1/*	$OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $	*/
2
3/*
4 * Copyright (c) 2001 Michael Shalayeff
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
20 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
26 * THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29/*
30 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
31 *
32 * Permission to use, copy, modify, and distribute this software for any
33 * purpose with or without fee is hereby granted, provided that the above
34 * copyright notice and this permission notice appear in all copies.
35 *
36 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
37 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
38 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
39 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
40 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
41 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
42 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
43 */
44
45#ifndef _NET_IF_PFSYNC_H_
46#define	_NET_IF_PFSYNC_H_
47
48#define	PFSYNC_VERSION		5
49#define	PFSYNC_DFLTTL		255
50
51#define	PFSYNC_ACT_CLR		0	/* clear all states */
52#define	PFSYNC_ACT_INS		1	/* insert state */
53#define	PFSYNC_ACT_INS_ACK	2	/* ack of insterted state */
54#define	PFSYNC_ACT_UPD		3	/* update state */
55#define	PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
56#define	PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
57#define	PFSYNC_ACT_DEL		6	/* delete state */
58#define	PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
59#define	PFSYNC_ACT_INS_F	8	/* insert fragment */
60#define	PFSYNC_ACT_DEL_F	9	/* delete fragments */
61#define	PFSYNC_ACT_BUS		10	/* bulk update status */
62#define	PFSYNC_ACT_TDB		11	/* TDB replay counter update */
63#define	PFSYNC_ACT_EOF		12	/* end of frame */
64#define	PFSYNC_ACT_MAX		13
65
66#define	PFSYNC_ACTIONS		"CLR ST",		\
67				"INS ST",		\
68				"INS ST ACK",		\
69				"UPD ST",		\
70				"UPD ST COMP",		\
71				"UPD ST REQ",		\
72				"DEL ST",		\
73				"DEL ST COMP",		\
74				"INS FR",		\
75				"DEL FR",		\
76				"BULK UPD STAT",	\
77				"TDB UPD",		\
78				"EOF"
79
80#define	PFSYNC_HMAC_LEN	20
81
82/*
83 * A pfsync frame is built from a header followed by several sections which
84 * are all prefixed with their own subheaders. Frames must be terminated with
85 * an EOF subheader.
86 *
87 * | ...			|
88 * | IP header			|
89 * +============================+
90 * | pfsync_header		|
91 * +----------------------------+
92 * | pfsync_subheader		|
93 * +----------------------------+
94 * | first action fields	|
95 * | ...			|
96 * +----------------------------+
97 * | pfsync_subheader		|
98 * +----------------------------+
99 * | second action fields	|
100 * | ...			|
101 * +----------------------------+
102 * | EOF pfsync_subheader	|
103 * +----------------------------+
104 * | HMAC			|
105 * +============================+
106 */
107
108/*
109 * Frame header
110 */
111
112struct pfsync_header {
113	u_int8_t			version;
114	u_int8_t			_pad;
115	u_int16_t			len;
116	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
117} __packed;
118
119/*
120 * Frame region subheader
121 */
122
123struct pfsync_subheader {
124	u_int8_t			action;
125	u_int8_t			_pad;
126	u_int16_t			count;
127} __packed;
128
129/*
130 * CLR
131 */
132
133struct pfsync_clr {
134	char				ifname[IFNAMSIZ];
135	u_int32_t			creatorid;
136} __packed;
137
138/*
139 * INS, UPD, DEL
140 */
141
142/* these use struct pfsync_state in pfvar.h */
143
144/*
145 * INS_ACK
146 */
147
148struct pfsync_ins_ack {
149	u_int64_t			id;
150	u_int32_t			creatorid;
151} __packed;
152
153/*
154 * UPD_C
155 */
156
157struct pfsync_upd_c {
158	u_int64_t			id;
159	struct pfsync_state_peer	src;
160	struct pfsync_state_peer	dst;
161	u_int32_t			creatorid;
162	u_int32_t			expire;
163	u_int8_t			timeout;
164	u_int8_t			_pad[3];
165} __packed;
166
167/*
