4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
13 #if defined(sun) && defined(__SVR4)
17 #include "netinet/ipl.h"
19 # if defined(sun) && defined(__SVR4)
20 # include <sys/select.h>
22 # include <netinet/ip_var.h>
23 # include <netinet/tcp_fsm.h>
27 # if SOLARIS || defined(__NetBSD__)
37 #if defined(__NetBSD__)
42 static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
43 static const char rcsid[] = "@(#)$Id$";
51 #define PRINTF (void)printf
52 #define FPRINTF (void)fprintf
53 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
54 "ipacct(in)", "ipacct(out)" };
55 static int state_logging = -1;
56 static wordtab_t *state_fields = NULL;
66 frgroup_t *grtop = NULL;
67 frgroup_t *grtail = NULL;
69 char *blockreasons[FRB_MAX_VALUE + 1] = {
76 "IP ID update failed",
77 "log-or-block failed",
78 "decapsulate failure",
79 "cannot create new auth entry",
80 "packet queued for auth",
81 "buffer coalesce failure",
82 "buffer pullup failure",
96 #define STSORT_BYTES 2
98 #define STSORT_SRCIP 4
99 #define STSORT_SRCPT 5
100 #define STSORT_DSTIP 6
101 #define STSORT_DSTPT 7
102 #define STSORT_MAX STSORT_DSTPT
103 #define STSORT_DEFAULT STSORT_BYTES
106 typedef struct statetop {
120 int main __P((int, char *[]));
122 static int fetchfrag __P((int, int, ipfr_t *));
123 static void showstats __P((friostat_t *, u_32_t));
124 static void showfrstates __P((ipfrstat_t *, u_long));
125 static void showlist __P((friostat_t *));
126 static void showstatestats __P((ips_stat_t *));
127 static void showipstates __P((ips_stat_t *, int *));
128 static void showauthstates __P((ipf_authstat_t *));
129 static void showtqtable_live __P((int));
130 static void showgroups __P((friostat_t *));
131 static void usage __P((char *));
132 static int state_matcharray __P((ipstate_t *, int *));
133 static int printlivelist __P((friostat_t *, int, int, frentry_t *,
135 static void printdeadlist __P((friostat_t *, int, int, frentry_t *,
137 static void printside __P((char *, ipf_statistics_t *));
138 static void parse_ipportstr __P((const char *, i6addr_t *, int *));
139 static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
140 ipfrstat_t **, ipf_authstat_t **, u_32_t *));
141 static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
142 ipfrstat_t **, ipf_authstat_t **, u_32_t *));
143 static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
145 static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
146 int, int, int, int *));
147 static void sig_break __P((int));
148 static void sig_resize __P((int));
149 static char *getip __P((int, i6addr_t *));
150 static char *ttl_to_string __P((long));
151 static int sort_p __P((const void *, const void *));
152 static int sort_pkts __P((const void *, const void *));
153 static int sort_bytes __P((const void *, const void *));
154 static int sort_ttl __P((const void *, const void *));
155 static int sort_srcip __P((const void *, const void *));
156 static int sort_srcpt __P((const void *, const void *));
157 static int sort_dstip __P((const void *, const void *));
158 static int sort_dstpt __P((const void *, const void *));
162 static void usage(name)
166 fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
168 fprintf(stderr, "Usage: %s [-aAdfghIilnoRsv]\n", name);
170 fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name);
172 fprintf(stderr, " %s -t [-6C] ", name);
174 fprintf(stderr, " %s -t [-C] ", name);
176 fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
185 ipf_authstat_t frauthst;
186 ipf_authstat_t *frauthstp = &frauthst;
188 friostat_t *fiop = &fio;
190 ips_stat_t *ipsstp = &ipsst;
192 ipfrstat_t *ifrstp = &ifrst;
200 int protocol = -1; /* -1 = wild card for any protocol */
201 int refreshtime = 1; /* default update time */
202 int sport = -1; /* -1 = wild card for any source port */
203 int dport = -1; /* -1 = wild card for any dest port */
204 int topclosed = 0; /* do not show closed tcp sessions */
205 i6addr_t saddr, daddr;
209 options = "6aACdfghIilnostvD:m:M:N:O:P:RS:T:";
211 options = "aACdfghIilnostvD:m:M:N:O:P:RS:T:";
214 saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
215 daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */
217 saddr.in6 = in6addr_any; /* default any v6 source addr */
218 daddr.in6 = in6addr_any; /* default any v6 dest addr */
221 /* Don't warn about invalid flags when we run getopt for the 1st time */
225 * Parse these two arguments now lest there be any buffer overflows
226 * in the parsing of the rest.
229 while ((c = getopt(argc, argv, options)) != -1) {
244 if (live_kernel == 1) {
245 if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
246 perror("open(IPSTATE_NAME)");
249 if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
250 perror("open(IPAUTH_NAME)");
253 if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
254 perror("open(IPAUTH_NAME)");
257 if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
258 fprintf(stderr, "open(%s)", IPL_NAME);
264 if (kern != NULL || memf != NULL) {
265 (void)setgid(getgid());
266 (void)setuid(getuid());
269 if (live_kernel == 1) {
270 (void) checkrev(IPL_NAME);
272 if (openkmem(kern, memf) == -1)
276 (void)setgid(getgid());
277 (void)setuid(getuid());
281 while ((c = getopt(argc, argv, options)) != -1)
291 opts |= OPT_ACCNT|OPT_SHOWLIST;
294 opts |= OPT_AUTHSTATS;
303 parse_ipportstr(optarg, &daddr, &dport);
306 opts |= OPT_FRSTATES;
315 opts |= OPT_INQUE|OPT_SHOWLIST;
318 opts |= OPT_INACTIVE;
321 opts |= OPT_SHOWLIST;
324 filter = parseipfexpr(optarg, NULL);
325 if (filter == NULL) {
326 fprintf(stderr, "Error parseing '%s'\n",
336 opts |= OPT_SHOWLINENO;
339 opts |= OPT_OUTQUE|OPT_SHOWLIST;
342 state_fields = parsefields(statefields, optarg);
345 protocol = getproto(optarg);
346 if (protocol == -1) {
347 fprintf(stderr, "%s: Invalid protocol: %s\n",
353 opts |= OPT_NORESOLVE;
356 opts |= OPT_IPSTATES;
359 parse_ipportstr(optarg, &saddr, &sport);
363 opts |= OPT_STATETOP;
367 "%s: state top facility not compiled in\n",
372 if (!sscanf(optarg, "%d", &refreshtime) ||
373 (refreshtime <= 0)) {
375 "%s: Invalid refreshtime < 1 : %s\n",
389 if (live_kernel == 1) {
390 bzero((char *)&fio, sizeof(fio));
391 bzero((char *)&ipsst, sizeof(ipsst));
392 bzero((char *)&ifrst, sizeof(ifrst));
394 ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
397 ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
400 if (opts & OPT_IPSTATES) {
401 showipstates(ipsstp, filter);
402 } else if (opts & OPT_SHOWLIST) {
404 if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
408 } else if (opts & OPT_FRSTATES)
409 showfrstates(ifrstp, fiop->f_ticks);
411 else if (opts & OPT_STATETOP)
412 topipstates(saddr, daddr, sport, dport, protocol,
413 use_inet6 ? 6 : 4, refreshtime, topclosed, filter);
415 else if (opts & OPT_AUTHSTATS)
416 showauthstates(frauthstp);
417 else if (opts & OPT_GROUPS)
420 showstats(fiop, frf);
427 * Fill in the stats structures from the live kernel, using a combination
428 * of ioctl's and copying directly from kernel memory.
