if_pfsync.h revision 1.3 1 1.3 degroote /* $NetBSD: if_pfsync.h,v 1.3 2009/09/14 10:36:49 degroote Exp $ */
2 1.3 degroote /* $OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $ */
3 1.1 itojun
4 1.1 itojun /*
5 1.1 itojun * Copyright (c) 2001 Michael Shalayeff
6 1.1 itojun * All rights reserved.
7 1.1 itojun *
8 1.1 itojun * Redistribution and use in source and binary forms, with or without
9 1.1 itojun * modification, are permitted provided that the following conditions
10 1.1 itojun * are met:
11 1.1 itojun * 1. Redistributions of source code must retain the above copyright
12 1.1 itojun * notice, this list of conditions and the following disclaimer.
13 1.1 itojun * 2. Redistributions in binary form must reproduce the above copyright
14 1.1 itojun * notice, this list of conditions and the following disclaimer in the
15 1.1 itojun * documentation and/or other materials provided with the distribution.
16 1.1 itojun *
17 1.1 itojun * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 1.1 itojun * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 1.1 itojun * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 1.1 itojun * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
21 1.1 itojun * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 1.1 itojun * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 1.1 itojun * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 1.1 itojun * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 1.1 itojun * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 1.1 itojun * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
27 1.1 itojun * THE POSSIBILITY OF SUCH DAMAGE.
28 1.1 itojun */
29 1.1 itojun
30 1.1 itojun #ifndef _NET_IF_PFSYNC_H_
31 1.1 itojun #define _NET_IF_PFSYNC_H_
32 1.1 itojun
/*
 * Multicast group that pfsync traffic is addressed to (224.0.0.240).
 * NOTE(review): presumably joined through sc_imo in struct pfsync_softc
 * below -- confirm in if_pfsync.c.
 */
33 1.3 degroote #define INADDR_PFSYNC_GROUP __IPADDR(0xe00000f0) /* 224.0.0.240 */
34 1.1 itojun
/*
 * Width of a state id on the wire (8 bytes).  The id[2] members of the
 * wire structures below carry it as two 32-bit halves; see
 * pf_state_counter_hton()/pf_state_counter_ntoh() for the split.
 */
35 1.1 itojun #define PFSYNC_ID_LEN sizeof(u_int64_t)
36 1.1 itojun
/*
 * Wire image of a TDB (IPsec SA) replay-counter update, carried under
 * PFSYNC_ACT_TDB_UPD.  __packed so the layout is identical on every host;
 * the pad[] keeps the total size a multiple of 4.  No byte-order helper
 * for this structure appears in this header.
 */
37 1.3 degroote struct pfsync_tdb {
/* SPI of the SA being updated. */
38 1.3 degroote u_int32_t spi;
/* Destination address of the SA (sockaddr_union, address family inside). */
39 1.3 degroote union sockaddr_union dst;
/* Replay counter (see the PFSYNC_ACT_TDB_UPD comment below). */
40 1.3 degroote u_int32_t rpl;
41 1.3 degroote u_int64_t cur_bytes;
/* Security protocol of the SA. */
42 1.3 degroote u_int8_t sproto;
/* Number of updates folded into this entry. */
43 1.3 degroote u_int8_t updates;
44 1.3 degroote u_int8_t pad[2];
45 1.1 itojun } __packed;
46 1.1 itojun
/*
 * Wire image of a "compressed" state update: only the per-peer sequence
 * state plus the identity (id, creatorid) and timers are sent.
 * NOTE(review): presumably the payload of PFSYNC_ACT_UPD_C; reached
 * through sc_statep.u -- confirm in if_pfsync.c.
 */
47 1.1 itojun struct pfsync_state_upd {
/* 64-bit state id as two 32-bit halves (PFSYNC_ID_LEN). */
48 1.1 itojun u_int32_t id[2];
/* Network-order copies of the two peers (pf_state_peer_hton). */
49 1.1 itojun struct pfsync_state_peer src;
50 1.1 itojun struct pfsync_state_peer dst;
/* Identifies the host that created the state. */
51 1.1 itojun u_int32_t creatorid;
52 1.1 itojun u_int32_t expire;
53 1.1 itojun u_int8_t timeout;
54 1.1 itojun u_int8_t updates;
/* Alignment padding; keep the struct size a multiple of 8. */
55 1.1 itojun u_int8_t pad[6];
56 1.1 itojun } __packed;
57 1.1 itojun
/*
 * Wire image of a "compressed" state delete: identity plus the final
 * per-peer state byte for each side.
