1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002 Dag-Erling Smørgrav
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer
12 * in this position and unchanged.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <sys/cdefs.h>
32 #include <sys/param.h>
33 #include <sys/file.h>
34 #include <sys/socket.h>
35 #include <sys/socketvar.h>
36 #include <sys/sysctl.h>
37 #include <sys/jail.h>
38 #include <sys/user.h>
39 #include <sys/queue.h>
40 #include <sys/tree.h>
41
42 #include <sys/un.h>
43 #include <sys/unpcb.h>
44
45 #include <net/route.h>
46
47 #include <netinet/in.h>
48 #include <netinet/in_pcb.h>
49 #include <netinet/sctp.h>
50 #include <netinet/tcp.h>
51 #define TCPSTATES /* load state names */
52 #include <netinet/tcp_fsm.h>
53 #include <netinet/tcp_seq.h>
54 #include <netinet/tcp_var.h>
55 #include <arpa/inet.h>
56
57 #include <capsicum_helpers.h>
58 #include <ctype.h>
59 #include <err.h>
60 #include <errno.h>
61 #include <inttypes.h>
62 #include <jail.h>
63 #include <netdb.h>
64 #include <pwd.h>
65 #include <stdarg.h>
66 #include <stdio.h>
67 #include <stdlib.h>
68 #include <string.h>
69 #include <unistd.h>
70
71 #include <libcasper.h>
72 #include <casper/cap_net.h>
73 #include <casper/cap_netdb.h>
74 #include <casper/cap_pwd.h>
75 #include <casper/cap_sysctl.h>
76
77 #define sstosin(ss) ((struct sockaddr_in *)(ss))
78 #define sstosin6(ss) ((struct sockaddr_in6 *)(ss))
79 #define sstosun(ss) ((struct sockaddr_un *)(ss))
80 #define sstosa(ss) ((struct sockaddr *)(ss))
81
82 static int opt_4; /* Show IPv4 sockets */
83 static int opt_6; /* Show IPv6 sockets */
84 static int opt_C; /* Show congestion control */
85 static int opt_c; /* Show connected sockets */
86 static int opt_f; /* Show FIB numbers */
87 static int opt_I; /* Show spliced socket addresses */
88 static int opt_i; /* Show inp_gencnt */
89 static int opt_j; /* Show specified jail */
90 static int opt_L; /* Don't show IPv4 or IPv6 loopback sockets */
91 static int opt_l; /* Show listening sockets */
92 static int opt_n; /* Don't resolve UIDs to user names */
93 static int opt_q; /* Don't show header */
94 static int opt_S; /* Show protocol stack if applicable */
95 static int opt_s; /* Show protocol state if applicable */
96 static int opt_U; /* Show remote UDP encapsulation port number */
97 static int opt_u; /* Show Unix domain sockets */
98 static int opt_v; /* Verbose mode */
99 static int opt_w; /* Wide print area for addresses */
100
101 /*
102 * Default protocols to use if no -P was defined.
103 */
104 static const char *default_protos[] = {"sctp", "tcp", "udp", "divert" };
105 static size_t default_numprotos = nitems(default_protos);
106
107 static int *protos; /* protocols to use */
108 static size_t numprotos; /* allocated size of protos[] */
109
110 static int *ports;
111
112 #define INT_BIT (sizeof(int)*CHAR_BIT)
113 #define SET_PORT(p) do { ports[p / INT_BIT] |= 1 << (p % INT_BIT); } while (0)
114 #define CHK_PORT(p) (ports[p / INT_BIT] & (1 << (p % INT_BIT)))
115
116 struct addr {
117 union {
118 struct sockaddr_storage address;
119 struct { /* unix(4) faddr */
120 kvaddr_t conn;
121 kvaddr_t firstref;
122 kvaddr_t nextref;
123 };
124 };
125 unsigned int encaps_port;
126 int state;
127 struct addr *next;
128 };
129
130 struct sock {
131 union {
132 RB_ENTRY(sock) socket_tree; /* tree of pcbs with socket */
133 SLIST_ENTRY(sock) socket_list; /* list of pcbs w/o socket */
134 };
135 RB_ENTRY(sock) pcb_tree;
136 kvaddr_t socket;
137 kvaddr_t pcb;
138 kvaddr_t splice_socket;
139 uint64_t inp_gencnt;
140 int shown;
141 int vflag;
142 int family;
143 int proto;
144 int state;
145 int fibnum;
146 const char *protoname;
147 char stack[TCP_FUNCTION_NAME_LEN_MAX];
148 char cc[TCP_CA_NAME_MAX];
149 struct addr *laddr;
150 struct addr *faddr;
151 };
152
153 static RB_HEAD(socks_t, sock) socks = RB_INITIALIZER(&socks);
154 static int64_t
socket_compare(const struct sock * a,const struct sock * b)155 socket_compare(const struct sock *a, const struct sock *b)
156 {
157 return ((int64_t)(a->socket/2 - b->socket/2));
158 }
159 RB_GENERATE_STATIC(socks_t, sock, socket_tree, socket_compare);
160
161 static RB_HEAD(pcbs_t, sock) pcbs = RB_INITIALIZER(&pcbs);
162 static int64_t
pcb_compare(const struct sock * a,const struct sock * b)163 pcb_compare(const struct sock *a, const struct sock *b)
164 {
165 return ((int64_t)(a->pcb/2 - b->pcb/2));
166 }
167 RB_GENERATE_STATIC(pcbs_t, sock, pcb_tree, pcb_compare);
168
169 static SLIST_HEAD(, sock) nosocks = SLIST_HEAD_INITIALIZER(&nosocks);
170
171 struct file {
172 RB_ENTRY(file) file_tree;
173 kvaddr_t xf_data;
174 pid_t xf_pid;
175 uid_t xf_uid;
176 int xf_fd;
177 };
178
179 static RB_HEAD(files_t, file) ftree = RB_INITIALIZER(&ftree);
180 static int64_t
file_compare(const struct file * a,const struct file * b)181 file_compare(const struct file *a, const struct file *b)
182 {
183 return ((int64_t)(a->xf_data/2 - b->xf_data/2));
184 }
185 RB_GENERATE_STATIC(files_t, file, file_tree, file_compare);
186
187 static struct file *files;
188 static int nfiles;
189
190 static cap_channel_t *capnet;
191 static cap_channel_t *capnetdb;
192 static cap_channel_t *capsysctl;
193 static cap_channel_t *cappwd;
194
195 static int
xprintf(const char * fmt,...)196 xprintf(const char *fmt, ...)
