Deleted Added
sdiff udiff text old ( 130613 ) new ( 130933 )
full compact
1/* $FreeBSD: head/sys/contrib/pf/net/if_pfsync.c 130613 2004-06-16 23:24:02Z mlaier $ */
1/* $FreeBSD: head/sys/contrib/pf/net/if_pfsync.c 130933 2004-06-22 20:13:25Z brooks $ */
2/* $OpenBSD: if_pfsync.c,v 1.26 2004/03/28 18:14:20 mcbride Exp $ */
3
4/*
5 * Copyright (c) 2002 Michael Shalayeff
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
21 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
27 * THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30#ifdef __FreeBSD__
31#include "opt_inet.h"
32#include "opt_inet6.h"
33#include "opt_random_ip_id.h"
34#endif
35
36#ifndef __FreeBSD__
37#include "bpfilter.h"
38#include "pfsync.h"
39#elif __FreeBSD__ >= 5
40#include "opt_bpf.h"
41#include "opt_pf.h"
42#define NBPFILTER DEV_BPF
43#define NPFSYNC DEV_PFSYNC
44#endif
45
46#include <sys/param.h>
47#include <sys/proc.h>
48#include <sys/systm.h>
49#include <sys/time.h>
50#include <sys/mbuf.h>
51#include <sys/socket.h>
52#ifdef __FreeBSD__
53#include <sys/kernel.h>
54#include <sys/malloc.h>
55#include <sys/module.h>
56#include <sys/sockio.h>
57#include <sys/lock.h>
58#include <sys/mutex.h>
59#else
60#include <sys/ioctl.h>
61#include <sys/timeout.h>
62#endif
63
64#include <net/if.h>
65#if defined(__FreeBSD__)
66#include <net/if_clone.h>
67#endif
68#include <net/if_types.h>
69#include <net/route.h>
70#include <net/bpf.h>
71
72#ifdef INET
73#include <netinet/in.h>
74#include <netinet/in_systm.h>
75#include <netinet/in_var.h>
76#include <netinet/ip.h>
77#include <netinet/ip_var.h>
78#endif
79
80#ifdef INET6
81#ifndef INET
82#include <netinet/in.h>
83#endif
84#include <netinet6/nd6.h>
85#endif /* INET6 */
86
87#include <net/pfvar.h>
88#include <net/if_pfsync.h>
89
90#ifdef __FreeBSD__
91#define PFSYNCNAME "pfsync"
92#endif
93
94#define PFSYNC_MINMTU \
95 (sizeof(struct pfsync_header) + sizeof(struct pf_state))
96
97#ifdef PFSYNCDEBUG
98#define DPRINTF(x) do { if (pfsyncdebug) printf x ; } while (0)
99int pfsyncdebug;
100#else
101#define DPRINTF(x)
102#endif
103
104#ifndef __FreeBSD__
105struct pfsync_softc pfsyncif;
106#endif
107int pfsync_sync_ok;
108struct pfsyncstats pfsyncstats;
109
110#ifndef RANDOM_IP_ID
111extern u_int16_t ip_randomid(void);
112#endif
113
114#ifdef __FreeBSD__
115
116/*
117 * Locking notes:
118 * Whenever we really touch/look at the state table we have to hold the
119 * PF_LOCK. Functions that do just the interface handling, grab the per
120 * softc lock instead.
121 *
122 */
123
124static void pfsync_clone_destroy(struct ifnet *);
125static int pfsync_clone_create(struct if_clone *, int);
126#else
127void pfsyncattach(int);
128#endif
129void pfsync_setmtu(struct pfsync_softc *, int);
130int pfsync_insert_net_state(struct pfsync_state *);
131int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
132 struct rtentry *);
133int pfsyncioctl(struct ifnet *, u_long, caddr_t);
134void pfsyncstart(struct ifnet *);
135
136struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **);
137int pfsync_request_update(struct pfsync_state_upd *, struct in_addr *);
138int pfsync_sendout(struct pfsync_softc *);
139void pfsync_timeout(void *);
140void pfsync_send_bus(struct pfsync_softc *, u_int8_t);
141void pfsync_bulk_update(void *);
142void pfsync_bulkfail(void *);
143
144#ifndef __FreeBSD__
145extern int ifqmaxlen;
146extern struct timeval time;
147extern struct timeval mono_time;
148extern int hz;
149#endif
150
151#ifdef __FreeBSD__
152static MALLOC_DEFINE(M_PFSYNC, PFSYNCNAME, "Packet Filter State Sync. Interface");
153static LIST_HEAD(pfsync_list, pfsync_softc) pfsync_list;
151struct if_clone pfsync_cloner = IF_CLONE_INITIALIZER(PFSYNCNAME,
152 pfsync_clone_create, pfsync_clone_destroy, 1, IF_MAXUNIT);
154IFC_SIMPLE_DECLARE(pfsync, 1);
155
156static void
157pfsync_clone_destroy(struct ifnet *ifp)
158{
159 struct pfsync_softc *sc;
160
161 sc = ifp->if_softc;
162 callout_stop(&sc->sc_tmo);
163 callout_stop(&sc->sc_bulk_tmo);
164 callout_stop(&sc->sc_bulkfail_tmo);
165
166#if NBPFILTER > 0
167 bpfdetach(ifp);
168#endif
169 if_detach(ifp);
170 LIST_REMOVE(sc, sc_next);
171 free(sc, M_PFSYNC);
172}
173
174static int
175pfsync_clone_create(struct if_clone *ifc, int unit)
176{
177 struct pfsync_softc *sc;
178 struct ifnet *ifp;
179
180 MALLOC(sc, struct pfsync_softc *, sizeof(*sc), M_PFSYNC,
181 M_WAITOK|M_ZERO);
182
183 pfsync_sync_ok = 1;
184 sc->sc_mbuf = NULL;
185 sc->sc_mbuf_net = NULL;
186 sc->sc_statep.s = NULL;
187 sc->sc_statep_net.s = NULL;
188 sc->sc_maxupdates = 128;
189 sc->sc_sendaddr.s_addr = htonl(INADDR_PFSYNC_GROUP);
190 sc->sc_ureq_received = 0;
191 sc->sc_ureq_sent = 0;
192
193 ifp = &sc->sc_if;
194 if_initname(ifp, ifc->ifc_name, unit);
195 ifp->if_ioctl = pfsyncioctl;
196 ifp->if_output = pfsyncoutput;
197 ifp->if_start = pfsyncstart;
198 ifp->if_type = IFT_PFSYNC;
199 ifp->if_snd.ifq_maxlen = ifqmaxlen;
200 ifp->if_hdrlen = PFSYNC_HDRLEN;
201 ifp->if_baudrate = IF_Mbps(100);
202 ifp->if_softc = sc;
203 pfsync_setmtu(sc, MCLBYTES);
204 /*
205 * XXX
206 * The 2nd arg. 0 to callout_init(9) shoule be set to CALLOUT_MPSAFE
207 * if Gaint lock is removed from the network stack.
