4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
13 #if defined(sun) && defined(__SVR4)
17 #include "netinet/ipl.h"
19 # if defined(sun) && defined(__SVR4)
20 # include <sys/select.h>
22 # include <netinet/ip_var.h>
23 # include <netinet/tcp_fsm.h>
27 # if SOLARIS || defined(__NetBSD__)
37 #if defined(__NetBSD__)
42 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
43 static const char rcsid[] = "@(#)$Id$";
51 #define PRINTF (void)printf
52 #define FPRINTF (void)fprintf
53 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
54 "ipacct(in)", "ipacct(out)" };
55 static int state_logging = -1;
56 static wordtab_t *state_fields = NULL;
69 frgroup_t *grtop = NULL;
70 frgroup_t *grtail = NULL;
72 char *blockreasons[FRB_MAX_VALUE + 1] = {
79 "IP ID update failed",
80 "log-or-block failed",
81 "decapsulate failure",
82 "cannot create new auth entry",
83 "packet queued for auth",
84 "buffer coalesce failure",
85 "buffer pullup failure",
99 #define STSORT_BYTES 2
101 #define STSORT_SRCIP 4
102 #define STSORT_SRCPT 5
103 #define STSORT_DSTIP 6
104 #define STSORT_DSTPT 7
105 #define STSORT_MAX STSORT_DSTPT
106 #define STSORT_DEFAULT STSORT_BYTES
109 typedef struct statetop {
123 int main __P((int, char *[]));
125 static int fetchfrag __P((int, int, ipfr_t *));
126 static void showstats __P((friostat_t *, u_32_t));
127 static void showfrstates __P((ipfrstat_t *, u_long));
128 static void showlist __P((friostat_t *));
129 static void showstatestats __P((ips_stat_t *));
130 static void showipstates __P((ips_stat_t *, int *));
131 static void showauthstates __P((ipf_authstat_t *));
132 static void showtqtable_live __P((int));
133 static void showgroups __P((friostat_t *));
134 static void usage __P((char *));
135 static int state_matcharray __P((ipstate_t *, int *));
136 static int printlivelist __P((friostat_t *, int, int, frentry_t *,
138 static void printdeadlist __P((friostat_t *, int, int, frentry_t *,
140 static void printside __P((char *, ipf_statistics_t *));
141 static void parse_ipportstr __P((const char *, i6addr_t *, int *));
142 static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
143 ipfrstat_t **, ipf_authstat_t **, u_32_t *));
144 static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
145 ipfrstat_t **, ipf_authstat_t **, u_32_t *));
146 static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
148 static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
149 int, int, int, int *));
150 static void sig_break __P((int));
151 static void sig_resize __P((int));
152 static char *getip __P((int, i6addr_t *));
153 static char *ttl_to_string __P((long));
154 static int sort_p __P((const void *, const void *));
155 static int sort_pkts __P((const void *, const void *));
156 static int sort_bytes __P((const void *, const void *));
157 static int sort_ttl __P((const void *, const void *));
158 static int sort_srcip __P((const void *, const void *));
159 static int sort_srcpt __P((const void *, const void *));
160 static int sort_dstip __P((const void *, const void *));
161 static int sort_dstpt __P((const void *, const void *));
165 static void usage(name)
169 fprintf(stderr, "Usage: %s [-46aAdfghIilnoRsv]\n", name);
171 fprintf(stderr, "Usage: %s [-4aAdfghIilnoRsv]\n", name);
173 fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name);
176 fprintf(stderr, " %s -t [-46C] ", name);
178 fprintf(stderr, " %s -t [-4C] ", name);
181 fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
190 ipf_authstat_t frauthst;
191 ipf_authstat_t *frauthstp = &frauthst;
193 friostat_t *fiop = &fio;
195 ips_stat_t *ipsstp = &ipsst;
197 ipfrstat_t *ifrstp = &ifrst;
205 int protocol = -1; /* -1 = wild card for any protocol */
206 int refreshtime = 1; /* default update time */
207 int sport = -1; /* -1 = wild card for any source port */
208 int dport = -1; /* -1 = wild card for any dest port */
209 int topclosed = 0; /* do not show closed tcp sessions */
210 i6addr_t saddr, daddr;
214 options = "46aACdfghIilnostvD:m:M:N:O:P:RS:T:";
216 options = "4aACdfghIilnostvD:m:M:N:O:P:RS:T:";
219 saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
220 daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */
222 saddr.in6 = in6addr_any; /* default any v6 source addr */
223 daddr.in6 = in6addr_any; /* default any v6 dest addr */
226 /* Don't warn about invalid flags when we run getopt for the 1st time */
230 * Parse these two arguments now lest there be any buffer overflows
231 * in the parsing of the rest.
234 while ((c = getopt(argc, argv, options)) != -1) {
249 if (live_kernel == 1) {
250 if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
251 perror("open(IPSTATE_NAME)");
254 if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
255 perror("open(IPAUTH_NAME)");
258 if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
259 perror("open(IPAUTH_NAME)");
262 if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
263 fprintf(stderr, "open(%s)", IPL_NAME);
269 if (kern != NULL || memf != NULL) {
270 (void)setgid(getgid());
271 (void)setuid(getuid());
274 if (live_kernel == 1) {
275 (void) checkrev(IPL_NAME);
277 if (openkmem(kern, memf) == -1)
281 (void)setgid(getgid());
282 (void)setuid(getuid());
286 while ((c = getopt(argc, argv, options)) != -1)
299 opts |= OPT_ACCNT|OPT_SHOWLIST;
302 opts |= OPT_AUTHSTATS;
311 parse_ipportstr(optarg, &daddr, &dport);
314 opts |= OPT_FRSTATES;
323 opts |= OPT_INQUE|OPT_SHOWLIST;
326 opts |= OPT_INACTIVE;
329 opts |= OPT_SHOWLIST;
332 filter = parseipfexpr(optarg, NULL);
333 if (filter == NULL) {
334 fprintf(stderr, "Error parseing '%s'\n",
344 opts |= OPT_SHOWLINENO;
347 opts |= OPT_OUTQUE|OPT_SHOWLIST;
350 state_fields = parsefields(statefields, optarg);
353 protocol = getproto(optarg);
354 if (protocol == -1) {
355 fprintf(stderr, "%s: Invalid protocol: %s\n",
361 opts |= OPT_NORESOLVE;
364 opts |= OPT_IPSTATES;
367 parse_ipportstr(optarg, &saddr, &sport);
371 opts |= OPT_STATETOP;
375 "%s: state top facility not compiled in\n",
380 if (!sscanf(optarg, "%d", &refreshtime) ||
381 (refreshtime <= 0)) {
383 "%s: Invalid refreshtime < 1 : %s\n",
397 if ((use_inet4 || use_inet6) &&
398 !(opts & (OPT_INQUE | OPT_OUTQUE | OPT_STATETOP))) {
400 FPRINTF(stderr, "No -i, -o, or -t given with -4 or -6\n");
402 FPRINTF(stderr, "No -i or -o given with -4 or -6\n");
406 if (use_inet4 == 0 && use_inet6 == 0)
407 use_inet4 = use_inet6 = 1;
410 if (live_kernel == 1) {
411 bzero((char *)&fio, sizeof(fio));
412 bzero((char *)&ipsst, sizeof(ipsst));
413 bzero((char *)&ifrst, sizeof(ifrst));
415 ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
418 ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
421 if (opts & OPT_IPSTATES) {
422 showipstates(ipsstp, filter);
423 } else if (opts & OPT_SHOWLIST) {
425 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
429 } else if (opts & OPT_FRSTATES)
430 showfrstates(ifrstp, fiop->f_ticks);
432 else if (opts & OPT_STATETOP)
433 topipstates(saddr, daddr, sport, dport, protocol,
435 use_inet6 && use_inet4 ? 0 : use_inet6 && !use_inet4 ? 6 : 4,
440 refreshtime, topclosed, filter);
441 else if (opts & OPT_AUTHSTATS)
442 showauthstates(frauthstp);
443 else if (opts & OPT_GROUPS)
446 showstats(fiop, frf);
453 * Fill in the stats structures from the live kernel, using a combination
454 * of ioctl's and copying directly from kernel memory.
