author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2003-12-15 07:11:32 +0000 |
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2003-12-15 07:11:32 +0000 |
commit | 3f6ecdcf7bf4d1a9f842f454e434a0f834bc9338 (patch) | |
tree | a34c50e86533706da38cd062ce07e20342bfe726 /usr.sbin | |
parent | 9b4a7db3efb0a8f50c08258e2f5a3353e1ee210e (diff) |
Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/authpf/authpf.c | 9 | ||||
-rw-r--r-- | usr.sbin/tcpdump/interface.h | 5 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-ip.c | 15 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-pfsync.c | 123 |
4 files changed, 108 insertions, 44 deletions
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index f610ea7e898..b48c2a32f2c 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.72 2003/12/10 04:10:37 beck Exp $ */
+/* $OpenBSD: authpf.c,v 1.73 2003/12/15 07:11:31 mcbride Exp $ */
 
 /*
 * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -856,6 +856,13 @@ pfctl_set_logif(struct pfctl *pf, char *ifname)
 }
 
 int
+pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
+{
+ fprintf(stderr, "set hostid not supported in authpf\n");
+ return (1);
+}
+
+int
 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
 {
 fprintf(stderr, "set timeout not supported in authpf\n");
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h
index 87898265d78..ee0ac296bb8 100644
--- a/usr.sbin/tcpdump/interface.h
+++ b/usr.sbin/tcpdump/interface.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ */
+/* $OpenBSD: interface.h,v 1.41 2003/12/15 07:11:31 mcbride Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -20,7 +20,7 @@
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ (LBL)
+ * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.41 2003/12/15 07:11:31 mcbride Exp $ (LBL)
 */
 
 #ifndef tcpdump_interface_h
@@ -200,6 +200,7 @@ extern void pflog_old_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
 extern void pfsync_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
+extern void pfsync_ip_print(const u_char *, u_int, const u_char *);
 extern void ether_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
 extern void fddi_if_print(u_char *, const struct pcap_pkthdr *, const u_char *);
diff --git a/usr.sbin/tcpdump/print-ip.c b/usr.sbin/tcpdump/print-ip.c
index fd0bafde914..62ab0d1dbc7 100644
--- a/usr.sbin/tcpdump/print-ip.c
+++ b/usr.sbin/tcpdump/print-ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-ip.c,v 1.19 2003/02/20 23:39:20 jason Exp $ */
+/* $OpenBSD: print-ip.c,v 1.20 2003/12/15 07:11:31 mcbride Exp $ */
 
 /*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -23,7 +23,7 @@
 
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ip.c,v 1.19 2003/02/20 23:39:20 jason Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-ip.c,v 1.20 2003/12/15 07:11:31 mcbride Exp $ (LBL)";
 #endif
 
 #include <sys/param.h>
@@ -557,6 +557,17 @@ ip_print(register const u_char *bp, register u_int length)
 vrrp_print(cp, len, ip->ip_ttl);
 break;
 
+#ifndef IPPROTO_PFSYNC
+#define IPPROTO_PFSYNC 136
+#endif
+ case IPPROTO_PFSYNC:
+ if (vflag)
+ (void)printf("pfsync %s > %s: ",
+ ipaddr_string(&ip->ip_src),
+ ipaddr_string(&ip->ip_dst));
+ pfsync_ip_print(cp, len, (const u_char *)ip);
+ break;
+
 default:
 (void)printf("%s > %s:", ipaddr_string(&ip->ip_src), ipaddr_string(&ip->ip_dst));
diff --git a/usr.sbin/tcpdump/print-pfsync.c b/usr.sbin/tcpdump/print-pfsync.c
index 4c09468942e..fb749ceb991 100644
--- a/usr.sbin/tcpdump/print-pfsync.c
+++ b/usr.sbin/tcpdump/print-pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-pfsync.c,v 1.12 2003/11/08 19:51:38 dhartmei Exp $ */
+/* $OpenBSD: print-pfsync.c,v 1.13 2003/12/15 07:11:31 mcbride Exp $ */
 
 /*
 * Copyright (c) 2002 Michael Shalayeff
@@ -28,7 +28,7 @@
 
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.12 2003/11/08 19:51:38 dhartmei Exp $";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.13 2003/12/15 07:11:31 mcbride Exp $";
 #endif
 
 #include <sys/param.h>
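Review bot: The `#ifndef IPPROTO_PFSYNC` / `#define IPPROTO_PFSYNC 136` fallback is placed in the middle of ip_print's switch body, between the vrrp and default cases; a conditional macro definition belongs with the other includes at the top of the file, where the constant is visible in one place and the case list stays readable. Wherever it ends up, the bare number deserves a short comment, e.g. `#define IPPROTO_PFSYNC 136 /* fallback for headers that predate pfsync */`. ip_print starts and ends outside the hunk.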
@@ -64,15 +64,13 @@ struct rtentry;
 
 const char *pfsync_acts[] = { PFSYNC_ACTIONS };
 
+void pfsync_print(struct pfsync_header *, int);
+
 void
 pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
 register const u_char *p)
 {
- /*u_int length = h->len;*/
 u_int caplen = h->caplen;
- struct pfsync_header *hdr;
- struct pf_state *s;
- int i, flags;
 
 ts_print(&h->ts);
 
@@ -81,10 +79,36 @@ pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
 goto out;
 }
 
- packetp = p;
- snapend = p + caplen;
+ pfsync_print((struct pfsync_header *)p,
+ caplen - sizeof(struct pfsync_header));
+out:
+ if (xflag) {
+ default_print((const u_char *)h, caplen);
+ putchar('\n');
+ }
+}
+
+void
+pfsync_ip_print(const u_char *bp, u_int len, const u_char *bp2)
+{
+ const struct ip *ip = (const struct ip *)bp2;
+ struct pfsync_header *hdr = (struct pfsync_header *)bp;
+ u_int hlen = ip->ip_hl << 2;
+
+ if (len < PFSYNC_HDRLEN)
+ printf("[|pfsync]");
+ else
+ pfsync_print(hdr, (len - sizeof(struct pfsync_header) + hlen));
+}
+
+void
+pfsync_print(struct pfsync_header *hdr, int len)
+{
+ struct pfsync_state *s;
+ struct pfsync_state_upd *u;
+ struct pfsync_state_del *d;
+ int i, flags;
 
- hdr = (struct pfsync_header *)p;
 if (eflag)
 printf("version %d count %d: ", hdr->version, hdr->count);
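Review bot: In the new `out:` block of pfsync_if_print, `default_print((const u_char *)h, caplen)` dumps `caplen` bytes starting at the pcap_pkthdr rather than at the packet, so it reads well past that small struct; the removed code dumped from `hdr`, which was `p`, and the call should be `default_print((const u_char *)p, caplen);`. The `putchar('\n')` has also moved inside `if (xflag)`, whereas the removed code terminated every packet line; unless print_state already emits the newline, it should stay outside the if. In pfsync_ip_print, the length handed on is `len - sizeof(struct pfsync_header) + hlen`; if `len` is the IP payload length as ip_print passes to its other printers, adding the IP header length overstates the available data by `hlen` and weakens the `i * sizeof(*s) <= len` bound in pfsync_print, so `pfsync_print(hdr, len - sizeof(struct pfsync_header));` looks like the intended call. The `packetp`/`snapend` assignments are dropped without a replacement; if default_print or the bounds-checking macros depend on them, that is worth confirming.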
@@ -100,35 +124,56 @@ pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
 if (!nflag)
 flags |= PF_OPT_USEDNS;
 
- for (i = 1, s = (struct pf_state *)(p + PFSYNC_HDRLEN);
- i <= hdr->count && PFSYNC_HDRLEN + i * sizeof(*s) <= caplen;
- i++, s++) {
- struct pf_state st;
-
- bcopy(&s->lan, &st.lan, sizeof(st.lan));
- bcopy(&s->gwy, &st.gwy, sizeof(st.gwy));
- bcopy(&s->ext, &st.ext, sizeof(st.ext));
- pf_state_peer_ntoh(&s->src, &st.src);
- pf_state_peer_ntoh(&s->dst, &st.dst);
- st.rule.nr = ntohl(s->rule.nr);
- st.anchor.nr = ntohl(s->anchor.nr);
- bcopy(&s->rt_addr, &st.rt_addr, sizeof(st.rt_addr));
- st.creation = ntohl(s->creation);
- st.expire = ntohl(s->expire);
- st.packets[0] = ntohl(s->packets[0]);
- st.packets[1] = ntohl(s->packets[1]);
- st.bytes[0] = ntohl(s->bytes[0]);
- st.bytes[1] = ntohl(s->bytes[1]);
- st.af = s->af;
- st.proto = s->proto;
- st.direction = s->direction;
- st.log = s->log;
- st.allow_opts = s->allow_opts;
-
- print_state(&st, flags);
+ switch (hdr->action) {
+ case PFSYNC_ACT_INS:
+ case PFSYNC_ACT_UPD:
+ case PFSYNC_ACT_DEL:
+ for (i = 1, s = (void *)((char *)hdr + PFSYNC_HDRLEN);
+ i <= hdr->count && i * sizeof(*s) <= len; i++, s++) {
+ struct pf_state st;
+
+ st.id = s->id;
+ pf_state_host_ntoh(&s->lan, &st.lan);
+ pf_state_host_ntoh(&s->gwy, &st.gwy);
+ pf_state_host_ntoh(&s->ext, &st.ext);
+ pf_state_peer_ntoh(&s->src, &st.src);
+ pf_state_peer_ntoh(&s->dst, &st.dst);
+ st.rule.nr = ntohl(s->rule);
+ st.nat_rule.nr = ntohl(s->nat_rule);
+ st.anchor.nr = ntohl(s->anchor);
+ bcopy(&s->rt_addr, &st.rt_addr, sizeof(st.rt_addr));
+ st.creation = ntohl(s->creation);
+ st.expire = ntohl(s->expire);
+ st.packets[0] = ntohl(s->packets[0]);
+ st.packets[1] = ntohl(s->packets[1]);
+ st.bytes[0] = ntohl(s->bytes[0]);
+ st.bytes[1] = ntohl(s->bytes[1]);
+ st.creatorid = s->creatorid;
+ st.af = s->af;
+ st.proto = s->proto;
+ st.direction = s->direction;
+ st.log = s->log;
+ st.allow_opts = s->allow_opts;
+ st.sync_flags = s->sync_flags;
+
+ print_state(&st, flags);
+ }
+ break;
+ case PFSYNC_ACT_UPD_C:
+ for (i = 1, u = (void *)((char *)hdr + PFSYNC_HDRLEN);
+ i <= hdr->count && i * sizeof(*u) <= len; i++, d++) {
+ printf("\tid: %016llx creatorid: %08x\n",
+ betoh64(u->id), htonl(u->creatorid));
+ }
+ break;
+ case PFSYNC_ACT_DEL_C:
+ for (i = 1, d = (void *)((char *)hdr + PFSYNC_HDRLEN);
+ i <= hdr->count && i * sizeof(*d) <= len; i++, d++) {
+ printf("\tid: %016llx creatorid: %08x\n",
+ betoh64(d->id), htonl(d->creatorid));
+ }
+ break;
+ default:
+ break;
 }
-out:
- if (xflag)
- default_print((const u_char *)hdr, caplen);
- putchar('\n');
 } |
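Review bot: The PFSYNC_ACT_UPD_C loop advances `d` instead of `u` (`i++, d++`), so `u` never moves past the first entry and every iteration prints the same record, while `d`, which is uninitialized in that branch, is incremented; the loop header should read `i <= hdr->count && i * sizeof(*u) <= len; i++, u++) {`. The UPD_C and DEL_C bodies are otherwise identical and could share a small static helper that takes the id and creatorid, which would also have made the copy-paste slip visible. Using `htonl` on a field that is being converted for display is unusual; if `creatorid` arrives in network byte order, `ntohl` states the intent even though the result is the same. pfsync_print's body begins in the previous hunk.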