197 {
198 va_list ap;
199 int len;
200
201 va_start(ap, fmt);
202 len = vprintf(fmt, ap);
203 va_end(ap);
204 if (len < 0)
205 err(1, "printf()");
206 return (len);
207 }
208
209 static bool
_check_ksize(size_t received_size,size_t expected_size,const char * struct_name)210 _check_ksize(size_t received_size, size_t expected_size, const char *struct_name)
211 {
212 if (received_size != expected_size) {
213 warnx("%s size mismatch: expected %zd, received %zd",
214 struct_name, expected_size, received_size);
215 return false;
216 }
217 return true;
218 }
219 #define check_ksize(_sz, _struct) (_check_ksize(_sz, sizeof(_struct), #_struct))
220
221 static void
_enforce_ksize(size_t received_size,size_t expected_size,const char * struct_name)222 _enforce_ksize(size_t received_size, size_t expected_size, const char *struct_name)
223 {
224 if (received_size != expected_size) {
225 errx(1, "fatal: struct %s size mismatch: expected %zd, received %zd",
226 struct_name, expected_size, received_size);
227 }
228 }
229 #define enforce_ksize(_sz, _struct) (_enforce_ksize(_sz, sizeof(_struct), #_struct))
230
231 static int
get_proto_type(const char * proto)232 get_proto_type(const char *proto)
233 {
234 struct protoent *pent;
235
236 if (strlen(proto) == 0)
237 return (0);
238 if (capnetdb != NULL)
239 pent = cap_getprotobyname(capnetdb, proto);
240 else
241 pent = getprotobyname(proto);
242 if (pent == NULL) {
243 warn("cap_getprotobyname");
244 return (-1);
245 }
246 return (pent->p_proto);
247 }
248
249 static void
init_protos(int num)250 init_protos(int num)
251 {
252 int proto_count = 0;
253
254 if (num > 0) {
255 proto_count = num;
256 } else {
257 /* Find the maximum number of possible protocols. */
258 while (getprotoent() != NULL)
259 proto_count++;
260 endprotoent();
261 }
262
263 if ((protos = malloc(sizeof(int) * proto_count)) == NULL)
264 err(1, "malloc");
265 numprotos = proto_count;
266 }
267
268 static int
parse_protos(char * protospec)269 parse_protos(char *protospec)
270 {
271 char *prot;
272 int proto_type, proto_index;
273
274 if (protospec == NULL)
275 return (-1);
276
277 init_protos(0);
278 proto_index = 0;
279 while ((prot = strsep(&protospec, ",")) != NULL) {
280 if (strlen(prot) == 0)
281 continue;
282 proto_type = get_proto_type(prot);
283 if (proto_type != -1)
284 protos[proto_index++] = proto_type;
285 }
286 numprotos = proto_index;
287 return (proto_index);
288 }
289
290 static void
parse_ports(const char * portspec)291 parse_ports(const char *portspec)
292 {
293 const char *p, *q;
294 int port, end;
295
296 if (ports == NULL)
297 if ((ports = calloc(65536 / INT_BIT, sizeof(int))) == NULL)
298 err(1, "calloc()");
299 p = portspec;
300 while (*p != '\0') {
301 if (!isdigit(*p))
302 errx(1, "syntax error in port range");
303 for (q = p; *q != '\0' && isdigit(*q); ++q)
304 /* nothing */ ;
305 for (port = 0; p < q; ++p)
306 port = port * 10 + digittoint(*p);
307 if (port < 0 || port > 65535)
308 errx(1, "invalid port number");
309 SET_PORT(port);
310 switch (*p) {
311 case '-':
312 ++p;
313 break;
314 case ',':
315 ++p;
316 /* fall through */
317 case '\0':
318 default:
319 continue;
320 }
321 for (q = p; *q != '\0' && isdigit(*q); ++q)
322 /* nothing */ ;
323 for (end = 0; p < q; ++p)
324 end = end * 10 + digittoint(*p);
325 if (end < port || end > 65535)
326 errx(1, "invalid port number");
327 while (port++ < end)
328 SET_PORT(port);
329 if (*p == ',')
330 ++p;
331 }
332 }
333
334 static void
sockaddr(struct sockaddr_storage * ss,int af,void * addr,int port)335 sockaddr(struct sockaddr_storage *ss, int af, void *addr, int port)
336 {
337 struct sockaddr_in *sin4;
338 struct sockaddr_in6 *sin6;
339
340 bzero(ss, sizeof(*ss));
341 switch (af) {
342 case AF_INET:
343 sin4 = sstosin(ss);
344 sin4->sin_len = sizeof(*sin4);
345 sin4->sin_family = af;
346 sin4->sin_port = port;
347 sin4->sin_addr = *(struct in_addr *)addr;
348 break;
349 case AF_INET6:
350 sin6 = sstosin6(ss);
351 sin6->sin6_len = sizeof(*sin6);
352 sin6->sin6_family = af;
353 sin6->sin6_port = port;
354 sin6->sin6_addr = *(struct in6_addr *)addr;
355 #define s6_addr16 __u6_addr.__u6_addr16
356 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
357 sin6->sin6_scope_id =
358 ntohs(sin6->sin6_addr.s6_addr16[1]);
359 sin6->sin6_addr.s6_addr16[1] = 0;
360 }
361 break;
362 default:
363 abort();
364 }
365 }
366
367 static void
free_socket(struct sock * sock)368 free_socket(struct sock *sock)
369 {
370 struct addr *cur, *next;
371
372 cur = sock->laddr;
373 while (cur != NULL) {
374 next = cur->next;
375 free(cur);
376 cur = next;
377 }
378 cur = sock->faddr;
379 while (cur != NULL) {
380 next = cur->next;
381 free(cur);
382 cur = next;
383 }
384 free(sock);
385 }
386
387 static void
gather_sctp(void)388 gather_sctp(void)
389 {
390 struct sock *sock;
391 struct addr *laddr, *prev_laddr, *faddr, *prev_faddr;
392 struct xsctp_inpcb *xinpcb;
393 struct xsctp_tcb *xstcb;
394 struct xsctp_raddr *xraddr;
395 struct xsctp_laddr *xladdr;
396 const char *varname;
397 size_t len, offset;
398 char *buf;
399 int vflag;
400 int no_stcb, local_all_loopback, foreign_all_loopback;
401
402 vflag = 0;
403 if (opt_4)
404 vflag |= INP_IPV4;
405 if (opt_6)
406 vflag |= INP_IPV6;
407
408 varname = "net.inet.sctp.assoclist";
409 if (cap_sysctlbyname(capsysctl, varname, 0, &len, 0, 0) < 0) {
410 if (errno != ENOENT)
411 err(1, "cap_sysctlbyname()");
412 return;
413 }
414 if ((buf = (char *)malloc(len)) == NULL) {
415 err(1, "malloc()");
416 return;
417 }
418 if (cap_sysctlbyname(capsysctl, varname, buf, &len, 0, 0) < 0) {
419 err(1, "cap_sysctlbyname()");
420 free(buf);
421 return;
422 }
423 xinpcb = (struct xsctp_inpcb *)(void *)buf;
424 offset = sizeof(struct xsctp_inpcb);
425 while ((offset < len) && (xinpcb->last == 0)) {
426 if ((sock = calloc(1, sizeof *sock)) == NULL)
427 err(1, "malloc()");
428 sock->socket = xinpcb->socket;
429 sock->proto = IPPROTO_SCTP;
430 sock->protoname = "sctp";
431 if (xinpcb->maxqlen == 0)
432 sock->state = SCTP_CLOSED;
433 else
434 sock->state = SCTP_LISTEN;
435 if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) {
436 sock->family = AF_INET6;
437 /*
438 * Currently there is no way to distinguish between
439 * IPv6 only sockets or dual family sockets.
440 * So mark it as dual socket.