456 static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
459 ips_stat_t **ipsstpp;
460 ipfrstat_t **ifrstpp;
461 ipf_authstat_t **frauthstpp;
466 if (checkrev(device) == -1) {
467 fprintf(stderr, "User/kernel version check failed\n");
471 if ((opts & OPT_AUTHSTATS) == 0) {
472 bzero((caddr_t)&ipfo, sizeof(ipfo));
473 ipfo.ipfo_rev = IPFILTER_VERSION;
474 ipfo.ipfo_type = IPFOBJ_IPFSTAT;
475 ipfo.ipfo_size = sizeof(friostat_t);
476 ipfo.ipfo_ptr = (void *)*fiopp;
478 if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
479 ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)");
483 if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
484 ipferror(ipf_fd, "ioctl(SIOCGETFF)");
487 if ((opts & OPT_IPSTATES) != 0) {
489 bzero((caddr_t)&ipfo, sizeof(ipfo));
490 ipfo.ipfo_rev = IPFILTER_VERSION;
491 ipfo.ipfo_type = IPFOBJ_STATESTAT;
492 ipfo.ipfo_size = sizeof(ips_stat_t);
493 ipfo.ipfo_ptr = (void *)*ipsstpp;
495 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
496 ipferror(state_fd, "ioctl(state:SIOCGETFS)");
499 if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
500 ipferror(state_fd, "ioctl(state:SIOCGETLG)");
505 if ((opts & OPT_FRSTATES) != 0) {
506 bzero((caddr_t)&ipfo, sizeof(ipfo));
507 ipfo.ipfo_rev = IPFILTER_VERSION;
508 ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
509 ipfo.ipfo_size = sizeof(ipfrstat_t);
510 ipfo.ipfo_ptr = (void *)*ifrstpp;
512 if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
513 ipferror(ipf_fd, "ioctl(SIOCGFRST)");
518 if (opts & OPT_DEBUG)
519 PRINTF("opts %#x name %s\n", opts, device);
521 if ((opts & OPT_AUTHSTATS) != 0) {
522 bzero((caddr_t)&ipfo, sizeof(ipfo));
523 ipfo.ipfo_rev = IPFILTER_VERSION;
524 ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
525 ipfo.ipfo_size = sizeof(ipf_authstat_t);
526 ipfo.ipfo_ptr = (void *)*frauthstpp;
528 if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
529 ipferror(auth_fd, "ioctl(SIOCATHST)");
537 * Build up the stats structures from data held in the "core" memory.
538 * This is mainly useful when looking at data in crash dumps and ioctl's
539 * just won't work any more.
541 static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
544 ips_stat_t **ipsstpp;
545 ipfrstat_t **ifrstpp;
546 ipf_authstat_t **frauthstpp;
549 static ipf_authstat_t frauthst, *frauthstp;
550 static ipftq_t ipstcptab[IPF_TCP_NSTATES];
551 static ips_stat_t ipsst, *ipsstp;
552 static ipfrstat_t ifrst, *ifrstp;
553 static friostat_t fio, *fiop;
557 struct nlist deadlist[44] = {
558 { "ipf_auth_stats", 0, 0, 0, 0 }, /* 0 */
559 { "fae_list", 0, 0, 0, 0 },
560 { "ipauth", 0, 0, 0, 0 },
561 { "ipf_auth_list", 0, 0, 0, 0 },
562 { "ipf_auth_start", 0, 0, 0, 0 },
563 { "ipf_auth_end", 0, 0, 0, 0 }, /* 5 */
564 { "ipf_auth_next", 0, 0, 0, 0 },
565 { "ipf_auth", 0, 0, 0, 0 },
566 { "ipf_auth_used", 0, 0, 0, 0 },
567 { "ipf_auth_size", 0, 0, 0, 0 },
568 { "ipf_auth_defaultage", 0, 0, 0, 0 }, /* 10 */
569 { "ipf_auth_pkts", 0, 0, 0, 0 },
570 { "ipf_auth_lock", 0, 0, 0, 0 },
571 { "frstats", 0, 0, 0, 0 },
572 { "ips_stats", 0, 0, 0, 0 },
573 { "ips_num", 0, 0, 0, 0 }, /* 15 */
574 { "ips_wild", 0, 0, 0, 0 },
575 { "ips_list", 0, 0, 0, 0 },
576 { "ips_table", 0, 0, 0, 0 },
577 { "ipf_state_max", 0, 0, 0, 0 },
578 { "ipf_state_size", 0, 0, 0, 0 }, /* 20 */
579 { "ipf_state_doflush", 0, 0, 0, 0 },
580 { "ipf_state_lock", 0, 0, 0, 0 },
581 { "ipfr_heads", 0, 0, 0, 0 },
582 { "ipfr_nattab", 0, 0, 0, 0 },
583 { "ipfr_stats", 0, 0, 0, 0 }, /* 25 */
584 { "ipfr_inuse", 0, 0, 0, 0 },
585 { "ipf_ipfrttl", 0, 0, 0, 0 },
586 { "ipf_frag_lock", 0, 0, 0, 0 },
587 { "ipfr_timer_id", 0, 0, 0, 0 },
588 { "ipf_nat_lock", 0, 0, 0, 0 }, /* 30 */
589 { "ipf_rules", 0, 0, 0, 0 },
590 { "ipf_acct", 0, 0, 0, 0 },
591 { "ipl_frouteok", 0, 0, 0, 0 },
592 { "ipf_running", 0, 0, 0, 0 },
593 { "ipf_groups", 0, 0, 0, 0 }, /* 35 */
594 { "ipf_active", 0, 0, 0, 0 },
595 { "ipf_pass", 0, 0, 0, 0 },
596 { "ipf_flags", 0, 0, 0, 0 },
597 { "ipf_state_logging", 0, 0, 0, 0 },
598 { "ips_tqtqb", 0, 0, 0, 0 }, /* 40 */
603 frauthstp = &frauthst;
612 *frauthstpp = frauthstp;
614 bzero((char *)fiop, sizeof(*fiop));
615 bzero((char *)ipsstp, sizeof(*ipsstp));
616 bzero((char *)ifrstp, sizeof(*ifrstp));
617 bzero((char *)frauthstp, sizeof(*frauthstp));
619 if (nlist(kernel, deadlist) == -1) {
620 fprintf(stderr, "nlist error\n");
625 * This is for SIOCGETFF.
