1 /* $OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $ */
2
3 /*
4 * Copyright (c) 2001 Michael Shalayeff
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26 * THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #ifndef _NET_IF_PFSYNC_H_
30 #define _NET_IF_PFSYNC_H_
31
32
33 #define PFSYNC_ID_LEN sizeof(u_int64_t)
34
35 struct pfsync_tdb {
36 u_int32_t spi;
37 union sockaddr_union dst;
38 u_int32_t rpl;
39 u_int64_t cur_bytes;
40 u_int8_t sproto;
41 u_int8_t updates;
42 u_int8_t pad[2];
43 } __packed;
44
45 struct pfsync_state_upd {
46 u_int32_t id[2];
47 struct pfsync_state_peer src;
48 struct pfsync_state_peer dst;
49 u_int32_t creatorid;
50 u_int32_t expire;
51 u_int8_t timeout;
52 u_int8_t updates;
53 u_int8_t pad[6];
54 } __packed;
55
56 struct pfsync_state_del {
57 u_int32_t id[2];
58 u_int32_t creatorid;
59 struct {
60 u_int8_t state;
61 } src;
62 struct {
63 u_int8_t state;
64 } dst;
65 u_int8_t pad[2];
66 } __packed;
67
68 struct pfsync_state_upd_req {
69 u_int32_t id[2];
70 u_int32_t creatorid;
71 u_int32_t pad;
72 } __packed;
73
74 struct pfsync_state_clr {
75 char ifname[IFNAMSIZ];
76 u_int32_t creatorid;
77 u_int32_t pad;
78 } __packed;
79
80 struct pfsync_state_bus {
81 u_int32_t creatorid;
82 u_int32_t endtime;
83 u_int8_t status;
84 #define PFSYNC_BUS_START 1
85 #define PFSYNC_BUS_END 2
86 u_int8_t pad[7];
87 } __packed;
88
89 #ifdef _KERNEL
90
91 union sc_statep {
92 struct pfsync_state *s;
93 struct pfsync_state_upd *u;
94 struct pfsync_state_del *d;
95 struct pfsync_state_clr *c;
96 struct pfsync_state_bus *b;
97 struct pfsync_state_upd_req *r;
98 };
99
100 union sc_tdb_statep {
101 struct pfsync_tdb *t;
102 };
103
104 extern int pfsync_sync_ok;
105
106 struct pfsync_softc {
107 struct ifnet sc_if;
108 struct ifnet *sc_sync_ifp;
109
110 struct ip_moptions sc_imo;
111 struct timeout sc_tmo;
112 struct timeout sc_tdb_tmo;
113 struct timeout sc_bulk_tmo;
114 struct timeout sc_bulkfail_tmo;
115 struct in_addr sc_sync_peer;
116 struct in_addr sc_sendaddr;
117 struct mbuf *sc_mbuf; /* current cumulative mbuf */
118 struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
119 struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */
120 union sc_statep sc_statep;
121 union sc_statep sc_statep_net;
122 union sc_tdb_statep sc_statep_tdb;
123 u_int32_t sc_ureq_received;
124 u_int32_t sc_ureq_sent;
125 struct pf_state *sc_bulk_send_next;
126 struct pf_state *sc_bulk_terminator;
127 int sc_bulk_tries;
128 int sc_maxcount; /* number of states in mtu */
129 int sc_maxupdates; /* number of updates/state */
130 };
131
132 extern struct pfsync_softc *pfsyncif;
133 #endif
134
135
136 struct pfsync_header {
137 u_int8_t version;
138 #define PFSYNC_VERSION 3
139 u_int8_t af;
140 u_int8_t action;
141 #define PFSYNC_ACT_CLR 0 /* clear all states */
142 #define PFSYNC_ACT_INS 1 /* insert state */
143 #define PFSYNC_ACT_UPD 2 /* update state */
144 #define PFSYNC_ACT_DEL 3 /* delete state */
145 #define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
146 #define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
147 #define PFSYNC_ACT_INS_F 6 /* insert fragment */
148 #define PFSYNC_ACT_DEL_F 7 /* delete fragments */
149 #define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
150 #define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
151 #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
152 #define PFSYNC_ACT_MAX 11
153 u_int8_t count;
154 u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
155 } __packed;
156
157 #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
158 #define PFSYNC_MAX_BULKTRIES 12
159 #define PFSYNC_HDRLEN sizeof(struct pfsync_header)
160 #define PFSYNC_ACTIONS \
161 "CLR ST", "INS ST", "UPD ST", "DEL ST", \
162 "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
163 "UPD REQ", "BLK UPD STAT", "TDB UPD"
164
165 #define PFSYNC_DFLTTL 255
166
167 struct pfsyncstats {
168 u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
