64484cf630
forwarding a packet, that creates state, until pfsync(4) peer acks state addition (or 10 msec timeout passes). This is needed for active-active CARP configurations, which are poorly supported in FreeBSD and arguably a good idea at all. Unfortunately by the time of import this feature in OpenBSD was turned on, and did not have a switch to turn it off. This leaked to FreeBSD. This change make it possible to turn this feature off via ioctl() and turns it off by default. Obtained from: OpenBSD
325 lines
8.0 KiB
C
325 lines
8.0 KiB
C
/* $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2001 Michael Shalayeff
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
|
|
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
|
* THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#ifndef _NET_IF_PFSYNC_H_
|
|
#define _NET_IF_PFSYNC_H_
|
|
|
|
#define PFSYNC_VERSION 5
|
|
#define PFSYNC_DFLTTL 255
|
|
|
|
#define PFSYNC_ACT_CLR 0 /* clear all states */
|
|
#define PFSYNC_ACT_INS 1 /* insert state */
|
|
#define PFSYNC_ACT_INS_ACK 2 /* ack of insterted state */
|
|
#define PFSYNC_ACT_UPD 3 /* update state */
|
|
#define PFSYNC_ACT_UPD_C 4 /* "compressed" update state */
|
|
#define PFSYNC_ACT_UPD_REQ 5 /* request "uncompressed" state */
|
|
#define PFSYNC_ACT_DEL 6 /* delete state */
|
|
#define PFSYNC_ACT_DEL_C 7 /* "compressed" delete state */
|
|
#define PFSYNC_ACT_INS_F 8 /* insert fragment */
|
|
#define PFSYNC_ACT_DEL_F 9 /* delete fragments */
|
|
#define PFSYNC_ACT_BUS 10 /* bulk update status */
|
|
#define PFSYNC_ACT_TDB 11 /* TDB replay counter update */
|
|
#define PFSYNC_ACT_EOF 12 /* end of frame */
|
|
#define PFSYNC_ACT_MAX 13
|
|
|
|
#define PFSYNC_ACTIONS "CLR ST", \
|
|
"INS ST", \
|
|
"INS ST ACK", \
|
|
"UPD ST", \
|
|
"UPD ST COMP", \
|
|
"UPD ST REQ", \
|
|
"DEL ST", \
|
|
"DEL ST COMP", \
|
|
"INS FR", \
|
|
"DEL FR", \
|
|
"BULK UPD STAT", \
|
|
"TDB UPD", \
|
|
"EOF"
|
|
|
|
#define PFSYNC_HMAC_LEN 20
|
|
|
|
/*
|
|
* A pfsync frame is built from a header followed by several sections which
|
|
* are all prefixed with their own subheaders. Frames must be terminated with
|
|
* an EOF subheader.
|
|
*
|
|
* | ... |
|
|
* | IP header |
|
|
* +============================+
|
|
* | pfsync_header |
|
|
* +----------------------------+
|
|
* | pfsync_subheader |
|
|
* +----------------------------+
|
|
* | first action fields |
|
|
* | ... |
|
|
* +----------------------------+
|
|
* | pfsync_subheader |
|
|
* +----------------------------+
|
|
* | second action fields |
|
|
* | ... |
|
|
* +----------------------------+
|
|
* | EOF pfsync_subheader |
|
|
* +----------------------------+
|
|
* | HMAC |
|
|
* +============================+
|
|
*/
|
|
|
|
/*
|
|
* Frame header
|
|
*/
|
|
|
|
struct pfsync_header {
|
|
u_int8_t version;
|
|
u_int8_t _pad;
|
|
u_int16_t len;
|
|
u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH];
|
|
} __packed;
|
|
|
|
/*
|
|
* Frame region subheader
|
|
*/
|
|
|
|
struct pfsync_subheader {
|
|
u_int8_t action;
|
|
u_int8_t _pad;
|
|
u_int16_t count;
|
|
} __packed;
|
|
|
|
/*
|
|
* CLR
|
|
*/
|
|
|
|
struct pfsync_clr {
|
|
char ifname[IFNAMSIZ];
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* INS, UPD, DEL
|
|
*/
|
|
|
|
/* these use struct pfsync_state in pfvar.h */
|
|
|
|
/*
|
|
* INS_ACK
|
|
*/
|
|
|
|
struct pfsync_ins_ack {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* UPD_C
|
|
*/
|
|
|
|
struct pfsync_upd_c {
|
|
u_int64_t id;
|
|
struct pfsync_state_peer src;
|
|
struct pfsync_state_peer dst;
|
|
u_int32_t creatorid;
|
|
u_int32_t expire;
|
|
u_int8_t timeout;
|
|
u_int8_t _pad[3];
|
|
} __packed;
|
|
|
|
/*
|
|
* UPD_REQ
|
|
*/
|
|
|
|
struct pfsync_upd_req {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* DEL_C
