4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
15 * print the filter structure in a useful way
30 type = fp->fr_type & ~FR_T_BUILTIN;
32 if ((fp->fr_type & FR_T_BUILTIN) != 0)
33 PRINTF("# Builtin: ");
35 if (fp->fr_collect != 0)
36 PRINTF("%u ", fp->fr_collect);
38 if (fp->fr_type == FR_T_CALLFUNC) {
40 } else if (fp->fr_func != NULL) {
42 if ((fp->fr_flags & FR_CALLNOW) != 0)
44 s = kvatoname(fp->fr_func, iocfunc);
45 PRINTF(" %s/%u", s ? s : "?", fp->fr_arg);
46 } else if (FR_ISPASS(fp->fr_flags))
48 else if (FR_ISBLOCK(fp->fr_flags)) {
50 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
52 } else if (FR_ISACCOUNT(fp->fr_flags))
54 else if (FR_ISAUTH(fp->fr_flags))
56 else if (FR_ISPREAUTH(fp->fr_flags))
58 else if (FR_ISNOMATCH(fp->fr_flags))
60 else if (FR_ISDECAPS(fp->fr_flags))
61 PRINTF("decapsulate");
62 else if (FR_ISSKIP(fp->fr_flags))
63 PRINTF("skip %u", fp->fr_arg);
65 PRINTF("%x", fp->fr_flags);
67 if (fp->fr_flags & FR_RETICMP) {
68 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
69 PRINTF(" return-icmp-as-dest");
70 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
71 PRINTF(" return-icmp");
73 if (fp->fr_icode <= MAX_ICMPCODE)
75 icmpcodes[(int)fp->fr_icode]);
77 PRINTF("(%d)", fp->fr_icode);
79 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
80 PRINTF(" return-rst");
82 if (fp->fr_flags & FR_OUTQUE)
84 else if (fp->fr_flags & FR_INQUE)
87 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
88 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
93 if (fp->fr_flags & FR_QUICK)
96 if (fp->fr_ifnames[0] != -1) {
97 printifname("on ", fp->fr_names + fp->fr_ifnames[0],
99 if (fp->fr_ifnames[1] != -1 &&
100 strcmp(fp->fr_names + fp->fr_ifnames[1], "*"))
101 printifname(",", fp->fr_names + fp->fr_ifnames[1],
106 if (fp->fr_tif.fd_name != -1)
107 print_toif(fp->fr_family, "to", fp->fr_names, &fp->fr_tif);
108 if (fp->fr_dif.fd_name != -1)
109 print_toif(fp->fr_family, "dup-to", fp->fr_names,
111 if (fp->fr_rif.fd_name != -1)
112 print_toif(fp->fr_family, "reply-to", fp->fr_names,
114 if (fp->fr_flags & FR_FASTROUTE)
115 PRINTF("fastroute ");
117 if ((fp->fr_ifnames[2] != -1 &&
118 strcmp(fp->fr_names + fp->fr_ifnames[2], "*")) ||
119 (fp->fr_ifnames[3] != -1 &&
120 strcmp(fp->fr_names + fp->fr_ifnames[3], "*"))) {
121 if (fp->fr_flags & FR_OUTQUE)
126 if (fp->fr_ifnames[2] != -1) {
127 printifname("", fp->fr_names + fp->fr_ifnames[2],
129 if (fp->fr_ifnames[3] != -1) {
131 fp->fr_names + fp->fr_ifnames[3],
138 if (fp->fr_family == AF_INET) {
142 } else if (fp->fr_family == AF_INET6) {
150 if (type == FR_T_IPF) {
151 if (fp->fr_mip.fi_tos)
152 PRINTF("tos %#x ", fp->fr_tos);
153 if (fp->fr_mip.fi_ttl)
154 PRINTF("ttl %d ", fp->fr_ttl);
155 if (fp->fr_flx & FI_TCPUDP) {
156 PRINTF("proto tcp/udp ");
158 } else if (fp->fr_mip.fi_p) {
160 p = getprotobynumber(pr);
162 printproto(p, pr, NULL);
174 PRINTF("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
175 printaddr(af, fp->fr_satype, fp->fr_names, fp->fr_ifnames[0],
176 &fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
178 printportcmp(pr, &fp->fr_tuc.ftu_src);
180 PRINTF(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
181 printaddr(af, fp->fr_datype, fp->fr_names, fp->fr_ifnames[0],
182 &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
184 printportcmp(pr, &fp->fr_tuc.ftu_dst);
186 if (((fp->fr_proto == IPPROTO_ICMP) ||
187 (fp->fr_proto == IPPROTO_ICMPV6)) && fp->fr_icmpm) {
188 int type = fp->fr_icmp, code;
191 type = ntohs(fp->fr_icmp);
194 name = icmptypename(fp->fr_family, type);
196 PRINTF(" icmp-type %d", type);
198 PRINTF(" icmp-type %s", name);
199 if (ntohs(fp->fr_icmpm) & 0xff)
200 PRINTF(" code %d", code);
202 if ((fp->fr_proto == IPPROTO_TCP) &&
203 (fp->fr_tcpf || fp->fr_tcpfm)) {
205 printtcpflags(fp->fr_tcpf, fp->fr_tcpfm);
214 PRINTF("bpf-v%d { \"", fp->fr_family);
215 i = fp->fr_dsize / sizeof(*fb);
217 for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
218 PRINTF("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
229 PRINTF("call function at %p", fp->fr_data);