627 kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
630 * f_locks is a combination of the lock variable from each part of
631 * ipfilter (state, auth, nat, fragments).
633 kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
634 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
635 sizeof(fiop->f_locks[0]));
636 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
637 sizeof(fiop->f_locks[1]));
638 kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
639 sizeof(fiop->f_locks[2]));
640 kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
641 sizeof(fiop->f_locks[3]));
644 * Get pointers to each list of rules (active, inactive, in, out)
646 kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
647 fiop->f_fin[0] = rules[0][0];
648 fiop->f_fin[1] = rules[0][1];
649 fiop->f_fout[0] = rules[1][0];
650 fiop->f_fout[1] = rules[1][1];
653 * Now get accounting rules pointers.
655 kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
656 fiop->f_acctin[0] = rules[0][0];
657 fiop->f_acctin[1] = rules[0][1];
658 fiop->f_acctout[0] = rules[1][0];
659 fiop->f_acctout[1] = rules[1][1];
662 * A collection of "global" variables used inside the kernel which
663 * are all collected in friostat_t via ioctl.
665 kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value,
666 sizeof(fiop->f_froute));
667 kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value,
668 sizeof(fiop->f_running));
669 kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value,
670 sizeof(fiop->f_groups));
671 kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value,
672 sizeof(fiop->f_active));
673 kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value,
674 sizeof(fiop->f_defpass));
677 * Build up the state information stats structure.
679 kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
680 kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
681 kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value,
683 ipsstp->iss_active = temp;
684 ipsstp->iss_table = (void *)deadlist[18].n_value;
685 ipsstp->iss_list = (void *)deadlist[17].n_value;
686 ipsstp->iss_tcptab = ipstcptab;
689 * Build up the authentiation information stats structure.
691 kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
693 frauthstp->fas_faelist = (void *)deadlist[1].n_value;
696 * Build up the fragment information stats structure.
698 kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
700 ifrstp->ifs_table = (void *)deadlist[23].n_value;
701 ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
702 kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
703 sizeof(ifrstp->ifs_inuse));
706 * Get logging on/off switches
708 kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
709 sizeof(state_logging));
713 static void printside(side, frs)
715 ipf_statistics_t *frs;
719 PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side);
721 PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side);
723 PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side);
724 PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side);
725 PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side);
726 PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side);
727 PRINTF("%lu\t%s packets short\n", frs->fr_short, side);
728 PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side);
729 PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side);
730 PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side);
731 PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side);
732 PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side);
733 PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side);
734 PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side);
735 PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side);
736 PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side);
737 PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side);
738 PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side);
739 PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side);
740 PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side);
741 for (i = 0; i <= FRB_MAX_VALUE; i++)
742 PRINTF("%lu\t%s block reason %s\n",
743 frs->fr_blocked[i], side, blockreasons[i]);
748 * Display the kernel stats for packets blocked and passed and other
749 * associated running totals which are kept.
751 static void showstats(fp, frf)
755 printside("input", &fp->f_st[0]);
756 printside("output", &fp->f_st[1]);
758 PRINTF("%lu\tpackets logged\n", fp->f_log_ok);
759 PRINTF("%lu\tlog failures\n", fp->f_log_fail);
760 PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem);
761 PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max);
762 PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret);
763 PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret);
764 PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]);
765 PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]);
766 PRINTF("%u\tIPF Ticks\n", fp->f_ticks);
768 PRINTF("%x\tPacket log flags set:\n", frf);
769 if (frf & FF_LOGPASS)
770 PRINTF("\tpackets passed through filter\n");
771 if (frf & FF_LOGBLOCK)
772 PRINTF("\tpackets blocked by filter\n");
773 if (frf & FF_LOGNOMATCH)
774 PRINTF("\tpackets not matched by filter\n");
781 * Print out a list of rules from the kernel, starting at the one passed.
