PRINTF("interfaces: in %s[%p] ",
487 get_ifname(ips.is_ifpin), ips.is_ifpin);
488 PRINTF("out %s[%p]\n",
489 get_ifname(ips.is_ifpout), ips.is_ifpout);
495 static void showfrstates(fd, ifsp)
499 struct ipfr *ipfrtab[IPFT_SIZE], ifr;
503 PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
504 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
505 PRINTF("\t%lu no memory\n\t%lu already exist\n",
506 ifsp->ifs_nomem, ifsp->ifs_exists);
507 PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
508 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
510 for (i = 0; i < IPFT_SIZE; i++)
512 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
515 PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src));
516 if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
519 PRINTF("%s %d %d %d %#02x = %#x\n",
520 inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id,
521 ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
523 ipfrtab[i] = ifr.ipfr_next;
528 static void showauthstates(fd, asp)
532 frauthent_t *frap, fra;
535 printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits,
538 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
541 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
542 asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
544 printf("queok %ld\nquefail %ld\nexpire %ld\n",
545 asp->fas_queok, asp->fas_quefail, asp->fas_expire);
547 frap = asp->fas_faelist;
549 if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
552 printf("age %ld\t", fra.fae_age);
553 printfr(&fra.fae_fr);
559 static char *get_ifname(ptr)
566 if (ptr == (void *)-1)
571 if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
573 ifname = malloc(ill.ill_name_length + 1);
574 if (kmemcpy(ifname, (u_long)ill.ill_name,
575 ill.ill_name_length) == -1)
579 # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
587 if (ptr == (void *)-1)
592 if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
594 # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
596 return strdup(netif.if_xname);
598 if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
600 if (netif.if_unit < 10)
602 else if (netif.if_unit < 1000)
604 else if (netif.if_unit < 10000)
608 buf[sizeof(buf) - len] = '\0';
609 sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
616 static void showgroups(fiop)
617 struct friostat *fiop;
619 static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
626 for (i = 0; i < 3; i++) {
627 printf("%s groups (active):\n", gnames[i]);
628 for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
629 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
632 printf("%hu\n", grp.fg_num);
633 printf("%s groups (inactive):\n", gnames[i]);
634 for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
635 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
638 printf("%hu\n", grp.fg_num);