Line data Source code
1 : /* $OpenBSD: if_pfsync.h,v 1.54 2018/09/11 07:53:38 sashan Exp $ */
2 :
3 : /*
4 : * Copyright (c) 2001 Michael Shalayeff
5 : * All rights reserved.
6 : *
7 : * Redistribution and use in source and binary forms, with or without
8 : * modification, are permitted provided that the following conditions
9 : * are met:
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : * 2. Redistributions in binary form must reproduce the above copyright
13 : * notice, this list of conditions and the following disclaimer in the
14 : * documentation and/or other materials provided with the distribution.
15 : *
16 : * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 : * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 : * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 : * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20 : * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 : * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 : * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 : * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26 : * THE POSSIBILITY OF SUCH DAMAGE.
27 : */
28 :
29 : /*
30 : * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
31 : *
32 : * Permission to use, copy, modify, and distribute this software for any
33 : * purpose with or without fee is hereby granted, provided that the above
34 : * copyright notice and this permission notice appear in all copies.
35 : *
36 : * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
37 : * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
38 : * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
39 : * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
40 : * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
41 : * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
42 : * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
43 : */
44 :
45 : #ifndef _NET_IF_PFSYNC_H_
46 : #define _NET_IF_PFSYNC_H_
47 :
48 : #define PFSYNC_VERSION 6
49 : #define PFSYNC_DFLTTL 255
50 :
51 : #define PFSYNC_ACT_CLR 0 /* clear all states */
52 : #define PFSYNC_ACT_OINS 1 /* old insert state */
53 : #define PFSYNC_ACT_INS_ACK 2 /* ack of insterted state */
54 : #define PFSYNC_ACT_OUPD 3 /* old update state */
55 : #define PFSYNC_ACT_UPD_C 4 /* "compressed" update state */
56 : #define PFSYNC_ACT_UPD_REQ 5 /* request "uncompressed" state */
57 : #define PFSYNC_ACT_DEL 6 /* delete state */
58 : #define PFSYNC_ACT_DEL_C 7 /* "compressed" delete state */
59 : #define PFSYNC_ACT_INS_F 8 /* insert fragment */
60 : #define PFSYNC_ACT_DEL_F 9 /* delete fragments */
61 : #define PFSYNC_ACT_BUS 10 /* bulk update status */
62 : #define PFSYNC_ACT_OTDB 11 /* old TDB replay counter update */
63 : #define PFSYNC_ACT_EOF 12 /* end of frame - DEPRECATED */
64 : #define PFSYNC_ACT_INS 13 /* insert state */
65 : #define PFSYNC_ACT_UPD 14 /* update state */
66 : #define PFSYNC_ACT_TDB 15 /* TDB replay counter update */
67 : #define PFSYNC_ACT_MAX 16
68 :
69 : #define PFSYNC_ACTIONS "CLR ST", \
70 : "INS ST OLD", \
71 : "INS ST ACK", \
72 : "UPD ST OLD", \
73 : "UPD ST COMP", \
74 : "UPD ST REQ", \
75 : "DEL ST", \
76 : "DEL ST COMP", \
77 : "INS FR", \
78 : "DEL FR", \
79 : "BULK UPD STAT", \
80 : "UPD TDB OLD", \
81 : "EOF", \
82 : "INS ST", \
83 : "UPD ST", \
84 : "UPD TDB"
85 :
86 : /*
87 : * A pfsync frame is built from a header followed by several sections which
88 : * are all prefixed with their own subheaders.
89 : *
90 : * | ... |
91 : * | IP header |
92 : * +============================+
93 : * | pfsync_header |
94 : * +----------------------------+
95 : * | pfsync_subheader |
96 : * +----------------------------+
97 : * | first action fields |
98 : * | ... |
99 : * +----------------------------+
100 : * | pfsync_subheader |
101 : * +----------------------------+
102 : * | second action fields |
103 : * | ... |
104 : * +============================+
105 : */
106 :
107 : /*
108 : * Frame header
109 : */
110 :
111 : struct pfsync_header {
112 : u_int8_t version;
113 : u_int8_t _pad;
114 : u_int16_t len; /* in bytes */
115 : u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH];
116 : } __packed;
117 :
118 : /*
119 : * Frame region subheader
120 : */
121 :
122 : struct pfsync_subheader {
123 : u_int8_t action;
124 : u_int8_t len; /* in dwords */
125 : u_int16_t count;
126 : } __packed;
127 :
128 : /*
129 : * CLR
130 : */
131 :
132 : struct pfsync_clr {
133 : char ifname[IFNAMSIZ];
134 : u_int32_t creatorid;
135 : } __packed;
136 :
137 : /*
138 : * OINS, OUPD
139 : */
140 :
141 : /* these messages are deprecated */
142 :
143 : /*
144 : * INS, UPD, DEL
145 : */
146 :
147 : /* these use struct pfsync_state in pfvar.h */
148 :
149 : /*
150 : * INS_ACK
151 : */
152 :
153 : struct pfsync_ins_ack {
154 : u_int64_t id;
155 : u_int32_t creatorid;