441 */
442 sock->vflag = INP_IPV6 | INP_IPV4;
443 } else {
444 sock->family = AF_INET;
445 sock->vflag = INP_IPV4;
446 }
447 prev_laddr = NULL;
448 local_all_loopback = 1;
449 while (offset < len) {
450 xladdr = (struct xsctp_laddr *)(void *)(buf + offset);
451 offset += sizeof(struct xsctp_laddr);
452 if (xladdr->last == 1)
453 break;
454 if ((laddr = calloc(1, sizeof(struct addr))) == NULL)
455 err(1, "malloc()");
456 switch (xladdr->address.sa.sa_family) {
457 case AF_INET:
458 #define __IN_IS_ADDR_LOOPBACK(pina) \
459 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
460 if (!__IN_IS_ADDR_LOOPBACK(
461 &xladdr->address.sin.sin_addr))
462 local_all_loopback = 0;
463 #undef __IN_IS_ADDR_LOOPBACK
464 sockaddr(&laddr->address, AF_INET,
465 &xladdr->address.sin.sin_addr,
466 htons(xinpcb->local_port));
467 break;
468 case AF_INET6:
469 if (!IN6_IS_ADDR_LOOPBACK(
470 &xladdr->address.sin6.sin6_addr))
471 local_all_loopback = 0;
472 sockaddr(&laddr->address, AF_INET6,
473 &xladdr->address.sin6.sin6_addr,
474 htons(xinpcb->local_port));
475 break;
476 default:
477 errx(1, "address family %d not supported",
478 xladdr->address.sa.sa_family);
479 }
480 laddr->next = NULL;
481 if (prev_laddr == NULL)
482 sock->laddr = laddr;
483 else
484 prev_laddr->next = laddr;
485 prev_laddr = laddr;
486 }
487 if (sock->laddr == NULL) {
488 if ((sock->laddr =
489 calloc(1, sizeof(struct addr))) == NULL)
490 err(1, "malloc()");
491 sock->laddr->address.ss_family = sock->family;
492 if (sock->family == AF_INET)
493 sock->laddr->address.ss_len =
494 sizeof(struct sockaddr_in);
495 else
496 sock->laddr->address.ss_len =
497 sizeof(struct sockaddr_in6);
498 local_all_loopback = 0;
499 }
500 if ((sock->faddr = calloc(1, sizeof(struct addr))) == NULL)
501 err(1, "malloc()");
502 sock->faddr->address.ss_family = sock->family;
503 if (sock->family == AF_INET)
504 sock->faddr->address.ss_len =
505 sizeof(struct sockaddr_in);
506 else
507 sock->faddr->address.ss_len =
508 sizeof(struct sockaddr_in6);
509 no_stcb = 1;
510 while (offset < len) {
511 xstcb = (struct xsctp_tcb *)(void *)(buf + offset);
512 offset += sizeof(struct xsctp_tcb);
513 if (no_stcb) {
514 if (opt_l && (sock->vflag & vflag) &&
515 (!opt_L || !local_all_loopback) &&
516 ((xinpcb->flags & SCTP_PCB_FLAGS_UDPTYPE) ||
517 (xstcb->last == 1))) {
518 RB_INSERT(socks_t, &socks, sock);
519 } else {
520 free_socket(sock);
521 }
522 }
523 if (xstcb->last == 1)
524 break;
525 no_stcb = 0;
526 if (opt_c) {
527 if ((sock = calloc(1, sizeof *sock)) == NULL)
528 err(1, "malloc()");
529 sock->socket = xinpcb->socket;
530 sock->proto = IPPROTO_SCTP;
531 sock->protoname = "sctp";
532 sock->state = (int)xstcb->state;
533 if (xinpcb->flags & SCTP_PCB_FLAGS_BOUND_V6) {
534 sock->family = AF_INET6;
535 /*
536 * Currently there is no way to distinguish
537 * between IPv6 only sockets or dual family
538 * sockets. So mark it as dual socket.
539 */
540 sock->vflag = INP_IPV6 | INP_IPV4;
541 } else {
542 sock->family = AF_INET;
543 sock->vflag = INP_IPV4;
544 }
545 }
546 prev_laddr = NULL;
547 local_all_loopback = 1;
548 while (offset < len) {
549 xladdr = (struct xsctp_laddr *)(void *)(buf +
550 offset);
551 offset += sizeof(struct xsctp_laddr);
552 if (xladdr->last == 1)
553 break;
554 if (!opt_c)
555 continue;
556 laddr = calloc(1, sizeof(struct addr));
557 if (laddr == NULL)
558 err(1, "malloc()");
559 switch (xladdr->address.sa.sa_family) {
560 case AF_INET:
561 #define __IN_IS_ADDR_LOOPBACK(pina) \
562 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
563 if (!__IN_IS_ADDR_LOOPBACK(
564 &xladdr->address.sin.sin_addr))
565 local_all_loopback = 0;
566 #undef __IN_IS_ADDR_LOOPBACK
567 sockaddr(&laddr->address, AF_INET,
568 &xladdr->address.sin.sin_addr,
569 htons(xstcb->local_port));
570 break;
571 case AF_INET6:
572 if (!IN6_IS_ADDR_LOOPBACK(
573 &xladdr->address.sin6.sin6_addr))
574 local_all_loopback = 0;
575 sockaddr(&laddr->address, AF_INET6,
576 &xladdr->address.sin6.sin6_addr,
577 htons(xstcb->local_port));
578 break;
579 default:
580 errx(1,
581 "address family %d not supported",
582 xladdr->address.sa.sa_family);
583 }
584 laddr->next = NULL;
585 if (prev_laddr == NULL)
586 sock->laddr = laddr;
587 else
588 prev_laddr->next = laddr;
589 prev_laddr = laddr;
590 }
591 prev_faddr = NULL;
592 foreign_all_loopback = 1;
593 while (offset < len) {
594 xraddr = (struct xsctp_raddr *)(void *)(buf +
595 offset);
596 offset += sizeof(struct xsctp_raddr);
597 if (xraddr->last == 1)
598 break;
599 if (!opt_c)
600 continue;
601 faddr = calloc(1, sizeof(struct addr));
602 if (faddr == NULL)
603 err(1, "malloc()");
604 switch (xraddr->address.sa.sa_family) {
605 case AF_INET:
606 #define __IN_IS_ADDR_LOOPBACK(pina) \
607 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
608 if (!__IN_IS_ADDR_LOOPBACK(
609 &xraddr->address.sin.sin_addr))
610 foreign_all_loopback = 0;
611 #undef __IN_IS_ADDR_LOOPBACK
612 sockaddr(&faddr->address, AF_INET,
613 &xraddr->address.sin.sin_addr,
614 htons(xstcb->remote_port));
615 break;
616 case AF_INET6:
617 if (!IN6_IS_ADDR_LOOPBACK(
618 &xraddr->address.sin6.sin6_addr))
619 foreign_all_loopback = 0;
620 sockaddr(&faddr->address, AF_INET6,
621 &xraddr->address.sin6.sin6_addr,
622 htons(xstcb->remote_port));
623 break;
