authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
commit3f6ecdcf7bf4d1a9f842f454e434a0f834bc9338 (patch)
treea34c50e86533706da38cd062ce07e20342bfe726 /sbin/pfctl
parent9b4a7db3efb0a8f50c08258e2f5a3353e1ee210e (diff)
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network, i.e., a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y15
-rw-r--r--sbin/pfctl/pf_print_state.c10
-rw-r--r--sbin/pfctl/pfctl.c20
-rw-r--r--sbin/pfctl/pfctl_parser.c3
-rw-r--r--sbin/pfctl/pfctl_parser.h3
5 files changed, 44 insertions, 7 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 5fa0985374d..5628803fc5e 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.425 2003/12/15 00:02:03 mcbride Exp $ */
+/* $OpenBSD: parse.y,v 1.426 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -383,7 +383,7 @@ typedef struct {
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG
+%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG HOSTID
%token ANTISPOOF FOR
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
@@ -477,6 +477,16 @@ option : SET OPTIMIZATION STRING {
YYERROR;
}
}
+ | SET HOSTID number {
+ if ($3 == 0) {
+ yyerror("hostid must be non-zero");
+ YYERROR;
+ }
+ if (pfctl_set_hostid(pf, $3) != 0) {
+ yyerror("error setting loginterface %08x", $3);
+ YYERROR;
+ }
+ }
| SET BLOCKPOLICY DROP {
if (pf->opts & PF_OPT_VERBOSE)
printf("set block-policy drop\n");
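Review bot: The error message in the new `SET HOSTID` action still names `loginterface`, a leftover from the option it was copied from, so a failing `pfctl_set_hostid` call would report the wrong option to the user; change it to `yyerror("error setting hostid %08x", $3);`. The non-zero check and the `pfctl_set_hostid` call otherwise follow the pattern of the neighbouring options. The enclosing `option` rule continues outside the hunk.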
@@ -4069,6 +4079,7 @@ lookup(char *s)
{ "global", GLOBAL},
{ "group", GROUP},
{ "hfsc", HFSC},
+ { "hostid", HOSTID},
{ "icmp-type", ICMPTYPE},
{ "icmp6-type", ICMP6TYPE},
{ "in", IN},
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index 22f1d0399f9..94972d73820 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.34 2003/12/15 00:02:03 mcbride Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.35 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -140,8 +140,10 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
aw.v.a.addr = h->addr;
if (af == AF_INET)
aw.v.a.mask.addr32[0] = 0xffffffff;
- else
+ else {
memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
+ af = AF_INET6;
+ }
print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
}
@@ -263,6 +265,10 @@ print_state(struct pf_state *s, int opts)
printf("\n");
printf("\n");
}
+ if (opts & PF_OPT_VERBOSE2) {
+ printf(" id: %016llx creatorid: %08x\n",
+ betoh64(s->id), ntohl(s->creatorid));
+ }
}
int
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index db3194958d4..1a8a0ea17dc 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.193 2003/12/15 00:02:03 mcbride Exp $ */
+/* $OpenBSD: pfctl.c,v 1.194 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1213,6 +1213,24 @@ pfctl_set_logif(struct pfctl *pf, char *ifname)
}
int
+pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
+{
+ if ((loadopt & PFCTL_FLAG_OPTION) == 0)
+ return (0);
+
+ HTONL(hostid);
+
+ if ((pf->opts & PF_OPT_NOACTION) == 0)
+ if (ioctl(dev, DIOCSETHOSTID, &hostid))
+ err(1, "DIOCSETHOSTID");
+
+ if (pf->opts & PF_OPT_VERBOSE)
+ printf("set hostid %#08x\n", hostid);
+
+ return (0);
+}
+
+int
pfctl_set_debug(struct pfctl *pf, char *d)
{
u_int32_t level;
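Review bot: In `pfctl_set_hostid`, `HTONL(hostid)` byte-swaps the argument in place before the verbose `printf`, so on little-endian hosts the `set hostid` line prints a byte-reversed value rather than the one the user configured (the parser's own error path prints `$3` in host order). Print before converting, or print `ntohl(hostid)`; `printf("set hostid 0x%08x\n", ntohl(hostid));` also matches the `hostid: 0x%08x` format that `print_status` uses in pfctl_parser.c, whereas `%#08x` counts the `0x` prefix toward the field width and yields only six hex digits for small values. The function is entirely within the hunk.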
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 7cb363c1de5..ccd1f7ec574 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.182 2003/12/15 00:02:03 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.183 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -508,6 +508,7 @@ print_status(struct pf_status *s, int opts)
printf("%15s\n\n", "Debug: Loud");
break;
}
+ printf("hostid: 0x%08x\n\n", ntohl(s->hostid));
if (s->ifname[0] != 0) {
printf("Interface Stats for %-16s %5s %16s\n",
s->ifname, "IPv4", "IPv6");
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index c0a710c533e..fe130816264 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.70 2003/12/15 00:02:03 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.71 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -154,6 +154,7 @@ int pfctl_set_timeout(struct pfctl *, const char *, int, int);
int pfctl_set_optimization(struct pfctl *, const char *);
int pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int pfctl_set_logif(struct pfctl *, char *);
+int pfctl_set_hostid(struct pfctl *, u_int32_t);
int pfctl_set_debug(struct pfctl *, char *);
int parse_rules(FILE *, struct pfctl *);