 * NOTE(review): presumably the payload of PFSYNC_ACT_DEL_C; reached
 * through sc_statep.d -- confirm in if_pfsync.c.
 */
58 1.1 itojun struct pfsync_state_del {
/* 64-bit state id as two 32-bit halves (PFSYNC_ID_LEN). */
59 1.1 itojun u_int32_t id[2];
/* Identifies the host that created the state. */
60 1.1 itojun u_int32_t creatorid;
61 1.1 itojun struct {
62 1.1 itojun u_int8_t state;
63 1.1 itojun } src;
64 1.1 itojun struct {
65 1.1 itojun u_int8_t state;
66 1.1 itojun } dst;
/* Alignment padding; total size 16 bytes. */
67 1.1 itojun u_int8_t pad[2];
68 1.1 itojun } __packed;
69 1.1 itojun
/*
 * Wire image of a request for an "uncompressed" state (PFSYNC_ACT_UREQ):
 * names the state by id and creatorid only.  Reached through sc_statep.r.
 */
70 1.1 itojun struct pfsync_state_upd_req {
/* 64-bit state id as two 32-bit halves (PFSYNC_ID_LEN). */
71 1.1 itojun u_int32_t id[2];
72 1.1 itojun u_int32_t creatorid;
/* Alignment padding; total size 16 bytes. */
73 1.1 itojun u_int32_t pad;
74 1.1 itojun } __packed;
75 1.1 itojun
/*
 * Wire image of a "clear all states" request (PFSYNC_ACT_CLR).
 * Reached through sc_statep.c.
 */
76 1.1 itojun struct pfsync_state_clr {
/*
 * Interface whose states are to be cleared, as received from the
 * network.  Nothing in the layout guarantees NUL termination, so a
 * consumer must bound every string operation on it to IFNAMSIZ.
 */
77 1.1 itojun char ifname[IFNAMSIZ];
/* Identifies the host whose states are to be cleared. */
78 1.1 itojun u_int32_t creatorid;
79 1.1 itojun u_int32_t pad;
80 1.1 itojun } __packed;
81 1.1 itojun
/*
 * Wire image of a Bulk Update Status message (PFSYNC_ACT_BUS), marking
 * the start or end of a bulk transfer from the host `creatorid'.
 * Reached through sc_statep.b.
 */
82 1.1 itojun struct pfsync_state_bus {
83 1.1 itojun u_int32_t creatorid;
84 1.1 itojun u_int32_t endtime;
/* One of PFSYNC_BUS_START / PFSYNC_BUS_END. */
85 1.1 itojun u_int8_t status;
86 1.1 itojun #define PFSYNC_BUS_START 1
87 1.1 itojun #define PFSYNC_BUS_END 2
/* Alignment padding; total size 16 bytes. */
88 1.1 itojun u_int8_t pad[7];
89 1.1 itojun } __packed;
90 1.1 itojun
91 1.1 itojun #ifdef _KERNEL
92 1.1 itojun
/*
 * Typed view of the write position inside an outgoing pfsync mbuf
 * (sc_statep / sc_statep_net in struct pfsync_softc): one member per
 * per-action payload layout.  Kernel only.
 */
93 1.1 itojun union sc_statep {
94 1.1 itojun struct pfsync_state *s;
95 1.1 itojun struct pfsync_state_upd *u;
96 1.1 itojun struct pfsync_state_del *d;
97 1.1 itojun struct pfsync_state_clr *c;
98 1.1 itojun struct pfsync_state_bus *b;
99 1.1 itojun struct pfsync_state_upd_req *r;
100 1.1 itojun };
101 1.1 itojun
/*
 * Same idea as union sc_statep, for the TDB-update mbuf (sc_mbuf_tdb /
 * sc_statep_tdb).  Only one payload type exists, hence the single member.
 */
102 1.3 degroote union sc_tdb_statep {
103 1.3 degroote struct pfsync_tdb *t;
104 1.3 degroote };
105 1.3 degroote
106 1.1 itojun extern int pfsync_sync_ok;
107 1.1 itojun
/*
 * Per-interface state of the pfsync pseudo-interface (kernel only).
