First step of rearranging pf's state table internals...

- Split pf_state into pf_state (used for tracking connection information),
  and pf_state_key (used for searching the state table)

- Use pfsync_state in the ioctl for userland access to the state
  table. This will sheild userland somewhat from future changes.

ok henning@ toby@ pyr@

1 files changed, 141 insertions, 21 deletions

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d55c600f6a6..bc9a6d63a79 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar.h,v 1.245 2007/05/28 17:16:39 henning Exp $ */
+/*	$OpenBSD: pfvar.h,v 1.246 2007/05/31 04:11:42 mcbride Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -685,8 +685,8 @@ struct pf_state_peer {
 
 TAILQ_HEAD(pf_state_queue, pf_state);
 
-/* keep synced with struct pf_state, used in RB_FIND */
-struct pf_state_cmp {
+/* keep synced with struct pf_state_key, used in RB_FIND */
+struct pf_state_key_cmp {
 	u_int64_t	 id;
 	u_int32_t	 creatorid;
 	struct pf_state_host lan;
@@ -698,7 +698,7 @@ struct pf_state_cmp {
 	u_int8_t	 pad;
 };
 
-struct pf_state {
+struct pf_state_key {
 	u_int64_t	 id;
 	u_int32_t	 creatorid;
 	struct pf_state_host lan;
@@ -708,6 +708,20 @@ struct pf_state {
 	u_int8_t	 proto;
 	u_int8_t	 direction;
 	u_int8_t	 pad;
+
+	union {
+		struct {
+			RB_ENTRY(pf_state_key)	 entry_lan_ext;
+			RB_ENTRY(pf_state_key)	 entry_ext_gwy;
+			RB_ENTRY(pf_state_key)	 entry_id;
+		} s;
+	} u;
+	struct pf_state	*state;
+};
+
+
+struct pf_state {
+	struct pf_state_key	*state_key;
 	u_int8_t	 log;
 	u_int8_t	 allow_opts;
 	u_int8_t	 timeout;
@@ -717,9 +731,6 @@ struct pf_state {
 #define	PFSTATE_STALE	 0x04
 	union {
 		struct {
-			RB_ENTRY(pf_state)	 entry_lan_ext;
-			RB_ENTRY(pf_state)	 entry_ext_gwy;
-			RB_ENTRY(pf_state)	 entry_id;
 			TAILQ_ENTRY(pf_state)	 entry_list;
 			struct pfi_kif		*kif;
 		} s;
@@ -742,6 +753,114 @@ struct pf_state {
 	u_int16_t	 tag;
 };
 
+
+/*
+ * Unified state structures for pulling states out of the kernel
+ * used by pfsync(4) and the pf(4) ioctl.
+ */
+struct pfsync_state_scrub {
+	u_int16_t	pfss_flags;
+	u_int8_t	pfss_ttl;	/* stashed TTL		*/
+#define PFSYNC_SCRUB_FLAG_VALID 	0x01
+	u_int8_t	scrub_flag;
+	u_int32_t	pfss_ts_mod;	/* timestamp modulation	*/
+} __packed;
+
+struct pfsync_state_host {
+	struct pf_addr	addr;
+	u_int16_t	port;
+	u_int16_t	pad[3];
+} __packed;
+
+struct pfsync_state_peer {
+	struct pfsync_state_scrub scrub;	/* state is scrubbed	*/
+	u_int32_t	seqlo;		/* Max sequence number sent	*/
+	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
+	u_int32_t	seqdiff;	/* Sequence number modulator	*/
+	u_int16_t	max_win;	/* largest window (pre scaling)	*/
+	u_int16_t	mss;		/* Maximum segment size option	*/
+	u_int8_t	state;		/* active state level		*/
+	u_int8_t	wscale;		/* window scaling factor	*/
+	u_int8_t	pad[6];
+} __packed;
+
+struct pfsync_state {
+	u_int32_t	 id[2];
+	char		 ifname[IFNAMSIZ];
+	struct pfsync_state_host lan;
+	struct pfsync_state_host gwy;
+	struct pfsync_state_host ext;
+	struct pfsync_state_peer src;
+	struct pfsync_state_peer dst;
+	struct pf_addr	 rt_addr;
+	u_int32_t	 rule;
+	u_int32_t	 anchor;
+	u_int32_t	 nat_rule;
+	u_int32_t	 creation;
+	u_int32_t	 expire;
+	u_int32_t	 packets[2][2];
+	u_int32_t	 bytes[2][2];
+	u_int32_t	 creatorid;
+	sa_family_t	 af;
+	u_int8_t	 proto;
+	u_int8_t	 direction;
+	u_int8_t	 log;
+	u_int8_t	 allow_opts;
+	u_int8_t	 timeout;
+	u_int8_t	 sync_flags;
+	u_int8_t	 updates;
+} __packed;
+
+#define PFSYNC_FLAG_COMPRESS 	0x01
+#define PFSYNC_FLAG_STALE	0x02
+#define PFSYNC_FLAG_SRCNODE	0x04
+#define PFSYNC_FLAG_NATSRCNODE	0x08
+
+/* for copies to/from userland via pf_ioctl() */
+#define pf_state_peer_to_pfsync(s,d) do {	\
+	(d)->seqlo = (s)->seqlo;		\
+	(d)->seqhi = (s)->seqhi;		\
+	(d)->seqdiff = (s)->seqdiff;		\
+	(d)->max_win = (s)->max_win;		\
+	(d)->mss = (s)->mss;			\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub) {						\
+		(d)->scrub.pfss_flags = 				\
+		    (s)->scrub->pfss_flags & PFSS_TIMESTAMP;		\
+		(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;		\
+		(d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod;	\
+		(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;	\
+	}								\
+} while (0)
+
+#define pf_state_peer_from_pfsync(s,d) do {	\
+	(d)->seqlo = (s)->seqlo;		\
+	(d)->seqhi = (s)->seqhi;		\
+	(d)->seqdiff = (s)->seqdiff;		\
+	(d)->max_win = (s)->max_win;		\
+	(d)->mss = ntohs((s)->mss);		\
+	(d)->state = (s)->state;		\
+	(d)->wscale = (s)->wscale;		\
+	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && 	\
+	    (d)->scrub != NULL) {					\
+		(d)->scrub->pfss_flags =				\
+		    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;	\
+		(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;		\
+		(d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod;	\
+	}								\
+} while (0)
+
+#define pf_state_counter_to_pfsync(s,d) do {			\
+	d[0] = (s>>32)&0xffffffff;				\
+	d[1] = s&0xffffffff;					\
+} while (0)
+
+#define pf_state_counter_from_pfsync(s)		\
+	(((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
+
+
+
 TAILQ_HEAD(pf_rulequeue, pf_rule);
 
