sys/net/pf/if_pfsync.h

   1 /*      $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $  */
   2
   3 /*
   4  * Copyright (c) 2001 Michael Shalayeff
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  19  * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
  20  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  21  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  22  * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  24  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  25  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
  26  * THE POSSIBILITY OF SUCH DAMAGE.
  27  */
  28
  29 #ifndef _NET_IF_PFSYNC_H_
  30 #define _NET_IF_PFSYNC_H_
  31
  32 #include <sys/ioccom.h>
  33
  34 /*
  35  * pfvar.h is required to get struct pf_addr.  Also kdump and other utilities
  36  * blindly include header files to try to get all the ioctl constants and
  37  * buildworld will fail without this.  We need a better way XXX
  38  */
  39 #ifndef _NET_PFVAR_H_
  40 #include "pfvar.h"
  41 #endif
  42
  43 /* Reserved SPI numbers */
  44 #define SPI_LOCAL_USE           0
  45 #define SPI_RESERVED_MIN        1
  46 #define SPI_RESERVED_MAX        255
  47
  48
  49 #define PFSYNC_ID_LEN   sizeof(u_int64_t)
  50
  51 #define PFSYNC_FLAG_COMPRESS    0x01
  52 #define PFSYNC_FLAG_STALE       0x02
  53
  54 struct pfsync_tdb {
  55         u_int32_t       spi;
  56         union sockaddr_union dst;
  57         u_int32_t       rpl;
  58         u_int64_t       cur_bytes;
  59         u_int8_t        sproto;
  60         u_int8_t        updates;
  61         u_int8_t        pad[2];
  62 } __packed;
  63
  64 struct pfsync_state_upd {
  65         u_int32_t               id[2];
  66         struct pfsync_state_peer        src;
  67         struct pfsync_state_peer        dst;
  68         u_int32_t               creatorid;
  69         u_int32_t               expire;
  70         u_int8_t                timeout;
  71         u_int8_t                updates;
  72         u_int8_t                pad[6];
  73 } __packed;
  74
  75 struct pfsync_state_del {
  76         u_int32_t               id[2];
  77         u_int32_t               creatorid;
  78         struct {
  79                 u_int8_t        state;
  80         } src;
  81         struct {
  82                 u_int8_t        state;
  83         } dst;
  84         u_int8_t                pad[2];
  85 } __packed;
  86
  87 struct pfsync_state_upd_req {
  88         u_int32_t               id[2];
  89         u_int32_t               creatorid;
  90         u_int32_t               pad;
  91 } __packed;
  92
  93 struct pfsync_state_clr {
  94         char                    ifname[IFNAMSIZ];
  95         u_int32_t               creatorid;
  96         u_int32_t               pad;
  97 } __packed;
  98
  99 struct pfsync_state_bus {
 100         u_int32_t               creatorid;
 101         u_int32_t               endtime;
 102         u_int8_t                status;
 103 #define PFSYNC_BUS_START        1
 104 #define PFSYNC_BUS_END          2
 105         u_int8_t                pad[7];
 106 } __packed;
 107
 108 /*
 109  * Names for PFSYNC sysctl objects
 110  */
 111 #define PFSYNCCTL_STATS         1       /* PFSYNC stats */
 112 #define PFSYNCCTL_MAXID         2
 113
 114 #define PFSYNCCTL_NAMES { \
 115         { 0, 0 }, \
 116         { "stats", CTLTYPE_STRUCT }, \
 117 }
 118
 119 #ifdef _KERNEL
 120
 121 union sc_statep {
 122         struct pfsync_state     *s;
 123         struct pfsync_state_upd *u;
 124         struct pfsync_state_del *d;
 125         struct pfsync_state_clr *c;
 126         struct pfsync_state_bus *b;
 127         struct pfsync_state_upd_req     *r;
 128 };
 129
 130 union sc_tdb_statep {
 131         struct pfsync_tdb       *t;
 132 };
 133
 134 extern int      pfsync_sync_ok;
 135
 136 struct pfsync_softc {
 137         struct ifnet             sc_if;
 138         struct ifnet            *sc_sync_ifp;
 139
 140         struct ip_moptions       sc_imo;
 141         struct callout           sc_tmo;
 142         struct callout           sc_tdb_tmo;
 143         struct callout           sc_bulk_tmo;
 144         struct callout           sc_bulkfail_tmo;
 145         struct in_addr           sc_sync_peer;
 146         struct in_addr           sc_sendaddr;
 147         struct mbuf             *sc_mbuf;       /* current cumulative mbuf */
 148         struct mbuf             *sc_mbuf_net;   /* current cumulative mbuf */
 149         struct mbuf             *sc_mbuf_tdb;   /* dito for TDB updates */
 150         union sc_statep          sc_statep;
 151         union sc_statep          sc_statep_net;
 152         union sc_tdb_statep      sc_statep_tdb;
 153         u_int32_t                sc_ureq_received;
 154         u_int32_t                sc_ureq_sent;
 155         struct pf_state         *sc_bulk_send_next;
 156         struct pf_state         *sc_bulk_terminator;
 157         int                      sc_bulk_send_cpu;
 158         int                      sc_bulk_terminator_cpu;
 159         int                      sc_bulk_tries;
 160         int                      sc_maxcount;   /* number of states in mtu */
 161         int                      sc_maxupdates; /* number of updates/state */
 162         LIST_ENTRY(pfsync_softc) sc_next;
 163 };
 164