784 printlivelist(fiop, out, set, fp, group, comment)
785 struct friostat *fiop;
788 char *group, *comment;
800 rule.iri_inout = out;
801 rule.iri_active = set;
805 strncpy(rule.iri_group, group, FR_GROUPLEN);
807 rule.iri_group[0] = '\0';
809 bzero((char *)&zero, sizeof(zero));
811 bzero((char *)&obj, sizeof(obj));
812 obj.ipfo_rev = IPFILTER_VERSION;
813 obj.ipfo_type = IPFOBJ_IPFITER;
814 obj.ipfo_size = sizeof(rule);
815 obj.ipfo_ptr = &rule;
817 while (rule.iri_rule != NULL) {
820 memset(array, 0xff, sizeof(array));
821 fp = (frentry_t *)array;
823 if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
824 ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
825 num = IPFGENITER_IPF;
826 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
829 if (bcmp(fp, &zero, sizeof(zero)) == 0)
831 if (rule.iri_rule == NULL)
834 if (use_inet6 != 0 && use_inet4 == 0) {
835 if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
837 } else if (use_inet4 != 0 && use_inet6 == 0) {
839 if (fp->fr_family != 0 && fp->fr_family != AF_INET)
843 if (fp->fr_family != 0 &&
844 fp->fr_family != AF_INET && fp->fr_family != AF_INET6)
849 if (fp->fr_data != NULL)
850 fp->fr_data = (char *)fp + fp->fr_size;
854 if (opts & (OPT_HITS|OPT_DEBUG))
856 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
858 PRINTF("%lu ", fp->fr_hits);
860 if (opts & (OPT_ACCNT|OPT_DEBUG))
862 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
864 PRINTF("%lu ", fp->fr_bytes);
866 if (opts & OPT_SHOWLINENO)
867 PRINTF("@%d ", rules);
870 fp->fr_die -= fiop->f_ticks;
873 if (opts & OPT_DEBUG) {
874 binprint(fp, fp->fr_size);
875 if (fp->fr_data != NULL && fp->fr_dsize > 0)
876 binprint(fp->fr_data, fp->fr_dsize);
878 if (fp->fr_grhead != -1) {
879 for (g = grtop; g != NULL; g = g->fg_next) {
880 if (!strncmp(fp->fr_names + fp->fr_grhead,
886 g = calloc(1, sizeof(*g));
890 fp->fr_names + fp->fr_grhead,
902 if (fp->fr_type == FR_T_CALLFUNC) {
903 rules += printlivelist(fiop, out, set, fp->fr_data,
904 group, "# callfunc: ");
908 num = IPFGENITER_IPF;
909 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
915 static void printdeadlist(fiop, out, set, fp, group, comment)
919 char *group, *comment;
921 frgroup_t *grtop, *grtail, *g;
932 for (n = 1; fp; fp = fb.fr_next, n++) {
933 if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
940 if (use_inet6 != 0 && use_inet4 == 0) {
941 if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
943 } else if (use_inet4 != 0 && use_inet6 == 0) {
945 if (fp->fr_family != 0 && fp->fr_family != AF_INET)
949 if (fp->fr_family != 0 &&
950 fp->fr_family != AF_INET && fp->fr_family != AF_INET6)
956 type = fb.fr_type & ~FR_T_BUILTIN;
957 if (type == FR_T_IPF || type == FR_T_BPFOPC) {
959 data = malloc(fb.fr_dsize);
961 if (kmemcpy(data, (u_long)fb.fr_data,
962 fb.fr_dsize) == -1) {
972 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
974 PRINTF("%lu ", fb.fr_hits);
976 if (opts & OPT_ACCNT)
978 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
980 PRINTF("%lu ", fb.fr_bytes);
982 if (opts & OPT_SHOWLINENO)
986 if (opts & OPT_DEBUG) {
987 binprint(fp, fp->fr_size);
988 if (fb.fr_data != NULL && fb.fr_dsize > 0)
989 binprint(fb.fr_data, fb.fr_dsize);
993 if (fb.fr_grhead != -1) {
994 g = calloc(1, sizeof(*g));
997 strncpy(g->fg_name, fb.fr_names + fb.fr_grhead,
1003 grtail->fg_next = g;
1008 if (type == FR_T_CALLFUNC) {
1009 printdeadlist(fiop, out, set, fb.fr_data, group,
1014 while ((g = grtop) != NULL) {
1015 printdeadlist(fiop, out, set, NULL, g->fg_name, comment);
1022 * print out all of the asked for rule sets, using the stats struct as
1023 * the base from which to get the pointers.
1025 static void showlist(fiop)
1026 struct friostat *fiop;
1028 struct frentry *fp = NULL;
1031 set = fiop->f_active;
1032 if (opts & OPT_INACTIVE)
1034 if (opts & OPT_ACCNT) {
1035 if (opts & OPT_OUTQUE) {
1037 fp = (struct frentry *)fiop->f_acctout[set];
1038 } else if (opts & OPT_INQUE) {
1040 fp = (struct frentry *)fiop->f_acctin[set];
1042 FPRINTF(stderr, "No -i or -o given with -a\n");
1046 if (opts & OPT_OUTQUE) {
1048 fp = (struct frentry *)fiop->f_fout[set];
1049 } else if (opts & OPT_INQUE) {
1051 fp = (struct frentry *)fiop->f_fin[set];
1055 if (opts & OPT_DEBUG)
1056 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
1058 if (opts & OPT_DEBUG)
1059 PRINTF("fp %p set %d\n", fp, set);
1061 if (live_kernel == 1) {
1064 printed = printlivelist(fiop, i, set, fp, NULL, NULL);
1066 FPRINTF(stderr, "# empty list for %s%s\n",
1067 (opts & OPT_INACTIVE) ? "inactive " : "",
1072 FPRINTF(stderr, "# empty list for %s%s\n",
1073 (opts & OPT_INACTIVE) ? "inactive " : "",
1076 printdeadlist(fiop, i, set, fp, NULL, NULL);
1083 * Display ipfilter stateful filtering information
1085 static void showipstates(ipsp, filter)
1093 * If a list of states hasn't been asked for, only print out stats
1095 if (!(opts & OPT_SHOWLIST)) {
1096 showstatestats(ipsp);
1100 if ((state_fields != NULL) && (nohdrfields == 0)) {
1101 for (i = 0; state_fields[i].w_value != 0; i++) {
1102 printfieldhdr(statefields, state_fields + i);
1103 if (state_fields[i + 1].w_value != 0)
1110 * Print out all the state information currently held in the kernel.
