2 /* $OpenBSD: if_pfsync.c,v 1.46 2005/02/20 15:58:38 mcbride Exp $ */
5 * Copyright (c) 2002 Michael Shalayeff
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
21 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
27 * THE POSSIBILITY OF SUCH DAMAGE.
32 #include "opt_inet6.h"
38 #elif __FreeBSD__ >= 5
41 #define NBPFILTER DEV_BPF
42 #define NPFSYNC DEV_PFSYNC
45 #include <sys/param.h>
47 #include <sys/systm.h>
50 #include <sys/socket.h>
51 #include <sys/kernel.h>
53 #include <sys/endian.h>
54 #include <sys/malloc.h>
55 #include <sys/module.h>
56 #include <sys/sockio.h>
58 #include <sys/mutex.h>
59 #include <sys/sysctl.h>
61 #include <sys/ioctl.h>
62 #include <sys/timeout.h>
66 #if defined(__FreeBSD__)
67 #include <net/if_clone.h>
69 #include <net/if_types.h>
70 #include <net/route.h>
72 #include <netinet/tcp.h>
73 #include <netinet/tcp_seq.h>
76 #include <netinet/in.h>
77 #include <netinet/in_systm.h>
78 #include <netinet/in_var.h>
79 #include <netinet/ip.h>
80 #include <netinet/ip_var.h>
85 #include <netinet/in.h>
87 #include <netinet6/nd6.h>
99 extern int carp_suppress_preempt;
102 #include <net/pfvar.h>
103 #include <net/if_pfsync.h>
106 #define PFSYNCNAME "pfsync"
109 #define PFSYNC_MINMTU \
110 (sizeof(struct pfsync_header) + sizeof(struct pf_state))
113 #define DPRINTF(x) do { if (pfsyncdebug) printf x ; } while (0)
120 struct pfsync_softc pfsyncif;
122 struct pfsyncstats pfsyncstats;
124 SYSCTL_DECL(_net_inet_pfsync);
125 SYSCTL_STRUCT(_net_inet_pfsync, 0, stats, CTLFLAG_RW,
126 &pfsyncstats, pfsyncstats,
127 "PFSYNC statistics (struct pfsyncstats, net/if_pfsync.h)");
131 * Whenever we really touch/look at the state table we have to hold the
132 * PF_LOCK. Functions that do just the interface handling, grab the per
133 * softc lock instead.
137 static void pfsync_clone_destroy(struct ifnet *);
138 static int pfsync_clone_create(struct if_clone *, int);
139 static void pfsync_senddef(void *);
141 void pfsyncattach(int);
143 void pfsync_setmtu(struct pfsync_softc *, int);
144 int pfsync_insert_net_state(struct pfsync_state *);
145 int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
147 int pfsyncioctl(struct ifnet *, u_long, caddr_t);
148 void pfsyncstart(struct ifnet *);
150 struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **);
151 int pfsync_request_update(struct pfsync_state_upd *, struct in_addr *);
152 int pfsync_sendout(struct pfsync_softc *);
153 void pfsync_timeout(void *);
154 void pfsync_send_bus(struct pfsync_softc *, u_int8_t);
155 void pfsync_bulk_update(void *);
156 void pfsync_bulkfail(void *);
160 extern int ifqmaxlen;
161 extern struct timeval time;
162 extern struct timeval mono_time;
167 static MALLOC_DEFINE(M_PFSYNC, PFSYNCNAME, "Packet Filter State Sync. Interface");
168 static LIST_HEAD(pfsync_list, pfsync_softc) pfsync_list;
169 #define SCP2IFP(sc) ((sc)->sc_ifp)
170 IFC_SIMPLE_DECLARE(pfsync, 1);
173 pfsync_clone_destroy(struct ifnet *ifp)
175 struct pfsync_softc *sc;
178 callout_stop(&sc->sc_tmo);
179 callout_stop(&sc->sc_bulk_tmo);
180 callout_stop(&sc->sc_bulkfail_tmo);
182 callout_stop(&sc->sc_send_tmo);
189 LIST_REMOVE(sc, sc_next);