430 static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
433 ips_stat_t **ipsstpp;
434 ipfrstat_t **ifrstpp;
435 ipf_authstat_t **frauthstpp;
440 if (checkrev(device) == -1) {
441 fprintf(stderr, "User/kernel version check failed\n");
445 if ((opts & OPT_AUTHSTATS) == 0) {
446 bzero((caddr_t)&ipfo, sizeof(ipfo));
447 ipfo.ipfo_rev = IPFILTER_VERSION;
448 ipfo.ipfo_type = IPFOBJ_IPFSTAT;
449 ipfo.ipfo_size = sizeof(friostat_t);
450 ipfo.ipfo_ptr = (void *)*fiopp;
452 if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
453 ipferror(ipf_fd, "ioctl(ipf:SIOCGETFS)");
457 if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
458 ipferror(ipf_fd, "ioctl(SIOCGETFF)");
461 if ((opts & OPT_IPSTATES) != 0) {
463 bzero((caddr_t)&ipfo, sizeof(ipfo));
464 ipfo.ipfo_rev = IPFILTER_VERSION;
465 ipfo.ipfo_type = IPFOBJ_STATESTAT;
466 ipfo.ipfo_size = sizeof(ips_stat_t);
467 ipfo.ipfo_ptr = (void *)*ipsstpp;
469 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
470 ipferror(state_fd, "ioctl(state:SIOCGETFS)");
473 if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
474 ipferror(state_fd, "ioctl(state:SIOCGETLG)");
479 if ((opts & OPT_FRSTATES) != 0) {
480 bzero((caddr_t)&ipfo, sizeof(ipfo));
481 ipfo.ipfo_rev = IPFILTER_VERSION;
482 ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
483 ipfo.ipfo_size = sizeof(ipfrstat_t);
484 ipfo.ipfo_ptr = (void *)*ifrstpp;
486 if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
487 ipferror(ipf_fd, "ioctl(SIOCGFRST)");
492 if (opts & OPT_DEBUG)
493 PRINTF("opts %#x name %s\n", opts, device);
495 if ((opts & OPT_AUTHSTATS) != 0) {
496 bzero((caddr_t)&ipfo, sizeof(ipfo));
497 ipfo.ipfo_rev = IPFILTER_VERSION;
498 ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
499 ipfo.ipfo_size = sizeof(ipf_authstat_t);
500 ipfo.ipfo_ptr = (void *)*frauthstpp;
502 if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
503 ipferror(auth_fd, "ioctl(SIOCATHST)");
511 * Build up the stats structures from data held in the "core" memory.
512 * This is mainly useful when looking at data in crash dumps and ioctl's
513 * just won't work any more.
515 static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
518 ips_stat_t **ipsstpp;
519 ipfrstat_t **ifrstpp;
520 ipf_authstat_t **frauthstpp;
523 static ipf_authstat_t frauthst, *frauthstp;
524 static ipftq_t ipstcptab[IPF_TCP_NSTATES];
525 static ips_stat_t ipsst, *ipsstp;
526 static ipfrstat_t ifrst, *ifrstp;
527 static friostat_t fio, *fiop;
531 struct nlist deadlist[44] = {
532 { "ipf_auth_stats", 0, 0, 0, 0 }, /* 0 */
533 { "fae_list", 0, 0, 0, 0 },
534 { "ipauth", 0, 0, 0, 0 },
535 { "ipf_auth_list", 0, 0, 0, 0 },
536 { "ipf_auth_start", 0, 0, 0, 0 },
537 { "ipf_auth_end", 0, 0, 0, 0 }, /* 5 */
538 { "ipf_auth_next", 0, 0, 0, 0 },
539 { "ipf_auth", 0, 0, 0, 0 },
540 { "ipf_auth_used", 0, 0, 0, 0 },
541 { "ipf_auth_size", 0, 0, 0, 0 },
542 { "ipf_auth_defaultage", 0, 0, 0, 0 }, /* 10 */
543 { "ipf_auth_pkts", 0, 0, 0, 0 },
544 { "ipf_auth_lock", 0, 0, 0, 0 },
545 { "frstats", 0, 0, 0, 0 },
546 { "ips_stats", 0, 0, 0, 0 },
547 { "ips_num", 0, 0, 0, 0 }, /* 15 */
548 { "ips_wild", 0, 0, 0, 0 },
549 { "ips_list", 0, 0, 0, 0 },
550 { "ips_table", 0, 0, 0, 0 },
551 { "ipf_state_max", 0, 0, 0, 0 },
552 { "ipf_state_size", 0, 0, 0, 0 }, /* 20 */
553 { "ipf_state_doflush", 0, 0, 0, 0 },
554 { "ipf_state_lock", 0, 0, 0, 0 },
555 { "ipfr_heads", 0, 0, 0, 0 },
556 { "ipfr_nattab", 0, 0, 0, 0 },
557 { "ipfr_stats", 0, 0, 0, 0 }, /* 25 */
558 { "ipfr_inuse", 0, 0, 0, 0 },
559 { "ipf_ipfrttl", 0, 0, 0, 0 },
560 { "ipf_frag_lock", 0, 0, 0, 0 },
561 { "ipfr_timer_id", 0, 0, 0, 0 },
562 { "ipf_nat_lock", 0, 0, 0, 0 }, /* 30 */
563 { "ipf_rules", 0, 0, 0, 0 },
564 { "ipf_acct", 0, 0, 0, 0 },
565 { "ipl_frouteok", 0, 0, 0, 0 },
566 { "ipf_running", 0, 0, 0, 0 },
567 { "ipf_groups", 0, 0, 0, 0 }, /* 35 */
568 { "ipf_active", 0, 0, 0, 0 },
569 { "ipf_pass", 0, 0, 0, 0 },
570 { "ipf_flags", 0, 0, 0, 0 },
571 { "ipf_state_logging", 0, 0, 0, 0 },
572 { "ips_tqtqb", 0, 0, 0, 0 }, /* 40 */
577 frauthstp = &frauthst;
586 *frauthstpp = frauthstp;
588 bzero((char *)fiop, sizeof(*fiop));
589 bzero((char *)ipsstp, sizeof(*ipsstp));
590 bzero((char *)ifrstp, sizeof(*ifrstp));
591 bzero((char *)frauthstp, sizeof(*frauthstp));
593 if (nlist(kernel, deadlist) == -1) {
594 fprintf(stderr, "nlist error\n");
599 * This is for SIOCGETFF.
601 kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
604 * f_locks is a combination of the lock variable from each part of
605 * ipfilter (state, auth, nat, fragments).
