/* $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $ */

/*
 * Copyright (c) 2001 Michael Shalayeff
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * if_pfsync.h: on-the-wire frame layout, action codes, interface
 * statistics and the ioctl/sysctl/kernel interface of pfsync, the
 * protocol that replicates pf state-table entries between firewalls.
 *
 * Every struct marked __packed below is a wire format: field order,
 * widths and the explicit _pad members are part of the protocol, so
 * changing any of them changes what peers see on the network and would
 * require a new PFSYNC_VERSION.
 *
 * NOTE(review): the byte order of the multi-byte fields is not stated in
 * this header; they are presumably carried in network byte order --
 * confirm against the packing/unpacking code in if_pfsync.c.
 */

#ifndef _NET_IF_PFSYNC_H_
#define _NET_IF_PFSYNC_H_

/* Protocol version carried in pfsync_header.version. */
#define PFSYNC_VERSION		5

/*
 * Expected IP TTL of a pfsync frame; frames with any other TTL are
 * counted in pfsyncs_badttl.  Presumably chosen as 255 so that a frame
 * which has crossed a router (and had its TTL decremented) is rejected --
 * confirm in if_pfsync.c.
 */
#define PFSYNC_DFLTTL		255

/* Action codes carried in pfsync_subheader.action. */
#define PFSYNC_ACT_CLR		0	/* clear all states */
#define PFSYNC_ACT_INS		1	/* insert state */
#define PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define PFSYNC_ACT_UPD		3	/* update state */
#define PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define PFSYNC_ACT_DEL		6	/* delete state */
#define PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define PFSYNC_ACT_INS_F	8	/* insert fragment */
#define PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define PFSYNC_ACT_BUS		10	/* bulk update status */
#define PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define PFSYNC_ACT_EOF		12	/* end of frame */
#define PFSYNC_ACT_MAX		13	/* one past the last valid action code */

/*
 * Printable names for the action codes, indexed by PFSYNC_ACT_*.
 * Keep in step with the list above: exactly PFSYNC_ACT_MAX entries.
 */
#define PFSYNC_ACTIONS \
	"CLR ST",		\
	"INS ST",		\
	"INS ST ACK",		\
	"UPD ST",		\
	"UPD ST COMP",		\
	"UPD ST REQ",		\
	"DEL ST",		\
	"DEL ST COMP",		\
	"INS FR",		\
	"DEL FR",		\
	"BULK UPD STAT",	\
	"TDB UPD",		\
	"EOF"

/*
 * Length in bytes of the HMAC that terminates every frame (see
 * struct pfsync_eof).  20 bytes is the size of a SHA-1 output; the
 * actual MAC algorithm is chosen by the implementation, not this header.
 */
#define PFSYNC_HMAC_LEN		20

/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * | ...                        |
 * | IP header                  |
 * +============================+
 * | pfsync_header              |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | first action fields        |
 * | ...                        |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | second action fields       |
 * | ...                        |
 * +----------------------------+
 * | EOF pfsync_subheader       |
 * +----------------------------+
 * | HMAC                       |
 * +============================+
 */

/*
 * Frame header
 */

struct pfsync_header {
	u_int8_t			version;	/* PFSYNC_VERSION; others -> pfsyncs_badver */
	u_int8_t			_pad;		/* explicit padding: keeps wire layout fixed */
	/*
	 * Frame length; a mismatch against the received data is counted in
	 * pfsyncs_badlen.  NOTE(review): whether this counts from the pfsync
	 * header or includes the IP header is not visible here -- confirm.
	 */
	u_int16_t			len;
	/*
	 * Presumably the MD5 digest of the sender's pf ruleset, letting a
	 * peer detect that it is syncing with a differently configured
	 * firewall -- confirm against if_pfsync.c.
	 */
	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
} __packed;

/*
 * Frame region subheader
 */

struct pfsync_subheader {
	u_int8_t			action;		/* PFSYNC_ACT_*; others -> pfsyncs_badact */
	u_int8_t			_pad;		/* explicit padding: keeps wire layout fixed */
	u_int16_t			count;		/* presumably number of records following; confirm */
} __packed;

/*
 * CLR
 */

struct pfsync_clr {
	char				ifname[IFNAMSIZ];
	u_int32_t			creatorid;
} __packed;

/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */

/*
 * INS_ACK
 */

struct pfsync_ins_ack {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * UPD_C
 */

struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	u_int8_t			timeout;
	u_int8_t			_pad[3];	/* explicit padding: keeps wire layout fixed */
} __packed;

/*
 * UPD_REQ
 */

struct pfsync_upd_req {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * DEL_C
 */

struct pfsync_del_c {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * INS_F, DEL_F
 */

/* not implemented (yet) */

/*
 * BUS
 */

struct pfsync_bus {
	u_int32_t			creatorid;
	u_int32_t			endtime;
	u_int8_t			status;		/* PFSYNC_BUS_START or PFSYNC_BUS_END */
#define PFSYNC_BUS_START	1
#define PFSYNC_BUS_END		2
	u_int8_t			_pad[3];	/* explicit padding: keeps wire layout fixed */
} __packed;

