/*-
 * Copyright (c) 2001 Michael Shalayeff
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

/*-
 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
 * $FreeBSD$
 */

/*
 * pfsync(4) wire format (protocol version 5), statistics and ioctl
 * interface.
 *
 * Every struct below that is marked __packed describes bytes as they
 * appear on the wire, so the member order and the explicit _pad fields
 * are part of the protocol and must not be rearranged.  Nothing in this
 * header declares a keyed authenticator for a frame: the only integrity
 * field is pfcksum in struct pfsync_header, and the "HMAC" slot drawn
 * in the frame diagram has no corresponding struct here.  Consumers of
 * these structs therefore receive unauthenticated input and must
 * validate each field before acting on it (the pfsyncs_bad* counters
 * in struct pfsyncstats enumerate the checks the receiver accounts for).
 *
 * NOTE(review): the implementation is expected to carry every multi-byte
 * field in network byte order; confirm against if_pfsync.c before relying
 * on it.
 */

#ifndef _NET_IF_PFSYNC_H_
#define _NET_IF_PFSYNC_H_

/* Protocol version carried in pfsync_header.version. */
#define PFSYNC_VERSION		5
/*
 * IP TTL pfsync frames are sent with.  A receiver counts frames with any
 * other TTL under pfsyncs_badttl (below), which limits acceptance to
 * directly attached senders.
 */
#define PFSYNC_DFLTTL		255

/*
 * Action codes carried in pfsync_subheader.action.  Anything >= PFSYNC_ACT_MAX
 * is invalid and is accounted for under pfsyncs_badact.  PFSYNC_ACT_MAX also
 * sizes the per-action counters in struct pfsyncstats, so it must track the
 * highest action code + 1.
 */
#define PFSYNC_ACT_CLR		0	/* clear all states */
#define PFSYNC_ACT_INS		1	/* insert state */
#define PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define PFSYNC_ACT_UPD		3	/* update state */
#define PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define PFSYNC_ACT_DEL		6	/* delete state */
#define PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define PFSYNC_ACT_INS_F	8	/* insert fragment */
#define PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define PFSYNC_ACT_BUS		10	/* bulk update status */
#define PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define PFSYNC_ACT_EOF		12	/* end of frame */
#define PFSYNC_ACT_MAX		13

/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * The layout below is the one the structs in this file describe; the
 * trailing HMAC region is shown for completeness only -- no struct in this
 * header defines it.
 *
 *	| ...			     |
 *	| IP header		     |
 *	+============================+
 *	| pfsync_header		     |
 *	+----------------------------+
 *	| pfsync_subheader	     |
 *	+----------------------------+
 *	| first action fields	     |
 *	| ...			     |
 *	+----------------------------+
 *	| pfsync_subheader	     |
 *	+----------------------------+
 *	| second action fields	     |
 *	| ...			     |
 *	+----------------------------+
 *	| EOF pfsync_subheader	     |
 *	+----------------------------+
 *	| HMAC			     |
 *	+============================+
 */

/*
 * Frame header
 *
 * First bytes of every frame.  version is checked against PFSYNC_VERSION
 * (pfsyncs_badver), len against the data actually received (pfsyncs_hdrops
 * / pfsyncs_badlen), and pfcksum is an MD5-sized digest that the receiver
 * compares before accepting the frame (pfsyncs_badauth).
 *
 * NOTE(review): pfcksum is presumably the digest of the pf ruleset, not a
 * keyed MAC over the frame -- confirm in if_pfsync.c.  A digest of shared
 * configuration only proves the sender knows that configuration.
 */

struct pfsync_header {
	u_int8_t			version;	/* PFSYNC_VERSION */
	u_int8_t			_pad;		/* wire padding, keep zero */
	u_int16_t			len;		/* frame length; verified against the packet */
	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
} __packed;

/*
 * Frame region subheader
 *
 * Precedes each action section.  count presumably gives the number of
 * fixed-size action records that follow; a receiver must bound it by the
 * remaining frame length before walking the records.
 */

struct pfsync_subheader {
	u_int8_t			action;		/* PFSYNC_ACT_* */
	u_int8_t			_pad;		/* wire padding, keep zero */
	u_int16_t			count;		/* records in this section */
} __packed;

/*
 * CLR
 *
 * Clear all states.  ifname is a fixed-size, possibly unterminated buffer
 * from the wire; do not pass it to strlen()/strcmp() without bounding it.
 */

struct pfsync_clr {
	char				ifname[IFNAMSIZ];
	u_int32_t			creatorid;
} __packed;

/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */

/*
 * INS_ACK
 *
 * Acknowledges an inserted state, identified by (id, creatorid).
 */

struct pfsync_ins_ack {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * UPD_C
 *
 * "Compressed" update: carries only the peer counters, expiry and timeout
 * for a state the receiver already holds, instead of a full pfsync_state.
 * struct pfsync_state_peer is declared in pfvar.h.
 */

struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	u_int8_t			timeout;
	u_int8_t			_pad[3];	/* wire padding, keep zero */
} __packed;

