Annotation of sys/net/if_pfsync.h, Revision 1.1
1.1 ! nbrk 1: /* $OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $ */
! 2:
! 3: /*
! 4: * Copyright (c) 2001 Michael Shalayeff
! 5: * All rights reserved.
! 6: *
! 7: * Redistribution and use in source and binary forms, with or without
! 8: * modification, are permitted provided that the following conditions
! 9: * are met:
! 10: * 1. Redistributions of source code must retain the above copyright
! 11: * notice, this list of conditions and the following disclaimer.
! 12: * 2. Redistributions in binary form must reproduce the above copyright
! 13: * notice, this list of conditions and the following disclaimer in the
! 14: * documentation and/or other materials provided with the distribution.
! 15: *
! 16: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
! 17: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
! 18: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
! 19: * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
! 20: * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
! 21: * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
! 22: * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 23: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
! 24: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
! 25: * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
! 26: * THE POSSIBILITY OF SUCH DAMAGE.
! 27: */
! 28:
! 29: #ifndef _NET_IF_PFSYNC_H_
! 30: #define _NET_IF_PFSYNC_H_
! 31:
! 32:
! 33: #define PFSYNC_ID_LEN sizeof(u_int64_t)
! 34:
! 35: struct pfsync_tdb {
! 36: u_int32_t spi;
! 37: union sockaddr_union dst;
! 38: u_int32_t rpl;
! 39: u_int64_t cur_bytes;
! 40: u_int8_t sproto;
! 41: u_int8_t updates;
! 42: u_int8_t pad[2];
! 43: } __packed;
! 44:
! 45: struct pfsync_state_upd {
! 46: u_int32_t id[2];
! 47: struct pfsync_state_peer src;
! 48: struct pfsync_state_peer dst;
! 49: u_int32_t creatorid;
! 50: u_int32_t expire;
! 51: u_int8_t timeout;
! 52: u_int8_t updates;
! 53: u_int8_t pad[6];
! 54: } __packed;
! 55:
! 56: struct pfsync_state_del {
! 57: u_int32_t id[2];
! 58: u_int32_t creatorid;
! 59: struct {
! 60: u_int8_t state;
! 61: } src;
! 62: struct {
! 63: u_int8_t state;
! 64: } dst;
! 65: u_int8_t pad[2];
! 66: } __packed;
! 67:
! 68: struct pfsync_state_upd_req {
! 69: u_int32_t id[2];
! 70: u_int32_t creatorid;
! 71: u_int32_t pad;
! 72: } __packed;
! 73:
! 74: struct pfsync_state_clr {
! 75: char ifname[IFNAMSIZ];
! 76: u_int32_t creatorid;
! 77: u_int32_t pad;
! 78: } __packed;
! 79:
! 80: struct pfsync_state_bus {
! 81: u_int32_t creatorid;
! 82: u_int32_t endtime;
! 83: u_int8_t status;
! 84: #define PFSYNC_BUS_START 1
! 85: #define PFSYNC_BUS_END 2
! 86: u_int8_t pad[7];
! 87: } __packed;
! 88:
! 89: #ifdef _KERNEL
! 90:
! 91: union sc_statep {
! 92: struct pfsync_state *s;
! 93: struct pfsync_state_upd *u;
! 94: struct pfsync_state_del *d;
! 95: struct pfsync_state_clr *c;
! 96: struct pfsync_state_bus *b;
! 97: struct pfsync_state_upd_req *r;
! 98: };
! 99:
! 100: union sc_tdb_statep {
! 101: struct pfsync_tdb *t;
! 102: };
! 103:
! 104: extern int pfsync_sync_ok;
! 105:
! 106: struct pfsync_softc {
! 107: struct ifnet sc_if;
! 108: struct ifnet *sc_sync_ifp;
! 109:
! 110: struct ip_moptions sc_imo;
! 111: struct timeout sc_tmo;
! 112: struct timeout sc_tdb_tmo;
! 113: struct timeout sc_bulk_tmo;
! 114: struct timeout sc_bulkfail_tmo;
! 115: struct in_addr sc_sync_peer;
! 116: struct in_addr sc_sendaddr;
! 117: struct mbuf *sc_mbuf; /* current cumulative mbuf */
! 118: struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
! 119: struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */
! 120: union sc_statep sc_statep;
! 121: union sc_statep sc_statep_net;
! 122: union sc_tdb_statep sc_statep_tdb;
! 123: u_int32_t sc_ureq_received;
! 124: u_int32_t sc_ureq_sent;
! 125: struct pf_state *sc_bulk_send_next;
! 126: struct pf_state *sc_bulk_terminator;
! 127: int sc_bulk_tries;
! 128: int sc_maxcount; /* number of states in mtu */
! 129: int sc_maxupdates; /* number of updates/state */
! 130: };
! 131:
! 132: extern struct pfsync_softc *pfsyncif;
! 133: #endif
! 134:
! 135:
! 136: struct pfsync_header {
! 137: u_int8_t version;
! 138: #define PFSYNC_VERSION 3
! 139: u_int8_t af;
! 140: u_int8_t action;
! 141: #define PFSYNC_ACT_CLR 0 /* clear all states */
! 142: #define PFSYNC_ACT_INS 1 /* insert state */
! 143: #define PFSYNC_ACT_UPD 2 /* update state */
! 144: #define PFSYNC_ACT_DEL 3 /* delete state */
! 145: #define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
! 146: #define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
! 147: #define PFSYNC_ACT_INS_F 6 /* insert fragment */
! 148: #define PFSYNC_ACT_DEL_F 7 /* delete fragments */
! 149: #define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
! 150: #define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
! 151: #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