208 */
209 callout_init(&sc->sc_tmo, 0);
210 callout_init(&sc->sc_bulk_tmo, 0);
211 callout_init(&sc->sc_bulkfail_tmo, 0);
212 if_attach(&sc->sc_if);
213
214 LIST_INSERT_HEAD(&pfsync_list, sc, sc_next);
215#if NBPFILTER > 0
216 bpfattach(&sc->sc_if, DLT_PFSYNC, PFSYNC_HDRLEN);
217#endif
218
219 return (0);
220}
221#else /* !__FreeBSD__ */
222void
223pfsyncattach(int npfsync)
224{
225 struct ifnet *ifp;
226
227 pfsync_sync_ok = 1;
228 bzero(&pfsyncif, sizeof(pfsyncif));
229 pfsyncif.sc_mbuf = NULL;
230 pfsyncif.sc_mbuf_net = NULL;
231 pfsyncif.sc_statep.s = NULL;
232 pfsyncif.sc_statep_net.s = NULL;
233 pfsyncif.sc_maxupdates = 128;
234 pfsyncif.sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP;
235 pfsyncif.sc_ureq_received = 0;
236 pfsyncif.sc_ureq_sent = 0;
237 ifp = &pfsyncif.sc_if;
238 strlcpy(ifp->if_xname, "pfsync0", sizeof ifp->if_xname);
239 ifp->if_softc = &pfsyncif;
240 ifp->if_ioctl = pfsyncioctl;
241 ifp->if_output = pfsyncoutput;
242 ifp->if_start = pfsyncstart;
243 ifp->if_type = IFT_PFSYNC;
244 ifp->if_snd.ifq_maxlen = ifqmaxlen;
245 ifp->if_hdrlen = PFSYNC_HDRLEN;
246 pfsync_setmtu(&pfsyncif, MCLBYTES);
247 timeout_set(&pfsyncif.sc_tmo, pfsync_timeout, &pfsyncif);
248 timeout_set(&pfsyncif.sc_bulk_tmo, pfsync_bulk_update, &pfsyncif);
249 timeout_set(&pfsyncif.sc_bulkfail_tmo, pfsync_bulkfail, &pfsyncif);
250 if_attach(ifp);
251 if_alloc_sadl(ifp);
252
253#if NBPFILTER > 0
254 bpfattach(&pfsyncif.sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN);
255#endif
256}
257#endif
258
259/*
260 * Start output on the pfsync interface.
261 */
262void
263pfsyncstart(struct ifnet *ifp)
264{
265#ifdef __FreeBSD__
266 IF_LOCK(&ifp->if_snd);
267 _IF_DROP(&ifp->if_snd);
268 _IF_DRAIN(&ifp->if_snd);
269 IF_UNLOCK(&ifp->if_snd);
270#else
271 struct mbuf *m;
272 int s;
273
274 for (;;) {
275 s = splimp();
276 IF_DROP(&ifp->if_snd);
277 IF_DEQUEUE(&ifp->if_snd, m);
278 splx(s);
279
280 if (m == NULL)
281 return;
282 else
283 m_freem(m);
284 }
285#endif
286}
287
288int
289pfsync_insert_net_state(struct pfsync_state *sp)
290{
291 struct pf_state *st = NULL;
292 struct pf_rule *r = NULL;
293 struct pfi_kif *kif;
294
295#ifdef __FreeBSD__
296 PF_ASSERT(MA_OWNED);
297#endif
298 if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
299 printf("pfsync_insert_net_state: invalid creator id:"
300 " %08x\n", ntohl(sp->creatorid));
301 return (EINVAL);
302 }
303
304 kif = pfi_lookup_create(sp->ifname);
305 if (kif == NULL) {
306 if (pf_status.debug >= PF_DEBUG_MISC)
307 printf("pfsync_insert_net_state: "
308 "unknown interface: %s\n", sp->ifname);
309 /* skip this state */
310 return (0);
311 }
312
313 /*
314 * Just use the default rule until we have infrastructure to find the
315 * best matching rule.
316 */
317 r = &pf_default_rule;
318
319 if (!r->max_states || r->states < r->max_states)
320 st = pool_get(&pf_state_pl, PR_NOWAIT);
321 if (st == NULL) {
322 pfi_maybe_destroy(kif);
323 return (ENOMEM);
324 }
325 bzero(st, sizeof(*st));
326
327 st->rule.ptr = r;
328 /* XXX get pointers to nat_rule and anchor */
329
330 /* fill in the rest of the state entry */
331 pf_state_host_ntoh(&sp->lan, &st->lan);
332 pf_state_host_ntoh(&sp->gwy, &st->gwy);
333 pf_state_host_ntoh(&sp->ext, &st->ext);
334
335 pf_state_peer_ntoh(&sp->src, &st->src);
336 pf_state_peer_ntoh(&sp->dst, &st->dst);
337
338 bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
339#ifdef __FreeBSD__
340 st->creation = ntohl(sp->creation) + time_second;
341 st->expire = ntohl(sp->expire) + time_second;
342#else
343 st->creation = ntohl(sp->creation) + time.tv_sec;
344 st->expire = ntohl(sp->expire) + time.tv_sec;
345#endif
346
347 st->af = sp->af;
348 st->proto = sp->proto;
349 st->direction = sp->direction;
350 st->log = sp->log;
351 st->timeout = sp->timeout;
352 st->allow_opts = sp->allow_opts;
353
354 bcopy(sp->id, &st->id, sizeof(st->id));
355 st->creatorid = sp->creatorid;
356 st->sync_flags = sp->sync_flags | PFSTATE_FROMSYNC;
357
358
359 if (pf_insert_state(kif, st)) {
360 pfi_maybe_destroy(kif);
361 pool_put(&pf_state_pl, st);
362 return (EINVAL);
363 }
364
365 return (0);
366}
367
368void
369#ifdef __FreeBSD__
370pfsync_input(struct mbuf *m, __unused int off)
371#else
372pfsync_input(struct mbuf *m, ...)