 * One instance is reachable through the global `pfsyncif'.
 */
108 1.1 itojun struct pfsync_softc {
/* The pfsync interface itself. */
109 1.1 itojun struct ifnet sc_if;
/* Real interface the sync traffic is sent and received on. */
110 1.1 itojun struct ifnet *sc_sync_ifp;
111 1.1 itojun
/* IP multicast options for INADDR_PFSYNC_GROUP. */
112 1.1 itojun struct ip_moptions sc_imo;
/* Timers: flush of the pending update mbuf, its TDB counterpart,
 * the bulk-update pacer and the bulk-update failure timeout.
 * NOTE(review): roles inferred from the names -- confirm in if_pfsync.c. */
113 1.3 degroote struct callout sc_tmo;
114 1.3 degroote struct callout sc_tdb_tmo;
115 1.3 degroote struct callout sc_bulk_tmo;
116 1.3 degroote struct callout sc_bulkfail_tmo;
/* Unicast peer (pfsyncr_syncpeer) and the address we send from. */
117 1.3 degroote struct in_addr sc_sync_peer;
118 1.1 itojun struct in_addr sc_sendaddr;
119 1.3 degroote struct mbuf *sc_mbuf; /* current cumulative mbuf */
120 1.3 degroote struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
121 1.3 degroote struct mbuf *sc_mbuf_tdb; /* ditto for TDB updates */
/* Write cursors into the three mbufs above (see the unions). */
122 1.1 itojun union sc_statep sc_statep;
123 1.1 itojun union sc_statep sc_statep_net;
124 1.3 degroote union sc_tdb_statep sc_statep_tdb;
/* Counters of PFSYNC_ACT_UREQ messages seen / issued. */
125 1.1 itojun u_int32_t sc_ureq_received;
126 1.1 itojun u_int32_t sc_ureq_sent;
/* Bulk-update walk: next state to send and where to stop. */
127 1.3 degroote struct pf_state *sc_bulk_send_next;
128 1.3 degroote struct pf_state *sc_bulk_terminator;
/* Bulk-update attempts so far; compare PFSYNC_MAX_BULKTRIES. */
129 1.1 itojun int sc_bulk_tries;
130 1.1 itojun int sc_maxcount; /* number of states in mtu */
131 1.1 itojun int sc_maxupdates; /* number of updates/state */
132 1.1 itojun };
133 1.3 degroote
134 1.3 degroote extern struct pfsync_softc *pfsyncif;
135 1.1 itojun #endif
136 1.1 itojun
137 1.1 itojun
/*
 * Header that starts every pfsync packet; `count' payloads of the layout
 * selected by `action' follow it.  __packed: this is the wire layout.
 * The PFSYNC_STAT_* counters below name the receive-side checks that
 * apply to each field (version -> BADVER, action -> BADACT, length vs.
 * count -> BADLEN, short packet -> HDROPS).
 */
138 1.1 itojun struct pfsync_header {
/* Must equal PFSYNC_VERSION; other values are rejected. */
139 1.1 itojun u_int8_t version;
140 1.3 degroote #define PFSYNC_VERSION 3
/* Address family of the payload. */
141 1.1 itojun u_int8_t af;
/* One of PFSYNC_ACT_*, must be below PFSYNC_ACT_MAX. */
142 1.1 itojun u_int8_t action;
143 1.1 itojun #define PFSYNC_ACT_CLR 0 /* clear all states */
144 1.1 itojun #define PFSYNC_ACT_INS 1 /* insert state */
145 1.1 itojun #define PFSYNC_ACT_UPD 2 /* update state */
146 1.1 itojun #define PFSYNC_ACT_DEL 3 /* delete state */
147 1.1 itojun #define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
148 1.1 itojun #define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
149 1.1 itojun #define PFSYNC_ACT_INS_F 6 /* insert fragment */
150 1.1 itojun #define PFSYNC_ACT_DEL_F 7 /* delete fragments */
151 1.1 itojun #define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
152 1.1 itojun #define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
153 1.3 degroote #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
/* One past the highest action; keep PFSYNC_ACTIONS in step with it. */
154 1.3 degroote #define PFSYNC_ACT_MAX 11
/* Number of payload entries following the header. */
155 1.1 itojun u_int8_t count;
/*
 * MD5 digest carried with every packet.
