authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-08-03 05:36:33 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-08-03 05:36:33 +0000
commitd0133c83cad3736227f802696685883d7c4d0c50 (patch)
tree19a80ea8d21c20007dff167318caa96ee4261c06 /sbin
parenta5d7a223fc330982c47af1f4bfde48edd6b2ce2c (diff)
Allow a unicast ip address to be specified for pfsync with the 'syncpeer'
keyword. This address is used instead of the multicast address to send state updates; this allows pairs of pfsync firewalls to protect the traffic with IPSec. ifconfig must be updated to match the kernel.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ifconfig/ifconfig.819
-rw-r--r--sbin/ifconfig/ifconfig.c73
2 files changed, 84 insertions, 8 deletions
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8
index aa492fa7d96..551f03a9f1f 100644
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ifconfig.8,v 1.87 2004/07/21 14:20:57 jaredy Exp $
+.\" $OpenBSD: ifconfig.8,v 1.88 2004/08/03 05:36:32 mcbride Exp $
.\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
@@ -67,6 +67,8 @@
.Ar host-id
.Nm ifconfig
.Ar pfsync-interface
+.Cm syncpeer
+.Ar peer_address
.Cm syncif
.Ar iface
.Nm ifconfig
@@ -544,6 +546,21 @@ Valid states are
.Ar backup ,
and
.Ar master .
+.It Cm syncpeer Ar peer_address
+If the driver is a
+.Xr pfsync 4
+pseudo-device, make the pfsync link point-to-point rather than using
+multicast to broadcast the state synchronisation messages.
+The peer_address is the IP address of the other host taking part in
+the pfsync cluster.
+With this option,
+.Xr pfsync 4
+traffic can be protected using
+.Xr ipsec 4 .
+.It Fl syncpeer
+If the driver is a
+.Xr pfsync 4
+pseudo-device, broadcast the packets using multicast.
.It Cm syncif Ar iface
If the driver is a
.Xr pfsync 4
diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c
index 78f41cae059..432175ad598 100644
--- a/sbin/ifconfig/ifconfig.c
+++ b/sbin/ifconfig/ifconfig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ifconfig.c,v 1.110 2004/07/03 20:24:48 deraadt Exp $ */
+/* $OpenBSD: ifconfig.c,v 1.111 2004/08/03 05:36:32 mcbride Exp $ */
/* $NetBSD: ifconfig.c,v 1.40 1997/10/01 02:19:43 enami Exp $ */
/*
@@ -77,7 +77,7 @@ static const char copyright[] =
#if 0
static const char sccsid[] = "@(#)ifconfig.c 8.2 (Berkeley) 2/16/94";
#else
-static const char rcsid[] = "$OpenBSD: ifconfig.c,v 1.110 2004/07/03 20:24:48 deraadt Exp $";
+static const char rcsid[] = "$OpenBSD: ifconfig.c,v 1.111 2004/08/03 05:36:32 mcbride Exp $";
#endif
#endif /* not lint */
@@ -201,6 +201,8 @@ void setcarp_state(const char *, int);
void setpfsync_syncif(const char *, int);
void setpfsync_maxupd(const char *, int);
void unsetpfsync_syncif(const char *, int);
+void setpfsync_syncpeer(const char *, int);
+void unsetpfsync_syncpeer(const char *, int);
void pfsync_status(void);
int main(int, char *[]);
int prefix(void *val, int);
@@ -289,8 +291,10 @@ const struct cmd {
{ "vhid", NEXTARG, 0, setcarp_vhid },
{ "state", NEXTARG, 0, setcarp_state },
{ "syncif", NEXTARG, 0, setpfsync_syncif },
- { "maxupd", NEXTARG, 0, setpfsync_maxupd },
{ "-syncif", 1, 0, unsetpfsync_syncif },
+ { "syncpeer", NEXTARG, 0, setpfsync_syncpeer },
+ { "-syncpeer", 1, 0, unsetpfsync_syncpeer },
+ { "maxupd", NEXTARG, 0, setpfsync_maxupd },
/* giftunnel is for backward compat */
{ "giftunnel", NEXTARG2, 0, NULL, settunnel } ,
{ "tunnel", NEXTARG2, 0, NULL, settunnel } ,
@@ -2542,7 +2546,8 @@ usage(void)
#endif
"\t[vlan vlan_tag vlandev parent_iface] [-vlandev] [vhid n]\n"
"\t[advbase n] [advskew n] [maxupd n] [pass passphrase]\n"
- "\t[state init | backup | master] [syncif iface] [-syncif]\n"
+ "\t[state init | backup | master]\n"
+ "\t[syncif iface] [-syncif] [syncpeer peer_address] [-syncpeer]\n"
"\t[phase n] [range netrange] [timeslot timeslot_range]\n"
"\t[802.2] [802.2tr] [802.3] [snap] [EtherII]\n"
" ifconfig -A | -Am | -a | -am [address_family]\n"
@@ -2848,6 +2853,56 @@ unsetpfsync_syncif(const char *val, int d)
err(1, "SIOCSETPFSYNC");
}
+
+void
+setpfsync_syncpeer(const char *val, int d)
+{
+ struct pfsyncreq preq;
+ struct addrinfo hints, *peerres;
+ int ecode;
+ struct if_laddrreq req;
+
+ bzero((char *)&preq, sizeof(struct pfsyncreq));
+ ifr.ifr_data = (caddr_t)&preq;
+
+ if (ioctl(s, SIOCGETPFSYNC, (caddr_t)&ifr) == -1)
+ err(1, "SIOCGETPFSYNC");
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET;
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+
+ if ((ecode = getaddrinfo(val, NULL, &hints, &peerres)) != 0)
+ errx(1, "error in parsing address string: %s",
+ gai_strerror(ecode));
+
+ if (peerres->ai_addr->sa_family != AF_INET)
+ errx(1, "only IPv4 addresses supported for the syncpeer");
+
+ preq.pfsyncr_syncpeer.s_addr = ((struct sockaddr_in *)
+ peerres->ai_addr)->sin_addr.s_addr;
+
+ if (ioctl(s, SIOCSETPFSYNC, (caddr_t)&ifr) == -1)
+ err(1, "SIOCSETPFSYNC");
+}
+
+void
+unsetpfsync_syncpeer(const char *val, int d)
+{
+ struct pfsyncreq preq;
+
+ bzero((char *)&preq, sizeof(struct pfsyncreq));
+ ifr.ifr_data = (caddr_t)&preq;
+
+ if (ioctl(s, SIOCGETPFSYNC, (caddr_t)&ifr) == -1)
+ err(1, "SIOCGETPFSYNC");
+
+ preq.pfsyncr_syncpeer.s_addr = 0;
+
+ if (ioctl(s, SIOCSETPFSYNC, (caddr_t)&ifr) == -1)
+ err(1, "SIOCSETPFSYNC");
+}
+
void
setpfsync_maxupd(const char *val, int d)
{
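Review bot: The addrinfo list returned by getaddrinfo() in setpfsync_syncpeer is never released; add `freeaddrinfo(peerres);` after the s_addr assignment (and before the errx on the family check, or simply move the release ahead of it once the address has been copied out). The `struct if_laddrreq req;` local in the same function is declared but never used and can be dropped. Because the argument goes through getaddrinfo(), a hostname is accepted and resolved through the system resolver at ifconfig time, with only the first result used, while the man page describes peer_address as an IP address — worth a comment such as `/* val may be a hostname; only the first A record is used */` so operators know the peer is pinned at configure time, not re-resolved. The family check after getaddrinfo() is redundant given hints.ai_family = AF_INET but harmless. The hunk ends inside setpfsync_maxupd, whose body continues outside it.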
@@ -2882,9 +2937,13 @@ pfsync_status(void)
if (ioctl(s, SIOCGETPFSYNC, (caddr_t)&ifr) == -1)
return;
- if (preq.pfsyncr_syncif[0] != '\0')
- printf("\tpfsync: syncif: %s maxupd: %d\n",
- preq.pfsyncr_syncif, preq.pfsyncr_maxupdates);
+ if (preq.pfsyncr_syncif[0] != '\0') {
+ printf("\tpfsync: syncif: %s ", preq.pfsyncr_syncif);
+ if (preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP)
+ printf("syncpeer: %s ",
+ inet_ntoa(preq.pfsyncr_syncpeer));
+ printf("maxupd: %d\n", preq.pfsyncr_maxupdates);
+ }
}
#ifdef INET6
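Review bot: The comparison `preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP` in pfsync_status mixes byte orders if INADDR_PFSYNC_GROUP is a host-order constant of the usual 0xe0000000-style form, since s_addr is in network byte order; on a little-endian host the default multicast group would then always be printed as a "syncpeer". If that is how the constant is defined (not visible in this hunk), the check should read `if (preq.pfsyncr_syncpeer.s_addr != htonl(INADDR_PFSYNC_GROUP))`, mirroring whatever conversion the kernel applies when it stores the default. A one-line comment on that branch, e.g. `/* only show syncpeer when it differs from the default multicast group */`, would also make the intent of the conditional clear.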