diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2003-12-15 07:11:32 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2003-12-15 07:11:32 +0000 |
| commit | 3f6ecdcf7bf4d1a9f842f454e434a0f834bc9338 (patch) | |
| tree | a34c50e86533706da38cd062ce07e20342bfe726 /sys/netinet | |
| parent | 9b4a7db3efb0a8f50c08258e2f5a3353e1ee210e (diff) | |
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/in.h | 4 | ||||
| -rw-r--r-- | sys/netinet/in_proto.c | 15 |
2 files changed, 17 insertions, 2 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 03dabb85914..5d09134af38 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in.h,v 1.58 2003/10/17 21:04:58 mcbride Exp $ */ +/* $OpenBSD: in.h,v 1.59 2003/12/15 07:11:30 mcbride Exp $ */ /* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */ /* @@ -73,6 +73,7 @@ #define IPPROTO_PIM 103 /* Protocol indep. multicast */ #define IPPROTO_IPCOMP 108 /* IP Payload Comp. Protocol */ #define IPPROTO_CARP 112 /* CARP */ +#define IPPROTO_PFSYNC 136 /* PFSYNC */ #define IPPROTO_RAW 255 /* raw IP packet */ #define IPPROTO_MAX 256 @@ -200,6 +201,7 @@ struct in_addr { #define INADDR_ALLHOSTS_GROUP __IPADDR(0xe0000001) /* 224.0.0.1 */ #define INADDR_ALLROUTERS_GROUP __IPADDR(0xe0000002) /* 224.0.0.2 */ #define INADDR_CARP_GROUP __IPADDR(0xe0000012) /* 224.0.0.18 */ +#define INADDR_PFSYNC_GROUP __IPADDR(0xe0000088) /* 224.0.0.136 */ #define INADDR_MAX_LOCAL_GROUP __IPADDR(0xe00000ff) /* 224.0.0.255 */ #define IN_LOOPBACKNET 127 /* official! */ diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index 2f83f8fcb65..06c535d0fb1 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.37 2003/10/17 21:04:58 mcbride Exp $ */ +/* $OpenBSD: in_proto.c,v 1.38 2003/12/15 07:11:30 mcbride Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -181,6 +181,12 @@ #include <netinet/ip_carp.h> #endif +#include "pfsync.h" +#if NPFSYNC > 0 +#include <net/pfvar.h> +#include <net/if_pfsync.h> +#endif + extern struct domain inetdomain; struct protosw inetsw[] = { @@ -311,6 +317,13 @@ struct protosw inetsw[] = { 0, 0, 0, 0, carp_sysctl }, #endif /* NCARP > 0 */ +#if NPFSYNC > 0 +{ SOCK_RAW, &inetdomain, IPPROTO_PFSYNC, PR_ATOMIC|PR_ADDR, + pfsync_input, rip_output, 0, rip_ctloutput, + rip_usrreq, + 0, 0, 0, 0, +}, +#endif /* NPFSYNC > 0 */ /* raw wildcard */ { SOCK_RAW, &inetdomain, 0, PR_ATOMIC|PR_ADDR, rip_input, rip_output, 0, rip_ctloutput, |