| /* |
| * Copyright (C) 2011 by Darren Reed. |
| * |
| * See the IPFILTER.LICENCE file for details on licencing. |
| * |
| * $Id$ |
| */ |
| |
| #include "ipf.h" |
| |
| |
| /* |
| * print the filter structure in a useful way |
| */ |
| void |
| printfr(fp, iocfunc) |
| struct frentry *fp; |
| ioctlfunc_t iocfunc; |
| { |
| struct protoent *p; |
| u_short sec[2]; |
| u_32_t type; |
| int pr, af; |
| char *s; |
| int hash; |
| |
| pr = -2; |
| type = fp->fr_type & ~FR_T_BUILTIN; |
| |
| if ((fp->fr_type & FR_T_BUILTIN) != 0) |
| PRINTF("# Builtin: "); |
| |
| if (fp->fr_collect != 0) |
| PRINTF("%u ", fp->fr_collect); |
| |
| if (fp->fr_type == FR_T_CALLFUNC) { |
| ; |
| } else if (fp->fr_func != NULL) { |
| PRINTF("call"); |
| if ((fp->fr_flags & FR_CALLNOW) != 0) |
| PRINTF(" now"); |
| s = kvatoname(fp->fr_func, iocfunc); |
| PRINTF(" %s/%u", s ? s : "?", fp->fr_arg); |
| } else if (FR_ISPASS(fp->fr_flags)) |
| PRINTF("pass"); |
| else if (FR_ISBLOCK(fp->fr_flags)) { |
| PRINTF("block"); |
| } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) { |
| printlog(fp); |
| } else if (FR_ISACCOUNT(fp->fr_flags)) |
| PRINTF("count"); |
| else if (FR_ISAUTH(fp->fr_flags)) |
| PRINTF("auth"); |
| else if (FR_ISPREAUTH(fp->fr_flags)) |
| PRINTF("preauth"); |
| else if (FR_ISNOMATCH(fp->fr_flags)) |
| PRINTF("nomatch"); |
| else if (FR_ISSKIP(fp->fr_flags)) |
| PRINTF("skip %u", fp->fr_arg); |
| else { |
| PRINTF("%x", fp->fr_flags); |
| } |
| if (fp->fr_flags & FR_RETICMP) { |
| if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP) |
| PRINTF(" return-icmp-as-dest"); |
| else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP) |
| PRINTF(" return-icmp"); |
| if (fp->fr_icode) { |
| if (fp->fr_icode <= MAX_ICMPCODE) |
| PRINTF("(%s)", |
| icmpcodes[(int)fp->fr_icode]); |
| else |
| PRINTF("(%d)", fp->fr_icode); |
| } |
| } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) |
| PRINTF(" return-rst"); |
| |
| if (fp->fr_flags & FR_OUTQUE) |
| PRINTF(" out "); |
| else if (fp->fr_flags & FR_INQUE) |
| PRINTF(" in "); |
| |
| if (((fp->fr_flags & FR_LOGB) == FR_LOGB) || |
| ((fp->fr_flags & FR_LOGP) == FR_LOGP)) { |
| printlog(fp); |
| putchar(' '); |
| } |
| |
| if (fp->fr_flags & FR_QUICK) |
| PRINTF("quick "); |
| |
| if (fp->fr_ifnames[0] != -1) { |
| printifname("on ", fp->fr_names + fp->fr_ifnames[0], |
| fp->fr_ifa); |
| if (fp->fr_ifnames[1] != -1 && |
| strcmp(fp->fr_names + fp->fr_ifnames[1], "*")) |
| printifname(",", fp->fr_names + fp->fr_ifnames[1], |
| fp->fr_ifas[1]); |
| putchar(' '); |
| } |
| |
| if (fp->fr_dif.fd_name != -1) |
| print_toif("dup-to", fp->fr_names, &fp->fr_dif); |
| if (fp->fr_tif.fd_name != -1) |
| print_toif("to", fp->fr_names, &fp->fr_tif); |
| if (fp->fr_rif.fd_name != -1) |
| print_toif("reply-to", fp->fr_names, &fp->fr_rif); |
| if (fp->fr_flags & FR_FASTROUTE) |
| PRINTF("fastroute "); |
| |
| if ((fp->fr_ifnames[2] != -1 && |
| strcmp(fp->fr_names + fp->fr_ifnames[2], "*")) || |
| (fp->fr_ifnames[3] != -1 && |
| strcmp(fp->fr_names + fp->fr_ifnames[3], "*"))) { |
| if (fp->fr_flags & FR_OUTQUE) |
| PRINTF("in-via "); |
| else |
| PRINTF("out-via "); |
| |
| if (fp->fr_ifnames[2] != -1) { |
| printifname("", fp->fr_names + fp->fr_ifnames[2], |
| fp->fr_ifas[2]); |
| if (fp->fr_ifnames[3] != -1) { |
| printifname(",", |
| fp->fr_names + fp->fr_ifnames[3], |
| fp->fr_ifas[3]); |
| } |
| putchar(' '); |
| } |
| } |
| |
| if (fp->fr_family == AF_INET) { |
| PRINTF("inet "); |
| af = AF_INET; |
| #ifdef USE_INET6 |
| } else if (fp->fr_family == AF_INET6) { |
| PRINTF("inet6 "); |
| af = AF_INET6; |
| #endif |
| } else { |
| af = -1; |
| } |
| |
| if (type == FR_T_IPF) { |
| if (fp->fr_mip.fi_tos) |
| PRINTF("tos %#x ", fp->fr_tos); |
| if (fp->fr_mip.fi_ttl) |
| PRINTF("ttl %d ", fp->fr_ttl); |
| if (fp->fr_flx & FI_TCPUDP) { |
