diff options
Diffstat (limited to 'contrib/pf/pfctl')
-rw-r--r-- | contrib/pf/pfctl/pf_print_state.c | 39 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl.8 | 138 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl_osfp.c | 21 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl_radix.c | 37 |
4 files changed, 161 insertions, 74 deletions
diff --git a/contrib/pf/pfctl/pf_print_state.c b/contrib/pf/pfctl/pf_print_state.c index 58ce23a..b7cf5ca 100644 --- a/contrib/pf/pfctl/pf_print_state.c +++ b/contrib/pf/pfctl/pf_print_state.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_print_state.c,v 1.33 2003/07/06 22:01:28 deraadt Exp $ */ +/* $OpenBSD: pf_print_state.c,v 1.39 2004/02/10 17:48:08 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -50,9 +50,24 @@ void print_name(struct pf_addr *, sa_family_t); void print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) { - switch(addr->type) { + switch (addr->type) { case PF_ADDR_DYNIFTL: - printf("(%s)", addr->v.ifname); + printf("(%s", addr->v.ifname); + if (addr->iflags & PFI_AFLAG_NETWORK) + printf(":network"); + if (addr->iflags & PFI_AFLAG_BROADCAST) + printf(":broadcast"); + if (addr->iflags & PFI_AFLAG_PEER) + printf(":peer"); + if (addr->iflags & PFI_AFLAG_NOALIAS) + printf(":0"); + if (verbose) { + if (addr->p.dyncnt <= 0) + printf(":*"); + else + printf(":%d", addr->p.dyncnt); + } + printf(")"); break; case PF_ADDR_TABLE: if (verbose) @@ -85,7 +100,10 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) printf("?"); return; } - if (! PF_AZERO(&addr->v.a.mask, af)) { + + /* mask if not _both_ address and mask are zero */ + if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) && + PF_AZERO(&addr->v.a.mask, AF_INET6))) { int bits = unmask(&addr->v.a.mask, af); if (bits != (af == AF_INET ? 32 : 128)) @@ -140,8 +158,10 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts) aw.v.a.addr = h->addr; if (af == AF_INET) aw.v.a.mask.addr32[0] = 0xffffffff; - else + else { memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask)); + af = AF_INET6; + } print_addr(&aw, af, opts & PF_OPT_VERBOSE2); } @@ -177,6 +197,7 @@ print_state(struct pf_state *s, int opts) src = &s->dst; dst = &s->src; } + printf("%s ", s->u.ifname); if ((p = getprotobynumber(s->proto)) != NULL) printf("%s ", p->p_name); else @@ -256,8 +277,16 @@ print_state(struct pf_state *s, int opts) printf(", anchor %u", s->anchor.nr); if (s->rule.nr != -1) printf(", rule %u", s->rule.nr); + if (s->src_node != NULL) + printf(", source-track"); + if (s->nat_src_node != NULL) + printf(", sticky-address"); printf("\n"); } + if (opts & PF_OPT_VERBOSE2) { + printf(" id: %016llx creatorid: %08x\n", + betoh64(s->id), ntohl(s->creatorid)); + } } int diff --git a/contrib/pf/pfctl/pfctl.8 b/contrib/pf/pfctl/pfctl.8 index fb73ce2..6fac2d5 100644 --- a/contrib/pf/pfctl/pfctl.8 +++ b/contrib/pf/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.102 2003/09/18 09:18:51 jmc Exp $ +.\" $OpenBSD: pfctl.8,v 1.110 2004/03/20 09:31:42 david Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -33,15 +33,17 @@ .Sh SYNOPSIS .Nm pfctl .Bk -words -.Op Fl AdeghnNqrROvz +.Op Fl AdeghNnOqRrvz .Op Fl a Ar anchor Ns Op Ar :ruleset .Op Fl D Ar macro=value -.Op Fl f Ar file .Op Fl F Ar modifier +.Op Fl f Ar file +.Op Fl i Ar interface .Op Fl k Ar host +.Op Fl p Ar device .Op Fl s Ar modifier -.Op Fl t Ar table .Op Fl T Ar command Op Ar address ... +.Op Fl t Ar table .Op Fl x Ar level .Ek .Sh DESCRIPTION @@ -93,6 +95,9 @@ The utility provides several commands. The options are as follows: .Bl -tag -width Ds +.It Fl A +Load only the queue rules present in the rule file. +Other rules and options are ignored. .It Fl a Ar anchor Ns Op Ar :ruleset Apply flags .Fl f , @@ -134,11 +139,6 @@ This is similar to C rules for variables. It is possible to create distinct tables with the same name in the global