 * NOTE(review): presumably the sender's ruleset checksum, compared
 * against the local one before the payload is accepted -- confirm in
 * if_pfsync.c.  It is a consistency check, not an authenticator.
 */
156 1.3 degroote u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
157 1.1 itojun } __packed;
158 1.1 itojun
159 1.1 itojun #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
/* Upper bound for pfsync_softc.sc_bulk_tries. */
160 1.3 degroote #define PFSYNC_MAX_BULKTRIES 12
161 1.1 itojun #define PFSYNC_HDRLEN sizeof(struct pfsync_header)
/*
 * Human-readable names indexed by PFSYNC_ACT_*; exactly PFSYNC_ACT_MAX
 * (11) entries.  Adding an action requires adding a name here too.
 */
162 1.1 itojun #define PFSYNC_ACTIONS \
163 1.1 itojun "CLR ST", "INS ST", "UPD ST", "DEL ST", \
164 1.1 itojun "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
165 1.3 degroote "UPD REQ", "BLK UPD STAT", "TDB UPD"
166 1.1 itojun
/*
 * IP TTL used on output; input with any other TTL is counted as
 * PFSYNC_STAT_BADTTL.  Because routers decrement the TTL, requiring 255
 * on receipt means only packets from a directly attached sender pass.
 */
167 1.1 itojun #define PFSYNC_DFLTTL 255
168 1.1 itojun
/*
 * Indices into the pfsync statistics array.  The BAD* entries document
 * the receive-side validation order: interface, TTL, header length,
 * version, action, payload length, authentication, then per-state checks.
 */
169 1.3 degroote #define PFSYNC_STAT_IPACKETS 0 /* total input packets, IPv4 */
170 1.3 degroote #define PFSYNC_STAT_IPACKETS6 1 /* total input packets, IPv6 */
171 1.3 degroote #define PFSYNC_STAT_BADIF 2 /* not the right interface */
172 1.3 degroote #define PFSYNC_STAT_BADTTL 3 /* TTL is not PFSYNC_DFLTTL */
173 1.3 degroote #define PFSYNC_STAT_HDROPS 4 /* packets shorter than hdr */
174 1.3 degroote #define PFSYNC_STAT_BADVER 5 /* bad (incl unsupp) version */
175 1.3 degroote #define PFSYNC_STAT_BADACT 6 /* bad action */
176 1.3 degroote #define PFSYNC_STAT_BADLEN 7 /* data length does not match */
177 1.3 degroote #define PFSYNC_STAT_BADAUTH 8 /* bad authentication */
178 1.3 degroote #define PFSYNC_STAT_STALE 9 /* stale state */
179 1.3 degroote #define PFSYNC_STAT_BADVAL 10 /* bad values */
180 1.3 degroote #define PFSYNC_STAT_BADSTATE 11 /* insert/lookup failed */
181 1.3 degroote #define PFSYNC_STAT_OPACKETS 12 /* total output packets, IPv4 */
182 1.3 degroote #define PFSYNC_STAT_OPACKETS6 13 /* total output packets, IPv6 */
183 1.3 degroote #define PFSYNC_STAT_ONOMEM 14 /* no memory for an mbuf */
184 1.3 degroote #define PFSYNC_STAT_OERRORS 15 /* ip output error */
185 1.3 degroote
/* Size of the statistics array: one past the last index above. */
186 1.3 degroote #define PFSYNC_NSTATS 16
187 1.1 itojun
188 1.1 itojun /*
189 1.1 itojun * Configuration structure for the SIOCSETPFSYNC and SIOCGETPFSYNC ioctls
190 1.1 itojun */
191 1.1 itojun struct pfsyncreq {
/* Name of the interface to carry sync traffic (see sc_sync_ifp). */
192 1.3 degroote char pfsyncr_syncdev[IFNAMSIZ];
/* Unicast peer; see sc_sync_peer. */
193 1.3 degroote struct in_addr pfsyncr_syncpeer;
/* See sc_maxupdates: updates per state before a packet is forced out. */
194 1.3 degroote int pfsyncr_maxupdates;
/*
 * NOTE(review): presumably the authentication level required of sync
 * traffic (failures are counted as PFSYNC_STAT_BADAUTH) -- confirm in
 * if_pfsync.c.  Nothing in this header authenticates pfsync packets
 * on its own.