168 * UPD_REQ
169 */
170
171struct pfsync_upd_req {
172	u_int64_t			id;
173	u_int32_t			creatorid;
174} __packed;
175
176/*
177 * DEL_C
178 */
179
180struct pfsync_del_c {
181	u_int64_t			id;
182	u_int32_t			creatorid;
183} __packed;
184
185/*
186 * INS_F, DEL_F
187 */
188
189/* not implemented (yet) */
190
191/*
192 * BUS
193 */
194
195struct pfsync_bus {
196	u_int32_t			creatorid;
197	u_int32_t			endtime;
198	u_int8_t			status;
199#define	PFSYNC_BUS_START			1
200#define	PFSYNC_BUS_END				2
201	u_int8_t			_pad[3];
202} __packed;
203
204/*
205 * TDB
206 */
207
208struct pfsync_tdb {
209	u_int32_t			spi;
210	union sockaddr_union		dst;
211	u_int32_t			rpl;
212	u_int64_t			cur_bytes;
213	u_int8_t			sproto;
214	u_int8_t			updates;
215	u_int8_t			_pad[2];
216} __packed;
217
218/*
219 * EOF
220 */
221
222struct pfsync_eof {
223	u_int8_t			hmac[PFSYNC_HMAC_LEN];
224} __packed;
225
226#define	PFSYNC_HDRLEN		sizeof(struct pfsync_header)
227
228
229
230/*
231 * Names for PFSYNC sysctl objects
232 */
233#define	PFSYNCCTL_STATS		1	/* PFSYNC stats */
234#define	PFSYNCCTL_MAXID		2
235
236#define	PFSYNCCTL_NAMES { \
237	{ 0, 0 }, \
238	{ "stats", CTLTYPE_STRUCT }, \
239}
240
241struct pfsyncstats {
242	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
243	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
244	u_int64_t	pfsyncs_badif;		/* not the right interface */
245	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
246	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
247	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
248	u_int64_t	pfsyncs_badact;		/* bad action */
249	u_int64_t	pfsyncs_badlen;		/* data length does not match */
250	u_int64_t	pfsyncs_badauth;	/* bad authentication */
251	u_int64_t	pfsyncs_stale;		/* stale state */
252	u_int64_t	pfsyncs_badval;		/* bad values */
253	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */
254
255	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
256	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
257	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
258	u_int64_t	pfsyncs_oerrors;	/* ip output error */
259};
260
261/*
262 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
263 */
264struct pfsyncreq {
265	char		 pfsyncr_syncdev[IFNAMSIZ];
266	struct in_addr	 pfsyncr_syncpeer;
267	int		 pfsyncr_maxupdates;
268	int		 pfsyncr_authlevel;
269};
270
271#ifdef __FreeBSD__
272#define	SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
273#define	SIOCGETPFSYNC   _IOWR('i', 248, struct ifreq)
274#endif
275
276#ifdef _KERNEL
277
278/*
279 * this shows where a pf state is with respect to the syncing.
280 */
281#define	PFSYNC_S_INS	0x00
282#define	PFSYNC_S_IACK	0x01
283#define	PFSYNC_S_UPD	0x02
284#define	PFSYNC_S_UPD_C	0x03
285#define	PFSYNC_S_DEL	0x04
286#define	PFSYNC_S_COUNT	0x05
287
288#define	PFSYNC_S_DEFER	0xfe
289#define	PFSYNC_S_NONE	0xff
290
291#ifdef __FreeBSD__
292void			pfsync_input(struct mbuf *, __unused int);
293#else
294void			pfsync_input(struct mbuf *, ...);
295#endif
296int			pfsync_sysctl(int *, u_int,  void *, size_t *,
297			    void *, size_t);
298
299#define	PFSYNC_SI_IOCTL		0x01
300#define	PFSYNC_SI_CKSUM		0x02
301#define	PFSYNC_SI_ACK		0x04
302int			pfsync_state_import(struct pfsync_state *, u_int8_t);
303#ifndef __FreeBSD__
304void			pfsync_state_export(struct pfsync_state *,
305			    struct pf_state *);
306#endif
307
308void			pfsync_insert_state(struct pf_state *);
309void			pfsync_update_state(struct pf_state *);
310void			pfsync_delete_state(struct pf_state *);
311void			pfsync_clear_states(u_int32_t, const char *);
312
313#ifdef notyet
314void			pfsync_update_tdb(struct tdb *, int);
315void			pfsync_delete_tdb(struct tdb *);
316#endif
317
318int			pfsync_defer(struct pf_state *, struct mbuf *);
319
320int			pfsync_up(void);
321int			pfsync_state_in_use(struct pf_state *);
322#endif
323
324#endif /* _NET_IF_PFSYNC_H_ */
325