Import a subset of PF distribution files

We do not support any PF functionality, nor do we intend to. However, some NetBSD utilities rely on the presence of these files. Not all of the files are installed. The NetBSD source seems rather inconsistent in where from to include these files. We simply follow what NetBSD does, though. Change-Id: Ib244dfcc60b16ebc4697af22f71b7e014374b855
2016-06-17 22:07:26 +00:00 · 2016-06-17 22:07:26 +00:00 · ebe9f48d04
commit ebe9f48d04
parent 37274f3cdb
7 changed files with 2611 additions and 2 deletions
--- a/dist/pf/sbin/pfctl/pfctl.h
+++ b/dist/pf/sbin/pfctl/pfctl.h
@ -0,0 +1,127 @@
+/*	$NetBSD: pfctl.h,v 1.5 2008/06/18 09:06:26 yamt Exp $	*/
+/*	$OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */
+
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _PFCTL_H_
+#define _PFCTL_H_
+
+enum pfctl_show { PFCTL_SHOW_RULES, PFCTL_SHOW_LABELS, PFCTL_SHOW_NOTHING };
+
+enum {	PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
+	PFRB_IFACES, PFRB_TRANS, PFRB_MAX };
+struct pfr_buffer {
+	int	 pfrb_type;	/* type of content, see enum above */
+	int	 pfrb_size;	/* number of objects in buffer */
+	int	 pfrb_msize;	/* maximum number of objects in buffer */
+	void	*pfrb_caddr;	/* malloc'ated memory area */
+};
+#define PFRB_FOREACH(var, buf)				\
+	for ((var) = pfr_buf_next((buf), NULL);		\
+	    (var) != NULL;				\
+	    (var) = pfr_buf_next((buf), (var)))
+
+void	 pfr_set_fd(int);
+int	 pfr_get_fd(void);
+int	 pfr_clr_tables(struct pfr_table *, int *, int);
+int	 pfr_add_tables(struct pfr_table *, int, int *, int);
+int	 pfr_del_tables(struct pfr_table *, int, int *, int);
+int	 pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int);
+int	 pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int);
+int	 pfr_clr_tstats(struct pfr_table *, int, int *, int);
+int	 pfr_clr_addrs(struct pfr_table *, int *, int);
+int	 pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int);
+int	 pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int);
+int	 pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
+	    int *, int *, int *, int);
+int	 pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
+int	 pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
+int	 pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, int);
+int	 pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int);
+int	 pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
+int	 pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
+	    int *, int, int);
+void	 pfr_buf_clear(struct pfr_buffer *);
+int	 pfr_buf_add(struct pfr_buffer *, const void *);
+void	*pfr_buf_next(struct pfr_buffer *, const void *);
+int	 pfr_buf_grow(struct pfr_buffer *, int);
+int	 pfr_buf_load(struct pfr_buffer *, char *, int,
+	    int (*)(struct pfr_buffer *, char *, int));
+char	*pfr_strerror(int);
+int	 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
+int	 pfi_clr_istats(const char *, int *, int);
+
+void	 pfctl_print_title(char *);
+int	 pfctl_clear_tables(const char *, int);
+int	 pfctl_show_tables(const char *, int);
+int	 pfctl_command_tables(int, char *[], char *, const char *, char *,