 struct pf_anchor;
@@ -883,12 +1002,12 @@ struct pfr_ktable {
 #define pfrkt_nomatch	pfrkt_ts.pfrts_nomatch
 #define pfrkt_tzero	pfrkt_ts.pfrts_tzero
 
-RB_HEAD(pf_state_tree_lan_ext, pf_state);
-RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state,
+RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
+RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key,
     u.s.entry_lan_ext, pf_state_compare_lan_ext);
 
-RB_HEAD(pf_state_tree_ext_gwy, pf_state);
-RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state,
+RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
+RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
     u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
 
 TAILQ_HEAD(pfi_statehead, pfi_kif);
@@ -1217,8 +1336,8 @@ struct pfioc_natlook {
 };
 
 struct pfioc_state {
-	u_int32_t	 nr;
-	struct pf_state	 state;
+	u_int32_t 	 nr;
+	void		*state;
 };
 
 struct pfioc_src_node_kill {
@@ -1240,8 +1359,8 @@ struct pfioc_state_kill {
 struct pfioc_states {
 	int	ps_len;
 	union {
-		caddr_t		 psu_buf;
-		struct pf_state	*psu_states;
+		caddr_t			 psu_buf;
+		struct pfsync_state	*psu_states;
 	} ps_u;
 #define ps_buf		ps_u.psu_buf
 #define ps_states	ps_u.psu_states
@@ -1422,8 +1541,8 @@ RB_HEAD(pf_src_tree, pf_src_node);
 RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
 extern struct pf_src_tree tree_src_tracking;
 
-RB_HEAD(pf_state_tree_id, pf_state);
-RB_PROTOTYPE(pf_state_tree_id, pf_state,
+RB_HEAD(pf_state_tree_id, pf_state_key);
+RB_PROTOTYPE(pf_state_tree_id, pf_state_key,
     entry_id, pf_state_compare_id);
 extern struct pf_state_tree_id tree_id;
 extern struct pf_state_queue state_list;
@@ -1448,7 +1567,8 @@ extern void			 pf_tbladdr_remove(struct pf_addr_wrap *);
 extern void			 pf_tbladdr_copyout(struct pf_addr_wrap *);
 extern void			 pf_calc_skip_steps(struct pf_rulequeue *);
 extern struct pool		 pf_src_tree_pl, pf_rule_pl;
-extern struct pool		 pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
+extern struct pool		 pf_state_pl, pf_state_key_pl, pf_altq_pl,
+				    pf_pooladdr_pl;
 extern struct pool		 pf_state_scrub_pl;
 extern void			 pf_purge_thread(void *);
 extern void			 pf_purge_expired_src_nodes(int);
@@ -1461,9 +1581,9 @@ extern int			 pf_insert_src_node(struct pf_src_node **,
 				    struct pf_rule *, struct pf_addr *,
 				    sa_family_t);
 void				 pf_src_tree_remove_state(struct pf_state *);
-extern struct pf_state		*pf_find_state_byid(struct pf_state_cmp *);
-extern struct pf_state		*pf_find_state_all(struct pf_state_cmp *key,
-				    u_int8_t tree, int *more);
+extern struct pf_state		*pf_find_state_byid(struct pf_state_key_cmp *);
+extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,
+				    u_int8_t, int *);
 extern void			 pf_print_state(struct pf_state *);
 extern void			 pf_print_flags(u_int8_t);
 extern u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,