624 default:
625 errx(1,
626 "address family %d not supported",
627 xraddr->address.sa.sa_family);
628 }
629 faddr->encaps_port = xraddr->encaps_port;
630 faddr->state = xraddr->state;
631 faddr->next = NULL;
632 if (prev_faddr == NULL)
633 sock->faddr = faddr;
634 else
635 prev_faddr->next = faddr;
636 prev_faddr = faddr;
637 }
638 if (opt_c) {
639 if ((sock->vflag & vflag) &&
640 (!opt_L ||
641 !(local_all_loopback ||
642 foreign_all_loopback))) {
643 RB_INSERT(socks_t, &socks, sock);
644 } else {
645 free_socket(sock);
646 }
647 }
648 }
649 xinpcb = (struct xsctp_inpcb *)(void *)(buf + offset);
650 offset += sizeof(struct xsctp_inpcb);
651 }
652 free(buf);
653 }
654
655 static void
gather_inet(int proto)656 gather_inet(int proto)
657 {
658 struct xinpgen *xig, *exig;
659 struct xinpcb *xip;
660 struct xtcpcb *xtp = NULL;
661 struct xsocket *so;
662 struct sock *sock;
663 struct addr *laddr, *faddr;
664 const char *varname, *protoname;
665 size_t len, bufsize;
666 void *buf;
667 int retry, vflag;
668
669 vflag = 0;
670 if (opt_4)
671 vflag |= INP_IPV4;
672 if (opt_6)
673 vflag |= INP_IPV6;
674
675 switch (proto) {
676 case IPPROTO_TCP:
677 varname = "net.inet.tcp.pcblist";
678 protoname = "tcp";
679 break;
680 case IPPROTO_UDP:
681 varname = "net.inet.udp.pcblist";
682 protoname = "udp";
683 break;
684 case IPPROTO_DIVERT:
685 varname = "net.inet.divert.pcblist";
686 protoname = "div";
687 break;
688 default:
689 errx(1, "protocol %d not supported", proto);
690 }
691
692 buf = NULL;
693 bufsize = 8192;
694 retry = 5;
695 do {
696 for (;;) {
697 if ((buf = realloc(buf, bufsize)) == NULL)
698 err(1, "realloc()");
699 len = bufsize;
700 if (cap_sysctlbyname(capsysctl, varname, buf, &len,
701 NULL, 0) == 0)
702 break;
703 if (errno == ENOENT)
704 goto out;
705 if (errno != ENOMEM || len != bufsize)
706 err(1, "cap_sysctlbyname()");
707 bufsize *= 2;
708 }
709 xig = (struct xinpgen *)buf;
710 exig = (struct xinpgen *)(void *)
711 ((char *)buf + len - sizeof *exig);
712 enforce_ksize(xig->xig_len, struct xinpgen);
713 enforce_ksize(exig->xig_len, struct xinpgen);
714 } while (xig->xig_gen != exig->xig_gen && retry--);
715
716 if (xig->xig_gen != exig->xig_gen && opt_v)
717 warnx("warning: data may be inconsistent");
718
719 for (;;) {
720 xig = (struct xinpgen *)(void *)((char *)xig + xig->xig_len);
721 if (xig >= exig)
722 break;
723 switch (proto) {
724 case IPPROTO_TCP:
725 xtp = (struct xtcpcb *)xig;
726 xip = &xtp->xt_inp;
727 if (!check_ksize(xtp->xt_len, struct xtcpcb))
728 goto out;
729 protoname = xtp->t_flags & TF_TOE ? "toe" : "tcp";
730 break;
731 case IPPROTO_UDP:
732 case IPPROTO_DIVERT:
733 xip = (struct xinpcb *)xig;
734 if (!check_ksize(xip->xi_len, struct xinpcb))
735 goto out;
736 break;
737 default:
738 errx(1, "protocol %d not supported", proto);
739 }
740 so = &xip->xi_socket;
741 if ((xip->inp_vflag & vflag) == 0)
742 continue;
743 if (xip->inp_vflag & INP_IPV4) {
744 if ((xip->inp_fport == 0 && !opt_l) ||
745 (xip->inp_fport != 0 && !opt_c))
746 continue;
747 #define __IN_IS_ADDR_LOOPBACK(pina) \
748 ((ntohl((pina)->s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
749 if (opt_L &&
750 (__IN_IS_ADDR_LOOPBACK(&xip->inp_faddr) ||
751 __IN_IS_ADDR_LOOPBACK(&xip->inp_laddr)))
752 continue;
753 #undef __IN_IS_ADDR_LOOPBACK
754 } else if (xip->inp_vflag & INP_IPV6) {
755 if ((xip->inp_fport == 0 && !opt_l) ||
756 (xip->inp_fport != 0 && !opt_c))
757 continue;
758 if (opt_L &&
759 (IN6_IS_ADDR_LOOPBACK(&xip->in6p_faddr) ||
760 IN6_IS_ADDR_LOOPBACK(&xip->in6p_laddr)))
761 continue;
762 } else {
763 if (opt_v)
764 warnx("invalid vflag 0x%x", xip->inp_vflag);
765 continue;
766 }
767 if ((sock = calloc(1, sizeof(*sock))) == NULL)
768 err(1, "malloc()");
769 if ((laddr = calloc(1, sizeof *laddr)) == NULL)
770 err(1, "malloc()");
771 if ((faddr = calloc(1, sizeof *faddr)) == NULL)
772 err(1, "malloc()");
773 sock->socket = so->xso_so;
774 sock->splice_socket = so->so_splice_so;
775 sock->proto = proto;
776 sock->inp_gencnt = xip->inp_gencnt;
777 sock->fibnum = so->so_fibnum;
778 if (xip->inp_vflag & INP_IPV4) {
779 sock->family = AF_INET;
780 sockaddr(&laddr->address, sock->family,
781 &xip->inp_laddr, xip->inp_lport);
782 sockaddr(&faddr->address, sock->family,
783 &xip->inp_faddr, xip->inp_fport);
784 } else if (xip->inp_vflag & INP_IPV6) {
785 sock->family = AF_INET6;
786 sockaddr(&laddr->address, sock->family,
787 &xip->in6p_laddr, xip->inp_lport);
788 sockaddr(&faddr->address, sock->family,
789 &xip->in6p_faddr, xip->inp_fport);
790 }
791 if (proto == IPPROTO_TCP)
792 faddr->encaps_port = xtp->xt_encaps_port;
793 laddr->next = NULL;
794 faddr->next = NULL;
795 sock->laddr = laddr;
796 sock->faddr = faddr;
797 sock->vflag = xip->inp_vflag;
798 if (proto == IPPROTO_TCP) {
799 sock->state = xtp->t_state;
800 memcpy(sock->stack, xtp->xt_stack,
801 TCP_FUNCTION_NAME_LEN_MAX);
802 memcpy(sock->cc, xtp->xt_cc, TCP_CA_NAME_MAX);
803 }
804 sock->protoname = protoname;
805 if (sock->socket != 0)
806 RB_INSERT(socks_t, &socks, sock);
807 else
808 SLIST_INSERT_HEAD(&nosocks, sock, socket_list);
809 }
810 out:
811 free(buf);
812 }
813
814 static void
gather_unix(int proto)815 gather_unix(int proto)
816 {
817 struct xunpgen *xug, *exug;
818 struct xunpcb *xup;