373#endif
374{
375 struct ip *ip = mtod(m, struct ip *);
376 struct pfsync_header *ph;
377#ifdef __FreeBSD__
378 struct pfsync_softc *sc = LIST_FIRST(&pfsync_list);
379#else
380 struct pfsync_softc *sc = &pfsyncif;
381#endif
382 struct pf_state *st, key;
383 struct pfsync_state *sp;
384 struct pfsync_state_upd *up;
385 struct pfsync_state_del *dp;
386 struct pfsync_state_clr *cp;
387 struct pfsync_state_upd_req *rup;
388 struct pfsync_state_bus *bus;
389 struct in_addr src;
390 struct mbuf *mp;
391 int iplen, action, error, i, s, count, offp;
392
393 pfsyncstats.pfsyncs_ipackets++;
394
395 /* verify that we have a sync interface configured */
396 if (!sc->sc_sync_ifp || !pf_status.running) /* XXX PF_LOCK? */
397 goto done;
398
399 /* verify that the packet came in on the right interface */
400 if (sc->sc_sync_ifp != m->m_pkthdr.rcvif) {
401 pfsyncstats.pfsyncs_badif++;
402 goto done;
403 }
404
405 /* verify that the IP TTL is 255. */
406 if (ip->ip_ttl != PFSYNC_DFLTTL) {
407 pfsyncstats.pfsyncs_badttl++;
408 goto done;
409 }
410
411 iplen = ip->ip_hl << 2;
412
413 if (m->m_pkthdr.len < iplen + sizeof(*ph)) {
414 pfsyncstats.pfsyncs_hdrops++;
415 goto done;
416 }
417
418 if (iplen + sizeof(*ph) > m->m_len) {
419 if ((m = m_pullup(m, iplen + sizeof(*ph))) == NULL) {
420 pfsyncstats.pfsyncs_hdrops++;
421 goto done;
422 }
423 ip = mtod(m, struct ip *);
424 }
425 ph = (struct pfsync_header *)((char *)ip + iplen);
426
427 /* verify the version */
428 if (ph->version != PFSYNC_VERSION) {
429 pfsyncstats.pfsyncs_badver++;
430 goto done;
431 }
432
433 action = ph->action;
434 count = ph->count;
435
436 /* make sure it's a valid action code */
437 if (action >= PFSYNC_ACT_MAX) {
438 pfsyncstats.pfsyncs_badact++;
439 goto done;
440 }
441
442 /* Cheaper to grab this now than having to mess with mbufs later */
443 src = ip->ip_src;
444
445 switch (action) {
446 case PFSYNC_ACT_CLR: {
447 struct pfi_kif *kif;
448 u_int32_t creatorid;
449 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
450 sizeof(*cp), &offp)) == NULL) {
451 pfsyncstats.pfsyncs_badlen++;
452 return;
453 }
454 cp = (struct pfsync_state_clr *)(mp->m_data + offp);
455 creatorid = cp->creatorid;
456
457 s = splsoftnet();
458#ifdef __FreeBSD__
459 PF_LOCK();
460#endif
461 if (cp->ifname[0] == '\0') {
462 RB_FOREACH(st, pf_state_tree_id, &tree_id) {
463 if (st->creatorid == creatorid)
464 st->timeout = PFTM_PURGE;
465 }
466 } else {
467 kif = pfi_lookup_if(cp->ifname);
468 if (kif == NULL) {
469 if (pf_status.debug >= PF_DEBUG_MISC)
470 printf("pfsync_input: PFSYNC_ACT_CLR "
471 "bad interface: %s\n", cp->ifname);
472 splx(s);
473#ifdef __FreeBSD__
474 PF_UNLOCK();
475#endif
476 goto done;
477 }
478 RB_FOREACH(st, pf_state_tree_lan_ext,
479 &kif->pfik_lan_ext) {
480 if (st->creatorid == creatorid)
481 st->timeout = PFTM_PURGE;
482 }
483 }
484 pf_purge_expired_states();
485#ifdef __FreeBSD__
486 PF_UNLOCK();
487#endif
488 splx(s);
489
490 break;
491 }
492 case PFSYNC_ACT_INS:
493 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
494 count * sizeof(*sp), &offp)) == NULL) {
495 pfsyncstats.pfsyncs_badlen++;
496 return;
497 }
498
499 s = splsoftnet();
500#ifdef __FreeBSD__
501 PF_LOCK();
502#endif
503 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
504 i < count; i++, sp++) {
505 /* check for invalid values */
506 if (sp->timeout >= PFTM_MAX ||
507 sp->src.state > PF_TCPS_PROXY_DST ||
508 sp->dst.state > PF_TCPS_PROXY_DST ||
509 sp->direction > PF_OUT ||
510 (sp->af != AF_INET && sp->af != AF_INET6)) {
511 if (pf_status.debug >= PF_DEBUG_MISC)
512 printf("pfsync_insert: PFSYNC_ACT_INS: "
513 "invalid value\n");
514 pfsyncstats.pfsyncs_badstate++;
515 continue;
516 }
517
518 if ((error = pfsync_insert_net_state(sp))) {
519 if (error == ENOMEM) {
520 splx(s);
521#ifdef __FreeBSD__
522 PF_UNLOCK();
523#endif
524 goto done;
525 }
526 continue;
527 }
528 }
529#ifdef __FreeBSD__
530 PF_UNLOCK();
531#endif
532 splx(s);
533 break;
534 case PFSYNC_ACT_UPD:
535 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
536 count * sizeof(*sp), &offp)) == NULL) {
537 pfsyncstats.pfsyncs_badlen++;
538 return;
539 }
540
541 s = splsoftnet();
542#ifdef __FreeBSD__
543 PF_LOCK();
544#endif
545 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
546 i < count; i++, sp++) {
547 /* check for invalid values */
548 if (sp->timeout >= PFTM_MAX ||
549 sp->src.state > PF_TCPS_PROXY_DST ||
550 sp->dst.state > PF_TCPS_PROXY_DST) {
551 if (pf_status.debug >= PF_DEBUG_MISC)
552 printf("pfsync_insert: PFSYNC_ACT_UPD: "
553 "invalid value\n");
554 pfsyncstats.pfsyncs_badstate++;
555 continue;
556 }
557
558 bcopy(sp->id, &key.id, sizeof(key.id));
559 key.creatorid = sp->creatorid;
560
561 st = pf_find_state_byid(&key);
562 if (st == NULL) {
563 /* insert the update */
564 if (pfsync_insert_net_state(sp))
565 pfsyncstats.pfsyncs_badstate++;
566 continue;
567 }
568 pf_state_peer_ntoh(&sp->src, &st->src);
569 pf_state_peer_ntoh(&sp->dst, &st->dst);
570#ifdef __FreeBSD__
571 st->expire = ntohl(sp->expire) + time_second;
572#else
573 st->expire = ntohl(sp->expire) + time.tv_sec;
574#endif
575 st->timeout = sp->timeout;
576
577 }
578#ifdef __FreeBSD__
579 PF_UNLOCK();
580#endif
581 splx(s);
582 break;
583 /*
584 * It's not strictly necessary for us to support the "uncompressed"
585 * delete action, but it's relatively simple and maintains consistency.
586 */
587 case PFSYNC_ACT_DEL:
588 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
589 count * sizeof(*sp), &offp)) == NULL) {
590 pfsyncstats.pfsyncs_badlen++;
591 return;
592 }
593
594 s = splsoftnet();
595#ifdef __FreeBSD__
596 PF_LOCK();
597#endif
598 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
599 i < count; i++, sp++) {
600 bcopy(sp->id, &key.id, sizeof(key.id));
601 key.creatorid = sp->creatorid;
602
603 st = pf_find_state_byid(&key);
604 if (st == NULL) {
605 pfsyncstats.pfsyncs_badstate++;
606 continue;
607 }
608 /*
609 * XXX
610 * pf_purge_expired_states() is expensive,
611 * we really want to purge the state directly.
