1 /* $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $ */ 2 3 /* 4 * Copyright (c) 2001 Michael Shalayeff 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT, 20 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 26 * THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #ifndef _NET_IF_PFSYNC_H_ 30 #define _NET_IF_PFSYNC_H_ 31 32 #include <sys/ioccom.h> 33 34 /* 35 * pfvar.h is required to get struct pf_addr. Also kdump and other utilities 36 * blindly include header files to try to get all the ioctl constants and 37 * buildworld will fail without this. We need a better way XXX 38 */ 39 #ifndef _NET_PFVAR_H_ 40 #include "pfvar.h" 41 #endif 42 43 /* Reserved SPI numbers */ 44 #define SPI_LOCAL_USE 0 45 #define SPI_RESERVED_MIN 1 46 #define SPI_RESERVED_MAX 255 47 48 49 #define PFSYNC_ID_LEN sizeof(u_int64_t) 50 51 #define PFSYNC_FLAG_COMPRESS 0x01 52 #define PFSYNC_FLAG_STALE 0x02 53 54 struct pfsync_tdb { 55 u_int32_t spi; 56 union sockaddr_union dst; 57 u_int32_t rpl; 58 u_int64_t cur_bytes; 59 u_int8_t sproto; 60 u_int8_t updates; 61 u_int8_t pad[2]; 62 } __packed; 63 64 struct pfsync_state_upd { 65 u_int32_t id[2]; 66 struct pfsync_state_peer src; 67 struct pfsync_state_peer dst; 68 u_int32_t creatorid; 69 u_int32_t expire; 70 u_int8_t timeout; 71 u_int8_t updates; 72 u_int8_t pad[6]; 73 } __packed; 74 75 struct pfsync_state_del { 76 u_int32_t id[2]; 77 u_int32_t creatorid; 78 struct { 79 u_int8_t state; 80 } src; 81 struct { 82 u_int8_t state; 83 } dst; 84 u_int8_t pad[2]; 85 } __packed; 86 87 struct pfsync_state_upd_req { 88 u_int32_t id[2]; 89 u_int32_t creatorid; 90 u_int32_t pad; 91 } __packed; 92 93 struct pfsync_state_clr { 94 char ifname[IFNAMSIZ]; 95 u_int32_t creatorid; 96 u_int32_t pad; 97 } __packed; 98 99 struct pfsync_state_bus { 100 u_int32_t creatorid; 101 u_int32_t endtime; 102 u_int8_t status; 103 #define PFSYNC_BUS_START 1 104 #define PFSYNC_BUS_END 2 105 u_int8_t pad[7]; 106 } __packed; 107 108 /* 109 * Names for PFSYNC sysctl objects 110 */ 111 #define PFSYNCCTL_STATS 1 /* PFSYNC stats */ 112 #define PFSYNCCTL_MAXID 2 113 114 #define PFSYNCCTL_NAMES { \ 115 { 0, 0 }, \ 116 { "stats", CTLTYPE_STRUCT }, \ 117 } 118 119 #ifdef _KERNEL 120 121 union sc_statep { 122 struct pfsync_state *s; 123 struct pfsync_state_upd *u; 124 struct pfsync_state_del *d; 125 struct pfsync_state_clr *c; 126 struct pfsync_state_bus *b; 127 struct pfsync_state_upd_req *r; 128 }; 129 130 union sc_tdb_statep { 131 struct pfsync_tdb *t; 132 }; 133 134 extern int pfsync_sync_ok; 135 136 struct pfsync_softc { 137 struct ifnet sc_if; 138 struct ifnet *sc_sync_ifp; 139 140 struct ip_moptions sc_imo; 141 struct callout sc_tmo; 142 struct callout sc_tdb_tmo; 143 struct callout sc_bulk_tmo; 144 struct callout sc_bulkfail_tmo; 145 struct in_addr sc_sync_peer; 146 struct in_addr sc_sendaddr; 147 struct mbuf *sc_mbuf; /* current cumulative mbuf */ 148 struct mbuf *sc_mbuf_net; /* current cumulative mbuf */ 149 struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */ 150 union sc_statep sc_statep; 151 union sc_statep sc_statep_net; 152 union sc_tdb_statep sc_statep_tdb; 153 u_int32_t sc_ureq_received; 154 u_int32_t sc_ureq_sent; 155 struct pf_state *sc_bulk_send_next; 156 struct pf_state *sc_bulk_terminator; 157 int sc_bulk_tries; 158 int sc_maxcount; /* number of states in mtu */ 159 int sc_maxupdates; /* number of updates/state */ 160 LIST_ENTRY(pfsync_softc) sc_next; 161 }; 162 163 extern struct pfsync_softc *pfsyncif; 164 #endif 165 166 167 struct pfsync_header { 168 u_int8_t version; 169 #define PFSYNC_VERSION 4 170 u_int8_t af; 171 u_int8_t action; 172 #define PFSYNC_ACT_CLR 0 /* clear all states */ 173 #define PFSYNC_ACT_INS 1 /* insert state */ 174 #define PFSYNC_ACT_UPD 2 /* update state */ 175 #define PFSYNC_ACT_DEL 3 /* delete state */ 176 #define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */ 177 #define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */ 178 #define PFSYNC_ACT_INS_F 6 /* insert fragment */ 179 #define PFSYNC_ACT_DEL_F 7 /* delete fragments */ 180 #define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */ 181 #define PFSYNC_ACT_BUS 9 /* Bulk Update Status */ 182 #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */ 183 #define PFSYNC_ACT_MAX 11 184 u_int8_t count; 185 u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 186 } __packed; 187 188 #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */ 189 #define PFSYNC_MAX_BULKTRIES 12 190 #define PFSYNC_HDRLEN sizeof(struct pfsync_header) 191 #define PFSYNC_ACTIONS \ 192 "CLR ST", "INS ST", "UPD ST", "DEL ST", \ 193 "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \ 194 "UPD REQ", "BLK UPD STAT", "TDB UPD" 195 196 #define PFSYNC_DFLTTL 255 197 198 struct pfsyncstats { 199 u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */ 200 u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */ 201 u_int64_t pfsyncs_badif; /* not the right interface */ 202 u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */ 203 u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */ 204 u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */ 205 u_int64_t pfsyncs_badact; /* bad action */ 206 u_int64_t pfsyncs_badlen; /* data length does not match */ 207 u_int64_t pfsyncs_badauth; /* bad authentication */ 208 u_int64_t pfsyncs_stale; /* stale state */ 209 u_int64_t pfsyncs_badval; /* bad values */ 210 u_int64_t pfsyncs_badstate; /* insert/lookup failed */ 211 212 u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */ 213 u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */ 214 u_int64_t pfsyncs_onomem; /* no memory for an mbuf */ 215 u_int64_t pfsyncs_oerrors; /* ip output error */ 216 }; 217 218 /* 219 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC 220 */ 221 struct pfsyncreq { 222 char pfsyncr_syncdev[IFNAMSIZ]; 223 struct in_addr pfsyncr_syncpeer; 224 int pfsyncr_maxupdates; 225 int pfsyncr_authlevel; 226 }; 227 #define SIOCSETPFSYNC _IOW('i', 247, struct ifreq) 228 #define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq) 229 230 #ifdef _KERNEL 231 void pfsync_input(struct mbuf *, ...); 232 int pfsync_clear_states(u_int32_t, char *); 233 int pfsync_pack_state(u_int8_t, struct pf_state *, int); 234 int pfsync_sysctl(int *, u_int, void *, size_t *, 235 void *, size_t); 236 void pfsync_state_export(struct pfsync_state *, 237 struct pf_state *); 238 239 #define PFSYNC_SI_IOCTL 0x01 240 #define PFSYNC_SI_CKSUM 0x02 241 int pfsync_state_import(struct pfsync_state *, u_int8_t); 242 243 #define pfsync_insert_state(st) do { \ 244 if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \ 245 (st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC)) \ 246 st->sync_flags |= PFSTATE_NOSYNC; \ 247 else if (!st->sync_flags) \ 248 pfsync_pack_state(PFSYNC_ACT_INS, (st), \ 249 PFSYNC_FLAG_COMPRESS); \ 250 st->sync_flags &= ~PFSTATE_FROMSYNC; \ 251 } while (0) 252 #define pfsync_update_state(st) do { \ 253 if (!st->sync_flags) \ 254 pfsync_pack_state(PFSYNC_ACT_UPD, (st), \ 255 PFSYNC_FLAG_COMPRESS); \ 256 st->sync_flags &= ~PFSTATE_FROMSYNC; \ 257 } while (0) 258 #define pfsync_delete_state(st) do { \ 259 if (!st->sync_flags) \ 260 pfsync_pack_state(PFSYNC_ACT_DEL, (st), \ 261 PFSYNC_FLAG_COMPRESS); \ 262 } while (0) 263 #endif 264 265 #endif /* _NET_IF_PFSYNC_H_ */ 266