 */
195 1.3 degroote int pfsyncr_authlevel;
196 1.1 itojun };
197 1.1 itojun
198 1.1 itojun
199 1.3 degroote /* for copies to/from network */
/*
 * Copy an in-kernel peer `s' into its wire image `d', converting to
 * network byte order.  `s'->scrub is a pointer that may be NULL; `d'->scrub
 * is embedded.  Only the PFSS_TIMESTAMP bit of pfss_flags is transmitted.
 * When `s'->scrub is NULL, `d'->scrub is not written at all, so the caller
 * must start from a zeroed `d' for scrub_flag to be meaningful on receipt.
 */
200 1.1 itojun #define pf_state_peer_hton(s,d) do { \
201 1.1 itojun (d)->seqlo = htonl((s)->seqlo); \
202 1.1 itojun (d)->seqhi = htonl((s)->seqhi); \
203 1.1 itojun (d)->seqdiff = htonl((s)->seqdiff); \
204 1.1 itojun (d)->max_win = htons((s)->max_win); \
205 1.1 itojun (d)->mss = htons((s)->mss); \
206 1.1 itojun (d)->state = (s)->state; \
207 1.1 itojun (d)->wscale = (s)->wscale; \
208 1.3 degroote if ((s)->scrub) { \
209 1.3 degroote (d)->scrub.pfss_flags = \
210 1.3 degroote htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
211 1.3 degroote (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
212 1.3 degroote (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
213 1.3 degroote (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
214 1.3 degroote } \
215 1.1 itojun } while (0)
216 1.1 itojun
/*
 * Inverse of pf_state_peer_hton(): copy a wire image `s' into the
 * in-kernel peer `d', converting to host byte order.  Scrub data is taken
 * only when the sender marked it valid and `d' already owns a scrub
 * block; the received pfss_flags is masked to PFSS_TIMESTAMP again, so a
 * peer cannot set any other scrub flag through pfsync.
 */
217 1.1 itojun #define pf_state_peer_ntoh(s,d) do { \
218 1.1 itojun (d)->seqlo = ntohl((s)->seqlo); \
219 1.1 itojun (d)->seqhi = ntohl((s)->seqhi); \
220 1.1 itojun (d)->seqdiff = ntohl((s)->seqdiff); \
221 1.1 itojun (d)->max_win = ntohs((s)->max_win); \
222 1.1 itojun (d)->mss = ntohs((s)->mss); \
223 1.1 itojun (d)->state = (s)->state; \
224 1.1 itojun (d)->wscale = (s)->wscale; \
225 1.3 degroote if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
226 1.3 degroote (d)->scrub != NULL) { \
227 1.3 degroote (d)->scrub->pfss_flags = \
228 1.3 degroote ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
229 1.3 degroote (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
230 1.3 degroote (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
231 1.3 degroote } \
232 1.1 itojun } while (0)
233 1.1 itojun
/*
 * Copy a state host `s' to its wire image `d'.  The address is copied
 * verbatim and the port is not byte-swapped: both are expected to be in
 * network order already, so this is a plain copy despite the name.
 */
234 1.1 itojun #define pf_state_host_hton(s,d) do { \
235 1.3 degroote memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr)); \
236 1.1 itojun (d)->port = (s)->port; \
237 1.1 itojun } while (0)
238 1.1 itojun
/*
 * Inverse of pf_state_host_hton(); identical body, since neither field
 * is byte-swapped.  sizeof((d)->addr) bounds the copy to the destination.
 */
239 1.1 itojun #define pf_state_host_ntoh(s,d) do { \
240 1.3 degroote memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr)); \
241 1.1 itojun (d)->port = (s)->port; \
242 1.1 itojun } while (0)
243 1.1 itojun
/*
 * Split a 64-bit counter `s' into the two network-order 32-bit words of
 * `d' (high word first).  `s' must be at least 64 bits wide for the >>32
 * to be defined.
 * NOTE(review): neither argument is parenthesized, so pass plain
 * identifiers, not expressions.