156 : } __packed;
157 :
158 : /*
159 : * UPD_C
160 : */
161 :
162 : struct pfsync_upd_c {
163 : u_int64_t id;
164 : struct pfsync_state_peer src;
165 : struct pfsync_state_peer dst;
166 : u_int32_t creatorid;
167 : u_int32_t expire;
168 : u_int8_t timeout;
169 : u_int8_t state_flags;
170 : u_int8_t _pad[2];
171 : } __packed;
172 :
173 : /*
174 : * UPD_REQ
175 : */
176 :
177 : struct pfsync_upd_req {
178 : u_int64_t id;
179 : u_int32_t creatorid;
180 : } __packed;
181 :
182 : /*
183 : * DEL_C
184 : */
185 :
186 : struct pfsync_del_c {
187 : u_int64_t id;
188 : u_int32_t creatorid;
189 : } __packed;
190 :
191 : /*
192 : * INS_F, DEL_F
193 : */
194 :
195 : /* not implemented (yet) */
196 :
197 : /*
198 : * BUS
199 : */
200 :
201 : struct pfsync_bus {
202 : u_int32_t creatorid;
203 : u_int32_t endtime;
204 : u_int8_t status;
205 : #define PFSYNC_BUS_START 1
206 : #define PFSYNC_BUS_END 2
207 : u_int8_t _pad[3];
208 : } __packed;
209 :
210 : /*
211 : * TDB
212 : */
213 : struct pfsync_tdb {
214 : u_int32_t spi;
215 : union sockaddr_union dst;
216 : u_int64_t rpl;
217 : u_int64_t cur_bytes;
218 : u_int8_t sproto;
219 : u_int8_t updates;
220 : u_int16_t rdomain;
221 : } __packed;
222 :
223 : /*
224 : * EOF
225 : */
226 :
227 : /* this message is deprecated */
228 :
229 :
230 : #define PFSYNC_HDRLEN sizeof(struct pfsync_header)
231 :
232 :
233 : /*
234 : * Names for PFSYNC sysctl objects
235 : */
236 : #define PFSYNCCTL_STATS 1 /* PFSYNC stats */
237 : #define PFSYNCCTL_MAXID 2
238 :
239 : #define PFSYNCCTL_NAMES { \
240 : { 0, 0 }, \
241 : { "stats", CTLTYPE_STRUCT }, \
242 : }
243 :
244 : struct pfsyncstats {
245 : u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
246 : u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
247 : u_int64_t pfsyncs_badif; /* not the right interface */
248 : u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
249 : u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
250 : u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
251 : u_int64_t pfsyncs_badact; /* bad action */
252 : u_int64_t pfsyncs_badlen; /* data length does not match */
253 : u_int64_t pfsyncs_badauth; /* bad authentication */
254 : u_int64_t pfsyncs_stale; /* stale state */
255 : u_int64_t pfsyncs_badval; /* bad values */
256 : u_int64_t pfsyncs_badstate; /* insert/lookup failed */
257 :
258 : u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
259 : u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
260 : u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
261 : u_int64_t pfsyncs_oerrors; /* ip output error */
262 : };
263 :
264 : /*
265 : * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
266 : */
267 : struct pfsyncreq {
268 : char pfsyncr_syncdev[IFNAMSIZ];
269 : struct in_addr pfsyncr_syncpeer;
270 : int pfsyncr_maxupdates;
271 : int pfsyncr_defer;
272 : };
273 :
274 : #ifdef _KERNEL
275 :
276 : #include <sys/percpu.h>
277 :
278 : enum pfsync_counters {
279 : pfsyncs_ipackets,
280 : pfsyncs_ipackets6,
281 : pfsyncs_badif,
282 : pfsyncs_badttl,
283 : pfsyncs_hdrops,
284 : pfsyncs_badver,
285 : pfsyncs_badact,
286 : pfsyncs_badlen,
287 : pfsyncs_badauth,
288 : pfsyncs_stale,
289 : pfsyncs_badval,
290 : pfsyncs_badstate,
291 : pfsyncs_opackets,
292 : pfsyncs_opackets6,
293 : pfsyncs_onomem,
294 : pfsyncs_oerrors,
295 : pfsyncs_ncounters,
296 : };
297 :
298 : extern struct cpumem *pfsynccounters;
299 :
300 : static inline void
301 0 : pfsyncstat_inc(enum pfsync_counters c)
302 : {
303 0 : counters_inc(pfsynccounters, c);
304 0 : }
305 :
306 : /*
307 : * this shows where a pf state is with respect to the syncing.
308 : */
309 : #define PFSYNC_S_IACK 0x00
310 : #define PFSYNC_S_UPD_C 0x01
311 : #define PFSYNC_S_DEL 0x02
312 : #define PFSYNC_S_INS 0x03
313 : #define PFSYNC_S_UPD 0x04
314 : #define PFSYNC_S_COUNT 0x05
315 :
316 : #define PFSYNC_S_DEFER 0xfe
317 : #define PFSYNC_S_NONE 0xff
318 :
319 : int pfsync_input(struct mbuf **, int *, int, int);
320 : int pfsync_sysctl(int *, u_int, void *, size_t *,
321 : void *, size_t);
322 :
323 : #define PFSYNC_SI_IOCTL 0x01
324 : #define PFSYNC_SI_CKSUM 0x02
325 : #define PFSYNC_SI_ACK 0x04
326 : int pfsync_state_import(struct pfsync_state *, int);
327 : void pfsync_state_export(struct pfsync_state *,
328 : struct pf_state *);
329 :
330 : void pfsync_insert_state(struct pf_state *);
331 : void pfsync_update_state(struct pf_state *, int *);
332 : void pfsync_delete_state(struct pf_state *);
333 : void pfsync_clear_states(u_int32_t, const char *);
334 :
335 : void pfsync_update_tdb(struct tdb *, int);
336 : void pfsync_delete_tdb(struct tdb *);
337 :
338 : int pfsync_defer(struct pf_state *, struct mbuf *);
339 :
340 : int pfsync_up(void);
341 : int pfsync_state_in_use(struct pf_state *);
342 : #endif /* _KERNEL */
343 :
344 : #endif /* _NET_IF_PFSYNC_H_ */
|
