2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2002 Dag-Erling Smørgrav
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer
12 * in this position and unchanged.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 #include <sys/param.h>
33 #include <sys/socket.h>
34 #include <sys/socketvar.h>
35 #include <sys/sysctl.h>
38 #include <sys/queue.h>
42 #include <sys/unpcb.h>
44 #include <net/route.h>
46 #include <netinet/in.h>
47 #include <netinet/in_pcb.h>
48 #include <netinet/sctp.h>
49 #include <netinet/tcp.h>
50 #define TCPSTATES /* load state names */
51 #include <netinet/tcp_fsm.h>
52 #include <netinet/tcp_seq.h>
53 #include <netinet/tcp_var.h>
54 #include <arpa/inet.h>
56 #include <capsicum_helpers.h>
70 #include <libcasper.h>
71 #include <casper/cap_net.h>
72 #include <casper/cap_netdb.h>
73 #include <casper/cap_pwd.h>
74 #include <casper/cap_sysctl.h>
/*
 * Cast helpers from the generic sockaddr_storage held in struct addr to the
 * family-specific view.  They check nothing: callers switch on ss_family
 * first (see printaddr()) and then pick the matching accessor.
 */
76 #define sstosin(ss) ((struct sockaddr_in *)(ss))
77 #define sstosin6(ss) ((struct sockaddr_in6 *)(ss))
78 #define sstosun(ss) ((struct sockaddr_un *)(ss))
79 #define sstosa(ss) ((struct sockaddr *)(ss))
/* Command-line switches; all are set from the getopt(3) loop in main(). */
81 static int opt_4; /* Show IPv4 sockets */
82 static int opt_6; /* Show IPv6 sockets */
83 static int opt_C; /* Show congestion control */
84 static int opt_c; /* Show connected sockets */
85 static int opt_i; /* Show inp_gencnt */
/*
 * Jail id to filter on.  A negative value disables the filter (the display
 * loop tests opt_j >= 0, and main() resets it to -1 after jail_attach()).
 */
86 static int opt_j; /* Show specified jail */
87 static int opt_L; /* Don't show IPv4 or IPv6 loopback sockets */
88 static int opt_l; /* Show listening sockets */
89 static int opt_n; /* Don't resolve UIDs to user names */
90 static int opt_q; /* Don't show header */
91 static int opt_S; /* Show protocol stack if applicable */
92 static int opt_s; /* Show protocol state if applicable */
93 static int opt_U; /* Show remote UDP encapsulation port number */
94 static int opt_u; /* Show Unix domain sockets */
95 static int opt_v; /* Verbose mode */
96 static int opt_w; /* Wide print area for addresses */
99 * Default protocols to use if no -P was defined.
101 static const char *default_protos[] = {"sctp", "tcp", "udp", "divert" };
102 static size_t default_numprotos = nitems(default_protos);
/*
 * protos[] is filled either by parse_protos() from -P or by
 * set_default_protos().  Note that parse_protos() overwrites numprotos with
 * the number of entries it actually parsed, not the allocated size the
 * comment below describes; treat numprotos as "entries in use" after that.
 */
104 static int *protos; /* protocols to use */
105 static size_t numprotos; /* allocated size of protos[] */
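#define INT_BIT (sizeof(int)*CHAR_BIT)
/*
 * Port filter bitmap: 65536 bits stored in the int array ports[] that
 * parse_ports() allocates.  Arguments are parenthesized so callers may pass
 * expressions, and the mask is built from an unsigned 1: shifting a signed 1
 * by INT_BIT - 1 (every port whose index is 31 modulo 32) is undefined
 * behaviour, which the previous `1 << (p % INT_BIT)` form triggered.
 * SET_PORT() marks port p as selected; CHK_PORT() is nonzero when it is.
 */
#define SET_PORT(p) do { ports[(p) / INT_BIT] |= 1U << ((p) % INT_BIT); } while (0)
#define CHK_PORT(p) (ports[(p) / INT_BIT] & (1U << ((p) % INT_BIT)))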
/*
 * Fields of struct addr (address, the unix(4) peer block, encaps_port) and
 * of struct sock (tree/list links, protoname, stack, cc); both struct
 * headers and the remaining members are not shown in this listing.
 */
115 struct sockaddr_storage address;
116 struct { /* unix(4) faddr */
122 unsigned int encaps_port;
/* socket_tree is keyed by sock->socket, pcb_tree by sock->pcb. */
129 RB_ENTRY(sock) socket_tree; /* tree of pcbs with socket */
130 SLIST_ENTRY(sock) socket_list; /* list of pcbs w/o socket */
132 RB_ENTRY(sock) pcb_tree;
141 const char *protoname;
/*
 * stack and cc are copied from the kernel's xtcpcb at full width by
 * gather_inet() and are not guaranteed to be NUL-terminated; always print
 * them with a length bound (displaysock() uses "%.*s").
 */
142 char stack[TCP_FUNCTION_NAME_LEN_MAX];
143 char cc[TCP_CA_NAME_MAX];
148 static RB_HEAD(socks_t, sock) socks = RB_INITIALIZER(&socks);
/*
 * Comparator for the socks tree: orders struct sock by kernel socket
 * address.  Both operands are halved before subtracting, which looks
 * intended to keep the difference representable once cast to int64_t --
 * TODO confirm against the width of the socket field (not shown).  Note
 * RB_INSERT() does not insert a second node with an equal key.
 */
150 socket_compare(const struct sock *a, const struct sock *b)
152 return ((int64_t)(a->socket/2 - b->socket/2));
154 RB_GENERATE_STATIC(socks_t, sock, socket_tree, socket_compare);
156 static RB_HEAD(pcbs_t, sock) pcbs = RB_INITIALIZER(&pcbs);
/*
 * Comparator for the pcbs tree (unix(4) sockets keyed by pcb address, used
 * by displaysock() to resolve unp_conn/firstref/nextref links).  Same
 * halving trick as socket_compare(); see the note there.
 */
158 pcb_compare(const struct sock *a, const struct sock *b)
160 return ((int64_t)(a->pcb/2 - b->pcb/2));
162 RB_GENERATE_STATIC(pcbs_t, sock, pcb_tree, pcb_compare);
164 static SLIST_HEAD(, sock) nosocks = SLIST_HEAD_INITIALIZER(&nosocks);
167 RB_ENTRY(file) file_tree;
174 static RB_HEAD(files_t, file) ftree = RB_INITIALIZER(&ftree);
/*
 * Comparator for the files tree: orders struct file by xf_data, the kernel
 * pointer that a socket file descriptor carries, so a sock can be mapped
 * back to its owning pid/fd.  Same halving trick as socket_compare().
 */
176 file_compare(const struct file *a, const struct file *b)
178 return ((int64_t)(a->xf_data/2 - b->xf_data/2));
180 RB_GENERATE_STATIC(files_t, file, file_tree, file_compare);
/*
 * Array backing ftree, filled by the kern.file gatherer and walked again by
 * the display loop.  Each element is linked into ftree by address, so the
 * array must not be moved (realloc'd) or freed while the tree is in use.
 */
182 static struct file *files;
/*
 * Casper service handles.  They stay NULL until main() has entered
 * capability mode and opened the services; code that can run earlier, such
 * as get_proto_type() during option parsing, must cope with a NULL handle
 * (it falls back to the libc lookup when capnetdb is NULL).
 */
185 static cap_channel_t *capnet;
186 static cap_channel_t *capnetdb;
187 static cap_channel_t *capsysctl;
188 static cap_channel_t *cappwd;
/*
 * printf(3) wrapper returning the number of characters written, so callers
 * can track the output column.  Every visible caller passes a string
 * literal as fmt, so no externally supplied format string reaches
 * vprintf(); keep it that way.  The va_start()/va_end() lines and the
 * return are not shown here.
 */
191 xprintf(const char *fmt, ...)
197 len = vprintf(fmt, ap);
/*
 * Warn when the record size reported by the kernel (received_size) differs
 * from the size this binary was built with (expected_size) -- the usual
 * symptom of a userland/kernel mismatch.  Callers test the result with `!`
 * (gather_inet(), gather_unix()), so it appears to return nonzero on a
 * match; the return statements are not shown.
 * Style: both sizes are size_t, so the conversions should be %zu, not %zd.
 */
205 _check_ksize(size_t received_size, size_t expected_size, const char *struct_name)
207 if (received_size != expected_size) {
208 warnx("%s size mismatch: expected %zd, received %zd",
209 struct_name, expected_size, received_size);
/* Stringify the struct tag so the warning names the type being checked. */
214 #define check_ksize(_sz, _struct) (_check_ksize(_sz, sizeof(_struct), #_struct))
/*
 * Fatal variant of _check_ksize(): a size mismatch ends the program via
 * errx(3) instead of being reported, used where parsing cannot safely
 * continue on a record of unexpected size (the xinpgen/xfile headers).
 * Style: both sizes are size_t, so the conversions should be %zu, not %zd.
 */
217 _enforce_ksize(size_t received_size, size_t expected_size, const char *struct_name)
219 if (received_size != expected_size) {
220 errx(1, "fatal: struct %s size mismatch: expected %zd, received %zd",
221 struct_name, expected_size, received_size);
224 #define enforce_ksize(_sz, _struct) (_enforce_ksize(_sz, sizeof(_struct), #_struct))
/*
 * Map a protocol name to its IPPROTO_* number.  The lookup goes through the
 * Casper netdb service once it is open; parse_protos() runs from the getopt
 * loop, ahead of cap_init() in main(), so at that point capnetdb is still
 * NULL and plain getprotobyname(3) is used.  The empty-name and
 * lookup-failure returns (-1, judging by the caller's `proto_type != -1`
 * test) are in lines not shown.
 */
227 get_proto_type(const char *proto)
229 struct protoent *pent;
231 if (strlen(proto) == 0)
233 if (capnetdb != NULL)
234 pent = cap_getprotobyname(capnetdb, proto);
236 pent = getprotobyname(proto);
238 warn("cap_getprotobyname");
241 return (pent->p_proto);
/*
 * Sizes and allocates protos[] (the function header is not shown; it is the
 * routine set_default_protos() calls as init_protos()).  This path bounds
 * the table by walking the protocols database with getprotoent(3), which
 * has to happen before capability mode is entered -- true for the -P path,
 * since parse_protos() runs from the getopt loop ahead of cap_init().  The
 * counter increment, endprotoent() and the malloc() failure branch are in
 * lines not shown.
 */
252 /* Find the maximum number of possible protocols. */
253 while (getprotoent() != NULL)
258 if ((protos = malloc(sizeof(int) * proto_count)) == NULL)
260 numprotos = proto_count;
/*
 * Parse the comma-separated -P argument into protos[] and return the number
 * of protocols recognised (also stored in numprotos).  Unknown names are
 * dropped by the -1 test and empty fields are skipped; strsep(3) modifies
 * protospec in place.
 * Robustness: proto_index is never compared with the size allocated for
 * protos[] (the allocation happens in lines not shown, before the loop), so
 * a specification that repeats names more times than that allocation holds
 * would write past the array.  Confirm the bound, or guard the store with
 * `if (proto_index < numprotos)` before numprotos is overwritten below.
 */
264 parse_protos(char *protospec)
267 int proto_type, proto_index;
269 if (protospec == NULL)
274 while ((prot = strsep(&protospec, ",")) != NULL) {
275 if (strlen(prot) == 0)
277 proto_type = get_proto_type(prot);
278 if (proto_type != -1)
279 protos[proto_index++] = proto_type;
281 numprotos = proto_index;
282 return (proto_index);
/*
 * Parse the -p argument (comma-separated ports and lo-hi ranges) into the
 * 65536-bit ports bitmap consulted by CHK_PORT().  The separator handling
 * and the SET_PORT() calls are in lines not shown.
 * Two robustness notes on the visible digit handling:
 *  - each digit run is accumulated into a signed int (see the `port < 0`
 *    test) with no length limit, so a run of ten or more digits can
 *    overflow before the 0..65535 check runs -- signed overflow is
 *    undefined behaviour; a strtol(3)/ERANGE check or a digit-count cap
 *    would avoid it;
 *  - isdigit(*q) is passed a plain char; <ctype.h> requires the value to
 *    be cast to unsigned char first.
 */
286 parse_ports(const char *portspec)
292 if ((ports = calloc(65536 / INT_BIT, sizeof(int))) == NULL)
297 errx(1, "syntax error in port range");
298 for (q = p; *q != '\0' && isdigit(*q); ++q)
300 for (port = 0; p < q; ++p)
301 port = port * 10 + digittoint(*p);
302 if (port < 0 || port > 65535)
303 errx(1, "invalid port number");
/* Optional upper end of a lo-hi range; must not be below the lower end. */
316 for (q = p; *q != '\0' && isdigit(*q); ++q)
318 for (end = 0; p < q; ++p)
319 end = end * 10 + digittoint(*p);
320 if (end < port || end > 65535)
321 errx(1, "invalid port number");
/*
 * Fill *ss as an IPv4 or IPv6 socket address.  `addr` must point at a
 * struct in_addr (af == AF_INET) or struct in6_addr (af == AF_INET6).
 * `port` is stored as given, so callers pass it in network byte order
 * already (the SCTP gatherer wraps it in htons(); gather_inet() passes the
 * pcb's inp_lport/inp_fport through unchanged, presumably already in that
 * order).  The af dispatch and the sin4/sin6 assignments sit in lines not
 * shown.
 */
330 sockaddr(struct sockaddr_storage *ss, int af, void *addr, int port)
332 struct sockaddr_in *sin4;
333 struct sockaddr_in6 *sin6;
/* Clear the whole storage so unused tail bytes are deterministic. */
335 bzero(ss, sizeof(*ss));
339 sin4->sin_len = sizeof(*sin4);
340 sin4->sin_family = af;
341 sin4->sin_port = port;
342 sin4->sin_addr = *(struct in_addr *)addr;
346 sin6->sin6_len = sizeof(*sin6);
347 sin6->sin6_family = af;
348 sin6->sin6_port = port;
349 sin6->sin6_addr = *(struct in6_addr *)addr;
350 #define s6_addr16 __u6_addr.__u6_addr16
/*
 * Link-local addresses from the kernel carry the scope (interface index)
 * embedded in the second 16-bit word of the address; move it to
 * sin6_scope_id and clear the word.
 */
351 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
352 sin6->sin6_scope_id =
353 ntohs(sin6->sin6_addr.s6_addr16[1]);
354 sin6->sin6_addr.s6_addr16[1] = 0;
/*
 * Release a struct sock together with its local and foreign address lists.
 * Only the two loop heads survive in this listing; the list-head loads, the
 * free() calls and presumably the release of sock itself are in lines not
 * shown.
 */
363 free_socket(struct sock *sock)
365 struct addr *cur, *next;
368 while (cur != NULL) {
374 while (cur != NULL) {
/*
 * Collect SCTP endpoints and associations from net.inet.sctp.assoclist into
 * the socks tree.  The function header and several declarations (buf, len,
 * offset, sock, vflag) are not shown.  The sysctl returns a flat stream of
 * records: one xsctp_inpcb, its xsctp_laddr run, then per association an
 * xsctp_tcb followed by xsctp_laddr and xsctp_raddr runs; every run is
 * terminated by an entry whose `last` field is set.
 * Robustness note: each walk below checks only `offset < len` before
 * casting buf + offset to a record type, so a buffer that does not end on a
 * record boundary would be read past `len`.  The producer is the kernel, so
 * this is not a trust-boundary issue, but `offset + sizeof(record) <= len`
 * would make the walk self-contained.
 */
386 struct addr *laddr, *prev_laddr, *faddr, *prev_faddr;
387 struct xsctp_inpcb *xinpcb;
388 struct xsctp_tcb *xstcb;
389 struct xsctp_raddr *xraddr;
390 struct xsctp_laddr *xladdr;
395 int no_stcb, local_all_loopback, foreign_all_loopback;
/* Size probe first, then the real fetch into a buffer of that size. */
403 varname = "net.inet.sctp.assoclist";
404 if (cap_sysctlbyname(capsysctl, varname, 0, &len, 0, 0) < 0) {
406 err(1, "cap_sysctlbyname()");
409 if ((buf = (char *)malloc(len)) == NULL) {
413 if (cap_sysctlbyname(capsysctl, varname, buf, &len, 0, 0) < 0) {
414 err(1, "cap_sysctlbyname()");
/* The stream starts with an endpoint record; walk until the terminator. */
418 xinpcb = (struct xsctp_inpcb *)(void *)buf;
419 offset = sizeof(struct xsctp_inpcb);
420 while ((offset < len) && (xinpcb->last == 0)) {
421 if ((sock = calloc(1, sizeof *sock)) == NULL)
423 sock->socket = xinpcb->socket;
424 sock->proto = IPPROTO_SCTP;
425 sock->protoname = "sctp";
/* A non-zero listen queue length marks a listening endpoint. */
426 if (xinpcb->maxqlen == 0)
427 sock->state = SCTP_CLOSED;
429 sock->state = SCTP_LISTEN;
430 if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) {
431 sock->family = AF_INET6;
433 * Currently there is no way to distinguish between
434 * IPv6 only sockets or dual family sockets.
435 * So mark it as dual socket.
437 sock->vflag = INP_IPV6 | INP_IPV4;
439 sock->family = AF_INET;
440 sock->vflag = INP_IPV4;
/* Local address run of the endpoint; tracks whether all are loopback. */
443 local_all_loopback = 1;
444 while (offset < len) {
445 xladdr = (struct xsctp_laddr *)(void *)(buf + offset);
446 offset += sizeof(struct xsctp_laddr);
447 if (xladdr->last == 1)
449 if ((laddr = calloc(1, sizeof(struct addr))) == NULL)
451 switch (xladdr->address.sa.sa_family) {
/*
 * "Is 127/8" test, the same one gather_inet() uses.  It is (re)defined at
 * every use site under a reserved double-underscore name; one static inline
 * helper shared by all callers would be cleaner.
 */
453 #define __IN_IS_ADDR_LOOPBACK(pina) \
454 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
455 if (!__IN_IS_ADDR_LOOPBACK(
456 &xladdr->address.sin.sin_addr))
457 local_all_loopback = 0;
458 #undef __IN_IS_ADDR_LOOPBACK
459 sockaddr(&laddr->address, AF_INET,
460 &xladdr->address.sin.sin_addr,
461 htons(xinpcb->local_port));
464 if (!IN6_IS_ADDR_LOOPBACK(
465 &xladdr->address.sin6.sin6_addr))
466 local_all_loopback = 0;
467 sockaddr(&laddr->address, AF_INET6,
468 &xladdr->address.sin6.sin6_addr,
469 htons(xinpcb->local_port));
472 errx(1, "address family %d not supported",
473 xladdr->address.sa.sa_family);
/* Append in stream order (the head assignment is in a line not shown). */
476 if (prev_laddr == NULL)
479 prev_laddr->next = laddr;
/*
 * Unbound endpoint: synthesise an empty address of the right family so
 * sock->laddr is never NULL, and clear the all-loopback flag since there is
 * no loopback-only binding to hide.
 */
482 if (sock->laddr == NULL) {
484 calloc(1, sizeof(struct addr))) == NULL)
486 sock->laddr->address.ss_family = sock->family;
487 if (sock->family == AF_INET)
488 sock->laddr->address.ss_len =
489 sizeof(struct sockaddr_in);
491 sock->laddr->address.ss_len =
492 sizeof(struct sockaddr_in6);
493 local_all_loopback = 0;
/* The endpoint itself has no peer; give it an empty foreign address. */
495 if ((sock->faddr = calloc(1, sizeof(struct addr))) == NULL)
497 sock->faddr->address.ss_family = sock->family;
498 if (sock->family == AF_INET)
499 sock->faddr->address.ss_len =
500 sizeof(struct sockaddr_in);
502 sock->faddr->address.ss_len =
503 sizeof(struct sockaddr_in6);
/* Association run (xsctp_tcb) of this endpoint. */
505 while (offset < len) {
506 xstcb = (struct xsctp_tcb *)(void *)(buf + offset);
507 offset += sizeof(struct xsctp_tcb);
/*
 * Report the endpoint's own sock once, for listeners (-l) and for
 * UDP-type (one-to-many) endpoints, honouring the family and -L filters.
 */
509 if (opt_l && (sock->vflag & vflag) &&
510 (!opt_L || !local_all_loopback) &&
511 ((xinpcb->flags & SCTP_PCB_FLAGS_UDPTYPE) ||
512 (xstcb->last == 1))) {
513 RB_INSERT(socks_t, &socks, sock);
518 if (xstcb->last == 1)
/* One sock per association, keyed by the same endpoint socket pointer. */
522 if ((sock = calloc(1, sizeof *sock)) == NULL)
524 sock->socket = xinpcb->socket;
525 sock->proto = IPPROTO_SCTP;
526 sock->protoname = "sctp";
527 sock->state = (int)xstcb->state;
528 if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) {
529 sock->family = AF_INET6;
531 * Currently there is no way to distinguish
532 * between IPv6 only sockets or dual family
533 * sockets. So mark it as dual socket.
535 sock->vflag = INP_IPV6 | INP_IPV4;
537 sock->family = AF_INET;
538 sock->vflag = INP_IPV4;
/* Local addresses of the association. */
542 local_all_loopback = 1;
543 while (offset < len) {
544 xladdr = (struct xsctp_laddr *)(void *)(buf +
546 offset += sizeof(struct xsctp_laddr);
547 if (xladdr->last == 1)
/*
 * Unlike the endpoint-level calloc() above, no NULL check is visible here
 * between the allocation and its use; it may sit in the lines not shown --
 * confirm.  Same for the faddr allocation below.
 */
551 laddr = calloc(1, sizeof(struct addr));
554 switch (xladdr->address.sa.sa_family) {
556 #define __IN_IS_ADDR_LOOPBACK(pina) \
557 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
558 if (!__IN_IS_ADDR_LOOPBACK(
559 &xladdr->address.sin.sin_addr))
560 local_all_loopback = 0;
561 #undef __IN_IS_ADDR_LOOPBACK
562 sockaddr(&laddr->address, AF_INET,
563 &xladdr->address.sin.sin_addr,
564 htons(xstcb->local_port));
567 if (!IN6_IS_ADDR_LOOPBACK(
568 &xladdr->address.sin6.sin6_addr))
569 local_all_loopback = 0;
570 sockaddr(&laddr->address, AF_INET6,
571 &xladdr->address.sin6.sin6_addr,
572 htons(xstcb->local_port));
576 "address family %d not supported",
577 xladdr->address.sa.sa_family);
580 if (prev_laddr == NULL)
583 prev_laddr->next = laddr;
/* Remote addresses (paths) of the association, each with its own state. */
587 foreign_all_loopback = 1;
588 while (offset < len) {
589 xraddr = (struct xsctp_raddr *)(void *)(buf +
591 offset += sizeof(struct xsctp_raddr);
592 if (xraddr->last == 1)
596 faddr = calloc(1, sizeof(struct addr));
599 switch (xraddr->address.sa.sa_family) {
601 #define __IN_IS_ADDR_LOOPBACK(pina) \
602 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
603 if (!__IN_IS_ADDR_LOOPBACK(
604 &xraddr->address.sin.sin_addr))
605 foreign_all_loopback = 0;
606 #undef __IN_IS_ADDR_LOOPBACK
607 sockaddr(&faddr->address, AF_INET,
608 &xraddr->address.sin.sin_addr,
609 htons(xstcb->remote_port));
612 if (!IN6_IS_ADDR_LOOPBACK(
613 &xraddr->address.sin6.sin6_addr))
614 foreign_all_loopback = 0;
615 sockaddr(&faddr->address, AF_INET6,
616 &xraddr->address.sin6.sin6_addr,
617 htons(xstcb->remote_port));
621 "address family %d not supported",
622 xraddr->address.sa.sa_family);
624 faddr->encaps_port = xraddr->encaps_port;
625 faddr->state = xraddr->state;
627 if (prev_faddr == NULL)
630 prev_faddr->next = faddr;
/*
 * The middle line of this condition (presumably the opt_L test) is not
 * shown.  Note that RB_INSERT() does not insert when an equal key already
 * exists, and every association of an endpoint reuses xinpcb->socket as its
 * key, so later associations of the same endpoint would be dropped (and
 * leaked) -- TODO confirm this matches the intended one-to-many display.
 */
634 if ((sock->vflag & vflag) &&
636 !(local_all_loopback ||
637 foreign_all_loopback))) {
638 RB_INSERT(socks_t, &socks, sock);
/* Advance to the next endpoint record. */
644 xinpcb = (struct xsctp_inpcb *)(void *)(buf + offset);
645 offset += sizeof(struct xsctp_inpcb);
/*
 * Collect TCP, UDP or divert pcbs for `proto` from the matching pcblist
 * sysctl into the socks tree; pcbs without a kernel socket pointer go to the
 * nosocks list.  The buffer is re-fetched while the generation counters in
 * the leading and trailing xinpgen disagree (up to `retry` times); a
 * persisting mismatch is only reported with -v.  Declarations of buf,
 * bufsize, len, retry, xip, so and vflag, plus the loop scaffolding, are in
 * lines not shown.
 */
651 gather_inet(int proto)
653 struct xinpgen *xig, *exig;
655 struct xtcpcb *xtp = NULL;
658 struct addr *laddr, *faddr;
659 const char *varname, *protoname;
672 varname = "net.inet.tcp.pcblist";
676 varname = "net.inet.udp.pcblist";
680 varname = "net.inet.divert.pcblist";
684 errx(1, "protocol %d not supported", proto);
/*
 * realloc() overwrites buf directly, which would leak on failure; that is
 * tolerable only because the failure branch (not shown) presumably exits.
 */
692 if ((buf = realloc(buf, bufsize)) == NULL)
695 if (cap_sysctlbyname(capsysctl, varname, buf, &len,
/* ENOMEM with a full buffer means "grow and retry"; anything else is fatal. */
700 if (errno != ENOMEM || len != bufsize)
701 err(1, "cap_sysctlbyname()");
/*
 * exig is the trailing xinpgen, located from len; a len smaller than
 * sizeof *exig would point before buf, which only the kernel's contract
 * prevents.  Both headers must have the size this binary expects.
 */
704 xig = (struct xinpgen *)buf;
705 exig = (struct xinpgen *)(void *)
706 ((char *)buf + len - sizeof *exig);
707 enforce_ksize(xig->xig_len, struct xinpgen);
708 enforce_ksize(exig->xig_len, struct xinpgen);
709 } while (xig->xig_gen != exig->xig_gen && retry--);
711 if (xig->xig_gen != exig->xig_gen && opt_v)
712 warnx("warning: data may be inconsistent");
/* Skip the leading xinpgen; each record carries its own length. */
715 xig = (struct xinpgen *)(void *)((char *)xig + xig->xig_len);
/* TCP records are xtcpcb (with the inpcb embedded); name TOE sockets apart. */
720 xtp = (struct xtcpcb *)xig;
722 if (!check_ksize(xtp->xt_len, struct xtcpcb))
724 protoname = xtp->t_flags & TF_TOE ? "toe" : "tcp";
728 xip = (struct xinpcb *)xig;
729 if (!check_ksize(xip->xi_len, struct xinpcb))
733 errx(1, "protocol %d not supported", proto);
735 so = &xip->xi_socket;
/* Family filter (-4/-6), then the listening/connected filter (-l/-c). */
736 if ((xip->inp_vflag & vflag) == 0)
738 if (xip->inp_vflag & INP_IPV4) {
739 if ((xip->inp_fport == 0 && !opt_l) ||
740 (xip->inp_fport != 0 && !opt_c))
/* Loopback filter for -L; the opt_L test itself is on a line not shown. */
742 #define __IN_IS_ADDR_LOOPBACK(pina) \
743 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
745 (__IN_IS_ADDR_LOOPBACK(&xip->inp_faddr) ||
746 __IN_IS_ADDR_LOOPBACK(&xip->inp_laddr)))
748 #undef __IN_IS_ADDR_LOOPBACK
749 } else if (xip->inp_vflag & INP_IPV6) {
750 if ((xip->inp_fport == 0 && !opt_l) ||
751 (xip->inp_fport != 0 && !opt_c))
754 (IN6_IS_ADDR_LOOPBACK(&xip->in6p_faddr) ||
755 IN6_IS_ADDR_LOOPBACK(&xip->in6p_laddr)))
759 warnx("invalid vflag 0x%x", xip->inp_vflag);
762 if ((sock = calloc(1, sizeof(*sock))) == NULL)
764 if ((laddr = calloc(1, sizeof *laddr)) == NULL)
766 if ((faddr = calloc(1, sizeof *faddr)) == NULL)
768 sock->socket = so->xso_so;
770 sock->inp_gencnt = xip->inp_gencnt;
/* Ports are passed through as stored in the pcb; sockaddr() does not swap them. */
771 if (xip->inp_vflag & INP_IPV4) {
772 sock->family = AF_INET;
773 sockaddr(&laddr->address, sock->family,
774 &xip->inp_laddr, xip->inp_lport);
775 sockaddr(&faddr->address, sock->family,
776 &xip->inp_faddr, xip->inp_fport);
777 } else if (xip->inp_vflag & INP_IPV6) {
778 sock->family = AF_INET6;
779 sockaddr(&laddr->address, sock->family,
780 &xip->in6p_laddr, xip->inp_lport);
781 sockaddr(&faddr->address, sock->family,
782 &xip->in6p_faddr, xip->inp_fport);
/* xtp is only valid for TCP; guarded by proto here and below. */
784 if (proto == IPPROTO_TCP)
785 faddr->encaps_port = xtp->xt_encaps_port;
790 sock->vflag = xip->inp_vflag;
/*
 * xt_stack and xt_cc are copied at full width and are not guaranteed to be
 * NUL-terminated; readers must bound them (displaysock() uses "%.*s").
 */
791 if (proto == IPPROTO_TCP) {
792 sock->state = xtp->t_state;
793 memcpy(sock->stack, xtp->xt_stack,
794 TCP_FUNCTION_NAME_LEN_MAX);
795 memcpy(sock->cc, xtp->xt_cc, TCP_CA_NAME_MAX);
797 sock->protoname = protoname;
/* pcbs with no socket cannot be matched to a file; keep them separately. */
798 if (sock->socket != 0)
799 RB_INSERT(socks_t, &socks, sock);
801 SLIST_INSERT_HEAD(&nosocks, sock, socket_list);
/*
 * Collect unix(4) pcbs of one socket type (SOCK_STREAM, SOCK_DGRAM or
 * SOCK_SEQPACKET) from the matching net.local.*.pcblist sysctl.  Each sock
 * is inserted into both the socks tree (keyed by socket) and the pcbs tree
 * (keyed by pcb), the latter so displaysock() can follow peer links.  The
 * fetch/retry loop mirrors gather_inet(), except that a header size
 * mismatch is non-fatal here (check_ksize() rather than enforce_ksize()).
 * Declarations of buf, bufsize, len, retry and xup, and the dgram protoname,
 * are in lines not shown.
 */
808 gather_unix(int proto)
810 struct xunpgen *xug, *exug;
813 struct addr *laddr, *faddr;
814 const char *varname, *protoname;
821 varname = "net.local.stream.pcblist";
822 protoname = "stream";
825 varname = "net.local.dgram.pcblist";
829 varname = "net.local.seqpacket.pcblist";
830 protoname = "seqpac";
/* Same realloc-overwrite pattern as gather_inet(); relies on the error path exiting. */
840 if ((buf = realloc(buf, bufsize)) == NULL)
843 if (cap_sysctlbyname(capsysctl, varname, buf, &len,
846 if (errno != ENOMEM || len != bufsize)
847 err(1, "cap_sysctlbyname()");
850 xug = (struct xunpgen *)buf;
851 exug = (struct xunpgen *)(void *)
852 ((char *)buf + len - sizeof(*exug));
853 if (!check_ksize(xug->xug_len, struct xunpgen) ||
854 !check_ksize(exug->xug_len, struct xunpgen))
856 } while (xug->xug_gen != exug->xug_gen && retry--);
858 if (xug->xug_gen != exug->xug_gen && opt_v)
859 warnx("warning: data may be inconsistent");
/* Skip the leading xunpgen; each record carries its own length. */
862 xug = (struct xunpgen *)(void *)((char *)xug + xug->xug_len);
865 xup = (struct xunpcb *)xug;
866 if (!check_ksize(xup->xu_len, struct xunpcb))
/* A unix socket with no peer counts as "listening" for the -l/-c filters. */
868 if ((xup->unp_conn == 0 && !opt_l) ||
869 (xup->unp_conn != 0 && !opt_c))
871 if ((sock = calloc(1, sizeof(*sock))) == NULL)
873 if ((laddr = calloc(1, sizeof *laddr)) == NULL)
875 if ((faddr = calloc(1, sizeof *faddr)) == NULL)
877 sock->socket = xup->xu_socket.xso_so;
878 sock->pcb = xup->xu_unpp;
880 sock->family = AF_UNIX;
881 sock->protoname = protoname;
/*
 * laddr->address is filled by reinterpreting xu_addr (a struct
 * sockaddr_un) as a struct sockaddr_storage, which copies
 * sizeof(struct sockaddr_storage) bytes -- more than a sockaddr_un holds.
 * The read presumably stays inside struct xunpcb because further members
 * follow xu_addr, but copying xu_addr.sun_len bytes with memcpy() into the
 * zeroed storage would be tighter and avoids the aliasing cast.
 */
882 if (xup->xu_addr.sun_family == AF_UNIX)
884 *(struct sockaddr_storage *)(void *)&xup->xu_addr;
/* Peer links are kernel pcb addresses, resolved later through the pcbs tree. */
885 faddr->conn = xup->unp_conn;
886 faddr->firstref = xup->xu_firstref;
887 faddr->nextref = xup->xu_nextref;
892 RB_INSERT(socks_t, &socks, sock);
893 RB_INSERT(pcbs_t, &pcbs, sock);
/*
 * Fetch the kern.file table and copy the fields this program needs into
 * files[], linking every element into ftree.  The function header and the
 * declarations of olen, len and nfiles are not shown.  Because ftree holds
 * the addresses of files[] elements, the array must not be reallocated or
 * freed afterwards.  Only the first record's size is verified; the rest are
 * assumed to match, as the kernel writes them all with the same layout.
 * Whether xfiles is freed afterwards is not visible here.
 */
902 struct xfile *xfiles;
/* Start with room for one record and grow on ENOMEM until the table fits. */
905 olen = len = sizeof(*xfiles);
906 if ((xfiles = malloc(len)) == NULL)
908 while (cap_sysctlbyname(capsysctl, "kern.file", xfiles, &len, 0, 0)
910 if (errno != ENOMEM || len != olen)
911 err(1, "cap_sysctlbyname()");
/* realloc-overwrite pattern; acceptable only if the failure branch (not shown) exits. */
913 if ((xfiles = realloc(xfiles, len)) == NULL)
917 enforce_ksize(xfiles->xf_size, struct xfile);
918 nfiles = len / sizeof(*xfiles);
920 if ((files = malloc(nfiles * sizeof(struct file))) == NULL)
923 for (int i = 0; i < nfiles; i++) {
924 files[i].xf_data = xfiles[i].xf_data;
925 files[i].xf_pid = xfiles[i].xf_pid;
926 files[i].xf_uid = xfiles[i].xf_uid;
927 files[i].xf_fd = xfiles[i].xf_fd;
928 RB_INSERT(files_t, &ftree, &files[i]);
/*
 * Print one address in "host:port" form and return the number of characters
 * written.  Unspecified addresses (INADDR_ANY / ::) appear to be printed as
 * "*" -- the assignment into addrstr is on lines not shown; the
 * `addrstr[0] == '\0'` test below skips name resolution when it was set.
 * Resolution uses NI_NUMERICHOST through the Casper net service, which
 * main() limits to CAPNET_ADDR2NAME, so no DNS traffic is generated.
 */
935 printaddr(struct sockaddr_storage *ss)
937 struct sockaddr_un *sun;
938 char addrstr[NI_MAXHOST] = { '\0', '\0' };
939 int error, off, port = 0;
941 switch (ss->ss_family) {
943 if (sstosin(ss)->sin_addr.s_addr == INADDR_ANY)
945 port = ntohs(sstosin(ss)->sin_port);
948 if (IN6_IS_ADDR_UNSPECIFIED(&sstosin6(ss)->sin6_addr))
950 port = ntohs(sstosin6(ss)->sin6_port);
/*
 * unix(4): print sun_path bounded by the address length (off is
 * offsetof(struct sockaddr_un, sun_path)).  If sun_len were smaller than
 * off the precision would be negative, which printf(3) treats as omitted,
 * and output would run to the first NUL instead.
 * NOTE(review): sun_path is chosen by whoever bound the socket and is
 * written to the terminal unfiltered; escaping non-printable bytes (e.g.
 * with strvis(3)) before output would protect an administrator's terminal.
 */
954 off = (int)((char *)&sun->sun_path - (char *)sun);
955 return (xprintf("%.*s", sun->sun_len - off, sun->sun_path));
957 if (addrstr[0] == '\0') {
958 error = cap_getnameinfo(capnet, sstosa(ss), ss->ss_len,
959 addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST);
961 errx(1, "cap_getnameinfo()");
/* Port 0 is shown as "*" (wildcard). */
964 return xprintf("%s:*", addrstr);
966 return xprintf("%s:%d", addrstr, port);
/*
 * Look up the command name (ki_comm) of `pid` via the KERN_PROC_PID sysctl
 * through the Casper sysctl service.  The result points into a static
 * kinfo_proc and is overwritten by the next call (also by getprocjid(),
 * which has its own static copy, so the two do not interfere).  The mib
 * setup, the ESRCH handling and the failure return value are on lines not
 * shown; the caller prints the result with "%.10s", so the failure path
 * must return a valid string rather than NULL.
 */
970 getprocname(pid_t pid)
972 static struct kinfo_proc proc;
978 mib[2] = KERN_PROC_PID;
981 if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0)
983 /* Do not warn if the process exits before we get its name. */
985 warn("cap_sysctl()");
988 return (proc.ki_comm);
/*
 * Look up the jail id (ki_jid) of `pid` via the KERN_PROC_PID sysctl
 * through the Casper sysctl service; used by the display loop to honour
 * -j.  Mirrors getprocname(), including the static kinfo_proc buffer and
 * the silent treatment of processes that exit mid-query.  The mib setup and
 * the failure return are on lines not shown.
 */
992 getprocjid(pid_t pid)
994 static struct kinfo_proc proc;
1000 mib[2] = KERN_PROC_PID;
1003 if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0)
1005 /* Do not warn if the process exits before we get its jid. */
1007 warn("cap_sysctl()");
1010 return (proc.ki_jid);
/*
 * Decide whether a sock passes the -p port filter.  Non-IP sockets are not
 * subject to it, and the early return for "no -p given" plus the
 * CHK_PORT() lookups against each local and foreign port are on lines not
 * shown.  Ports are converted from network byte order with ntohs() before
 * the lookup, matching how parse_ports() stored them.
 */
1014 check_ports(struct sock *s)
1021 if ((s->family != AF_INET) && (s->family != AF_INET6))
1023 for (addr = s->laddr; addr != NULL; addr = addr->next) {
1024 if (s->family == AF_INET)
1025 port = ntohs(sstosin(&addr->address)->sin_port);
1027 port = ntohs(sstosin6(&addr->address)->sin6_port);
1031 for (addr = s->faddr; addr != NULL; addr = addr->next) {
1032 if (s->family == AF_INET)
1033 port = ntohs(sstosin(&addr->address)->sin_port);
1035 port = ntohs(sstosin6(&addr->address)->sin6_port);
/*
 * Map an SCTP association state to its printable name.  The switch
 * header, the CLOSED/BOUND/LISTEN cases and the default (for values the
 * kernel may add later) are on lines not shown; the default must return a
 * valid string because displaysock() prints the result with "%s".
 */
1043 sctp_conn_state(int state)
1055 case SCTP_COOKIE_WAIT:
1056 return "COOKIE_WAIT";
1058 case SCTP_COOKIE_ECHOED:
1059 return "COOKIE_ECHOED";
1061 case SCTP_ESTABLISHED:
1062 return "ESTABLISHED";
1064 case SCTP_SHUTDOWN_SENT:
1065 return "SHUTDOWN_SENT";
1067 case SCTP_SHUTDOWN_RECEIVED:
1068 return "SHUTDOWN_RECEIVED";
1070 case SCTP_SHUTDOWN_ACK_SENT:
1071 return "SHUTDOWN_ACK_SENT";
1073 case SCTP_SHUTDOWN_PENDING:
1074 return "SHUTDOWN_PENDING";
/*
 * Map an SCTP remote-address (path) state to its printable name.  Only the
 * UNCONFIRMED case survives in this listing; the remaining cases and the
 * default are on lines not shown.
 */
1083 sctp_path_state(int state)
1086 case SCTP_UNCONFIRMED:
1087 return "UNCONFIRMED";
/*
 * Print the protocol, address and optional state columns of one sock,
 * starting at output column `pos`.  Columns are aligned by padding with
 * spaces up to a running `offset` (declared on a line not shown); the
 * widths 22/46 (addresses) and 44/92 (unix peer text), chosen by -w, and
 * the 58 threshold are bare constants that would read better as named
 * enums.  For sockets with several local/foreign addresses (SCTP) the loop
 * emits one line per address pair.
 */
1102 displaysock(struct sock *s, int pos)
1105 struct addr *laddr, *faddr;
1108 pos += xprintf(" ");
1109 pos += xprintf("%s", s->protoname);
1110 if (s->vflag & INP_IPV4)
1111 pos += xprintf("4");
1112 if (s->vflag & INP_IPV6)
1113 pos += xprintf("6");
1114 if (s->vflag & (INP_IPV4 | INP_IPV6))
1115 pos += xprintf(" ");
1119 while (laddr != NULL || faddr != NULL) {
1121 while (pos < offset)
1122 pos += xprintf(" ");
1123 switch (s->family) {
/* AF_INET/AF_INET6: local and foreign address, each in its own column. */
1126 if (laddr != NULL) {
1127 pos += printaddr(&laddr->address);
1128 if (s->family == AF_INET6 && pos >= 58)
1129 pos += xprintf(" ");
1131 offset += opt_w ? 46 : 22;
1132 while (pos < offset)
1133 pos += xprintf(" ");
1135 pos += printaddr(&faddr->address);
1136 offset += opt_w ? 46 : 22;
/* AF_UNIX: both address nodes are always allocated by gather_unix(). */
1139 if ((laddr == NULL) || (faddr == NULL))
1140 errx(1, "laddr = %p or faddr = %p is NULL",
1141 (void *)laddr, (void *)faddr);
1142 if (laddr->address.ss_len == 0 && faddr->conn == 0) {
1143 pos += xprintf("(not connected)");
1144 offset += opt_w ? 92 : 44;
1147 /* Local bind(2) address, if any. */
1148 if (laddr->address.ss_len > 0)
1149 pos += printaddr(&laddr->address);
1150 /* Remote peer we connect(2) to, if any. */
1151 if (faddr->conn != 0) {
1154 pos += xprintf("%s-> ",
1155 laddr->address.ss_len > 0 ? " " : "");
/* Resolve the peer pcb pointer through the pcbs tree filled by gather_unix(). */
1156 p = RB_FIND(pcbs_t, &pcbs,
1157 &(struct sock){ .pcb = faddr->conn });
1158 if (__predict_false(p == NULL)) {
1159 /* XXGL: can this happen at all? */
1160 pos += xprintf("??");
1161 } else if (p->laddr->address.ss_len == 0) {
/*
 * No NULL check is visible between this lookup and the dereference two
 * lines down (the "<-" loop below has the same shape).  The files tree
 * comes from a separate kern.file snapshot, so a pcb whose owning file is
 * absent from that snapshot would dereference NULL -- confirm against the
 * lines not shown, and consider printing "??" as the p == NULL branch does.
 */
1164 f = RB_FIND(files_t, &ftree,
1165 &(struct file){ .xf_data =
1167 pos += xprintf("[%lu %d]",
1168 (u_long)f->xf_pid, f->xf_fd);
1170 pos += printaddr(&p->laddr->address);
1172 /* Remote peer(s) connect(2)ed to us, if any. */
1173 if (faddr->firstref != 0) {
1176 kvaddr_t ref = faddr->firstref;
1179 pos += xprintf(" <- ");
/* Walk the kernel's ref list; stops at the first pcb not in the tree. */
1181 while ((p = RB_FIND(pcbs_t, &pcbs,
1182 &(struct sock){ .pcb = ref })) != 0) {
1183 f = RB_FIND(files_t, &ftree,
1184 &(struct file){ .xf_data =
1186 pos += xprintf("%s[%lu %d]",
1188 (u_long)f->xf_pid, f->xf_fd);
1189 ref = p->faddr->nextref;
1193 offset += opt_w ? 92 : 44;
/* -i: pcb generation count (TCP/UDP only). */
1199 if (s->proto == IPPROTO_TCP ||
1200 s->proto == IPPROTO_UDP) {
1201 while (pos < offset)
1202 pos += xprintf(" ");
1203 pos += xprintf("%" PRIu64, s->inp_gencnt);
/* -U: remote UDP encapsulation port, only meaningful for a live association. */
1208 if (faddr != NULL &&
1209 ((s->proto == IPPROTO_SCTP &&
1210 s->state != SCTP_CLOSED &&
1211 s->state != SCTP_BOUND &&
1212 s->state != SCTP_LISTEN) ||
1213 (s->proto == IPPROTO_TCP &&
1214 s->state != TCPS_CLOSED &&
1215 s->state != TCPS_LISTEN))) {
1216 while (pos < offset)
1217 pos += xprintf(" ");
1218 pos += xprintf("%u",
1219 ntohs(faddr->encaps_port));
/* SCTP path state of this foreign address. */
1224 if (faddr != NULL &&
1225 s->proto == IPPROTO_SCTP &&
1226 s->state != SCTP_CLOSED &&
1227 s->state != SCTP_BOUND &&
1228 s->state != SCTP_LISTEN) {
1229 while (pos < offset)
1230 pos += xprintf(" ");
1231 pos += xprintf("%s",
1232 sctp_path_state(faddr->state));
/* -s: connection state.  The kernel-supplied TCP state is range-checked before indexing tcpstates[]. */
1238 if (s->proto == IPPROTO_SCTP ||
1239 s->proto == IPPROTO_TCP) {
1240 while (pos < offset)
1241 pos += xprintf(" ");
1244 pos += xprintf("%s",
1245 sctp_conn_state(s->state));
1248 if (s->state >= 0 &&
1249 s->state < TCP_NSTATES)
1250 pos += xprintf("%s",
1251 tcpstates[s->state]);
1253 pos += xprintf("?");
/* -S / -C: stack and cc are not NUL-terminated, hence the explicit precision. */
1260 if (s->proto == IPPROTO_TCP) {
1261 while (pos < offset)
1262 pos += xprintf(" ");
1263 pos += xprintf("%.*s",
1264 TCP_FUNCTION_NAME_LEN_MAX,
1267 offset += TCP_FUNCTION_NAME_LEN_MAX + 1;
1270 if (s->proto == IPPROTO_TCP) {
1271 while (pos < offset)
1272 pos += xprintf(" ");
1273 xprintf("%.*s", TCP_CA_NAME_MAX, s->cc);
1275 offset += TCP_CA_NAME_MAX + 1;
/* Next address pair; a continuation line is started when either list goes on. */
1279 laddr = laddr->next;
1281 faddr = faddr->next;
1282 if ((laddr != NULL) || (faddr != NULL)) {
/*
 * Print the table: an optional header (the -q test is on a line not shown),
 * then one line per file descriptor that maps to a gathered sock, then the
 * socks that no descriptor refers to.  The function header and the
 * declarations of xf, n, s, pwd and pos are not shown.
 */
1300 printf("%-8s %-10s %-5s %-3s %-6s %-*s %-*s",
1301 "USER", "COMMAND", "PID", "FD", "PROTO",
1302 opt_w ? 45 : 21, "LOCAL ADDRESS",
1303 opt_w ? 45 : 21, "FOREIGN ADDRESS");
1305 printf(" %-8s", "ID");
1307 printf(" %-6s", "ENCAPS");
1309 printf(" %-12s", "PATH STATE");
1310 printf(" %-12s", "CONN STATE");
1313 printf(" %-*.*s", TCP_FUNCTION_NAME_LEN_MAX,
1314 TCP_FUNCTION_NAME_LEN_MAX, "STACK");
1316 printf(" %-.*s", TCP_CA_NAME_MAX, "CC");
/* Keep the passwd database open across the many cap_getpwuid() calls. */
1319 cap_setpassent(cappwd, 1);
1320 for (xf = files, n = 0; n < nfiles; ++n, ++xf) {
1321 if (xf->xf_data == 0)
/* -j: one KERN_PROC_PID sysctl per descriptor; skip other jails. */
1323 if (opt_j >= 0 && opt_j != getprocjid(xf->xf_pid))
1325 s = RB_FIND(socks_t, &socks,
1326 &(struct sock){ .socket = xf->xf_data});
1327 if (s != NULL && check_ports(s)) {
/* Fall back to the numeric uid when -n is given or the lookup fails. */
1331 (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL)
1332 pos += xprintf("%lu ", (u_long)xf->xf_uid);
1334 pos += xprintf("%s ", pwd->pw_name);
1336 pos += xprintf(" ");
/*
 * The command name is truncated to 10 characters, so getprocname() must
 * never return NULL.  NOTE(review): ki_comm is chosen by the process owner
 * and is printed unfiltered; escaping non-printable bytes (strvis(3)) would
 * protect the terminal of whoever runs this tool.
 */
1337 pos += xprintf("%.10s", getprocname(xf->xf_pid));
1339 pos += xprintf(" ");
1340 pos += xprintf("%5lu ", (u_long)xf->xf_pid);
1342 pos += xprintf(" ");
1343 pos += xprintf("%-3d ", xf->xf_fd);
1344 displaysock(s, pos);
/* pcbs with no socket pointer: no owner can be shown. */
1349 SLIST_FOREACH(s, &nosocks, socket_list) {
1350 if (!check_ports(s))
1352 pos = xprintf("%-8s %-10s %-5s %-2s ",
1353 "?", "?", "?", "?");
1354 displaysock(s, pos);
/* Socks never matched to a descriptor above (the skip test is on lines not shown). */
1356 RB_FOREACH(s, socks_t, &socks) {
1359 if (!check_ports(s))
1361 pos = xprintf("%-8s %-10s %-5s %-2s ",
1362 "?", "?", "?", "?");
1363 displaysock(s, pos);
/*
 * Fill protos[] from default_protos[] when no -P was given, resolving each
 * name through the Casper netdb service (this runs after main() has opened
 * it, so no libc fallback is needed here).  An unknown default name is
 * fatal.  The return value (presumably the number of entries) is on a line
 * not shown; main() stores it in protos_defined.
 */
1368 set_default_protos(void)
1370 struct protoent *prot;
1374 init_protos(default_numprotos);
1376 for (pindex = 0; pindex < default_numprotos; pindex++) {
1377 pname = default_protos[pindex];
1378 prot = cap_getprotobyname(capnetdb, pname);
1380 err(1, "cap_getprotobyname: %s", pname);
1381 protos[pindex] = prot->p_proto;
1388 * Return the vnet property of the jail, or -1 on error.
/*
 * Queries the jail with jail_get(2) for its "vnet" parameter.  This uses
 * plain sysctlbyname(3)/jail_get(2) rather than Casper because main() calls
 * it before entering capability mode.  The error text is left in the global
 * jail_errmsg for the caller to report; the vnet declaration, the
 * early return when the kernel lacks VIMAGE, and the success return are on
 * lines not shown.
 */
1391 jail_getvnet(int jid)
1393 struct iovec jiov[6];
1395 size_t len = sizeof(vnet);
/* Without VIMAGE support there is nothing to query. */
1397 if (sysctlbyname("kern.features.vimage", &vnet, &len, NULL, 0) != 0)
/* Parameter names include their NUL terminator, hence sizeof() rather than strlen(). */
1401 jiov[0].iov_base = __DECONST(char *, "jid");
1402 jiov[0].iov_len = sizeof("jid");
1403 jiov[1].iov_base = &jid;
1404 jiov[1].iov_len = sizeof(jid);
1405 jiov[2].iov_base = __DECONST(char *, "vnet");
1406 jiov[2].iov_len = sizeof("vnet");
1407 jiov[3].iov_base = &vnet;
1408 jiov[3].iov_len = sizeof(vnet);
1409 jiov[4].iov_base = __DECONST(char *, "errmsg");
1410 jiov[4].iov_len = sizeof("errmsg");
1411 jiov[5].iov_base = jail_errmsg;
1412 jiov[5].iov_len = JAIL_ERRMSGLEN;
/* Clear any stale message so an empty errmsg means the kernel gave none. */
1413 jail_errmsg[0] = '\0';
1414 if (jail_get(jiov, nitems(jiov), 0) < 0) {
1415 if (!jail_errmsg[0])
1416 snprintf(jail_errmsg, JAIL_ERRMSGLEN,
1417 "jail_get: %s", strerror(errno));
1427 "usage: sockstat [-46CciLlnqSsUuvw] [-j jid] [-p ports] [-P protocols]\n");
1432 main(int argc, char *argv[])
1434 cap_channel_t *capcas;
1435 cap_net_limit_t *limit;
1436 const char *pwdcmds[] = { "setpassent", "getpwuid" };
1437 const char *pwdfields[] = { "pw_name" };
1438 int protos_defined = -1;
1442 while ((o = getopt(argc, argv, "46Ccij:Llnp:P:qSsUuvw")) != -1)
1460 opt_j = jail_getid(optarg);
1462 errx(1, "jail_getid: %s", jail_errmsg);
1474 parse_ports(optarg);
1477 protos_defined = parse_protos(optarg);
1511 switch (jail_getvnet(opt_j)) {
1513 errx(2, "jail_getvnet: %s", jail_errmsg);
1515 if (jail_attach(opt_j) < 0)
1516 err(3, "jail_attach()");
1517 /* Set back to -1 for normal output in vnet jail. */
1525 capcas = cap_init();
1527 err(1, "Unable to contact Casper");
1528 if (caph_enter_casper() < 0)
1529 err(1, "Unable to enter capability mode");
1530 capnet = cap_service_open(capcas, "system.net");
1532 err(1, "Unable to open system.net service");
1533 capnetdb = cap_service_open(capcas, "system.netdb");
1534 if (capnetdb == NULL)
1535 err(1, "Unable to open system.netdb service");
1536 capsysctl = cap_service_open(capcas, "system.sysctl");
1537 if (capsysctl == NULL)
1538 err(1, "Unable to open system.sysctl service");
1539 cappwd = cap_service_open(capcas, "system.pwd");
1541 err(1, "Unable to open system.pwd service");
1543 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
1545 err(1, "Unable to init cap_net limits");
1546 if (cap_net_limit(limit) < 0)
1547 err(1, "Unable to apply limits");
1548 if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0)
1549 err(1, "Unable to apply pwd commands limits");
1550 if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0)
1551 err(1, "Unable to apply pwd commands limits");
1553 if ((!opt_4 && !opt_6) && protos_defined != -1)
1555 if (!opt_4 && !opt_6 && !opt_u)
1556 opt_4 = opt_6 = opt_u = 1;
1557 if ((opt_4 || opt_6) && protos_defined == -1)
1558 protos_defined = set_default_protos();
1559 if (!opt_c && !opt_l)
1562 if (opt_4 || opt_6) {
1563 for (i = 0; i < protos_defined; i++)
1564 if (protos[i] == IPPROTO_SCTP)
1567 gather_inet(protos[i]);
1570 if (opt_u || (protos_defined == -1 && !opt_4 && !opt_6)) {
1571 gather_unix(SOCK_STREAM);
1572 gather_unix(SOCK_DGRAM);
1573 gather_unix(SOCK_SEQPACKET);