819 struct sock *sock;
820 struct addr *laddr, *faddr;
821 const char *varname, *protoname;
822 size_t len, bufsize;
823 void *buf;
824 int retry;
825
826 switch (proto) {
827 case SOCK_STREAM:
828 varname = "net.local.stream.pcblist";
829 protoname = "stream";
830 break;
831 case SOCK_DGRAM:
832 varname = "net.local.dgram.pcblist";
833 protoname = "dgram";
834 break;
835 case SOCK_SEQPACKET:
836 varname = "net.local.seqpacket.pcblist";
837 protoname = "seqpac";
838 break;
839 default:
840 abort();
841 }
842 buf = NULL;
843 bufsize = 8192;
844 retry = 5;
845 do {
846 for (;;) {
847 if ((buf = realloc(buf, bufsize)) == NULL)
848 err(1, "realloc()");
849 len = bufsize;
850 if (cap_sysctlbyname(capsysctl, varname, buf, &len,
851 NULL, 0) == 0)
852 break;
853 if (errno != ENOMEM || len != bufsize)
854 err(1, "cap_sysctlbyname()");
855 bufsize *= 2;
856 }
857 xug = (struct xunpgen *)buf;
858 exug = (struct xunpgen *)(void *)
859 ((char *)buf + len - sizeof(*exug));
860 if (!check_ksize(xug->xug_len, struct xunpgen) ||
861 !check_ksize(exug->xug_len, struct xunpgen))
862 goto out;
863 } while (xug->xug_gen != exug->xug_gen && retry--);
864
865 if (xug->xug_gen != exug->xug_gen && opt_v)
866 warnx("warning: data may be inconsistent");
867
868 for (;;) {
869 xug = (struct xunpgen *)(void *)((char *)xug + xug->xug_len);
870 if (xug >= exug)
871 break;
872 xup = (struct xunpcb *)xug;
873 if (!check_ksize(xup->xu_len, struct xunpcb))
874 goto out;
875 if ((xup->unp_conn == 0 && !opt_l) ||
876 (xup->unp_conn != 0 && !opt_c))
877 continue;
878 if ((sock = calloc(1, sizeof(*sock))) == NULL)
879 err(1, "malloc()");
880 if ((laddr = calloc(1, sizeof *laddr)) == NULL)
881 err(1, "malloc()");
882 if ((faddr = calloc(1, sizeof *faddr)) == NULL)
883 err(1, "malloc()");
884 sock->socket = xup->xu_socket.xso_so;
885 sock->pcb = xup->xu_unpp;
886 sock->proto = proto;
887 sock->family = AF_UNIX;
888 sock->protoname = protoname;
889 if (xup->xu_addr.sun_family == AF_UNIX)
890 laddr->address =
891 *(struct sockaddr_storage *)(void *)&xup->xu_addr;
892 faddr->conn = xup->unp_conn;
893 faddr->firstref = xup->xu_firstref;
894 faddr->nextref = xup->xu_nextref;
895 laddr->next = NULL;
896 faddr->next = NULL;
897 sock->laddr = laddr;
898 sock->faddr = faddr;
899 RB_INSERT(socks_t, &socks, sock);
900 RB_INSERT(pcbs_t, &pcbs, sock);
901 }
902 out:
903 free(buf);
904 }
905
906 static void
getfiles(void)907 getfiles(void)
908 {
909 struct xfile *xfiles;
910 size_t len, olen;
911
912 olen = len = sizeof(*xfiles);
913 if ((xfiles = malloc(len)) == NULL)
914 err(1, "malloc()");
915 while (cap_sysctlbyname(capsysctl, "kern.file", xfiles, &len, 0, 0)
916 == -1) {
917 if (errno != ENOMEM || len != olen)
918 err(1, "cap_sysctlbyname()");
919 olen = len *= 2;
920 if ((xfiles = realloc(xfiles, len)) == NULL)
921 err(1, "realloc()");
922 }
923 if (len > 0)
924 enforce_ksize(xfiles->xf_size, struct xfile);
925 nfiles = len / sizeof(*xfiles);
926
927 if ((files = malloc(nfiles * sizeof(struct file))) == NULL)
928 err(1, "malloc()");
929
930 for (int i = 0; i < nfiles; i++) {
931 files[i].xf_data = xfiles[i].xf_data;
932 files[i].xf_pid = xfiles[i].xf_pid;
933 files[i].xf_uid = xfiles[i].xf_uid;
934 files[i].xf_fd = xfiles[i].xf_fd;
935 RB_INSERT(files_t, &ftree, &files[i]);
936 }
937
938 free(xfiles);
939 }
940
941 static int
printaddr(struct sockaddr_storage * ss)942 printaddr(struct sockaddr_storage *ss)
943 {
944 struct sockaddr_un *sun;
945 char addrstr[NI_MAXHOST] = { '\0', '\0' };
946 int error, off, port = 0;
947
948 switch (ss->ss_family) {
949 case AF_INET:
950 if (sstosin(ss)->sin_addr.s_addr == INADDR_ANY)
951 addrstr[0] = '*';
952 port = ntohs(sstosin(ss)->sin_port);
953 break;
954 case AF_INET6:
955 if (IN6_IS_ADDR_UNSPECIFIED(&sstosin6(ss)->sin6_addr))
956 addrstr[0] = '*';
957 port = ntohs(sstosin6(ss)->sin6_port);
958 break;
959 case AF_UNIX:
960 sun = sstosun(ss);
961 off = (int)((char *)&sun->sun_path - (char *)sun);
962 return (xprintf("%.*s", sun->sun_len - off, sun->sun_path));
963 }
964 if (addrstr[0] == '\0') {
965 error = cap_getnameinfo(capnet, sstosa(ss), ss->ss_len,
966 addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST);
967 if (error)
968 errx(1, "cap_getnameinfo()");
969 }
970 if (port == 0)
971 return xprintf("%s:*", addrstr);
972 else
973 return xprintf("%s:%d", addrstr, port);
974 }
975
976 static const char *
getprocname(pid_t pid)977 getprocname(pid_t pid)
978 {
979 static struct kinfo_proc proc;
980 size_t len;
981 int mib[4];
982
983 mib[0] = CTL_KERN;
984 mib[1] = KERN_PROC;
985 mib[2] = KERN_PROC_PID;
986 mib[3] = (int)pid;
987 len = sizeof(proc);
988 if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0)
989 == -1) {
990 /* Do not warn if the process exits before we get its name. */
991 if (errno != ESRCH)
992 warn("cap_sysctl()");
993 return ("??");
994 }
995 return (proc.ki_comm);
996 }
997
998 static int
getprocjid(pid_t pid)999 getprocjid(pid_t pid)
1000 {
1001 static struct kinfo_proc proc;
1002 size_t len;
1003 int mib[4];
1004
1005 mib[0] = CTL_KERN;
1006 mib[1] = KERN_PROC;
1007 mib[2] = KERN_PROC_PID;
1008 mib[3] = (int)pid;
1009 len = sizeof(proc);
1010 if (cap_sysctl(capsysctl, mib, nitems(mib), &proc, &len, NULL, 0)
1011 == -1) {
