/*	$OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $	*/

/*
 * Copyright (c) 2001 Michael Shalayeff
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * pfsync(4): wire format, action codes, statistics and ioctl configuration
 * for the pf state synchronisation protocol.
 *
 * Every struct in the on-the-wire section below is __packed and carries its
 * own explicit _pad fields, so the layout is identical on every architecture.
 * Any change to one of those structs is a protocol change and must go with a
 * bump of PFSYNC_VERSION.
 */

#ifndef _NET_IF_PFSYNC_H_
#define _NET_IF_PFSYNC_H_

/* Protocol version carried in pfsync_header.version. */
#define PFSYNC_VERSION		5
/*
 * IP TTL for pfsync frames.  255 is the largest possible TTL, so a frame
 * that still carries it has not crossed a router; a receiver counts frames
 * arriving with any other TTL in pfsyncs_badttl.
 */
#define PFSYNC_DFLTTL		255

/*
 * Action codes for pfsync_subheader.action.  The records following a
 * subheader have the layout of the struct named after the action below
 * (INS, UPD and DEL use struct pfsync_state from pfvar.h).  Codes at or
 * above PFSYNC_ACT_MAX are not valid; pfsyncs_badact counts rejected ones.
 */
#define PFSYNC_ACT_CLR		0	/* clear all states */
#define PFSYNC_ACT_INS		1	/* insert state */
#define PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define PFSYNC_ACT_UPD		3	/* update state */
#define PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define PFSYNC_ACT_DEL		6	/* delete state */
#define PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define PFSYNC_ACT_INS_F	8	/* insert fragment */
#define PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define PFSYNC_ACT_BUS		10	/* bulk update status */
#define PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define PFSYNC_ACT_EOF		12	/* end of frame */
#define PFSYNC_ACT_MAX		13

/*
 * Printable names for the action codes, indexed by PFSYNC_ACT_*.  Keep this
 * list in step with the defines above: it has exactly PFSYNC_ACT_MAX (13)
 * entries.
 */
#define PFSYNC_ACTIONS \
	"CLR ST", \
	"INS ST", \
	"INS ST ACK", \
	"UPD ST", \
	"UPD ST COMP", \
	"UPD ST REQ", \
	"DEL ST", \
	"DEL ST COMP", \
	"INS FR", \
	"DEL FR", \
	"BULK UPD STAT", \
	"TDB UPD", \
	"EOF"

/*
 * Size of the HMAC that terminates every frame (struct pfsync_eof).  20
 * bytes is the size of a SHA-1 digest; the MAC algorithm and the key it
 * uses are defined by the implementation, not by this header.
 */
#define PFSYNC_HMAC_LEN		20

/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * | ...                        |
 * | IP header                  |
 * +============================+
 * | pfsync_header              |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | first action fields        |
 * | ...                        |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | second action fields       |
 * | ...                        |
 * +----------------------------+
 * | EOF pfsync_subheader       |
 * +----------------------------+
 * | HMAC                       |
 * +============================+
 */

/*
 * Frame header
 */

struct pfsync_header {
	u_int8_t			version;	/* PFSYNC_VERSION; see pfsyncs_badver */
	u_int8_t			_pad;
	u_int16_t			len;		/* frame length; see pfsyncs_hdrops/badlen */
	/*
	 * NOTE(review): named after pf's checksum and sized for an MD5 digest;
	 * presumably the sender's pf ruleset checksum -- confirm against the
	 * implementation before relying on it.
	 */
	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
} __packed;

/*
 * Frame region subheader
 */

struct pfsync_subheader {
	u_int8_t			action;		/* PFSYNC_ACT_* */
	u_int8_t			_pad;
	u_int16_t			count;		/* number of action records that follow */
} __packed;

/*
 * CLR
 */

struct pfsync_clr {
	char				ifname[IFNAMSIZ];
	u_int32_t			creatorid;
} __packed;

/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */

/*
 * INS_ACK
 */

/* A state is identified on the wire by its id together with its creatorid. */
struct pfsync_ins_ack {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * UPD_C
 */

/* "Compressed" update: only the per-peer state and expiry, not the full
 * struct pfsync_state. */
struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	u_int8_t			timeout;
	u_int8_t			_pad[3];
} __packed;

/*
 * UPD_REQ
 */

struct pfsync_upd_req {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * DEL_C
 */

struct pfsync_del_c {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * INS_F, DEL_F
 */

/* not implemented (yet) */

/*
 * BUS
 */

struct pfsync_bus {
	u_int32_t			creatorid;
	u_int32_t			endtime;
	u_int8_t			status;		/* PFSYNC_BUS_START or PFSYNC_BUS_END */
#define PFSYNC_BUS_START			1
#define PFSYNC_BUS_END				2
	u_int8_t			_pad[3];
} __packed;

