authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-12-15 07:11:32 +0000
commit3f6ecdcf7bf4d1a9f842f454e434a0f834bc9338 (patch)
treea34c50e86533706da38cd062ce07e20342bfe726 /usr.bin/netstat
parent9b4a7db3efb0a8f50c08258e2f5a3353e1ee210e (diff)
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network, i.e., a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
Diffstat (limited to 'usr.bin/netstat')
-rw-r--r--usr.bin/netstat/inet.c46
-rw-r--r--usr.bin/netstat/main.c8
-rw-r--r--usr.bin/netstat/netstat.h3
3 files changed, 52 insertions, 5 deletions
diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index 84b6ec9bd35..384ea4500e6 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: inet.c,v 1.74 2003/12/02 23:16:29 markus Exp $ */
+/* $OpenBSD: inet.c,v 1.75 2003/12/15 07:11:31 mcbride Exp $ */
/* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */
/*
@@ -34,7 +34,7 @@
#if 0
static char sccsid[] = "from: @(#)inet.c 8.4 (Berkeley) 4/20/94";
#else
-static char *rcsid = "$OpenBSD: inet.c,v 1.74 2003/12/02 23:16:29 markus Exp $";
+static char *rcsid = "$OpenBSD: inet.c,v 1.75 2003/12/15 07:11:31 mcbride Exp $";
#endif
#endif /* not lint */
@@ -71,6 +71,9 @@ static char *rcsid = "$OpenBSD: inet.c,v 1.74 2003/12/02 23:16:29 markus Exp $";
#include <netinet/ip_ipcomp.h>
#include <netinet/ip_ether.h>
#include <netinet/ip_carp.h>
+#include <net/if.h>
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
#include <arpa/inet.h>
#include <limits.h>
@@ -892,6 +895,45 @@ carp_stats(u_long off, char *name)
#undef p2
}
+/*
+ * Dump pfsync statistics structure.
+ */
+void
+pfsync_stats(u_long off, char *name)
+{
+ struct pfsyncstats pfsyncstat;
+
+ if (off == 0)
+ return;
+ kread(off, (char *)&pfsyncstat, sizeof(pfsyncstat));
+ printf("%s:\n", name);
+
+#define p(f, m) if (pfsyncstat.f || sflag <= 1) \
+ printf(m, pfsyncstat.f, plural(pfsyncstat.f))
+#define p2(f, m) if (pfsyncstat.f || sflag <= 1) \
+ printf(m, pfsyncstat.f)
+
+ p(pfsyncs_ipackets, "\t%u packet%s received (IPv4)\n");
+ p(pfsyncs_ipackets6, "\t%u packet%s received (IPv6)\n");
+ p(pfsyncs_badif, "\t\t%u packet%s discarded for bad interface\n");
+ p(pfsyncs_badttl, "\t\t%u packet%s discarded for bad interface\n");
+ p(pfsyncs_hdrops, "\t\t%u packet%s shorter than header\n");
+ p(pfsyncs_badver, "\t\t%u discarded packet%s with a bad version\n");
+ p(pfsyncs_badact, "\t\t%u discarded packet%s with a bad action\n");
+ p2(pfsyncs_badlen, "\t\t%u discarded because packet too short\n");
+ p2(pfsyncs_badauth, "\t\t%u discarded for bad authentication\n");
+ p(pfsyncs_badstate, "\t%u failed state lookup/insert%s\n");
+ p(pfsyncs_opackets, "\t%u packet%s sent (IPv4)\n");
+ p(pfsyncs_opackets6, "\t%u packet%s sent (IPv6)\n");
+ p2(pfsyncs_onomem, "\t\t%u send failed due to mbuf memory error\n");
+ p2(pfsyncs_oerrors, "\t\t%u send error\n");
+#undef p
+#undef p2
+}
+
+/*
+ * Dump IPCOMP statistics structure.
+ */
/*
* Dump IPCOMP statistics structure.
*/
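Review bot: The `pfsyncs_badttl` line in pfsync_stats reuses the message of the `pfsyncs_badif` line above it, so TTL drops are printed as "discarded for bad interface" and the two counters cannot be told apart in the output; it should read `p(pfsyncs_badttl, "\t\t%u packet%s discarded for bad ttl\n");`. The commit message says the protocol has no authentication yet, so these drop counters are likely the main signal an operator has for unexpected packets on the sync interface, and their labels need to be exact. The hunk also adds a second copy of the `Dump IPCOMP statistics structure` comment directly above the existing one; the last three added lines can be dropped. The counters are all printed with `%u`, and since the definition of `struct pfsyncstats` is not part of this diff, confirm the field type matches that conversion.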
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index a84310601d2..9757189b2df 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.42 2003/11/28 23:10:49 jmc Exp $ */
+/* $OpenBSD: main.c,v 1.43 2003/12/15 07:11:31 mcbride Exp $ */
/* $NetBSD: main.c,v 1.9 1996/05/07 02:55:02 thorpej Exp $ */
/*
@@ -40,7 +40,7 @@ char copyright[] =
#if 0
static char sccsid[] = "from: @(#)main.c 8.4 (Berkeley) 3/1/94";
#else
-static char *rcsid = "$OpenBSD: main.c,v 1.42 2003/11/28 23:10:49 jmc Exp $";
+static char *rcsid = "$OpenBSD: main.c,v 1.43 2003/12/15 07:11:31 mcbride Exp $";
#endif
#endif /* not lint */
@@ -181,6 +181,8 @@ struct nlist nl[] = {
{ "_rawcbtable" },
#define N_RAWIP6TABLE 57
{ "_rawin6pcbtable" },
+#define N_PFSYNCSTAT 58
+ { "_pfsyncstats" },
{ ""},
};
@@ -214,6 +216,8 @@ struct protox {
ipcomp_stats, "ipcomp" },
{ -1, N_CARPSTAT, 1, 0,
carp_stats, "carp" },
+ { -1, N_PFSYNCSTAT, 1, 0,
+ pfsync_stats, "pfsync" },
{ -1, -1, 0, 0,
0, 0 }
};
diff --git a/usr.bin/netstat/netstat.h b/usr.bin/netstat/netstat.h
index 10bd073b5b5..7c7a487110d 100644
--- a/usr.bin/netstat/netstat.h
+++ b/usr.bin/netstat/netstat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: netstat.h,v 1.26 2003/10/17 21:04:59 mcbride Exp $ */
+/* $OpenBSD: netstat.h,v 1.27 2003/12/15 07:11:31 mcbride Exp $ */
/* $NetBSD: netstat.h,v 1.6 1996/05/07 02:55:05 thorpej Exp $ */
/*
@@ -79,6 +79,7 @@ void ah_stats(u_long, char *);
void esp_stats(u_long, char *);
void ipip_stats(u_long, char *);
void carp_stats (u_long, char *);
+void pfsync_stats (u_long, char *);
void etherip_stats(u_long, char *);
void protopr(u_long, char *);
void ipcomp_stats(u_long, char *);