/*
 * TDB
 *
 * Per PFSYNC_ACT_TDB this carries a replay counter update for an IPsec
 * SA; the field meanings beyond that are not visible here -- confirm
 * against the (currently "notyet") pfsync_update_tdb() implementation.
 */

struct pfsync_tdb {
	u_int32_t			spi;
	union sockaddr_union		dst;
	u_int32_t			rpl;
	u_int64_t			cur_bytes;
	u_int8_t			sproto;
	u_int8_t			updates;
	u_int8_t			_pad[2];	/* explicit padding: keeps wire layout fixed */
} __packed;

/*
 * EOF
 *
 * Last section of every frame.  The HMAC is presumably keyed and computed
 * over the preceding frame contents; receivers count failures in
 * pfsyncs_badauth -- confirm the exact coverage in if_pfsync.c.
 */

struct pfsync_eof {
	u_int8_t			hmac[PFSYNC_HMAC_LEN];
} __packed;

#define PFSYNC_HDRLEN		sizeof(struct pfsync_header)

/*
 * Names for PFSYNC sysctl objects
 */
#define PFSYNCCTL_STATS		1	/* PFSYNC stats */
#define PFSYNCCTL_MAXID		2

#define PFSYNCCTL_NAMES { \
	{ 0, 0 }, \
	{ "stats", CTLTYPE_STRUCT }, \
}

/*
 * Interface statistics, exported as PFSYNCCTL_STATS.  The pfsyncs_bad*
 * counters record frames that were rejected before any state was
 * touched and are the visible trace of malformed or unauthenticated
 * input on the sync interface.
 */
struct pfsyncstats {
	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
	u_int64_t	pfsyncs_badif;		/* not the right interface */
	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
	u_int64_t	pfsyncs_badact;		/* bad action */
	u_int64_t	pfsyncs_badlen;		/* data length does not match */
	u_int64_t	pfsyncs_badauth;	/* bad authentication */
	u_int64_t	pfsyncs_stale;		/* stale state */
	u_int64_t	pfsyncs_badval;		/* bad values */
	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */

	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
	u_int64_t	pfsyncs_oerrors;	/* ip output error */
};

/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 */
struct pfsyncreq {
	char		 pfsyncr_syncdev[IFNAMSIZ];	/* interface frames are sent/received on */
	struct in_addr	 pfsyncr_syncpeer;		/* IPv4 peer address (struct in_addr) */
	int		 pfsyncr_maxupdates;
	/*
	 * Authentication level; the meaning of the values is not defined in
	 * this header -- presumably it governs HMAC use on frames, confirm.
	 */
	int		 pfsyncr_authlevel;
};

#ifdef __FreeBSD__
/* FreeBSD passes the request through a struct ifreq rather than a pfsyncreq directly. */
#define SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
#define SIOCGETPFSYNC  _IOWR('i', 248, struct ifreq)
#endif

#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 */
#define PFSYNC_S_INS	0x00
#define PFSYNC_S_IACK	0x01
#define PFSYNC_S_UPD	0x02
#define PFSYNC_S_UPD_C	0x03
#define PFSYNC_S_DEL	0x04
#define PFSYNC_S_COUNT	0x05	/* number of queued-state kinds above */

#define PFSYNC_S_DEFER	0xfe
#define PFSYNC_S_NONE	0xff

/* Input path for received pfsync frames (mbuf chain). */
#ifdef __FreeBSD__
void			pfsync_input(struct mbuf *, __unused int);
#else
void			pfsync_input(struct mbuf *, ...);
#endif
/* sysctl handler for the PFSYNCCTL_* objects. */
int			pfsync_sysctl(int *, u_int, void *, size_t *,
			    void *, size_t);

/* Flag bits for the u_int8_t argument of pfsync_state_import(). */
#define	PFSYNC_SI_IOCTL		0x01
#define	PFSYNC_SI_CKSUM		0x02
#define	PFSYNC_SI_ACK		0x04
int			pfsync_state_import(struct pfsync_state *, u_int8_t);
#ifndef __FreeBSD__
void			pfsync_state_export(struct pfsync_state *,
			    struct pf_state *);
#endif

/* Hooks called by pf when a state is created, changed or removed. */
void			pfsync_insert_state(struct pf_state *);
void			pfsync_update_state(struct pf_state *);
void			pfsync_delete_state(struct pf_state *);
void			pfsync_clear_states(u_int32_t, const char *);

#ifdef notyet
void			pfsync_update_tdb(struct tdb *, int);
void			pfsync_delete_tdb(struct tdb *);
#endif

int			pfsync_defer(struct pf_state *, struct mbuf *);

int			pfsync_up(void);
int			pfsync_state_in_use(struct pf_state *);
#endif

#endif /* _NET_IF_PFSYNC_H_ */