authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
commit3f6ecdcf7bf4d1a9f842f454e434a0f834bc9338 (patch)
treea34c50e86533706da38cd062ce07e20342bfe726 /sys/net/pf_ioctl.c
parent9b4a7db3efb0a8f50c08258e2f5a3353e1ee210e (diff)
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network, i.e., a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
Diffstat (limited to 'sys/net/pf_ioctl.c')
-rw-r--r--sys/net/pf_ioctl.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index bd1e7db5921..2d0493f9538 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.89 2003/12/15 00:02:04 mcbride Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.90 2003/12/15 07:11:30 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -58,7 +58,9 @@
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
+#include <dev/rndvar.h>
#include <net/pfvar.h>
+#include <net/if_pfsync.h>
#ifdef INET6
#include <netinet/ip6.h>
@@ -161,6 +163,10 @@ pfattach(int num)
pf_normalize_init();
bzero(&pf_status, sizeof(pf_status));
pf_status.debug = PF_DEBUG_URGENT;
+
+ /* XXX do our best to avoid a conflict */
+ pf_status.hostid = arc4random();
+ pf_status.stateid = 1; /* might want 0 for something special */
}
int
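Review bot: The value drawn on the `pf_status.hostid = arc4random();` line can be 0, which the DIOCSETHOSTID case added later in this commit rejects with EINVAL, so the kernel may come up with a hostid that userland is forbidden to set. Draw until non-zero, replacing the assignment with `do { pf_status.hostid = arc4random(); } while (pf_status.hostid == 0);`. Whether 0 carries a reserved meaning for pfsync peers is not visible on this page; the XXX comment would be more useful as `/* XXX random hostid; keep it non-zero, DIOCSETHOSTID rejects 0 */`. pfattach begins before this hunk.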
@@ -782,13 +788,17 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
if (pf_status.running)
error = EEXIST;
else {
+ u_int64_t stateid = pf_status.stateid;
u_int32_t states = pf_status.states;
u_int32_t debug = pf_status.debug;
+ u_int32_t hostid = pf_status.hostid;
u_int32_t src_nodes = pf_status.src_nodes;
bzero(&pf_status, sizeof(struct pf_status));
pf_status.running = 1;
pf_status.states = states;
pf_status.debug = debug;
+ pf_status.stateid = stateid;
+ pf_status.hostid = hostid;
pf_status.states = src_nodes;
pf_status.since = time.tv_sec;
if (status_ifp != NULL)
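Review bot: The save/restore sequence this hunk extends still ends with `pf_status.states = src_nodes;`, two lines after the new `pf_status.hostid = hostid;`, which overwrites the states count restored a few lines above and leaves pf_status.src_nodes at the zero written by the bzero. It is pre-existing rather than introduced here, but since the hunk adds two more saved fields to the same sequence this is the place to fix it: `pf_status.src_nodes = src_nodes;`. The DIOCSTART branch continues beyond the hunk.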
@@ -1199,6 +1209,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
pf_purge_expired_states();
pf_status.states = 0;
splx(s);
+ pfsync_clear_states(pf_status.hostid);
break;
}
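Review bot: `pfsync_clear_states(pf_status.hostid);` is placed after `splx(s);`, so it runs outside the spl section that protected pf_purge_expired_states() and the reset of pf_status.states; if pfsync_clear_states touches the state tree or pfsync's pending update buffers (its body is not on this page), it presumably needs the same protection, and moving the call one line up, before `splx(s);`, keeps the flush and the peer notification atomic with respect to softnet. If the ordering is deliberate, for instance because pfsync_clear_states raises its own spl, a one-line comment saying so would spare the next reader the question. The enclosing case begins before this hunk.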
@@ -2486,6 +2497,17 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
+ case DIOCSETHOSTID: {
+ u_int32_t *hostid = (u_int32_t *)addr;
+
+ if (*hostid == 0) {
+ error = EINVAL;
+ goto fail;
+ }
+ pf_status.hostid = *hostid;
+ break;
+ }
+
case DIOCOSFPFLUSH:
s = splsoftnet();
pf_osfp_flush();
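Review bot: The new DIOCSETHOSTID case changes pf_status.hostid while pf may be running, with no comment on what that means for states already in the tree or for pfsync peers; the commit message says states are now indexed by a (creatorid, stateid) tuple, so presumably existing states keep the old creator id and only states created afterwards carry the new hostid — confirm and say so above the assignment: `/* XXX affects states created from now on; existing states keep the previous creator id */`. The case also relies on pfioctl's permission switches near the top of the function (outside this hunk) to classify DIOCSETHOSTID as a write-only ioctl; worth confirming it lands in the restrictive default there rather than in a read-only allow list. pfioctl continues beyond this hunk.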