1012 /* Do not warn if the process exits before we get its jid. */
1013 if (errno != ESRCH)
1014 warn("cap_sysctl()");
1015 return (-1);
1016 }
1017 return (proc.ki_jid);
1018 }
1019
1020 static int
check_ports(struct sock * s)1021 check_ports(struct sock *s)
1022 {
1023 int port;
1024 struct addr *addr;
1025
1026 if (ports == NULL)
1027 return (1);
1028 if ((s->family != AF_INET) && (s->family != AF_INET6))
1029 return (1);
1030 for (addr = s->laddr; addr != NULL; addr = addr->next) {
1031 if (s->family == AF_INET)
1032 port = ntohs(sstosin(&addr->address)->sin_port);
1033 else
1034 port = ntohs(sstosin6(&addr->address)->sin6_port);
1035 if (CHK_PORT(port))
1036 return (1);
1037 }
1038 for (addr = s->faddr; addr != NULL; addr = addr->next) {
1039 if (s->family == AF_INET)
1040 port = ntohs(sstosin(&addr->address)->sin_port);
1041 else
1042 port = ntohs(sstosin6(&addr->address)->sin6_port);
1043 if (CHK_PORT(port))
1044 return (1);
1045 }
1046 return (0);
1047 }
1048
1049 static const char *
sctp_conn_state(int state)1050 sctp_conn_state(int state)
1051 {
1052 switch (state) {
1053 case SCTP_CLOSED:
1054 return "CLOSED";
1055 break;
1056 case SCTP_BOUND:
1057 return "BOUND";
1058 break;
1059 case SCTP_LISTEN:
1060 return "LISTEN";
1061 break;
1062 case SCTP_COOKIE_WAIT:
1063 return "COOKIE_WAIT";
1064 break;
1065 case SCTP_COOKIE_ECHOED:
1066 return "COOKIE_ECHOED";
1067 break;
1068 case SCTP_ESTABLISHED:
1069 return "ESTABLISHED";
1070 break;
1071 case SCTP_SHUTDOWN_SENT:
1072 return "SHUTDOWN_SENT";
1073 break;
1074 case SCTP_SHUTDOWN_RECEIVED:
1075 return "SHUTDOWN_RECEIVED";
1076 break;
1077 case SCTP_SHUTDOWN_ACK_SENT:
1078 return "SHUTDOWN_ACK_SENT";
1079 break;
1080 case SCTP_SHUTDOWN_PENDING:
1081 return "SHUTDOWN_PENDING";
1082 break;
1083 default:
1084 return "UNKNOWN";
1085 break;
1086 }
1087 }
1088
1089 static const char *
sctp_path_state(int state)1090 sctp_path_state(int state)
1091 {
1092 switch (state) {
1093 case SCTP_UNCONFIRMED:
1094 return "UNCONFIRMED";
1095 break;
1096 case SCTP_ACTIVE:
1097 return "ACTIVE";
1098 break;
1099 case SCTP_INACTIVE:
1100 return "INACTIVE";
1101 break;
1102 default:
1103 return "UNKNOWN";
1104 break;
1105 }
1106 }
1107
1108 static void
displaysock(struct sock * s,int pos)1109 displaysock(struct sock *s, int pos)
1110 {
1111 int first, offset;
1112 struct addr *laddr, *faddr;
1113
1114 while (pos < 30)
1115 pos += xprintf(" ");
1116 pos += xprintf("%s", s->protoname);
1117 if (s->vflag & INP_IPV4)
1118 pos += xprintf("4");
1119 if (s->vflag & INP_IPV6)
1120 pos += xprintf("6");
1121 if (s->vflag & (INP_IPV4 | INP_IPV6))
1122 pos += xprintf(" ");
1123 laddr = s->laddr;
1124 faddr = s->faddr;
1125 first = 1;
1126 while (laddr != NULL || faddr != NULL) {
1127 offset = 37;
1128 while (pos < offset)
1129 pos += xprintf(" ");
1130 switch (s->family) {
1131 case AF_INET:
1132 case AF_INET6:
1133 if (laddr != NULL)
1134 pos += printaddr(&laddr->address);
1135 offset += opt_w ? 46 : 22;
1136 do
1137 pos += xprintf(" ");
1138 while (pos < offset);
1139 if (faddr != NULL)
1140 pos += printaddr(&faddr->address);
1141 offset += opt_w ? 46 : 22;
1142 break;
1143 case AF_UNIX:
1144 if ((laddr == NULL) || (faddr == NULL))
1145 errx(1, "laddr = %p or faddr = %p is NULL",
1146 (void *)laddr, (void *)faddr);
1147 if (laddr->address.ss_len == 0 && faddr->conn == 0) {
1148 pos += xprintf("(not connected)");
1149 offset += opt_w ? 92 : 44;
1150 break;
1151 }
1152 /* Local bind(2) address, if any. */
1153 if (laddr->address.ss_len > 0)
1154 pos += printaddr(&laddr->address);
1155 /* Remote peer we connect(2) to, if any. */
1156 if (faddr->conn != 0) {
1157 struct sock *p;
1158
1159 pos += xprintf("%s-> ",
1160 laddr->address.ss_len > 0 ? " " : "");
1161 p = RB_FIND(pcbs_t, &pcbs,
1162 &(struct sock){ .pcb = faddr->conn });
1163 if (__predict_false(p == NULL)) {
1164 /* XXGL: can this happen at all? */
1165 pos += xprintf("??");
1166 } else if (p->laddr->address.ss_len == 0) {
1167 struct file *f;
1168
1169 f = RB_FIND(files_t, &ftree,
1170 &(struct file){ .xf_data =
1171 p->socket });
1172 if (f != NULL) {
1173 pos += xprintf("[%lu %d]",
1174 (u_long)f->xf_pid,
1175 f->xf_fd);
1176 }
1177 } else
1178 pos += printaddr(&p->laddr->address);
1179 }
1180 /* Remote peer(s) connect(2)ed to us, if any. */
1181 if (faddr->firstref != 0) {
1182 struct sock *p;
1183 struct file *f;
1184 kvaddr_t ref = faddr->firstref;
1185 bool fref = true;
1186
1187 pos += xprintf(" <- ");
1188
1189 while ((p = RB_FIND(pcbs_t, &pcbs,
1190 &(struct sock){ .pcb = ref })) != 0) {
1191 f = RB_FIND(files_t, &ftree,
1192 &(struct file){ .xf_data =
1193 p->socket });
1194 if (f != NULL) {
1195 pos += xprintf("%s[%lu %d]",
1196 fref ? "" : ",",
1197 (u_long)f->xf_pid,
1198 f->xf_fd);
1199 }
1200 ref = p->faddr->nextref;
1201 fref = false;
1202 }
1203 }
1204 offset += opt_w ? 92 : 44;
1205 break;
1206 default:
1207 abort();
1208 }
1209 if (opt_f) {
1210 do
1211 pos += xprintf(" ");
1212 while (pos < offset);
1213 pos += xprintf("%d", s->fibnum);
1214 offset += 7;
1215 }
1216 if (opt_I) {
1217 if (s->splice_socket != 0) {
1218 struct sock *sp;
1219
1220 sp = RB_FIND(socks_t, &socks, &(struct sock)
1221 { .socket = s->splice_socket });
1222 if (sp != NULL) {
1223 do
1224 pos += xprintf(" ");
