1/*-
2 * Copyright (c) 2001 Michael Shalayeff
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
18 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
19 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
22 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
23 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
24 * THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27/*-
28 * Copyright (c) 2008 David Gwynne <dlg@openbsd.org>
29 *
30 * Permission to use, copy, modify, and distribute this software for any
31 * purpose with or without fee is hereby granted, provided that the above
32 * copyright notice and this permission notice appear in all copies.
33 *
34 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
35 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
36 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
37 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
38 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
39 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
40 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
41 */
42
43/*
44 *	$OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $
45 *	$FreeBSD$
46 */
47
48
49#ifndef _NET_IF_PFSYNC_H_
50#define	_NET_IF_PFSYNC_H_
51
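/*
 * Protocol version carried in pfsync_header.version. pfsyncstats counts
 * "bad (incl unsupp) version" frames in pfsyncs_badver.
 */
#define	PFSYNC_VERSION		5
/*
 * IP TTL for pfsync packets; pfsyncstats counts input whose TTL differs in
 * pfsyncs_badttl.
 * NOTE(review): a TTL of 255 cannot be seen after a router hop, so this looks
 * like an on-link sender check -- confirm in the input path. It is a
 * plausibility filter, not authentication.
 */
#define	PFSYNC_DFLTTL		255

/*
 * Action codes carried in pfsync_subheader.action. The value is read from a
 * received frame, so it has to be range-checked against PFSYNC_ACT_MAX before
 * it indexes anything sized by it (pfsyncs_iacts[] and pfsyncs_oacts[] are).
 */
#define	PFSYNC_ACT_CLR		0	/* clear all states */
#define	PFSYNC_ACT_INS		1	/* insert state */
#define	PFSYNC_ACT_INS_ACK	2	/* ack of inserted state */
#define	PFSYNC_ACT_UPD		3	/* update state */
#define	PFSYNC_ACT_UPD_C	4	/* "compressed" update state */
#define	PFSYNC_ACT_UPD_REQ	5	/* request "uncompressed" state */
#define	PFSYNC_ACT_DEL		6	/* delete state */
#define	PFSYNC_ACT_DEL_C	7	/* "compressed" delete state */
#define	PFSYNC_ACT_INS_F	8	/* insert fragment */
#define	PFSYNC_ACT_DEL_F	9	/* delete fragments */
#define	PFSYNC_ACT_BUS		10	/* bulk update status */
#define	PFSYNC_ACT_TDB		11	/* TDB replay counter update */
#define	PFSYNC_ACT_EOF		12	/* end of frame */
#define	PFSYNC_ACT_MAX		13	/* one past the highest action code */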
69
/*
 * A pfsync frame is built from a header followed by several sections which
 * are all prefixed with their own subheaders. Frames must be terminated with
 * an EOF subheader.
 *
 * | ...			|
 * | IP header			|
 * +============================+
 * | pfsync_header		|
 * +----------------------------+
 * | pfsync_subheader		|
 * +----------------------------+
 * | first action fields	|
 * | ...			|
 * +----------------------------+
 * | pfsync_subheader		|
 * +----------------------------+
 * | second action fields	|
 * | ...			|
 * +----------------------------+
 * | EOF pfsync_subheader	|
 * +----------------------------+
 * | HMAC			|
 * +============================+
 *
 * Note: the diagram ends with an HMAC, but this header declares no structure,
 * length or key for it. Do not treat frames as authenticated on the strength
 * of this picture; check what the receive path actually verifies.
 */
95
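/*
 * Frame header: the first pfsync structure in the packet, directly after the
 * IP header.
 *
 * Every field is written by the sender and is untrusted on input.
 * NOTE(review): multi-byte fields are presumably in network byte order --
 * confirm against the code that builds and parses frames.
 */
struct pfsync_header {
	u_int8_t			version;	/* compare with PFSYNC_VERSION */
	u_int8_t			_pad;
	/*
	 * Sender-declared length. pfsyncstats has pfsyncs_hdrops ("packets
	 * shorter than hdr") and pfsyncs_badlen ("data length does not
	 * match"), so this value must be checked against the bytes actually
	 * received before any section is parsed.
	 */
	u_int16_t			len;
	/*
	 * NOTE(review): sized as an MD5 digest; presumably a checksum of the
	 * pf ruleset rather than a MAC over the frame -- confirm. An unkeyed
	 * digest does not authenticate the sender.
	 */
	u_int8_t			pfcksum[PF_MD5_DIGEST_LENGTH];
} __packed;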
106
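/*
 * Frame region subheader: introduces one section of the frame and names the
 * action its payload belongs to.
 */
struct pfsync_subheader {
	u_int8_t			action;		/* PFSYNC_ACT_* */
	u_int8_t			_pad;
	/*
	 * NOTE(review): presumably the number of fixed-size records for
	 * `action' that follow -- confirm. The value is sender-controlled:
	 * count times the record size must fit in the bytes left in the
	 * frame before the records are walked.
	 */
	u_int16_t			count;
} __packed;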
116
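/*
 * CLR: payload for PFSYNC_ACT_CLR ("clear all states").
 *
 * This is a destructive request and is only as trustworthy as the link the
 * frame arrived on.
 */
struct pfsync_clr {
	/*
	 * Fixed-size name field taken from the frame. Nothing in the layout
	 * guarantees a terminating NUL, so every read must be bounded by
	 * IFNAMSIZ.
	 */
	char				ifname[IFNAMSIZ];
	/* NOTE(review): presumably identifies the peer whose states are meant -- confirm */
	u_int32_t			creatorid;
} __packed;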
125
/*
 * INS, UPD, DEL
 */

/* these use struct pfsync_state in pfvar.h */
131
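/*
 * INS_ACK: payload for PFSYNC_ACT_INS_ACK ("ack of inserted state").
 *
 * NOTE(review): the (id, creatorid) pair presumably names the state being
 * acknowledged -- confirm. Both values come from the peer, so a lookup that
 * fails is an expected outcome, not an invariant violation.
 */
struct pfsync_ins_ack {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;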
140
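/*
 * UPD_C: payload for PFSYNC_ACT_UPD_C ('"compressed" update state').
 *
 * Carries the per-peer data for both directions plus timing fields for a
 * state named by id and creatorid. All values are supplied by the sender.
 */
struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	/*
	 * NOTE(review): if this is used as an index into a timeout table,
	 * it needs a range check on input -- confirm against the consumer.
	 */
	u_int8_t			timeout;
	/* zero on output so stale kernel memory is not put on the wire */
	u_int8_t			_pad[3];
} __packed;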
154
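/*
 * UPD_REQ: payload for PFSYNC_ACT_UPD_REQ ('request "uncompressed" state').
 *
 * NOTE(review): id and creatorid presumably select the state the sender
 * wants in full -- confirm. A request from the network makes this host
 * generate traffic in response, so the responding path should be bounded.
 */
struct pfsync_upd_req {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;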
163
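/*
 * DEL_C: payload for PFSYNC_ACT_DEL_C ('"compressed" delete state').
 *
 * Names the state to remove by id and creatorid only. Deleting state on the
 * word of a peer is destructive; it is only as trustworthy as the link the
 * frame arrived on.
 */
struct pfsync_del_c {
	u_int64_t			id;
	u_int32_t			creatorid;
} __packed;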
172
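/*
 * INS_F, DEL_F
 */

/*
 * not implemented (yet); PFSYNC_ACT_INS_F and PFSYNC_ACT_DEL_F are still
 * valid action codes below PFSYNC_ACT_MAX, so input carrying them has to be
 * handled explicitly.
 */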
178
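/*
 * BUS: payload for PFSYNC_ACT_BUS ("bulk update status").
 */
struct pfsync_bus {
	u_int32_t			creatorid;
	/* NOTE(review): units and time base are not visible here -- confirm */
	u_int32_t			endtime;
	/* one of the PFSYNC_BUS_* values below; reject anything else on input */
	u_int8_t			status;
#define	PFSYNC_BUS_START			1
#define	PFSYNC_BUS_END				2
	/* zero on output so stale kernel memory is not put on the wire */
	u_int8_t			_pad[3];
} __packed;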
191
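/*
 * TDB: payload for PFSYNC_ACT_TDB ("TDB replay counter update").
 *
 * NOTE(review): spi, dst and sproto presumably identify an IPsec security
 * association, with rpl and cur_bytes as its replay counter and byte count --
 * confirm. Replay state taken from an unauthenticated frame would weaken the
 * anti-replay protection it feeds, so the consumer should be checked for how
 * it bounds these values.
 */
struct pfsync_tdb {
	u_int32_t			spi;
	union sockaddr_union		dst;
	u_int32_t			rpl;
	u_int64_t			cur_bytes;
	u_int8_t			sproto;
	u_int8_t			updates;
	/* zero on output so stale kernel memory is not put on the wire */
	u_int8_t			_pad[2];
} __packed;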
205
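/* Size of the fixed frame header; input shorter than this cannot be parsed. */
#define	PFSYNC_HDRLEN		sizeof(struct pfsync_header)

/*
 * Names for PFSYNC sysctl objects
 */
#define	PFSYNCCTL_STATS		1	/* PFSYNC stats */
#define	PFSYNCCTL_MAXID		2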
213
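/*
 * pfsync counters.
 *
 * The first group counts received packets and the reasons input was rejected;
 * these are the counters to watch when looking for malformed or unexpected
 * pfsync traffic (badif, badttl, badver, badact, badlen, badauth, badval).
 * The second group counts output. The two arrays hold one slot per action
 * code.
 */
struct pfsyncstats {
	u_int64_t	pfsyncs_ipackets;	/* total input packets, IPv4 */
	u_int64_t	pfsyncs_ipackets6;	/* total input packets, IPv6 */
	u_int64_t	pfsyncs_badif;		/* not the right interface */
	u_int64_t	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
	u_int64_t	pfsyncs_hdrops;		/* packets shorter than hdr */
	u_int64_t	pfsyncs_badver;		/* bad (incl unsupp) version */
	u_int64_t	pfsyncs_badact;		/* bad action */
	u_int64_t	pfsyncs_badlen;		/* data length does not match */
	u_int64_t	pfsyncs_badauth;	/* bad authentication */
	u_int64_t	pfsyncs_stale;		/* stale state */
	u_int64_t	pfsyncs_badval;		/* bad values */
	u_int64_t	pfsyncs_badstate;	/* insert/lookup failed */

	u_int64_t	pfsyncs_opackets;	/* total output packets, IPv4 */
	u_int64_t	pfsyncs_opackets6;	/* total output packets, IPv6 */
	u_int64_t	pfsyncs_onomem;		/* no memory for an mbuf */
	u_int64_t	pfsyncs_oerrors;	/* ip output error */

	/*
	 * Sized by PFSYNC_ACT_MAX. NOTE(review): presumably indexed by the
	 * action code; a received action must be checked against
	 * PFSYNC_ACT_MAX before it is used as an index here.
	 */
	u_int64_t	pfsyncs_iacts[PFSYNC_ACT_MAX];
	u_int64_t	pfsyncs_oacts[PFSYNC_ACT_MAX];
};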
236
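/*
 * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
 *
 * NOTE(review): both ioctls below are encoded with struct ifreq, not with
 * this structure, so a pfsyncreq presumably reaches the kernel through a
 * pointer carried in the ifreq -- confirm in the ioctl handler. If so, the
 * handler has to copy it in from user space and validate it there; the ioctl
 * size encoding does not cover it.
 */
struct pfsyncreq {
	/* user-supplied name; may arrive without a terminating NUL */
	char		 pfsyncr_syncdev[IFNAMSIZ];
	struct in_addr	 pfsyncr_syncpeer;
	/* signed and user-supplied: range-check before use */
	int		 pfsyncr_maxupdates;
	int		 pfsyncr_defer;
};

#define	SIOCSETPFSYNC   _IOW('i', 247, struct ifreq)
#define	SIOCGETPFSYNC   _IOWR('i', 248, struct ifreq)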
249
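#ifdef _KERNEL

/*
 * this shows where a pf state is with respect to the syncing.
 *
 * The values 0x00 to 0x04 are consecutive and PFSYNC_S_COUNT is one past the
 * last of them. PFSYNC_S_DEFER and PFSYNC_S_NONE lie outside that range, so
 * they must never be used where a value below PFSYNC_S_COUNT is expected
 * (for example as an array index).
 */
#define	PFSYNC_S_INS	0x00
#define	PFSYNC_S_IACK	0x01
#define	PFSYNC_S_UPD	0x02
#define	PFSYNC_S_UPD_C	0x03
#define	PFSYNC_S_DEL	0x04
#define	PFSYNC_S_COUNT	0x05

#define	PFSYNC_S_DEFER	0xfe
#define	PFSYNC_S_NONE	0xff

/*
 * Distinct single-bit values, so they can be combined in one flags word.
 * NOTE(review): what each bit records is not visible in this header --
 * confirm against the code that sets and tests them.
 */
#define	PFSYNC_SI_IOCTL		0x01
#define	PFSYNC_SI_CKSUM		0x02
#define	PFSYNC_SI_ACK		0x04

#endif /* _KERNEL */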
270
271#endif /* _NET_IF_PFSYNC_H_ */
272