/* Emits "<prefix><label> <addr><mask> " for one tunnel endpoint of a policy
 * element; addr/mask are passed as the raw field addresses, exactly as the
 * iptables address helpers expect them. */
static void print_policy_tunnel(const char *prefix, const char *label,
                                const void *addr, const void *mask)
{
	printf("%s%s %s%s ", prefix, label,
	       addr_to_dotted((struct in_addr *)addr),
	       mask_to_dotted((struct in_addr *)mask));
}

/*
 * Print every field of an IPsec policy element that has its match flag set.
 * Each field is preceded by PRINT_INVERT() for its invert flag and by
 * `prefix`, so the same routine serves the rule-listing and the save-format
 * output. `numeric` is forwarded to the proto/mode printers and decides
 * whether symbolic names are resolved.
 */
static void print_entry(char *prefix, const struct ipt_policy_elem *e, int numeric)
{
	const int want_reqid = e->match.reqid;
	const int want_spi   = e->match.spi;
	const int want_proto = e->match.proto;
	const int want_mode  = e->match.mode;
	const int want_daddr = e->match.daddr;
	const int want_saddr = e->match.saddr;

	if (want_reqid) {
		PRINT_INVERT(e->invert.reqid);
		printf("%sreqid %u ", prefix, e->reqid);
	}

	if (want_spi) {
		PRINT_INVERT(e->invert.spi);
		printf("%sspi 0x%x ", prefix, e->spi);
	}

	if (want_proto) {
		PRINT_INVERT(e->invert.proto);
		print_proto(prefix, e->proto, numeric);
	}

	if (want_mode) {
		PRINT_INVERT(e->invert.mode);
		print_mode(prefix, e->mode, numeric);
	}

	/* Tunnel endpoints: destination first, then source, as in the original listing. */
	if (want_daddr) {
		PRINT_INVERT(e->invert.daddr);
		print_policy_tunnel(prefix, "tunnel-dst", &e->daddr, &e->dmask);
	}

	if (want_saddr) {
		PRINT_INVERT(e->invert.saddr);
		print_policy_tunnel(prefix, "tunnel-src", &e->saddr, &e->smask);
	}
}
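/*
 * Print an address/mask pair as "[! ]<addr><mask> " in iptables -L style.
 *
 * @addr    network address to print
 * @mask    its netmask; a zero mask prints "anywhere" unless @numeric is set
 * @inv     non-zero prints a leading "! " (negated match)
 * @numeric non-zero suppresses name resolution and always prints dotted quads
 *
 * The original built the text with sprintf()+strcat() into a fixed buffer;
 * addr_to_anyname() may return a resolved host name whose length is not under
 * this function's control, so both writes are now bounded to sizeof buf.
 */
static void print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
{
	char buf[BUFSIZ];
	const char *host;
	int used;

	if (inv)
		printf("! ");

	if (mask->s_addr == 0L && !numeric) {
		printf("%s ", "anywhere");
		return;
	}

	host = numeric ? addr_to_dotted(addr) : addr_to_anyname(addr);

	/* Copy the host text before calling mask_to_dotted(): the helpers may
	 * hand back static storage, and the original also copied first. */
	used = snprintf(buf, sizeof buf, "%s", host);
	if (used < 0)
		used = 0;
	else if ((size_t)used >= sizeof buf)
		used = (int)sizeof buf - 1;	/* truncated: append after what fit */

	snprintf(buf + used, sizeof buf - (size_t)used, "%s", mask_to_dotted(mask));
	printf("%s ", buf);
}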
/* Prints "--<opt> " followed by the "! " negation marker when inv is non-zero. */
static void arp_print_option(const char *opt, int inv)
{
	printf("--%s ", opt);
	if (inv)
		printf("! ");
}

/* Prints the four bytes at b as a dotted quad, with no trailing space. */
static void arp_print_ipv4(const unsigned char *b)
{
	printf("%d.%d.%d.%d", b[0], b[1], b[2], b[3]);
}

/*
 * ebtables "arp" match printer: writes the command-line form of every field
 * whose bit is set in bitmask, each with its negation marker when the
 * matching bit is set in invflags. Output order is opcode, htype, ptype,
 * source IP, destination IP, source MAC, destination MAC.
 */
static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match)
{
	struct ebt_arp_info *info = (struct ebt_arp_info *)match->data;
	const unsigned int set = info->bitmask;
	const unsigned int inv = info->invflags;

	if (set & EBT_ARP_OPCODE) {
		int op = ntohs(info->opcode);

		arp_print_option("arp-op", inv & EBT_ARP_OPCODE);
		/* opcodes[] is 1-based on the wire; anything outside the table prints raw. */
		if (op >= 1 && op <= NUMOPCODES)
			printf("%s ", opcodes[op - 1]);
		else
			printf("%d ", op);
	}

	if (set & EBT_ARP_HTYPE) {
		arp_print_option("arp-htype", inv & EBT_ARP_HTYPE);
		printf("%d ", ntohs(info->htype));
	}

	if (set & EBT_ARP_PTYPE) {
		unsigned int ptype = ntohs(info->ptype);
		struct ethertypeent *et = getethertypebynumber(ptype);

		arp_print_option("arp-ptype", inv & EBT_ARP_PTYPE);
		if (et != NULL)
			printf("%s ", et->e_name);
		else
			printf("0x%x ", ptype);
	}

	if (set & EBT_ARP_SRC_IP) {
		arp_print_option("arp-ip-src", inv & EBT_ARP_SRC_IP);
		arp_print_ipv4((const unsigned char *)&info->saddr);
		printf("%s ", mask_to_dotted(info->smsk));
	}

	if (set & EBT_ARP_DST_IP) {
		arp_print_option("arp-ip-dst", inv & EBT_ARP_DST_IP);
		arp_print_ipv4((const unsigned char *)&info->daddr);
		printf("%s ", mask_to_dotted(info->dmsk));
	}

	if (set & EBT_ARP_SRC_MAC) {
		arp_print_option("arp-mac-src", inv & EBT_ARP_SRC_MAC);
		print_mac_and_mask(info->smaddr, info->smmsk);
		printf(" ");
	}

	if (set & EBT_ARP_DST_MAC) {
		arp_print_option("arp-mac-dst", inv & EBT_ARP_DST_MAC);
		print_mac_and_mask(info->dmaddr, info->dmmsk);
		printf(" ");
	}
}
/* Prints "--<opt> " followed by the "! " negation marker when inv is non-zero. */
static void ip_print_option(const char *opt, int inv)
{
	printf("--%s ", opt);
	if (inv)
		printf("! ");
}

/* Prints the four bytes at b as a dotted quad, with no trailing space. */
static void ip_print_dotted(const unsigned char *b)
{
	printf("%d.%d.%d.%d", b[0], b[1], b[2], b[3]);
}

/*
 * ebtables "ip" match printer: writes the command-line form of every field
 * whose bit is set in bitmask, each with its negation marker when the
 * matching bit is set in invflags. Order: source, destination, TOS,
 * protocol, source port range, destination port range, DSCP (brcm addition).
 */
static void print(const struct ebt_u_entry *entry, const struct ebt_entry_match *match)
{
	struct ebt_ip_info *info = (struct ebt_ip_info *)match->data;
	const unsigned int set = info->bitmask;
	const unsigned int inv = info->invflags;

	if (set & EBT_IP_SOURCE) {
		ip_print_option("ip-src", inv & EBT_IP_SOURCE);
		ip_print_dotted((const unsigned char *)&info->saddr);
		printf("%s ", mask_to_dotted(info->smsk));
	}

	if (set & EBT_IP_DEST) {
		ip_print_option("ip-dst", inv & EBT_IP_DEST);
		ip_print_dotted((const unsigned char *)&info->daddr);
		printf("%s ", mask_to_dotted(info->dmsk));
	}

	if (set & EBT_IP_TOS) {
		ip_print_option("ip-tos", inv & EBT_IP_TOS);
		printf("0x%02X ", info->tos);
	}

	if (set & EBT_IP_PROTO) {
		/* Symbolic name when /etc/protocols knows the number, else the raw value. */
		struct protoent *pe = getprotobynumber(info->protocol);

		ip_print_option("ip-proto", inv & EBT_IP_PROTO);
		if (pe != NULL)
			printf("%s ", pe->p_name);
		else
			printf("%d ", info->protocol);
	}

	if (set & EBT_IP_SPORT) {
		ip_print_option("ip-sport", inv & EBT_IP_SPORT);
		print_port_range(info->sport);
	}

	if (set & EBT_IP_DPORT) {
		ip_print_option("ip-dport", inv & EBT_IP_DPORT);
		print_port_range(info->dport);
	}

	/* brcm */
	if (set & EBT_IP_DSCP) {
		ip_print_option("ip-dscp", inv & EBT_IP_DSCP);
		printf("0x%02X ", info->dscp);
	}
}
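/*
 * Format a packet/byte counter the way the firewall listing does: raw below
 * 100000, then rounded to a K/M/G suffix. Always NUL-terminates within cap.
 */
static void ipfw_format_count(char *dst, size_t cap, unsigned long long cnt)
{
	unsigned long long kb, mb;

	if (cnt <= 99999) {
		snprintf(dst, cap, "%llu", cnt);
		return;
	}
	kb = (cnt + 500) / 1000;
	if (kb <= 9999) {
		snprintf(dst, cap, "%lluK", kb);
		return;
	}
	mb = (cnt + 500000) / 1000000;
	if (mb <= 9999) {
		snprintf(dst, cap, "%lluM", mb);
		return;
	}
	snprintf(dst, cap, "%lluG", (mb + 500) / 1000);
}

/* Bounded strcat(): appends src to the NUL-terminated dst, never past cap. */
static void ipfw_append(char *dst, size_t cap, const char *src)
{
	size_t used = strlen(dst);

	if (used + 1 >= cap)
		return;
	snprintf(dst + used, cap - used, "%s", src);
}

/*
 * Render "[!]<addr><mask>" into dst; a zero mask renders as "anywhere".
 * Mirrors the source/destination columns of the rule listing.
 */
static void ipfw_format_addr(char *dst, size_t cap, int inverted,
                             struct in_addr *addr, struct in_addr *mask)
{
	snprintf(dst, cap, "%s", inverted ? "!" : "");
	if (mask->s_addr == 0L) {
		ipfw_append(dst, cap, "anywhere");
	} else {
		/* Copy the name first: the two helpers may share static storage. */
		ipfw_append(dst, cap, addr_to_anyname(addr));
		ipfw_append(dst, cap, mask_to_dotted(mask));
	}
}

/*
 * Append one port range to dst: "[!]" then "any" for 0-65535, a single
 * service name when lo == hi, otherwise "lo:hi" with both ends resolved.
 */
static void ipfw_append_ports(char *dst, size_t cap, unsigned int lo,
                              unsigned int hi, unsigned int proto, int inverted)
{
	ipfw_append(dst, cap, inverted ? "!" : "");
	if (lo == 0 && hi == 0xFFFF) {
		ipfw_append(dst, cap, "any");
		return;
	}
	ipfw_append(dst, cap, service_to_string(lo, proto));
	if (lo != hi) {
		ipfw_append(dst, cap, ":");
		ipfw_append(dst, cap, service_to_string(hi, proto));
	}
}

/*
 * net-snmp variable handler for the firewall-rule table.
 *
 * A request whose last two sub-identifiers are .1.1 (the first column of the
 * first row) refreshes the cached rule snapshot via ipfwc_get_rules(); every
 * other request is served from that snapshot. checkmib() decides whether the
 * OID names a row (1-based index in the last sub-identifier) and fills in the
 * GET/GETNEXT bookkeeping. Returns a pointer to the value and sets *var_len,
 * or NULL when there is nothing to return.
 *
 * Fixes relative to the previous version:
 *  - getprotobynumber() can return NULL; the name is now copied out instead of
 *    being patched in libc's static protoent ("ip" -> "all" needs one byte
 *    more than "ip" provides).
 *  - the interface column no longer appends '+' to the rule's own fw_vianame
 *    (which overran a full-length name and grew on every poll).
 *  - all text is assembled with bounded writes; leftover debugging printf()s
 *    to stdout are gone (errors still go through ERROR_MSG).
 */
u_char *
var_ipfwrules(struct variable *vp, oid *name, int *length, int exact,
              int *var_len, WriteMethod **write_method)
{
	static char string_value[256];
	static struct ipfwc_fwrule *rules;
	static unsigned int num_rules;
	struct ipfwc_fwrule *r;
	unsigned long idx;

	if (*length >= 2 && name[*length - 1] == 1 && name[*length - 2] == 1) {
		/* NOTE(review): the previous snapshot is dropped without a release
		 * call; ipfwc_get_rules()'s ownership contract is not visible here,
		 * confirm whether a matching free is required. */
		rules = ipfwc_get_rules(&num_rules, 0);
		if (rules == NULL) {
			num_rules = 0;
			return NULL;
		}
	}

	/* No snapshot yet (the walk did not start at .1.1): nothing to serve. */
	if (rules == NULL)
		return NULL;

	if (!checkmib(vp, name, length, exact, var_len, write_method, num_rules))
		return NULL;

	/* Defensive bound: checkmib() is expected to validate the row index, but
	 * the table is 1-based and a 0 here would otherwise index rules[-1]. */
	idx = name[*length - 1];
	if (idx < 1 || idx > num_rules)
		return NULL;
	r = &rules[idx - 1];

	switch (vp->magic) {
	case IPFWRRULEINDEX:
		long_return = idx;
		return (u_char *)&long_return;

	case IPFWRCHAIN:
		*var_len = strlen(r->chain[0].label);
		return (u_char *)r->chain[0].label;

	case IPFWRPKTS:
		ipfw_format_count(string_value, sizeof string_value, r->packets);
		break;

	case IPFWRBYTES:
		ipfw_format_count(string_value, sizeof string_value, r->bytes);
		break;

	case IPFWRTARGET:
		*var_len = strlen(r->ipfw.label);
		return (u_char *)r->ipfw.label;

	case IPFWRPROT: {
		struct protoent *pe = getprotobynumber((int)r->ipfw.ipfw.fw_proto);

		if (pe == NULL)
			snprintf(string_value, sizeof string_value, "%d",
			         (int)r->ipfw.ipfw.fw_proto);
		else if (strcmp(pe->p_name, "ip") == 0)
			snprintf(string_value, sizeof string_value, "%s", "all");
		else
			snprintf(string_value, sizeof string_value, "%s", pe->p_name);
		break;
	}

	case IPFWRSOURCE:
		ipfw_format_addr(string_value, sizeof string_value,
		                 r->ipfw.ipfw.fw_invflg & IP_FW_INV_SRCIP,
		                 &r->ipfw.ipfw.fw_src, &r->ipfw.ipfw.fw_smsk);
		break;

	case IPFWRDESTINATION:
		ipfw_format_addr(string_value, sizeof string_value,
		                 r->ipfw.ipfw.fw_invflg & IP_FW_INV_DSTIP,
		                 &r->ipfw.ipfw.fw_dst, &r->ipfw.ipfw.fw_dmsk);
		break;

	case IPFWRPORTS: {
		unsigned int proto = r->ipfw.ipfw.fw_proto;
		unsigned int inv = r->ipfw.ipfw.fw_invflg;
		int named = 0;

		if (proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP) {
			snprintf(string_value, sizeof string_value, "%s", "n/a");
			break;
		}

		/* ICMP: spts carry the type, dpts the code range. Print the symbolic
		 * name when an entry matches exactly and neither side is inverted. */
		if (proto == IPPROTO_ICMP && !(inv & IP_FW_INV_SRCPT) && !(inv & IP_FW_INV_DSTPT)) {
			unsigned int i;

			for (i = 0; i < sizeof(icmp_codes) / sizeof(struct icmp_names); i++) {
				if (icmp_codes[i].type == r->ipfw.ipfw.fw_spts[0]
				    && icmp_codes[i].type == r->ipfw.ipfw.fw_spts[1]
				    && icmp_codes[i].code_min == r->ipfw.ipfw.fw_dpts[0]
				    && icmp_codes[i].code_max == r->ipfw.ipfw.fw_dpts[1]) {
					snprintf(string_value, sizeof string_value, "%s",
					         icmp_codes[i].name);
					named = 1;
					break;
				}
			}
		}
		if (named)
			break;

		string_value[0] = '\0';
		ipfw_append_ports(string_value, sizeof string_value,
		                  r->ipfw.ipfw.fw_spts[0], r->ipfw.ipfw.fw_spts[1],
		                  proto, inv & IP_FW_INV_SRCPT);
		ipfw_append(string_value, sizeof string_value, " -> ");
		ipfw_append_ports(string_value, sizeof string_value,
		                  r->ipfw.ipfw.fw_dpts[0], r->ipfw.ipfw.fw_dpts[1],
		                  proto, inv & IP_FW_INV_DSTPT);
		break;
	}

	case IPFWROPT: {
		unsigned short flags = r->ipfw.ipfw.fw_flg;
		unsigned short inv = r->ipfw.ipfw.fw_invflg;

		/* Six fixed columns: [!-]y [!-]f l o, '-' where a flag is clear. */
		snprintf(string_value, sizeof string_value, "%s%s%s%s%s%s",
		         (inv & IP_FW_INV_SYN) ? "!" : "-",
		         (flags & IP_FW_F_TCPSYN) ? "y" : "-",
		         (inv & IP_FW_INV_FRAG) ? "!" : "-",
		         (flags & IP_FW_F_FRAG) ? "f" : "-",
		         (flags & IP_FW_F_PRN) ? "l" : "-",
		         (flags & IP_FW_F_NETLINK) ? "o" : "-");
		break;
	}

	case IPFWRIFNAME: {
		/* fw_vianame is assumed NUL-terminated, as the original's strlen()
		 * did. The wildcard '+' is rendered into the output only, never
		 * written back into the rule. */
		const char *via = r->ipfw.ipfw.fw_vianame;
		int wild = (r->ipfw.ipfw.fw_flg & IP_FW_F_WILDIF) && via[0];

		snprintf(string_value, sizeof string_value, "%s%s%s",
		         (r->ipfw.ipfw.fw_invflg & IP_FW_INV_VIA) ? "!" : "",
		         via[0] ? via : "any",
		         wild ? "+" : "");
		break;
	}

	case IPFWRTOSA:
		snprintf(string_value, sizeof string_value, "0x%02hX",
		         (unsigned short)r->ipfw.ipfw.fw_tosand);
		break;

	case IPFWRTOSX:
		snprintf(string_value, sizeof string_value, "0x%02hX",
		         (unsigned short)r->ipfw.ipfw.fw_tosxor);
		break;

	case IPFWRMARK:
		/* An absolute mark is always shown; a relative mark only when non-zero. */
		if ((r->ipfw.ipfw.fw_flg & IP_FW_F_MARKABS) || r->ipfw.ipfw.fw_mark != 0)
			snprintf(string_value, sizeof string_value, "0x%lx",
			         (unsigned long)r->ipfw.ipfw.fw_mark);
		else
			string_value[0] = '\0';
		break;

	case IPFWROUTSIZE:
		if ((r->ipfw.ipfw.fw_flg & IP_FW_F_NETLINK)
		    && r->ipfw.ipfw.fw_outputsize != 0xFFFF)
			snprintf(string_value, sizeof string_value, "%hu",
			         (unsigned short)r->ipfw.ipfw.fw_outputsize);
		else
			string_value[0] = '\0';
		break;

	default:
		ERROR_MSG("Oops...\n");
		return NULL;
	}

	*var_len = strlen(string_value);
	return (u_char *)string_value;
}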