1225 while (pos < offset);
1226 pos += printaddr(&sp->laddr->address);
1227 } else {
1228 do
1229 pos += xprintf(" ");
1230 while (pos < offset);
1231 pos += xprintf("??");
1232 offset += opt_w ? 46 : 22;
1233 }
1234 }
1235 offset += opt_w ? 46 : 22;
1236 }
1237 if (opt_i) {
1238 if (s->proto == IPPROTO_TCP ||
1239 s->proto == IPPROTO_UDP) {
1240 do
1241 pos += xprintf(" ");
1242 while (pos < offset);
1243 pos += xprintf("%" PRIu64, s->inp_gencnt);
1244 }
1245 offset += 9;
1246 }
1247 if (opt_U) {
1248 if (faddr != NULL &&
1249 ((s->proto == IPPROTO_SCTP &&
1250 s->state != SCTP_CLOSED &&
1251 s->state != SCTP_BOUND &&
1252 s->state != SCTP_LISTEN) ||
1253 (s->proto == IPPROTO_TCP &&
1254 s->state != TCPS_CLOSED &&
1255 s->state != TCPS_LISTEN))) {
1256 do
1257 pos += xprintf(" ");
1258 while (pos < offset);
1259 pos += xprintf("%u",
1260 ntohs(faddr->encaps_port));
1261 }
1262 offset += 7;
1263 }
1264 if (opt_s) {
1265 if (faddr != NULL &&
1266 s->proto == IPPROTO_SCTP &&
1267 s->state != SCTP_CLOSED &&
1268 s->state != SCTP_BOUND &&
1269 s->state != SCTP_LISTEN) {
1270 do
1271 pos += xprintf(" ");
1272 while (pos < offset);
1273 pos += xprintf("%s",
1274 sctp_path_state(faddr->state));
1275 }
1276 offset += 13;
1277 }
1278 if (first) {
1279 if (opt_s) {
1280 if (s->proto == IPPROTO_SCTP ||
1281 s->proto == IPPROTO_TCP) {
1282 do
1283 pos += xprintf(" ");
1284 while (pos < offset);
1285 switch (s->proto) {
1286 case IPPROTO_SCTP:
1287 pos += xprintf("%s",
1288 sctp_conn_state(s->state));
1289 break;
1290 case IPPROTO_TCP:
1291 if (s->state >= 0 &&
1292 s->state < TCP_NSTATES)
1293 pos += xprintf("%s",
1294 tcpstates[s->state]);
1295 else
1296 pos += xprintf("?");
1297 break;
1298 }
1299 }
1300 offset += 13;
1301 }
1302 if (opt_S) {
1303 if (s->proto == IPPROTO_TCP) {
1304 do
1305 pos += xprintf(" ");
1306 while (pos < offset);
1307 pos += xprintf("%.*s",
1308 TCP_FUNCTION_NAME_LEN_MAX,
1309 s->stack);
1310 }
1311 offset += TCP_FUNCTION_NAME_LEN_MAX + 1;
1312 }
1313 if (opt_C) {
1314 if (s->proto == IPPROTO_TCP) {
1315 do
1316 pos += xprintf(" ");
1317 while (pos < offset);
1318 xprintf("%.*s", TCP_CA_NAME_MAX, s->cc);
1319 }
1320 offset += TCP_CA_NAME_MAX + 1;
1321 }
1322 }
1323 if (laddr != NULL)
1324 laddr = laddr->next;
1325 if (faddr != NULL)
1326 faddr = faddr->next;
1327 if ((laddr != NULL) || (faddr != NULL)) {
1328 xprintf("\n");
1329 pos = 0;
1330 }
1331 first = 0;
1332 }
1333 xprintf("\n");
1334 }
1335
1336 static void
display(void)1337 display(void)
1338 {
1339 struct passwd *pwd;
1340 struct file *xf;
1341 struct sock *s;
1342 int n, pos;
1343
1344 if (opt_q != 1) {
1345 printf("%-8s %-10s %-5s %-3s %-6s %-*s %-*s",
1346 "USER", "COMMAND", "PID", "FD", "PROTO",
1347 opt_w ? 45 : 21, "LOCAL ADDRESS",
1348 opt_w ? 45 : 21, "FOREIGN ADDRESS");
1349 if (opt_f)
1350 /* RT_MAXFIBS is 65535. */
1351 printf(" %-6s", "FIB");
1352 if (opt_I)
1353 printf(" %-*s", opt_w ? 45 : 21, "SPLICE ADDRESS");
1354 if (opt_i)
1355 printf(" %-8s", "ID");
1356 if (opt_U)
1357 printf(" %-6s", "ENCAPS");
1358 if (opt_s) {
1359 printf(" %-12s", "PATH STATE");
1360 printf(" %-12s", "CONN STATE");
1361 }
1362 if (opt_S)
1363 printf(" %-*.*s", TCP_FUNCTION_NAME_LEN_MAX,
1364 TCP_FUNCTION_NAME_LEN_MAX, "STACK");
1365 if (opt_C)
1366 printf(" %-.*s", TCP_CA_NAME_MAX, "CC");
1367 printf("\n");
1368 }
1369 cap_setpassent(cappwd, 1);
1370 for (xf = files, n = 0; n < nfiles; ++n, ++xf) {
1371 if (xf->xf_data == 0)
1372 continue;
1373 if (opt_j >= 0 && opt_j != getprocjid(xf->xf_pid))
1374 continue;
1375 s = RB_FIND(socks_t, &socks,
1376 &(struct sock){ .socket = xf->xf_data});
1377 if (s != NULL && check_ports(s)) {
1378 s->shown = 1;
1379 pos = 0;
1380 if (opt_n ||
1381 (pwd = cap_getpwuid(cappwd, xf->xf_uid)) == NULL)
1382 pos += xprintf("%lu", (u_long)xf->xf_uid);
1383 else
1384 pos += xprintf("%s", pwd->pw_name);
1385 do
1386 pos += xprintf(" ");
1387 while (pos < 9);
1388 pos += xprintf("%.10s", getprocname(xf->xf_pid));
1389 do
1390 pos += xprintf(" ");
1391 while (pos < 20);
1392 pos += xprintf("%5lu", (u_long)xf->xf_pid);
1393 do
1394 pos += xprintf(" ");
1395 while (pos < 26);
1396 pos += xprintf("%-3d", xf->xf_fd);
1397 displaysock(s, pos);
1398 }
1399 }
1400 if (opt_j >= 0)
1401 return;
1402 SLIST_FOREACH(s, &nosocks, socket_list) {
1403 if (!check_ports(s))
1404 continue;
1405 pos = xprintf("%-8s %-10s %-5s %-3s",
1406 "?", "?", "?", "?");
1407 displaysock(s, pos);
1408 }
1409 RB_FOREACH(s, socks_t, &socks) {
1410 if (s->shown)
1411 continue;
1412 if (!check_ports(s))
1413 continue;
1414 pos = xprintf("%-8s %-10s %-5s %-3s",
1415 "?", "?", "?", "?");
1416 displaysock(s, pos);
1417 }
1418 }
1419
1420 static int
set_default_protos(void)1421 set_default_protos(void)
1422 {
1423 struct protoent *prot;
1424 const char *pname;
1425 size_t pindex;
1426
1427 init_protos(default_numprotos);
1428
1429 for (pindex = 0; pindex < default_numprotos; pindex++) {
1430 pname = default_protos[pindex];
1431 prot = cap_getprotobyname(capnetdb, pname);
1432 if (prot == NULL)
1433 err(1, "cap_getprotobyname: %s", pname);
1434 protos[pindex] = prot->p_proto;
1435 }
1436 numprotos = pindex;
1437 return (pindex);
1438 }
1439
1440 /*
1441 * Return the vnet property of the jail, or -1 on error.