194 pfsync_clone_create(struct if_clone *ifc, int unit)
196 struct pfsync_softc *sc;
199 MALLOC(sc, struct pfsync_softc *, sizeof(*sc), M_PFSYNC,
201 ifp = sc->sc_ifp = if_alloc(IFT_PFSYNC);
209 sc->sc_mbuf_net = NULL;
210 sc->sc_statep.s = NULL;
211 sc->sc_statep_net.s = NULL;
212 sc->sc_maxupdates = 128;
213 sc->sc_sync_peer.s_addr = htonl(INADDR_PFSYNC_GROUP);
214 sc->sc_sendaddr.s_addr = htonl(INADDR_PFSYNC_GROUP);
215 sc->sc_ureq_received = 0;
216 sc->sc_ureq_sent = 0;
219 if_initname(ifp, ifc->ifc_name, unit);
220 ifp->if_ioctl = pfsyncioctl;
221 ifp->if_output = pfsyncoutput;
222 ifp->if_start = pfsyncstart;
223 ifp->if_snd.ifq_maxlen = ifqmaxlen;
224 ifp->if_hdrlen = PFSYNC_HDRLEN;
225 ifp->if_baudrate = IF_Mbps(100);
227 pfsync_setmtu(sc, MCLBYTES);
228 callout_init(&sc->sc_tmo, NET_CALLOUT_MPSAFE);
229 callout_init(&sc->sc_bulk_tmo, NET_CALLOUT_MPSAFE);
230 callout_init(&sc->sc_bulkfail_tmo, NET_CALLOUT_MPSAFE);
231 callout_init(&sc->sc_send_tmo, NET_CALLOUT_MPSAFE);
232 sc->sc_ifq.ifq_maxlen = ifqmaxlen;
233 mtx_init(&sc->sc_ifq.ifq_mtx, ifp->if_xname, "pfsync send queue",
237 LIST_INSERT_HEAD(&pfsync_list, sc, sc_next);
239 bpfattach(ifp, DLT_PFSYNC, PFSYNC_HDRLEN);
244 #else /* !__FreeBSD__ */
246 pfsyncattach(int npfsync)
251 bzero(&pfsyncif, sizeof(pfsyncif));
252 pfsyncif.sc_mbuf = NULL;
253 pfsyncif.sc_mbuf_net = NULL;
254 pfsyncif.sc_statep.s = NULL;
255 pfsyncif.sc_statep_net.s = NULL;
256 pfsyncif.sc_maxupdates = 128;
257 pfsyncif.sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP;
258 pfsyncif.sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP;
259 pfsyncif.sc_ureq_received = 0;
260 pfsyncif.sc_ureq_sent = 0;
261 ifp = &pfsyncif.sc_if;
262 strlcpy(ifp->if_xname, "pfsync0", sizeof ifp->if_xname);
263 ifp->if_softc = &pfsyncif;
264 ifp->if_ioctl = pfsyncioctl;
265 ifp->if_output = pfsyncoutput;
266 ifp->if_start = pfsyncstart;
267 ifp->if_type = IFT_PFSYNC;
268 ifp->if_snd.ifq_maxlen = ifqmaxlen;
269 ifp->if_hdrlen = PFSYNC_HDRLEN;
270 pfsync_setmtu(&pfsyncif, MCLBYTES);
271 timeout_set(&pfsyncif.sc_tmo, pfsync_timeout, &pfsyncif);
272 timeout_set(&pfsyncif.sc_bulk_tmo, pfsync_bulk_update, &pfsyncif);
273 timeout_set(&pfsyncif.sc_bulkfail_tmo, pfsync_bulkfail, &pfsyncif);
278 bpfattach(&pfsyncif.sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN);
284 * Start output on the pfsync interface.
287 pfsyncstart(struct ifnet *ifp)
290 IF_LOCK(&ifp->if_snd);
291 _IF_DROP(&ifp->if_snd);
292 _IF_DRAIN(&ifp->if_snd);
293 IF_UNLOCK(&ifp->if_snd);
300 IF_DROP(&ifp->if_snd);
301 IF_DEQUEUE(&ifp->if_snd, m);
313 pfsync_insert_net_state(struct pfsync_state *sp)
315 struct pf_state *st = NULL;
316 struct pf_rule *r = NULL;
322 if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
323 printf("pfsync_insert_net_state: invalid creator id:"
324 " %08x\n", ntohl(sp->creatorid));
328 kif = pfi_lookup_create(sp->ifname);
330 if (pf_status.debug >= PF_DEBUG_MISC)
331 printf("pfsync_insert_net_state: "
332 "unknown interface: %s\n", sp->ifname);
333 /* skip this state */
338 * Just use the default rule until we have infrastructure to find the
339 * best matching rule.