 165 extern struct pfsync_softc      *pfsyncif;
 166 #endif
 167
 168
 169 struct pfsync_header {
 170         u_int8_t version;
 171 #define PFSYNC_VERSION  4
 172         u_int8_t af;
 173         u_int8_t action;
 174 #define PFSYNC_ACT_CLR          0       /* clear all states */
 175 #define PFSYNC_ACT_INS          1       /* insert state */
 176 #define PFSYNC_ACT_UPD          2       /* update state */
 177 #define PFSYNC_ACT_DEL          3       /* delete state */
 178 #define PFSYNC_ACT_UPD_C        4       /* "compressed" state update */
 179 #define PFSYNC_ACT_DEL_C        5       /* "compressed" state delete */
 180 #define PFSYNC_ACT_INS_F        6       /* insert fragment */
 181 #define PFSYNC_ACT_DEL_F        7       /* delete fragments */
 182 #define PFSYNC_ACT_UREQ         8       /* request "uncompressed" state */
 183 #define PFSYNC_ACT_BUS          9       /* Bulk Update Status */
 184 #define PFSYNC_ACT_TDB_UPD      10      /* TDB replay counter update */
 185 #define PFSYNC_ACT_MAX          11
 186         u_int8_t count;
 187         u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
 188 } __packed;
 189
 190 #define PFSYNC_BULKPACKETS      1       /* # of packets per timeout */
 191 #define PFSYNC_MAX_BULKTRIES    12
 192 #define PFSYNC_HDRLEN   sizeof(struct pfsync_header)
 193 #define PFSYNC_ACTIONS \
 194         "CLR ST", "INS ST", "UPD ST", "DEL ST", \
 195         "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
 196         "UPD REQ", "BLK UPD STAT", "TDB UPD"
 197
 198 #define PFSYNC_DFLTTL           255
 199
 200 struct pfsyncstats {
 201         u_int64_t       pfsyncs_ipackets;       /* total input packets, IPv4 */
 202         u_int64_t       pfsyncs_ipackets6;      /* total input packets, IPv6 */
 203         u_int64_t       pfsyncs_badif;          /* not the right interface */
 204         u_int64_t       pfsyncs_badttl;         /* TTL is not PFSYNC_DFLTTL */
 205         u_int64_t       pfsyncs_hdrops;         /* packets shorter than hdr */
 206         u_int64_t       pfsyncs_badver;         /* bad (incl unsupp) version */
 207         u_int64_t       pfsyncs_badact;         /* bad action */
 208         u_int64_t       pfsyncs_badlen;         /* data length does not match */
 209         u_int64_t       pfsyncs_badauth;        /* bad authentication */
 210         u_int64_t       pfsyncs_stale;          /* stale state */
 211         u_int64_t       pfsyncs_badval;         /* bad values */
 212         u_int64_t       pfsyncs_badstate;       /* insert/lookup failed */
 213
 214         u_int64_t       pfsyncs_opackets;       /* total output packets, IPv4 */
 215         u_int64_t       pfsyncs_opackets6;      /* total output packets, IPv6 */
 216         u_int64_t       pfsyncs_onomem;         /* no memory for an mbuf */
 217         u_int64_t       pfsyncs_oerrors;        /* ip output error */
 218 };
 219
 220 /*
 221  * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 222  */
 223 struct pfsyncreq {
 224         char             pfsyncr_syncdev[IFNAMSIZ];
 225         struct in_addr   pfsyncr_syncpeer;
 226         int              pfsyncr_maxupdates;
 227         int              pfsyncr_authlevel;
 228 };
 229 #define SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
 230 #define SIOCGETPFSYNC   _IOWR('i', 248, struct ifreq)
 231
 232 #ifdef _KERNEL
 233 void                    pfsync_input(struct mbuf *, ...);
 234 int                     pfsync_clear_states(u_int32_t, char *);
 235 int                     pfsync_pack_state(u_int8_t, struct pf_state *, int);
 236 int                     pfsync_sysctl(int *, u_int,  void *, size_t *,
 237                             void *, size_t);
 238 void                    pfsync_state_export(struct pfsync_state *,
 239                             struct pf_state *);
 240
 241 #define PFSYNC_SI_IOCTL         0x01
 242 #define PFSYNC_SI_CKSUM         0x02
 243 int                     pfsync_state_import(struct pfsync_state *, u_int8_t);
 244
 245 #define pfsync_insert_state(st) do {                            \
 246         if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) ||        \
 247             (st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC))     \
 248                 st->sync_flags |= PFSTATE_NOSYNC;               \
 249         else if (!st->sync_flags)                               \
 250                 pfsync_pack_state(PFSYNC_ACT_INS, (st),         \
 251                     PFSYNC_FLAG_COMPRESS);                      \
 252         st->sync_flags &= ~PFSTATE_FROMSYNC;                    \
 253 } while (0)
 254 #define pfsync_update_state(st) do {                            \
 255         if (!(st)->sync_flags)                                  \
 256                 pfsync_pack_state(PFSYNC_ACT_UPD, (st),         \
 257                     PFSYNC_FLAG_COMPRESS);                      \
 258         (st)->sync_flags &= ~PFSTATE_FROMSYNC;                  \
 259 } while (0)
 260 #define pfsync_delete_state(st) do {                            \
 261         if (!(st)->sync_flags)                                  \
 262                 pfsync_pack_state(PFSYNC_ACT_DEL, (st),         \
 263                     PFSYNC_FLAG_COMPRESS);                      \
 264 } while (0)
 265 #endif
 266
 267 #endif /* _NET_IF_PFSYNC_H_ */