607 kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
608 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
609 sizeof(fiop->f_locks[0]));
610 kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
611 sizeof(fiop->f_locks[1]));
612 kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
613 sizeof(fiop->f_locks[2]));
614 kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
615 sizeof(fiop->f_locks[3]));
618 * Get pointers to each list of rules (active, inactive, in, out)
620 kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
621 fiop->f_fin[0] = rules[0][0];
622 fiop->f_fin[1] = rules[0][1];
623 fiop->f_fout[0] = rules[1][0];
624 fiop->f_fout[1] = rules[1][1];
627 * Now get accounting rules pointers.
629 kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
630 fiop->f_acctin[0] = rules[0][0];
631 fiop->f_acctin[1] = rules[0][1];
632 fiop->f_acctout[0] = rules[1][0];
633 fiop->f_acctout[1] = rules[1][1];
636 * A collection of "global" variables used inside the kernel which
637 * are all collected in friostat_t via ioctl.
639 kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[33].n_value,
640 sizeof(fiop->f_froute));
641 kmemcpy((char *)&fiop->f_running, (u_long)deadlist[34].n_value,
642 sizeof(fiop->f_running));
643 kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[35].n_value,
644 sizeof(fiop->f_groups));
645 kmemcpy((char *)&fiop->f_active, (u_long)deadlist[36].n_value,
646 sizeof(fiop->f_active));
647 kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[37].n_value,
648 sizeof(fiop->f_defpass));
651 * Build up the state information stats structure.
653 kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
654 kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
655 kmemcpy((char *)ipstcptab, (u_long)deadlist[40].n_value,
657 ipsstp->iss_active = temp;
658 ipsstp->iss_table = (void *)deadlist[18].n_value;
659 ipsstp->iss_list = (void *)deadlist[17].n_value;
660 ipsstp->iss_tcptab = ipstcptab;
663 * Build up the authentiation information stats structure.
665 kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
667 frauthstp->fas_faelist = (void *)deadlist[1].n_value;
670 * Build up the fragment information stats structure.
672 kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
674 ifrstp->ifs_table = (void *)deadlist[23].n_value;
675 ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
676 kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
677 sizeof(ifrstp->ifs_inuse));
680 * Get logging on/off switches
682 kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
683 sizeof(state_logging));
687 static void printside(side, frs)
689 ipf_statistics_t *frs;
693 PRINTF("%lu\t%s bad packets\n", frs->fr_bad, side);
695 PRINTF("%lu\t%s IPv6 packets\n", frs->fr_ipv6, side);
697 PRINTF("%lu\t%s packets blocked\n", frs->fr_block, side);
698 PRINTF("%lu\t%s packets passed\n", frs->fr_pass, side);
699 PRINTF("%lu\t%s packets not matched\n", frs->fr_nom, side);
700 PRINTF("%lu\t%s packets counted\n", frs->fr_acct, side);
701 PRINTF("%lu\t%s packets short\n", frs->fr_short, side);
702 PRINTF("%lu\t%s packets logged and blocked\n", frs->fr_bpkl, side);
703 PRINTF("%lu\t%s packets logged and passed\n", frs->fr_ppkl, side);
704 PRINTF("%lu\t%s fragment state kept\n", frs->fr_nfr, side);
705 PRINTF("%lu\t%s fragment state lost\n", frs->fr_bnfr, side);
706 PRINTF("%lu\t%s packet state kept\n", frs->fr_ads, side);
707 PRINTF("%lu\t%s packet state lost\n", frs->fr_bads, side);
708 PRINTF("%lu\t%s invalid source\n", frs->fr_v4_badsrc, side);
709 PRINTF("%lu\t%s cache hits\n", frs->fr_chit, side);
710 PRINTF("%lu\t%s cache misses\n", frs->fr_cmiss, side);
711 PRINTF("%lu\t%s bad coalesces\n", frs->fr_badcoalesces, side);
712 PRINTF("%lu\t%s pullups succeeded\n", frs->fr_pull[0], side);
713 PRINTF("%lu\t%s pullups failed\n", frs->fr_pull[1], side);
714 PRINTF("%lu\t%s TCP checksum failures\n", frs->fr_tcpbad, side);
715 for (i = 0; i <= FRB_MAX_VALUE; i++)
716 PRINTF("%lu\t%s block reason %s\n",
717 frs->fr_blocked[i], side, blockreasons[i]);
722 * Display the kernel stats for packets blocked and passed and other
723 * associated running totals which are kept.
725 static void showstats(fp, frf)
729 printside("input", &fp->f_st[0]);
730 printside("output", &fp->f_st[1]);
732 PRINTF("%lu\tpackets logged\n", fp->f_log_ok);
733 PRINTF("%lu\tlog failures\n", fp->f_log_fail);
734 PRINTF("%lu\tred-black no memory\n", fp->f_rb_no_mem);
735 PRINTF("%lu\tred-black node maximum\n", fp->f_rb_node_max);
736 PRINTF("%lu\tICMP replies sent\n", fp->f_st[0].fr_ret);
737 PRINTF("%lu\tTCP RSTs sent\n", fp->f_st[1].fr_ret);
738 PRINTF("%lu\tfastroute successes\n", fp->f_froute[0]);
739 PRINTF("%lu\tfastroute failures\n", fp->f_froute[1]);
740 PRINTF("%u\tIPF Ticks\n", fp->f_ticks);
742 PRINTF("%x\tPacket log flags set:\n", frf);
743 if (frf & FF_LOGPASS)
744 PRINTF("\tpackets passed through filter\n");
745 if (frf & FF_LOGBLOCK)
746 PRINTF("\tpackets blocked by filter\n");
747 if (frf & FF_LOGNOMATCH)
748 PRINTF("\tpackets not matched by filter\n");
755 * Print out a list of rules from the kernel, starting at the one passed.