1112 for (is = ipsp->iss_list; is != NULL; ) {
1115 is = fetchstate(is, &ips);
1121 if ((filter != NULL) &&
1122 (state_matcharray(&ips, filter) == 0)) {
1125 if (state_fields != NULL) {
1126 for (i = 0; state_fields[i].w_value != 0; i++) {
1127 printstatefield(&ips, state_fields[i].w_value);
1128 if (state_fields[i + 1].w_value != 0)
1133 printstate(&ips, opts, ipsp->iss_ticks);
1139 static void showstatestats(ipsp)
1142 int minlen, maxlen, totallen;
1149 * If a list of states hasn't been asked for, only print out stats
1152 sz = sizeof(*buckets) * ipsp->iss_state_size;
1153 buckets = (u_int *)malloc(sz);
1155 obj.ipfo_rev = IPFILTER_VERSION;
1156 obj.ipfo_type = IPFOBJ_GTABLE;
1157 obj.ipfo_size = sizeof(table);
1158 obj.ipfo_ptr = &table;
1160 table.ita_type = IPFTABLE_BUCKETS;
1161 table.ita_table = buckets;
1163 if (live_kernel == 1) {
1164 if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
1169 if (kmemcpy((char *)buckets,
1170 (u_long)ipsp->iss_bucketlen, sz)) {
1176 PRINTF("%u\tactive state table entries\n",ipsp->iss_active);
1177 PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad);
1178 PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup);
1179 PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked);
1180 PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow);
1181 PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full);
1182 PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad);
1183 PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss);
1184 PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag);
1185 PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem);
1186 PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag);
1187 PRINTF("%lu\tcheck success\n", ipsp->iss_hits);
1188 PRINTF("%lu\tcloned\n", ipsp->iss_cloned);
1189 PRINTF("%lu\texpired\n", ipsp->iss_expire);
1190 PRINTF("%lu\tflush all\n", ipsp->iss_flush_all);
1191 PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing);
1192 PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue);
1193 PRINTF("%lu\tflush state\n", ipsp->iss_flush_state);
1194 PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout);
1195 PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse);
1196 PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad);
1197 PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned);
1198 PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr);
1199 PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock);
1200 PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits);
1201 PRINTF("%lu\tICMP not query\n", ipsp->iss_icmp_notquery);
1202 PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short);
1203 PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany);
1204 PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr);
1205 PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss);
1206 PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo);
1207 PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery);
1208 PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail);
1209 PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok);
1210 PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp);
1211 PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask);
1212 PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport);
1213 PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss);
1214 PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref);
1215 PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track);
1216 PRINTF("%lu\tno memory\n", ipsp->iss_nomem);
1217 PRINTF("%lu\tout of window\n", ipsp->iss_oow);
1218 PRINTF("%lu\torphans\n", ipsp->iss_orphan);
1219 PRINTF("%lu\tscan block\n", ipsp->iss_scan_block);
1220 PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max);
1221 PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing);
1222 PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow);
1223 PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd);
1224 PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall);
1225 PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt);
1226 PRINTF("%lu\tTCP removed\n", ipsp->iss_fin);
1227 PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm);
1228 PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict);
1229 PRINTF("%lu\tTCP wild\n", ipsp->iss_wild);
1230 PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack);
1232 PRINTF("State logging %sabled\n", state_logging ? "en" : "dis");
1234 PRINTF("IP states added:\n");
1235 for (i = 0; i < 256; i++) {
1236 if (ipsp->iss_proto[i] != 0) {
1237 struct protoent *proto;
1239 proto = getprotobynumber(i);
1240 PRINTF("%lu", ipsp->iss_proto[i]);
1242 PRINTF("\t%s\n", proto->p_name);
1244 PRINTF("\t%d\n", i);
1248 PRINTF("\nState table bucket statistics:\n");
1249 PRINTF("%u\tin use\n", ipsp->iss_inuse);
1251 minlen = ipsp->iss_max;
1255 for (i = 0; i < ipsp->iss_state_size; i++) {
1256 if (buckets[i] > maxlen)
1257 maxlen = buckets[i];
1258 if (buckets[i] < minlen)
1259 minlen = buckets[i];
1260 totallen += buckets[i];
1263 PRINTF("%d\thash efficiency\n",
1264 totallen ? ipsp->iss_inuse * 100 / totallen : 0);
1265 PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n",
1266 ((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0,
1268 PRINTF("%u\tmaximal length\n%.3f\taverage length\n",
1270 ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
1273 #define ENTRIES_PER_LINE 5
1275 if (opts & OPT_VERBOSE) {
1276 PRINTF("\nCurrent bucket sizes :\n");
1277 for (i = 0; i < ipsp->iss_state_size; i++) {
1278 if ((i % ENTRIES_PER_LINE) == 0)
1280 PRINTF("%4d -> %4u", i, buckets[i]);
1281 if ((i % ENTRIES_PER_LINE) ==
1282 (ENTRIES_PER_LINE - 1))
1293 if (live_kernel == 1) {
1294 showtqtable_live(state_fd);
1296 printtqtable(ipsp->iss_tcptab);
1302 static int handle_resize = 0, handle_break = 0;
1304 static void topipstates(saddr, daddr, sport, dport, protocol, ver,
1305 refreshtime, topclosed, filter)
1316 char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
1317 int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
1318 int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
1319 int len, srclen, dstlen, forward = 1, c = 0;
1320 ips_stat_t ipsst, *ipsstp = &ipsst;
1321 int token_type = IPFGENITER_STATE;
1322 statetop_t *tstable = NULL, *tp;
1323 const char *errstr = "";
1326 struct timeval selecttimeout;
1327 char hostnm[HOSTNMLEN];
1328 struct protoent *proto;
1332 /* install signal handlers */
1333 signal(SIGINT, sig_break);
1334 signal(SIGQUIT, sig_break);
1335 signal(SIGTERM, sig_break);
1336 signal(SIGWINCH, sig_resize);
1338 /* init ncurses stuff */
1344 getmaxyx(stdscr, maxy, maxx);
1347 gethostname(hostnm, sizeof(hostnm) - 1);
1348 hostnm[sizeof(hostnm) - 1] = '\0';
1350 /* init ipfobj_t stuff */
1351 bzero((caddr_t)&ipfo, sizeof(ipfo));
1352 ipfo.ipfo_rev = IPFILTER_VERSION;
1353 ipfo.ipfo_type = IPFOBJ_STATESTAT;
1354 ipfo.ipfo_size = sizeof(*ipsstp);
1355 ipfo.ipfo_ptr = (void *)ipsstp;
1357 /* repeat until user aborts */
1360 /* get state table */
