342 lines
8.4 KiB
C
342 lines
8.4 KiB
C
/* $OpenBSD: if_pfsync.h,v 1.62 2024/05/13 01:15:53 jsg Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2001 Michael Shalayeff
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
|
|
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
|
* THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#ifndef _NET_IF_PFSYNC_H_
|
|
#define _NET_IF_PFSYNC_H_
|
|
|
|
#define PFSYNC_VERSION 6
|
|
#define PFSYNC_DFLTTL 255
|
|
|
|
#define PFSYNC_ACT_CLR 0 /* clear all states */
|
|
#define PFSYNC_ACT_OINS 1 /* old insert state */
|
|
#define PFSYNC_ACT_INS_ACK 2 /* ack of inserted state */
|
|
#define PFSYNC_ACT_OUPD 3 /* old update state */
|
|
#define PFSYNC_ACT_UPD_C 4 /* "compressed" update state */
|
|
#define PFSYNC_ACT_UPD_REQ 5 /* request "uncompressed" state */
|
|
#define PFSYNC_ACT_DEL 6 /* delete state */
|
|
#define PFSYNC_ACT_DEL_C 7 /* "compressed" delete state */
|
|
#define PFSYNC_ACT_INS_F 8 /* insert fragment */
|
|
#define PFSYNC_ACT_DEL_F 9 /* delete fragments */
|
|
#define PFSYNC_ACT_BUS 10 /* bulk update status */
|
|
#define PFSYNC_ACT_OTDB 11 /* old TDB replay counter update */
|
|
#define PFSYNC_ACT_EOF 12 /* end of frame - DEPRECATED */
|
|
#define PFSYNC_ACT_INS 13 /* insert state */
|
|
#define PFSYNC_ACT_UPD 14 /* update state */
|
|
#define PFSYNC_ACT_TDB 15 /* TDB replay counter update */
|
|
#define PFSYNC_ACT_MAX 16
|
|
|
|
#define PFSYNC_ACTIONS "CLR ST", \
|
|
"INS ST OLD", \
|
|
"INS ST ACK", \
|
|
"UPD ST OLD", \
|
|
"UPD ST COMP", \
|
|
"UPD ST REQ", \
|
|
"DEL ST", \
|
|
"DEL ST COMP", \
|
|
"INS FR", \
|
|
"DEL FR", \
|
|
"BULK UPD STAT", \
|
|
"UPD TDB OLD", \
|
|
"EOF", \
|
|
"INS ST", \
|
|
"UPD ST", \
|
|
"UPD TDB"
|
|
|
|
/*
|
|
* A pfsync frame is built from a header followed by several sections which
|
|
* are all prefixed with their own subheaders.
|
|
*
|
|
* | ... |
|
|
* | IP header |
|
|
* +============================+
|
|
* | pfsync_header |
|
|
* +----------------------------+
|
|
* | pfsync_subheader |
|
|
* +----------------------------+
|
|
* | first action fields |
|
|
* | ... |
|
|
* +----------------------------+
|
|
* | pfsync_subheader |
|
|
* +----------------------------+
|
|
* | second action fields |
|
|
* | ... |
|
|
* +============================+
|
|
*/
|
|
|
|
/*
|
|
* Frame header
|
|
*/
|
|
|
|
struct pfsync_header {
|
|
u_int8_t version;
|
|
u_int8_t _pad;
|
|
u_int16_t len; /* in bytes */
|
|
u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH];
|
|
} __packed;
|
|
|
|
/*
|
|
* Frame region subheader
|
|
*/
|
|
|
|
struct pfsync_subheader {
|
|
u_int8_t action;
|
|
u_int8_t len; /* in dwords */
|
|
u_int16_t count;
|
|
} __packed;
|
|
|
|
/*
|
|
* CLR
|
|
*/
|
|
|
|
struct pfsync_clr {
|
|
char ifname[IFNAMSIZ];
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* OINS, OUPD
|
|
*/
|
|
|
|
/* these messages are deprecated */
|
|
|
|
/*
|
|
* INS, UPD, DEL
|
|
*/
|
|
|
|
/* these use struct pfsync_state in pfvar.h */
|
|
|
|
/*
|
|
* INS_ACK
|
|
*/
|
|
|
|
struct pfsync_ins_ack {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* UPD_C
|
|
*/
|
|
|
|
struct pfsync_upd_c {
|
|
u_int64_t id;
|
|
struct pfsync_state_peer src;
|
|
struct pfsync_state_peer dst;
|
|
u_int32_t creatorid;
|
|
u_int32_t expire;
|
|
u_int8_t timeout;
|
|
u_int8_t state_flags;
|
|
u_int8_t _pad[2];
|
|
} __packed;
|
|
|
|
/*
|
|
* UPD_REQ
|
|
*/
|
|
|
|
struct pfsync_upd_req {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed __aligned(4);
|
|
|
|
/*
|
|
* DEL_C
|
|
*/
|
|
|
|
struct pfsync_del_c {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* INS_F, DEL_F
|
|
*/
|
|
|
|
/* not implemented (yet) */
|
|
|
|
/*
|
|
* BUS
|
|
*/
|
|
|
|
struct pfsync_bus {
|
|
