xref: /openbsd/sys/net/if_pfsync.h (revision 2cc786cd) 
1 /*	$OpenBSD: if_pfsync.h,v 1.63 2024/10/12 23:10:07 jsg Exp $	*/
2 
3 /*
4  * Copyright (c) 2001 Michael Shalayeff
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22  * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26  * THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /*
30  * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
31  *
32  * Permission to use, copy, modify, and distribute this software for any
33  * purpose with or without fee is hereby granted, provided that the above
34  * copyright notice and this permission notice appear in all copies.
35  *
36  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
37  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
38  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
39  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
40  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
41  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
42  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
43  */
44 
45 #ifndef _NET_IF_PFSYNC_H_
46 #define _NET_IF_PFSYNC_H_
47 
48 #define PFSYNC_VERSION		6
49 #define PFSYNC_DFLTTL		255
50 
51 #define PFSYNC_ACT_CLR		0	/* clear all states */
52 #define PFSYNC_ACT_OINS		1	/* old insert state */
53 #define PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
54 #define PFSYNC_ACT_OUPD		3	/* old update state */
55 #define PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
56 #define PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
57 #define PFSYNC_ACT_DEL		6	/* delete state */
58 #define PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
59 #define PFSYNC_ACT_INS_F	8	/* insert fragment */
60 #define PFSYNC_ACT_DEL_F	9	/* delete fragments */
61 #define PFSYNC_ACT_BUS		10	/* bulk update status */
62 #define PFSYNC_ACT_OTDB		11	/* old TDB replay counter update */
63 #define PFSYNC_ACT_EOF		12	/* end of frame - DEPRECATED */
64 #define PFSYNC_ACT_INS		13	/* insert state */
65 #define PFSYNC_ACT_UPD		14	/* update state */
66 #define PFSYNC_ACT_TDB		15	/* TDB replay counter update */
67 #define PFSYNC_ACT_MAX		16
68 
69 #define PFSYNC_ACTIONS		"CLR ST",		\
70 				"INS ST OLD",		\
71 				"INS ST ACK",		\
72 				"UPD ST OLD",		\
73 				"UPD ST COMP",		\
74 				"UPD ST REQ",		\
75 				"DEL ST",		\
76 				"DEL ST COMP",		\
77 				"INS FR",		\
78 				"DEL FR",		\
79 				"BULK UPD STAT",	\
80 				"UPD TDB OLD",		\
81 				"EOF",			\
82 				"INS ST",		\
83 				"UPD ST",		\
84 				"UPD TDB"
85 
86 /*
87  * A pfsync frame is built from a header followed by several sections which
88  * are all prefixed with their own subheaders.
89  *
90  * | ...			|
91  * | IP header			|
92  * +============================+
93  * | pfsync_header		|
94  * +----------------------------+
95  * | pfsync_subheader		|
96  * +----------------------------+
97  * | first action fields	|
98  * | ...			|
99  * +----------------------------+
100  * | pfsync_subheader		|
101  * +----------------------------+
102  * | second action fields	|
103  * | ...			|
104  * +============================+
105  */
106 
107 /*
108  * Frame header
109  */
110 
111 struct pfsync_header {
112 	u_int8_t			version;
113 	u_int8_t			_pad;
114 	u_int16_t			len; /* in bytes */
115 	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
116 } __packed;
117 
118 /*
119  * Frame region subheader
120  */
121 
122 struct pfsync_subheader {
123 	u_int8_t			action;
124 	u_int8_t			len; /* in dwords */
125 	u_int16_t			count;
126 } __packed;
127 
128 /*
129  * CLR
130  */
131 
132 struct pfsync_clr {
133 	char				ifname[IFNAMSIZ];
134 	u_int32_t			creatorid;
135 } __packed;
136 
137 /*
138  * OINS, OUPD
139  */
140 
141 /* these messages are deprecated */
142 
143 /*
144  * INS, UPD, DEL
145  */
146 
147 /* these use struct pfsync_state in pfvar.h */
148 
149 /*
150  * INS_ACK
151  */
152 
153 struct pfsync_ins_ack {
154 	u_int64_t			id;
155 	u_int32_t			creatorid;
156 } __packed;
157 
158 /*
159  * UPD_C
160  */
161 
162 struct pfsync_upd_c {
163 	u_int64_t			id;
164 	struct pfsync_state_peer	src;
165 	struct pfsync_state_peer	dst;
166 	u_int32_t			creatorid;
167 	u_int32_t			expire;
168 	u_int8_t			timeout;
169 	u_int8_t			state_flags;
170 	u_int8_t			_pad[2];
171 } __packed;
172 
173 /*