1361 bzero((char *)&ipsst, sizeof(ipsst));
1362 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
1363 errstr = "ioctl(SIOCGETFS)";
1368 /* clear the history */
1371 /* reset max str len */
1372 srclen = dstlen = 0;
1374 /* read the state table and store in tstable */
1375 for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
1377 ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
1378 if (ipsstp->iss_list == NULL)
1381 if (ver != 0 && ips.is_v != ver)
1384 if ((filter != NULL) &&
1385 (state_matcharray(&ips, filter) == 0))
1388 /* check v4 src/dest addresses */
1389 if (ips.is_v == 4) {
1390 if ((saddr.in4.s_addr != INADDR_ANY &&
1391 saddr.in4.s_addr != ips.is_saddr) ||
1392 (daddr.in4.s_addr != INADDR_ANY &&
1393 daddr.in4.s_addr != ips.is_daddr))
1397 /* check v6 src/dest addresses */
1398 if (ips.is_v == 6) {
1399 if ((IP6_NEQ(&saddr, &in6addr_any) &&
1400 IP6_NEQ(&saddr, &ips.is_src)) ||
1401 (IP6_NEQ(&daddr, &in6addr_any) &&
1402 IP6_NEQ(&daddr, &ips.is_dst)))
1406 /* check protocol */
1407 if (protocol > 0 && protocol != ips.is_p)
1410 /* check ports if protocol is TCP or UDP */
1411 if (((ips.is_p == IPPROTO_TCP) ||
1412 (ips.is_p == IPPROTO_UDP)) &&
1413 (((sport > 0) && (htons(sport) != ips.is_sport)) ||
1414 ((dport > 0) && (htons(dport) != ips.is_dport))))
1417 /* show closed TCP sessions ? */
1418 if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
1419 (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
1420 (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
1424 * if necessary make room for this state
1428 if (!maxtsentries || tsentry == maxtsentries) {
1429 maxtsentries += STGROWSIZE;
1430 tstable = reallocarray(tstable, maxtsentries,
1431 sizeof(statetop_t));
1432 if (tstable == NULL) {
1438 /* get max src/dest address string length */
1439 len = strlen(getip(ips.is_v, &ips.is_src));
1442 len = strlen(getip(ips.is_v, &ips.is_dst));
1446 /* fill structure */
1447 tp = tstable + tsentry;
1448 tp->st_src = ips.is_src;
1449 tp->st_dst = ips.is_dst;
1450 tp->st_p = ips.is_p;
1451 tp->st_v = ips.is_v;
1452 tp->st_state[0] = ips.is_state[0];
1453 tp->st_state[1] = ips.is_state[1];
1455 tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
1456 tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
1458 tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
1459 tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
1461 tp->st_age = ips.is_die - ipsstp->iss_ticks;
1462 if ((ips.is_p == IPPROTO_TCP) ||
1463 (ips.is_p == IPPROTO_UDP)) {
1464 tp->st_sport = ips.is_sport;
1465 tp->st_dport = ips.is_dport;
1469 (void) ioctl(state_fd, SIOCIPFDELTOK, &token_type);
1471 /* sort the array */
1472 if (tsentry != -1) {
1476 qsort(tstable, tsentry + 1,
1477 sizeof(statetop_t), sort_p);
1480 qsort(tstable, tsentry + 1,
1481 sizeof(statetop_t), sort_pkts);
1484 qsort(tstable, tsentry + 1,
1485 sizeof(statetop_t), sort_bytes);
1488 qsort(tstable, tsentry + 1,
1489 sizeof(statetop_t), sort_ttl);
1492 qsort(tstable, tsentry + 1,
1493 sizeof(statetop_t), sort_srcip);
1496 qsort(tstable, tsentry +1,
1497 sizeof(statetop_t), sort_srcpt);
1500 qsort(tstable, tsentry + 1,
1501 sizeof(statetop_t), sort_dstip);
1504 qsort(tstable, tsentry + 1,
1505 sizeof(statetop_t), sort_dstpt);
1512 /* handle window resizes */
1513 if (handle_resize) {
1520 getmaxyx(stdscr, maxy, maxx);
1534 sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
1535 for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
1540 /* just for fun add a clock */
1541 move(winy, maxx - 8);
1543 strftime(str1, 80, "%T", localtime(&t));
1544 printw("%s\n", str1);
1547 * print the display filters, this is placed in the loop,
1548 * because someday I might add code for changing these
1549 * while the programming is running :-)
1552 sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
1554 sprintf(str1, "%s", getip(ver, &saddr));
1557 sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
1559 sprintf(str2, "%s", getip(ver, &daddr));
1562 strcpy(str3, "any");
1563 else if ((proto = getprotobynumber(protocol)) != NULL)
1564 sprintf(str3, "%s", proto->p_name);
1566 sprintf(str3, "%d", protocol);
1571 sprintf(str4, "proto");
1574 sprintf(str4, "# pkts");
1577 sprintf(str4, "# bytes");
1580 sprintf(str4, "ttl");
1583 sprintf(str4, "src ip");
1586 sprintf(str4, "src port");
1589 sprintf(str4, "dest ip");
1592 sprintf(str4, "dest port");
1595 sprintf(str4, "unknown");
1600 strcat(str4, " (reverse)");
1604 printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
1605 str1, str2, str3, str4);
1608 * For an IPv4 IP address we need at most 15 characters,
1609 * 4 tuples of 3 digits, separated by 3 dots. Enforce this
1610 * length, so the colums do not change positions based
1611 * on the size of the IP address. This length makes the
1612 * output fit in a 80 column terminal.
1613 * We are lacking a good solution for IPv6 addresses (that
1614 * can be longer that 15 characters), so we do not enforce
1615 * a maximum on the IP field size.
1622 /* print column description */
1626 printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
1627 srclen + 6, "Source IP", dstlen + 6, "Destination IP",
1628 "ST", "PR", "#pkts", "#bytes", "ttl");
1631 /* print all the entries */
1636 if (tsentry > maxy - 6)
1638 for (i = 0; i <= tsentry; i++) {
1639 /* print src/dest and port */
1640 if ((tp->st_p == IPPROTO_TCP) ||
1641 (tp->st_p == IPPROTO_UDP)) {
1642 sprintf(str1, "%s,%hu",
1643 getip(tp->st_v, &tp->st_src),
1644 ntohs(tp->st_sport));
1645 sprintf(str2, "%s,%hu",
1646 getip(tp->st_v, &tp->st_dst),
1647 ntohs(tp->st_dport));
1649 sprintf(str1, "%s", getip(tp->st_v,
1651 sprintf(str2, "%s", getip(tp->st_v,
1656 printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
1659 sprintf(str1, "%X/%X", tp->st_state[0],
1661 printw(" %3s", str1);
1663 /* print protocol */
1664 proto = getprotobynumber(tp->st_p);
1666 strncpy(str1, proto->p_name, 4);
1669 sprintf(str1, "%d", tp->st_p);
1671 /* just print icmp for IPv6-ICMP */
1672 if (tp->st_p == IPPROTO_ICMPV6)
1673 strcpy(str1, "icmp");
1674 printw(" %4s", str1);
1676 /* print #pkt/#bytes */
1678 printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
1679 (unsigned long long) tp->st_bytes);
1681 printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
1683 printw(" %9s", ttl_to_string(tp->st_age));
1691 /* screen data structure is filled, now update the screen */
1695 if (refresh() == ERR)
1702 /* wait for key press or a 1 second time out period */
1703 selecttimeout.tv_sec = refreshtime;
1704 selecttimeout.tv_usec = 0;
1707 select(1, &readfd, NULL, NULL, &selecttimeout);
1709 /* if key pressed, read all waiting keys */
1710 if (FD_ISSET(0, &readfd)) {
1715 if (ISALPHA(c) && ISUPPER(c))
1719 } else if (c == 'q') {
1721 } else if (c == 'r') {
1723 } else if (c == 'b') {
1725 } else if (c == 'f') {
1727 } else if (c == 's') {
1728 if (++sorting > STSORT_MAX)
1737 /* nocbreak(); XXX - endwin() should make this redundant */
1748 * Show fragment cache information that's held in the kernel.