ruleset and in an anchor, but this is often bad design and a warning will be issued in that case. -.It Fl A -Load only the queue rules present in the rule file. -Other rules and options are ignored. -.It Fl d -Disable the packet filter. .It Fl D Ar macro=value Define .Ar macro @@ -148,17 +148,10 @@ on the command line. Overrides the definition of .Ar macro in the ruleset. +.It Fl d +Disable the packet filter. .It Fl e Enable the packet filter. -.It Fl f Ar file -Load the rules contained in -.Ar file . -This -.Ar file -may contain macros, tables, options, and normalization, queueing, -translation, and filtering rules. -With the exception of macros and tables, the statements must appear in that -order. .It Fl F Ar modifier Flush the filter parameters specified by .Ar modifier @@ -173,6 +166,8 @@ Flush the queue rules. Flush the filter rules. .It Fl F Ar state Flush the state table (NAT and filter). +.It Fl F Ar Sources +Flush the source tracking table. .It Fl F Ar info Flush the filter information (statistics that are not bound to rules). .It Fl F Ar Tables @@ -182,8 +177,22 @@ Flush the passive operating system fingerprints. .It Fl F Ar all Flush all of the above. .El +.It Fl f Ar file +Load the rules contained in +.Ar file . +This +.Ar file +may contain macros, tables, options, and normalization, queueing, +translation, and filtering rules. +With the exception of macros and tables, the statements must appear in that +order. .It Fl g Include output helpful for debugging. +.It Fl h +Help. +.It Fl i Ar interface +Restrict the operation to the given +.Ar interface . .It Fl k Ar host Kill all of the state entries originating from the specified .Ar host . @@ -207,29 +216,32 @@ to .Bd -literal -offset indent # pfctl -k host1 -k host2 .Ed -.It Fl h -Help. -.It Fl n -Do not actually load rules, just parse them. .It Fl N Load only the NAT rules present in the rule file. Other rules and options are ignored. +.It Fl n +Do not actually load rules, just parse them. +.It Fl O +Load only the options present in the rule file. +Other rules and options are ignored. +.It Fl p Ar device +Use the device file +.Ar device +instead of the default +.Pa /dev/pf . .It Fl q Only print errors and warnings. -.It Fl r -Perform reverse DNS lookups on states when displaying them. .It Fl R Load only the filter rules present in the rule file. Other rules and options are ignored. -.It Fl O -Load only the options present in the rule file. -Other rules and options are ignored. +.It Fl r +Perform reverse DNS lookups on states when displaying them. .It Fl s Ar modifier Show the filter parameters specified by .Ar modifier (may be abbreviated): .Pp -.Bl -tag -width xxxxxxxxxxxx -compact +.Bl -tag -width xxxxxxxxxxxxx -compact .It Fl s Ar nat Show the currently loaded NAT rules. .It Fl s Ar queue @@ -261,8 +273,13 @@ is specified as well, the named rulesets currently loaded in the specified anchor are shown instead. .It Fl s Ar state Show the contents of the state table. +.It Fl s Ar Sources +Show the contents of the source tracking table. .It Fl s Ar info Show filter information (statistics and counters). +When used together with +.Fl v , +source tracking statistics are also shown. .It Fl s Ar labels Show per-rule statistics (label, evaluations, packets, bytes) of filter rules with labels, useful for accounting. @@ -274,16 +291,17 @@ Show the current pool memory hard limits. Show the list of tables. .It Fl s Ar osfp Show the list of operating system fingerprints. -Can be used in combination with -.Fl o Ar file -to list the fingerprints in a -.Xr pf.os 5 -file. +.It Fl s Ar Interfaces +Show the list of interfaces and interface drivers available to PF. +When used together with a double +.Fl v , +interface statistics are also shown. +.Fl i +can be used to select an interface or a group of interfaces. .It Fl s Ar all -Show all of the above. +Show