Annotation of sys/net/if_pfsync.h, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $ */
2:
3: /*
4: * Copyright (c) 2001 Michael Shalayeff
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: *
16: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19: * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20: * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21: * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22: * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25: * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26: * THE POSSIBILITY OF SUCH DAMAGE.
27: */
28:
29: #ifndef _NET_IF_PFSYNC_H_
30: #define _NET_IF_PFSYNC_H_
31:
32:
33: #define PFSYNC_ID_LEN sizeof(u_int64_t)
34:
35: struct pfsync_tdb {
36: u_int32_t spi;
37: union sockaddr_union dst;
38: u_int32_t rpl;
39: u_int64_t cur_bytes;
40: u_int8_t sproto;
41: u_int8_t updates;
42: u_int8_t pad[2];
43: } __packed;
44:
45: struct pfsync_state_upd {
46: u_int32_t id[2];
47: struct pfsync_state_peer src;
48: struct pfsync_state_peer dst;
49: u_int32_t creatorid;
50: u_int32_t expire;
51: u_int8_t timeout;
52: u_int8_t updates;
53: u_int8_t pad[6];
54: } __packed;
55:
56: struct pfsync_state_del {
57: u_int32_t id[2];
58: u_int32_t creatorid;
59: struct {
60: u_int8_t state;
61: } src;
62: struct {
63: u_int8_t state;
64: } dst;
65: u_int8_t pad[2];
66: } __packed;
67:
68: struct pfsync_state_upd_req {
69: u_int32_t id[2];
70: u_int32_t creatorid;
71: u_int32_t pad;
72: } __packed;
73:
74: struct pfsync_state_clr {
75: char ifname[IFNAMSIZ];
76: u_int32_t creatorid;
77: u_int32_t pad;
78: } __packed;
79:
80: struct pfsync_state_bus {
81: u_int32_t creatorid;
82: u_int32_t endtime;
83: u_int8_t status;
84: #define PFSYNC_BUS_START 1
85: #define PFSYNC_BUS_END 2
86: u_int8_t pad[7];
87: } __packed;
88:
89: #ifdef _KERNEL
90:
91: union sc_statep {
92: struct pfsync_state *s;
93: struct pfsync_state_upd *u;
94: struct pfsync_state_del *d;
95: struct pfsync_state_clr *c;
96: struct pfsync_state_bus *b;
97: struct pfsync_state_upd_req *r;
98: };
99:
100: union sc_tdb_statep {
101: struct pfsync_tdb *t;
102: };
103:
104: extern int pfsync_sync_ok;
105:
106: struct pfsync_softc {
107: struct ifnet sc_if;
108: struct ifnet *sc_sync_ifp;
109:
110: struct ip_moptions sc_imo;
111: struct timeout sc_tmo;
112: struct timeout sc_tdb_tmo;
113: struct timeout sc_bulk_tmo;
114: struct timeout sc_bulkfail_tmo;
115: struct in_addr sc_sync_peer;
116: struct in_addr sc_sendaddr;
117: struct mbuf *sc_mbuf; /* current cumulative mbuf */
118: struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
119: struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */
120: union sc_statep sc_statep;
121: union sc_statep sc_statep_net;
122: union sc_tdb_statep sc_statep_tdb;
123: u_int32_t sc_ureq_received;
124: u_int32_t sc_ureq_sent;
125: struct pf_state *sc_bulk_send_next;
126: struct pf_state *sc_bulk_terminator;
127: int sc_bulk_tries;
128: int sc_maxcount; /* number of states in mtu */
129: int sc_maxupdates; /* number of updates/state */
130: };
131:
132: extern struct pfsync_softc *pfsyncif;
133: #endif
134:
135:
136: struct pfsync_header {
137: u_int8_t version;
138: #define PFSYNC_VERSION 3
139: u_int8_t af;
140: u_int8_t action;
141: #define PFSYNC_ACT_CLR 0 /* clear all states */
142: #define PFSYNC_ACT_INS 1 /* insert state */
143: #define PFSYNC_ACT_UPD 2 /* update state */
144: #define PFSYNC_ACT_DEL 3 /* delete state */
145: #define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
146: #define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
147: #define PFSYNC_ACT_INS_F 6 /* insert fragment */
148: #define PFSYNC_ACT_DEL_F 7 /* delete fragments */
149: #define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
150: #define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
151: #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
152: #define PFSYNC_ACT_MAX 11
153: u_int8_t count;
154: u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
155: } __packed;
156:
157: #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
158: #define PFSYNC_MAX_BULKTRIES 12
159: #define PFSYNC_HDRLEN sizeof(struct pfsync_header)
160: #define PFSYNC_ACTIONS \
161: "CLR ST", "INS ST", "UPD ST", "DEL ST", \