| PRINTF("proto tcp/udp "); |
| pr = -1; |
| } else if (fp->fr_mip.fi_p) { |
| pr = fp->fr_ip.fi_p; |
| p = getprotobynumber(pr); |
| PRINTF("proto "); |
| printproto(p, pr, NULL); |
| putchar(' '); |
| } |
| } |
| |
| switch (type) |
| { |
| case FR_T_NONE : |
| PRINTF("all"); |
| break; |
| |
| case FR_T_IPF : |
| PRINTF("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); |
| printaddr(af, fp->fr_satype, fp->fr_names, fp->fr_ifnames[0], |
| &fp->fr_src.s_addr, &fp->fr_smsk.s_addr); |
| if (fp->fr_scmp) |
| printportcmp(pr, &fp->fr_tuc.ftu_src); |
| |
| PRINTF(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); |
| printaddr(af, fp->fr_datype, fp->fr_names, fp->fr_ifnames[0], |
| &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr); |
| if (fp->fr_dcmp) |
| printportcmp(pr, &fp->fr_tuc.ftu_dst); |
| |
| if (((fp->fr_proto == IPPROTO_ICMP) || |
| (fp->fr_proto == IPPROTO_ICMPV6)) && fp->fr_icmpm) { |
| int type = fp->fr_icmp, code; |
| char *name; |
| |
| type = ntohs(fp->fr_icmp); |
| code = type & 0xff; |
| type /= 256; |
| name = icmptypename(fp->fr_family, type); |
| if (name == NULL) |
| PRINTF(" icmp-type %d", type); |
| else |
| PRINTF(" icmp-type %s", name); |
| if (ntohs(fp->fr_icmpm) & 0xff) |
| PRINTF(" code %d", code); |
| } |
| if ((fp->fr_proto == IPPROTO_TCP) && |
| (fp->fr_tcpf || fp->fr_tcpfm)) { |
| PRINTF(" flags "); |
| printtcpflags(fp->fr_tcpf, fp->fr_tcpfm); |
| } |
| break; |
| |
| case FR_T_BPFOPC : |
| { |
| fakebpf_t *fb; |
| int i; |
| |
| PRINTF("bpf-v%d { \"", fp->fr_family); |
| i = fp->fr_dsize / sizeof(*fb); |
| |
| for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ") |
| PRINTF("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t, |
| fb->fb_f, fb->fb_k); |
| |
| PRINTF("\" }"); |
| break; |
| } |
| |
| case FR_T_COMPIPF : |
| break; |
| |
| case FR_T_CALLFUNC : |
| PRINTF("call function at %p", fp->fr_data); |
| break; |
| |
| case FR_T_IPFEXPR : |
| PRINTF("exp { \""); |
| printipfexpr(fp->fr_data); |
| PRINTF("\" } "); |
| break; |
| |
| default : |
| PRINTF("[unknown filter type %#x]", fp->fr_type); |
| break; |
| } |
| |
| if ((type == FR_T_IPF) && |
| ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) || |
| fp->fr_optbits || fp->fr_optmask || |
| fp->fr_secbits || fp->fr_secmask)) { |
| char *comma = " "; |
| |
| PRINTF(" with"); |
| if (fp->fr_optbits || fp->fr_optmask || |
| fp->fr_secbits || fp->fr_secmask) { |
| sec[0] = fp->fr_secmask; |
| sec[1] = fp->fr_secbits; |
| if (fp->fr_family == AF_INET) |
| optprint(sec, fp->fr_optmask, fp->fr_optbits); |
| #ifdef USE_INET6 |
| else |
| optprintv6(sec, fp->fr_optmask, |
| fp->fr_optbits); |
| #endif |
| } else if (fp->fr_mflx & FI_OPTIONS) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_OPTIONS)) |
| PRINTF("not "); |
| PRINTF("ipopts"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_SHORT) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_SHORT)) |
| PRINTF("not "); |
| PRINTF("short"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_FRAG) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_FRAG)) |
| PRINTF("not "); |
| PRINTF("frag"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_FRAGBODY) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_FRAGBODY)) |
| PRINTF("not "); |
| PRINTF("frag-body"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_NATED) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_NATED)) |
| PRINTF("not "); |
| PRINTF("nat"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_LOWTTL) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_LOWTTL)) |
| PRINTF("not "); |
| PRINTF("lowttl"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_BAD) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_BAD)) |
| PRINTF("not "); |
| PRINTF("bad"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_BADSRC) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_BADSRC)) |
