/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Michael Shalayeff
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*-
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
 */

/*
 * if_pfsync.h -- wire format, ioctl interface and kernel-private constants
 * of the pfsync(4) state-table synchronisation protocol.
 *
 * Everything in the "struct pfsync_*" wire section of this header is
 * parsed directly out of packets received from the sync peer, so the
 * layouts here are an ABI shared with other hosts: do not reorder, resize
 * or re-type a field without bumping PFSYNC_VERSION.
 */

#ifndef _NET_IF_PFSYNC_H_
#define _NET_IF_PFSYNC_H_

#include <sys/types.h>

#include <net/if.h>
#include <net/pfvar.h>
#include <netpfil/pf/pf.h>

/* Wire protocol version carried in pfsync_header.version. */
#define PFSYNC_VERSION 5
/*
 * TTL pfsync packets are sent with.  The pfsyncs_badttl counter below is
 * described as counting received packets whose TTL is not this value, i.e.
 * frames that were forwarded rather than arriving from a directly attached
 * peer.
 */
#define PFSYNC_DFLTTL 255

/*
 * Versions of the per-state message format (the INS/UPD record layouts),
 * as distinct from PFSYNC_VERSION.  The numbers look like FreeBSD release
 * numbers (13.01, 14.00, 15.00) -- presumably the release in which each
 * layout was introduced; confirm against if_pfsync.c.
 */
enum pfsync_msg_versions {
	PFSYNC_MSG_VERSION_UNSPECIFIED = 0,
	PFSYNC_MSG_VERSION_1301 = 1301,
	PFSYNC_MSG_VERSION_1400 = 1400,
	PFSYNC_MSG_VERSION_1500 = 1500,
};

#define PFSYNC_MSG_VERSION_DEFAULT PFSYNC_MSG_VERSION_1500

/*
 * Action codes carried in pfsync_subheader.action.  A received code that
 * is not one of these is accounted in pfsyncs_badact.  The _1301/_1400/_1500
 * variants of INS and UPD select the record layout of the matching
 * pfsync_msg_versions entry.
 */
#define PFSYNC_ACT_CLR		0	/* clear all states */
#define PFSYNC_ACT_INS_1301	1	/* insert state */
#define PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define PFSYNC_ACT_UPD_1301	3	/* update state */
#define PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define PFSYNC_ACT_DEL		6	/* delete state */
#define PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define PFSYNC_ACT_INS_F	8	/* insert fragment */
#define PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define PFSYNC_ACT_BUS		10	/* bulk update status */
#define PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define PFSYNC_ACT_EOF		12	/* end of frame */
#define PFSYNC_ACT_INS_1400	13	/* insert state */
#define PFSYNC_ACT_UPD_1400	14	/* update state */
#define PFSYNC_ACT_INS_1500	15	/* insert state */
#define PFSYNC_ACT_UPD_1500	16	/* update state */
/*
 * One past the highest action code.  This sizes the per-action counter
 * arrays in struct pfsyncstats, so it must be kept equal to the last
 * PFSYNC_ACT_* value + 1 whenever a new action is added.
 */
#define PFSYNC_ACT_MAX		17

/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own
subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * |            ...             |
 * | IP header                  |
 * +============================+
 * | pfsync_header              |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | first action fields        |
 * |            ...             |
 * +----------------------------+
 * | pfsync_subheader           |
 * +----------------------------+
 * | second action fields       |
 * |            ...             |
 * +----------------------------+
 * | EOF pfsync_subheader       |
 * +----------------------------+
 * | HMAC                       |
 * +============================+
 *
 * All of the structures below up to PFSYNC_HDRLEN are __packed because they
 * describe bytes on the wire.  They are read straight out of received
 * packets, so every length and count field in them is untrusted input and
 * has to be checked against the real packet length before the data behind
 * it is touched; the pfsyncs_hdrops and pfsyncs_badlen counters in
 * struct pfsyncstats record such rejections.  The trailing HMAC in the
 * diagram and the pfsyncs_badauth counter are the only authentication
 * hooks visible in this header -- how (and whether) the HMAC is verified is
 * decided in if_pfsync.c, not here.
 *
 * NOTE(review): the _pad fields below go on the wire too; senders should
 * zero them explicitly so that stale kernel memory is never transmitted.
 */