341 r = &pf_default_rule;
343 if (!r->max_states || r->states < r->max_states)
344 st = pool_get(&pf_state_pl, PR_NOWAIT);
346 pfi_maybe_destroy(kif);
349 bzero(st, sizeof(*st));
352 /* XXX get pointers to nat_rule and anchor */
354 /* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
357 /* fill in the rest of the state entry */
358 pf_state_host_ntoh(&sp->lan, &st->lan);
359 pf_state_host_ntoh(&sp->gwy, &st->gwy);
360 pf_state_host_ntoh(&sp->ext, &st->ext);
362 pf_state_peer_ntoh(&sp->src, &st->src);
363 pf_state_peer_ntoh(&sp->dst, &st->dst);
365 bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
366 st->creation = time_second - ntohl(sp->creation);
367 st->expire = ntohl(sp->expire) + time_second;
370 st->proto = sp->proto;
371 st->direction = sp->direction;
373 st->timeout = sp->timeout;
374 st->allow_opts = sp->allow_opts;
376 bcopy(sp->id, &st->id, sizeof(st->id));
377 st->creatorid = sp->creatorid;
378 st->sync_flags = PFSTATE_FROMSYNC;
381 if (pf_insert_state(kif, st)) {
382 pfi_maybe_destroy(kif);
383 /* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
385 pool_put(&pf_state_pl, st);
394 pfsync_input(struct mbuf *m, __unused int off)
396 pfsync_input(struct mbuf *m, ...)
399 struct ip *ip = mtod(m, struct ip *);
400 struct pfsync_header *ph;
402 struct pfsync_softc *sc = LIST_FIRST(&pfsync_list);
404 struct pfsync_softc *sc = &pfsyncif;
406 struct pf_state *st, key;
407 struct pfsync_state *sp;
408 struct pfsync_state_upd *up;
409 struct pfsync_state_del *dp;
410 struct pfsync_state_clr *cp;
411 struct pfsync_state_upd_req *rup;
412 struct pfsync_state_bus *bus;
415 int iplen, action, error, i, s, count, offp, sfail, stale = 0;
417 pfsyncstats.pfsyncs_ipackets++;
419 /* verify that we have a sync interface configured */
420 if (!sc->sc_sync_ifp || !pf_status.running) /* XXX PF_LOCK? */
423 /* verify that the packet came in on the right interface */
424 if (sc->sc_sync_ifp != m->m_pkthdr.rcvif) {
425 pfsyncstats.pfsyncs_badif++;
429 /* verify that the IP TTL is 255. */
430 if (ip->ip_ttl != PFSYNC_DFLTTL) {
431 pfsyncstats.pfsyncs_badttl++;
435 iplen = ip->ip_hl << 2;
437 if (m->m_pkthdr.len < iplen + sizeof(*ph)) {
438 pfsyncstats.pfsyncs_hdrops++;
442 if (iplen + sizeof(*ph) > m->m_len) {
443 if ((m = m_pullup(m, iplen + sizeof(*ph))) == NULL) {
444 pfsyncstats.pfsyncs_hdrops++;
447 ip = mtod(m, struct ip *);
449 ph = (struct pfsync_header *)((char *)ip + iplen);
451 /* verify the version */
452 if (ph->version != PFSYNC_VERSION) {
453 pfsyncstats.pfsyncs_badver++;
460 /* make sure it's a valid action code */
461 if (action >= PFSYNC_ACT_MAX) {
462 pfsyncstats.pfsyncs_badact++;
466 /* Cheaper to grab this now than having to mess with mbufs later */
470 case PFSYNC_ACT_CLR: {
471 struct pf_state *nexts;
474 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
475 sizeof(*cp), &offp)) == NULL) {
476 pfsyncstats.pfsyncs_badlen++;
479 cp = (struct pfsync_state_clr *)(mp->m_data + offp);
480 creatorid = cp->creatorid;
486 if (cp->ifname[0] == '\0') {
487 for (st = RB_MIN(pf_state_tree_id, &tree_id);
489 nexts = RB_NEXT(pf_state_tree_id, &tree_id, st);
490 if (st->creatorid == creatorid) {
491 st->timeout = PFTM_PURGE;
492 pf_purge_expired_state(st);
496 kif = pfi_lookup_if(cp->ifname);
498 if (pf_status.debug >= PF_DEBUG_MISC)
499 printf("pfsync_input: PFSYNC_ACT_CLR "