1442 */
1443 static int
jail_getvnet(int jid)1444 jail_getvnet(int jid)
1445 {
1446 struct iovec jiov[6];
1447 int vnet;
1448 size_t len = sizeof(vnet);
1449
1450 if (sysctlbyname("kern.features.vimage", &vnet, &len, NULL, 0) != 0)
1451 return (0);
1452
1453 vnet = -1;
1454 jiov[0].iov_base = __DECONST(char *, "jid");
1455 jiov[0].iov_len = sizeof("jid");
1456 jiov[1].iov_base = &jid;
1457 jiov[1].iov_len = sizeof(jid);
1458 jiov[2].iov_base = __DECONST(char *, "vnet");
1459 jiov[2].iov_len = sizeof("vnet");
1460 jiov[3].iov_base = &vnet;
1461 jiov[3].iov_len = sizeof(vnet);
1462 jiov[4].iov_base = __DECONST(char *, "errmsg");
1463 jiov[4].iov_len = sizeof("errmsg");
1464 jiov[5].iov_base = jail_errmsg;
1465 jiov[5].iov_len = JAIL_ERRMSGLEN;
1466 jail_errmsg[0] = '\0';
1467 if (jail_get(jiov, nitems(jiov), 0) < 0) {
1468 if (!jail_errmsg[0])
1469 snprintf(jail_errmsg, JAIL_ERRMSGLEN,
1470 "jail_get: %s", strerror(errno));
1471 return (-1);
1472 }
1473 return (vnet);
1474 }
1475
1476 static void
usage(void)1477 usage(void)
1478 {
1479 errx(1,
1480 "usage: sockstat [-46CcfIiLlnqSsUuvw] [-j jid] [-p ports] [-P protocols]");
1481 }
1482
1483 int
main(int argc,char * argv[])1484 main(int argc, char *argv[])
1485 {
1486 cap_channel_t *capcas;
1487 cap_net_limit_t *limit;
1488 const char *pwdcmds[] = { "setpassent", "getpwuid" };
1489 const char *pwdfields[] = { "pw_name" };
1490 int protos_defined = -1;
1491 int o, i;
1492
1493 opt_j = -1;
1494 while ((o = getopt(argc, argv, "46CcfIij:Llnp:P:qSsUuvw")) != -1)
1495 switch (o) {
1496 case '4':
1497 opt_4 = 1;
1498 break;
1499 case '6':
1500 opt_6 = 1;
1501 break;
1502 case 'C':
1503 opt_C = 1;
1504 break;
1505 case 'c':
1506 opt_c = 1;
1507 break;
1508 case 'f':
1509 opt_f = 1;
1510 break;
1511 case 'I':
1512 opt_I = 1;
1513 break;
1514 case 'i':
1515 opt_i = 1;
1516 break;
1517 case 'j':
1518 opt_j = jail_getid(optarg);
1519 if (opt_j < 0)
1520 errx(1, "jail_getid: %s", jail_errmsg);
1521 break;
1522 case 'L':
1523 opt_L = 1;
1524 break;
1525 case 'l':
1526 opt_l = 1;
1527 break;
1528 case 'n':
1529 opt_n = 1;
1530 break;
1531 case 'p':
1532 parse_ports(optarg);
1533 break;
1534 case 'P':
1535 protos_defined = parse_protos(optarg);
1536 break;
1537 case 'q':
1538 opt_q = 1;
1539 break;
1540 case 'S':
1541 opt_S = 1;
1542 break;
1543 case 's':
1544 opt_s = 1;
1545 break;
1546 case 'U':
1547 opt_U = 1;
1548 break;
1549 case 'u':
1550 opt_u = 1;
1551 break;
1552 case 'v':
1553 ++opt_v;
1554 break;
1555 case 'w':
1556 opt_w = 1;
1557 break;
1558 default:
1559 usage();
1560 }
1561
1562 argc -= optind;
1563 argv += optind;
1564
1565 if (argc > 0)
1566 usage();
1567
1568 if (opt_j > 0) {
1569 switch (jail_getvnet(opt_j)) {
1570 case -1:
1571 errx(2, "jail_getvnet: %s", jail_errmsg);
1572 case JAIL_SYS_NEW:
1573 if (jail_attach(opt_j) < 0)
1574 err(3, "jail_attach()");
1575 /* Set back to -1 for normal output in vnet jail. */
1576 opt_j = -1;
1577 break;
1578 default:
1579 break;
1580 }
1581 }
1582
1583 capcas = cap_init();
1584 if (capcas == NULL)
1585 err(1, "Unable to contact Casper");
1586 if (caph_enter_casper() < 0)
1587 err(1, "Unable to enter capability mode");
1588 capnet = cap_service_open(capcas, "system.net");
1589 if (capnet == NULL)
1590 err(1, "Unable to open system.net service");
1591 capnetdb = cap_service_open(capcas, "system.netdb");
1592 if (capnetdb == NULL)
1593 err(1, "Unable to open system.netdb service");
1594 capsysctl = cap_service_open(capcas, "system.sysctl");
1595 if (capsysctl == NULL)
1596 err(1, "Unable to open system.sysctl service");
1597 cappwd = cap_service_open(capcas, "system.pwd");
1598 if (cappwd == NULL)
1599 err(1, "Unable to open system.pwd service");
1600 cap_close(capcas);
1601 limit = cap_net_limit_init(capnet, CAPNET_ADDR2NAME);
1602 if (limit == NULL)
1603 err(1, "Unable to init cap_net limits");
1604 if (cap_net_limit(limit) < 0)
1605 err(1, "Unable to apply limits");
1606 if (cap_pwd_limit_cmds(cappwd, pwdcmds, nitems(pwdcmds)) < 0)
1607 err(1, "Unable to apply pwd commands limits");
1608 if (cap_pwd_limit_fields(cappwd, pwdfields, nitems(pwdfields)) < 0)
1609 err(1, "Unable to apply pwd commands limits");
1610
1611 if ((!opt_4 && !opt_6) && protos_defined != -1)
1612 opt_4 = opt_6 = 1;
1613 if (!opt_4 && !opt_6 && !opt_u)
1614 opt_4 = opt_6 = opt_u = 1;
1615 if ((opt_4 || opt_6) && protos_defined == -1)
1616 protos_defined = set_default_protos();
1617 if (!opt_c && !opt_l)
1618 opt_c = opt_l = 1;
1619
1620 if (opt_4 || opt_6) {
1621 for (i = 0; i < protos_defined; i++)
1622 if (protos[i] == IPPROTO_SCTP)
1623 gather_sctp();
1624 else
1625 gather_inet(protos[i]);
1626 }
1627
1628 if (opt_u || (protos_defined == -1 && !opt_4 && !opt_6)) {
1629 gather_unix(SOCK_STREAM);
1630 gather_unix(SOCK_DGRAM);
1631 gather_unix(SOCK_SEQPACKET);
1632 }
1633 getfiles();
1634 display();
1635 exit(0);
1636 }
1637