+	    const char *, int);
+int	 pfctl_show_altq(int, const char *, int, int);
+void	 warn_namespace_collision(const char *);
+int	 pfctl_show_ifaces(const char *, int);
+FILE	*pfctl_fopen(const char *, const char *);
+
+#ifndef DEFAULT_PRIORITY
+#define DEFAULT_PRIORITY	1
+#endif
+
+#ifndef DEFAULT_QLIMIT
+#define DEFAULT_QLIMIT		50
+#endif
+
+/*
+ * generalized service curve used for admission control
+ */
+struct segment {
+	LIST_ENTRY(segment)	_next;
+	double			x, y, d, m;
+};
+
+extern	int loadopt;
+
+int		 check_commit_altq(int, int);
+void		 pfaltq_store(struct pf_altq *);
+struct pf_altq	*pfaltq_lookup(const char *);
+char		*rate2str(double);
+
+void	 print_addr(struct pf_addr_wrap *, sa_family_t, int);
+void	 print_host(struct pfsync_state_host *, sa_family_t, int);
+void	 print_seq(struct pfsync_state_peer *);
+void	 print_state(struct pfsync_state *, int);
+int	 unmask(struct pf_addr *, sa_family_t);
+
+int	 pfctl_cmdline_symset(char *);
+int	 pfctl_add_trans(struct pfr_buffer *, int, const char *);
+u_int32_t
+	 pfctl_get_ticket(struct pfr_buffer *, int, const char *);
+int	 pfctl_trans(int, struct pfr_buffer *, u_long, int);
+
+#endif /* _PFCTL_H_ */
--- a/dist/pf/sbin/pfctl/pfctl_parser.h
+++ b/dist/pf/sbin/pfctl/pfctl_parser.h
@ -0,0 +1,280 @@
+/*	$NetBSD: pfctl_parser.h,v 1.5 2008/06/18 09:06:26 yamt Exp $	*/
+/*	$OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */
+
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _PFCTL_PARSER_H_
+#define _PFCTL_PARSER_H_
+
+#define PF_OSFP_FILE		"/etc/pf.os"
+
+#define PF_OPT_DISABLE		0x0001
+#define PF_OPT_ENABLE		0x0002
+#define PF_OPT_VERBOSE		0x0004
+#define PF_OPT_NOACTION		0x0008
+#define PF_OPT_QUIET		0x0010
+#define PF_OPT_CLRRULECTRS	0x0020
+#define PF_OPT_USEDNS		0x0040
+#define PF_OPT_VERBOSE2		0x0080
+#define PF_OPT_DUMMYACTION	0x0100
+#define PF_OPT_DEBUG		0x0200
+#define PF_OPT_SHOWALL		0x0400
+#define PF_OPT_OPTIMIZE		0x0800
+#define PF_OPT_MERGE		0x2000
+#define PF_OPT_RECURSE		0x4000
+
+#define PF_TH_ALL		0xFF
+
+#define PF_NAT_PROXY_PORT_LOW	50001
+#define PF_NAT_PROXY_PORT_HIGH	65535
+
+#define PF_OPTIMIZE_BASIC	0x0001
+#define PF_OPTIMIZE_PROFILE	0x0002
+
+#define FCNT_NAMES { \
+	"searches", \
+	"inserts", \
+	"removals", \
+	NULL \
+}
+
+struct pfr_buffer;	/* forward definition */
+
+
+struct pfctl {
+	int dev;
+	int opts;
+	int optimize;
+	int loadopt;
+	int asd;			/* anchor stack depth */
+	int bn;				/* brace number */
+	int brace;
+	int tdirty;			/* kernel dirty */
+#define PFCTL_ANCHOR_STACK_DEPTH 64
+	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
+	struct pfioc_pooladdr paddr;
+	struct pfioc_altq *paltq;
+	struct pfioc_queue *pqueue;
+	struct pfr_buffer *trans;
+	struct pf_anchor *anchor, *alast;
+	const char *ruleset;
+
+	/* 'set foo' options */
+	u_int32_t	 timeout[PFTM_MAX];
+	u_int32_t	 limit[PF_LIMIT_MAX];
+	u_int32_t	 debug;
+	u_int32_t	 hostid;
+	char		*ifname;
+
+	u_int8_t	 timeout_set[PFTM_MAX];
+	u_int8_t	 limit_set[PF_LIMIT_MAX];
+	u_int8_t	 debug_set;
+	u_int8_t	 hostid_set;
+	u_int8_t	 ifname_set;
+};
+