500 "bad interface: %s\n", cp->ifname);
507 for (st = RB_MIN(pf_state_tree_lan_ext,
508 &kif->pfik_lan_ext); st; st = nexts) {
509 nexts = RB_NEXT(pf_state_tree_lan_ext,
510 &kif->pfik_lan_ext, st);
511 if (st->creatorid == creatorid) {
512 st->timeout = PFTM_PURGE;
513 pf_purge_expired_state(st);
525 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
526 count * sizeof(*sp), &offp)) == NULL) {
527 pfsyncstats.pfsyncs_badlen++;
535 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
536 i < count; i++, sp++) {
537 /* check for invalid values */
538 if (sp->timeout >= PFTM_MAX ||
539 sp->src.state > PF_TCPS_PROXY_DST ||
540 sp->dst.state > PF_TCPS_PROXY_DST ||
541 sp->direction > PF_OUT ||
542 (sp->af != AF_INET && sp->af != AF_INET6)) {
543 if (pf_status.debug >= PF_DEBUG_MISC)
544 printf("pfsync_insert: PFSYNC_ACT_INS: "
546 pfsyncstats.pfsyncs_badstate++;
550 if ((error = pfsync_insert_net_state(sp))) {
551 if (error == ENOMEM) {
567 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
568 count * sizeof(*sp), &offp)) == NULL) {
569 pfsyncstats.pfsyncs_badlen++;
577 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
578 i < count; i++, sp++) {
579 int flags = PFSYNC_FLAG_STALE;
581 /* check for invalid values */
582 if (sp->timeout >= PFTM_MAX ||
583 sp->src.state > PF_TCPS_PROXY_DST ||
584 sp->dst.state > PF_TCPS_PROXY_DST) {
585 if (pf_status.debug >= PF_DEBUG_MISC)
586 printf("pfsync_insert: PFSYNC_ACT_UPD: "
588 pfsyncstats.pfsyncs_badstate++;
592 bcopy(sp->id, &key.id, sizeof(key.id));
593 key.creatorid = sp->creatorid;
595 st = pf_find_state_byid(&key);
597 /* insert the update */
598 if (pfsync_insert_net_state(sp))
599 pfsyncstats.pfsyncs_badstate++;
603 if (st->proto == IPPROTO_TCP) {
605 * The state should never go backwards except
606 * for syn-proxy states. Neither should the
607 * sequence window slide backwards.
609 if (st->src.state > sp->src.state &&
610 (st->src.state < PF_TCPS_PROXY_SRC ||
611 sp->src.state >= PF_TCPS_PROXY_SRC))
613 else if (SEQ_GT(st->src.seqlo,
614 ntohl(sp->src.seqlo)))
616 else if (st->dst.state > sp->dst.state) {
617 /* There might still be useful
618 * information about the src state here,
619 * so import that part of the update,
620 * then "fail" so we send the updated
621 * state back to the peer who is missing
622 * our what we know. */
623 pf_state_peer_ntoh(&sp->src, &st->src);
624 /* XXX do anything with timeouts? */
627 } else if (st->dst.state >= TCPS_SYN_SENT &&
628 SEQ_GT(st->dst.seqlo, ntohl(sp->dst.seqlo)))
632 * Non-TCP protocol state machine always go
635 if (st->src.state > sp->src.state)
637 else if ( st->dst.state > sp->dst.state)
641 if (pf_status.debug >= PF_DEBUG_MISC)
642 printf("pfsync: %s stale update "
645 (sfail < 7 ? "ignoring"
648 (unsigned long long)be64toh(st->id),
652 ntohl(st->creatorid));
653 pfsyncstats.pfsyncs_badstate++;
655 if (!(sp->sync_flags & PFSTATE_STALE)) {
656 /* we have a better state, send it */
657 if (sc->sc_mbuf != NULL && !stale)
662 PFSYNC_ACT_UPD, st, flags);
666 pf_state_peer_ntoh(&sp->src, &st->src);
667 pf_state_peer_ntoh(&sp->dst, &st->dst);
668 st->expire = ntohl(sp->expire) + time_second;
669 st->timeout = sp->timeout;
671 if (stale && sc->sc_mbuf != NULL)
679 * It's not strictly necessary for us to support the "uncompressed"
680 * delete action, but it's relatively simple and maintains consistency.