! 152: #define PFSYNC_ACT_MAX 11
! 153: u_int8_t count;
! 154: u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
! 155: } __packed;
! 156:
! 157: #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
! 158: #define PFSYNC_MAX_BULKTRIES 12
! 159: #define PFSYNC_HDRLEN sizeof(struct pfsync_header)
! 160: #define PFSYNC_ACTIONS \
! 161: "CLR ST", "INS ST", "UPD ST", "DEL ST", \
! 162: "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
! 163: "UPD REQ", "BLK UPD STAT", "TDB UPD"
! 164:
! 165: #define PFSYNC_DFLTTL 255
! 166:
! 167: struct pfsyncstats {
! 168: u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
! 169: u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
! 170: u_int64_t pfsyncs_badif; /* not the right interface */
! 171: u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
! 172: u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
! 173: u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
! 174: u_int64_t pfsyncs_badact; /* bad action */
! 175: u_int64_t pfsyncs_badlen; /* data length does not match */
! 176: u_int64_t pfsyncs_badauth; /* bad authentication */
! 177: u_int64_t pfsyncs_stale; /* stale state */
! 178: u_int64_t pfsyncs_badval; /* bad values */
! 179: u_int64_t pfsyncs_badstate; /* insert/lookup failed */
! 180:
! 181: u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
! 182: u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
! 183: u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
! 184: u_int64_t pfsyncs_oerrors; /* ip output error */
! 185: };
! 186:
! 187: /*
! 188: * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
! 189: */
! 190: struct pfsyncreq {
! 191: char pfsyncr_syncdev[IFNAMSIZ];
! 192: struct in_addr pfsyncr_syncpeer;
! 193: int pfsyncr_maxupdates;
! 194: int pfsyncr_authlevel;
! 195: };
! 196:
! 197:
! 198: /* for copies to/from network */
! 199: #define pf_state_peer_hton(s,d) do { \
! 200: (d)->seqlo = htonl((s)->seqlo); \
! 201: (d)->seqhi = htonl((s)->seqhi); \
! 202: (d)->seqdiff = htonl((s)->seqdiff); \
! 203: (d)->max_win = htons((s)->max_win); \
! 204: (d)->mss = htons((s)->mss); \
! 205: (d)->state = (s)->state; \
! 206: (d)->wscale = (s)->wscale; \
! 207: if ((s)->scrub) { \
! 208: (d)->scrub.pfss_flags = \
! 209: htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
! 210: (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
! 211: (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
! 212: (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
! 213: } \
! 214: } while (0)
! 215:
! 216: #define pf_state_peer_ntoh(s,d) do { \
! 217: (d)->seqlo = ntohl((s)->seqlo); \
! 218: (d)->seqhi = ntohl((s)->seqhi); \
! 219: (d)->seqdiff = ntohl((s)->seqdiff); \
! 220: (d)->max_win = ntohs((s)->max_win); \
! 221: (d)->mss = ntohs((s)->mss); \
! 222: (d)->state = (s)->state; \
! 223: (d)->wscale = (s)->wscale; \
! 224: if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
! 225: (d)->scrub != NULL) { \
! 226: (d)->scrub->pfss_flags = \
! 227: ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
! 228: (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
! 229: (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
! 230: } \
! 231: } while (0)
! 232:
! 233: #define pf_state_host_hton(s,d) do { \
! 234: bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
! 235: (d)->port = (s)->port; \
! 236: } while (0)
! 237:
! 238: #define pf_state_host_ntoh(s,d) do { \
! 239: bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr)); \
! 240: (d)->port = (s)->port; \
! 241: } while (0)
! 242:
! 243: #define pf_state_counter_hton(s,d) do { \
! 244: d[0] = htonl((s>>32)&0xffffffff); \
! 245: d[1] = htonl(s&0xffffffff); \
! 246: } while (0)
! 247:
! 248: #define pf_state_counter_ntoh(s,d) do { \
! 249: d = ntohl(s[0]); \
! 250: d = d<<32; \
! 251: d += ntohl(s[1]); \
! 252: } while (0)
! 253:
! 254: #ifdef _KERNEL
! 255: void pfsync_input(struct mbuf *, ...);
! 256: int pfsync_clear_states(u_int32_t, char *);
! 257: int pfsync_pack_state(u_int8_t, struct pf_state *, int);
! 258: #define pfsync_insert_state(st) do { \
! 259: if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
! 260: (st->state_key->proto == IPPROTO_PFSYNC)) \
! 261: st->sync_flags |= PFSTATE_NOSYNC; \
! 262: else if (!st->sync_flags) \
! 263: pfsync_pack_state(PFSYNC_ACT_INS, (st), \
! 264: PFSYNC_FLAG_COMPRESS); \
! 265: st->sync_flags &= ~PFSTATE_FROMSYNC; \
! 266: } while (0)
! 267: #define pfsync_update_state(st) do { \
! 268: if (!st->sync_flags) \
! 269: pfsync_pack_state(PFSYNC_ACT_UPD, (st), \
! 270: PFSYNC_FLAG_COMPRESS); \
! 271: st->sync_flags &= ~PFSTATE_FROMSYNC; \
! 272: } while (0)
! 273: #define pfsync_delete_state(st) do { \
! 274: if (!st->sync_flags) \
! 275: pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
! 276: PFSYNC_FLAG_COMPRESS); \
! 277: } while (0)
! 278: int pfsync_update_tdb(struct tdb *, int);
! 279: #endif
! 280:
! 281: #endif /* _NET_IF_PFSYNC_H_ */
CVSweb