+struct node_if {
+	char			 ifname[IFNAMSIZ];
+	u_int8_t		 not;
+	u_int8_t		 dynamic; /* antispoof */
+	u_int			 ifa_flags;
+	struct node_if		*next;
+	struct node_if		*tail;
+};
+
+struct node_host {
+	struct pf_addr_wrap	 addr;
+	struct pf_addr		 bcast;
+	struct pf_addr		 peer;
+	sa_family_t		 af;
+	u_int8_t		 not;
+	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
+	char			*ifname;
+	u_int			 ifa_flags;
+	struct node_host	*next;
+	struct node_host	*tail;
+};
+
+struct node_os {
+	char			*os;
+	pf_osfp_t		 fingerprint;
+	struct node_os		*next;
+	struct node_os		*tail;
+};
+
+struct node_queue_bw {
+	u_int32_t	bw_absolute;
+	u_int16_t	bw_percent;
+};
+
+struct node_hfsc_sc {
+	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
+	u_int			d;	/* x-projection of m1; msec */
+	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
+	u_int8_t		used;
+};
+
+struct node_hfsc_opts {
+	struct node_hfsc_sc	realtime;
+	struct node_hfsc_sc	linkshare;
+	struct node_hfsc_sc	upperlimit;
+	int			flags;
+};
+
+struct node_queue_opt {
+	int			 qtype;
+	union {
+		struct cbq_opts		cbq_opts;
+		struct priq_opts	priq_opts;
+		struct node_hfsc_opts	hfsc_opts;
+	}			 data;
+};
+
+SIMPLEQ_HEAD(node_tinithead, node_tinit);
+struct node_tinit {	/* table initializer */
+	SIMPLEQ_ENTRY(node_tinit)	 entries;
+	struct node_host		*host;
+	char				*file;
+};
+
+
+/* optimizer created tables */
+struct pf_opt_tbl {
+	char			 pt_name[PF_TABLE_NAME_SIZE];
+	int			 pt_rulecount;
+	int			 pt_generated;
+	struct node_tinithead	 pt_nodes;
+	struct pfr_buffer	*pt_buf;
+};
+#define PF_OPT_TABLE_PREFIX	"__automatic_"
+
+/* optimizer pf_rule container */
+struct pf_opt_rule {
+	struct pf_rule		 por_rule;
+	struct pf_opt_tbl	*por_src_tbl;
+	struct pf_opt_tbl	*por_dst_tbl;
+	u_int64_t		 por_profile_count;
+	TAILQ_ENTRY(pf_opt_rule) por_entry;
+	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
+};
+
+TAILQ_HEAD(pf_opt_queue, pf_opt_rule);
+
+int	pfctl_rules(int, char *, FILE *, int, int, char *, struct pfr_buffer *);
+int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
+
+int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
+int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
+int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
+void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
+void	pfctl_clear_pool(struct pf_pool *);
+
+int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
+int	pfctl_set_optimization(struct pfctl *, const char *);
+int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
+int	pfctl_set_logif(struct pfctl *, char *);
+int	pfctl_set_hostid(struct pfctl *, u_int32_t);
+int	pfctl_set_debug(struct pfctl *, char *);
+int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);
+
+int	parse_rules(FILE *, struct pfctl *);
+int	parse_flags(char *);
+int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
+
+void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
+void	print_src_node(struct pf_src_node *, int);
+void	print_rule(struct pf_rule *, const char *, int);
+void	print_tabledef(const char *, int, int, struct node_tinithead *);