758 printlivelist(fiop, out, set, fp, group, comment)
759 struct friostat *fiop;
762 char *group, *comment;
774 rule.iri_inout = out;
775 rule.iri_active = set;
779 strncpy(rule.iri_group, group, FR_GROUPLEN);
781 rule.iri_group[0] = '\0';
783 bzero((char *)&zero, sizeof(zero));
785 bzero((char *)&obj, sizeof(obj));
786 obj.ipfo_rev = IPFILTER_VERSION;
787 obj.ipfo_type = IPFOBJ_IPFITER;
788 obj.ipfo_size = sizeof(rule);
789 obj.ipfo_ptr = &rule;
791 while (rule.iri_rule != NULL) {
794 memset(array, 0xff, sizeof(array));
795 fp = (frentry_t *)array;
797 if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
798 ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
799 num = IPFGENITER_IPF;
800 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
803 if (bcmp(fp, &zero, sizeof(zero)) == 0)
805 if (rule.iri_rule == NULL)
808 if (use_inet6 != 0) {
809 if (fp->fr_family != 0 && fp->fr_family != AF_INET6)
814 if (fp->fr_family != 0 && fp->fr_family != AF_INET)
817 if (fp->fr_data != NULL)
818 fp->fr_data = (char *)fp + fp->fr_size;
822 if (opts & (OPT_HITS|OPT_DEBUG))
824 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
826 PRINTF("%lu ", fp->fr_hits);
828 if (opts & (OPT_ACCNT|OPT_DEBUG))
830 PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
832 PRINTF("%lu ", fp->fr_bytes);
834 if (opts & OPT_SHOWLINENO)
835 PRINTF("@%d ", rules);
838 fp->fr_die -= fiop->f_ticks;
841 if (opts & OPT_DEBUG) {
842 binprint(fp, fp->fr_size);
843 if (fp->fr_data != NULL && fp->fr_dsize > 0)
844 binprint(fp->fr_data, fp->fr_dsize);
846 if (fp->fr_grhead != -1) {
847 for (g = grtop; g != NULL; g = g->fg_next) {
848 if (!strncmp(fp->fr_names + fp->fr_grhead,
854 g = calloc(1, sizeof(*g));
858 fp->fr_names + fp->fr_grhead,
870 if (fp->fr_type == FR_T_CALLFUNC) {
871 rules += printlivelist(fiop, out, set, fp->fr_data,
872 group, "# callfunc: ");
876 num = IPFGENITER_IPF;
877 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &num);
883 static void printdeadlist(fiop, out, set, fp, group, comment)
887 char *group, *comment;
889 frgroup_t *grtop, *grtail, *g;
900 for (n = 1; fp; fp = fb.fr_next, n++) {
901 if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
907 if (use_inet6 != 0) {
908 if (fp->fr_family != 0 && fp->fr_family != 6)
911 if (fp->fr_family != 0 && fp->fr_family != 4)
916 type = fb.fr_type & ~FR_T_BUILTIN;
917 if (type == FR_T_IPF || type == FR_T_BPFOPC) {
919 data = malloc(fb.fr_dsize);
921 if (kmemcpy(data, (u_long)fb.fr_data,
922 fb.fr_dsize) == -1) {
932 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
934 PRINTF("%lu ", fb.fr_hits);
936 if (opts & OPT_ACCNT)
938 PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
940 PRINTF("%lu ", fb.fr_bytes);
942 if (opts & OPT_SHOWLINENO)
946 if (opts & OPT_DEBUG) {
947 binprint(fp, fp->fr_size);
948 if (fb.fr_data != NULL && fb.fr_dsize > 0)
949 binprint(fb.fr_data, fb.fr_dsize);
953 if (fb.fr_grhead != -1) {
954 g = calloc(1, sizeof(*g));
957 strncpy(g->fg_name, fb.fr_names + fb.fr_grhead,
968 if (type == FR_T_CALLFUNC) {
969 printdeadlist(fiop, out, set, fb.fr_data, group,
974 while ((g = grtop) != NULL) {
975 printdeadlist(fiop, out, set, NULL, g->fg_name, comment);
982 * print out all of the asked for rule sets, using the stats struct as
983 * the base from which to get the pointers.
985 static void showlist(fiop)
986 struct friostat *fiop;
988 struct frentry *fp = NULL;
991 set = fiop->f_active;
992 if (opts & OPT_INACTIVE)
994 if (opts & OPT_ACCNT) {
995 if (opts & OPT_OUTQUE) {
997 fp = (struct frentry *)fiop->f_acctout[set];
998 } else if (opts & OPT_INQUE) {
1000 fp = (struct frentry *)fiop->f_acctin[set];
1002 FPRINTF(stderr, "No -i or -o given with -a\n");
1006 if (opts & OPT_OUTQUE) {
1008 fp = (struct frentry *)fiop->f_fout[set];
1009 } else if (opts & OPT_INQUE) {
1011 fp = (struct frentry *)fiop->f_fin[set];
1015 if (opts & OPT_DEBUG)
1016 FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
1018 if (opts & OPT_DEBUG)
1019 PRINTF("fp %p set %d\n", fp, set);
1021 if (live_kernel == 1) {
1024 printed = printlivelist(fiop, i, set, fp, NULL, NULL);
1026 FPRINTF(stderr, "# empty list for %s%s\n",
1027 (opts & OPT_INACTIVE) ? "inactive " : "",
1032 FPRINTF(stderr, "# empty list for %s%s\n",
1033 (opts & OPT_INACTIVE) ? "inactive " : "",
1036 printdeadlist(fiop, i, set, fp, NULL, NULL);
1043 * Display ipfilter stateful filtering information
1045 static void showipstates(ipsp, filter)
1053 * If a list of states hasn't been asked for, only print out stats
1055 if (!(opts & OPT_SHOWLIST)) {
1056 showstatestats(ipsp);
1060 if ((state_fields != NULL) && (nohdrfields == 0)) {
1061 for (i = 0; state_fields[i].w_value != 0; i++) {
1062 printfieldhdr(statefields, state_fields + i);
1063 if (state_fields[i + 1].w_value != 0)
1070 * Print out all the state information currently held in the kernel.
1072 for (is = ipsp->iss_list; is != NULL; ) {
1075 is = fetchstate(is, &ips);
1081 if ((filter != NULL) &&
1082 (state_matcharray(&ips, filter) == 0)) {
1085 if (state_fields != NULL) {
1086 for (i = 0; state_fields[i].w_value != 0; i++) {
1087 printstatefield(&ips, state_fields[i].w_value);
1088 if (state_fields[i + 1].w_value != 0)
1093 printstate(&ips, opts, ipsp->iss_ticks);
1099 static void showstatestats(ipsp)
1102 int minlen, maxlen, totallen;
1109 * If a list of states hasn't been asked for, only print out stats
1112 sz = sizeof(*buckets) * ipsp->iss_state_size;
1113 buckets = (u_int *)malloc(sz);
1115 obj.ipfo_rev = IPFILTER_VERSION;
1116 obj.ipfo_type = IPFOBJ_GTABLE;
