/* $OpenBSD: if_pfsync.h,v 1.13 2004/03/22 04:54:17 mcbride Exp $ */
2 1.1 itojun
3 1.1 itojun /*
4 1.1 itojun * Copyright (c) 2001 Michael Shalayeff
5 1.1 itojun * All rights reserved.
6 1.1 itojun *
7 1.1 itojun * Redistribution and use in source and binary forms, with or without
8 1.1 itojun * modification, are permitted provided that the following conditions
9 1.1 itojun * are met:
10 1.1 itojun * 1. Redistributions of source code must retain the above copyright
11 1.1 itojun * notice, this list of conditions and the following disclaimer.
12 1.1 itojun * 2. Redistributions in binary form must reproduce the above copyright
13 1.1 itojun * notice, this list of conditions and the following disclaimer in the
14 1.1 itojun * documentation and/or other materials provided with the distribution.
15 1.1 itojun *
16 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 1.1 itojun * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 1.1 itojun * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 1.1 itojun * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20 1.1 itojun * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 1.1 itojun * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 1.1 itojun * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 1.1 itojun * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 1.1 itojun * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 1.1 itojun * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26 1.1 itojun * THE POSSIBILITY OF SUCH DAMAGE.
27 1.1 itojun */
28 1.1 itojun
29 1.1 itojun #ifndef _NET_IF_PFSYNC_H_
30 1.1 itojun #define _NET_IF_PFSYNC_H_
31 1.1 itojun
32 1.1 itojun
/* Byte length of a state id on the wire; struct pfsync_state carries it as u_int32_t id[2]. */
#define PFSYNC_ID_LEN sizeof(u_int64_t)
34 1.1 itojun
/*
 * Wire image of a state's scrub parameters (8 bytes).  This is part of a
 * pfsync packet payload and is __packed: the declared order is the on-wire
 * order, so fields must not be reordered or widened.
 * NOTE(review): pf_state_peer_hton()/_ntoh() below do not touch this
 * record, so whether pfss_flags and pfss_ts_mod are byte-swapped is not
 * visible in this file -- confirm in the packer before relying on them.
 */
struct pfsync_state_scrub {
	u_int16_t pfss_flags;
	u_int8_t pfss_ttl; /* stashed TTL */
	u_int8_t scrub_flag;
	u_int32_t pfss_ts_mod; /* timestamp modulation */
} __packed;
41 1.1 itojun
/*
 * Wire image of one endpoint (address + port) of a state.
 * pf_state_host_hton()/_ntoh() below copy the port without a byte swap, so
 * it is presumably already held in network byte order inside pf -- verify
 * against the pf state code.
 * NOTE(review): pad[] is transmitted; if the sender does not zero it, stale
 * kernel memory leaks onto the sync segment.
 */
struct pfsync_state_host {
	struct pf_addr addr;
	u_int16_t port;
	u_int16_t pad[3];
} __packed;
47 1.1 itojun
/*
 * Wire image of one direction (src or dst) of a state (32 bytes).
 * pf_state_peer_hton()/_ntoh() below convert seqlo, seqhi, seqdiff,
 * max_win and mss and copy state and wscale; scrub, scrub_flag and pad are
 * not touched by those macros, so any handling of those fields happens
 * elsewhere.  __packed: do not reorder or widen fields.
 */
struct pfsync_state_peer {
	struct pfsync_state_scrub scrub; /* state is scrubbed */
	u_int32_t seqlo; /* Max sequence number sent */
	u_int32_t seqhi; /* Max the other end ACKd + win */
	u_int32_t seqdiff; /* Sequence number modulator */
	u_int16_t max_win; /* largest window (pre scaling) */
	u_int16_t mss; /* Maximum segment size option */
	u_int8_t state; /* active state level */
	u_int8_t wscale; /* window scaling factor */
	u_int8_t scrub_flag;
	u_int8_t pad[5]; /* NOTE(review): transmitted; zero it when packing or kernel memory leaks */
} __packed;
60 1.1 itojun
/*
 * Full ("uncompressed") wire image of a pf state: the record type for
 * PFSYNC_ACT_INS / PFSYNC_ACT_UPD and presumably what answers a
 * PFSYNC_ACT_UREQ.  Every field arrives from the network and is only as
 * trustworthy as the sender; an accepted INS installs a state in this
 * host's table, so the input-side checks reflected by struct pfsyncstats
 * (interface, TTL, version, length) are all that separates a spoofed
 * packet from the state table -- nothing in this header authenticates it.
 * __packed: the declared order is the on-wire order.
 */
struct pfsync_state {
	u_int32_t id[2]; /* 64-bit state id as two words (see PFSYNC_ID_LEN) */
	char ifname[IFNAMSIZ]; /* NOTE(review): not guaranteed NUL-terminated on the wire; bound every read */
	struct pfsync_state_host lan;
	struct pfsync_state_host gwy;
	struct pfsync_state_host ext;
	struct pfsync_state_peer src;
	struct pfsync_state_peer dst;
	struct pf_addr rt_addr;
	u_int32_t rule; /* rule references are plain u_int32_t; presumably only meaningful if both peers load the same ruleset */
	u_int32_t anchor;
	u_int32_t nat_rule;
	u_int32_t creation;
	u_int32_t expire;
	u_int32_t packets[2]; /* two 32-bit counters; per-direction vs. split 64-bit is not determinable here */
	u_int32_t bytes[2];
	u_int32_t creatorid; /* paired with id as the lookup key in the _upd/_del/_upd_req records; presumably identifies the originating host */
	sa_family_t af;
	u_int8_t proto;
	u_int8_t direction;
	u_int8_t log;
	u_int8_t allow_opts;
	u_int8_t timeout;
	u_int8_t sync_flags;
	u_int8_t updates;
} __packed;
87 1.1 itojun
/*
 * Compact state update: identifies the state by (id, creatorid) instead of
 * repeating the full tuple and carries only the fields that change.
 * Presumably the record type for PFSYNC_ACT_UPD_C ("compressed" update).
 * A receiver that cannot find (id, creatorid) cannot apply it; the
 * pfsyncs_badstate counter ("insert/lookup failed") reflects that case.
 * NOTE(review): pad[] is transmitted -- zero it when packing.
 */
struct pfsync_state_upd {
	u_int32_t id[2];
	struct pfsync_state_peer src;
	struct pfsync_state_peer dst;
	u_int32_t creatorid;
	u_int32_t expire;
	u_int8_t timeout;
	u_int8_t updates;
	u_int8_t pad[6];
} __packed;
98 1.1 itojun
/*
 * Compact state delete (16 bytes): names the state by (id, creatorid) and
 * carries one state byte per direction.  Presumably the record type for
 * PFSYNC_ACT_DEL_C ("compressed" delete).  Like every record in this
 * protocol it is unauthenticated: a forged delete for a guessed id tears
 * down a live connection's state.
 */
struct pfsync_state_del {
	u_int32_t id[2];
	u_int32_t creatorid;
	struct {
		u_int8_t state;
	} src;
	struct {
		u_int8_t state;
	} dst;
	u_int8_t pad[2]; /* transmitted; zero when packing */
} __packed;
110 1.1 itojun
/*
 * Request for the full ("uncompressed") image of one state, named by
 * (id, creatorid) -- the record behind PFSYNC_ACT_UREQ (16 bytes).
 */
struct pfsync_state_upd_req {
	u_int32_t id[2];
	u_int32_t creatorid;
	u_int32_t pad; /* transmitted; zero when packing */
} __packed;
116 1.1 itojun
/*
 * Record for PFSYNC_ACT_CLR ("clear all states"): names an interface and a
 * creatorid, matching the (u_int32_t, char *) arguments of
 * pfsync_clear_states().  This is the most damaging record to spoof --
 * presumably one accepted CLR drops every state the peer created -- and
 * nothing in this header authenticates it, so the sync link must be
 * isolated or protected by IPsec.
 * NOTE(review): ifname is not guaranteed NUL-terminated on the wire.
 */
struct pfsync_state_clr {
	char ifname[IFNAMSIZ];
	u_int32_t creatorid;
	u_int32_t pad; /* transmitted; zero when packing */
} __packed;
122 1.1 itojun
/*
 * Bulk Update Status record (PFSYNC_ACT_BUS, 16 bytes): the peer
 * identified by creatorid announces the start (PFSYNC_BUS_START) or end
 * (PFSYNC_BUS_END) of a bulk state transfer.  endtime is a u_int32_t whose
 * units are not shown in this file.
 */
struct pfsync_state_bus {
	u_int32_t creatorid;
	u_int32_t endtime;
	u_int8_t status; /* PFSYNC_BUS_START or PFSYNC_BUS_END */
#define PFSYNC_BUS_START 1
#define PFSYNC_BUS_END 2
	u_int8_t pad[7]; /* transmitted; zero when packing */
} __packed;
131 1.1 itojun
132 1.1 itojun #ifdef _KERNEL
133 1.1 itojun
/*
 * Typed cursor into the record area of a packet being assembled
 * (sc_statep / sc_statep_net in struct pfsync_softc): one pointer member
 * per record type, to be used through the member that matches the
 * packet's action so that pointer arithmetic has the right stride.
 */
union sc_statep {
	struct pfsync_state *s;
	struct pfsync_state_upd *u;
	struct pfsync_state_del *d;
	struct pfsync_state_clr *c;
	struct pfsync_state_bus *b;
	struct pfsync_state_upd_req *r;
};
142 1.1 itojun
/* Defined in the pfsync implementation; the name suggests "state table is in sync with the peer" (e.g. after a bulk update) -- verify there before relying on it. */
extern int pfsync_sync_ok;
144 1.1 itojun
/*
 * Per-instance kernel state of the pfsync interface.  Field meanings below
 * that go beyond the type are read from the names and the rest of this
 * header and should be confirmed in if_pfsync.c.
 */
struct pfsync_softc {
	struct ifnet sc_if; /* the pfsync interface itself */
	struct ifnet *sc_sync_ifp; /* interface the sync packets travel on; presumably set from pfsyncreq.pfsyncr_syncif */

	struct ip_moptions sc_imo; /* IPv4 multicast options for sending */
	struct timeout sc_tmo; /* send timer (presumably) */
	struct timeout sc_bulk_tmo; /* bulk-update pacing timer, see PFSYNC_BULKPACKETS */
	struct timeout sc_bulkfail_tmo; /* bulk-update failure timer */
	struct in_addr sc_sendaddr; /* destination address for sync packets (presumably) */
	struct mbuf *sc_mbuf; /* current cumulative mbuf */
	struct mbuf *sc_mbuf_net; /* current cumulative mbuf; the "_net" variant's role is not shown here */
	union sc_statep sc_statep; /* next record slot in sc_mbuf */
	union sc_statep sc_statep_net; /* next record slot in sc_mbuf_net */
	u_int32_t sc_ureq_received; /* update requests seen / sent; exact use not shown here */
	u_int32_t sc_ureq_sent;
	int sc_bulk_tries; /* presumably bounded by PFSYNC_MAX_BULKTRIES */
	int sc_maxcount; /* number of states in mtu */
	int sc_maxupdates; /* number of updates/state; presumably from pfsyncreq.pfsyncr_maxupdates */
};
164 1.1 itojun #endif
165 1.1 itojun
166 1.1 itojun
/*
 * Fixed 4-byte header at the start of every pfsync packet; `count`
 * records of the type selected by `action` follow it.
 *
 * Security notes for anyone touching the input path:
 *  - Nothing here authenticates the sender.  The only origin checks this
 *    file hints at are the receiving interface (pfsyncs_badif) and
 *    TTL == PFSYNC_DFLTTL (pfsyncs_badttl); any host on the sync segment
 *    can still forge INS/UPD/DEL/CLR records.  Run pfsync on a dedicated,
 *    isolated link or over IPsec.
 *  - `count` is attacker-controlled: derive the expected payload length
 *    from action and count and reject shorter packets (pfsyncs_badlen)
 *    rather than walking count records.
 *  - `version` and `action` must be range-checked against PFSYNC_VERSION
 *    and PFSYNC_ACT_MAX (pfsyncs_badver / pfsyncs_badact); PFSYNC_ACTIONS
 *    is indexed by action and has exactly PFSYNC_ACT_MAX entries.
 */
struct pfsync_header {
	u_int8_t version;
#define PFSYNC_VERSION 2
	u_int8_t af; /* address family of the carried addresses (presumably) */
	u_int8_t action;
#define PFSYNC_ACT_CLR 0 /* clear all states */
#define PFSYNC_ACT_INS 1 /* insert state */
#define PFSYNC_ACT_UPD 2 /* update state */
#define PFSYNC_ACT_DEL 3 /* delete state */
#define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
#define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
#define PFSYNC_ACT_INS_F 6 /* insert fragment */
#define PFSYNC_ACT_DEL_F 7 /* delete fragments */
#define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
#define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
#define PFSYNC_ACT_MAX 10 /* one past the highest valid action */
	u_int8_t count; /* number of records following; untrusted */
} __packed;
185 1.1 itojun
/* Bulk-update pacing: packets per timer tick, and the retry bound that sc_bulk_tries presumably counts against. */
#define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
#define PFSYNC_MAX_BULKTRIES 12
#define PFSYNC_HDRLEN sizeof(struct pfsync_header)
/* Printable action names, indexed by PFSYNC_ACT_*; ten entries, keep in step with the action numbers in struct pfsync_header. */
#define PFSYNC_ACTIONS \
	"CLR ST", "INS ST", "UPD ST", "DEL ST", \
	"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
	"UPD REQ", "BLK UPD STAT"

/*
 * Default TTL for pfsync packets; the receive side counts other values
 * as pfsyncs_badttl.  Because routers decrement TTL, a packet that still
 * carries 255 on arrival cannot have been forwarded, which limits senders
 * to hosts on the sync link itself.  This is a locality check, not
 * authentication: any host on that segment can still spoof.
 */
#define PFSYNC_DFLTTL 255
195 1.1 itojun
/*
 * Protocol counters.  The input-side rejection counters (badif, badttl,
 * hdrops, badver, badact, badlen, badauth, badstate) are the signal to
 * monitor on a sync link: a rising count means malformed traffic, a
 * misconfigured peer, or someone probing/spoofing the segment.
 * NOTE(review): pfsyncs_badauth exists, but no authentication mechanism
 * is visible in this header; what increments it must be checked in
 * if_pfsync.c.
 */
struct pfsyncstats {
	u_long pfsyncs_ipackets; /* total input packets, IPv4 */
	u_long pfsyncs_ipackets6; /* total input packets, IPv6 */
	u_long pfsyncs_badif; /* not the right interface */
	u_long pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
	u_long pfsyncs_hdrops; /* packets shorter than header */
	u_long pfsyncs_badver; /* bad (incl unsupp) version */
	u_long pfsyncs_badact; /* bad action */
	u_long pfsyncs_badlen; /* data length does not match */
	u_long pfsyncs_badauth; /* bad authentication */
	u_long pfsyncs_badstate; /* insert/lookup failed */

	u_long pfsyncs_opackets; /* total output packets, IPv4 */
	u_long pfsyncs_opackets6; /* total output packets, IPv6 */
	u_long pfsyncs_onomem; /* no memory for an mbuf for a send */
	u_long pfsyncs_oerrors; /* ip output error */
};
213 1.1 itojun
/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC.
 * pfsyncr_authlevel's meaning is not shown in this header; no
 * authentication mechanism is visible here either, so do not assume a
 * non-zero level protects the sync link -- check the implementation.
 */
struct pfsyncreq {
	char pfsyncr_syncif[IFNAMSIZ]; /* interface to send/receive sync traffic on; NOTE(review): must be NUL-terminated before use */
	int pfsyncr_maxupdates; /* presumably copied to pfsync_softc.sc_maxupdates */
	int pfsyncr_authlevel;
};
/*
 * Interface ioctls ('i' group, 247/248).  The ioctl argument is a struct
 * ifreq, so struct pfsyncreq is presumably reached through ifr_data and
 * must be copied in/out by the handler; privilege checks live in that
 * handler, not here.
 */
#define SIOCSETPFSYNC _IOW('i', 247, struct ifreq)
#define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq)
224 1.1 itojun
225 1.1 itojun
/*
 * Copy the peer fields of `from` into `to`, converting the multi-byte
 * sequence/window/mss fields to network byte order.  The single-byte
 * state and wscale are copied as-is; scrub, scrub_flag and pad are not
 * touched.  Both arguments are evaluated more than once.
 */
#define pf_state_peer_hton(from, to) do { \
	(to)->state = (from)->state; \
	(to)->wscale = (from)->wscale; \
	(to)->max_win = htons((from)->max_win); \
	(to)->mss = htons((from)->mss); \
	(to)->seqlo = htonl((from)->seqlo); \
	(to)->seqhi = htonl((from)->seqhi); \
	(to)->seqdiff = htonl((from)->seqdiff); \
} while (0)
235 1.1 itojun
/*
 * Inverse of pf_state_peer_hton(): copy the peer fields of `from` into
 * `to`, converting seqlo/seqhi/seqdiff/max_win/mss from network to host
 * byte order and copying state and wscale unchanged.  scrub, scrub_flag
 * and pad are not touched.  Both arguments are evaluated more than once.
 */
#define pf_state_peer_ntoh(from, to) do { \
	(to)->state = (from)->state; \
	(to)->wscale = (from)->wscale; \
	(to)->max_win = ntohs((from)->max_win); \
	(to)->mss = ntohs((from)->mss); \
	(to)->seqlo = ntohl((from)->seqlo); \
	(to)->seqhi = ntohl((from)->seqhi); \
	(to)->seqdiff = ntohl((from)->seqdiff); \
} while (0)
245 1.1 itojun
/*
 * Copy the address and port of host `from` into `to`.  No byte swap is
 * applied to the port -- it is presumably stored in network order on
 * both sides -- and pad[] is left alone.  Arguments are evaluated more
 * than once.
 */
#define pf_state_host_hton(from, to) do { \
	(to)->port = (from)->port; \
	bcopy(&(from)->addr, &(to)->addr, sizeof((to)->addr)); \
} while (0)
250 1.1 itojun
/*
 * Copy the address and port of host `from` into `to`; identical in effect
 * to pf_state_host_hton() since the port is not byte-swapped in either
 * direction.  pad[] is left alone.  Arguments are evaluated more than
 * once.
 */
#define pf_state_host_ntoh(from, to) do { \
	(to)->port = (from)->port; \
	bcopy(&(from)->addr, &(to)->addr, sizeof((to)->addr)); \
} while (0)
255 1.1 itojun
256 1.1 itojun #ifdef _KERNEL
/* Protocol input routine for received pfsync packets (mbuf plus the variadic trailer used by *_input routines). */
void pfsync_input(struct mbuf *, ...);
/* Remove states; the (u_int32_t, char *) pair matches creatorid/ifname of struct pfsync_state_clr, so presumably "clear states created by creatorid on ifname". */
int pfsync_clear_states(u_int32_t, char *);
/* Queue a state record for transmission: (PFSYNC_ACT_* action, state, flag). The macros below always pass 1 as the flag; its meaning is not shown here. */
int pfsync_pack_state(u_int8_t, struct pf_state *, int);
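/*
 * Announce a newly created pf state to the sync peers.
 *
 * If the state's rule carries PFRULE_NOSYNC, or the state is for
 * IPPROTO_PFSYNC itself (presumably so pfsync traffic never generates
 * sync traffic of its own), the state is marked PFSTATE_NOSYNC instead.
 * Otherwise it is packed as a PFSYNC_ACT_INS record only when no sync
 * flag is set at all -- a state that was itself learnt from a peer
 * (PFSTATE_FROMSYNC) is not echoed back.  PFSTATE_FROMSYNC is cleared
 * afterwards, so later updates of that state are sent normally.
 *
 * `st` is a struct pf_state pointer expression; it is evaluated several
 * times, so it must be side-effect free.  Every use is parenthesised so
 * callers may pass any pointer expression (e.g. `&s`), not just a name.
 */
#define pfsync_insert_state(st) do { \
	if (((st)->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
	    ((st)->proto == IPPROTO_PFSYNC)) \
		(st)->sync_flags |= PFSTATE_NOSYNC; \
	else if (!(st)->sync_flags) \
		pfsync_pack_state(PFSYNC_ACT_INS, (st), 1); \
	(st)->sync_flags &= ~PFSTATE_FROMSYNC; \
} while (0)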
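/*
 * Announce a change to an existing pf state.
 *
 * The state is packed as a PFSYNC_ACT_UPD record only when no sync flag
 * is set: PFSTATE_NOSYNC states are never sent, and a state just learnt
 * from a peer (PFSTATE_FROMSYNC) is not echoed straight back.
 * PFSTATE_FROMSYNC is then cleared so the next local change is sent.
 *
 * `st` is a struct pf_state pointer expression, evaluated more than once;
 * every use is parenthesised so any pointer expression may be passed.
 */
#define pfsync_update_state(st) do { \
	if (!(st)->sync_flags) \
		pfsync_pack_state(PFSYNC_ACT_UPD, (st), 1); \
	(st)->sync_flags &= ~PFSTATE_FROMSYNC; \
} while (0)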
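/*
 * Announce removal of a pf state.
 *
 * A PFSYNC_ACT_DEL record is packed only when no sync flag is set
 * (neither PFSTATE_NOSYNC nor PFSTATE_FROMSYNC); PFSTATE_FROMSYNC is
 * cleared afterwards, mirroring pfsync_insert_state() and
 * pfsync_update_state().
 *
 * `st` is a struct pf_state pointer expression, evaluated more than once;
 * every use is parenthesised so any pointer expression may be passed.
 */
#define pfsync_delete_state(st) do { \
	if (!(st)->sync_flags) \
		pfsync_pack_state(PFSYNC_ACT_DEL, (st), 1); \
	(st)->sync_flags &= ~PFSTATE_FROMSYNC; \
} while (0)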
278 1.1 itojun #endif
279 1.1 itojun
280 1.1 itojun #endif /* _NET_IF_PFSYNC_H_ */