174  * UPD_REQ
175  */
176 
177 struct pfsync_upd_req {
178 	u_int64_t			id;
179 	u_int32_t			creatorid;
180 } __packed __aligned(4);
181 
182 /*
183  * DEL_C
184  */
185 
186 struct pfsync_del_c {
187 	u_int64_t			id;
188 	u_int32_t			creatorid;
189 } __packed;
190 
191 /*
192  * INS_F, DEL_F
193  */
194 
195 /* not implemented (yet) */
196 
197 /*
198  * BUS
199  */
200 
201 struct pfsync_bus {
202 	u_int32_t			creatorid;
203 	u_int32_t			endtime;
204 	u_int8_t			status;
205 #define PFSYNC_BUS_START			1
206 #define PFSYNC_BUS_END				2
207 	u_int8_t			_pad[3];
208 } __packed;
209 
210 /*
211  * TDB
212  */
213 struct pfsync_tdb {
214 	u_int32_t			spi;
215 	union sockaddr_union		dst;
216 	u_int64_t			rpl;
217 	u_int64_t			cur_bytes;
218 	u_int8_t			sproto;
219 	u_int8_t			updates;
220 	u_int16_t			rdomain;
221 } __packed;
222 
223 /*
224  * EOF
225  */
226 
227 /* this message is deprecated */
228 
229 
230 #define PFSYNC_HDRLEN		sizeof(struct pfsync_header)
231 
232 
233 /*
234  * Names for PFSYNC sysctl objects
235  */
236 #define	PFSYNCCTL_STATS		1	/* PFSYNC stats */
237 #define	PFSYNCCTL_MAXID		2
238 
239 #define	PFSYNCCTL_NAMES { \
240 	{ 0, 0 }, \
241 	{ "stats", CTLTYPE_STRUCT }, \
242 }
243 
244 struct pfsyncstats {
245 	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
246 	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
247 	u_int64_t	pfsyncs_badif;		/* not the right interface */
248 	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
249 	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
250 	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
251 	u_int64_t	pfsyncs_badact;		/* bad action */
252 	u_int64_t	pfsyncs_badlen;		/* data length does not match */
253 	u_int64_t	pfsyncs_badauth;	/* bad authentication */
254 	u_int64_t	pfsyncs_stale;		/* stale state */
255 	u_int64_t	pfsyncs_badval;		/* bad values */
256 	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */
257 
258 	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
259 	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
260 	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
261 	u_int64_t	pfsyncs_oerrors;	/* ip output error */
262 };
263 
264 /*
265  * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
266  */
267 struct pfsyncreq {
268 	char		 pfsyncr_syncdev[IFNAMSIZ];
269 	struct in_addr	 pfsyncr_syncpeer;
270 	int		 pfsyncr_maxupdates;
271 	int		 pfsyncr_defer;
272 };
273 
274 #ifdef _KERNEL
275 
276 enum pfsync_counters {
277 	pfsyncs_ipackets,
278 	pfsyncs_ipackets6,
279 	pfsyncs_badif,
280 	pfsyncs_badttl,
281 	pfsyncs_hdrops,
282 	pfsyncs_badver,
283 	pfsyncs_badact,
284 	pfsyncs_badlen,
285 	pfsyncs_badauth,
286 	pfsyncs_stale,
287 	pfsyncs_badval,
288 	pfsyncs_badstate,
289 	pfsyncs_opackets,
290 	pfsyncs_opackets6,
291 	pfsyncs_onomem,
292 	pfsyncs_oerrors,
293 	pfsyncs_ncounters,
294 };
295 
296 /*
297  * this shows where a pf state is with respect to the syncing.
298  */
299 #define PFSYNC_S_IACK	0x00
300 #define PFSYNC_S_UPD_C	0x01
301 #define PFSYNC_S_DEL	0x02
302 #define PFSYNC_S_INS	0x03
303 #define PFSYNC_S_UPD	0x04
304 #define PFSYNC_S_COUNT	0x05
305 
306 #define PFSYNC_S_NONE	0xd0
307 #define PFSYNC_S_SYNC	0xd1
308 #define PFSYNC_S_PFSYNC	0xd2
309 #define PFSYNC_S_DEAD	0xde
310 
311 int			pfsync_input4(struct mbuf **, int *, int, int);
312 int			pfsync_sysctl(int *, u_int,  void *, size_t *,
313 			    void *, size_t);
314 
315 #define	PFSYNC_SI_IOCTL		0x01
316 #define	PFSYNC_SI_CKSUM		0x02
317 #define	PFSYNC_SI_ACK		0x04
318 #define	PFSYNC_SI_PFSYNC	0x08
319 void			pfsync_state_export(struct pfsync_state *,
320 			    struct pf_state *);
321 
322 void			pfsync_init_state(struct pf_state *,
323 			    const struct pf_state_key *,
324 			    const struct pf_state_key *, int);
325 void			pfsync_insert_state(struct pf_state *);
326 void			pfsync_update_state(struct pf_state *);
327 void			pfsync_delete_state(struct pf_state *);
328 void			pfsync_clear_states(u_int32_t, const char *);
329 
330 void			pfsync_update_tdb(struct tdb *, int);
331 void			pfsync_delete_tdb(struct tdb *);
332 
333 int			pfsync_defer(struct pf_state *, struct mbuf *);
334 
335 int			pfsync_is_up(void);
336 int			pfsync_state_in_use(struct pf_state *);
337 #endif /* _KERNEL */
338 
339 #endif /* _NET_IF_PFSYNC_H_ */
340