1117 obj.ipfo_size = sizeof(table);
1118 obj.ipfo_ptr = &table;
1120 table.ita_type = IPFTABLE_BUCKETS;
1121 table.ita_table = buckets;
1123 if (live_kernel == 1) {
1124 if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
1129 if (kmemcpy((char *)buckets,
1130 (u_long)ipsp->iss_bucketlen, sz)) {
1136 PRINTF("%u\tactive state table entries\n",ipsp->iss_active);
1137 PRINTF("%lu\tadd bad\n", ipsp->iss_add_bad);
1138 PRINTF("%lu\tadd duplicate\n", ipsp->iss_add_dup);
1139 PRINTF("%lu\tadd locked\n", ipsp->iss_add_locked);
1140 PRINTF("%lu\tadd oow\n", ipsp->iss_add_oow);
1141 PRINTF("%lu\tbucket full\n", ipsp->iss_bucket_full);
1142 PRINTF("%lu\tcheck bad\n", ipsp->iss_check_bad);
1143 PRINTF("%lu\tcheck miss\n", ipsp->iss_check_miss);
1144 PRINTF("%lu\tcheck nattag\n", ipsp->iss_check_nattag);
1145 PRINTF("%lu\tclone nomem\n", ipsp->iss_clone_nomem);
1146 PRINTF("%lu\tcheck notag\n", ipsp->iss_check_notag);
1147 PRINTF("%lu\tcheck success\n", ipsp->iss_hits);
1148 PRINTF("%lu\tcloned\n", ipsp->iss_cloned);
1149 PRINTF("%lu\texpired\n", ipsp->iss_expire);
1150 PRINTF("%lu\tflush all\n", ipsp->iss_flush_all);
1151 PRINTF("%lu\tflush closing\n", ipsp->iss_flush_closing);
1152 PRINTF("%lu\tflush queue\n", ipsp->iss_flush_queue);
1153 PRINTF("%lu\tflush state\n", ipsp->iss_flush_state);
1154 PRINTF("%lu\tflush timeout\n", ipsp->iss_flush_timeout);
1155 PRINTF("%u\thash buckets in use\n", ipsp->iss_inuse);
1156 PRINTF("%lu\tICMP bad\n", ipsp->iss_icmp_bad);
1157 PRINTF("%lu\tICMP banned\n", ipsp->iss_icmp_banned);
1158 PRINTF("%lu\tICMP errors\n", ipsp->iss_icmp_icmperr);
1159 PRINTF("%lu\tICMP head block\n", ipsp->iss_icmp_headblock);
1160 PRINTF("%lu\tICMP hits\n", ipsp->iss_icmp_hits);
1161 PRINTF("%lu\tICMP not query\n", ipsp->iss_icmp_notquery);
1162 PRINTF("%lu\tICMP short\n", ipsp->iss_icmp_short);
1163 PRINTF("%lu\tICMP too many\n", ipsp->iss_icmp_toomany);
1164 PRINTF("%lu\tICMPv6 errors\n", ipsp->iss_icmp6_icmperr);
1165 PRINTF("%lu\tICMPv6 miss\n", ipsp->iss_icmp6_miss);
1166 PRINTF("%lu\tICMPv6 not info\n", ipsp->iss_icmp6_notinfo);
1167 PRINTF("%lu\tICMPv6 not query\n", ipsp->iss_icmp6_notquery);
1168 PRINTF("%lu\tlog fail\n", ipsp->iss_log_fail);
1169 PRINTF("%lu\tlog ok\n", ipsp->iss_log_ok);
1170 PRINTF("%lu\tlookup interface mismatch\n", ipsp->iss_lookup_badifp);
1171 PRINTF("%lu\tlookup mask mismatch\n", ipsp->iss_miss_mask);
1172 PRINTF("%lu\tlookup port mismatch\n", ipsp->iss_lookup_badport);
1173 PRINTF("%lu\tlookup miss\n", ipsp->iss_lookup_miss);
1174 PRINTF("%lu\tmaximum rule references\n", ipsp->iss_max_ref);
1175 PRINTF("%lu\tmaximum hosts per rule\n", ipsp->iss_max_track);
1176 PRINTF("%lu\tno memory\n", ipsp->iss_nomem);
1177 PRINTF("%lu\tout of window\n", ipsp->iss_oow);
1178 PRINTF("%lu\torphans\n", ipsp->iss_orphan);
1179 PRINTF("%lu\tscan block\n", ipsp->iss_scan_block);
1180 PRINTF("%lu\tstate table maximum reached\n", ipsp->iss_max);
1181 PRINTF("%lu\tTCP closing\n", ipsp->iss_tcp_closing);
1182 PRINTF("%lu\tTCP OOW\n", ipsp->iss_tcp_oow);
1183 PRINTF("%lu\tTCP RST add\n", ipsp->iss_tcp_rstadd);
1184 PRINTF("%lu\tTCP too small\n", ipsp->iss_tcp_toosmall);
1185 PRINTF("%lu\tTCP bad options\n", ipsp->iss_tcp_badopt);
1186 PRINTF("%lu\tTCP removed\n", ipsp->iss_fin);
1187 PRINTF("%lu\tTCP FSM\n", ipsp->iss_tcp_fsm);
1188 PRINTF("%lu\tTCP strict\n", ipsp->iss_tcp_strict);
1189 PRINTF("%lu\tTCP wild\n", ipsp->iss_wild);
1190 PRINTF("%lu\tMicrosoft Windows SACK\n", ipsp->iss_winsack);
1192 PRINTF("State logging %sabled\n", state_logging ? "en" : "dis");
1194 PRINTF("IP states added:\n");
1195 for (i = 0; i < 256; i++) {
1196 if (ipsp->iss_proto[i] != 0) {
1197 struct protoent *proto;
1199 proto = getprotobynumber(i);
1200 PRINTF("%lu", ipsp->iss_proto[i]);
1202 PRINTF("\t%s\n", proto->p_name);
1204 PRINTF("\t%d\n", i);
1208 PRINTF("\nState table bucket statistics:\n");
1209 PRINTF("%u\tin use\n", ipsp->iss_inuse);
1211 minlen = ipsp->iss_max;
1215 for (i = 0; i < ipsp->iss_state_size; i++) {
1216 if (buckets[i] > maxlen)
1217 maxlen = buckets[i];
1218 if (buckets[i] < minlen)
1219 minlen = buckets[i];
1220 totallen += buckets[i];
1223 PRINTF("%d\thash efficiency\n",
1224 totallen ? ipsp->iss_inuse * 100 / totallen : 0);
1225 PRINTF("%2.2f%%\tbucket usage\n%u\tminimal length\n",
1226 ((float)ipsp->iss_inuse / ipsp->iss_state_size) * 100.0,
1228 PRINTF("%u\tmaximal length\n%.3f\taverage length\n",
1230 ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
1233 #define ENTRIES_PER_LINE 5
1235 if (opts & OPT_VERBOSE) {
1236 PRINTF("\nCurrent bucket sizes :\n");
1237 for (i = 0; i < ipsp->iss_state_size; i++) {
1238 if ((i % ENTRIES_PER_LINE) == 0)
1240 PRINTF("%4d -> %4u", i, buckets[i]);
1241 if ((i % ENTRIES_PER_LINE) ==
1242 (ENTRIES_PER_LINE - 1))
1253 if (live_kernel == 1) {
1254 showtqtable_live(state_fd);
1256 printtqtable(ipsp->iss_tcptab);
1262 static int handle_resize = 0, handle_break = 0;
1264 static void topipstates(saddr, daddr, sport, dport, protocol, ver,
1265 refreshtime, topclosed, filter)
1276 char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
1277 int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
1278 int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
1279 int len, srclen, dstlen, forward = 1, c = 0;
1280 ips_stat_t ipsst, *ipsstp = &ipsst;
1281 int token_type = IPFGENITER_STATE;
1282 statetop_t *tstable = NULL, *tp;
1283 const char *errstr = "";
1286 struct timeval selecttimeout;
1287 char hostnm[HOSTNMLEN];
1288 struct protoent *proto;
1292 /* install signal handlers */
1293 signal(SIGINT, sig_break);