+void	print_status(struct pf_status *, int);
+
+int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
+	    struct node_queue_opt *);
+int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
+	    struct node_queue_opt *);
+
+void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
+	    struct node_queue_opt *);
+void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
+	    int, struct node_queue_opt *);
+
+int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
+	    u_int32_t);
+
+void		 pfctl_clear_fingerprints(int, int);
+int		 pfctl_file_fingerprints(int, int, const char *);
+pf_osfp_t	 pfctl_get_fingerprint(const char *);
+int		 pfctl_load_fingerprints(int, int);
+char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
+void		 pfctl_show_fingerprints(int);
+
+
+struct icmptypeent {
+	const char *name;
+	u_int8_t type;
+};
+
+struct icmpcodeent {
+	const char *name;
+	u_int8_t type;
+	u_int8_t code;
+};
+
+const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
+const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
+const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
+const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);
+
+struct pf_timeout {
+	const char	*name;
+	int		 timeout;
+};
+
+#define PFCTL_FLAG_FILTER	0x02
+#define PFCTL_FLAG_NAT		0x04
+#define PFCTL_FLAG_OPTION	0x08
+#define PFCTL_FLAG_ALTQ		0x10
+#define PFCTL_FLAG_TABLE	0x20
+
+extern const struct pf_timeout pf_timeouts[];
+
+void			 set_ipmask(struct node_host *, u_int8_t);
+int			 check_netmask(struct node_host *, sa_family_t);
+int			 unmask(struct pf_addr *, sa_family_t);
+void			 ifa_load(void);
+struct node_host	*ifa_exists(const char *);
+struct node_host	*ifa_lookup(const char *, int);
+struct node_host	*host(const char *);
+
+int			 append_addr(struct pfr_buffer *, char *, int);
+int			 append_addr_host(struct pfr_buffer *,
+			    struct node_host *, int, int);
+
+#endif /* _PFCTL_PARSER_H_ */
--- a/distrib/sets/lists/minix-comp/mi
+++ b/distrib/sets/lists/minix-comp/mi
@ -1311,10 +1311,12 @@
 ./usr/include/net/if_dl.h                               minix-comp
 ./usr/include/net/if_ether.h                            minix-comp
 ./usr/include/net/if_media.h                            minix-comp
+./usr/include/net/if_pflog.h                            minix-comp
 ./usr/include/net/if_types.h                            minix-comp
 ./usr/include/net/netlib.h                              minix-comp
 ./usr/include/net/pfil.h                                minix-comp
 ./usr/include/net/pfkeyv2.h                             minix-comp
+./usr/include/net/pfvar.h                               minix-comp
 ./usr/include/net/radix.h                               minix-comp
 ./usr/include/net/route.h                               minix-comp
 ./usr/include/net80211                                  minix-comp
--- a/sys/dist/pf/net/if_pflog.h
+++ b/sys/dist/pf/net/if_pflog.h
@ -0,0 +1,82 @@
+/*	$NetBSD: if_pflog.h,v 1.5 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+
+/*
+ * Copyright 2001 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_PFLOG_H_