683 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
684 count * sizeof(*sp), &offp)) == NULL) {
685 pfsyncstats.pfsyncs_badlen++;
693 for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp);
694 i < count; i++, sp++) {
695 bcopy(sp->id, &key.id, sizeof(key.id));
696 key.creatorid = sp->creatorid;
698 st = pf_find_state_byid(&key);
700 pfsyncstats.pfsyncs_badstate++;
703 st->timeout = PFTM_PURGE;
704 st->sync_flags |= PFSTATE_FROMSYNC;
705 pf_purge_expired_state(st);
712 case PFSYNC_ACT_UPD_C: {
713 int update_requested = 0;
715 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
716 count * sizeof(*up), &offp)) == NULL) {
717 pfsyncstats.pfsyncs_badlen++;
725 for (i = 0, up = (struct pfsync_state_upd *)(mp->m_data + offp);
726 i < count; i++, up++) {
727 /* check for invalid values */
728 if (up->timeout >= PFTM_MAX ||
729 up->src.state > PF_TCPS_PROXY_DST ||
730 up->dst.state > PF_TCPS_PROXY_DST) {
731 if (pf_status.debug >= PF_DEBUG_MISC)
732 printf("pfsync_insert: "
735 pfsyncstats.pfsyncs_badstate++;
739 bcopy(up->id, &key.id, sizeof(key.id));
740 key.creatorid = up->creatorid;
742 st = pf_find_state_byid(&key);
744 /* We don't have this state. Ask for it. */
745 error = pfsync_request_update(up, &src);
746 if (error == ENOMEM) {
750 update_requested = 1;
751 pfsyncstats.pfsyncs_badstate++;
755 if (st->proto == IPPROTO_TCP) {
757 * The state should never go backwards except
758 * for syn-proxy states. Neither should the
759 * sequence window slide backwards.
761 if (st->src.state > up->src.state &&
762 (st->src.state < PF_TCPS_PROXY_SRC ||
763 up->src.state >= PF_TCPS_PROXY_SRC))
765 else if (st->dst.state > up->dst.state)
767 else if (SEQ_GT(st->src.seqlo,
768 ntohl(up->src.seqlo)))
770 else if (st->dst.state >= TCPS_SYN_SENT &&
771 SEQ_GT(st->dst.seqlo, ntohl(up->dst.seqlo)))
775 * Non-TCP protocol state machine always go
778 if (st->src.state > up->src.state)
780 else if (st->dst.state > up->dst.state)
784 if (pf_status.debug >= PF_DEBUG_MISC)
785 printf("pfsync: ignoring stale update "
787 "creatorid: %08x\n", sfail,
789 (unsigned long long)be64toh(st->id),
793 ntohl(st->creatorid));
794 pfsyncstats.pfsyncs_badstate++;
796 /* we have a better state, send it out */
797 if ((!stale || update_requested) &&
798 sc->sc_mbuf != NULL) {
800 update_requested = 0;
804 pfsync_pack_state(PFSYNC_ACT_UPD, st,
808 pf_state_peer_ntoh(&up->src, &st->src);
809 pf_state_peer_ntoh(&up->dst, &st->dst);
810 st->expire = ntohl(up->expire) + time_second;
811 st->timeout = up->timeout;
813 if ((update_requested || stale) && sc->sc_mbuf)
821 case PFSYNC_ACT_DEL_C:
822 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
823 count * sizeof(*dp), &offp)) == NULL) {
824 pfsyncstats.pfsyncs_badlen++;
832 for (i = 0, dp = (struct pfsync_state_del *)(mp->m_data + offp);
833 i < count; i++, dp++) {
834 bcopy(dp->id, &key.id, sizeof(key.id));
835 key.creatorid = dp->creatorid;
837 st = pf_find_state_byid(&key);
839 pfsyncstats.pfsyncs_badstate++;
842 st->timeout = PFTM_PURGE;
843 st->sync_flags |= PFSTATE_FROMSYNC;
844 pf_purge_expired_state(st);