all of the above, except for the lists of interfaces and operating +system fingerprints. .El -.It Fl t Ar table -Specify the name of the table. .It Fl T Ar command Op Ar address ... Specify the .Ar command @@ -334,7 +352,7 @@ Comments starting with a "#" are allowed in the text file. With these commands, the .Fl v flag can also be used once or twice, in which case -.Nm pfctl +.Nm will print the detailed result of the operation for each individual address, prefixed by one of the following letters: @@ -359,7 +377,7 @@ The address/network has been cleared (statistics). Each table maintains a set of counters that can be retrieved using the .Fl v flag of -.Nm pfctl . +.Nm . For example, the following commands define a wide open firewall which will keep track of packets going to or coming from the .Ox @@ -367,8 +385,8 @@ ftp server. The following commands configure the firewall and send 10 pings to the ftp server: .Bd -literal -offset indent -# printf \&"table <test> { ftp.openbsd.org }\en \e -\ \ pass out to <test> keep state\en" \&| pfctl -f- +# printf "table <test> { ftp.openbsd.org }\en \e + pass out to <test> keep state\en" | pfctl -f- # ping -qc10 ftp.openbsd.org .Ed .Pp @@ -381,12 +399,12 @@ The time at which the current accounting started is also shown with the line. .Bd -literal -offset indent # pfctl -t test -vTshow -\ \ \ 129.128.5.191 -\ \ \ \ Cleared: \ \ \ \ Thu Feb 13 18:55:18 2003 -\ \ \ \ In/Block: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] -\ \ \ \ In/Pass: \ \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ] -\ \ \ \ Out/Block: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] -\ \ \ \ Out/Pass: \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ] + 129.128.5.191 + Cleared: Thu Feb 13 18:55:18 2003 + In/Block: [ Packets: 0 Bytes: 0 ] + In/Pass: [ Packets: 10 Bytes: 840 ] + Out/Block: [ Packets: 0 Bytes: 0 ] + Out/Pass: [ Packets: 10 Bytes: 840 ] .Ed .Pp Similarly, it is possible to view global information about the tables @@ -401,19 +419,19 @@ packet statistics for the whole table: .Bd -literal -offset indent # pfctl -vvsTables --a-r- test -\ \ \ \ Addresses: \ \ 1 -\ \ \ \ Cleared: \ \ \ \ Thu Feb 13 18:55:18 2003 -\ \ \ \ References: \ [ Anchors: 0 \ \ \ \ \ \ \ Rules: 1 \ \ \ \ \ \ \ ] -\ \ \ \ Evaluations: [ NoMatch: 3496 \ \ \ \ Match: 1 \ \ \ \ \ \ \ ] -\ \ \ \ In/Block: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] -\ \ \ \ In/Pass: \ \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ] -\ \ \ \ In/XPass: \ \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] -\ \ \ \ Out/Block: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] -\ \ \ \ Out/Pass: \ \ \ [ Packets: 10 \ \ \ \ \ \ Bytes: 840 \ \ \ \ \ ] -\ \ \ \ Out/XPass: \ \ [ Packets: 0 \ \ \ \ \ \ \ Bytes: 0 \ \ \ \ \ \ \ ] + Addresses: 1 + Cleared: Thu Feb 13 18:55:18 2003 + References: [ Anchors: 0 Rules: 1 ] + Evaluations: [ NoMatch: 3496 Match: 1 ] + In/Block: [ Packets: 0 Bytes: 0 ] + In/Pass: [ Packets: 10 Bytes: 840 ] + In/XPass: [ Packets: 0 Bytes: 0 ] + Out/Block: [ Packets: 0 Bytes: 0 ] + Out/Pass: [ Packets: 10 Bytes: 840 ] + Out/XPass: [ Packets: 0 Bytes: 0 ] .Ed .Pp -As we can see here, only one packet - the initial ping request - matched the +As we can see here, only one packet \- the initial ping request \- matched the table; but all packets passing as the result of the state are correctly accounted for. Reloading the table(s) or ruleset will not affect packet accounting in any way. @@ -421,14 +439,14 @@ The two .Ar XPass counters are incremented instead of the .Ar Pass -counters when a \&"stateful\&" packet is passed but doesn't match the table +counters when a "stateful" packet is passed but doesn't match the table anymore. This will happen in our example if someone flushes the table while the ping command is running. .Pp When used with a single .Fl v , -.Nm pfctl +.Nm will only display the first line containing the table flags and name. The flags are defined as follows: .Pp @@ -459,6 +477,8 @@ For tables which are referenced (used) by rules. This flag is set when a table in the main ruleset is hidden by one or more tables of the same name in sub-rulesets (anchors). .El +.It Fl t Ar table +Specify the name of the table. .It Fl v Produce more verbose output. A second use of diff --git a/contrib/pf/pfctl/pfctl_osfp.c b/contrib/pf/pfctl/pfctl_osfp.c index 9585314..6d1fb99 100644 --- a/contrib/pf/pfctl/pfctl_osfp.c +++ b/contrib/pf/pfctl/pfctl_osfp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_osfp.c,v 1.4 2003/08/27 17:42:00 frantzen Exp $ */ +/* $OpenBSD: pfctl_osfp.c,v 1.8 2004/02/27 10:42:00 henning Exp $ */ /* * Copyright (c) 2003 Mike Frantzen <frantzen@openbsd.org> @@ -31,6 +31,7 @@ #include <string.h> #include "pfctl_parser.h" +#include "pfctl.h" #ifndef MIN # define MIN(a,b) (((a) < (b)) ? (a) : (b)) @@ -308,11 +309,17 @@ pfctl_load_fingerprints(int dev, int opts) void pfctl_show_fingerprints(int opts) { - printf("Passive OS Fingerprints:\n"); - printf("\tClass\tVersion\tSubtype(subversion)\n"); - printf("\t-----\t-------\t-------------------\n"); - sort_name_list(opts, &classes); - print_name_list(opts, &classes, "\t"); + if (LIST_FIRST(&classes) != NULL) { + if (opts & PF_OPT_SHOWALL) { + pfctl_print_title("OS FINGERPRINTS:"); + printf("%u fingerprints loaded\n", fingerprint_count); + } else { + printf("Class\tVersion\tSubtype(subversion)\n"); + printf("-----\t-------\t-------------------\n"); + sort_name_list(opts, &classes); + print_name_list(opts, &classes, ""); + } + } } /* Lookup a fingerprint */ @@ -825,7 +832,7 @@ get_int(char **line, size_t *len, int *var, int *mod, } for (; i < fieldlen; i++) { - if (field[i] < '0' || field[i] > '9') { + if (field[i] < '0' || field[i] > '9') { fprintf(stderr, "%s:%d non-digit character in %s\n", filename, lineno, name); return (1); diff --git a/contrib/pf/pfctl/pfctl_radix.c b/contrib/pf/pfctl/pfctl_radix.c index 788522c..04fb487 100644 --- a/contrib/pf/pfctl/pfctl_radix.c +++ b/contrib/pf/pfctl/pfctl_radix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_radix.c,v 1.21 2003/09/24 09:12:35 cedric Exp $ */ +/* $OpenBSD: pfctl_radix.c,v 1.24 2004/02/10 18:29:30 henning Exp $ */ /* * Copyright (c) 2002 Cedric Berger @@ -259,7 +259,8 @@ pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size, { struct pfioc_table io; - if (tbl == NULL || size == NULL || *size < 0 || (*size && addr == NULL)) { + if (tbl == NULL || size == NULL || *size < 0 || + (*size && addr == NULL)) { errno = EINVAL; return (-1); } @@ -281,7 +282,8 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size, { struct pfioc_table io; - if (tbl == NULL || size == NULL || *size < 0 || (*size && addr == NULL)) { + if (tbl == NULL || size == NULL || *size < 0 || + (*size && addr == NULL)) { errno = EINVAL; return (-1); } @@ -454,11 +456,40 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (0); } +/* interface management code */ + +int +pfi_get_ifaces(const char *filter, struct pfi_if *buf, int *size, int flags) +{ + struct pfioc_iface io; + + if (size == NULL || *size < 0 || (*size && buf == NULL)) { + errno = EINVAL; + return (-1); + } + bzero(&io, sizeof io); + io.pfiio_flags = flags; + if (filter != NULL) + if (strlcpy(io.pfiio_name, filter, sizeof(io.pfiio_name)) >= + sizeof(io.pfiio_name)) { + errno = EINVAL; + return (-1); + } + io.pfiio_buffer = buf; + io.pfiio_esize = sizeof(*buf); + io.pfiio_size = *size; + if (ioctl(dev, DIOCIGETIFACES, &io)) + return (-1); + *size = io.pfiio_size; + return (0); +} + /* buffer management code */ size_t buf_esize[PFRB_MAX] = { 0, sizeof(struct pfr_table), sizeof(struct pfr_tstats), sizeof(struct pfr_addr), sizeof(struct pfr_astats), + sizeof(struct pfi_if), sizeof(struct pfioc_trans_e) }; /* |