1750 static void showfrstates(ifsp, ticks)
1754 struct ipfr *ipfrtab[IPFT_SIZE], ifr;
1758 * print out the numeric statistics
1760 PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n",
1761 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
1762 PRINTF("%lu\tretrans\n%lu\ttoo short\n",
1763 ifsp->ifs_retrans0, ifsp->ifs_short);
1764 PRINTF("%lu\tno memory\n%lu\talready exist\n",
1765 ifsp->ifs_nomem, ifsp->ifs_exists);
1766 PRINTF("%lu\tinuse\n", ifsp->ifs_inuse);
1769 if (live_kernel == 0) {
1770 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
1776 * Print out the contents (if any) of the fragment cache table.
1778 if (live_kernel == 1) {
1780 if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
1782 if (ifr.ipfr_ifp == NULL)
1784 ifr.ipfr_ttl -= ticks;
1785 printfraginfo("", &ifr);
1786 } while (ifr.ipfr_next != NULL);
1788 for (i = 0; i < IPFT_SIZE; i++)
1789 while (ipfrtab[i] != NULL) {
1790 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1793 printfraginfo("", &ifr);
1794 ipfrtab[i] = ifr.ipfr_next;
1798 * Print out the contents (if any) of the NAT fragment cache table.
1801 if (live_kernel == 0) {
1802 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
1807 if (live_kernel == 1) {
1809 if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
1811 if (ifr.ipfr_ifp == NULL)
1813 ifr.ipfr_ttl -= ticks;
1814 printfraginfo("NAT: ", &ifr);
1815 } while (ifr.ipfr_next != NULL);
1817 for (i = 0; i < IPFT_SIZE; i++)
1818 while (ipfrtab[i] != NULL) {
1819 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1822 printfraginfo("NAT: ", &ifr);
1823 ipfrtab[i] = ifr.ipfr_next;
1830 * Show stats on how auth within IPFilter has been used
1832 static void showauthstates(asp)
1833 ipf_authstat_t *asp;
1835 frauthent_t *frap, fra;
1839 obj.ipfo_rev = IPFILTER_VERSION;
1840 obj.ipfo_type = IPFOBJ_GENITER;
1841 obj.ipfo_size = sizeof(auth);
1842 obj.ipfo_ptr = &auth;
1844 auth.igi_type = IPFGENITER_AUTH;
1845 auth.igi_nitems = 1;
1846 auth.igi_data = &fra;
1849 printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
1850 (unsigned long long) asp->fas_hits,
1851 (unsigned long long) asp->fas_miss);
1853 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
1856 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
1857 asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
1859 printf("queok %ld\nquefail %ld\nexpire %ld\n",
1860 asp->fas_queok, asp->fas_quefail, asp->fas_expire);
1862 frap = asp->fas_faelist;
1864 if (live_kernel == 1) {
1865 if (ioctl(auth_fd, SIOCGENITER, &obj))
1868 if (kmemcpy((char *)&fra, (u_long)frap,
1872 printf("age %ld\t", fra.fae_age);
1873 printfr(&fra.fae_fr, ioctl);
1874 frap = fra.fae_next;
1880 * Display groups used for each of filter rules, accounting rules and
1881 * authentication, separately.
1883 static void showgroups(fiop)
1884 struct friostat *fiop;
1886 static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
1887 static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
1891 on = fiop->f_active;
1894 for (i = 0; i < 3; i++) {
1895 printf("%s groups (active):\n", gnames[i]);
1896 for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
1898 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1901 printf("%s\n", grp.fg_name);
1902 printf("%s groups (inactive):\n", gnames[i]);
1903 for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
1905 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1908 printf("%s\n", grp.fg_name);
1913 static void parse_ipportstr(argument, ip, port)
1914 const char *argument;
1921 /* make working copy of argument, Theoretically you must be able
1922 * to write to optarg, but that seems very ugly to me....
1924 s = strdup(argument);
1929 if ((comma = strchr(s, ',')) != NULL) {
1930 if (!strcasecmp(comma + 1, "any")) {
1932 } else if (!sscanf(comma + 1, "%d", port) ||
1933 (*port < 0) || (*port > 65535)) {
1934 fprintf(stderr, "Invalid port specification in %s\n",
1943 /* get ip address */
1944 if (!strcasecmp(s, "any")) {
1945 ip->in4.s_addr = INADDR_ANY;
1948 ip->in6 = in6addr_any;
1949 } else if (use_inet6 && !use_inet4 && inet_pton(AF_INET6, s, &ip->in6)) {
1952 } else if (inet_aton(s, &ip->in4))
1956 fprintf(stderr, "Invalid IP address: %s\n", s);
1961 /* free allocated memory */
1967 static void sig_resize(s)
1973 static void sig_break(s)
1979 static char *getip(v, addr)
1984 static char hostbuf[MAXHOSTNAMELEN+1];
1991 return inet_ntoa(addr->in4);
1994 (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
1995 hostbuf[MAXHOSTNAMELEN] = '\0';
2003 static char *ttl_to_string(ttl)
2006 static char ttlbuf[STSTRSIZE];
2007 int hours, minutes, seconds;
2009 /* ttl is in half seconds */
2018 sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
2020 sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
2025 static int sort_pkts(a, b)
2030 register const statetop_t *ap = a;
2031 register const statetop_t *bp = b;
2033 if (ap->st_pkts == bp->st_pkts)
2035 else if (ap->st_pkts < bp->st_pkts)
2041 static int sort_bytes(a, b)
2045 register const statetop_t *ap = a;
2046 register const statetop_t *bp = b;
2048 if (ap->st_bytes == bp->st_bytes)
2050 else if (ap->st_bytes < bp->st_bytes)
2056 static int sort_p(a, b)
2060 register const statetop_t *ap = a;
2061 register const statetop_t *bp = b;
2063 if (ap->st_p == bp->st_p)
2065 else if (ap->st_p < bp->st_p)