612 */
613 st->timeout = PFTM_PURGE;
614 st->sync_flags |= PFSTATE_FROMSYNC;
615 }
616 pf_purge_expired_states();
617#ifdef __FreeBSD__
618 PF_UNLOCK();
619#endif
620 splx(s);
621 break;
622 case PFSYNC_ACT_UPD_C: {
623 int update_requested = 0;
624
625 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
626 count * sizeof(*up), &offp)) == NULL) {
627 pfsyncstats.pfsyncs_badlen++;
628 return;
629 }
630
631 s = splsoftnet();
632#ifdef __FreeBSD__
633 PF_LOCK();
634#endif
635 for (i = 0, up = (struct pfsync_state_upd *)(mp->m_data + offp);
636 i < count; i++, up++) {
637 /* check for invalid values */
638 if (up->timeout >= PFTM_MAX ||
639 up->src.state > PF_TCPS_PROXY_DST ||
640 up->dst.state > PF_TCPS_PROXY_DST) {
641 if (pf_status.debug >= PF_DEBUG_MISC)
642 printf("pfsync_insert: "
643 "PFSYNC_ACT_UPD_C: "
644 "invalid value\n");
645 pfsyncstats.pfsyncs_badstate++;
646 continue;
647 }
648
649 bcopy(up->id, &key.id, sizeof(key.id));
650 key.creatorid = up->creatorid;
651
652 st = pf_find_state_byid(&key);
653 if (st == NULL) {
654 /* We don't have this state. Ask for it. */
655 pfsync_request_update(up, &src);
656 update_requested = 1;
657 pfsyncstats.pfsyncs_badstate++;
658 continue;
659 }
660 pf_state_peer_ntoh(&up->src, &st->src);
661 pf_state_peer_ntoh(&up->dst, &st->dst);
662#ifdef __FreeBSD__
663 st->expire = ntohl(up->expire) + time_second;
664#else
665 st->expire = ntohl(up->expire) + time.tv_sec;
666#endif
667 st->timeout = up->timeout;
668 }
669 if (update_requested)
670 pfsync_sendout(sc);
671#ifdef __FreeBSD__
672 PF_UNLOCK();
673#endif
674 splx(s);
675 break;
676 }
677 case PFSYNC_ACT_DEL_C:
678 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
679 count * sizeof(*dp), &offp)) == NULL) {
680 pfsyncstats.pfsyncs_badlen++;
681 return;
682 }
683
684 s = splsoftnet();
685#ifdef __FreeBSD__
686 PF_LOCK();
687#endif
688 for (i = 0, dp = (struct pfsync_state_del *)(mp->m_data + offp);
689 i < count; i++, dp++) {
690 bcopy(dp->id, &key.id, sizeof(key.id));
691 key.creatorid = dp->creatorid;
692
693 st = pf_find_state_byid(&key);
694 if (st == NULL) {
695 pfsyncstats.pfsyncs_badstate++;
696 continue;
697 }
698 /*
699 * XXX
700 * pf_purge_expired_states() is expensive,
701 * we really want to purge the state directly.
702 */
703 st->timeout = PFTM_PURGE;
704 st->sync_flags |= PFSTATE_FROMSYNC;
705 }
706 pf_purge_expired_states();
707#ifdef __FreeBSD__
708 PF_UNLOCK();
709#endif
710 splx(s);
711 break;
712 case PFSYNC_ACT_INS_F:
713 case PFSYNC_ACT_DEL_F:
714 /* not implemented */
715 break;
716 case PFSYNC_ACT_UREQ:
717 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
718 count * sizeof(*rup), &offp)) == NULL) {
719 pfsyncstats.pfsyncs_badlen++;
720 return;
721 }
722
723 s = splsoftnet();
724 /* XXX send existing. pfsync_pack_state should handle this. */
725#ifdef __FreeBSD__
726 PF_LOCK();
727#endif
728 if (sc->sc_mbuf != NULL)
729 pfsync_sendout(sc);
730 for (i = 0,
731 rup = (struct pfsync_state_upd_req *)(mp->m_data + offp);
732 i < count; i++, rup++) {
733 bcopy(rup->id, &key.id, sizeof(key.id));
734 key.creatorid = rup->creatorid;
735
736 if (key.id == 0 && key.creatorid == 0) {
737#ifdef __FreeBSD__
738 sc->sc_ureq_received = time_uptime;
739#else
740 sc->sc_ureq_received = mono_time.tv_sec;
741#endif
742 if (pf_status.debug >= PF_DEBUG_MISC)
743 printf("pfsync: received "
744 "bulk update request\n");
745 pfsync_send_bus(sc, PFSYNC_BUS_START);
746#ifdef __FreeBSD__
747 callout_reset(&sc->sc_bulk_tmo, 1 * hz,
748 pfsync_bulk_update,
749 LIST_FIRST(&pfsync_list));
750#else
751 timeout_add(&sc->sc_bulk_tmo, 1 * hz);
752#endif
753 } else {
754 st = pf_find_state_byid(&key);
755 if (st == NULL) {
756 pfsyncstats.pfsyncs_badstate++;
757 continue;
758 }
759 pfsync_pack_state(PFSYNC_ACT_UPD, st, 0);
760 }
761 }
762 if (sc->sc_mbuf != NULL)
763 pfsync_sendout(sc);
764#ifdef __FreeBSD__
765 PF_UNLOCK();
766#endif
767 splx(s);
768 break;
769 case PFSYNC_ACT_BUS:
770 /* If we're not waiting for a bulk update, who cares. */
771 if (sc->sc_ureq_sent == 0)
772 break;
773
774 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
775 sizeof(*bus), &offp)) == NULL) {
776 pfsyncstats.pfsyncs_badlen++;
777 return;
778 }
779 bus = (struct pfsync_state_bus *)(mp->m_data + offp);
780 switch (bus->status) {
781 case PFSYNC_BUS_START:
782#ifdef __FreeBSD__
783 callout_reset(&sc->sc_bulkfail_tmo,
784 pf_pool_limits[PF_LIMIT_STATES].limit /
785 (PFSYNC_BULKPACKETS * sc->sc_maxcount),
786 pfsync_bulkfail, LIST_FIRST(&pfsync_list));
787#else
788 timeout_add(&sc->sc_bulkfail_tmo,
789 pf_pool_limits[PF_LIMIT_STATES].limit /
790 (PFSYNC_BULKPACKETS * sc->sc_maxcount));
791#endif
792 if (pf_status.debug >= PF_DEBUG_MISC)
793 printf("pfsync: received bulk "
794 "update start\n");
795 break;
796 case PFSYNC_BUS_END:
797#ifdef __FreeBSD__
798 if (time_uptime - ntohl(bus->endtime) >=
799#else
800 if (mono_time.tv_sec - ntohl(bus->endtime) >=
801#endif
802 sc->sc_ureq_sent) {
803 /* that's it, we're happy */
804 sc->sc_ureq_sent = 0;
805 sc->sc_bulk_tries = 0;
806#ifdef __FreeBSD__
807 callout_stop(&sc->sc_bulkfail_tmo);
808#else
809 timeout_del(&sc->sc_bulkfail_tmo);
810#endif
811 pfsync_sync_ok = 1;
812 if (pf_status.debug >= PF_DEBUG_MISC)
813 printf("pfsync: received valid "
814 "bulk update end\n");
815 } else {
816 if (pf_status.debug >= PF_DEBUG_MISC)
817 printf("pfsync: received invalid "
