OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
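--- a/usr/src/cmd/ipf/lib/common/printfr.c
+++ b/usr/src/cmd/ipf/lib/common/printfr.c
@@ -1,406 +1,420 @@
 /*
 * Copyright (C) 2000-2005 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * $Id: printfr.c,v 1.43.2.12 2005/06/12 07:18:42 darrenr Exp $
 *
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2019 Joyent, Inc.
 */
 
-#pragma ident "%Z%%M% %I% %E% SMI"
+#include <uuid/uuid.h>
 
 #include "ipf.h"
 
 /*
 * print the filter structure in a useful way
 */
 void printfr(fp, iocfunc)
 struct frentry *fp;
 ioctlfunc_t iocfunc;
 {
 struct protoent *p;
 u_short sec[2];
 u_32_t type;
 u_char *t;
 char *s;
 int pr;
 
 pr = -2;
 type = fp->fr_type & ~FR_T_BUILTIN;
 
 if ((fp->fr_type & FR_T_BUILTIN) != 0)
 printf("# Builtin: ");
 
 if (fp->fr_collect != 0)
 printf("%u ", fp->fr_collect);
 
 if (fp->fr_type == FR_T_CALLFUNC) {
 ;
 } else if (fp->fr_func != NULL) {
 printf("call");
 if ((fp->fr_flags & FR_CALLNOW) != 0)
 printf(" now");
 s = kvatoname(fp->fr_func, iocfunc);
 printf(" %s/%u", s ? s : "?", fp->fr_arg);
 } else if (FR_ISPASS(fp->fr_flags))
 printf("pass");
 else if (FR_ISBLOCK(fp->fr_flags)) {
 printf("block");
 if (fp->fr_flags & FR_RETICMP) {
 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
 printf(" return-icmp-as-dest");
 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
 printf(" return-icmp");
 if (fp->fr_icode) {
 if (fp->fr_icode <= MAX_ICMPCODE)
 printf("(%s)",
 icmpcodes[(int)fp->fr_icode]);
 else
 printf("(%d)", fp->fr_icode);
 }
 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
 printf(" return-rst");
 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
 printlog(fp);
 } else if (FR_ISACCOUNT(fp->fr_flags))
 printf("count");
 else if (FR_ISAUTH(fp->fr_flags))
 printf("auth");
 else if (FR_ISPREAUTH(fp->fr_flags))
 printf("preauth");
 else if (FR_ISNOMATCH(fp->fr_flags))
 printf("nomatch");
 else if (FR_ISSKIP(fp->fr_flags))
 printf("skip %u", fp->fr_arg);
 else {
 printf("%x", fp->fr_flags);
 }
 
 if (fp->fr_flags & FR_OUTQUE)
 printf(" out ");
 else
 printf(" in ");
 
 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
 printlog(fp);
 putchar(' ');
 }
 
 if (fp->fr_flags & FR_QUICK)
 printf("quick ");
 
 if (*fp->fr_ifname) {
 printifname("on ", fp->fr_ifname, fp->fr_ifa);
 if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
 printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
 putchar(' ');
 }
 
 if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP))
 print_toif("dup-to", &fp->fr_dif);
 if (*fp->fr_tif.fd_ifname)
 print_toif("to", &fp->fr_tif);
 if (*fp->fr_rif.fd_ifname)
 print_toif("reply-to", &fp->fr_rif);
 if (fp->fr_flags & FR_FASTROUTE)
 printf("fastroute ");
 
 if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
 (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
 if (fp->fr_flags & FR_OUTQUE)
 printf("in-via ");
 else
 printf("out-via ");
 
 if (*fp->fr_ifnames[2]) {
 printifname("", fp->fr_ifnames[2],
 fp->fr_ifas[2]);
 putchar(' ');
 
 if (*fp->fr_ifnames[3]) {
 printifname(",", fp->fr_ifnames[3],
 fp->fr_ifas[3]);
 }
 }
 }
 
 if (type == FR_T_IPF) {
 if (fp->fr_mip.fi_tos)
 printf("tos %#x ", fp->fr_tos);
 if (fp->fr_mip.fi_ttl)
 printf("ttl %d ", fp->fr_ttl);
 if (fp->fr_flx & FI_TCPUDP) {
 printf("proto tcp/udp ");
 pr = -1;
 } else if (fp->fr_mip.fi_p) {
 pr = fp->fr_ip.fi_p;
 p = getprotobynumber(pr);
 printf("proto ");
 printproto(p, pr, NULL);
 putchar(' ');
 }
 }
 
 if (type == FR_T_NONE) {
 printf("all");
 } else if (type == FR_T_IPF) {
 printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
 printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
 &fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
 if (fp->fr_scmp)
 printportcmp(pr, &fp->fr_tuc.ftu_src);
 
 printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
 printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
 &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
 if (fp->fr_dcmp)
 printportcmp(pr, &fp->fr_tuc.ftu_dst);
 
 if ((fp->fr_proto == IPPROTO_ICMP
 #ifdef USE_INET6
 || fp->fr_proto == IPPROTO_ICMPV6
 #endif
 ) && fp->fr_icmpm) {
 int type = fp->fr_icmp, code;
 
 type = ntohs(fp->fr_icmp);
 code = type & 0xff;
 type /= 256;
 if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
 icmptypes[type] && fp->fr_proto == IPPROTO_ICMP)
 printf(" icmp-type %s", icmptypes[type]);
 else
 printf(" icmp-type %d", type);
 if (ntohs(fp->fr_icmpm) & 0xff)
 printf(" code %d", code);
 }
 if ((fp->fr_proto == IPPROTO_TCP) &&
 (fp->fr_tcpf || fp->fr_tcpfm)) {
 printf(" flags ");
 if (fp->fr_tcpf & ~TCPF_ALL)
 printf("0x%x", fp->fr_tcpf);
 else
 for (s = flagset, t = flags; *s; s++, t++)
 if (fp->fr_tcpf & *t)
 (void)putchar(*s);
 if (fp->fr_tcpfm) {
 (void)putchar('/');
 if (fp->fr_tcpfm & ~TCPF_ALL)
 printf("0x%x", fp->fr_tcpfm);
 else
 for (s = flagset, t = flags; *s;
 s++, t++)
 if (fp->fr_tcpfm & *t)
 (void)putchar(*s);
 }
 }
 } else if (type == FR_T_BPFOPC) {
 fakebpf_t *fb;
 int i;
 
 printf("bpf-v%d { \"", fp->fr_v);
 i = fp->fr_dsize / sizeof(*fb);
 
 for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
 printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
 fb->fb_f, fb->fb_k);
 
 printf("\" }");
 } else if (type == FR_T_COMPIPF) {
 ;
 } else if (type == FR_T_CALLFUNC) {
 printf("call function at %p", fp->fr_data);
 } else {
 printf("[unknown filter type %#x]", fp->fr_type);
 }
 
 if ((type == FR_T_IPF) &&
 ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
 fp->fr_optbits || fp->fr_optmask ||
 fp->fr_secbits || fp->fr_secmask)) {
 char *comma = " ";
 
 printf(" with");
 if (fp->fr_optbits || fp->fr_optmask ||
 fp->fr_secbits || fp->fr_secmask) {
 sec[0] = fp->fr_secmask;
 sec[1] = fp->fr_secbits;
 if (fp->fr_v == 4)
 optprint(sec, fp->fr_optmask, fp->fr_optbits);
 #ifdef USE_INET6
 else
 optprintv6(sec, fp->fr_optmask,
 fp->fr_optbits);
 #endif
 } else if (fp->fr_mflx & FI_OPTIONS) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_OPTIONS))
 printf("not ");
 printf("ipopts");
 comma = ",";
 }
 if (fp->fr_mflx & FI_SHORT) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_SHORT))
 printf("not ");
 printf("short");
 comma = ",";
 }
 if (fp->fr_mflx & FI_FRAG) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_FRAG))
 printf("not ");
 printf("frag");
 comma = ",";
 }
 if (fp->fr_mflx & FI_FRAGBODY) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_FRAGBODY))
 printf("not ");
 printf("frag-body");
 comma = ",";
 }
 if (fp->fr_mflx & FI_NATED) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_NATED))
 printf("not ");
 printf("nat");
 comma = ",";
 }
 if (fp->fr_mflx & FI_LOWTTL) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_LOWTTL))
 printf("not ");
 printf("lowttl");
 comma = ",";
 }
 if (fp->fr_mflx & FI_BAD) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_BAD))
 printf("not ");
 printf("bad");
 comma = ",";
 }
 if (fp->fr_mflx & FI_BADSRC) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_BADSRC))
 printf("not ");
 printf("bad-src");
 comma = ",";
 }
 if (fp->fr_mflx & FI_BADNAT) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_BADNAT))
 printf("not ");
 printf("bad-nat");
 comma = ",";
 }
 if (fp->fr_mflx & FI_OOW) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_OOW))
 printf("not ");
 printf("oow");
 }
 if (fp->fr_mflx & FI_MULTICAST) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_MULTICAST))
 printf("not ");
 printf("mcast");
 comma = ",";
 }
 if (fp->fr_mflx & FI_BROADCAST) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_BROADCAST))
 printf("not ");
 printf("bcast");
 comma = ",";
 }
 if (fp->fr_mflx & FI_MBCAST) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_MBCAST))
 printf("not ");
 printf("mbcast");
 comma = ",";
 }
 if (fp->fr_mflx & FI_STATE) {
 fputs(comma, stdout);
 if (!(fp->fr_flx & FI_STATE))
 printf("not ");
 printf("state");
 comma = ",";
 }
 }
 
 if (fp->fr_flags & FR_KEEPSTATE) {
 printf(" keep state");
 if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
 (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
 char *comma = "";
 printf(" (");
 if (fp->fr_statemax != 0) {
 printf("limit %u", fp->fr_statemax);
 comma = ",";
 }
 if (fp->fr_flags & FR_STSTRICT) {
 printf("%sstrict", comma);
 comma = ",";
 }
 if (fp->fr_flags & FR_NEWISN) {
 printf("%snewisn", comma);
 comma = ",";
 }
 if (fp->fr_flags & FR_NOICMPERR) {
 printf("%sno-icmp-err", comma);
 comma = ",";
 }
 if (fp->fr_flags & FR_STATESYNC) {
 printf("%ssync", comma);
 comma = ",";
 }
 if (fp->fr_age[0] || fp->fr_age[1])
 printf("%sage %d/%d", comma, fp->fr_age[0],
 fp->fr_age[1]);
 printf(")");
 }
 }
 if (fp->fr_flags & FR_KEEPFRAG) {
 printf(" keep frags");
 if (fp->fr_flags & (FR_FRSTRICT)) {
 printf(" (");
 if (fp->fr_flags & FR_FRSTRICT)
 printf(" strict");
 printf(" )");
 
 }
 }
 if (fp->fr_isc != (struct ipscan *)-1) {
 if (fp->fr_isctag[0])
 printf(" scan %s", fp->fr_isctag);
 else
 printf(" scan *");
 }
 if (*fp->fr_grhead != '\0')
 printf(" head %s", fp->fr_grhead);
 if (*fp->fr_group != '\0')
 printf(" group %s", fp->fr_group);
- if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
+ if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag ||
+ (fp->fr_flags & FR_CFWLOG) || !uuid_is_null(fp->fr_uuid)) {
 char *s = "";
 
 printf(" set-tag(");
 if (fp->fr_logtag != FR_NOLOGTAG) {
 printf("log=%u", fp->fr_logtag);
 s = ", ";
 }
 if (*fp->fr_nattag.ipt_tag) {
 printf("%snat=%-.*s", s, IPFTAG_LEN,
 fp->fr_nattag.ipt_tag);
+ s = ", ";
 }
+ if (fp->fr_flags & FR_CFWLOG) {
+ printf("cfwlog");
+ s = ", ";
+ }
+
+ if (!uuid_is_null(fp->fr_uuid)) {
+ char uuid[UUID_PRINTABLE_STRING_LENGTH];
+
+ uuid_unparse(fp->fr_uuid, uuid);
+ printf("%suuid=%s", s, uuid);
+ }
 printf(")");
 }
 if (fp->fr_pps)
 printf(" pps %d", fp->fr_pps);
 (void)putchar('\n');
 }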
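Review bot: The new `cfwlog` branch in the set-tag block omits the separator that every other item prints, so a rule carrying both a log tag and FR_CFWLOG is rendered as `set-tag(log=5cfwlog, ...)` rather than `set-tag(log=5, cfwlog, ...)`; the line should be `printf("%scfwlog", s);` to match the `nat=` and `uuid=` cases beside it. If this output is meant to round-trip through the rule parser, as the rest of printfr's format suggests, the fused token makes a dumped ruleset unparseable, which is the case where an operator is auditing or re-applying the live rules and most needs the printed form to be exact. The blank line separating the cfwlog and uuid blocks is also out of step with the adjacent blocks in this function, which run their `if` bodies back to back.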