2071 static int sort_ttl(a, b)
2075 register const statetop_t *ap = a;
2076 register const statetop_t *bp = b;
2078 if (ap->st_age == bp->st_age)
2080 else if (ap->st_age < bp->st_age)
2085 static int sort_srcip(a, b)
2089 register const statetop_t *ap = a;
2090 register const statetop_t *bp = b;
2093 if (use_inet6 && !use_inet4) {
2094 if (IP6_EQ(&ap->st_src, &bp->st_src))
2096 else if (IP6_GT(&ap->st_src, &bp->st_src))
2101 if (ntohl(ap->st_src.in4.s_addr) ==
2102 ntohl(bp->st_src.in4.s_addr))
2104 else if (ntohl(ap->st_src.in4.s_addr) >
2105 ntohl(bp->st_src.in4.s_addr))
2111 static int sort_srcpt(a, b)
2115 register const statetop_t *ap = a;
2116 register const statetop_t *bp = b;
2118 if (htons(ap->st_sport) == htons(bp->st_sport))
2120 else if (htons(ap->st_sport) > htons(bp->st_sport))
2125 static int sort_dstip(a, b)
2129 register const statetop_t *ap = a;
2130 register const statetop_t *bp = b;
2133 if (use_inet6 && !use_inet4) {
2134 if (IP6_EQ(&ap->st_dst, &bp->st_dst))
2136 else if (IP6_GT(&ap->st_dst, &bp->st_dst))
2141 if (ntohl(ap->st_dst.in4.s_addr) ==
2142 ntohl(bp->st_dst.in4.s_addr))
2144 else if (ntohl(ap->st_dst.in4.s_addr) >
2145 ntohl(bp->st_dst.in4.s_addr))
2151 static int sort_dstpt(a, b)
2155 register const statetop_t *ap = a;
2156 register const statetop_t *bp = b;
2158 if (htons(ap->st_dport) == htons(bp->st_dport))
2160 else if (htons(ap->st_dport) > htons(bp->st_dport))
2168 ipstate_t *fetchstate(src, dst)
2169 ipstate_t *src, *dst;
2172 if (live_kernel == 1) {
2176 obj.ipfo_rev = IPFILTER_VERSION;
2177 obj.ipfo_type = IPFOBJ_GENITER;
2178 obj.ipfo_size = sizeof(state);
2179 obj.ipfo_ptr = &state;
2181 state.igi_type = IPFGENITER_STATE;
2182 state.igi_nitems = 1;
2183 state.igi_data = dst;
2185 if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
2187 if (dst->is_next == NULL) {
2188 int n = IPFGENITER_STATE;
2189 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &n);
2192 if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
2199 static int fetchfrag(fd, type, frp)
2206 obj.ipfo_rev = IPFILTER_VERSION;
2207 obj.ipfo_type = IPFOBJ_GENITER;
2208 obj.ipfo_size = sizeof(frag);
2209 obj.ipfo_ptr = &frag;
2211 frag.igi_type = type;
2212 frag.igi_nitems = 1;
2213 frag.igi_data = frp;
2215 if (ioctl(fd, SIOCGENITER, &obj))
2221 static int state_matcharray(stp, array)
2225 int i, n, *x, rv, p;
2230 for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) {
2232 if (e->ipfe_cmd == IPF_EXP_END)
2238 * The upper 16 bits currently store the protocol value.
2239 * This is currently used with TCP and UDP port compares and
2240 * allows "tcp.port = 80" without requiring an explicit
2241 " "ip.pr = tcp" first.
2243 p = e->ipfe_cmd >> 16;
2244 if ((p != 0) && (p != stp->is_p))
2247 switch (e->ipfe_cmd)
2249 case IPF_EXP_IP_PR :
2250 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2251 rv |= (stp->is_p == e->ipfe_arg0[i]);
2255 case IPF_EXP_IP_SRCADDR :
2258 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2259 rv |= ((stp->is_saddr &
2260 e->ipfe_arg0[i * 2 + 1]) ==
2261 e->ipfe_arg0[i * 2]);
2265 case IPF_EXP_IP_DSTADDR :
2268 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2269 rv |= ((stp->is_daddr &
2270 e->ipfe_arg0[i * 2 + 1]) ==
2271 e->ipfe_arg0[i * 2]);
2275 case IPF_EXP_IP_ADDR :
2278 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2279 rv |= ((stp->is_saddr &
2280 e->ipfe_arg0[i * 2 + 1]) ==
2281 e->ipfe_arg0[i * 2]) ||
2283 e->ipfe_arg0[i * 2 + 1]) ==
2284 e->ipfe_arg0[i * 2]);
2289 case IPF_EXP_IP6_SRCADDR :
2292 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2293 rv |= IP6_MASKEQ(&stp->is_src,
2294 &e->ipfe_arg0[i * 8 + 4],
2295 &e->ipfe_arg0[i * 8]);
2299 case IPF_EXP_IP6_DSTADDR :
2302 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2303 rv |= IP6_MASKEQ(&stp->is_dst,
2304 &e->ipfe_arg0[i * 8 + 4],
2305 &e->ipfe_arg0[i * 8]);
2309 case IPF_EXP_IP6_ADDR :
2312 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2313 rv |= IP6_MASKEQ(&stp->is_src,
2314 &e->ipfe_arg0[i * 8 + 4],
2315 &e->ipfe_arg0[i * 8]) ||
2316 IP6_MASKEQ(&stp->is_dst,
2317 &e->ipfe_arg0[i * 8 + 4],
2318 &e->ipfe_arg0[i * 8]);
2323 case IPF_EXP_UDP_PORT :
2324 case IPF_EXP_TCP_PORT :
2325 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2326 rv |= (stp->is_sport == e->ipfe_arg0[i]) ||
2327 (stp->is_dport == e->ipfe_arg0[i]);
2331 case IPF_EXP_UDP_SPORT :
2332 case IPF_EXP_TCP_SPORT :
2333 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2334 rv |= (stp->is_sport == e->ipfe_arg0[i]);
2338 case IPF_EXP_UDP_DPORT :
2339 case IPF_EXP_TCP_DPORT :
2340 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2341 rv |= (stp->is_dport == e->ipfe_arg0[i]);
2345 case IPF_EXP_IDLE_GT :
2346 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2347 rv |= (stp->is_die < e->ipfe_arg0[i]);
2351 case IPF_EXP_TCP_STATE :
2352 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2353 rv |= (stp->is_state[0] == e->ipfe_arg0[i]) ||
2354 (stp->is_state[1] == e->ipfe_arg0[i]);
2368 static void showtqtable_live(fd)
2371 ipftq_t table[IPF_TCP_NSTATES];
2374 bzero((char *)&obj, sizeof(obj));
2375 obj.ipfo_rev = IPFILTER_VERSION;
2376 obj.ipfo_size = sizeof(table);
2377 obj.ipfo_ptr = (void *)table;
2378 obj.ipfo_type = IPFOBJ_STATETQTAB;
2380 if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
2381 printtqtable(table);