234 printipfexpr(fp->fr_data);
239 PRINTF("[unknown filter type %#x]", fp->fr_type);
243 if ((type == FR_T_IPF) &&
244 ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
245 fp->fr_optbits || fp->fr_optmask ||
246 fp->fr_secbits || fp->fr_secmask)) {
250 if (fp->fr_optbits || fp->fr_optmask ||
251 fp->fr_secbits || fp->fr_secmask) {
252 sec[0] = fp->fr_secmask;
253 sec[1] = fp->fr_secbits;
254 if (fp->fr_family == AF_INET)
255 optprint(sec, fp->fr_optmask, fp->fr_optbits);
258 optprintv6(sec, fp->fr_optmask,
261 } else if (fp->fr_mflx & FI_OPTIONS) {
262 fputs(comma, stdout);
263 if (!(fp->fr_flx & FI_OPTIONS))
268 if (fp->fr_mflx & FI_SHORT) {
269 fputs(comma, stdout);
270 if (!(fp->fr_flx & FI_SHORT))
275 if (fp->fr_mflx & FI_FRAG) {
276 fputs(comma, stdout);
277 if (!(fp->fr_flx & FI_FRAG))
282 if (fp->fr_mflx & FI_FRAGBODY) {
283 fputs(comma, stdout);
284 if (!(fp->fr_flx & FI_FRAGBODY))
289 if (fp->fr_mflx & FI_NATED) {
290 fputs(comma, stdout);
291 if (!(fp->fr_flx & FI_NATED))
296 if (fp->fr_mflx & FI_LOWTTL) {
297 fputs(comma, stdout);
298 if (!(fp->fr_flx & FI_LOWTTL))
303 if (fp->fr_mflx & FI_BAD) {
304 fputs(comma, stdout);
305 if (!(fp->fr_flx & FI_BAD))
310 if (fp->fr_mflx & FI_BADSRC) {
311 fputs(comma, stdout);
312 if (!(fp->fr_flx & FI_BADSRC))
317 if (fp->fr_mflx & FI_BADNAT) {
318 fputs(comma, stdout);
319 if (!(fp->fr_flx & FI_BADNAT))
324 if (fp->fr_mflx & FI_OOW) {
325 fputs(comma, stdout);
326 if (!(fp->fr_flx & FI_OOW))
331 if (fp->fr_mflx & FI_MBCAST) {
332 fputs(comma, stdout);
333 if (!(fp->fr_flx & FI_MBCAST))
338 if (fp->fr_mflx & FI_BROADCAST) {
339 fputs(comma, stdout);
340 if (!(fp->fr_flx & FI_BROADCAST))
345 if (fp->fr_mflx & FI_MULTICAST) {
346 fputs(comma, stdout);
347 if (!(fp->fr_flx & FI_MULTICAST))
352 if (fp->fr_mflx & FI_STATE) {
353 fputs(comma, stdout);
354 if (!(fp->fr_flx & FI_STATE))
359 if (fp->fr_mflx & FI_V6EXTHDR) {
360 fputs(comma, stdout);
361 if (!(fp->fr_flx & FI_V6EXTHDR))
368 if (fp->fr_flags & FR_KEEPSTATE) {
369 host_track_t *src = &fp->fr_srctrack;
370 PRINTF(" keep state");
371 if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|
372 FR_NOICMPERR|FR_STATESYNC)) ||
373 (fp->fr_statemax != 0) || (fp->fr_age[0] != 0) ||
374 (src->ht_max_nodes != 0)) {
377 if (fp->fr_statemax != 0) {
378 PRINTF("limit %u", fp->fr_statemax);
381 if (src->ht_max_nodes != 0) {
382 PRINTF("%smax-nodes %d", comma,
384 if (src->ht_max_per_node)
385 PRINTF(", max-per-src %d/%d",
386 src->ht_max_per_node,
390 if (fp->fr_flags & FR_STSTRICT) {
391 PRINTF("%sstrict", comma);
394 if (fp->fr_flags & FR_STLOOSE) {
395 PRINTF("%sloose", comma);
398 if (fp->fr_flags & FR_NEWISN) {
399 PRINTF("%snewisn", comma);
402 if (fp->fr_flags & FR_NOICMPERR) {
403 PRINTF("%sno-icmp-err", comma);
406 if (fp->fr_flags & FR_STATESYNC) {
407 PRINTF("%ssync", comma);
410 if (fp->fr_age[0] || fp->fr_age[1])
411 PRINTF("%sage %d/%d", comma, fp->fr_age[0],
416 if (fp->fr_flags & FR_KEEPFRAG) {
417 PRINTF(" keep frags");
418 if (fp->fr_flags & (FR_FRSTRICT)) {
420 if (fp->fr_flags & FR_FRSTRICT)
426 if (fp->fr_isc != (struct ipscan *)-1) {
427 if (fp->fr_isctag != -1)
428 PRINTF(" scan %s", fp->fr_isctag + fp->fr_names);
432 if (fp->fr_grhead != -1)
433 PRINTF(" head %s", fp->fr_names + fp->fr_grhead);
434 if (fp->fr_group != -1)
435 PRINTF(" group %s", fp->fr_names + fp->fr_group);
436 if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
440 if (fp->fr_logtag != FR_NOLOGTAG) {
441 PRINTF("log=%u", fp->fr_logtag);
444 if (*fp->fr_nattag.ipt_tag) {
445 PRINTF("%snat=%-.*s", s, IPFTAG_LEN,
446 fp->fr_nattag.ipt_tag);
452 PRINTF(" pps %d", fp->fr_pps);
454 if (fp->fr_comment != -1)
455 PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment);
458 if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
459 PRINTF(" # count %d", fp->fr_statecnt);
461 PRINTF(" rule-ttl %u", fp->fr_die);
463 } else if (fp->fr_die != 0) {
464 PRINTF(" # rule-ttl %u", fp->fr_die);
467 if (opts & OPT_DEBUG) {
470 PRINTF(" ref %d", fp->fr_ref);
projects / FreeBSD / releng / 10.2.git / blob