2 * Copyright (C) 2012 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
13 * print the filter structure in a useful way
28 type = fp->fr_type & ~FR_T_BUILTIN;
30 if ((fp->fr_type & FR_T_BUILTIN) != 0)
31 PRINTF("# Builtin: ");
33 if (fp->fr_collect != 0)
34 PRINTF("%u ", fp->fr_collect);
36 if (fp->fr_type == FR_T_CALLFUNC) {
38 } else if (fp->fr_func != NULL) {
40 if ((fp->fr_flags & FR_CALLNOW) != 0)
42 s = kvatoname(fp->fr_func, iocfunc);
43 PRINTF(" %s/%u", s ? s : "?", fp->fr_arg);
44 } else if (FR_ISPASS(fp->fr_flags))
46 else if (FR_ISBLOCK(fp->fr_flags)) {
48 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
50 } else if (FR_ISACCOUNT(fp->fr_flags))
52 else if (FR_ISAUTH(fp->fr_flags))
54 else if (FR_ISPREAUTH(fp->fr_flags))
56 else if (FR_ISNOMATCH(fp->fr_flags))
58 else if (FR_ISDECAPS(fp->fr_flags))
59 PRINTF("decapsulate");
60 else if (FR_ISSKIP(fp->fr_flags))
61 PRINTF("skip %u", fp->fr_arg);
63 PRINTF("%x", fp->fr_flags);
65 if (fp->fr_flags & FR_RETICMP) {
66 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
67 PRINTF(" return-icmp-as-dest");
68 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
69 PRINTF(" return-icmp");
71 if (fp->fr_icode <= MAX_ICMPCODE)
73 icmpcodes[(int)fp->fr_icode]);
75 PRINTF("(%d)", fp->fr_icode);
77 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
78 PRINTF(" return-rst");
80 if (fp->fr_flags & FR_OUTQUE)
82 else if (fp->fr_flags & FR_INQUE)
85 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
86 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
91 if (fp->fr_flags & FR_QUICK)
94 if (fp->fr_ifnames[0] != -1) {
95 printifname("on ", fp->fr_names + fp->fr_ifnames[0],
97 if (fp->fr_ifnames[1] != -1 &&
98 strcmp(fp->fr_names + fp->fr_ifnames[1], "*"))
99 printifname(",", fp->fr_names + fp->fr_ifnames[1],
104 if (fp->fr_tif.fd_name != -1)
105 print_toif(fp->fr_family, "to", fp->fr_names, &fp->fr_tif);
106 if (fp->fr_dif.fd_name != -1)
107 print_toif(fp->fr_family, "dup-to", fp->fr_names,
109 if (fp->fr_rif.fd_name != -1)
110 print_toif(fp->fr_family, "reply-to", fp->fr_names,
112 if (fp->fr_flags & FR_FASTROUTE)
113 PRINTF("fastroute ");
115 if ((fp->fr_ifnames[2] != -1 &&
116 strcmp(fp->fr_names + fp->fr_ifnames[2], "*")) ||
117 (fp->fr_ifnames[3] != -1 &&
118 strcmp(fp->fr_names + fp->fr_ifnames[3], "*"))) {
119 if (fp->fr_flags & FR_OUTQUE)
124 if (fp->fr_ifnames[2] != -1) {
125 printifname("", fp->fr_names + fp->fr_ifnames[2],
127 if (fp->fr_ifnames[3] != -1) {
129 fp->fr_names + fp->fr_ifnames[3],
136 if (fp->fr_family == AF_INET) {
140 } else if (fp->fr_family == AF_INET6) {
148 if (type == FR_T_IPF) {
149 if (fp->fr_mip.fi_tos)
150 PRINTF("tos %#x ", fp->fr_tos);
151 if (fp->fr_mip.fi_ttl)
152 PRINTF("ttl %d ", fp->fr_ttl);
153 if (fp->fr_flx & FI_TCPUDP) {
154 PRINTF("proto tcp/udp ");
156 } else if (fp->fr_mip.fi_p) {
158 p = getprotobynumber(pr);
160 printproto(p, pr, NULL);
172 PRINTF("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
173 printaddr(af, fp->fr_satype, fp->fr_names, fp->fr_ifnames[0],
174 &fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
176 printportcmp(pr, &fp->fr_tuc.ftu_src);
178 PRINTF(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
179 printaddr(af, fp->fr_datype, fp->fr_names, fp->fr_ifnames[0],
180 &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
182 printportcmp(pr, &fp->fr_tuc.ftu_dst);
184 if (((fp->fr_proto == IPPROTO_ICMP) ||
185 (fp->fr_proto == IPPROTO_ICMPV6)) && fp->fr_icmpm) {
186 int type = fp->fr_icmp, code;
189 type = ntohs(fp->fr_icmp);
192 name = icmptypename(fp->fr_family, type);
194 PRINTF(" icmp-type %d", type);
196 PRINTF(" icmp-type %s", name);
197 if (ntohs(fp->fr_icmpm) & 0xff)
198 PRINTF(" code %d", code);
200 if ((fp->fr_proto == IPPROTO_TCP) &&
201 (fp->fr_tcpf || fp->fr_tcpfm)) {
203 printtcpflags(fp->fr_tcpf, fp->fr_tcpfm);
212 PRINTF("bpf-v%d { \"", fp->fr_family);
213 i = fp->fr_dsize / sizeof(*fb);
215 for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
216 PRINTF("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