818 "bulk update end: bad timestamp\n");
819 }
820 break;
821 }
822 break;
823 }
824
825done:
826 if (m)
827 m_freem(m);
828}
829
830int
831pfsyncoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
832 struct rtentry *rt)
833{
834 m_freem(m);
835 return (0);
836}
837
838/* ARGSUSED */
839int
840pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
841{
842#ifndef __FreeBSD__
843 struct proc *p = curproc;
844#endif
845 struct pfsync_softc *sc = ifp->if_softc;
846 struct ifreq *ifr = (struct ifreq *)data;
847 struct ip_moptions *imo = &sc->sc_imo;
848 struct pfsyncreq pfsyncr;
849 struct ifnet *sifp;
850 int s, error;
851
852 switch (cmd) {
853 case SIOCSIFADDR:
854 case SIOCAIFADDR:
855 case SIOCSIFDSTADDR:
856 case SIOCSIFFLAGS:
857 if (ifp->if_flags & IFF_UP)
858 ifp->if_flags |= IFF_RUNNING;
859 else
860 ifp->if_flags &= ~IFF_RUNNING;
861 break;
862 case SIOCSIFMTU:
863 if (ifr->ifr_mtu < PFSYNC_MINMTU)
864 return (EINVAL);
865 if (ifr->ifr_mtu > MCLBYTES)
866 ifr->ifr_mtu = MCLBYTES;
867 s = splnet();
868#ifdef __FreeBSD__
869 PF_LOCK();
870#endif
871 if (ifr->ifr_mtu < ifp->if_mtu) {
872 pfsync_sendout(sc);
873 }
874 pfsync_setmtu(sc, ifr->ifr_mtu);
875#ifdef __FreeBSD__
876 PF_UNLOCK();
877#endif
878 splx(s);
879 break;
880 case SIOCGETPFSYNC:
881#ifdef __FreeBSD__
882 /* XXX: read unlocked */
883#endif
884 bzero(&pfsyncr, sizeof(pfsyncr));
885 if (sc->sc_sync_ifp)
886 strlcpy(pfsyncr.pfsyncr_syncif,
887 sc->sc_sync_ifp->if_xname, IFNAMSIZ);
888 pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates;
889 if ((error = copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))))
890 return (error);
891 break;
892 case SIOCSETPFSYNC:
893#ifdef __FreeBSD__
894 if ((error = suser(curthread)) != 0)
895#else
896 if ((error = suser(p, p->p_acflag)) != 0)
897#endif
898 return (error);
899 if ((error = copyin(ifr->ifr_data, &pfsyncr, sizeof(pfsyncr))))
900 return (error);
901
902 if (pfsyncr.pfsyncr_maxupdates > 255)
903 return (EINVAL);
904#ifdef __FreeBSD__
905 PF_LOCK();
906#endif
907 sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;
908
909 if (pfsyncr.pfsyncr_syncif[0] == 0) {
910 sc->sc_sync_ifp = NULL;
911 if (sc->sc_mbuf_net != NULL) {
912 /* Don't keep stale pfsync packets around. */
913 s = splnet();
914 m_freem(sc->sc_mbuf_net);
915 sc->sc_mbuf_net = NULL;
916 sc->sc_statep_net.s = NULL;
917 splx(s);
918 }
919#ifdef __FreeBSD__
920 PF_UNLOCK();
921#endif
922 break;
923 }
924 if ((sifp = ifunit(pfsyncr.pfsyncr_syncif)) == NULL) {
925#ifdef __FreeBSD__
926 PF_UNLOCK();
927#endif
928 return (EINVAL);
929 }
930 else if (sifp == sc->sc_sync_ifp) {
931#ifdef __FreeBSD__
932 PF_UNLOCK();
933#endif
934 break;
935 }
936
937 s = splnet();
938 if (sifp->if_mtu < sc->sc_if.if_mtu ||
939 (sc->sc_sync_ifp != NULL &&
940 sifp->if_mtu < sc->sc_sync_ifp->if_mtu) ||
941 sifp->if_mtu < MCLBYTES - sizeof(struct ip))
942 pfsync_sendout(sc);
943 sc->sc_sync_ifp = sifp;
944
945 pfsync_setmtu(sc, sc->sc_if.if_mtu);
946
947 if (imo->imo_num_memberships > 0) {
948 in_delmulti(imo->imo_membership[--imo->imo_num_memberships]);
949 imo->imo_multicast_ifp = NULL;
950 }
951
952 if (sc->sc_sync_ifp) {
953 struct in_addr addr;
954
955#ifdef __FreeBSD__
956 PF_UNLOCK(); /* addmulti mallocs w/ WAITOK */
957 addr.s_addr = htonl(INADDR_PFSYNC_GROUP);
958#else
959 addr.s_addr = INADDR_PFSYNC_GROUP;
960#endif
961 if ((imo->imo_membership[0] =
962 in_addmulti(&addr, sc->sc_sync_ifp)) == NULL) {
963 splx(s);
964 return (ENOBUFS);
965 }
966 imo->imo_num_memberships++;
967 imo->imo_multicast_ifp = sc->sc_sync_ifp;
968 imo->imo_multicast_ttl = PFSYNC_DFLTTL;
969 imo->imo_multicast_loop = 0;
970
971 /* Request a full state table update. */
972#ifdef __FreeBSD__
973 PF_LOCK();
974 sc->sc_ureq_sent = time_uptime;
975#else
976 sc->sc_ureq_sent = mono_time.tv_sec;
977#endif
978 pfsync_sync_ok = 0;
979 if (pf_status.debug >= PF_DEBUG_MISC)
980 printf("pfsync: requesting bulk update\n");
981#ifdef __FreeBSD__
982 callout_reset(&sc->sc_bulkfail_tmo, 5 * hz,
983 pfsync_bulkfail, LIST_FIRST(&pfsync_list));
984#else
985 timeout_add(&sc->sc_bulkfail_tmo, 5 * hz);
986#endif
987 pfsync_request_update(NULL, NULL);
988 pfsync_sendout(sc);
989 }
990#ifdef __FreeBSD__
991 PF_UNLOCK();
992#endif
993 splx(s);
994
995 break;
996
997 default:
998 return (ENOTTY);
999 }
1000
1001 return (0);
1002}
1003
1004void
1005pfsync_setmtu(struct pfsync_softc *sc, int mtu_req)
1006{
1007 int mtu;
1008
1009 if (sc->sc_sync_ifp && sc->sc_sync_ifp->if_mtu < mtu_req)
1010 mtu = sc->sc_sync_ifp->if_mtu;
1011 else
1012 mtu = mtu_req;
1013
1014 sc->sc_maxcount = (mtu - sizeof(struct pfsync_header)) /
1015 sizeof(struct pfsync_state);
1016 if (sc->sc_maxcount > 254)
1017 sc->sc_maxcount = 254;
1018 sc->sc_if.if_mtu = sizeof(struct pfsync_header) +
1019 sc->sc_maxcount * sizeof(struct pfsync_state);
1020}
1021
1022struct mbuf *
1023pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp)
1024{
1025 struct pfsync_header *h;
1026 struct mbuf *m;
1027 int len;
1028
1029#ifdef __FreeBSD__
1030 PF_ASSERT(MA_OWNED);
1031#endif
1032 MGETHDR(m, M_DONTWAIT, MT_DATA);
1033 if (m == NULL) {
1034 sc->sc_if.if_oerrors++;
1035 return (NULL);
1036 }
1037
1038 switch (action) {
1039 case PFSYNC_ACT_CLR:
1040 len = sizeof(struct pfsync_header) +
1041 sizeof(struct pfsync_state_clr);
1042 break;
1043 case PFSYNC_ACT_UPD_C:
1044 len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd)) +