| PRINTF("not "); |
| PRINTF("bad-src"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_BADNAT) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_BADNAT)) |
| PRINTF("not "); |
| PRINTF("bad-nat"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_OOW) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_OOW)) |
| PRINTF("not "); |
| PRINTF("oow"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_MBCAST) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_MBCAST)) |
| PRINTF("not "); |
| PRINTF("mbcast"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_BROADCAST) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_BROADCAST)) |
| PRINTF("not "); |
| PRINTF("bcast"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_MULTICAST) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_MULTICAST)) |
| PRINTF("not "); |
| PRINTF("mcast"); |
| comma = ","; |
| } |
| if (fp->fr_mflx & FI_STATE) { |
| fputs(comma, stdout); |
| if (!(fp->fr_flx & FI_STATE)) |
| PRINTF("not "); |
| PRINTF("state"); |
| comma = ","; |
| } |
| } |
| |
| if (fp->fr_flags & FR_KEEPSTATE) { |
| host_track_t *src = &fp->fr_srctrack; |
| PRINTF(" keep state"); |
| if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN| |
| FR_NOICMPERR|FR_STATESYNC)) || |
| (fp->fr_statemax != 0) || (fp->fr_age[0] != 0) || |
| (src->ht_max_nodes != 0)) { |
| char *comma = ""; |
| PRINTF(" ("); |
| if (fp->fr_statemax != 0) { |
| PRINTF("limit %u", fp->fr_statemax); |
| comma = ","; |
| } |
| if (src->ht_max_nodes != 0) { |
| PRINTF("%smax-nodes %d", comma, |
| src->ht_max_nodes); |
| if (src->ht_max_per_node) |
| PRINTF(", max-per-src %d/%d", |
| src->ht_max_per_node, |
| src->ht_netmask); |
| comma = ","; |
| } |
| if (fp->fr_flags & FR_STSTRICT) { |
| PRINTF("%sstrict", comma); |
| comma = ","; |
| } |
| if (fp->fr_flags & FR_STLOOSE) { |
| PRINTF("%sloose", comma); |
| comma = ","; |
| } |
| if (fp->fr_flags & FR_NEWISN) { |
| PRINTF("%snewisn", comma); |
| comma = ","; |
| } |
| if (fp->fr_flags & FR_NOICMPERR) { |
| PRINTF("%sno-icmp-err", comma); |
| comma = ","; |
| } |
| if (fp->fr_flags & FR_STATESYNC) { |
| PRINTF("%ssync", comma); |
| comma = ","; |
| } |
| if (fp->fr_age[0] || fp->fr_age[1]) |
| PRINTF("%sage %d/%d", comma, fp->fr_age[0], |
| fp->fr_age[1]); |
| PRINTF(")"); |
| } |
| } |
| if (fp->fr_flags & FR_KEEPFRAG) { |
| PRINTF(" keep frags"); |
| if (fp->fr_flags & (FR_FRSTRICT)) { |
| PRINTF(" ("); |
| if (fp->fr_flags & FR_FRSTRICT) |
| PRINTF("strict"); |
| PRINTF(")"); |
| |
| } |
| } |
| if (fp->fr_isc != (struct ipscan *)-1) { |
| if (fp->fr_isctag != -1) |
| PRINTF(" scan %s", fp->fr_isctag + fp->fr_names); |
| else |
| PRINTF(" scan *"); |
| } |
| if (fp->fr_grhead != -1) |
| PRINTF(" head %s", fp->fr_names + fp->fr_grhead); |
| if (fp->fr_group != -1) |
| PRINTF(" group %s", fp->fr_names + fp->fr_group); |
| if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) { |
| char *s = ""; |
| |
| PRINTF(" set-tag("); |
| if (fp->fr_logtag != FR_NOLOGTAG) { |
| PRINTF("log=%u", fp->fr_logtag); |
| s = ", "; |
| } |
| if (*fp->fr_nattag.ipt_tag) { |
| PRINTF("%snat=%-.*s", s, IPFTAG_LEN, |
| fp->fr_nattag.ipt_tag); |
| } |
| PRINTF(")"); |
| } |
| |
| if (fp->fr_pps) |
| PRINTF(" pps %d", fp->fr_pps); |
| |
| if (fp->fr_comment != -1) |
| PRINTF(" comment \"%s\"", fp->fr_names + fp->fr_comment); |
| |
| hash = 0; |
| if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) { |
| PRINTF(" # count %d", fp->fr_statecnt); |
| if (fp->fr_die != 0) |
| PRINTF(" rule-ttl %u", fp->fr_die); |
| hash = 1; |
| } else if (fp->fr_die != 0) { |
| PRINTF(" # rule-ttl %u", fp->fr_die); |
| hash = 1; |
| } |
| if (opts & OPT_DEBUG) { |
| if (hash == 0) |
| putchar('#'); |
| PRINTF(" ref %d", fp->fr_ref); |
| } |
| (void)putchar('\n'); |
| } |