1294 signal(SIGQUIT, sig_break);
1295 signal(SIGTERM, sig_break);
1296 signal(SIGWINCH, sig_resize);
1298 /* init ncurses stuff */
1304 getmaxyx(stdscr, maxy, maxx);
1307 gethostname(hostnm, sizeof(hostnm) - 1);
1308 hostnm[sizeof(hostnm) - 1] = '\0';
1310 /* init ipfobj_t stuff */
1311 bzero((caddr_t)&ipfo, sizeof(ipfo));
1312 ipfo.ipfo_rev = IPFILTER_VERSION;
1313 ipfo.ipfo_type = IPFOBJ_STATESTAT;
1314 ipfo.ipfo_size = sizeof(*ipsstp);
1315 ipfo.ipfo_ptr = (void *)ipsstp;
1317 /* repeat until user aborts */
1320 /* get state table */
1321 bzero((char *)&ipsst, sizeof(ipsst));
1322 if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
1323 errstr = "ioctl(SIOCGETFS)";
1328 /* clear the history */
1331 /* reset max str len */
1332 srclen = dstlen = 0;
1334 /* read the state table and store in tstable */
1335 for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
1337 ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
1338 if (ipsstp->iss_list == NULL)
1341 if (ips.is_v != ver)
1344 if ((filter != NULL) &&
1345 (state_matcharray(&ips, filter) == 0))
1348 /* check v4 src/dest addresses */
1349 if (ips.is_v == 4) {
1350 if ((saddr.in4.s_addr != INADDR_ANY &&
1351 saddr.in4.s_addr != ips.is_saddr) ||
1352 (daddr.in4.s_addr != INADDR_ANY &&
1353 daddr.in4.s_addr != ips.is_daddr))
1357 /* check v6 src/dest addresses */
1358 if (ips.is_v == 6) {
1359 if ((IP6_NEQ(&saddr, &in6addr_any) &&
1360 IP6_NEQ(&saddr, &ips.is_src)) ||
1361 (IP6_NEQ(&daddr, &in6addr_any) &&
1362 IP6_NEQ(&daddr, &ips.is_dst)))
1366 /* check protocol */
1367 if (protocol > 0 && protocol != ips.is_p)
1370 /* check ports if protocol is TCP or UDP */
1371 if (((ips.is_p == IPPROTO_TCP) ||
1372 (ips.is_p == IPPROTO_UDP)) &&
1373 (((sport > 0) && (htons(sport) != ips.is_sport)) ||
1374 ((dport > 0) && (htons(dport) != ips.is_dport))))
1377 /* show closed TCP sessions ? */
1378 if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
1379 (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
1380 (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
1384 * if necessary make room for this state
1388 if (!maxtsentries || tsentry == maxtsentries) {
1389 maxtsentries += STGROWSIZE;
1390 tstable = reallocarray(tstable, maxtsentries,
1391 sizeof(statetop_t));
1392 if (tstable == NULL) {
1398 /* get max src/dest address string length */
1399 len = strlen(getip(ips.is_v, &ips.is_src));
1402 len = strlen(getip(ips.is_v, &ips.is_dst));
1406 /* fill structure */
1407 tp = tstable + tsentry;
1408 tp->st_src = ips.is_src;
1409 tp->st_dst = ips.is_dst;
1410 tp->st_p = ips.is_p;
1411 tp->st_v = ips.is_v;
1412 tp->st_state[0] = ips.is_state[0];
1413 tp->st_state[1] = ips.is_state[1];
1415 tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
1416 tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
1418 tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
1419 tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
1421 tp->st_age = ips.is_die - ipsstp->iss_ticks;
1422 if ((ips.is_p == IPPROTO_TCP) ||
1423 (ips.is_p == IPPROTO_UDP)) {
1424 tp->st_sport = ips.is_sport;
1425 tp->st_dport = ips.is_dport;
1429 (void) ioctl(state_fd, SIOCIPFDELTOK, &token_type);
1431 /* sort the array */
1432 if (tsentry != -1) {
1436 qsort(tstable, tsentry + 1,
1437 sizeof(statetop_t), sort_p);
1440 qsort(tstable, tsentry + 1,
1441 sizeof(statetop_t), sort_pkts);
1444 qsort(tstable, tsentry + 1,
1445 sizeof(statetop_t), sort_bytes);
1448 qsort(tstable, tsentry + 1,
1449 sizeof(statetop_t), sort_ttl);
1452 qsort(tstable, tsentry + 1,
1453 sizeof(statetop_t), sort_srcip);
1456 qsort(tstable, tsentry +1,
1457 sizeof(statetop_t), sort_srcpt);
1460 qsort(tstable, tsentry + 1,
1461 sizeof(statetop_t), sort_dstip);
1464 qsort(tstable, tsentry + 1,
1465 sizeof(statetop_t), sort_dstpt);
1472 /* handle window resizes */
1473 if (handle_resize) {
1480 getmaxyx(stdscr, maxy, maxx);
1494 sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
1495 for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
1500 /* just for fun add a clock */
1501 move(winy, maxx - 8);
1503 strftime(str1, 80, "%T", localtime(&t));
1504 printw("%s\n", str1);
1507 * print the display filters, this is placed in the loop,
1508 * because someday I might add code for changing these
1509 * while the programming is running :-)
1512 sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
1514 sprintf(str1, "%s", getip(ver, &saddr));
1517 sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
1519 sprintf(str2, "%s", getip(ver, &daddr));
1522 strcpy(str3, "any");
1523 else if ((proto = getprotobynumber(protocol)) != NULL)
1524 sprintf(str3, "%s", proto->p_name);
1526 sprintf(str3, "%d", protocol);
1531 sprintf(str4, "proto");
1534 sprintf(str4, "# pkts");
1537 sprintf(str4, "# bytes");
1540 sprintf(str4, "ttl");
1543 sprintf(str4, "src ip");
1546 sprintf(str4, "src port");
1549 sprintf(str4, "dest ip");
1552 sprintf(str4, "dest port");
1555 sprintf(str4, "unknown");
1560 strcat(str4, " (reverse)");
1564 printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
1565 str1, str2, str3, str4);
1568 * For an IPv4 IP address we need at most 15 characters,
1569 * 4 tuples of 3 digits, separated by 3 dots. Enforce this
1570 * length, so the colums do not change positions based
1571 * on the size of the IP address. This length makes the
1572 * output fit in a 80 column terminal.
1573 * We are lacking a good solution for IPv6 addresses (that
1574 * can be longer that 15 characters), so we do not enforce
1575 * a maximum on the IP field size.