1045 sizeof(struct pfsync_header);
1046 break;
1047 case PFSYNC_ACT_DEL_C:
1048 len = (sc->sc_maxcount * sizeof(struct pfsync_state_del)) +
1049 sizeof(struct pfsync_header);
1050 break;
1051 case PFSYNC_ACT_UREQ:
1052 len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd_req)) +
1053 sizeof(struct pfsync_header);
1054 break;
1055 case PFSYNC_ACT_BUS:
1056 len = sizeof(struct pfsync_header) +
1057 sizeof(struct pfsync_state_bus);
1058 break;
1059 default:
1060 len = (sc->sc_maxcount * sizeof(struct pfsync_state)) +
1061 sizeof(struct pfsync_header);
1062 break;
1063 }
1064
1065 if (len > MHLEN) {
1066 MCLGET(m, M_DONTWAIT);
1067 if ((m->m_flags & M_EXT) == 0) {
1068 m_free(m);
1069 sc->sc_if.if_oerrors++;
1070 return (NULL);
1071 }
1072 m->m_data += (MCLBYTES - len) &~ (sizeof(long) - 1);
1073 } else
1074 MH_ALIGN(m, len);
1075
1076 m->m_pkthdr.rcvif = NULL;
1077 m->m_pkthdr.len = m->m_len = sizeof(struct pfsync_header);
1078 h = mtod(m, struct pfsync_header *);
1079 h->version = PFSYNC_VERSION;
1080 h->af = 0;
1081 h->count = 0;
1082 h->action = action;
1083
1084 *sp = (void *)((char *)h + PFSYNC_HDRLEN);
1085#ifdef __FreeBSD__
1086 callout_reset(&sc->sc_tmo, hz, pfsync_timeout,
1087 LIST_FIRST(&pfsync_list));
1088#else
1089 timeout_add(&sc->sc_tmo, hz);
1090#endif
1091 return (m);
1092}
1093
1094int
1095pfsync_pack_state(u_int8_t action, struct pf_state *st, int compress)
1096{
1097#ifdef __FreeBSD__
1098 struct ifnet *ifp = &(LIST_FIRST(&pfsync_list))->sc_if;
1099#else
1100 struct ifnet *ifp = &pfsyncif.sc_if;
1101#endif
1102 struct pfsync_softc *sc = ifp->if_softc;
1103 struct pfsync_header *h, *h_net;
1104 struct pfsync_state *sp = NULL;
1105 struct pfsync_state_upd *up = NULL;
1106 struct pfsync_state_del *dp = NULL;
1107 struct pf_rule *r;
1108 u_long secs;
1109 int s, ret = 0;
1110 u_int8_t i = 255, newaction = 0;
1111
1112#ifdef __FreeBSD__
1113 PF_ASSERT(MA_OWNED);
1114#endif
1115 /*
1116 * If a packet falls in the forest and there's nobody around to
1117 * hear, does it make a sound?
1118 */
1119 if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL) {
1120 /* Don't leave any stale pfsync packets hanging around. */
1121 if (sc->sc_mbuf != NULL) {
1122 m_freem(sc->sc_mbuf);
1123 sc->sc_mbuf = NULL;
1124 sc->sc_statep.s = NULL;
1125 }
1126 return (0);
1127 }
1128
1129 if (action >= PFSYNC_ACT_MAX)
1130 return (EINVAL);
1131
1132 s = splnet();
1133 if (sc->sc_mbuf == NULL) {
1134 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
1135 (void *)&sc->sc_statep.s)) == NULL) {
1136 splx(s);
1137 return (ENOMEM);
1138 }
1139 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1140 } else {
1141 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1142 if (h->action != action) {
1143 pfsync_sendout(sc);
1144 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
1145 (void *)&sc->sc_statep.s)) == NULL) {
1146 splx(s);
1147 return (ENOMEM);
1148 }
1149 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1150 } else {
1151 /*
1152 * If it's an update, look in the packet to see if
1153 * we already have an update for the state.
1154 */
1155 if (action == PFSYNC_ACT_UPD && sc->sc_maxupdates) {
1156 struct pfsync_state *usp =
1157 (void *)((char *)h + PFSYNC_HDRLEN);
1158
1159 for (i = 0; i < h->count; i++) {
1160 if (!memcmp(usp->id, &st->id,
1161 PFSYNC_ID_LEN) &&
1162 usp->creatorid == st->creatorid) {
1163 sp = usp;
1164 sp->updates++;
1165 break;
1166 }
1167 usp++;
1168 }
1169 }
1170 }
1171 }
1172
1173#ifdef __FreeBSD__
1174 secs = time_second;
1175
1176 st->pfsync_time = time_uptime;
1177#else
1178 secs = time.tv_sec;
1179
1180 st->pfsync_time = mono_time.tv_sec;
1181#endif
1182 TAILQ_REMOVE(&state_updates, st, u.s.entry_updates);
1183 TAILQ_INSERT_TAIL(&state_updates, st, u.s.entry_updates);
1184
1185 if (sp == NULL) {
1186 /* not a "duplicate" update */
1187 i = 255;
1188 sp = sc->sc_statep.s++;
1189 sc->sc_mbuf->m_pkthdr.len =
1190 sc->sc_mbuf->m_len += sizeof(struct pfsync_state);
1191 h->count++;
1192 bzero(sp, sizeof(*sp));
1193
1194 bcopy(&st->id, sp->id, sizeof(sp->id));
1195 sp->creatorid = st->creatorid;
1196
1197 strlcpy(sp->ifname, st->u.s.kif->pfik_name, sizeof(sp->ifname));
1198 pf_state_host_hton(&st->lan, &sp->lan);
1199 pf_state_host_hton(&st->gwy, &sp->gwy);
1200 pf_state_host_hton(&st->ext, &sp->ext);
1201
1202 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
1203
1204 sp->creation = htonl(secs - st->creation);
1205 sp->packets[0] = htonl(st->packets[0]);
1206 sp->packets[1] = htonl(st->packets[1]);
1207 sp->bytes[0] = htonl(st->bytes[0]);
1208 sp->bytes[1] = htonl(st->bytes[1]);
1209 if ((r = st->rule.ptr) == NULL)
1210 sp->rule = htonl(-1);
1211 else
1212 sp->rule = htonl(r->nr);
1213 if ((r = st->anchor.ptr) == NULL)
1214 sp->anchor = htonl(-1);
1215 else
1216 sp->anchor = htonl(r->nr);
1217 sp->af = st->af;
1218 sp->proto = st->proto;
1219 sp->direction = st->direction;
1220 sp->log = st->log;
1221 sp->allow_opts = st->allow_opts;
1222 sp->timeout = st->timeout;
1223
1224 sp->sync_flags = st->sync_flags & PFSTATE_NOSYNC;
1225 }
1226
1227 pf_state_peer_hton(&st->src, &sp->src);
1228 pf_state_peer_hton(&st->dst, &sp->dst);
1229
1230 if (st->expire <= secs)
1231 sp->expire = htonl(0);
1232 else
1233 sp->expire = htonl(st->expire - secs);
1234
1235 /* do we need to build "compressed" actions for network transfer? */
1236 if (sc->sc_sync_ifp && compress) {
1237 switch (action) {