|
|
*/
|
|
|
|
struct pfsync_del_c {
|
|
u_int64_t id;
|
|
u_int32_t creatorid;
|
|
} __packed;
|
|
|
|
/*
|
|
* INS_F, DEL_F
|
|
*/
|
|
|
|
/* not implemented (yet) */
|
|
|
|
/*
|
|
* BUS
|
|
*/
|
|
|
|
struct pfsync_bus {
|
|
u_int32_t creatorid;
|
|
u_int32_t endtime;
|
|
u_int8_t status;
|
|
#define PFSYNC_BUS_START 1
|
|
#define PFSYNC_BUS_END 2
|
|
u_int8_t _pad[3];
|
|
} __packed;
|
|
|
|
/*
|
|
* TDB
|
|
*/
|
|
|
|
struct pfsync_tdb {
|
|
u_int32_t spi;
|
|
union sockaddr_union dst;
|
|
u_int32_t rpl;
|
|
u_int64_t cur_bytes;
|
|
u_int8_t sproto;
|
|
u_int8_t updates;
|
|
u_int8_t _pad[2];
|
|
} __packed;
|
|
|
|
/*
|
|
* EOF
|
|
*/
|
|
|
|
struct pfsync_eof {
|
|
u_int8_t hmac[PFSYNC_HMAC_LEN];
|
|
} __packed;
|
|
|
|
#define PFSYNC_HDRLEN sizeof(struct pfsync_header)
|
|
|
|
|
|
|
|
/*
|
|
* Names for PFSYNC sysctl objects
|
|
*/
|
|
#define PFSYNCCTL_STATS 1 /* PFSYNC stats */
|
|
#define PFSYNCCTL_MAXID 2
|
|
|
|
#define PFSYNCCTL_NAMES { \
|
|
{ 0, 0 }, \
|
|
{ "stats", CTLTYPE_STRUCT }, \
|
|
}
|
|
|
|
struct pfsyncstats {
|
|
u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
|
|
u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
|
|
u_int64_t pfsyncs_badif; /* not the right interface */
|
|
u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
|
|
u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
|
|
u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
|
|
u_int64_t pfsyncs_badact; /* bad action */
|
|
u_int64_t pfsyncs_badlen; /* data length does not match */
|
|
u_int64_t pfsyncs_badauth; /* bad authentication */
|
|
u_int64_t pfsyncs_stale; /* stale state */
|
|
u_int64_t pfsyncs_badval; /* bad values */
|
|
u_int64_t pfsyncs_badstate; /* insert/lookup failed */
|
|
|
|
u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
|
|
u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
|
|
u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
|
|
u_int64_t pfsyncs_oerrors; /* ip output error */
|
|
};
|
|
|
|
/*
|
|
* Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
|
|
*/
|
|
struct pfsyncreq {
|
|
char pfsyncr_syncdev[IFNAMSIZ];
|
|
struct in_addr pfsyncr_syncpeer;
|
|
int pfsyncr_maxupdates;
|
|
int pfsyncr_defer;
|
|
};
|
|
|
|
#ifdef __FreeBSD__
|
|
#define SIOCSETPFSYNC _IOW('i', 247, struct ifreq)
|
|
#define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq)
|
|
#endif
|
|
|
|
#ifdef _KERNEL
|
|
|
|
/*
|
|
* this shows where a pf state is with respect to the syncing.
|
|
*/
|
|
#define PFSYNC_S_INS 0x00
|
|
#define PFSYNC_S_IACK 0x01
|
|
#define PFSYNC_S_UPD 0x02
|
|
#define PFSYNC_S_UPD_C 0x03
|
|
#define PFSYNC_S_DEL 0x04
|
|
#define PFSYNC_S_COUNT 0x05
|
|
|
|
#define PFSYNC_S_DEFER 0xfe
|
|
#define PFSYNC_S_NONE 0xff
|
|
|
|
#ifdef __FreeBSD__
|
|
void pfsync_input(struct mbuf *, __unused int);
|
|
#else
|
|
void pfsync_input(struct mbuf *, ...);
|
|
#endif
|
|
int pfsync_sysctl(int *, u_int, void *, size_t *,
|
|
void *, size_t);
|
|
|
|
#define PFSYNC_SI_IOCTL 0x01
|
|
#define PFSYNC_SI_CKSUM 0x02
|
|
#define PFSYNC_SI_ACK 0x04
|
|
int pfsync_state_import(struct pfsync_state *, u_int8_t);
|
|
#ifndef __FreeBSD__
|
|
void pfsync_state_export(struct pfsync_state *,
|
|
struct pf_state *);
|
|
#endif
|
|
|
|
void pfsync_insert_state(struct pf_state *);
|
|
void pfsync_update_state(struct pf_state *);
|
|
void pfsync_delete_state(struct pf_state *);
|
|
void pfsync_clear_states(u_int32_t, const char *);
|
|
|
|
#ifdef notyet
|
|
void pfsync_update_tdb(struct tdb *, int);
|
|
void pfsync_delete_tdb(struct tdb *);
|
|
#endif
|
|
|
|
int pfsync_defer(struct pf_state *, struct mbuf *);
|
|
|
|
int pfsync_up(void);
|
|
int pfsync_state_in_use(struct pf_state *);
|
|
#endif
|
|
|
|
#endif /* _NET_IF_PFSYNC_H_ */
|