1582 /* print column description */
1586 printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
1587 srclen + 6, "Source IP", dstlen + 6, "Destination IP",
1588 "ST", "PR", "#pkts", "#bytes", "ttl");
1591 /* print all the entries */
1596 if (tsentry > maxy - 6)
1598 for (i = 0; i <= tsentry; i++) {
1599 /* print src/dest and port */
1600 if ((tp->st_p == IPPROTO_TCP) ||
1601 (tp->st_p == IPPROTO_UDP)) {
1602 sprintf(str1, "%s,%hu",
1603 getip(tp->st_v, &tp->st_src),
1604 ntohs(tp->st_sport));
1605 sprintf(str2, "%s,%hu",
1606 getip(tp->st_v, &tp->st_dst),
1607 ntohs(tp->st_dport));
1609 sprintf(str1, "%s", getip(tp->st_v,
1611 sprintf(str2, "%s", getip(tp->st_v,
1616 printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
1619 sprintf(str1, "%X/%X", tp->st_state[0],
1621 printw(" %3s", str1);
1623 /* print protocol */
1624 proto = getprotobynumber(tp->st_p);
1626 strncpy(str1, proto->p_name, 4);
1629 sprintf(str1, "%d", tp->st_p);
1631 /* just print icmp for IPv6-ICMP */
1632 if (tp->st_p == IPPROTO_ICMPV6)
1633 strcpy(str1, "icmp");
1634 printw(" %4s", str1);
1636 /* print #pkt/#bytes */
1638 printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
1639 (unsigned long long) tp->st_bytes);
1641 printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
1643 printw(" %9s", ttl_to_string(tp->st_age));
1651 /* screen data structure is filled, now update the screen */
1655 if (refresh() == ERR)
1662 /* wait for key press or a 1 second time out period */
1663 selecttimeout.tv_sec = refreshtime;
1664 selecttimeout.tv_usec = 0;
1667 select(1, &readfd, NULL, NULL, &selecttimeout);
1669 /* if key pressed, read all waiting keys */
1670 if (FD_ISSET(0, &readfd)) {
1675 if (ISALPHA(c) && ISUPPER(c))
1679 } else if (c == 'q') {
1681 } else if (c == 'r') {
1683 } else if (c == 'b') {
1685 } else if (c == 'f') {
1687 } else if (c == 's') {
1688 if (++sorting > STSORT_MAX)
1697 /* nocbreak(); XXX - endwin() should make this redundant */
1708 * Show fragment cache information that's held in the kernel.
1710 static void showfrstates(ifsp, ticks)
1714 struct ipfr *ipfrtab[IPFT_SIZE], ifr;
1718 * print out the numeric statistics
1720 PRINTF("IP fragment states:\n%lu\tnew\n%lu\texpired\n%lu\thits\n",
1721 ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
1722 PRINTF("%lu\tretrans\n%lu\ttoo short\n",
1723 ifsp->ifs_retrans0, ifsp->ifs_short);
1724 PRINTF("%lu\tno memory\n%lu\talready exist\n",
1725 ifsp->ifs_nomem, ifsp->ifs_exists);
1726 PRINTF("%lu\tinuse\n", ifsp->ifs_inuse);
1729 if (live_kernel == 0) {
1730 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
1736 * Print out the contents (if any) of the fragment cache table.
1738 if (live_kernel == 1) {
1740 if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
1742 if (ifr.ipfr_ifp == NULL)
1744 ifr.ipfr_ttl -= ticks;
1745 printfraginfo("", &ifr);
1746 } while (ifr.ipfr_next != NULL);
1748 for (i = 0; i < IPFT_SIZE; i++)
1749 while (ipfrtab[i] != NULL) {
1750 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1753 printfraginfo("", &ifr);
1754 ipfrtab[i] = ifr.ipfr_next;
1758 * Print out the contents (if any) of the NAT fragment cache table.
1761 if (live_kernel == 0) {
1762 if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
1767 if (live_kernel == 1) {
1769 if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
1771 if (ifr.ipfr_ifp == NULL)
1773 ifr.ipfr_ttl -= ticks;
1774 printfraginfo("NAT: ", &ifr);
1775 } while (ifr.ipfr_next != NULL);
1777 for (i = 0; i < IPFT_SIZE; i++)
1778 while (ipfrtab[i] != NULL) {
1779 if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
1782 printfraginfo("NAT: ", &ifr);
1783 ipfrtab[i] = ifr.ipfr_next;
1790 * Show stats on how auth within IPFilter has been used
1792 static void showauthstates(asp)
1793 ipf_authstat_t *asp;
1795 frauthent_t *frap, fra;
1799 obj.ipfo_rev = IPFILTER_VERSION;
1800 obj.ipfo_type = IPFOBJ_GENITER;
1801 obj.ipfo_size = sizeof(auth);
1802 obj.ipfo_ptr = &auth;
1804 auth.igi_type = IPFGENITER_AUTH;
1805 auth.igi_nitems = 1;
1806 auth.igi_data = &fra;
1809 printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
1810 (unsigned long long) asp->fas_hits,
1811 (unsigned long long) asp->fas_miss);
1813 printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
1816 printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
1817 asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
1819 printf("queok %ld\nquefail %ld\nexpire %ld\n",
1820 asp->fas_queok, asp->fas_quefail, asp->fas_expire);
1822 frap = asp->fas_faelist;
1824 if (live_kernel == 1) {
1825 if (ioctl(auth_fd, SIOCGENITER, &obj))
1828 if (kmemcpy((char *)&fra, (u_long)frap,
1832 printf("age %ld\t", fra.fae_age);
1833 printfr(&fra.fae_fr, ioctl);
1834 frap = fra.fae_next;
1840 * Display groups used for each of filter rules, accounting rules and
1841 * authentication, separately.
1843 static void showgroups(fiop)
1844 struct friostat *fiop;
1846 static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
1847 static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
1851 on = fiop->f_active;
1854 for (i = 0; i < 3; i++) {
1855 printf("%s groups (active):\n", gnames[i]);
1856 for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
1858 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1861 printf("%s\n", grp.fg_name);
1862 printf("%s groups (inactive):\n", gnames[i]);
1863 for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
1865 if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
1868 printf("%s\n", grp.fg_name);
1873 static void parse_ipportstr(argument, ip, port)
1874 const char *argument;
1881 /* make working copy of argument, Theoretically you must be able
1882 * to write to optarg, but that seems very ugly to me....
