e70dad7d7a
'gateway' address/ports do not work (yet) due to the address handling changes in pf. Other functionality should work. Also fixes two minor bugs reported by many. Suggestions and ok naddy@
$OpenBSD: patch-pftop_c,v 1.10 2008/06/13 00:38:12 canacar Exp $
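--- a/pftop.c
+++ b/pftop.c
@@ -535,6 +535,8 @@ compare_addr(int af, const struct pf_addr *a, const st
 return 0;
 }
 
+#ifdef HAVE_PFSYNC_KEY
+
 #ifdef __GNUC__
 __inline__
 #endif
@@ -542,6 +544,113 @@ int
 sort_addr_callback(const pf_state_t *s1,
 const pf_state_t *s2, int dir)
 {
+ const struct pf_addr *aa, *ab;
+ u_int16_t pa, pb;
+ int af, ret, ii, io;
+
+ af = s1->af;
+
+
+ if (af > s2->af)
+ return sortdir;
+ if (af < s2->af)
+ return -sortdir;
+
+ ii = io = 0;
+
+ if (dir == PF_OUT) /* looking for source addr */
+ io = 1;
+ else /* looking for dest addr */
+ ii = 1;
+
+ if (s1->direction == PF_IN) {
+ aa = &s1->key[PF_SK_STACK].addr[ii];
+ pa = s1->key[PF_SK_STACK].port[ii];
+ } else {
+ aa = &s1->key[PF_SK_WIRE].addr[io];
+ pa = s1->key[PF_SK_WIRE].port[io];
+ }
+
+ if (s2->direction == PF_IN) {
+ ab = &s2->key[PF_SK_STACK].addr[ii];;
+ pb = s2->key[PF_SK_STACK].port[ii];
+ } else {
+ ab = &s2->key[PF_SK_WIRE].addr[io];;
+ pb = s2->key[PF_SK_WIRE].port[io];
+ }
+
+ ret = compare_addr(af, aa, ab);
+ if (ret)
+ return ret * sortdir;
+
+ if (ntohs(pa) > ntohs(pb))
+ return sortdir;
+ return -sortdir;
+}
+
+#ifdef __GNUC__
+__inline__
+#endif
+int
+sort_port_callback(const pf_state_t *s1,
+ const pf_state_t *s2, int dir)
+{
+ const struct pf_addr *aa, *ab;
+ u_int16_t pa, pb;
+ int af, ret, ii, io;
+
+ af = s1->af;
+
+
+ if (af > s2->af)
+ return sortdir;
+ if (af < s2->af)
+ return -sortdir;
+
+ ii = io = 0;
+
+ if (dir == PF_OUT) /* looking for source addr */
+ io = 1;
+ else /* looking for dest addr */
+ ii = 1;
+
+ if (s1->direction == PF_IN) {
+ aa = &s1->key[PF_SK_STACK].addr[ii];
+ pa = s1->key[PF_SK_STACK].port[ii];
+ } else {
+ aa = &s1->key[PF_SK_WIRE].addr[io];
+ pa = s1->key[PF_SK_WIRE].port[io];
+ }
+
+ if (s2->direction == PF_IN) {
+ ab = &s2->key[PF_SK_STACK].addr[ii];;
+ pb = s2->key[PF_SK_STACK].port[ii];
+ } else {
+ ab = &s2->key[PF_SK_WIRE].addr[io];;
+ pb = s2->key[PF_SK_WIRE].port[io];
+ }
+
+
+ if (ntohs(pa) > ntohs(pb))
+ return sortdir;
+ if (ntohs(pa) < ntohs(pb))
+ return - sortdir;
+
+ ret = compare_addr(af, aa, ab);
+ if (ret)
+ return ret * sortdir;
+ return -sortdir;
+}
+
+#else /* HAVE_PFSYNC_KEY */
+
+#ifdef __GNUC__
+__inline__
+#endif
+int
+sort_addr_callback(const pf_state_t *s1,
+ const pf_state_t *s2, int dir)
+{
 const pf_state_host_t *a, *b;
 int af, ret;
 
@@ -573,20 +682,6 @@ sort_addr_callback(const pf_state_t *s1,
 return -sortdir;
 }
 
-int sort_sa_callback(const void *p1, const void *p2)
-{
- pf_state_t *s1 = state_buf + (* (u_int32_t *) p1);
- pf_state_t *s2 = state_buf + (* (u_int32_t *) p2);
- return sort_addr_callback(s1, s2, PF_OUT);
-}
-
-int sort_da_callback(const void *p1, const void *p2)
-{
- pf_state_t *s1 = state_buf + (* (u_int32_t *) p1);
- pf_state_t *s2 = state_buf + (* (u_int32_t *) p2);
- return sort_addr_callback(s1, s2, PF_IN);
-}
-
 #ifdef __GNUC__
 __inline__
 #endif
@@ -625,7 +720,22 @@ sort_port_callback(const pf_state_t *s1,
 return sortdir;
 return -sortdir;
 }
+#endif /* HAVE_PFSYNC_KEY */
 
+int sort_sa_callback(const void *p1, const void *p2)
+{
+ pf_state_t *s1 = state_buf + (* (u_int32_t *) p1);
+ pf_state_t *s2 = state_buf + (* (u_int32_t *) p2);
+ return sort_addr_callback(s1, s2, PF_OUT);
+}
+
+int sort_da_callback(const void *p1, const void *p2)
+{
+ pf_state_t *s1 = state_buf + (* (u_int32_t *) p1);
+ pf_state_t *s2 = state_buf + (* (u_int32_t *) p2);
+ return sort_addr_callback(s1, s2, PF_IN);
+}
+
 int
 sort_sp_callback(const void *p1, const void *p2)
 {
@@ -865,7 +975,48 @@ tb_print_addr(struct pf_addr * addr, struct pf_addr *
 tbprintf("/%u", unmask(mask, af));
 }
 }
+#ifdef HAVE_PFSYNC_KEY
+void
+print_fld_host2(field_def *fld, struct pfsync_state_key *ks,
+ struct pfsync_state_key *kn, int idx, int af)
+{
+ struct pf_addr *as = &ks->addr[idx];
+ struct pf_addr *an = &kn->addr[idx];
 
+ u_int16_t ps = ntohs(ks->port[idx]);
+ u_int16_t pn = ntohs(kn->port[idx]);
+
+ if (fld == NULL)
+ return;
+
+ if (fld->width < 3) {
+ print_fld_str(fld, "*");
+ return;
+ }
+
+ tb_start();
+ tb_print_addr(as, NULL, af);
+
+ if (af == AF_INET)
+ tbprintf(":%u", ps);
+ else
+ tbprintf("[%u]", ps);
+
+ print_fld_tb(fld);
+
+ if (PF_ANEQ(as, an, af) || ps != pn) {
+ tb_start();
+ tb_print_addr(an, NULL, af);
+
+ if (af == AF_INET)
+ tbprintf(":%u", pn);
+ else
+ tbprintf("[%u]", pn);
+ print_fld_tb(FLD_GW);
+ }
+
+}
+#else
 void
 print_fld_host(field_def *fld, pf_state_host_t * h, int af)
 {
@@ -889,6 +1040,7 @@ print_fld_host(field_def *fld, pf_state_host_t * h, in
 
 print_fld_tb(fld);
 }
+#endif
 
 void
 print_fld_state(field_def *fld, unsigned int proto,
@@ -960,7 +1112,20 @@ print_state(pf_state_t * s, struct sc_ent * ent)
 else
 print_fld_uint(FLD_PROTO, s->proto);
 
+#ifdef HAVE_PFSYNC_KEY
 if (s->direction == PF_OUT) {
+ print_fld_host2(FLD_SRC, &s->key[PF_SK_WIRE],
+ &s->key[PF_SK_STACK], 1, s->af);
+ print_fld_host2(FLD_DEST, &s->key[PF_SK_WIRE],
+ &s->key[PF_SK_STACK], 0, s->af);
+ } else {
+ print_fld_host2(FLD_SRC, &s->key[PF_SK_STACK],
+ &s->key[PF_SK_WIRE], 0, s->af);
+ print_fld_host2(FLD_DEST, &s->key[PF_SK_STACK],
+ &s->key[PF_SK_WIRE], 1, s->af);
+ }
+#else
+ if (s->direction == PF_OUT) {
 print_fld_host(FLD_SRC, &s->lan, s->af);
 print_fld_host(FLD_DEST, &s->ext, s->af);
 } else {
@@ -972,6 +1137,7 @@ print_state(pf_state_t * s, struct sc_ent * ent)
 (s->lan.port != s->gwy.port)) {
 print_fld_host(FLD_GW, &s->gwy, s->af);
 }
+#endif
 
 if (s->direction == PF_OUT)
 print_fld_str(FLD_DIR, "Out");
@@ -1475,8 +1641,12 @@ print_rule(struct pf_rule *pr)
 print_fld_str(FLD_LABEL, pr->label);
 #endif
 #ifdef HAVE_RULE_STATES
+#ifdef HAVE_PFSYNC_KEY
+ print_fld_size(FLD_STATS, pr->states_tot);
+#else
 print_fld_size(FLD_STATS, pr->states);
 #endif
+#endif
 
 #ifdef HAVE_INOUT_COUNT_RULES
 print_fld_size(FLD_PKTS, pr->packets[0] + pr->packets[1]);
@@ -1486,7 +1656,13 @@ print_rule(struct pf_rule *pr)
 print_fld_size(FLD_BYTES, pr->bytes);
 #endif
 print_fld_uint(FLD_RULE, pr->nr);
- print_fld_str(FLD_DIR, pr->direction == PF_OUT ? "Out" : "In");
+ if (pr->direction == PF_OUT)
+ print_fld_str(FLD_DIR, "Out");
+ else if (pr->direction == PF_IN)
+ print_fld_str(FLD_DIR, "In");
+ else
+ print_fld_str(FLD_DIR, "Any");
+
 if (pr->quick)
 print_fld_str(FLD_QUICK, "Quick");
 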
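Review bot: The HAVE_PFSYNC_KEY versions of sort_addr_callback and sort_port_callback never return 0: when two states agree on address family, address and port, both fall through to the final `return -sortdir;`, so cmp(a, b) and cmp(b, a) come out with the same sign. They are reached through sort_sa_callback and sort_da_callback, which have the qsort comparator signature; the sort call itself is not on this page, but the C standard requires a consistent comparison function for qsort, and two states can share the compared address and port. Ending sort_addr_callback with `if (ntohs(pa) < ntohs(pb)) return -sortdir;` followed by `return 0;`, and replacing the last line of sort_port_callback with `return 0;`, gives a total order. The older non-PFSYNC branch visible in the context lines ends the same way and would want the same change. The stray `;;` on the four `ab = ...` assignments can be cleaned up in the same pass.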