Commit pf version 3.5 and link additional files to the kernel build.

Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...

1 files changed, 222 insertions, 20 deletions

diff --git a/sys/contrib/pf/net/if_pfsync.h b/sys/contrib/pf/net/if_pfsync.h
index 23539ba79e5d..b276b4a5314d 100644
--- a/sys/contrib/pf/net/if_pfsync.h
+++ b/sys/contrib/pf/net/if_pfsync.h
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: if_pfsync.h,v 1.2 2002/12/11 18:31:26 mickey Exp $	*/
+/*	$OpenBSD: if_pfsync.h,v 1.13 2004/03/22 04:54:17 mcbride Exp $	*/
 
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -30,47 +30,217 @@
 #ifndef _NET_IF_PFSYNC_H_
 #define _NET_IF_PFSYNC_H_
 
+
+#define PFSYNC_ID_LEN	sizeof(u_int64_t)
+
+struct pfsync_state_scrub {
+	u_int16_t	pfss_flags;
+	u_int8_t	pfss_ttl;	/* stashed TTL		*/
+	u_int8_t	scrub_flag;
+	u_int32_t	pfss_ts_mod;	/* timestamp modulation	*/
+} __packed;
+
+struct pfsync_state_host {
+	struct pf_addr	addr;
+	u_int16_t	port;
+	u_int16_t	pad[3];
+} __packed;
+
+struct pfsync_state_peer {
+	struct pfsync_state_scrub scrub;	/* state is scrubbed	*/
+	u_int32_t	seqlo;		/* Max sequence number sent	*/
+	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
+	u_int32_t	seqdiff;	/* Sequence number modulator	*/
+	u_int16_t	max_win;	/* largest window (pre scaling)	*/
+	u_int16_t	mss;		/* Maximum segment size option	*/
+	u_int8_t	state;		/* active state level		*/
+	u_int8_t	wscale;		/* window scaling factor	*/
+	u_int8_t	scrub_flag;
+	u_int8_t	pad[5];
+} __packed;
+
+struct pfsync_state {
+	u_int32_t	 id[2];
+	char		 ifname[IFNAMSIZ];
+	struct pfsync_state_host lan;
+	struct pfsync_state_host gwy;
+	struct pfsync_state_host ext;
+	struct pfsync_state_peer src;
+	struct pfsync_state_peer dst;
+	struct pf_addr	 rt_addr;
+	u_int32_t	 rule;
+	u_int32_t	 anchor;
+	u_int32_t	 nat_rule;
+	u_int32_t	 creation;
+	u_int32_t	 expire;
+	u_int32_t	 packets[2];
+	u_int32_t	 bytes[2];
+	u_int32_t	 creatorid;
+	sa_family_t	 af;
+	u_int8_t	 proto;
+	u_int8_t	 direction;
+	u_int8_t	 log;
+	u_int8_t	 allow_opts;
+	u_int8_t	 timeout;
+	u_int8_t	 sync_flags;
+	u_int8_t	 updates;
+} __packed;
+
+struct pfsync_state_upd {
+	u_int32_t		id[2];
+	struct pfsync_state_peer	src;
+	struct pfsync_state_peer	dst;
+	u_int32_t		creatorid;
+	u_int32_t		expire;
+	u_int8_t		timeout;
+	u_int8_t		updates;
+	u_int8_t		pad[6];
+} __packed;
+
+struct pfsync_state_del {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	struct {
+		u_int8_t	state;
+	} src;
+	struct {
+		u_int8_t	state;
+	} dst;
+	u_int8_t		pad[2];
+} __packed;
+
+struct pfsync_state_upd_req {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_clr {
+	char			ifname[IFNAMSIZ];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_bus {
+	u_int32_t		creatorid;
+	u_int32_t		endtime;
+	u_int8_t		status;
+#define PFSYNC_BUS_START	1
+#define PFSYNC_BUS_END		2
+	u_int8_t		pad[7];
+} __packed;
+
 #ifdef _KERNEL
+
+union sc_statep {
+	struct pfsync_state	*s;
+	struct pfsync_state_upd	*u;
+	struct pfsync_state_del	*d;
+	struct pfsync_state_clr	*c;
+	struct pfsync_state_bus	*b;
+	struct pfsync_state_upd_req	*r;
+};
+
+extern int	pfsync_sync_ok;
+
 struct pfsync_softc {
-	struct ifnet	sc_if;
+	struct ifnet		 sc_if;
+	struct ifnet		*sc_sync_ifp;
 