851 case PFSYNC_ACT_INS_F:
852 case PFSYNC_ACT_DEL_F:
853 /* not implemented */
855 case PFSYNC_ACT_UREQ:
856 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
857 count * sizeof(*rup), &offp)) == NULL) {
858 pfsyncstats.pfsyncs_badlen++;
866 if (sc->sc_mbuf != NULL)
869 rup = (struct pfsync_state_upd_req *)(mp->m_data + offp);
870 i < count; i++, rup++) {
871 bcopy(rup->id, &key.id, sizeof(key.id));
872 key.creatorid = rup->creatorid;
874 if (key.id == 0 && key.creatorid == 0) {
875 sc->sc_ureq_received = time_uptime;
876 if (pf_status.debug >= PF_DEBUG_MISC)
877 printf("pfsync: received "
878 "bulk update request\n");
879 pfsync_send_bus(sc, PFSYNC_BUS_START);
881 callout_reset(&sc->sc_bulk_tmo, 1 * hz,
883 LIST_FIRST(&pfsync_list));
885 timeout_add(&sc->sc_bulk_tmo, 1 * hz);
888 st = pf_find_state_byid(&key);
890 pfsyncstats.pfsyncs_badstate++;
894 pfsync_pack_state(PFSYNC_ACT_UPD,
898 if (sc->sc_mbuf != NULL)
906 /* If we're not waiting for a bulk update, who cares. */
907 if (sc->sc_ureq_sent == 0)
910 if ((mp = m_pulldown(m, iplen + sizeof(*ph),
911 sizeof(*bus), &offp)) == NULL) {
912 pfsyncstats.pfsyncs_badlen++;
915 bus = (struct pfsync_state_bus *)(mp->m_data + offp);
916 switch (bus->status) {
917 case PFSYNC_BUS_START:
919 callout_reset(&sc->sc_bulkfail_tmo,
920 pf_pool_limits[PF_LIMIT_STATES].limit /
921 (PFSYNC_BULKPACKETS * sc->sc_maxcount),
922 pfsync_bulkfail, LIST_FIRST(&pfsync_list));
924 timeout_add(&sc->sc_bulkfail_tmo,
925 pf_pool_limits[PF_LIMIT_STATES].limit /
926 (PFSYNC_BULKPACKETS * sc->sc_maxcount));
928 if (pf_status.debug >= PF_DEBUG_MISC)
929 printf("pfsync: received bulk "
933 if (time_uptime - ntohl(bus->endtime) >=
935 /* that's it, we're happy */
936 sc->sc_ureq_sent = 0;
937 sc->sc_bulk_tries = 0;
939 callout_stop(&sc->sc_bulkfail_tmo);
941 timeout_del(&sc->sc_bulkfail_tmo);
943 #if NCARP > 0 /* XXX_IMPORT */
945 carp_suppress_preempt--;
948 if (pf_status.debug >= PF_DEBUG_MISC)
949 printf("pfsync: received valid "
950 "bulk update end\n");
952 if (pf_status.debug >= PF_DEBUG_MISC)
953 printf("pfsync: received invalid "
954 "bulk update end: bad timestamp\n");
967 pfsyncoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
976 pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
979 struct proc *p = curproc;
981 struct pfsync_softc *sc = ifp->if_softc;
982 struct ifreq *ifr = (struct ifreq *)data;
983 struct ip_moptions *imo = &sc->sc_imo;
984 struct pfsyncreq pfsyncr;
993 if (ifp->if_flags & IFF_UP)
994 ifp->if_drv_flags |= IFF_DRV_RUNNING;
996 ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
999 if (ifr->ifr_mtu < PFSYNC_MINMTU)
1001 if (ifr->ifr_mtu > MCLBYTES)
1002 ifr->ifr_mtu = MCLBYTES;
1007 if (ifr->ifr_mtu < ifp->if_mtu) {
1010 pfsync_setmtu(sc, ifr->ifr_mtu);
1018 /* XXX: read unlocked */
1020 bzero(&pfsyncr, sizeof(pfsyncr));
1021 if (sc->sc_sync_ifp)
1022 strlcpy(pfsyncr.pfsyncr_syncdev,
1023 sc->sc_sync_ifp->if_xname, IFNAMSIZ);
1024 pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer;
1025 pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates;
1026 if ((error = copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))))