/*
 * UPD_REQ
 *
 * Asks the peer to resend the full ("uncompressed") state (id, creatorid).
 */

struct pfsync_upd_req {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * DEL_C
 *
 * "Compressed" delete: identifies the state by (id, creatorid) only.
 */

struct pfsync_del_c {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;

/*
 * INS_F, DEL_F
 */

/* not implemented (yet) */

/*
 * BUS
 *
 * Bulk update status.  status is one of the PFSYNC_BUS_* values defined
 * inside the struct; any other value should be rejected.
 */

struct pfsync_bus {
	u_int32_t			creatorid;
	u_int32_t			endtime;
	u_int8_t			status;
#define PFSYNC_BUS_START			1
#define PFSYNC_BUS_END				2
	u_int8_t			_pad[3];	/* wire padding, keep zero */
} __packed;

/*
 * TDB
 *
 * IPsec SA replay-counter update.  union sockaddr_union is declared
 * elsewhere (pfvar.h); because the struct is __packed, the u_int64_t
 * that follows it may be unaligned on the wire -- access it only through
 * the struct member, never through a cast pointer.
 */

struct pfsync_tdb {
	u_int32_t			spi;
	union sockaddr_union		dst;
	u_int32_t			rpl;
	u_int64_t			cur_bytes;
	u_int8_t			sproto;
	u_int8_t			updates;
	u_int8_t			_pad[2];	/* wire padding, keep zero */
} __packed;

/* Size of the fixed frame header; the minimum length of a valid frame. */
#define PFSYNC_HDRLEN		sizeof(struct pfsync_header)

/*
 * Names for PFSYNC sysctl objects
 */
#define	PFSYNCCTL_STATS		1	/* PFSYNC stats */
#define	PFSYNCCTL_MAXID		2

#define PFSYNCCTL_NAMES { \
	{ 0, 0 }, \
	{ "stats", CTLTYPE_STRUCT }, \
}

/*
 * Statistics exported through the PFSYNCCTL_STATS sysctl.  The pfsyncs_bad*
 * counters are the receiver's record of rejected input and are the first
 * place to look when diagnosing a peer that is sending malformed or
 * unexpected frames.
 */
struct pfsyncstats {
	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
	u_int64_t	pfsyncs_badif;		/* not the right interface */
	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
	u_int64_t	pfsyncs_badact;		/* bad action */
	u_int64_t	pfsyncs_badlen;		/* data length does not match */
	u_int64_t	pfsyncs_badauth;	/* bad authentication */
	u_int64_t	pfsyncs_stale;		/* stale state */
	u_int64_t	pfsyncs_badval;		/* bad values */
	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */

	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
	u_int64_t	pfsyncs_oerrors;	/* ip output error */

	/* per-action input/output counts, indexed by PFSYNC_ACT_* */
	u_int64_t	pfsyncs_iacts[PFSYNC_ACT_MAX];
	u_int64_t	pfsyncs_oacts[PFSYNC_ACT_MAX];
};

/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 *
 * pfsyncr_syncdev names the interface sync traffic is sent and received on;
 * pfsyncr_syncpeer is an IPv4 address (struct in_addr), so this interface
 * cannot configure an IPv6 peer.  pfsyncr_maxupdates and pfsyncr_defer are
 * tuning knobs whose exact semantics are defined by the implementation --
 * see pfsync(4).
 */
struct pfsyncreq {
	char		 pfsyncr_syncdev[IFNAMSIZ];
	struct in_addr	 pfsyncr_syncpeer;
	int		 pfsyncr_maxupdates;
	int		 pfsyncr_defer;
};

/*
 * Both ioctls take a struct ifreq.
 * NOTE(review): presumably the struct pfsyncreq is reached through
 * ifr_data, which the kernel must copy in/out with the user's size
 * validated -- confirm in if_pfsync.c.
 */
#define SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
#define SIOCGETPFSYNC  _IOWR('i', 248, struct ifreq)

#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 *
 * Values below PFSYNC_S_COUNT are valid queue positions; PFSYNC_S_DEFER and
 * PFSYNC_S_NONE sit well outside that range and act as sentinels, so code
 * indexing by this value must check it against PFSYNC_S_COUNT first.
 */
#define PFSYNC_S_INS	0x00
#define PFSYNC_S_IACK	0x01
#define PFSYNC_S_UPD	0x02
#define PFSYNC_S_UPD_C	0x03
#define PFSYNC_S_DEL	0x04
#define PFSYNC_S_COUNT	0x05

#define PFSYNC_S_DEFER	0xfe
#define PFSYNC_S_NONE	0xff

/*
 * Bit flags (distinct powers of two, so they may be OR'ed together).
 * NOTE(review): their consumer is not in this header; the names suggest
 * they qualify a state insert (ioctl-originated, checksum, ack) -- confirm
 * in if_pfsync.c.
 */
#define PFSYNC_SI_IOCTL		0x01
#define PFSYNC_SI_CKSUM		0x02
#define PFSYNC_SI_ACK		0x04

#endif /* _KERNEL */

#endif /* _NET_IF_PFSYNC_H_ */