u_int32_t creatorid;
|
|
u_int32_t endtime;
|
|
u_int8_t status;
|
|
#define PFSYNC_BUS_START 1
|
|
#define PFSYNC_BUS_END 2
|
|
u_int8_t _pad[3];
|
|
} __packed;
|
|
|
|
/*
|
|
* TDB
|
|
*/
|
|
struct pfsync_tdb {
|
|
u_int32_t spi;
|
|
union sockaddr_union dst;
|
|
u_int64_t rpl;
|
|
u_int64_t cur_bytes;
|
|
u_int8_t sproto;
|
|
u_int8_t updates;
|
|
u_int16_t rdomain;
|
|
} __packed;
|
|
|
|
/*
|
|
* EOF
|
|
*/
|
|
|
|
/* this message is deprecated */
|
|
|
|
|
|
#define PFSYNC_HDRLEN sizeof(struct pfsync_header)
|
|
|
|
|
|
/*
|
|
* Names for PFSYNC sysctl objects
|
|
*/
|
|
#define PFSYNCCTL_STATS 1 /* PFSYNC stats */
|
|
#define PFSYNCCTL_MAXID 2
|
|
|
|
#define PFSYNCCTL_NAMES { \
|
|
{ 0, 0 }, \
|
|
{ "stats", CTLTYPE_STRUCT }, \
|
|
}
|
|
|
|
struct pfsyncstats {
|
|
u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
|
|
u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
|
|
u_int64_t pfsyncs_badif; /* not the right interface */
|
|
u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
|
|
u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
|
|
u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
|
|
u_int64_t pfsyncs_badact; /* bad action */
|
|
u_int64_t pfsyncs_badlen; /* data length does not match */
|
|
u_int64_t pfsyncs_badauth; /* bad authentication */
|
|
u_int64_t pfsyncs_stale; /* stale state */
|
|
u_int64_t pfsyncs_badval; /* bad values */
|
|
u_int64_t pfsyncs_badstate; /* insert/lookup failed */
|
|
|
|
u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
|
|
u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
|
|
u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
|
|
u_int64_t pfsyncs_oerrors; /* ip output error */
|
|
};
|
|
|
|
/*
|
|
* Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
|
|
*/
|
|
struct pfsyncreq {
|
|
char pfsyncr_syncdev[IFNAMSIZ];
|
|
struct in_addr pfsyncr_syncpeer;
|
|
int pfsyncr_maxupdates;
|
|
int pfsyncr_defer;
|
|
};
|
|
|
|
#ifdef _KERNEL
|
|
|
|
#include <sys/percpu.h>
|
|
|
|
enum pfsync_counters {
|
|
pfsyncs_ipackets,
|
|
pfsyncs_ipackets6,
|
|
pfsyncs_badif,
|
|
pfsyncs_badttl,
|
|
pfsyncs_hdrops,
|
|
pfsyncs_badver,
|
|
pfsyncs_badact,
|
|
pfsyncs_badlen,
|
|
pfsyncs_badauth,
|
|
pfsyncs_stale,
|
|
pfsyncs_badval,
|
|
pfsyncs_badstate,
|
|
pfsyncs_opackets,
|
|
pfsyncs_opackets6,
|
|
pfsyncs_onomem,
|
|
pfsyncs_oerrors,
|
|
pfsyncs_ncounters,
|
|
};
|
|
|
|
/*
|
|
* this shows where a pf state is with respect to the syncing.
|
|
*/
|
|
#define PFSYNC_S_IACK 0x00
|
|
#define PFSYNC_S_UPD_C 0x01
|
|
#define PFSYNC_S_DEL 0x02
|
|
#define PFSYNC_S_INS 0x03
|
|
#define PFSYNC_S_UPD 0x04
|
|
#define PFSYNC_S_COUNT 0x05
|
|
|
|
#define PFSYNC_S_NONE 0xd0
|
|
#define PFSYNC_S_SYNC 0xd1
|
|
#define PFSYNC_S_PFSYNC 0xd2
|
|
#define PFSYNC_S_DEAD 0xde
|
|
|
|
int pfsync_input4(struct mbuf **, int *, int, int);
|
|
int pfsync_sysctl(int *, u_int, void *, size_t *,
|
|
void *, size_t);
|
|
|
|
#define PFSYNC_SI_IOCTL 0x01
|
|
#define PFSYNC_SI_CKSUM 0x02
|
|
#define PFSYNC_SI_ACK 0x04
|
|
#define PFSYNC_SI_PFSYNC 0x08
|
|
void pfsync_state_export(struct pfsync_state *,
|
|
struct pf_state *);
|
|
|
|
void pfsync_init_state(struct pf_state *,
|
|
const struct pf_state_key *,
|
|
const struct pf_state_key *, int);
|
|
void pfsync_insert_state(struct pf_state *);
|
|
void pfsync_update_state(struct pf_state *);
|
|
void pfsync_delete_state(struct pf_state *);
|
|
void pfsync_clear_states(u_int32_t, const char *);
|
|
|
|
void pfsync_update_tdb(struct tdb *, int);
|
|
void pfsync_delete_tdb(struct tdb *);
|
|
|
|
int pfsync_defer(struct pf_state *, struct mbuf *);
|
|
|
|
int pfsync_is_up(void);
|
|
int pfsync_state_in_use(struct pf_state *);
|
|
#endif /* _KERNEL */
|
|
|
|
#endif /* _NET_IF_PFSYNC_H_ */
|