1238 case PFSYNC_ACT_UPD:
1239 newaction = PFSYNC_ACT_UPD_C;
1240 break;
1241 case PFSYNC_ACT_DEL:
1242 newaction = PFSYNC_ACT_DEL_C;
1243 break;
1244 default:
1245 /* by default we just send the uncompressed states */
1246 break;
1247 }
1248 }
1249
1250 if (newaction) {
1251 if (sc->sc_mbuf_net == NULL) {
1252 if ((sc->sc_mbuf_net = pfsync_get_mbuf(sc, newaction,
1253 (void *)&sc->sc_statep_net.s)) == NULL) {
1254 splx(s);
1255 return (ENOMEM);
1256 }
1257 }
1258 h_net = mtod(sc->sc_mbuf_net, struct pfsync_header *);
1259
1260 switch (newaction) {
1261 case PFSYNC_ACT_UPD_C:
1262 if (i != 255) {
1263 up = (void *)((char *)h_net +
1264 PFSYNC_HDRLEN + (i * sizeof(*up)));
1265 up->updates++;
1266 } else {
1267 h_net->count++;
1268 sc->sc_mbuf_net->m_pkthdr.len =
1269 sc->sc_mbuf_net->m_len += sizeof(*up);
1270 up = sc->sc_statep_net.u++;
1271
1272 bzero(up, sizeof(*up));
1273 bcopy(&st->id, up->id, sizeof(up->id));
1274 up->creatorid = st->creatorid;
1275 }
1276 up->timeout = st->timeout;
1277 up->expire = sp->expire;
1278 up->src = sp->src;
1279 up->dst = sp->dst;
1280 break;
1281 case PFSYNC_ACT_DEL_C:
1282 sc->sc_mbuf_net->m_pkthdr.len =
1283 sc->sc_mbuf_net->m_len += sizeof(*dp);
1284 dp = sc->sc_statep_net.d++;
1285 h_net->count++;
1286
1287 bzero(dp, sizeof(*dp));
1288 bcopy(&st->id, dp->id, sizeof(dp->id));
1289 dp->creatorid = st->creatorid;
1290 break;
1291 }
1292 }
1293
1294 if (h->count == sc->sc_maxcount ||
1295 (sc->sc_maxupdates && (sp->updates >= sc->sc_maxupdates)))
1296 ret = pfsync_sendout(sc);
1297
1298 splx(s);
1299 return (ret);
1300}
1301
1302/* This must be called in splnet() */
1303int
1304pfsync_request_update(struct pfsync_state_upd *up, struct in_addr *src)
1305{
1306#ifdef __FreeBSD__
1307 struct ifnet *ifp = &(LIST_FIRST(&pfsync_list))->sc_if;
1308#else
1309 struct ifnet *ifp = &pfsyncif.sc_if;
1310#endif
1311 struct pfsync_header *h;
1312 struct pfsync_softc *sc = ifp->if_softc;
1313 struct pfsync_state_upd_req *rup;
1314 int s, ret = 0; /* make the compiler happy */
1315
1316#ifdef __FreeBSD__
1317 PF_ASSERT(MA_OWNED);
1318#endif
1319 if (sc->sc_mbuf == NULL) {
1320 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
1321 (void *)&sc->sc_statep.s)) == NULL) {
1322 splx(s);
1323 return (ENOMEM);
1324 }
1325 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1326 } else {
1327 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1328 if (h->action != PFSYNC_ACT_UREQ) {
1329 pfsync_sendout(sc);
1330 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
1331 (void *)&sc->sc_statep.s)) == NULL) {
1332 splx(s);
1333 return (ENOMEM);
1334 }
1335 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1336 }
1337 }
1338
1339 if (src != NULL)
1340 sc->sc_sendaddr = *src;
1341 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*rup);
1342 h->count++;
1343 rup = sc->sc_statep.r++;
1344 bzero(rup, sizeof(*rup));
1345 if (up != NULL) {
1346 bcopy(up->id, rup->id, sizeof(rup->id));
1347 rup->creatorid = up->creatorid;
1348 }
1349
1350 if (h->count == sc->sc_maxcount)
1351 ret = pfsync_sendout(sc);
1352
1353 return (ret);
1354}
1355
1356int
1357pfsync_clear_states(u_int32_t creatorid, char *ifname)
1358{
1359#ifdef __FreeBSD__
1360 struct ifnet *ifp = &(LIST_FIRST(&pfsync_list))->sc_if;
1361#else
1362 struct ifnet *ifp = &pfsyncif.sc_if;
1363#endif
1364 struct pfsync_softc *sc = ifp->if_softc;
1365 struct pfsync_state_clr *cp;
1366 int s, ret;
1367
1368 s = splnet();
1369#ifdef __FreeBSD__
1370 PF_ASSERT(MA_OWNED);
1371#endif
1372 if (sc->sc_mbuf != NULL)
1373 pfsync_sendout(sc);
1374 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_CLR,
1375 (void *)&sc->sc_statep.c)) == NULL) {
1376 splx(s);
1377 return (ENOMEM);
1378 }
1379 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*cp);
1380 cp = sc->sc_statep.c;
1381 cp->creatorid = creatorid;
1382 if (ifname != NULL)
1383 strlcpy(cp->ifname, ifname, IFNAMSIZ);
1384
1385 ret = (pfsync_sendout(sc));
1386 splx(s);
1387 return (ret);
1388}
1389
1390void
1391pfsync_timeout(void *v)
1392{
1393 struct pfsync_softc *sc = v;
1394 int s;
1395
1396 s = splnet();
1397#ifdef __FreeBSD__
1398 PF_LOCK();
1399#endif
1400 pfsync_sendout(sc);
1401#ifdef __FreeBSD__
1402 PF_UNLOCK();
1403#endif
1404 splx(s);
1405}
1406
1407void
1408pfsync_send_bus(struct pfsync_softc *sc, u_int8_t status)
1409{
1410 struct pfsync_state_bus *bus;
1411
1412#ifdef __FreeBSD__
1413 PF_ASSERT(MA_OWNED);
1414#endif
1415 if (sc->sc_mbuf != NULL)
1416 pfsync_sendout(sc);
1417
1418 if (pfsync_sync_ok &&
1419 (sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_BUS,
1420 (void *)&sc->sc_statep.b)) != NULL) {
1421 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*bus);
1422 bus = sc->sc_statep.b;
1423 bus->creatorid = pf_status.hostid;
1424 bus->status = status;
1425#ifdef __FreeBSD__
1426 bus->endtime = htonl(time_uptime - sc->sc_ureq_received);
1427#else
1428 bus->endtime = htonl(mono_time.tv_sec - sc->sc_ureq_received);
1429#endif
1430 pfsync_sendout(sc);
1431 }
1432}
1433
1434void
1435pfsync_bulk_update(void *v)
1436{
1437 struct pfsync_softc *sc = v;
1438 int s, i = 0;
1439 struct pf_state *state;
1440
1441#ifdef __FreeBSD__
1442 PF_LOCK();
1443#endif
1444 s = splnet();
1445 if (sc->sc_mbuf != NULL)
1446 pfsync_sendout(sc);
1447
1448 /*
1449 * Grab at most PFSYNC_BULKPACKETS worth of states which have not
1450 * been sent since the latest request was made.