 */
244 1.3 degroote #define pf_state_counter_hton(s,d) do { \
245 1.3 degroote d[0] = htonl((s>>32)&0xffffffff); \
246 1.3 degroote d[1] = htonl(s&0xffffffff); \
247 1.3 degroote } while (0)
248 1.3 degroote
/*
 * Inverse of pf_state_counter_hton(): rebuild the 64-bit counter `d' from
 * the two network-order words of `s'.  `d' must be a 64-bit lvalue; with a
 * 32-bit `d' the <<32 is undefined and the high word is lost.
 * NOTE(review): neither argument is parenthesized, so pass plain
 * identifiers, not expressions.
 */
249 1.3 degroote #define pf_state_counter_ntoh(s,d) do { \
250 1.3 degroote d = ntohl(s[0]); \
251 1.3 degroote d = d<<32; \
252 1.3 degroote d += ntohl(s[1]); \
253 1.3 degroote } while (0)
254 1.3 degroote
255 1.1 itojun #ifdef _KERNEL
/* Protocol input entry point for received pfsync packets (kernel only). */
256 1.1 itojun void pfsync_input(struct mbuf *, ...);
/* Clear states for a creatorid / interface name (cf. struct pfsync_state_clr);
 * the name pointer comes from the wire image and may lack a NUL. */
257 1.1 itojun int pfsync_clear_states(u_int32_t, char *);
/* Queue a state for the given PFSYNC_ACT_* action; last argument is flags. */
258 1.1 itojun int pfsync_pack_state(u_int8_t, struct pf_state *, int);
/*
 * Announce a newly inserted state.  States from a rule marked
 * PFRULE_NOSYNC, and states for pfsync traffic itself (IPPROTO_PFSYNC),
 * are flagged PFSTATE_NOSYNC and never sent; otherwise the state is packed
 * only if no sync flag is set, so a state that was itself learned over
 * pfsync (PFSTATE_FROMSYNC) is not re-announced.  PFSTATE_FROMSYNC is
 * cleared afterwards in every case.
 * NOTE(review): `st' is not parenthesized, and st->rule.ptr and
 * st->state_key are dereferenced without a NULL check; confirm callers
 * guarantee both.  PFSYNC_FLAG_COMPRESS is defined outside this header.
 */
259 1.1 itojun #define pfsync_insert_state(st) do { \
260 1.1 itojun if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
261 1.3 degroote (st->state_key->proto == IPPROTO_PFSYNC)) \
262 1.1 itojun st->sync_flags |= PFSTATE_NOSYNC; \
263 1.1 itojun else if (!st->sync_flags) \
264 1.3 degroote pfsync_pack_state(PFSYNC_ACT_INS, (st), \
265 1.3 degroote PFSYNC_FLAG_COMPRESS); \
266 1.1 itojun st->sync_flags &= ~PFSTATE_FROMSYNC; \
267 1.1 itojun } while (0)
/*
 * Announce an update to an existing state, unless any sync flag
 * (PFSTATE_NOSYNC or PFSTATE_FROMSYNC) is set; PFSTATE_FROMSYNC is then
 * cleared so later local changes are announced.
 * NOTE(review): `st' is not parenthesized; pass a plain identifier.
 */
268 1.1 itojun #define pfsync_update_state(st) do { \
269 1.1 itojun if (!st->sync_flags) \
270 1.3 degroote pfsync_pack_state(PFSYNC_ACT_UPD, (st), \
271 1.3 degroote PFSYNC_FLAG_COMPRESS); \
272 1.1 itojun st->sync_flags &= ~PFSTATE_FROMSYNC; \
273 1.1 itojun } while (0)
/*
 * Announce the removal of a state, unless any sync flag is set.  Unlike
 * the insert/update macros this does not touch sync_flags afterwards.
 * NOTE(review): `st' is not parenthesized; pass a plain identifier.
 */
274 1.1 itojun #define pfsync_delete_state(st) do { \
275 1.1 itojun if (!st->sync_flags) \
276 1.3 degroote pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
277 1.3 degroote PFSYNC_FLAG_COMPRESS); \
278 1.1 itojun } while (0)
279 1.3 degroote #ifdef NOTYET
280 1.3 degroote int pfsync_update_tdb(struct tdb *, int);
281 1.3 degroote #endif /* NOTYET */
282 1.1 itojun #endif
283 1.1 itojun
284 1.1 itojun #endif /* _NET_IF_PFSYNC_H_ */