+#define _NET_IF_PFLOG_H_
+
+#define	PFLOGIFS_MAX	16
+
+struct pflog_softc {
+	struct ifnet		sc_if;		/* the interface */
+	int			sc_unit;
+	LIST_ENTRY(pflog_softc)	sc_list;
+};
+
+#define PFLOG_RULESET_NAME_SIZE	16
+
+struct pfloghdr {
+	u_int8_t	length;
+	sa_family_t	af;
+	u_int8_t	action;
+	u_int8_t	reason;
+	char		ifname[IFNAMSIZ];
+	char		ruleset[PFLOG_RULESET_NAME_SIZE];
+	u_int32_t	rulenr;
+	u_int32_t	subrulenr;
+	uid_t		uid;
+	pid_t		pid;
+	uid_t		rule_uid;
+	pid_t		rule_pid;
+	u_int8_t	dir;
+	u_int8_t	pad[3];
+};
+
+#define PFLOG_HDRLEN		sizeof(struct pfloghdr)
+/* minus pad, also used as a signature */
+#define PFLOG_REAL_HDRLEN	offsetof(struct pfloghdr, pad)
+
+/* XXX remove later when old format logs are no longer needed */
+struct old_pfloghdr {
+	u_int32_t af;
+	char ifname[IFNAMSIZ];
+	short rnr;
+	u_short reason;
+	u_short action;
+	u_short dir;
+};
+#define OLD_PFLOG_HDRLEN	sizeof(struct old_pfloghdr)
+
+#ifdef _KERNEL
+
+#if NPFLOG > 0
+#define	PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h)
+#else
+#define	PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0)
+#endif /* NPFLOG > 0 */
+#endif /* _KERNEL */
+#endif /* _NET_IF_PFLOG_H_ */
--- a/sys/dist/pf/net/if_pfsync.h
+++ b/sys/dist/pf/net/if_pfsync.h
@ -0,0 +1,284 @@
+/*	$NetBSD: if_pfsync.h,v 1.3 2009/09/14 10:36:49 degroote Exp $	*/
+/*	$OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $	*/
+
+/*
+ * Copyright (c) 2001 Michael Shalayeff
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_PFSYNC_H_
+#define _NET_IF_PFSYNC_H_
+
+#define  INADDR_PFSYNC_GROUP     __IPADDR(0xe00000f0)    /* 224.0.0.240 */
+
+#define PFSYNC_ID_LEN	sizeof(u_int64_t)
+
+struct pfsync_tdb {
+	u_int32_t	spi;
+	union sockaddr_union dst;
+	u_int32_t	rpl;
+	u_int64_t	cur_bytes;
+	u_int8_t	sproto;
+	u_int8_t	updates;
+	u_int8_t	pad[2];
+} __packed;
+
+struct pfsync_state_upd {
+	u_int32_t		id[2];
+	struct pfsync_state_peer	src;
+	struct pfsync_state_peer	dst;
+	u_int32_t		creatorid;
+	u_int32_t		expire;
+	u_int8_t		timeout;
+	u_int8_t		updates;
+	u_int8_t		pad[6];
+} __packed;
+
+struct pfsync_state_del {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	struct {
+		u_int8_t	state;
+	} src;
+	struct {
+		u_int8_t	state;
+	} dst;
+	u_int8_t		pad[2];
+} __packed;
+
+struct pfsync_state_upd_req {
+	u_int32_t		id[2];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_clr {
+	char			ifname[IFNAMSIZ];
+	u_int32_t		creatorid;
+	u_int32_t		pad;
+} __packed;
+
+struct pfsync_state_bus {
+	u_int32_t		creatorid;
+	u_int32_t		endtime;
+	u_int8_t		status;
+#define PFSYNC_BUS_START	1
+#define PFSYNC_BUS_END		2
+	u_int8_t		pad[7];
+} __packed;
+
+#ifdef _KERNEL
+
+union sc_statep {
+	struct pfsync_state	*s;
+	struct pfsync_state_upd	*u;
+	struct pfsync_state_del	*d;
+	struct pfsync_state_clr	*c;
+	struct pfsync_state_bus	*b;
+	struct pfsync_state_upd_req	*r;
+};
+
+union sc_tdb_statep {
+	struct pfsync_tdb	*t;
+};
+
+extern int	pfsync_sync_ok;
+
+struct pfsync_softc {
+	struct ifnet		 sc_if;
+	struct ifnet		*sc_sync_ifp;
+
+	struct ip_moptions	 sc_imo;
+	struct callout		 sc_tmo;
+	struct callout		 sc_tdb_tmo;
