1 1.23 rin /* $NetBSD: if_pfsync.c,v 1.23 2024/07/05 04:31:52 rin Exp $ */ 2 1.3 degroote /* $OpenBSD: if_pfsync.c,v 1.83 2007/06/26 14:44:12 mcbride Exp $ */ 3 1.1 itojun 4 1.1 itojun /* 5 1.1 itojun * Copyright (c) 2002 Michael Shalayeff 6 1.1 itojun * All rights reserved. 7 1.1 itojun * 8 1.1 itojun * Redistribution and use in source and binary forms, with or without 9 1.1 itojun * modification, are permitted provided that the following conditions 10 1.1 itojun * are met: 11 1.1 itojun * 1. Redistributions of source code must retain the above copyright 12 1.1 itojun * notice, this list of conditions and the following disclaimer. 13 1.1 itojun * 2. Redistributions in binary form must reproduce the above copyright 14 1.1 itojun * notice, this list of conditions and the following disclaimer in the 15 1.1 itojun * documentation and/or other materials provided with the distribution. 16 1.1 itojun * 17 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 1.1 itojun * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 1.1 itojun * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 1.1 itojun * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT, 21 1.1 itojun * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 1.1 itojun * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 1.1 itojun * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 1.1 itojun * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 1.1 itojun * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 1.1 itojun * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 27 1.1 itojun * THE POSSIBILITY OF SUCH DAMAGE. 
28 1.1 itojun */ 29 1.1 itojun 30 1.3 degroote #include <sys/cdefs.h> 31 1.23 rin __KERNEL_RCSID(0, "$NetBSD: if_pfsync.c,v 1.23 2024/07/05 04:31:52 rin Exp $"); 32 1.3 degroote 33 1.3 degroote #ifdef _KERNEL_OPT 34 1.3 degroote #include "opt_inet.h" 35 1.3 degroote #include "opt_inet6.h" 36 1.3 degroote #endif 37 1.1 itojun 38 1.1 itojun #include <sys/param.h> 39 1.1 itojun #include <sys/proc.h> 40 1.1 itojun #include <sys/systm.h> 41 1.1 itojun #include <sys/time.h> 42 1.1 itojun #include <sys/mbuf.h> 43 1.1 itojun #include <sys/socket.h> 44 1.1 itojun #include <sys/ioctl.h> 45 1.3 degroote #include <sys/callout.h> 46 1.3 degroote #include <sys/kernel.h> 47 1.1 itojun 48 1.1 itojun #include <net/if.h> 49 1.1 itojun #include <net/if_types.h> 50 1.1 itojun #include <net/route.h> 51 1.1 itojun #include <net/bpf.h> 52 1.3 degroote #include <netinet/in.h> 53 1.3 degroote #ifndef __NetBSD__ 54 1.3 degroote #include <netinet/if_ether.h> 55 1.3 degroote #else 56 1.3 degroote #include <net/if_ether.h> 57 1.3 degroote #endif /* __NetBSD__ */ 58 1.3 degroote #include <netinet/tcp.h> 59 1.3 degroote #include <netinet/tcp_seq.h> 60 1.1 itojun 61 1.1 itojun #ifdef INET 62 1.1 itojun #include <netinet/in_systm.h> 63 1.1 itojun #include <netinet/in_var.h> 64 1.1 itojun #include <netinet/ip.h> 65 1.1 itojun #include <netinet/ip_var.h> 66 1.1 itojun #endif 67 1.1 itojun 68 1.1 itojun #ifdef INET6 69 1.1 itojun #include <netinet6/nd6.h> 70 1.1 itojun #endif /* INET6 */ 71 1.1 itojun 72 1.3 degroote #include "carp.h" 73 1.3 degroote #if NCARP > 0 74 1.3 degroote extern int carp_suppress_preempt; 75 1.3 degroote #endif 76 1.3 degroote 77 1.1 itojun #include <net/pfvar.h> 78 1.1 itojun #include <net/if_pfsync.h> 79 1.1 itojun 80 1.3 degroote #ifdef __NetBSD__ 81 1.3 degroote #include <sys/conf.h> 82 1.3 degroote #include <sys/lwp.h> 83 1.3 degroote #include <sys/kauth.h> 84 1.3 degroote #include <sys/sysctl.h> 85 1.3 degroote 86 1.3 degroote #include <net/net_stats.h> 87 1.3 degroote 
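#include "ioconf.h"

/* Per-CPU statistics counters; allocated once in pfsyncattach(). */
percpu_t *pfsyncstat_percpu;

#define PFSYNC_STATINC(x) _NET_STATINC(pfsyncstat_percpu, x)
#endif /* __NetBSD__ */

#include "pfsync.h"

#define PFSYNC_MINMTU \
	(sizeof(struct pfsync_header) + sizeof(struct pf_state))

#ifdef PFSYNCDEBUG
#define DPRINTF(x) do { if (pfsyncdebug) printf x ; } while (0)
int pfsyncdebug;
#else
#define DPRINTF(x)
#endif

extern int ifqmaxlen; /* XXX */

/*
 * The one and only pfsync instance: pfsync_clone_create() refuses any
 * unit other than 0.  NULL while no pfsync0 exists; pfsync_input()
 * tests it before touching anything else.
 */
struct pfsync_softc *pfsyncif = NULL;

int pfsync_clone_create(struct if_clone *, int);
int pfsync_clone_destroy(struct ifnet *);
void pfsync_setmtu(struct pfsync_softc *, int);
int pfsync_alloc_scrub_memory(struct pfsync_state_peer *,
    struct pf_state_peer *);
int pfsync_insert_net_state(struct pfsync_state *, u_int8_t);
void pfsync_update_net_tdb(struct pfsync_tdb *);
int pfsyncoutput(struct ifnet *, struct mbuf *, const struct sockaddr *,
    const struct rtentry *);
int pfsyncioctl(struct ifnet *, u_long, void*);
void pfsyncstart(struct ifnet *);

struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **);
int pfsync_request_update(struct pfsync_state_upd *, struct in_addr *);
int pfsync_sendout(struct pfsync_softc *);
int pfsync_tdb_sendout(struct pfsync_softc *);
int pfsync_sendout_mbuf(struct pfsync_softc *, struct mbuf *);
void pfsync_timeout(void *);
void pfsync_tdb_timeout(void *);
void pfsync_send_bus(struct pfsync_softc *, u_int8_t);
void pfsync_bulk_update(void *);
void pfsync_bulkfail(void *);

/* Cleared while a bulk update is outstanding, set again on a valid end. */
int pfsync_sync_ok;

struct if_clone pfsync_cloner =
    IF_CLONE_INITIALIZER("pfsync", pfsync_clone_create, pfsync_clone_destroy);

/*
 * Autoconf attach hook.  Registers the interface cloner and allocates the
 * per-CPU statistics block.  npfsync is unused: instances are created on
 * demand through the cloner, never pre-allocated here.
 */
void
pfsyncattach(int npfsync)
{
	if_clone_attach(&pfsync_cloner);

	pfsyncstat_percpu = percpu_alloc(sizeof(uint64_t) * PFSYNC_NSTATS);
}

/*
 * Cloner create hook: bring up pfsync<unit>.
 *
 * Only unit 0 is accepted (EINVAL otherwise) because the driver keeps a
 * single global softc, pfsyncif.  Returns ENOMEM if the softc cannot be
 * allocated (M_NOWAIT), 0 on success.  The four callouts armed here all
 * receive the softc as their argument, so pfsync_clone_destroy() must
 * stop them before the softc is freed.
 */
int
pfsync_clone_create(struct if_clone *ifc, int unit)
{
	struct ifnet *ifp;

	if (unit != 0)
		return (EINVAL);

	pfsync_sync_ok = 1;
	if ((pfsyncif = malloc(sizeof(*pfsyncif), M_DEVBUF, M_NOWAIT)) == NULL)
		return (ENOMEM);
	/* Zero everything first; the explicit stores below document the fields. */
	memset(pfsyncif, 0, sizeof(*pfsyncif));
	pfsyncif->sc_mbuf = NULL;
	pfsyncif->sc_mbuf_net = NULL;
	pfsyncif->sc_mbuf_tdb = NULL;
	pfsyncif->sc_statep.s = NULL;
	pfsyncif->sc_statep_net.s = NULL;
	pfsyncif->sc_statep_tdb.t = NULL;
	pfsyncif->sc_maxupdates = 128;
	/* Default peer/destination is the pfsync multicast group. */
	pfsyncif->sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP;
	pfsyncif->sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP;
	pfsyncif->sc_ureq_received = 0;
	pfsyncif->sc_ureq_sent = 0;
	pfsyncif->sc_bulk_send_next = NULL;
	pfsyncif->sc_bulk_terminator = NULL;
	ifp = &pfsyncif->sc_if;
	snprintf(ifp->if_xname, sizeof ifp->if_xname, "pfsync%d", unit);
	ifp->if_softc = pfsyncif;
	ifp->if_ioctl = pfsyncioctl;
	ifp->if_output = pfsyncoutput;
	ifp->if_start = pfsyncstart;
	ifp->if_type = IFT_PFSYNC;
	ifp->if_snd.ifq_maxlen = ifqmaxlen;
	ifp->if_hdrlen = PFSYNC_HDRLEN;
	pfsync_setmtu(pfsyncif, ETHERMTU);

	callout_init(&pfsyncif->sc_tmo, 0);
	callout_init(&pfsyncif->sc_tdb_tmo, 0);
	callout_init(&pfsyncif->sc_bulk_tmo, 0);
	callout_init(&pfsyncif->sc_bulkfail_tmo, 0);
	callout_setfunc(&pfsyncif->sc_tmo, pfsync_timeout, pfsyncif);
	callout_setfunc(&pfsyncif->sc_tdb_tmo, pfsync_tdb_timeout, pfsyncif);
	callout_setfunc(&pfsyncif->sc_bulk_tmo, pfsync_bulk_update, pfsyncif);
	callout_setfunc(&pfsyncif->sc_bulkfail_tmo, pfsync_bulkfail, pfsyncif);

	if_attach(ifp);
	if_alloc_sadl(ifp);

	bpf_attach(&pfsyncif->sc_if, DLT_PFSYNC, PFSYNC_HDRLEN);

	return (0);
}

/*
 * Cloner destroy hook: tear down pfsync0 and release the global softc.
 *
 * The callouts armed in pfsync_clone_create() (and re-scheduled from
 * pfsync_input()) all point at the softc, so they are halted and
 * destroyed before anything is freed; otherwise a timer firing after
 * free() would dereference freed memory.  Packets that were being
 * assembled but never sent are dropped.  Always returns 0.
 *
 * NOTE(review): sc_imo (used by pfsyncioctl()) may still hold a multicast
 * membership joined when the sync device was configured; that path is
 * outside this view and is not released here — confirm.
 */
int
pfsync_clone_destroy(struct ifnet *ifp)
{
	struct pfsync_softc *sc = ifp->if_softc;

	/* Stop the timers first and wait for any handler already running. */
	callout_halt(&sc->sc_tmo, NULL);
	callout_halt(&sc->sc_tdb_tmo, NULL);
	callout_halt(&sc->sc_bulk_tmo, NULL);
	callout_halt(&sc->sc_bulkfail_tmo, NULL);
	callout_destroy(&sc->sc_tmo);
	callout_destroy(&sc->sc_tdb_tmo);
	callout_destroy(&sc->sc_bulk_tmo);
	callout_destroy(&sc->sc_bulkfail_tmo);

	bpf_detach(ifp);
	if_detach(ifp);

	/* Partially built packets that were never handed out; NULL is fine. */
	m_freem(sc->sc_mbuf);
	m_freem(sc->sc_mbuf_net);
	m_freem(sc->sc_mbuf_tdb);

	free(sc, M_DEVBUF);
	pfsyncif = NULL;
	return (0);
}

/*
 * Start output on the pfsync interface.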
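*/
/*
 * if_start hook.  Nothing is ever transmitted from if_snd: every mbuf
 * that lands on the queue is counted as a drop (IF_DROP) and freed.
 * The sync packets themselves are presumably produced by
 * pfsync_sendout(), which is outside this section.
 */
void
pfsyncstart(struct ifnet *ifp)
{
	struct mbuf *m;
	int s;

	for (;;) {
		s = splnet();
		IF_DROP(&ifp->if_snd);
		IF_DEQUEUE(&ifp->if_snd, m);
		splx(s);

		if (m == NULL)
			return;
		else
			m_freem(m);
	}
}

/*
 * Give the local peer d scrub storage when the wire-format peer s says it
 * carries scrub information (s->scrub.scrub_flag) and d has none yet.
 *
 * Returns 0 when d->scrub already exists or nothing was requested, and
 * ENOMEM if pf_state_scrub_pl is exhausted (d->scrub is left NULL).
 */
int
pfsync_alloc_scrub_memory(struct pfsync_state_peer *s,
    struct pf_state_peer *d)
{
	if (s->scrub.scrub_flag && d->scrub == NULL) {
		/* PR_NOWAIT: callers run from the softnet input path. */
		d->scrub = pool_get(&pf_state_scrub_pl, PR_NOWAIT);
		if (d->scrub == NULL)
			return (ENOMEM);
		memset(d->scrub, 0, sizeof(*d->scrub));
	}

	return (0);
}

/*
 * Create a local pf state from a state record received from a peer.
 *
 * sp is the wire-format record (network byte order); chksum_flag is
 * non-zero when the peer's ruleset checksum matched ours, which is the
 * only case in which sp->rule is trusted as an index into the active
 * filter ruleset (bounds-checked against rcount).  Otherwise the state is
 * attached to pf_default_rule.
 *
 * Returns 0 on success and also when the named interface is unknown (the
 * record is skipped, not an error); EINVAL for a zero creator id or when
 * pf_insert_state() rejects the state; ENOMEM when any pool is exhausted.
 * On every failure path everything allocated here is released again.
 */
int
pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
{
	struct pf_state *st = NULL;
	struct pf_state_key *sk = NULL;
	struct pf_rule *r = NULL;
	struct pfi_kif *kif;

	/*
	 * A zero creator id is never valid.  The rejection must not depend
	 * on the debug level; only the diagnostic does.
	 */
	if (sp->creatorid == 0) {
		if (pf_status.debug >= PF_DEBUG_MISC)
			printf("pfsync_insert_net_state: invalid creator id:"
			    " %08x\n", ntohl(sp->creatorid));
		return (EINVAL);
	}

	/*
	 * NOTE(review): sp->ifname comes off the wire and is not checked for
	 * NUL termination here; this assumes pfi_kif_get() bounds its own
	 * read — confirm.
	 */
	kif = pfi_kif_get(sp->ifname);
	if (kif == NULL) {
		if (pf_status.debug >= PF_DEBUG_MISC)
			printf("pfsync_insert_net_state: "
			    "unknown interface: %s\n", sp->ifname);
		/* skip this state */
		return (0);
	}

	/*
	 * If the ruleset checksums match, it's safe to associate the state
	 * with the rule of that number.
	 */
	if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && chksum_flag &&
	    ntohl(sp->rule) <
	    pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount)
		r = pf_main_ruleset.rules[
		    PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
	else
		r = &pf_default_rule;

	/* Honour the rule's state limit; st stays NULL when it is reached. */
	if (!r->max_states || r->states < r->max_states)
		st = pool_get(&pf_state_pl, PR_NOWAIT);
	if (st == NULL) {
		pfi_kif_unref(kif, PFI_KIF_REF_NONE);
		return (ENOMEM);
	}
	memset(st, 0, sizeof(*st));

	if ((sk = pf_alloc_state_key(st)) == NULL) {
		pool_put(&pf_state_pl, st);
		pfi_kif_unref(kif, PFI_KIF_REF_NONE);
		return (ENOMEM);
	}

	/* allocate memory for scrub info */
	if (pfsync_alloc_scrub_memory(&sp->src, &st->src) ||
	    pfsync_alloc_scrub_memory(&sp->dst, &st->dst)) {
		/* dst.scrub cannot be set here: dst is only tried after src. */
		pfi_kif_unref(kif, PFI_KIF_REF_NONE);
		if (st->src.scrub)
			pool_put(&pf_state_scrub_pl, st->src.scrub);
		pool_put(&pf_state_pl, st);
		pool_put(&pf_state_key_pl, sk);
		return (ENOMEM);
	}

	st->rule.ptr = r;
	/* XXX get pointers to nat_rule and anchor */

	/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
	r->states++;

	/* fill in the rest of the state entry */
	pf_state_host_ntoh(&sp->lan, &sk->lan);
	pf_state_host_ntoh(&sp->gwy, &sk->gwy);
	pf_state_host_ntoh(&sp->ext, &sk->ext);

	pf_state_peer_ntoh(&sp->src, &st->src);
	pf_state_peer_ntoh(&sp->dst, &st->dst);

	memcpy(&st->rt_addr, &sp->rt_addr, sizeof(st->rt_addr));
	/* The peer sends ages/remaining seconds; convert to local clock. */
	st->creation = time_second - ntohl(sp->creation);
	st->expire = ntohl(sp->expire) + time_second;

	sk->af = sp->af;
	sk->proto = sp->proto;
	sk->direction = sp->direction;
	st->log = sp->log;
	st->timeout = sp->timeout;
	st->allow_opts = sp->allow_opts;

	memcpy(&st->id, sp->id, sizeof(st->id));
	st->creatorid = sp->creatorid;
	/* Mark it as learnt from a peer so it is not synced straight back. */
	st->sync_flags = PFSTATE_FROMSYNC;

	if (pf_insert_state(kif, st)) {
		pfi_kif_unref(kif, PFI_KIF_REF_NONE);
		/* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
		r->states--;
		if (st->dst.scrub)
			pool_put(&pf_state_scrub_pl, st->dst.scrub);
		if (st->src.scrub)
			pool_put(&pf_state_scrub_pl, st->src.scrub);
		pool_put(&pf_state_pl, st);
		return (EINVAL);
	}

	return (0);
}

/*
 * Input handler for a received pfsync packet.  off and proto are the
 * usual protocol-handler arguments and are not used in this body.
 *
 * Admission control is the run of checks at the top: a configured sync
 * interface and a running pf, the packet having arrived on that
 * interface, an IP TTL of PFSYNC_DFLTTL, a complete pfsync header, the
 * protocol version and a known action code.  Nothing beyond that
 * authenticates the sender.  chksum_flag records whether the peer's
 * ruleset checksum matches ours; it gates rule lookup in
 * pfsync_insert_net_state().
 *
 * Ownership: m is consumed.  The done: label frees it.  m_pullup() and
 * m_pulldown() free the chain themselves when they fail, which is why
 * their failure paths may return without reaching done:.
 */
void
pfsync_input(struct mbuf *m, int off, int proto)
{
	struct ip *ip = mtod(m, struct ip *);
	struct pfsync_header *ph;
	struct pfsync_softc *sc = pfsyncif;
	struct pf_state *st;
	struct pf_state_key *sk;
	struct pf_state_cmp id_key;
	struct pfsync_state *sp;
	struct pfsync_state_upd *up;
	struct pfsync_state_del *dp;
	struct pfsync_state_clr *cp;
	struct pfsync_state_upd_req *rup;
	struct pfsync_state_bus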
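*bus;
	struct in_addr src;
	struct mbuf *mp;
	int iplen, action, error, i, s, count, offp, sfail, stale = 0;
	u_int8_t chksum_flag = 0;

	PFSYNC_STATINC(PFSYNC_STAT_IPACKETS);

	/* verify that we have a sync interface configured */
	if (!sc || !sc->sc_sync_ifp || !pf_status.running)
		goto done;

	/* verify that the packet came in on the right interface */
	if (sc->sc_sync_ifp->if_index != m->m_pkthdr.rcvif_index) {
		PFSYNC_STATINC(PFSYNC_STAT_BADIF);
		goto done;
	}

	/* verify that the IP TTL is 255. */
	if (ip->ip_ttl != PFSYNC_DFLTTL) {
		PFSYNC_STATINC(PFSYNC_STAT_BADTTL);
		goto done;
	}

	iplen = ip->ip_hl << 2;

	/* The whole pfsync header must be present before it is read. */
	if (m->m_pkthdr.len < iplen + sizeof(*ph)) {
		PFSYNC_STATINC(PFSYNC_STAT_HDROPS);
		goto done;
	}

	if (iplen + sizeof(*ph) > m->m_len) {
		/* m_pullup() frees the chain on failure, so done: sees NULL. */
		if ((m = m_pullup(m, iplen + sizeof(*ph))) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_HDROPS);
			goto done;
		}
		ip = mtod(m, struct ip *);
	}
	ph = (struct pfsync_header *)((char *)ip + iplen);

	/* verify the version */
	if (ph->version != PFSYNC_VERSION) {
		PFSYNC_STATINC(PFSYNC_STAT_BADVER);
		goto done;
	}

	action = ph->action;
	count = ph->count;

	/* make sure it's a valid action code */
	if (action >= PFSYNC_ACT_MAX) {
		PFSYNC_STATINC(PFSYNC_STAT_BADACT);
		goto done;
	}

	/* Cheaper to grab this now than having to mess with mbufs later */
	src = ip->ip_src;

	/* Peer runs the same ruleset: rule numbers in records are meaningful. */
	if (!bcmp(&ph->pf_chksum, &pf_status.pf_chksum, PF_MD5_DIGEST_LENGTH))
		chksum_flag++;

	/*
	 * Every case below first makes its payload contiguous with
	 * m_pulldown(), which frees the chain itself on failure; those
	 * paths therefore return instead of jumping to done:.
	 */
	switch (action) {
	case PFSYNC_ACT_CLR: {
		struct pf_state *nexts;
		struct pf_state_key *nextsk;
		struct pfi_kif *kif;
		u_int32_t creatorid;
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    sizeof(*cp), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}
		cp = (struct pfsync_state_clr *)(mp->m_data + offp);
		creatorid = cp->creatorid;

		s = splsoftnet();
		if (cp->ifname[0] == '\0') {
			/* Empty name: drop every state from that creator. */
			for (st = RB_MIN(pf_state_tree_id, &tree_id);
			    st; st = nexts) {
				nexts = RB_NEXT(pf_state_tree_id, &tree_id, st);
				if (st->creatorid == creatorid) {
					st->sync_flags |= PFSTATE_FROMSYNC;
					pf_unlink_state(st);
				}
			}
		} else {
			/*
			 * NOTE(review): kif is only tested for NULL; the loop
			 * below does not compare states against it, so an
			 * ifname-qualified clear removes every state from
			 * that creator just like the unqualified form.
			 * Confirm this is intended.
			 */
			if ((kif = pfi_kif_get(cp->ifname)) == NULL) {
				splx(s);
				/* m is still ours here: free it via done:. */
				goto done;
			}
			for (sk = RB_MIN(pf_state_tree_lan_ext,
			    &pf_statetbl_lan_ext); sk; sk = nextsk) {
				nextsk = RB_NEXT(pf_state_tree_lan_ext,
				    &pf_statetbl_lan_ext, sk);
				TAILQ_FOREACH(st, &sk->states, next) {
					if (st->creatorid == creatorid) {
						st->sync_flags |=
						    PFSTATE_FROMSYNC;
						pf_unlink_state(st);
					}
				}
			}
		}
		splx(s);

		break;
	}
	case PFSYNC_ACT_INS:
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*sp), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
		    i < count; i++, sp++) {
			/* check for invalid values */
			if (sp->timeout >= PFTM_MAX ||
			    sp->src.state > PF_TCPS_PROXY_DST ||
			    sp->dst.state > PF_TCPS_PROXY_DST ||
			    sp->direction > PF_OUT ||
			    (sp->af != AF_INET && sp->af != AF_INET6)) {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync_insert: PFSYNC_ACT_INS: "
					    "invalid value\n");
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}

			/* Only memory exhaustion aborts the whole packet. */
			if ((error = pfsync_insert_net_state(sp,
			    chksum_flag))) {
				if (error == ENOMEM) {
					splx(s);
					goto done;
				}
				continue;
			}
		}
		splx(s);
		break;
	case PFSYNC_ACT_UPD:
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*sp), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
		    i < count; i++, sp++) {
			int flags = PFSYNC_FLAG_STALE;

			/* check for invalid values */
			if (sp->timeout >= PFTM_MAX ||
			    sp->src.state > PF_TCPS_PROXY_DST ||
			    sp->dst.state > PF_TCPS_PROXY_DST) {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync_insert: PFSYNC_ACT_UPD: "
					    "invalid value\n");
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}

			memcpy(&id_key.id, sp->id, sizeof(id_key.id));
			id_key.creatorid = sp->creatorid;

			st = pf_find_state_byid(&id_key);
			if (st == NULL) {
				/* insert the update */
				if (pfsync_insert_net_state(sp, chksum_flag)) {
					PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				}
				continue;
			}
			sk = st->state_key;
			sfail = 0;
			if (sk->proto == IPPROTO_TCP) {
				/*
				 * The state should never go backwards except
				 * for syn-proxy states.  Neither should the
				 * sequence window slide backwards.
				 */
				if (st->src.state > sp->src.state &&
				    (st->src.state < PF_TCPS_PROXY_SRC ||
				    sp->src.state >= PF_TCPS_PROXY_SRC))
					sfail = 1;
				else if (SEQ_GT(st->src.seqlo,
				    ntohl(sp->src.seqlo)))
					sfail = 3;
				else if (st->dst.state > sp->dst.state) {
					/* There might still be useful
					 * information about the src state here,
					 * so import that part of the update,
					 * then "fail" so we send the updated
					 * state back to the peer who is missing
					 * our what we know. */
					pf_state_peer_ntoh(&sp->src, &st->src);
					/* XXX do anything with timeouts? */
					sfail = 7;
					flags = 0;
				} else if (st->dst.state >= TCPS_SYN_SENT &&
				    SEQ_GT(st->dst.seqlo, ntohl(sp->dst.seqlo)))
					sfail = 4;
			} else {
				/*
				 * Non-TCP protocol state machine always go
				 * forwards
				 */
				if (st->src.state > sp->src.state)
					sfail = 5;
				else if (st->dst.state > sp->dst.state)
					sfail = 6;
			}
			if (sfail) {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync: %s stale update "
					    "(%d) id: %016" PRIu64 " "
					    "creatorid: %08x\n",
					    (sfail < 7 ? "ignoring"
					    : "partial"), sfail,
					    be64toh(st->id),
					    ntohl(st->creatorid));
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);

				if (!(sp->sync_flags & PFSTATE_STALE)) {
					/* we have a better state, send it */
					if (sc->sc_mbuf != NULL && !stale)
						pfsync_sendout(sc);
					stale++;
					if (!st->sync_flags)
						pfsync_pack_state(
						    PFSYNC_ACT_UPD, st, flags);
				}
				continue;
			}
			/*
			 * Return value deliberately ignored: ENOMEM only
			 * means no scrub info is imported.  Presumably
			 * pf_state_peer_ntoh() tolerates d->scrub == NULL;
			 * confirm.
			 */
			pfsync_alloc_scrub_memory(&sp->dst, &st->dst);
			pf_state_peer_ntoh(&sp->src, &st->src);
			pf_state_peer_ntoh(&sp->dst, &st->dst);
			st->expire = ntohl(sp->expire) + time_second;
			st->timeout = sp->timeout;
		}
		if (stale && sc->sc_mbuf != NULL)
			pfsync_sendout(sc);
		splx(s);
		break;
	/*
	 * It's not strictly necessary for us to support the "uncompressed"
	 * delete action, but it's relatively simple and maintains consistency.
	 */
	case PFSYNC_ACT_DEL:
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*sp), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
		    i < count; i++, sp++) {
			memcpy(&id_key.id, sp->id, sizeof(id_key.id));
			id_key.creatorid = sp->creatorid;

			st = pf_find_state_byid(&id_key);
			if (st == NULL) {
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}
			st->sync_flags |= PFSTATE_FROMSYNC;
			pf_unlink_state(st);
		}
		splx(s);
		break;
	case PFSYNC_ACT_UPD_C: {
		int update_requested = 0;

		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*up), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		for (i = 0, up = (struct pfsync_state_upd *)(mp->m_data + offp);
		    i < count; i++, up++) {
			/* check for invalid values */
			if (up->timeout >= PFTM_MAX ||
			    up->src.state > PF_TCPS_PROXY_DST ||
			    up->dst.state > PF_TCPS_PROXY_DST) {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync_insert: "
					    "PFSYNC_ACT_UPD_C: "
					    "invalid value\n");
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}

			memcpy(&id_key.id, up->id, sizeof(id_key.id));
			id_key.creatorid = up->creatorid;

			st = pf_find_state_byid(&id_key);
			if (st == NULL) {
				/* We don't have this state. Ask for it. */
				error = pfsync_request_update(up, &src);
				if (error == ENOMEM) {
					splx(s);
					goto done;
				}
				update_requested = 1;
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}
			sk = st->state_key;
			sfail = 0;
			if (sk->proto == IPPROTO_TCP) {
				/*
				 * The state should never go backwards except
				 * for syn-proxy states.  Neither should the
				 * sequence window slide backwards.
				 */
				if (st->src.state > up->src.state &&
				    (st->src.state < PF_TCPS_PROXY_SRC ||
				    up->src.state >= PF_TCPS_PROXY_SRC))
					sfail = 1;
				else if (st->dst.state > up->dst.state)
					sfail = 2;
				else if (SEQ_GT(st->src.seqlo,
				    ntohl(up->src.seqlo)))
					sfail = 3;
				else if (st->dst.state >= TCPS_SYN_SENT &&
				    SEQ_GT(st->dst.seqlo, ntohl(up->dst.seqlo)))
					sfail = 4;
			} else {
				/*
				 * Non-TCP protocol state machine always go
				 * forwards
				 */
				if (st->src.state > up->src.state)
					sfail = 5;
				else if (st->dst.state > up->dst.state)
					sfail = 6;
			}
			if (sfail) {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync: ignoring stale update "
					    "(%d) id: %016" PRIu64 " "
					    "creatorid: %08x\n", sfail,
					    be64toh(st->id),
					    ntohl(st->creatorid));
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);

				/* we have a better state, send it out */
				if ((!stale || update_requested) &&
				    sc->sc_mbuf != NULL) {
					pfsync_sendout(sc);
					update_requested = 0;
				}
				stale++;
				if (!st->sync_flags)
					pfsync_pack_state(PFSYNC_ACT_UPD, st,
					    PFSYNC_FLAG_STALE);
				continue;
			}
			/* Return value ignored on purpose; see PFSYNC_ACT_UPD. */
			pfsync_alloc_scrub_memory(&up->dst, &st->dst);
			pf_state_peer_ntoh(&up->src, &st->src);
			pf_state_peer_ntoh(&up->dst, &st->dst);
			st->expire = ntohl(up->expire) + time_second;
			st->timeout = up->timeout;
		}
		if ((update_requested || stale) && sc->sc_mbuf)
			pfsync_sendout(sc);
		splx(s);
		break;
	}
	case PFSYNC_ACT_DEL_C:
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*dp), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		for (i = 0, dp = (struct pfsync_state_del *)(mp->m_data + offp);
		    i < count; i++, dp++) {
			memcpy(&id_key.id, dp->id, sizeof(id_key.id));
			id_key.creatorid = dp->creatorid;

			st = pf_find_state_byid(&id_key);
			if (st == NULL) {
				PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
				continue;
			}
			st->sync_flags |= PFSTATE_FROMSYNC;
			pf_unlink_state(st);
		}
		splx(s);
		break;
	case PFSYNC_ACT_INS_F:
	case PFSYNC_ACT_DEL_F:
		/* not implemented */
		break;
	case PFSYNC_ACT_UREQ:
		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    count * sizeof(*rup), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}

		s = splsoftnet();
		if (sc->sc_mbuf != NULL)
			pfsync_sendout(sc);
		for (i = 0,
		    rup = (struct pfsync_state_upd_req *)(mp->m_data + offp);
		    i < count; i++, rup++) {
			memcpy(&id_key.id, rup->id, sizeof(id_key.id));
			id_key.creatorid = rup->creatorid;

			/*
			 * An all-zero id/creatorid is the "send me everything"
			 * request: start a bulk update of the whole state list.
			 */
			if (id_key.id == 0 && id_key.creatorid == 0) {
				sc->sc_ureq_received = time_uptime;
				if (sc->sc_bulk_send_next == NULL)
					sc->sc_bulk_send_next =
					    TAILQ_FIRST(&state_list);
				sc->sc_bulk_terminator = sc->sc_bulk_send_next;
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync: received "
					    "bulk update request\n");
				pfsync_send_bus(sc, PFSYNC_BUS_START);
				callout_schedule(&sc->sc_bulk_tmo, 1 * hz);
			} else {
				st = pf_find_state_byid(&id_key);
				if (st == NULL) {
					PFSYNC_STATINC(PFSYNC_STAT_BADSTATE);
					continue;
				}
				if (!st->sync_flags)
					pfsync_pack_state(PFSYNC_ACT_UPD,
					    st, 0);
			}
		}
		if (sc->sc_mbuf != NULL)
			pfsync_sendout(sc);
		splx(s);
		break;
	case PFSYNC_ACT_BUS:
		/* If we're not waiting for a bulk update, who cares. */
		if (sc->sc_ureq_sent == 0)
			break;

		if ((mp = m_pulldown(m, iplen + sizeof(*ph),
		    sizeof(*bus), &offp)) == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_BADLEN);
			return;
		}
		bus = (struct pfsync_state_bus *)(mp->m_data + offp);
		switch (bus->status) {
		case PFSYNC_BUS_START:
			/*
			 * Failure timeout scaled to how many packets the
			 * bulk update may need.  NOTE(review): assumes
			 * sc_maxcount (set by pfsync_setmtu(), outside this
			 * view) is never zero — confirm.
			 */
			callout_schedule(&sc->sc_bulkfail_tmo,
			    pf_pool_limits[PF_LIMIT_STATES].limit /
			    (PFSYNC_BULKPACKETS * sc->sc_maxcount));
			if (pf_status.debug >= PF_DEBUG_MISC)
				printf("pfsync: received bulk "
				    "update start\n");
			break;
		case PFSYNC_BUS_END:
			/* Only accept an end that postdates our request. */
			if (time_uptime - ntohl(bus->endtime) >=
			    sc->sc_ureq_sent) {
				/* that's it, we're happy */
				sc->sc_ureq_sent = 0;
				sc->sc_bulk_tries = 0;
				callout_stop(&sc->sc_bulkfail_tmo);
#if NCARP > 0
				if (!pfsync_sync_ok)
					carp_suppress_preempt--;
#endif
				pfsync_sync_ok = 1;
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync: received valid "
					    "bulk update end\n");
			} else {
				if (pf_status.debug >= PF_DEBUG_MISC)
					printf("pfsync: received invalid "
					    "bulk update end: bad timestamp\n");
			}
			break;
		}
		break;
	}

done:
	m_freem(m);
}

/*
 * if_output hook.  pfsync is not a routable interface: anything handed
 * to it is dropped silently.  dst and rt are unused; always returns 0.
 */
int
pfsyncoutput(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
    const struct rtentry *rt)
{
	m_freem(m);
	return (0);
}
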
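/*
 * Leave the multicast group recorded in slot 0 of imo, if any, and forget
 * the interface it was bound to.  Shared by the "detach sync interface"
 * and "re-attach to a new sync interface" paths of SIOCSETPFSYNC.
 */
static void
pfsync_drop_membership(struct ip_moptions *imo)
{

	if (imo->imo_num_memberships > 0) {
		in_delmulti(imo->imo_membership[--imo->imo_num_memberships]);
		imo->imo_multicast_if_index = 0;
	}
}

/*
 * ioctl entry point for the pfsync interface.
 *
 * Besides the generic interface requests it handles:
 *   SIOCSIFMTU    - resize the pfsync packet to fit the new MTU;
 *   SIOCGETPFSYNC - copy sync device, peer and maxupdates out to userland;
 *   SIOCSETPFSYNC - (re)configure them, join the pfsync multicast group on
 *                   the sync device and request a bulk update from the peer.
 *
 * The two pfsync-specific requests are gated by kauth(9).  For
 * SIOCSETPFSYNC the user-supplied pfsyncreq is validated completely before
 * any field of the softc is modified, so a rejected request leaves the
 * previous configuration intact.
 *
 * Returns 0 on success or an errno value.
 */
/* ARGSUSED */
int
pfsyncioctl(struct ifnet *ifp, u_long cmd, void* data)
{
	struct lwp *l = curlwp;
	struct pfsync_softc *sc = ifp->if_softc;
	struct ifreq *ifr = (struct ifreq *)data;
	struct ip_moptions *imo = &sc->sc_imo;
	struct pfsyncreq pfsyncr;
	struct ifnet *sifp;
	int s, error;

	switch (cmd) {
	case SIOCSIFADDR:
	case SIOCAIFADDR:
	case SIOCSIFDSTADDR:
	case SIOCSIFFLAGS:
		if (ifp->if_flags & IFF_UP)
			ifp->if_flags |= IFF_RUNNING;
		else
			ifp->if_flags &= ~IFF_RUNNING;
		break;
	case SIOCSIFMTU:
		if (ifr->ifr_mtu < PFSYNC_MINMTU)
			return (EINVAL);
		/* A cluster is the largest packet buffer we ever allocate. */
		if (ifr->ifr_mtu > MCLBYTES)
			ifr->ifr_mtu = MCLBYTES;
		s = splnet();
		/* Shrinking: flush what is queued before it no longer fits. */
		if (ifr->ifr_mtu < ifp->if_mtu)
			pfsync_sendout(sc);
		pfsync_setmtu(sc, ifr->ifr_mtu);
		splx(s);
		break;
	case SIOCGETPFSYNC:
		if ((error = kauth_authorize_network(l->l_cred,
		    KAUTH_NETWORK_INTERFACE,
		    KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, ifp, (void *)cmd,
		    NULL)) != 0)
			return (error);
		/* Zero first so no kernel stack bytes reach userland. */
		memset(&pfsyncr, 0, sizeof(pfsyncr));
		if (sc->sc_sync_ifp)
			strlcpy(pfsyncr.pfsyncr_syncdev,
			    sc->sc_sync_ifp->if_xname,
			    sizeof(pfsyncr.pfsyncr_syncdev));
		pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer;
		pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates;
		if ((error = copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))))
			return (error);
		break;
	case SIOCSETPFSYNC:
		if ((error = kauth_authorize_network(l->l_cred,
		    KAUTH_NETWORK_INTERFACE,
		    KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd,
		    NULL)) != 0)
			return (error);
		if ((error = copyin(ifr->ifr_data, &pfsyncr, sizeof(pfsyncr))))
			return (error);

		/*
		 * Validate the whole request before touching sc, so that a
		 * rejected request cannot leave a half-applied configuration
		 * (peer changed, device not) behind.
		 */

		/*
		 * The device name is handed to ifunit() as a C string, so it
		 * must carry a terminating NUL inside its buffer.
		 */
		if (strnlen(pfsyncr.pfsyncr_syncdev,
		    sizeof(pfsyncr.pfsyncr_syncdev)) ==
		    sizeof(pfsyncr.pfsyncr_syncdev))
			return (EINVAL);
		/*
		 * sc_maxupdates is compared against the 8-bit per-entry
		 * update counter in pfsync_pack_state(); only 0..255 are
		 * meaningful.
		 */
		if (pfsyncr.pfsyncr_maxupdates < 0 ||
		    pfsyncr.pfsyncr_maxupdates > 255)
			return (EINVAL);
		sifp = NULL;
		if (pfsyncr.pfsyncr_syncdev[0] != '\0' &&
		    (sifp = ifunit(pfsyncr.pfsyncr_syncdev)) == NULL)
			return (EINVAL);

		/* The request is acceptable; apply it. */
		if (pfsyncr.pfsyncr_syncpeer.s_addr == 0)
			sc->sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP;
		else
			sc->sc_sync_peer.s_addr =
			    pfsyncr.pfsyncr_syncpeer.s_addr;
		sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;

		if (sifp == NULL) {
			/* No sync device: stop sending on the wire. */
			sc->sc_sync_ifp = NULL;
			if (sc->sc_mbuf_net != NULL) {
				/* Don't keep stale pfsync packets around. */
				s = splnet();
				m_freem(sc->sc_mbuf_net);
				sc->sc_mbuf_net = NULL;
				sc->sc_statep_net.s = NULL;
				splx(s);
			}
			pfsync_drop_membership(imo);
			break;
		}

		s = splnet();
		/*
		 * Flush the pending packet if it might not fit through the
		 * new sync device.
		 */
		if (sifp->if_mtu < sc->sc_if.if_mtu ||
		    (sc->sc_sync_ifp != NULL &&
		    sifp->if_mtu < sc->sc_sync_ifp->if_mtu) ||
		    sifp->if_mtu < MCLBYTES - sizeof(struct ip))
			pfsync_sendout(sc);
		sc->sc_sync_ifp = sifp;

		pfsync_setmtu(sc, sc->sc_if.if_mtu);

		/* Leave any group joined on the previous sync device. */
		pfsync_drop_membership(imo);

		if (sc->sc_sync_ifp &&
		    sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) {
			struct in_addr addr;

			if (!(sc->sc_sync_ifp->if_flags & IFF_MULTICAST)) {
				sc->sc_sync_ifp = NULL;
				splx(s);
				return (EADDRNOTAVAIL);
			}

			addr.s_addr = INADDR_PFSYNC_GROUP;

			if ((imo->imo_membership[0] =
			    in_addmulti(&addr, sc->sc_sync_ifp)) == NULL) {
				sc->sc_sync_ifp = NULL;
				splx(s);
				return (ENOBUFS);
			}
			imo->imo_num_memberships++;
			imo->imo_multicast_if_index =
			    if_get_index(sc->sc_sync_ifp);
			imo->imo_multicast_ttl = PFSYNC_DFLTTL;
			/* Our own updates must not be looped back to us. */
			imo->imo_multicast_loop = 0;
		}

		if (sc->sc_sync_ifp ||
		    sc->sc_sendaddr.s_addr != INADDR_PFSYNC_GROUP) {
			/* Request a full state table update. */
			sc->sc_ureq_sent = time_uptime;
#if NCARP > 0
			/*
			 * Balanced by the decrement made when pfsync_sync_ok
			 * is set again (bulk update end, or pfsync_bulkfail()).
			 */
			if (pfsync_sync_ok)
				carp_suppress_preempt++;
#endif
			pfsync_sync_ok = 0;
			if (pf_status.debug >= PF_DEBUG_MISC)
				printf("pfsync: requesting bulk update\n");
			callout_schedule(&sc->sc_bulkfail_tmo, 5 * hz);
			error = pfsync_request_update(NULL, NULL);
			if (error == ENOMEM) {
				splx(s);
				return (ENOMEM);
			}
			pfsync_sendout(sc);
		}
		splx(s);

		break;

	default:
		return ifioctl_common(ifp, cmd, data);
	}

	return (0);
}

/*
 * Size the pfsync packet for an MTU of mtu_req bytes, bounded by the sync
 * interface's MTU when one is configured.
 *
 * Sets sc_maxcount, the number of pfsync_state entries per packet, and
 * derives sc_if.if_mtu from it.  sc_maxcount is kept within 1..254:
 * pfsync_get_mbuf() sizes the packet as sc_maxcount entries plus the
 * header while pfsync_pack_state() always appends at least one entry, so
 * a count of 0 would overrun the allocation; 254 keeps the count below
 * the 255 sentinel pfsync_pack_state() uses for "no entry".  An MTU too
 * small for even the header is treated as "no payload" instead of
 * underflowing the size_t subtraction.
 */
void
pfsync_setmtu(struct pfsync_softc *sc, int mtu_req)
{
	int mtu;
	size_t payload;

	if (sc->sc_sync_ifp && sc->sc_sync_ifp->if_mtu < mtu_req)
		mtu = sc->sc_sync_ifp->if_mtu;
	else
		mtu = mtu_req;

	if (mtu <= (int)sizeof(struct pfsync_header))
		payload = 0;
	else
		payload = (size_t)mtu - sizeof(struct pfsync_header);

	sc->sc_maxcount = payload / sizeof(struct pfsync_state);
	if (sc->sc_maxcount < 1)
		sc->sc_maxcount = 1;
	if (sc->sc_maxcount > 254)
		sc->sc_maxcount = 254;
	sc->sc_if.if_mtu = sizeof(struct pfsync_header) +
	    sc->sc_maxcount * sizeof(struct pfsync_state);
}

/* Count one output error on the pfsync interface. */
static void
pfsync_oerror(struct pfsync_softc *sc)
{

#ifdef __NetBSD__
	if_statinc(&sc->sc_if, if_oerrors);
#else
	sc->sc_if.if_oerrors++;
#endif /* __NetBSD__ */
}

/*
 * Allocate and initialise an mbuf holding an empty pfsync packet for
 * action.  The packet is sized so that sc_maxcount entries of the action's
 * payload type (exactly one for CLR and BUS) fit after the header.  The
 * header is zeroed and filled in; pf_chksum is copied in for everything
 * but TDB updates.  The payload area is NOT zeroed: callers must clear
 * each entry they append before filling it.
 *
 * *sp is set to point just past the header, where the caller appends its
 * first entry.  The matching flush timer (sc_tdb_tmo or sc_tmo) is armed
 * for one second.
 *
 * Returns the mbuf, or NULL (with if_oerrors bumped) when no mbuf or
 * cluster is available or the computed length would not fit a cluster.
 */
struct mbuf *
pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp)
{
	struct pfsync_header *h;
	struct mbuf *m;
	int len;

	MGETHDR(m, M_DONTWAIT, MT_DATA);
	if (m == NULL) {
		pfsync_oerror(sc);
		return (NULL);
	}

	switch (action) {
	case PFSYNC_ACT_CLR:
		len = sizeof(struct pfsync_header) +
		    sizeof(struct pfsync_state_clr);
		break;
	case PFSYNC_ACT_UPD_C:
		len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd)) +
		    sizeof(struct pfsync_header);
		break;
	case PFSYNC_ACT_DEL_C:
		len = (sc->sc_maxcount * sizeof(struct pfsync_state_del)) +
		    sizeof(struct pfsync_header);
		break;
	case PFSYNC_ACT_UREQ:
		len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd_req)) +
		    sizeof(struct pfsync_header);
		break;
	case PFSYNC_ACT_BUS:
		len = sizeof(struct pfsync_header) +
		    sizeof(struct pfsync_state_bus);
		break;
	case PFSYNC_ACT_TDB_UPD:
		len = (sc->sc_maxcount * sizeof(struct pfsync_tdb)) +
		    sizeof(struct pfsync_header);
		break;
	default:
		len = (sc->sc_maxcount * sizeof(struct pfsync_state)) +
		    sizeof(struct pfsync_header);
		break;
	}

	if (len > MCLBYTES) {
		/*
		 * A cluster is the largest buffer we use; anything bigger
		 * would make the m_data adjustment below step backwards out
		 * of the cluster.
		 */
		m_free(m);
		pfsync_oerror(sc);
		return (NULL);
	}

	if (len > MHLEN) {
		MCLGET(m, M_DONTWAIT);
		if ((m->m_flags & M_EXT) == 0) {
			m_free(m);
			pfsync_oerror(sc);
			return (NULL);
		}
		/* Place the packet at the long-aligned tail of the cluster. */
		m->m_data += (MCLBYTES - len) &~ (sizeof(long) - 1);
	} else
		m_align(m, len);

	m_reset_rcvif(m);
	m->m_pkthdr.len = m->m_len = sizeof(struct pfsync_header);
	h = mtod(m, struct pfsync_header *);
	/* Fresh mbuf memory is not zeroed; never let old bytes go out. */
	memset(h, 0, sizeof(*h));
	h->version = PFSYNC_VERSION;
	h->af = 0;
	h->count = 0;
	h->action = action;
	if (action != PFSYNC_ACT_TDB_UPD)
		memcpy(&h->pf_chksum, &pf_status.pf_chksum,
		    PF_MD5_DIGEST_LENGTH);

	*sp = (void *)((char *)h + PFSYNC_HDRLEN);
	if (action == PFSYNC_ACT_TDB_UPD)
		callout_schedule(&sc->sc_tdb_tmo, hz);
	else
		callout_schedule(&sc->sc_tmo, hz);
	return (m);
}

/*
 * Queue a pfsync message of type action for state st into the pending
 * packet (sc_mbuf), opening a new packet when none is pending or the
 * pending one carries a different action.
 *
 * For PFSYNC_ACT_UPD with sc_maxupdates set, an update already queued for
 * the same state is refreshed in place rather than appended.  When flags
 * has PFSYNC_FLAG_COMPRESS and a sync interface is configured, the compact
 * UPD_C/DEL_C form is additionally built in sc_mbuf_net, which
 * pfsync_sendout() sends in place of the full packet.  PFSYNC_FLAG_STALE
 * marks the entry as stale.
 *
 * Also stamps st->pfsync_time.  The packet is flushed when it is full or
 * the entry has accumulated sc_maxupdates updates.
 *
 * Returns 0, EINVAL for an unknown action, ENOMEM when no mbuf could be
 * allocated, or the result of pfsync_sendout().  Does nothing (returns 0)
 * without a pfsync interface or when there is nobody to send to.
 */
int
pfsync_pack_state(u_int8_t action, struct pf_state *st, int flags)
{
	struct ifnet *ifp = NULL;
	struct pfsync_softc *sc = pfsyncif;
	struct pfsync_header *h, *h_net;
	struct pfsync_state *sp = NULL;
	struct pfsync_state_upd *up = NULL;
	struct pfsync_state_del *dp = NULL;
	struct pf_state_key *sk = st->state_key;
	struct pf_rule *r;
	u_long secs;
	int s, ret = 0;
	/* i == 255 means "no existing entry for this state in sc_mbuf". */
	u_int8_t i = 255, newaction = 0;

	if (sc == NULL)
		return (0);
	ifp = &sc->sc_if;

	/*
	 * If a packet falls in the forest and there's nobody around to
	 * hear, does it make a sound?
	 */
	if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL &&
	    sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) {
		/* Don't leave any stale pfsync packets hanging around. */
		if (sc->sc_mbuf != NULL) {
			m_freem(sc->sc_mbuf);
			sc->sc_mbuf = NULL;
			sc->sc_statep.s = NULL;
		}
		return (0);
	}

	if (action >= PFSYNC_ACT_MAX)
		return (EINVAL);

	s = splnet();
	if (sc->sc_mbuf == NULL) {
		if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
		    (void *)&sc->sc_statep.s)) == NULL) {
			splx(s);
			return (ENOMEM);
		}
		h = mtod(sc->sc_mbuf, struct pfsync_header *);
	} else {
		h = mtod(sc->sc_mbuf, struct pfsync_header *);
		if (h->action != action) {
			/* One action per packet: flush and start afresh. */
			pfsync_sendout(sc);
			if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
			    (void *)&sc->sc_statep.s)) == NULL) {
				splx(s);
				return (ENOMEM);
			}
			h = mtod(sc->sc_mbuf, struct pfsync_header *);
		} else {
			/*
			 * If it's an update, look in the packet to see if
			 * we already have an update for the state.
			 */
			if (action == PFSYNC_ACT_UPD && sc->sc_maxupdates) {
				struct pfsync_state *usp =
				    (void *)((char *)h + PFSYNC_HDRLEN);

				for (i = 0; i < h->count; i++) {
					if (!memcmp(usp->id, &st->id,
					    PFSYNC_ID_LEN) &&
					    usp->creatorid == st->creatorid) {
						sp = usp;
						sp->updates++;
						break;
					}
					usp++;
				}
			}
		}
	}

	secs = time_second;

	st->pfsync_time = time_uptime;

	if (sp == NULL) {
		/* not a "duplicate" update */
		i = 255;
		sp = sc->sc_statep.s++;
		sc->sc_mbuf->m_pkthdr.len =
		    sc->sc_mbuf->m_len += sizeof(struct pfsync_state);
		h->count++;
		/* The mbuf payload is uninitialised; clear before filling. */
		memset(sp, 0, sizeof(*sp));

		memcpy(sp->id, &st->id, sizeof(sp->id));
		sp->creatorid = st->creatorid;

		strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
		pf_state_host_hton(&sk->lan, &sp->lan);
		pf_state_host_hton(&sk->gwy, &sp->gwy);
		pf_state_host_hton(&sk->ext, &sp->ext);

		memcpy(&sp->rt_addr, &st->rt_addr, sizeof(sp->rt_addr));

		/* Times go out relative to now, so peers need no clock sync. */
		sp->creation = htonl(secs - st->creation);
		pf_state_counter_hton(st->packets[0], sp->packets[0]);
		pf_state_counter_hton(st->packets[1], sp->packets[1]);
		pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
		pf_state_counter_hton(st->bytes[1], sp->bytes[1]);
		/* -1 on the wire means "no rule" / "no anchor". */
		if ((r = st->rule.ptr) == NULL)
			sp->rule = htonl(-1);
		else
			sp->rule = htonl(r->nr);
		if ((r = st->anchor.ptr) == NULL)
			sp->anchor = htonl(-1);
		else
			sp->anchor = htonl(r->nr);
		sp->af = sk->af;
		sp->proto = sk->proto;
		sp->direction = sk->direction;
		sp->log = st->log;
		sp->allow_opts = st->allow_opts;
		sp->timeout = st->timeout;

		if (flags & PFSYNC_FLAG_STALE)
			sp->sync_flags |= PFSTATE_STALE;
	}

	pf_state_peer_hton(&st->src, &sp->src);
	pf_state_peer_hton(&st->dst, &sp->dst);

	if (st->expire <= secs)
		sp->expire = htonl(0);
	else
		sp->expire = htonl(st->expire - secs);

	/* do we need to build "compressed" actions for network transfer? */
	if (sc->sc_sync_ifp && flags & PFSYNC_FLAG_COMPRESS) {
		switch (action) {
		case PFSYNC_ACT_UPD:
			newaction = PFSYNC_ACT_UPD_C;
			break;
		case PFSYNC_ACT_DEL:
			newaction = PFSYNC_ACT_DEL_C;
			break;
		default:
			/* by default we just send the uncompressed states */
			break;
		}
	}

	if (newaction) {
		if (sc->sc_mbuf_net == NULL) {
			if ((sc->sc_mbuf_net = pfsync_get_mbuf(sc, newaction,
			    (void *)&sc->sc_statep_net.s)) == NULL) {
				splx(s);
				return (ENOMEM);
			}
		}
		h_net = mtod(sc->sc_mbuf_net, struct pfsync_header *);

		switch (newaction) {
		case PFSYNC_ACT_UPD_C:
			if (i != 255) {
				/*
				 * NOTE(review): this assumes entry i of
				 * sc_mbuf has a counterpart at the same index
				 * in sc_mbuf_net.  If sc_mbuf_net was only
				 * allocated just above, no such counterpart
				 * exists yet -- verify the two buffers are
				 * always kept in step.
				 */
				up = (void *)((char *)h_net +
				    PFSYNC_HDRLEN + (i * sizeof(*up)));
				up->updates++;
			} else {
				h_net->count++;
				sc->sc_mbuf_net->m_pkthdr.len =
				    sc->sc_mbuf_net->m_len += sizeof(*up);
				up = sc->sc_statep_net.u++;

				memset(up, 0, sizeof(*up));
				memcpy(up->id, &st->id, sizeof(up->id));
				up->creatorid = st->creatorid;
			}
			up->timeout = st->timeout;
			up->expire = sp->expire;
			up->src = sp->src;
			up->dst = sp->dst;
			break;
		case PFSYNC_ACT_DEL_C:
			sc->sc_mbuf_net->m_pkthdr.len =
			    sc->sc_mbuf_net->m_len += sizeof(*dp);
			dp = sc->sc_statep_net.d++;
			h_net->count++;

			memset(dp, 0, sizeof(*dp));
			memcpy(dp->id, &st->id, sizeof(dp->id));
			dp->creatorid = st->creatorid;
			break;
		}
	}

	if (h->count == sc->sc_maxcount ||
	    (sc->sc_maxupdates && (sp->updates >= sc->sc_maxupdates)))
		ret = pfsync_sendout(sc);

	splx(s);
	return (ret);
}

/*
 * Queue a state update request.  With up == NULL the request is for a
 * bulk update (all-zero id and creatorid); otherwise it asks the peer for
 * the state identified by up.  When src is given it becomes the
 * destination of the next packet sent (sc_sendaddr).
 *
 * Must be called at splnet().  Returns 0, ENOMEM if no mbuf could be
 * allocated, or the result of pfsync_sendout() when the packet filled up.
 */
int
pfsync_request_update(struct pfsync_state_upd *up, struct in_addr *src)
{
	struct pfsync_header *h;
	struct pfsync_softc *sc = pfsyncif;
	struct pfsync_state_upd_req *rup;
	int ret = 0;

	if (sc == NULL)
		return (0);

	if (sc->sc_mbuf == NULL) {
		if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
		    (void *)&sc->sc_statep.s)) == NULL)
			return (ENOMEM);
		h = mtod(sc->sc_mbuf, struct pfsync_header *);
	} else {
		h = mtod(sc->sc_mbuf, struct pfsync_header *);
		if (h->action != PFSYNC_ACT_UREQ) {
			/* One action per packet: flush and start afresh. */
			pfsync_sendout(sc);
			if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
			    (void *)&sc->sc_statep.s)) == NULL)
				return (ENOMEM);
			h = mtod(sc->sc_mbuf, struct pfsync_header *);
		}
	}

	if (src != NULL)
		sc->sc_sendaddr = *src;
	sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*rup);
	h->count++;
	rup = sc->sc_statep.r++;
	/* Zero id/creatorid is the "send me everything" request. */
	memset(rup, 0, sizeof(*rup));
	if (up != NULL) {
		memcpy(rup->id, up->id, sizeof(rup->id));
		rup->creatorid = up->creatorid;
	}

	if (h->count == sc->sc_maxcount)
		ret = pfsync_sendout(sc);

	return (ret);
}

/*
 * Send a PFSYNC_ACT_CLR message telling peers to drop the states created
 * by creatorid, restricted to ifname when it is not NULL.  Any pending
 * packet is flushed first; the CLR packet itself is sent immediately.
 *
 * Returns 0 without a pfsync interface, ENOMEM if no mbuf could be
 * allocated, or the result of pfsync_sendout().
 */
int
pfsync_clear_states(u_int32_t creatorid, char *ifname)
{
	struct pfsync_softc *sc = pfsyncif;
	struct pfsync_state_clr *cp;
	int s, ret;

	if (sc == NULL)
		return (0);

	s = splnet();
	if (sc->sc_mbuf != NULL)
		pfsync_sendout(sc);
	if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_CLR,
	    (void *)&sc->sc_statep.c)) == NULL) {
		splx(s);
		return (ENOMEM);
	}
	sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*cp);
	cp = sc->sc_statep.c;
	/*
	 * pfsync_get_mbuf() leaves the payload uninitialised; clear the
	 * entry so ifname goes out as zeros when no name is given instead
	 * of whatever the mbuf held before.
	 */
	memset(cp, 0, sizeof(*cp));
	cp->creatorid = creatorid;
	if (ifname != NULL)
		strlcpy(cp->ifname, ifname, IFNAMSIZ);

	ret = (pfsync_sendout(sc));
	splx(s);
	return (ret);
}

/* sc_tmo callout: flush the pending state packet. */
void
pfsync_timeout(void *v)
{
	struct pfsync_softc *sc = v;
	int s;

	s = splnet();
	pfsync_sendout(sc);
	splx(s);
}

/* sc_tdb_tmo callout: flush the pending TDB packet. */
void
pfsync_tdb_timeout(void *v)
{
	struct pfsync_softc *sc = v;
	int s;

	s = splnet();
	pfsync_tdb_sendout(sc);
	splx(s);
}

/*
 * Send a bulk update status message (PFSYNC_BUS_START or PFSYNC_BUS_END)
 * to the peers, stamped with the time elapsed since the bulk request was
 * received.  Flushes any pending packet first.  Nothing is sent unless
 * pfsync_sync_ok is set.
 *
 * This must be called in splnet().
 */
void
pfsync_send_bus(struct pfsync_softc *sc, u_int8_t status)
{
	struct pfsync_state_bus *bus;

	if (sc->sc_mbuf != NULL)
		pfsync_sendout(sc);

	if (pfsync_sync_ok &&
	    (sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_BUS,
	    (void *)&sc->sc_statep.b)) != NULL) {
		sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*bus);
		bus = sc->sc_statep.b;
		/*
		 * The payload is uninitialised mbuf memory; zero it so any
		 * padding or unassigned bytes do not leak onto the wire.
		 */
		memset(bus, 0, sizeof(*bus));
		bus->creatorid = pf_status.hostid;
		bus->status = status;
		bus->endtime = htonl(time_uptime - sc->sc_ureq_received);
		pfsync_sendout(sc);
	}
}

/*
 * sc_bulk_tmo callout: send the next batch of a bulk update.
 *
 * Walks state_list from sc_bulk_send_next, wrapping at the end, and packs
 * every syncable state not yet sent since the request arrived
 * (pfsync_time <= sc_ureq_received), stopping after
 * sc_maxcount * PFSYNC_BULKPACKETS states or when sc_bulk_terminator is
 * reached.  Once the walk is complete a PFSYNC_BUS_END is sent and the
 * bulk bookkeeping is reset; otherwise the callout is re-armed for the
 * next tick with the walk position saved in sc_bulk_send_next.
 */
void
pfsync_bulk_update(void *v)
{
	struct pfsync_softc *sc = v;
	int s, i = 0;
	struct pf_state *state;

	s = splnet();
	if (sc->sc_mbuf != NULL)
		pfsync_sendout(sc);

	/*
	 * Grab at most PFSYNC_BULKPACKETS worth of states which have not
	 * been sent since the latest request was made.
	 */
	state = sc->sc_bulk_send_next;
	if (state)
		do {
			/* send state update if syncable and not already sent */
			if (!state->sync_flags
			    && state->timeout < PFTM_MAX
			    && state->pfsync_time <= sc->sc_ureq_received) {
				pfsync_pack_state(PFSYNC_ACT_UPD, state, 0);
				i++;
			}

			/* figure next state to send */
			state = TAILQ_NEXT(state, entry_list);

			/* wrap to start of list if we hit the end */
			if (!state)
				state = TAILQ_FIRST(&state_list);
		} while (i < sc->sc_maxcount * PFSYNC_BULKPACKETS &&
		    state != sc->sc_bulk_terminator);

	if (!state || state == sc->sc_bulk_terminator) {
		/* we're done */
		pfsync_send_bus(sc, PFSYNC_BUS_END);
		sc->sc_ureq_received = 0;
		sc->sc_bulk_send_next = NULL;
		sc->sc_bulk_terminator = NULL;
		callout_stop(&sc->sc_bulk_tmo);
		if (pf_status.debug >= PF_DEBUG_MISC)
			printf("pfsync: bulk update complete\n");
	} else {
		/* look again for more in a bit */
		callout_schedule(&sc->sc_bulk_tmo, 1);
		sc->sc_bulk_send_next = state;
	}
	if (sc->sc_mbuf != NULL)
		pfsync_sendout(sc);
	splx(s);
}

/*
 * sc_bulkfail_tmo callout: the bulk update we asked for did not complete
 * in time.  Re-request it up to PFSYNC_MAX_BULKTRIES times; after that
 * give up, declare ourselves in sync anyway and release the
 * carp_suppress_preempt hold taken when the request was made.
 */
void
pfsync_bulkfail(void *v)
{
	struct pfsync_softc *sc = v;
	int s, error;

	if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) {
		/* Try again in a bit */
		callout_schedule(&sc->sc_bulkfail_tmo, 5 * hz);
		s = splnet();
		error = pfsync_request_update(NULL, NULL);
		if (error == ENOMEM) {
			if (pf_status.debug >= PF_DEBUG_MISC)
				printf("pfsync: cannot allocate mbufs for "
				    "bulk update\n");
		} else
			pfsync_sendout(sc);
		splx(s);
	} else {
		/* Pretend like the transfer was ok */
		sc->sc_ureq_sent = 0;
		sc->sc_bulk_tries = 0;
#if NCARP > 0
		if (!pfsync_sync_ok)
			carp_suppress_preempt--;
#endif
		pfsync_sync_ok = 1;
		if (pf_status.debug >= PF_DEBUG_MISC)
			printf("pfsync: failed to receive "
			    "bulk update status\n");
		callout_stop(&sc->sc_bulkfail_tmo);
	}
}

/*
 * Flush the pending packet.  sc_mbuf is always handed to bpf; on the
 * wire, the compact sc_mbuf_net packet (when one exists) is sent in its
 * place and the full packet is dropped.  Both buffer pointers and their
 * append cursors are cleared.
 *
 * This must be called in splnet().  Returns the result of
 * pfsync_sendout_mbuf(), or 0 when nothing was pending.
 */
int
pfsync_sendout(struct pfsync_softc *sc)
{
	struct ifnet *ifp = &sc->sc_if;
	struct mbuf *m;

	callout_stop(&sc->sc_tmo);

	if (sc->sc_mbuf == NULL)
		return (0);
	m = sc->sc_mbuf;
	sc->sc_mbuf = NULL;
	sc->sc_statep.s = NULL;

	bpf_mtap(ifp, m, BPF_D_OUT);

	if (sc->sc_mbuf_net) {
		m_freem(m);
		m = sc->sc_mbuf_net;
		sc->sc_mbuf_net = NULL;
		sc->sc_statep_net.s = NULL;
	}

	return pfsync_sendout_mbuf(sc, m);
}

/*
 * Flush the pending TDB packet (sc_mbuf_tdb) to bpf and the wire.
 * Returns the result of pfsync_sendout_mbuf(), or 0 when nothing was
 * pending.
 */
int
pfsync_tdb_sendout(struct pfsync_softc *sc)
{
	struct ifnet *ifp = &sc->sc_if;
	struct mbuf *m;

	callout_stop(&sc->sc_tdb_tmo);

	if (sc->sc_mbuf_tdb == NULL)
		return (0);
	m = sc->sc_mbuf_tdb;
	sc->sc_mbuf_tdb = NULL;
	sc->sc_statep_tdb.t = NULL;

	bpf_mtap(ifp, m, BPF_D_OUT);

	return pfsync_sendout_mbuf(sc, m);
}

/*
 * Prepend an IPv4 header to m and hand it to ip_output(), destined to
 * sc_sendaddr (the pfsync multicast group or the configured peer).
 * sc_sendaddr is reset to sc_sync_peer afterwards, so a one-off
 * destination set through pfsync_request_update() applies to a single
 * packet.  The packet is simply freed when there is no sync interface and
 * the peer is still the default multicast group.
 *
 * Always consumes m and returns 0; output failures are only reflected in
 * the pfsync statistics.
 */
int
pfsync_sendout_mbuf(struct pfsync_softc *sc, struct mbuf *m)
{
	struct ip *ip;

	if (sc->sc_sync_ifp ||
	    sc->sc_sync_peer.s_addr != INADDR_PFSYNC_GROUP) {
		M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
		if (m == NULL) {
			PFSYNC_STATINC(PFSYNC_STAT_ONOMEM);
			return (0);
		}
		ip = mtod(m, struct ip *);
		ip->ip_v = IPVERSION;
		ip->ip_hl = sizeof(*ip) >> 2;
		ip->ip_tos = IPTOS_LOWDELAY;
		ip->ip_len = htons(m->m_pkthdr.len);
		ip->ip_id = ip_randomid();
		/* Never fragment: a pfsync packet is sized to the MTU. */
		ip->ip_off = htons(IP_DF);
		ip->ip_ttl = PFSYNC_DFLTTL;
		ip->ip_p = IPPROTO_PFSYNC;
		ip->ip_sum = 0;

		ip->ip_src.s_addr = INADDR_ANY;

		if (sc->sc_sendaddr.s_addr == INADDR_PFSYNC_GROUP)
			m->m_flags |= M_MCAST;
		ip->ip_dst = sc->sc_sendaddr;
		sc->sc_sendaddr.s_addr = sc->sc_sync_peer.s_addr;

		PFSYNC_STATINC(PFSYNC_STAT_OPACKETS);

		if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)) {
			PFSYNC_STATINC(PFSYNC_STAT_OERRORS);
		}
	} else
		m_freem(m);

	return (0);
}

/* sysctl handler exporting the per-CPU pfsync statistics. */
static int
sysctl_net_inet_pfsync_stats(SYSCTLFN_ARGS)
{

	return (NETSTAT_SYSCTL(pfsyncstat_percpu, PFSYNC_NSTATS));
}

/* Create the read-only net.inet.pfsync.stats sysctl node. */
SYSCTL_SETUP(sysctl_net_inet_pfsync_setup, "sysctl net.inet.pfsync subtree setup")
{

	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "net", NULL,
	    NULL, 0, NULL, 0,
	    CTL_NET, CTL_EOL);
	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "inet", NULL,
	    NULL, 0, NULL, 0,
	    CTL_NET, PF_INET, CTL_EOL);
	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "pfsync",
	    SYSCTL_DESCR("pfsync related settings"),
	    NULL, 0, NULL, 0,
	    CTL_NET, PF_INET, IPPROTO_PFSYNC, CTL_EOL);
	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READONLY,
	    CTLTYPE_STRUCT, "stats",
	    SYSCTL_DESCR("pfsync statistics"),
	    sysctl_net_inet_pfsync_stats, 0, NULL, 0,
	    CTL_NET, PF_INET, IPPROTO_PFSYNC,
	    CTL_CREATE, CTL_EOL);
}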