1031 if ((error = suser(curthread)) != 0)
1033 if ((error = suser(p, p->p_acflag)) != 0)
1036 if ((error = copyin(ifr->ifr_data, &pfsyncr, sizeof(pfsyncr))))
1039 if (pfsyncr.pfsyncr_syncpeer.s_addr == 0)
1041 sc->sc_sync_peer.s_addr = htonl(INADDR_PFSYNC_GROUP);
1043 sc->sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP;
1046 sc->sc_sync_peer.s_addr =
1047 pfsyncr.pfsyncr_syncpeer.s_addr;
1049 if (pfsyncr.pfsyncr_maxupdates > 255)
1052 callout_drain(&sc->sc_send_tmo);
1055 sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;
1057 if (pfsyncr.pfsyncr_syncdev[0] == 0) {
1058 sc->sc_sync_ifp = NULL;
1059 if (sc->sc_mbuf_net != NULL) {
1060 /* Don't keep stale pfsync packets around. */
1062 m_freem(sc->sc_mbuf_net);
1063 sc->sc_mbuf_net = NULL;
1064 sc->sc_statep_net.s = NULL;
1067 if (imo->imo_num_memberships > 0) {
1068 in_delmulti(imo->imo_membership[--imo->imo_num_memberships]);
1069 imo->imo_multicast_ifp = NULL;
1077 if ((sifp = ifunit(pfsyncr.pfsyncr_syncdev)) == NULL) {
1086 if (sifp->if_mtu < SCP2IFP(sc)->if_mtu ||
1088 if (sifp->if_mtu < sc->sc_if.if_mtu ||
1090 (sc->sc_sync_ifp != NULL &&
1091 sifp->if_mtu < sc->sc_sync_ifp->if_mtu) ||
1092 sifp->if_mtu < MCLBYTES - sizeof(struct ip))
1094 sc->sc_sync_ifp = sifp;
1097 pfsync_setmtu(sc, SCP2IFP(sc)->if_mtu);
1099 pfsync_setmtu(sc, sc->sc_if.if_mtu);
1102 if (imo->imo_num_memberships > 0) {
1103 in_delmulti(imo->imo_membership[--imo->imo_num_memberships]);
1104 imo->imo_multicast_ifp = NULL;
1107 if (sc->sc_sync_ifp &&
1109 sc->sc_sync_peer.s_addr == htonl(INADDR_PFSYNC_GROUP)) {
1111 sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) {
1113 struct in_addr addr;
1115 if (!(sc->sc_sync_ifp->if_flags & IFF_MULTICAST)) {
1116 sc->sc_sync_ifp = NULL;
1121 return (EADDRNOTAVAIL);
1124 PF_UNLOCK(); /* addmulti mallocs w/ WAITOK */
1125 addr.s_addr = htonl(INADDR_PFSYNC_GROUP);
1127 addr.s_addr = INADDR_PFSYNC_GROUP;
1130 if ((imo->imo_membership[0] =
1131 in_addmulti(&addr, sc->sc_sync_ifp)) == NULL) {
1132 sc->sc_sync_ifp = NULL;
1136 imo->imo_num_memberships++;
1137 imo->imo_multicast_ifp = sc->sc_sync_ifp;
1138 imo->imo_multicast_ttl = PFSYNC_DFLTTL;
1139 imo->imo_multicast_loop = 0;
1145 if (sc->sc_sync_ifp ||
1147 sc->sc_sendaddr.s_addr != htonl(INADDR_PFSYNC_GROUP)) {
1149 sc->sc_sendaddr.s_addr != INADDR_PFSYNC_GROUP) {
1151 /* Request a full state table update. */
1152 sc->sc_ureq_sent = time_uptime;
1155 carp_suppress_preempt++;
1158 if (pf_status.debug >= PF_DEBUG_MISC)
1159 printf("pfsync: requesting bulk update\n");
1161 callout_reset(&sc->sc_bulkfail_tmo, 5 * hz,
1162 pfsync_bulkfail, LIST_FIRST(&pfsync_list));
1164 timeout_add(&sc->sc_bulkfail_tmo, 5 * hz);
1166 error = pfsync_request_update(NULL, NULL);
1167 if (error == ENOMEM) {
1191 pfsync_setmtu(struct pfsync_softc *sc, int mtu_req)
1195 if (sc->sc_sync_ifp && sc->sc_sync_ifp->if_mtu < mtu_req)
1196 mtu = sc->sc_sync_ifp->if_mtu;
1200 sc->sc_maxcount = (mtu - sizeof(struct pfsync_header)) /
1201 sizeof(struct pfsync_state);
1202 if (sc->sc_maxcount > 254)
1203 sc->sc_maxcount = 254;