+	struct ip_moptions	 sc_imo;
 #ifdef __FreeBSD__
-	struct callout	sc_tmo;
+	struct callout		 sc_tmo;
+	struct callout		 sc_bulk_tmo;
+	struct callout		 sc_bulkfail_tmo;
 #else
-	struct timeout	sc_tmo;
+	struct timeout		 sc_tmo;
+	struct timeout		 sc_bulk_tmo;
+	struct timeout		 sc_bulkfail_tmo;
 #endif
-	struct mbuf	*sc_mbuf;	/* current cummulative mbuf */
-	struct pf_state	*sc_ptr;	/* current ongoing state */
-	int		 sc_count;	/* number of states in one mtu */
+	struct in_addr		 sc_sendaddr;
+	struct mbuf		*sc_mbuf;	/* current cummulative mbuf */
+	struct mbuf		*sc_mbuf_net;	/* current cummulative mbuf */
+	union sc_statep		 sc_statep;
+	union sc_statep		 sc_statep_net;
+	u_int32_t		 sc_ureq_received;
+	u_int32_t		 sc_ureq_sent;
+	int			 sc_bulk_tries;
+	int			 sc_maxcount;	/* number of states in mtu */
+	int			 sc_maxupdates;	/* number of updates/state */
 #ifdef __FreeBSD__
 	LIST_ENTRY(pfsync_softc) sc_next;
 #endif
 };
 #endif
 
+
 struct pfsync_header {
 	u_int8_t version;
-#define	PFSYNC_VERSION	1
+#define	PFSYNC_VERSION	2
 	u_int8_t af;
 	u_int8_t action;
-#define	PFSYNC_ACT_CLR	0
-#define	PFSYNC_ACT_INS	1
-#define	PFSYNC_ACT_UPD	2
-#define	PFSYNC_ACT_DEL	3
-#define	PFSYNC_ACT_MAX	4
+#define	PFSYNC_ACT_CLR		0	/* clear all states */
+#define	PFSYNC_ACT_INS		1	/* insert state */
+#define	PFSYNC_ACT_UPD		2	/* update state */
+#define	PFSYNC_ACT_DEL		3	/* delete state */
+#define	PFSYNC_ACT_UPD_C	4	/* "compressed" state update */
+#define	PFSYNC_ACT_DEL_C	5	/* "compressed" state delete */
+#define	PFSYNC_ACT_INS_F	6	/* insert fragment */
+#define	PFSYNC_ACT_DEL_F	7	/* delete fragments */
+#define	PFSYNC_ACT_UREQ		8	/* request "uncompressed" state */
+#define PFSYNC_ACT_BUS		9	/* Bulk Update Status */
+#define	PFSYNC_ACT_MAX		10
 	u_int8_t count;
-};
+} __packed;
 