1884 s = strdup(argument);
1889 if ((comma = strchr(s, ',')) != NULL) {
1890 if (!strcasecmp(comma + 1, "any")) {
1892 } else if (!sscanf(comma + 1, "%d", port) ||
1893 (*port < 0) || (*port > 65535)) {
1894 fprintf(stderr, "Invalid port specification in %s\n",
1903 /* get ip address */
1904 if (!strcasecmp(s, "any")) {
1905 ip->in4.s_addr = INADDR_ANY;
1908 ip->in6 = in6addr_any;
1909 } else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
1912 } else if (inet_aton(s, &ip->in4))
1916 fprintf(stderr, "Invalid IP address: %s\n", s);
1921 /* free allocated memory */
1927 static void sig_resize(s)
1933 static void sig_break(s)
1939 static char *getip(v, addr)
1944 static char hostbuf[MAXHOSTNAMELEN+1];
1948 return inet_ntoa(addr->in4);
1951 (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
1952 hostbuf[MAXHOSTNAMELEN] = '\0';
1960 static char *ttl_to_string(ttl)
1963 static char ttlbuf[STSTRSIZE];
1964 int hours, minutes, seconds;
1966 /* ttl is in half seconds */
1975 sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
1977 sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
1982 static int sort_pkts(a, b)
1987 register const statetop_t *ap = a;
1988 register const statetop_t *bp = b;
1990 if (ap->st_pkts == bp->st_pkts)
1992 else if (ap->st_pkts < bp->st_pkts)
1998 static int sort_bytes(a, b)
2002 register const statetop_t *ap = a;
2003 register const statetop_t *bp = b;
2005 if (ap->st_bytes == bp->st_bytes)
2007 else if (ap->st_bytes < bp->st_bytes)
2013 static int sort_p(a, b)
2017 register const statetop_t *ap = a;
2018 register const statetop_t *bp = b;
2020 if (ap->st_p == bp->st_p)
2022 else if (ap->st_p < bp->st_p)
2028 static int sort_ttl(a, b)
2032 register const statetop_t *ap = a;
2033 register const statetop_t *bp = b;
2035 if (ap->st_age == bp->st_age)
2037 else if (ap->st_age < bp->st_age)
2042 static int sort_srcip(a, b)
2046 register const statetop_t *ap = a;
2047 register const statetop_t *bp = b;
2051 if (IP6_EQ(&ap->st_src, &bp->st_src))
2053 else if (IP6_GT(&ap->st_src, &bp->st_src))
2058 if (ntohl(ap->st_src.in4.s_addr) ==
2059 ntohl(bp->st_src.in4.s_addr))
2061 else if (ntohl(ap->st_src.in4.s_addr) >
2062 ntohl(bp->st_src.in4.s_addr))
2068 static int sort_srcpt(a, b)
2072 register const statetop_t *ap = a;
2073 register const statetop_t *bp = b;
2075 if (htons(ap->st_sport) == htons(bp->st_sport))
2077 else if (htons(ap->st_sport) > htons(bp->st_sport))
2082 static int sort_dstip(a, b)
2086 register const statetop_t *ap = a;
2087 register const statetop_t *bp = b;
2091 if (IP6_EQ(&ap->st_dst, &bp->st_dst))
2093 else if (IP6_GT(&ap->st_dst, &bp->st_dst))
2098 if (ntohl(ap->st_dst.in4.s_addr) ==
2099 ntohl(bp->st_dst.in4.s_addr))
2101 else if (ntohl(ap->st_dst.in4.s_addr) >
2102 ntohl(bp->st_dst.in4.s_addr))
2108 static int sort_dstpt(a, b)
2112 register const statetop_t *ap = a;
2113 register const statetop_t *bp = b;
2115 if (htons(ap->st_dport) == htons(bp->st_dport))
2117 else if (htons(ap->st_dport) > htons(bp->st_dport))
2125 ipstate_t *fetchstate(src, dst)
2126 ipstate_t *src, *dst;
2129 if (live_kernel == 1) {
2133 obj.ipfo_rev = IPFILTER_VERSION;
2134 obj.ipfo_type = IPFOBJ_GENITER;
2135 obj.ipfo_size = sizeof(state);
2136 obj.ipfo_ptr = &state;
2138 state.igi_type = IPFGENITER_STATE;
2139 state.igi_nitems = 1;
2140 state.igi_data = dst;
2142 if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
2144 if (dst->is_next == NULL) {
2145 int n = IPFGENITER_STATE;
2146 (void) ioctl(ipf_fd,SIOCIPFDELTOK, &n);
2149 if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
2156 static int fetchfrag(fd, type, frp)
2163 obj.ipfo_rev = IPFILTER_VERSION;
2164 obj.ipfo_type = IPFOBJ_GENITER;
2165 obj.ipfo_size = sizeof(frag);
2166 obj.ipfo_ptr = &frag;
2168 frag.igi_type = type;
2169 frag.igi_nitems = 1;
2170 frag.igi_data = frp;
2172 if (ioctl(fd, SIOCGENITER, &obj))
2178 static int state_matcharray(stp, array)
2182 int i, n, *x, rv, p;
2187 for (n = array[0], x = array + 1; n > 0; x += e->ipfe_size) {
2189 if (e->ipfe_cmd == IPF_EXP_END)
2195 * The upper 16 bits currently store the protocol value.
2196 * This is currently used with TCP and UDP port compares and
2197 * allows "tcp.port = 80" without requiring an explicit
2198 " "ip.pr = tcp" first.
2200 p = e->ipfe_cmd >> 16;
2201 if ((p != 0) && (p != stp->is_p))
2204 switch (e->ipfe_cmd)
2206 case IPF_EXP_IP_PR :
2207 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2208 rv |= (stp->is_p == e->ipfe_arg0[i]);
2212 case IPF_EXP_IP_SRCADDR :
2215 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2216 rv |= ((stp->is_saddr &
2217 e->ipfe_arg0[i * 2 + 1]) ==
2218 e->ipfe_arg0[i * 2]);
2222 case IPF_EXP_IP_DSTADDR :
2225 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2226 rv |= ((stp->is_daddr &
2227 e->ipfe_arg0[i * 2 + 1]) ==
2228 e->ipfe_arg0[i * 2]);
2232 case IPF_EXP_IP_ADDR :
2235 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2236 rv |= ((stp->is_saddr &
2237 e->ipfe_arg0[i * 2 + 1]) ==
2238 e->ipfe_arg0[i * 2]) ||
2240 e->ipfe_arg0[i * 2 + 1]) ==
2241 e->ipfe_arg0[i * 2]);
2246 case IPF_EXP_IP6_SRCADDR :
2249 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2250 rv |= IP6_MASKEQ(&stp->is_src,
2251 &e->ipfe_arg0[i * 8 + 4],
2252 &e->ipfe_arg0[i * 8]);
2256 case IPF_EXP_IP6_DSTADDR :
2259 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2260 rv |= IP6_MASKEQ(&stp->is_dst,
2261 &e->ipfe_arg0[i * 8 + 4],
2262 &e->ipfe_arg0[i * 8]);
2266 case IPF_EXP_IP6_ADDR :
2269 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2270 rv |= IP6_MASKEQ(&stp->is_src,
2271 &e->ipfe_arg0[i * 8 + 4],
2272 &e->ipfe_arg0[i * 8]) ||
2273 IP6_MASKEQ(&stp->is_dst,
2274 &e->ipfe_arg0[i * 8 + 4],
2275 &e->ipfe_arg0[i * 8]);
2280 case IPF_EXP_UDP_PORT :
2281 case IPF_EXP_TCP_PORT :
2282 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2283 rv |= (stp->is_sport == e->ipfe_arg0[i]) ||
2284 (stp->is_dport == e->ipfe_arg0[i]);
2288 case IPF_EXP_UDP_SPORT :
2289 case IPF_EXP_TCP_SPORT :
2290 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2291 rv |= (stp->is_sport == e->ipfe_arg0[i]);
2295 case IPF_EXP_UDP_DPORT :
2296 case IPF_EXP_TCP_DPORT :
2297 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2298 rv |= (stp->is_dport == e->ipfe_arg0[i]);
2302 case IPF_EXP_IDLE_GT :
2303 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2304 rv |= (stp->is_die < e->ipfe_arg0[i]);
2308 case IPF_EXP_TCP_STATE :
2309 for (i = 0; !rv && i < e->ipfe_narg; i++) {
2310 rv |= (stp->is_state[0] == e->ipfe_arg0[i]) ||
2311 (stp->is_state[1] == e->ipfe_arg0[i]);
2325 static void showtqtable_live(fd)
2328 ipftq_t table[IPF_TCP_NSTATES];
2331 bzero((char *)&obj, sizeof(obj));
2332 obj.ipfo_rev = IPFILTER_VERSION;
2333 obj.ipfo_size = sizeof(table);
2334 obj.ipfo_ptr = (void *)table;
2335 obj.ipfo_type = IPFOBJ_STATETQTAB;
2337 if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
2338 printtqtable(table);