227 PRINTF("call function at %p", fp->fr_data);
232 printipfexpr(fp->fr_data);
237 PRINTF("[unknown filter type %#x]", fp->fr_type);
241 if ((type == FR_T_IPF) &&
242 ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
243 fp->fr_optbits || fp->fr_optmask ||
244 fp->fr_secbits || fp->fr_secmask)) {
248 if (fp->fr_optbits || fp->fr_optmask ||
249 fp->fr_secbits || fp->fr_secmask) {
250 sec[0] = fp->fr_secmask;
251 sec[1] = fp->fr_secbits;
252 if (fp->fr_family == AF_INET)
253 optprint(sec, fp->fr_optmask, fp->fr_optbits);
256 optprintv6(sec, fp->fr_optmask,
259 } else if (fp->fr_mflx & FI_OPTIONS) {
260 fputs(comma, stdout);
261 if (!(fp->fr_flx & FI_OPTIONS))
266 if (fp->fr_mflx & FI_SHORT) {
267 fputs(comma, stdout);
268 if (!(fp->fr_flx & FI_SHORT))
273 if (fp->fr_mflx & FI_FRAG) {
274 fputs(comma, stdout);
275 if (!(fp->fr_flx & FI_FRAG))
280 if (fp->fr_mflx & FI_FRAGBODY) {
281 fputs(comma, stdout);
282 if (!(fp->fr_flx & FI_FRAGBODY))
287 if (fp->fr_mflx & FI_NATED) {
288 fputs(comma, stdout);
289 if (!(fp->fr_flx & FI_NATED))
294 if (fp->fr_mflx & FI_LOWTTL) {
295 fputs(comma, stdout);
296 if (!(fp->fr_flx & FI_LOWTTL))
301 if (fp->fr_mflx & FI_BAD) {
302 fputs(comma, stdout);
303 if (!(fp->fr_flx & FI_BAD))
308 if (fp->fr_mflx & FI_BADSRC) {
309 fputs(comma, stdout);
310 if (!(fp->fr_flx & FI_BADSRC))
315 if (fp->fr_mflx & FI_BADNAT) {
316 fputs(comma, stdout);
317 if (!(fp->fr_flx & FI_BADNAT))
322 if (fp->fr_mflx & FI_OOW) {
323 fputs(comma, stdout);
324 if (!(fp->fr_flx & FI_OOW))
329 if (fp->fr_mflx & FI_MBCAST) {
330 fputs(comma, stdout);
331 if (!(fp->fr_flx & FI_MBCAST))
336 if (fp->fr_mflx & FI_BROADCAST) {
337 fputs(comma, stdout);
338 if (!(fp->fr_flx & FI_BROADCAST))
343 if (fp->fr_mflx & FI_MULTICAST) {
344 fputs(comma, stdout);
345 if (!(fp->fr_flx & FI_MULTICAST))
350 if (fp->fr_mflx & FI_STATE) {
351 fputs(comma, stdout);
352 if (!(fp->fr_flx & FI_STATE))
357 if (fp->fr_mflx & FI_V6EXTHDR) {
358 fputs(comma, stdout);
359 if (!(fp->fr_flx & FI_V6EXTHDR))
366 if (fp->fr_flags & FR_KEEPSTATE) {
367 host_track_t *src = &fp->fr_srctrack;
368 PRINTF(" keep state");
369 if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|
370 FR_NOICMPERR|FR_STATESYNC)) ||
371 (fp->fr_statemax != 0) || (fp->fr_age[0] != 0) ||
372 (src->ht_max_nodes != 0)) {
375 if (fp->fr_statemax != 0) {
376 PRINTF("limit %u", fp->fr_statemax);
379 if (src->ht_max_nodes != 0) {
380 PRINTF("%smax-nodes %d", comma,
382 if (src->ht_max_per_node)
383 PRINTF(", max-per-src %d/%d",
384 src->ht_max_per_node,
388 if (fp->fr_flags & FR_STSTRICT) {
389 PRINTF("%sstrict", comma);
392 if (fp->fr_flags & FR_STLOOSE) {
393 PRINTF("%sloose", comma);
396 if (fp->fr_flags & FR_NEWISN) {
397 PRINTF("%snewisn", comma);
400 if (fp->fr_flags & FR_NOICMPERR) {
401 PRINTF("%sno-icmp-err", comma);
404 if (fp->fr_flags & FR_STATESYNC) {
405 PRINTF("%ssync", comma);
408 if (fp->fr_age[0] || fp->fr_age[1])
409 PRINTF("%sage %d/%d", comma, fp->fr_age[0],
414 if (fp->fr_flags & FR_KEEPFRAG) {
415 PRINTF(" keep frags");
416 if (fp->fr_flags & (FR_FRSTRICT)) {
418 if (fp->fr_flags & FR_FRSTRICT)
424 if (fp->fr_isc != (struct ipscan *)-1) {
425 if (fp->fr_isctag != -1)
426 PRINTF(" scan %s", fp->fr_isctag + fp->fr_names);
430 if (fp->fr_grhead != -1)
431 PRINTF(" head %s", fp->fr_names + fp->fr_grhead);
432 if (fp->fr_group != -1)
433 PRINTF(" group %s", fp->fr_names + fp->fr_group);
434 if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
438 if (fp->fr_logtag != FR_NOLOGTAG) {
439 PRINTF("log=%u", fp->fr_logtag);
442 if (*fp->fr_nattag.ipt_tag) {
443 PRINTF("%snat=%-.*s", s, IPFTAG_LEN,
444 fp->fr_nattag.ipt_tag);
450 PRINTF(" pps %d", fp->fr_pps);
452 if (fp->fr_comment != -1)
453 PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);
456 if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
457 PRINTF(" # count %d", fp->fr_statecnt);
459 PRINTF(" rule-ttl %u", fp->fr_die);
461 } else if (fp->fr_die != 0) {
462 PRINTF(" # rule-ttl %u", fp->fr_die);
465 if (opts & OPT_DEBUG) {
468 PRINTF(" ref %d", fp->fr_ref);
projects / FreeBSD / FreeBSD.git / blob