+	struct callout		 sc_bulk_tmo;
+	struct callout		 sc_bulkfail_tmo;
+	struct in_addr		 sc_sync_peer;
+	struct in_addr		 sc_sendaddr;
+	struct mbuf		*sc_mbuf;	/* current cumulative mbuf */
+	struct mbuf		*sc_mbuf_net;	/* current cumulative mbuf */
+    	struct mbuf		*sc_mbuf_tdb;	/* dito for TDB updates */
+	union sc_statep		 sc_statep;
+	union sc_statep		 sc_statep_net;
+	union sc_tdb_statep	 sc_statep_tdb;
+	u_int32_t		 sc_ureq_received;
+	u_int32_t		 sc_ureq_sent;
+	struct pf_state		*sc_bulk_send_next;
+	struct pf_state		*sc_bulk_terminator;
+	int			 sc_bulk_tries;
+	int			 sc_maxcount;	/* number of states in mtu */
+	int			 sc_maxupdates;	/* number of updates/state */
+};
+
+extern struct pfsync_softc	*pfsyncif;
+#endif
+
+
+struct pfsync_header {
+	u_int8_t version;
+#define	PFSYNC_VERSION	3
+	u_int8_t af;
+	u_int8_t action;
+#define	PFSYNC_ACT_CLR		0	/* clear all states */
+#define	PFSYNC_ACT_INS		1	/* insert state */
+#define	PFSYNC_ACT_UPD		2	/* update state */
+#define	PFSYNC_ACT_DEL		3	/* delete state */
+#define	PFSYNC_ACT_UPD_C	4	/* "compressed" state update */
+#define	PFSYNC_ACT_DEL_C	5	/* "compressed" state delete */
+#define	PFSYNC_ACT_INS_F	6	/* insert fragment */
+#define	PFSYNC_ACT_DEL_F	7	/* delete fragments */
+#define	PFSYNC_ACT_UREQ		8	/* request "uncompressed" state */
+#define PFSYNC_ACT_BUS		9	/* Bulk Update Status */
+#define PFSYNC_ACT_TDB_UPD	10	/* TDB replay counter update */
+#define	PFSYNC_ACT_MAX		11
+	u_int8_t count;
+	u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
+} __packed;
+
+#define PFSYNC_BULKPACKETS	1	/* # of packets per timeout */
+#define PFSYNC_MAX_BULKTRIES	12
+#define PFSYNC_HDRLEN	sizeof(struct pfsync_header)
+#define	PFSYNC_ACTIONS \
+	"CLR ST", "INS ST", "UPD ST", "DEL ST", \
+	"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
+	"UPD REQ", "BLK UPD STAT", "TDB UPD"
+
+#define PFSYNC_DFLTTL		255
+
+#define PFSYNC_STAT_IPACKETS	0	/* total input packets, IPv4 */
+#define PFSYNC_STAT_IPACKETS6	1	/* total input packets, IPv6 */
+#define PFSYNC_STAT_BADIF		2	/* not the right interface */
+#define PFSYNC_STAT_BADTTL		3	/* TTL is not PFSYNC_DFLTTL */
+#define PFSYNC_STAT_HDROPS		4	/* packets shorter than hdr */
+#define PFSYNC_STAT_BADVER		5	/* bad (incl unsupp) version */
+#define PFSYNC_STAT_BADACT		6	/* bad action */
+#define PFSYNC_STAT_BADLEN		7	/* data length does not match */
+#define PFSYNC_STAT_BADAUTH		8	/* bad authentication */
+#define PFSYNC_STAT_STALE		9	/* stale state */
+#define PFSYNC_STAT_BADVAL		10	/* bad values */
+#define PFSYNC_STAT_BADSTATE	11	/* insert/lookup failed */
+#define PFSYNC_STAT_OPACKETS	12	/* total output packets, IPv4 */
+#define PFSYNC_STAT_OPACKETS6	13	/* total output packets, IPv6 */
+#define PFSYNC_STAT_ONOMEM		14	/* no memory for an mbuf */
+#define PFSYNC_STAT_OERRORS		15	/* ip output error */
+
+#define PFSYNC_NSTATS			16
+
+/*
+ * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
+ */
+struct pfsyncreq {
+	char		 pfsyncr_syncdev[IFNAMSIZ];
+	struct in_addr	 pfsyncr_syncpeer;
+	int		 pfsyncr_maxupdates;
+	int		 pfsyncr_authlevel;
+};
+
+