162: "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
163: "UPD REQ", "BLK UPD STAT", "TDB UPD"
164:
165: #define PFSYNC_DFLTTL 255
166:
167: struct pfsyncstats {
168: u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
169: u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
170: u_int64_t pfsyncs_badif; /* not the right interface */
171: u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
172: u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
173: u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
174: u_int64_t pfsyncs_badact; /* bad action */
175: u_int64_t pfsyncs_badlen; /* data length does not match */
176: u_int64_t pfsyncs_badauth; /* bad authentication */
177: u_int64_t pfsyncs_stale; /* stale state */
178: u_int64_t pfsyncs_badval; /* bad values */
179: u_int64_t pfsyncs_badstate; /* insert/lookup failed */
180:
181: u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
182: u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
183: u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
184: u_int64_t pfsyncs_oerrors; /* ip output error */
185: };
186:
187: /*
188: * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
189: */
190: struct pfsyncreq {
191: char pfsyncr_syncdev[IFNAMSIZ];
192: struct in_addr pfsyncr_syncpeer;
193: int pfsyncr_maxupdates;
194: int pfsyncr_authlevel;
195: };
196:
197:
198: /* for copies to/from network */
199: #define pf_state_peer_hton(s,d) do { \
200: (d)->seqlo = htonl((s)->seqlo); \
201: (d)->seqhi = htonl((s)->seqhi); \
202: (d)->seqdiff = htonl((s)->seqdiff); \
203: (d)->max_win = htons((s)->max_win); \
204: (d)->mss = htons((s)->mss); \
205: (d)->state = (s)->state; \
206: (d)->wscale = (s)->wscale; \
207: if ((s)->scrub) { \
208: (d)->scrub.pfss_flags = \
209: htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
210: (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
211: (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
212: (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
213: } \
214: } while (0)
215:
216: #define pf_state_peer_ntoh(s,d) do { \
217: (d)->seqlo = ntohl((s)->seqlo); \
218: (d)->seqhi = ntohl((s)->seqhi); \
219: (d)->seqdiff = ntohl((s)->seqdiff); \
220: (d)->max_win = ntohs((s)->max_win); \
221: (d)->mss = ntohs((s)->mss); \
222: (d)->state = (s)->state; \
223: (d)->wscale = (s)->wscale; \
224: if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
225: (d)->scrub != NULL) { \
226: (d)->scrub->pfss_flags = \
227: ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
228: (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
229: (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
230: } \
231: } while (0)
232:
233: #define pf_state_host_hton(s,d) do { \
234: bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
235: (d)->port = (s)->port; \
236: } while (0)
237:
238: #define pf_state_host_ntoh(s,d) do { \
239: bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
240: (d)->port = (s)->port; \
241: } while (0)
242:
243: #define pf_state_counter_hton(s,d) do { \
244: d[0] = htonl((s>>32)&0xffffffff); \
245: d[1] = htonl(s&0xffffffff); \
246: } while (0)
247:
248: #define pf_state_counter_ntoh(s,d) do { \
249: d = ntohl(s[0]); \
250: d = d<<32; \
251: d += ntohl(s[1]); \
252: } while (0)
253:
254: #ifdef _KERNEL
255: void pfsync_input(struct mbuf *, ...);
256: int pfsync_clear_states(u_int32_t, char *);
257: int pfsync_pack_state(u_int8_t, struct pf_state *, int);
258: #define pfsync_insert_state(st) do { \
259: if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
260: (st->state_key->proto == IPPROTO_PFSYNC)) \
261: st->sync_flags |= PFSTATE_NOSYNC; \
262: else if (!st->sync_flags) \
263: pfsync_pack_state(PFSYNC_ACT_INS, (st), \
264: PFSYNC_FLAG_COMPRESS); \
265: st->sync_flags &= ~PFSTATE_FROMSYNC; \
266: } while (0)
267: #define pfsync_update_state(st) do { \
268: if (!st->sync_flags) \
269: pfsync_pack_state(PFSYNC_ACT_UPD, (st), \
270: PFSYNC_FLAG_COMPRESS); \
271: st->sync_flags &= ~PFSTATE_FROMSYNC; \
272: } while (0)
273: #define pfsync_delete_state(st) do { \
274: if (!st->sync_flags) \
275: pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
276: PFSYNC_FLAG_COMPRESS); \
277: } while (0)
278: int pfsync_update_tdb(struct tdb *, int);
279: #endif
280:
281: #endif /* _NET_IF_PFSYNC_H_ */
CVSweb