/*
 * TDB
 */

struct pfsync_tdb {
	u_int32_t			spi;
	union sockaddr_union		dst;
	u_int32_t			rpl;		/* replay counter */
	u_int64_t			cur_bytes;
	u_int8_t			sproto;
	u_int8_t			updates;
	u_int8_t			_pad[2];
} __packed;

/*
 * EOF
 */

/* Payload of the terminating EOF subheader: the frame's HMAC. */
struct pfsync_eof {
	u_int8_t			hmac[PFSYNC_HMAC_LEN];
} __packed;

#define PFSYNC_HDRLEN		sizeof(struct pfsync_header)



/*
 * Names for PFSYNC sysctl objects
 */
#define	PFSYNCCTL_STATS		1	/* PFSYNC stats */
#define	PFSYNCCTL_MAXID		2

#define	PFSYNCCTL_NAMES { \
	{ 0, 0 }, \
	{ "stats", CTLTYPE_STRUCT }, \
}

/*
 * Statistics exported through the PFSYNCCTL_STATS sysctl.  The pfsyncs_bad*
 * counters are the receiver's rejections of frames that failed a check
 * (wrong interface, TTL, version, action, length or authentication).  They
 * are the natural thing to monitor: a rise in them most likely means a
 * misconfigured peer or frames from a host that is not the configured peer.
 */
struct pfsyncstats {
	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
	u_int64_t	pfsyncs_badif;		/* not the right interface */
	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
	u_int64_t	pfsyncs_badact;		/* bad action */
	u_int64_t	pfsyncs_badlen;		/* data length does not match */
	u_int64_t	pfsyncs_badauth;	/* bad authentication */
	u_int64_t	pfsyncs_stale;		/* stale state */
	u_int64_t	pfsyncs_badval;		/* bad values */
	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */

	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
	u_int64_t	pfsyncs_oerrors;	/* ip output error */
};

/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 */
struct pfsyncreq {
	char		 pfsyncr_syncdev[IFNAMSIZ];	/* interface frames are sent on; see pfsyncs_badif */
	struct in_addr	 pfsyncr_syncpeer;		/* peer address (IPv4 only) */
	int		 pfsyncr_maxupdates;		/* presumably updates coalesced per state -- confirm */
	int		 pfsyncr_authlevel;		/* authentication level; values not defined here */
};

/* FreeBSD defines the ioctl numbers here; OpenBSD gets them from elsewhere. */
#ifdef __FreeBSD__
#define	SIOCSETPFSYNC	_IOW('i', 247, struct ifreq)
#define	SIOCGETPFSYNC	_IOWR('i', 248, struct ifreq)
#endif

#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 * PFSYNC_S_INS..PFSYNC_S_DEL are the PFSYNC_S_COUNT queue values;
 * PFSYNC_S_DEFER and PFSYNC_S_NONE are sentinels outside that range.
 */
#define PFSYNC_S_INS	0x00
#define PFSYNC_S_IACK	0x01
#define PFSYNC_S_UPD	0x02
#define PFSYNC_S_UPD_C	0x03
#define PFSYNC_S_DEL	0x04
#define PFSYNC_S_COUNT	0x05

#define PFSYNC_S_DEFER	0xfe
#define PFSYNC_S_NONE	0xff

/* Input path for received pfsync frames (the FreeBSD port takes an unused int). */
#ifdef __FreeBSD__
void			pfsync_input(struct mbuf *, __unused int);
#else
void			pfsync_input(struct mbuf *, ...);
#endif
/* sysctl handler for the PFSYNCCTL_* nodes. */
int			pfsync_sysctl(int *, u_int, void *, size_t *,
			    void *, size_t);

/* Flags for the u_int8_t argument of pfsync_state_import(). */
#define	PFSYNC_SI_IOCTL		0x01
#define	PFSYNC_SI_CKSUM		0x02
#define	PFSYNC_SI_ACK		0x04
int			pfsync_state_import(struct pfsync_state *, u_int8_t);
#ifndef __FreeBSD__
void			pfsync_state_export(struct pfsync_state *,
			    struct pf_state *);
#endif

/* Hooks pf calls when a state is created, changed, removed or cleared. */
void			pfsync_insert_state(struct pf_state *);
void			pfsync_update_state(struct pf_state *);
void			pfsync_delete_state(struct pf_state *);
void			pfsync_clear_states(u_int32_t, const char *);

#ifdef notyet
void			pfsync_update_tdb(struct tdb *, int);
void			pfsync_delete_tdb(struct tdb *);
#endif

/* Presumably pairs with PFSYNC_S_DEFER: holds a packet until its state has been synced -- confirm. */
int			pfsync_defer(struct pf_state *, struct mbuf *);

int			pfsync_up(void);
int			pfsync_state_in_use(struct pf_state *);
#endif

#endif /* _NET_IF_PFSYNC_H_ */