+/* for copies to/from network */
+#define pf_state_peer_hton(s,d) do {		\
+	(d)->seqlo = htonl((s)->seqlo);		\
+	(d)->seqhi = htonl((s)->seqhi);		\
+	(d)->seqdiff = htonl((s)->seqdiff);	\
+	(d)->max_win = htons((s)->max_win);	\
+	(d)->mss = htons((s)->mss);		\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub) {						\
+		(d)->scrub.pfss_flags = 				\
+		    htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP);	\
+		(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;		\
+		(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
+		(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;	\
+	}								\
+} while (0)
+
+#define pf_state_peer_ntoh(s,d) do {		\
+	(d)->seqlo = ntohl((s)->seqlo);		\
+	(d)->seqhi = ntohl((s)->seqhi);		\
+	(d)->seqdiff = ntohl((s)->seqdiff);	\
+	(d)->max_win = ntohs((s)->max_win);	\
+	(d)->mss = ntohs((s)->mss);		\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && 	\
+	    (d)->scrub != NULL) {					\
+		(d)->scrub->pfss_flags =				\
+		    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;	\
+		(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;		\
+		(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
+	}								\
+} while (0)
+
+#define pf_state_host_hton(s,d) do {				\
+	memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
+} while (0)
+
+#define pf_state_host_ntoh(s,d) do {				\
+	memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr));	\
+	(d)->port = (s)->port;					\
+} while (0)
+
+#define pf_state_counter_hton(s,d) do {				\
+	d[0] = htonl((s>>32)&0xffffffff);			\
+	d[1] = htonl(s&0xffffffff);				\
+} while (0)
+
+#define pf_state_counter_ntoh(s,d) do {				\
+	d = ntohl(s[0]);					\
+	d = d<<32;						\
+	d += ntohl(s[1]);					\
+} while (0)
+
+#ifdef _KERNEL
+void pfsync_input(struct mbuf *, ...);
+int pfsync_clear_states(u_int32_t, char *);
+int pfsync_pack_state(u_int8_t, struct pf_state *, int);
+#define pfsync_insert_state(st)	do {				\
+	if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) ||	\
+	    (st->state_key->proto == IPPROTO_PFSYNC))			\
+		st->sync_flags |= PFSTATE_NOSYNC;		\
+	else if (!st->sync_flags)				\
+		pfsync_pack_state(PFSYNC_ACT_INS, (st), 	\
+		    PFSYNC_FLAG_COMPRESS);			\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_update_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_UPD, (st), 	\
+		    PFSYNC_FLAG_COMPRESS);			\
+	st->sync_flags &= ~PFSTATE_FROMSYNC;			\
+} while (0)
+#define pfsync_delete_state(st) do {				\
+	if (!st->sync_flags)					\
+		pfsync_pack_state(PFSYNC_ACT_DEL, (st),		\
+		    PFSYNC_FLAG_COMPRESS);			\
+} while (0)
+#ifdef NOTYET
+int pfsync_update_tdb(struct tdb *, int);
+#endif /* NOTYET */
+#endif
+
+#endif /* _NET_IF_PFSYNC_H_ */
--- a/sys/dist/pf/net/pfvar.h
+++ b/sys/dist/pf/net/pfvar.h
--- a/sys/net/Makefile
+++ b/sys/net/Makefile
@ -5,9 +5,9 @@ INCSDIR= /usr/include/net
 INCS=	bpf.h bpfdesc.h bpfjit.h dlt.h ethertypes.h if.h if_arp.h \
 	if_dl.h if_ether.h \
 	if_media.h \
-	\
+	if_pflog.h \
 	if_types.h \
-	pfil.h pfkeyv2.h radix.h \
+	pfil.h pfkeyv2.h pfvar.h radix.h \
 	route.h 

 .if !defined(__MINIX)