/*
 * Frame header
 */

struct pfsync_header {
	u_int8_t version;	/* PFSYNC_VERSION; other values -> pfsyncs_badver */
	u_int8_t _pad;
	u_int16_t len;		/* frame length; byte order is not stated here,
				 * presumably network order -- confirm in
				 * if_pfsync.c */
	u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH];	/* pf checksum; presumably the
						 * MD5 digest of the ruleset,
						 * used to decide whether the
						 * peer's rules match -- confirm */
} __packed;

/*
 * Frame region subheader
 */

struct pfsync_subheader {
	u_int8_t action;	/* PFSYNC_ACT_*; unknown values -> pfsyncs_badact */
	u_int8_t _pad;
	u_int16_t count;	/* number of records of that action that follow
				 * (see the frame diagram); attacker-controlled,
				 * bound it by the remaining packet length */
} __packed;

/*
 * CLR
 *
 * Record for PFSYNC_ACT_CLR ("clear all states").  ifname/creatorid
 * presumably select which states are cleared -- confirm in if_pfsync.c.
 */

struct pfsync_clr {
	char ifname[IFNAMSIZ];	/* not guaranteed NUL-terminated on the wire */
	u_int32_t creatorid;
} __packed;

/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */

/*
 * INS_ACK
 *
 * Record for PFSYNC_ACT_INS_ACK.  (id, creatorid) is the pair that
 * identifies a state in every record below.
 */

struct pfsync_ins_ack {
	u_int64_t id;
	u_int32_t creatorid;
} __packed;

/*
 * UPD_C
 *
 * Record for PFSYNC_ACT_UPD_C, the "compressed" update: only the two peer
 * halves plus expiry/timeout are carried instead of a full pfsync_state.
 */

struct pfsync_upd_c {
	u_int64_t id;
	struct pf_state_peer_export src;	/* layout from pfvar.h */
	struct pf_state_peer_export dst;
	u_int32_t creatorid;
	u_int32_t expire;
	u_int8_t timeout;
	u_int8_t _pad[3];
} __packed;

/*
 * UPD_REQ
 *
 * Record for PFSYNC_ACT_UPD_REQ: asks the peer for an uncompressed copy of
 * the named state.
 */

struct pfsync_upd_req {
	u_int64_t id;
	u_int32_t creatorid;
} __packed;

/*
 * DEL_C
 *
 * Record for PFSYNC_ACT_DEL_C, the "compressed" delete.
 */

struct pfsync_del_c {
	u_int64_t id;
	u_int32_t creatorid;
} __packed;

/*
 * INS_F, DEL_F
 */

/* not implemented (yet) */

/*
 * BUS
 *
 * Record for PFSYNC_ACT_BUS (bulk update status): announces the start or
 * end of a bulk transfer of states from creatorid.
 */

struct pfsync_bus {
	u_int32_t creatorid;
	u_int32_t endtime;
	u_int8_t status;	/* PFSYNC_BUS_START or PFSYNC_BUS_END */
#define PFSYNC_BUS_START 1
#define PFSYNC_BUS_END 2
	u_int8_t _pad[3];
} __packed;

/*
 * TDB
 *
 * Record for PFSYNC_ACT_TDB ("TDB replay counter update"), i.e. IPsec SA
 * replay-window state.  Field meanings beyond the names are not defined
 * here; see if_pfsync.c.
 */

struct pfsync_tdb {
	u_int32_t spi;
	union sockaddr_union dst;	/* from pfvar.h */
	u_int32_t rpl;			/* presumably the replay counter -- confirm */
	u_int64_t cur_bytes;
	u_int8_t sproto;
	u_int8_t updates;
	u_int8_t _pad[2];
} __packed;

/* Size of the fixed frame header; the minimum length of a valid packet. */
#define PFSYNC_HDRLEN sizeof(struct pfsync_header)