1451 */
1452 while ((state = TAILQ_FIRST(&state_updates)) != NULL &&
1453 ++i < (sc->sc_maxcount * PFSYNC_BULKPACKETS)) {
1454 if (state->pfsync_time > sc->sc_ureq_received) {
1455 /* we're done */
1456 pfsync_send_bus(sc, PFSYNC_BUS_END);
1457 sc->sc_ureq_received = 0;
1458#ifdef __FreeBSD__
1459 callout_stop(&sc->sc_bulk_tmo);
1460#else
1461 timeout_del(&sc->sc_bulk_tmo);
1462#endif
1463 if (pf_status.debug >= PF_DEBUG_MISC)
1464 printf("pfsync: bulk update complete\n");
1465 break;
1466 } else {
1467 /* send an update and move to end of list */
1468 if (!state->sync_flags)
1469 pfsync_pack_state(PFSYNC_ACT_UPD, state, 0);
1470#ifdef __FreeBSD__
1471 state->pfsync_time = time_uptime;
1472#else
1473 state->pfsync_time = mono_time.tv_sec;
1474#endif
1475 TAILQ_REMOVE(&state_updates, state, u.s.entry_updates);
1476 TAILQ_INSERT_TAIL(&state_updates, state,
1477 u.s.entry_updates);
1478
1479 /* look again for more in a bit */
1480#ifdef __FreeBSD__
1481 callout_reset(&sc->sc_bulk_tmo, 1, pfsync_timeout,
1482 LIST_FIRST(&pfsync_list));
1483#else
1484 timeout_add(&sc->sc_bulk_tmo, 1);
1485#endif
1486 }
1487 }
1488 if (sc->sc_mbuf != NULL)
1489 pfsync_sendout(sc);
1490 splx(s);
1491#ifdef __FreeBSD__
1492 PF_UNLOCK();
1493#endif
1494}
1495
1496void
1497pfsync_bulkfail(void *v)
1498{
1499 struct pfsync_softc *sc = v;
1500
1501#ifdef __FreeBSD__
1502 PF_LOCK();
1503#endif
1504 if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) {
1505 /* Try again in a bit */
1506#ifdef __FreeBSD__
1507 callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, pfsync_bulkfail,
1508 LIST_FIRST(&pfsync_list));
1509#else
1510 timeout_add(&sc->sc_bulkfail_tmo, 5 * hz);
1511#endif
1512 pfsync_request_update(NULL, NULL);
1513 pfsync_sendout(sc);
1514 } else {
1515 /* Pretend like the transfer was ok */
1516 sc->sc_ureq_sent = 0;
1517 sc->sc_bulk_tries = 0;
1518 pfsync_sync_ok = 1;
1519 if (pf_status.debug >= PF_DEBUG_MISC)
1520 printf("pfsync: failed to receive "
1521 "bulk update status\n");
1522#ifdef __FreeBSD__
1523 callout_stop(&sc->sc_bulkfail_tmo);
1524#else
1525 timeout_del(&sc->sc_bulkfail_tmo);
1526#endif
1527 }
1528#ifdef __FreeBSD__
1529 PF_UNLOCK();
1530#endif
1531}
1532
1533int
1534pfsync_sendout(sc)
1535 struct pfsync_softc *sc;
1536{
1537 struct ifnet *ifp = &sc->sc_if;
1538 struct mbuf *m;
1539
1540#ifdef __FreeBSD__
1541 PF_ASSERT(MA_OWNED);
1542 callout_stop(&sc->sc_tmo);
1543#else
1544 timeout_del(&sc->sc_tmo);
1545#endif
1546
1547 if (sc->sc_mbuf == NULL)
1548 return (0);
1549 m = sc->sc_mbuf;
1550 sc->sc_mbuf = NULL;
1551 sc->sc_statep.s = NULL;
1552
1553#ifdef __FreeBSD__
1554 KASSERT(m != NULL, ("pfsync_sendout: null mbuf"));
1555#endif
1556#if NBPFILTER > 0
1557 if (ifp->if_bpf)
1558 bpf_mtap(ifp->if_bpf, m);
1559#endif
1560
1561 if (sc->sc_mbuf_net) {
1562 m_freem(m);
1563 m = sc->sc_mbuf_net;
1564 sc->sc_mbuf_net = NULL;
1565 sc->sc_statep_net.s = NULL;
1566 }
1567
1568 if (sc->sc_sync_ifp) {
1569 struct ip *ip;
1570 struct ifaddr *ifa;
1571 struct sockaddr sa;
1572
1573 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
1574 if (m == NULL) {
1575 pfsyncstats.pfsyncs_onomem++;
1576 return (0);
1577 }
1578 ip = mtod(m, struct ip *);
1579 ip->ip_v = IPVERSION;
1580 ip->ip_hl = sizeof(*ip) >> 2;
1581 ip->ip_tos = IPTOS_LOWDELAY;
1582#ifdef __FreeBSD__
1583 ip->ip_len = m->m_pkthdr.len;
1584#else
1585 ip->ip_len = htons(m->m_pkthdr.len);
1586#endif
1587 ip->ip_id = htons(ip_randomid());
1588#ifdef __FreeBSD__
1589 ip->ip_off = IP_DF;
1590#else
1591 ip->ip_off = htons(IP_DF);
1592#endif
1593 ip->ip_ttl = PFSYNC_DFLTTL;
1594 ip->ip_p = IPPROTO_PFSYNC;
1595 ip->ip_sum = 0;
1596
1597 bzero(&sa, sizeof(sa));
1598 sa.sa_family = AF_INET;
1599 ifa = ifaof_ifpforaddr(&sa, sc->sc_sync_ifp);
1600 if (ifa == NULL)
1601 return (0);
1602 ip->ip_src.s_addr = ifatoia(ifa)->ia_addr.sin_addr.s_addr;
1603
1604#ifdef __FreeBSD__
1605 if (sc->sc_sendaddr.s_addr == htonl(INADDR_PFSYNC_GROUP))
1606#else
1607 if (sc->sc_sendaddr.s_addr == INADDR_PFSYNC_GROUP)
1608#endif
1609 m->m_flags |= M_MCAST;
1610 ip->ip_dst = sc->sc_sendaddr;
1611#ifdef __FreeBSD__
1612 sc->sc_sendaddr.s_addr = htonl(INADDR_PFSYNC_GROUP);
1613#else
1614 sc->sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP;
1615#endif
1616
1617 pfsyncstats.pfsyncs_opackets++;
1618
1619#ifdef __FreeBSD__
1620 PF_UNLOCK();
1621#endif
1622 if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))
1623 pfsyncstats.pfsyncs_oerrors++;
1624
1625#ifdef __FreeBSD__
1626 PF_LOCK();
1627#endif
1628 } else
1629 m_freem(m);
1630
1631 return (0);
1632}
1633
1634
1635#ifdef __FreeBSD__
1636static int
1637pfsync_modevent(module_t mod, int type, void *data)
1638{
1639 int error = 0;
1640
1641 switch (type) {
1642 case MOD_LOAD:
1643 LIST_INIT(&pfsync_list);
1644 if_clone_attach(&pfsync_cloner);
1645 break;
1646
1647 case MOD_UNLOAD:
1648 if_clone_detach(&pfsync_cloner);
1649 while (!LIST_EMPTY(&pfsync_list))
1650 pfsync_clone_destroy(
1651 &LIST_FIRST(&pfsync_list)->sc_if);
1652 break;
1653
1654 default:
1655 error = EINVAL;
1656 break;
1657 }
1658
1659 return error;
1660}
1661
1662static moduledata_t pfsync_mod = {
1663 "pfsync",
1664 pfsync_modevent,
1665 0
1666};
1667
1668#define PFSYNC_MODVER 1
1669
1670DECLARE_MODULE(pfsync, pfsync_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
1671MODULE_VERSION(pfsync, PFSYNC_MODVER);
1672#endif /* __FreeBSD__ */