xref: /freebsd/sys/net/if_pfsync.h (revision 2ff63af9b88c7413b7d71715b5532625752a248e)

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2001 Michael Shalayeff
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*-
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 *	$OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
 */

#ifndef _NET_IF_PFSYNC_H_
#define	_NET_IF_PFSYNC_H_

#include <sys/types.h>

#include <net/if.h>
#include <net/pfvar.h>
#include <netpfil/pf/pf.h>

#define	PFSYNC_VERSION		5
#define	PFSYNC_DFLTTL		255

enum pfsync_msg_versions {
	PFSYNC_MSG_VERSION_UNSPECIFIED = 0,
	PFSYNC_MSG_VERSION_1301 = 1301,
	PFSYNC_MSG_VERSION_1400 = 1400,
};

#define PFSYNC_MSG_VERSION_DEFAULT PFSYNC_MSG_VERSION_1400

#define	PFSYNC_ACT_CLR		0	/* clear all states */
#define	PFSYNC_ACT_INS_1301	1	/* insert state */
#define	PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define	PFSYNC_ACT_UPD_1301	3	/* update state */
#define	PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define	PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define	PFSYNC_ACT_DEL		6	/* delete state */
#define	PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define	PFSYNC_ACT_INS_F	8	/* insert fragment */
#define	PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define	PFSYNC_ACT_BUS		10	/* bulk update status */
#define	PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define	PFSYNC_ACT_EOF		12	/* end of frame */
#define PFSYNC_ACT_INS_1400	13	/* insert state */
#define PFSYNC_ACT_UPD_1400	14	/* update state */
#define	PFSYNC_ACT_MAX		15

/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * | ...			|
 * | IP header			|
 * +============================+
 * | pfsync_header		|
 * +----------------------------+
 * | pfsync_subheader		|
 * +----------------------------+
 * | first action fields	|
 * | ...			|
 * +----------------------------+
 * | pfsync_subheader		|
 * +----------------------------+
 * | second action fields	|
 * | ...			|
 * +----------------------------+
 * | EOF pfsync_subheader	|
 * +----------------------------+
 * | HMAC			|
 * +============================+
 */

/*
 * Frame header
 */

struct pfsync_header {
	u_int8_t			version;
	u_int8_t			_pad;
	u_int16_t			len;
	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
} __packed;

/*
 * Frame region subheader
 */

struct pfsync_subheader {
	u_int8_t			action;
	u_int8_t			_pad;
	u_int16_t			count;
} __packed;

/*
 * CLR
 */

struct pfsync_clr {
	char				ifname[IFNAMSIZ];
	u_int32_t			creatorid;
} __packed;

/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */

/*
 * INS_ACK
 */

struct pfsync_ins_ack {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * UPD_C
 */

struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	u_int8_t			timeout;
	u_int8_t			_pad[3];
} __packed;

/*
 * UPD_REQ
 */

struct pfsync_upd_req {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * DEL_C
 */

struct pfsync_del_c {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * INS_F, DEL_F
 */

/* not implemented (yet) */

/*
 * BUS
 */

struct pfsync_bus {
	u_int32_t			creatorid;
	u_int32_t			endtime;
	u_int8_t			status;
#define	PFSYNC_BUS_START			1
#define	PFSYNC_BUS_END				2
	u_int8_t			_pad[3];
} __packed;

/*
 * TDB
 */

struct pfsync_tdb {
	u_int32_t			spi;
	union sockaddr_union		dst;
	u_int32_t			rpl;
	u_int64_t			cur_bytes;
	u_int8_t			sproto;
	u_int8_t			updates;
	u_int8_t			_pad[2];
} __packed;

#define	PFSYNC_HDRLEN		sizeof(struct pfsync_header)

struct pfsyncstats {
	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
	u_int64_t	pfsyncs_badif;		/* not the right interface */
	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
	u_int64_t	pfsyncs_badact;		/* bad action */
	u_int64_t	pfsyncs_badlen;		/* data length does not match */
	u_int64_t	pfsyncs_badauth;	/* bad authentication */
	u_int64_t	pfsyncs_stale;		/* stale state */
	u_int64_t	pfsyncs_badval;		/* bad values */
	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */

	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
	u_int64_t	pfsyncs_oerrors;	/* ip output error */

	u_int64_t	pfsyncs_iacts[PFSYNC_ACT_MAX];
	u_int64_t	pfsyncs_oacts[PFSYNC_ACT_MAX];
};

/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 */
struct pfsyncreq {
	char		 pfsyncr_syncdev[IFNAMSIZ];
	struct in_addr	 pfsyncr_syncpeer;
	int		 pfsyncr_maxupdates;
#define	PFSYNCF_OK		0x00000001
#define	PFSYNCF_DEFER		0x00000002
	int		 pfsyncr_defer;
};

struct pfsync_kstatus {
	char		 	syncdev[IFNAMSIZ];
	struct sockaddr_storage	syncpeer;
	int		 	maxupdates;
	int			version;
	int		 	flags;
};

struct pfsyncioc_nv {
	void            *data;
	size_t           len;   /* The length of the nvlist data. */
	size_t           size;  /* The total size of the data buffer. */
};

#define	SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
#define	SIOCGETPFSYNC   _IOWR('i', 248, struct ifreq)
#define	SIOCSETPFSYNCNV _IOW('i', 249, struct ifreq)
#define	SIOCGETPFSYNCNV _IOWR('i', 250, struct ifreq)

#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 * pf_kstate->sync_state
 */
#define	PFSYNC_S_INS	0x00
#define	PFSYNC_S_IACK	0x01
#define	PFSYNC_S_UPD	0x02
#define	PFSYNC_S_UPD_C	0x03
#define	PFSYNC_S_DEL_C	0x04

#define	PFSYNC_S_DEFER	0xfe
#define	PFSYNC_S_NONE	0xff

#define	PFSYNC_SI_IOCTL		0x01
#define	PFSYNC_SI_CKSUM		0x02
#define	PFSYNC_SI_ACK		0x04

#endif /* _KERNEL */

#endif /* _NET_IF_PFSYNC_H_ */