169 u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
170 u_int64_t pfsyncs_badif; /* not the right interface */
171 u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
172 u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
173 u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
174 u_int64_t pfsyncs_badact; /* bad action */
175 u_int64_t pfsyncs_badlen; /* data length does not match */
176 u_int64_t pfsyncs_badauth; /* bad authentication */
177 u_int64_t pfsyncs_stale; /* stale state */
178 u_int64_t pfsyncs_badval; /* bad values */
179 u_int64_t pfsyncs_badstate; /* insert/lookup failed */
180
181 u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
182 u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
183 u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
184 u_int64_t pfsyncs_oerrors; /* ip output error */
185 };
186
187 /*
188 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
189 */
190 struct pfsyncreq {
191 char pfsyncr_syncdev[IFNAMSIZ];
192 struct in_addr pfsyncr_syncpeer;
193 int pfsyncr_maxupdates;
194 int pfsyncr_authlevel;
195 };
196
197
198 /* for copies to/from network */
199 #define pf_state_peer_hton(s,d) do { \
200 (d)->seqlo = htonl((s)->seqlo); \
201 (d)->seqhi = htonl((s)->seqhi); \
202 (d)->seqdiff = htonl((s)->seqdiff); \
203 (d)->max_win = htons((s)->max_win); \
204 (d)->mss = htons((s)->mss); \
205 (d)->state = (s)->state; \
206 (d)->wscale = (s)->wscale; \
207 if ((s)->scrub) { \
208 (d)->scrub.pfss_flags = \
209 htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
210 (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
211 (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
212 (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
213 } \
214 } while (0)
215
216 #define pf_state_peer_ntoh(s,d) do { \
217 (d)->seqlo = ntohl((s)->seqlo); \
218 (d)->seqhi = ntohl((s)->seqhi); \
219 (d)->seqdiff = ntohl((s)->seqdiff); \
220 (d)->max_win = ntohs((s)->max_win); \
221 (d)->mss = ntohs((s)->mss); \
222 (d)->state = (s)->state; \
223 (d)->wscale = (s)->wscale; \
224 if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
225 (d)->scrub != NULL) { \
226 (d)->scrub->pfss_flags = \
227 ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
228 (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
229 (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
230 } \
231 } while (0)
232
233 #define pf_state_host_hton(s,d) do { \
234 bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
235 (d)->port = (s)->port; \
236 } while (0)
237
238 #define pf_state_host_ntoh(s,d) do { \
239 bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
240 (d)->port = (s)->port; \
241 } while (0)
242
243 #define pf_state_counter_hton(s,d) do { \
244 d[0] = htonl((s>>32)&0xffffffff); \
245 d[1] = htonl(s&0xffffffff); \
246 } while (0)
247
248 #define pf_state_counter_ntoh(s,d) do { \
249 d = ntohl(s[0]); \
250 d = d<<32; \
251 d += ntohl(s[1]); \
252 } while (0)
253
254 #ifdef _KERNEL
255 void pfsync_input(struct mbuf *, ...);
256 int pfsync_clear_states(u_int32_t, char *);
257 int pfsync_pack_state(u_int8_t, struct pf_state *, int);
258 #define pfsync_insert_state(st) do { \
259 if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
260 (st->state_key->proto == IPPROTO_PFSYNC)) \
261 st->sync_flags |= PFSTATE_NOSYNC; \
262 else if (!st->sync_flags) \
263 pfsync_pack_state(PFSYNC_ACT_INS, (st), \
264 PFSYNC_FLAG_COMPRESS); \
265 st->sync_flags &= ~PFSTATE_FROMSYNC; \
266 } while (0)
267 #define pfsync_update_state(st) do { \
268 if (!st->sync_flags) \
269 pfsync_pack_state(PFSYNC_ACT_UPD, (st), \
270 PFSYNC_FLAG_COMPRESS); \
271 st->sync_flags &= ~PFSTATE_FROMSYNC; \
272 } while (0)
273 #define pfsync_delete_state(st) do { \
274 if (!st->sync_flags) \
275 pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
276 PFSYNC_FLAG_COMPRESS); \
277 } while (0)
278 int pfsync_update_tdb(struct tdb *, int);
279 #endif
280
281 #endif /* _NET_IF_PFSYNC_H_ */