/*
 * Interface statistics.  The pfsyncs_bad* counters are the receiver's
 * rejection reasons and are the first thing to look at when frames from a
 * peer are being dropped.
 */
struct pfsyncstats {
	u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */
	u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */
	u_int64_t pfsyncs_badif; /* not the right interface */
	u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */
	u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */
	u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */
	u_int64_t pfsyncs_badact; /* bad action */
	u_int64_t pfsyncs_badlen; /* data length does not match */
	u_int64_t pfsyncs_badauth; /* bad authentication */
	u_int64_t pfsyncs_stale; /* stale state */
	u_int64_t pfsyncs_badval; /* bad values */
	u_int64_t pfsyncs_badstate; /* insert/lookup failed */

	u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */
	u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */
	u_int64_t pfsyncs_onomem; /* no memory for an mbuf */
	u_int64_t pfsyncs_oerrors; /* ip output error */

	/*
	 * Per-action input/output counters, indexed by PFSYNC_ACT_* value.
	 * An index taken from a received subheader.action must be checked
	 * against PFSYNC_ACT_MAX before it is used here.
	 */
	u_int64_t pfsyncs_iacts[PFSYNC_ACT_MAX];
	u_int64_t pfsyncs_oacts[PFSYNC_ACT_MAX];
};

/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 *
 * Legacy (pre-nvlist) configuration; note the IPv4-only peer address.
 */
struct pfsyncreq {
	char pfsyncr_syncdev[IFNAMSIZ];
	struct in_addr pfsyncr_syncpeer;
	int pfsyncr_maxupdates;
	/*
	 * Flag bits; presumably reported/accepted through pfsyncr_defer
	 * given their placement -- confirm in if_pfsync.c.
	 */
#define PFSYNCF_OK 0x00000001
#define PFSYNCF_DEFER 0x00000002
	int pfsyncr_defer;
};

/*
 * Kernel-side view of the interface configuration.  Unlike pfsyncreq the
 * peer is a sockaddr_storage, so it can hold either address family.
 */
struct pfsync_kstatus {
	char syncdev[IFNAMSIZ];
	struct sockaddr_storage syncpeer;
	int maxupdates;
	int version;	/* one of enum pfsync_msg_versions */
	int flags;
};

/*
 * User/kernel buffer descriptor for the nvlist ioctls
 * (SIOCSETPFSYNCNV / SIOCGETPFSYNCNV).  data points at user memory;
 * the kernel must bound len by size and by its own limit before copying.
 */
struct pfsyncioc_nv {
	void *data;
	size_t len; /* The length of the nvlist data. */
	size_t size; /* The total size of the data buffer. */
};

/*
 * ioctls.  All four are issued on a struct ifreq; the real payload
 * (struct pfsyncreq or struct pfsyncioc_nv) is presumably reached through
 * ifr_data and lives in user memory -- copyin() and validation happen in
 * if_pfsync.c.
 */
#define SIOCSETPFSYNC _IOW('i', 247, struct ifreq)
#define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq)
#define SIOCSETPFSYNCNV _IOW('i', 249, struct ifreq)
#define SIOCGETPFSYNCNV _IOWR('i', 250, struct ifreq)

#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 * pf_kstate->sync_state
 *
 * The low values name the queue the state is currently scheduled on;
 * PFSYNC_S_DEFER and PFSYNC_S_NONE are out-of-band markers.
 */
#define PFSYNC_S_INS 0x00
#define PFSYNC_S_IACK 0x01
#define PFSYNC_S_UPD 0x02
#define PFSYNC_S_UPD_C 0x03
#define PFSYNC_S_DEL_C 0x04

#define PFSYNC_S_DEFER 0xfe
#define PFSYNC_S_NONE 0xff

/*
 * State-import flags (SI).  Presumably passed to the state import routine
 * in if_pfsync.c: IOCTL for a state arriving via ioctl rather than the
 * wire, CKSUM when the peer's ruleset checksum matched ours, ACK when an
 * INS_ACK should be sent back -- confirm against the caller.
 */
#define PFSYNC_SI_IOCTL 0x01
#define PFSYNC_SI_CKSUM 0x02
#define PFSYNC_SI_ACK 0x04

#endif /* _KERNEL */

#endif /* _NET_IF_PFSYNC_H_ */