+#define PFSYNC_BULKPACKETS	1	/* # of packets per timeout */
+#define PFSYNC_MAX_BULKTRIES	12	
 #define PFSYNC_HDRLEN	sizeof(struct pfsync_header)
 #define	PFSYNC_ACTIONS \
-	"CLR ST", "INS ST", "UPD ST", "DEL ST"
+	"CLR ST", "INS ST", "UPD ST", "DEL ST", \
+	"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
+	"UPD REQ", "BLK UPD STAT"
+
+#define PFSYNC_DFLTTL		255
+
+struct pfsyncstats {
+	u_long	pfsyncs_ipackets;	/* total input packets, IPv4 */
+	u_long	pfsyncs_ipackets6;	/* total input packets, IPv6 */
+	u_long	pfsyncs_badif;		/* not the right interface */
+	u_long	pfsyncs_badttl;		/* TTL is not PFSYNC_DFLTTL */
+	u_long	pfsyncs_hdrops;		/* packets shorter than header */
+	u_long	pfsyncs_badver;		/* bad (incl unsupp) version */
+	u_long	pfsyncs_badact;		/* bad action */
+	u_long	pfsyncs_badlen;		/* data length does not match */
+	u_long	pfsyncs_badauth;	/* bad authentication */
+	u_long	pfsyncs_badstate;	/* insert/lookup failed */
+
+	u_long	pfsyncs_opackets;	/* total output packets, IPv4 */
+	u_long	pfsyncs_opackets6;	/* total output packets, IPv6 */
+	u_long	pfsyncs_onomem;		/* no memory for an mbuf for a send */
+	u_long	pfsyncs_oerrors;	/* ip output error */
+};
+
+/*
+ * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
+ */
+struct pfsyncreq {
+	char	pfsyncr_syncif[IFNAMSIZ];
+	int	pfsyncr_maxupdates;
+	int	pfsyncr_authlevel;
+};
+#define SIOCSETPFSYNC	_IOW('i', 247, struct ifreq)
+#define SIOCGETPFSYNC	_IOWR('i', 248, struct ifreq)
+
 
 #define pf_state_peer_hton(s,d) do {		\
 	(d)->seqlo = htonl((s)->seqlo);		\
 	(d)->seqhi = htonl((s)->seqhi);		\
 	(d)->seqdiff = htonl((s)->seqdiff);	\
 	(d)->max_win = htons((s)->max_win);	\
+	(d)->mss = htons((s)->mss);		\
 	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
 } while (0)
 
 #define pf_state_peer_ntoh(s,d) do {		\
@@ -78,15 +248,47 @@ struct pfsync_header {
 	(d)->seqhi = ntohl((s)->seqhi);		\
 	(d)->seqdiff = ntohl((s)->seqdiff);	\
 	(d)->max_win = ntohs((s)->max_win);	\
+	(d)->mss = ntohs((s)->mss);		\
 	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+} while (0)
+
+#define pf_state_host_hton(s,d) do {				\
+	bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
+} while (0)
+
+#define pf_state_host_ntoh(s,d) do {				\
+	bcopy(&(s)->addr, &(d)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
 } while (0)
 
 #ifdef _KERNEL
-int pfsync_clear_state(struct pf_state *);
-int pfsync_pack_state(u_int8_t, struct pf_state *);
-#define pfsync_insert_state(st)	pfsync_pack_state(PFSYNC_ACT_INS, (st))
-#define pfsync_update_state(st)	pfsync_pack_state(PFSYNC_ACT_UPD, (st))
-#define pfsync_delete_state(st)	pfsync_pack_state(PFSYNC_ACT_DEL, (st))
+#ifdef __FreeBSD__
+void pfsync_input(struct mbuf *, __unused int);
+#else
+void pfsync_input(struct mbuf *, ...);
+#endif
+int pfsync_clear_states(u_int32_t, char *);
+int pfsync_pack_state(u_int8_t, struct pf_state *, int);
+#define pfsync_insert_state(st)	do {				\
+	if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) ||	\
+	    (st->proto == IPPROTO_PFSYNC))			\
+		st->sync_flags |= PFSTATE_NOSYNC;		\
+	else if (!st->sync_flags)				\
+		pfsync_pack_state(PFSYNC_ACT_INS, (st), 1);	\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_update_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_UPD, (st), 1);	\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_delete_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_DEL, (st), 1);	\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
 #endif
 
 #endif /* _NET_IF_PFSYNC_H_ */