1205 SCP2IFP(sc)->if_mtu = sizeof(struct pfsync_header) +
1206 sc->sc_maxcount * sizeof(struct pfsync_state);
1208 sc->sc_if.if_mtu = sizeof(struct pfsync_header) +
1209 sc->sc_maxcount * sizeof(struct pfsync_state);
1214 pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp)
1216 struct pfsync_header *h;
1221 PF_ASSERT(MA_OWNED);
1223 MGETHDR(m, M_DONTWAIT, MT_DATA);
1226 SCP2IFP(sc)->if_oerrors++;
1228 sc->sc_if.if_oerrors++;
1234 case PFSYNC_ACT_CLR:
1235 len = sizeof(struct pfsync_header) +
1236 sizeof(struct pfsync_state_clr);
1238 case PFSYNC_ACT_UPD_C:
1239 len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd)) +
1240 sizeof(struct pfsync_header);
1242 case PFSYNC_ACT_DEL_C:
1243 len = (sc->sc_maxcount * sizeof(struct pfsync_state_del)) +
1244 sizeof(struct pfsync_header);
1246 case PFSYNC_ACT_UREQ:
1247 len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd_req)) +
1248 sizeof(struct pfsync_header);
1250 case PFSYNC_ACT_BUS:
1251 len = sizeof(struct pfsync_header) +
1252 sizeof(struct pfsync_state_bus);
1255 len = (sc->sc_maxcount * sizeof(struct pfsync_state)) +
1256 sizeof(struct pfsync_header);
1261 MCLGET(m, M_DONTWAIT);
1262 if ((m->m_flags & M_EXT) == 0) {
1265 SCP2IFP(sc)->if_oerrors++;
1267 sc->sc_if.if_oerrors++;
1271 m->m_data += (MCLBYTES - len) &~ (sizeof(long) - 1);
1275 m->m_pkthdr.rcvif = NULL;
1276 m->m_pkthdr.len = m->m_len = sizeof(struct pfsync_header);
1277 h = mtod(m, struct pfsync_header *);
1278 h->version = PFSYNC_VERSION;
1283 *sp = (void *)((char *)h + PFSYNC_HDRLEN);
1285 callout_reset(&sc->sc_tmo, hz, pfsync_timeout,
1286 LIST_FIRST(&pfsync_list));
1288 timeout_add(&sc->sc_tmo, hz);
1294 pfsync_pack_state(u_int8_t action, struct pf_state *st, int flags)
1297 struct ifnet *ifp = SCP2IFP(LIST_FIRST(&pfsync_list));
1299 struct ifnet *ifp = &pfsyncif.sc_if;
1301 struct pfsync_softc *sc = ifp->if_softc;
1302 struct pfsync_header *h, *h_net;
1303 struct pfsync_state *sp = NULL;
1304 struct pfsync_state_upd *up = NULL;
1305 struct pfsync_state_del *dp = NULL;
1309 u_int8_t i = 255, newaction = 0;
1312 PF_ASSERT(MA_OWNED);
1315 * If a packet falls in the forest and there's nobody around to
1316 * hear, does it make a sound?
1318 if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL &&
1320 sc->sc_sync_peer.s_addr == htonl(INADDR_PFSYNC_GROUP)) {
1322 sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) {
1324 /* Don't leave any stale pfsync packets hanging around. */
1325 if (sc->sc_mbuf != NULL) {
1326 m_freem(sc->sc_mbuf);
1328 sc->sc_statep.s = NULL;
1333 if (action >= PFSYNC_ACT_MAX)
1337 if (sc->sc_mbuf == NULL) {
1338 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
1339 (void *)&sc->sc_statep.s)) == NULL) {
1343 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1345 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1346 if (h->action != action) {
1348 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action,
1349 (void *)&sc->sc_statep.s)) == NULL) {
1353 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1356 * If it's an update, look in the packet to see if
1357 * we already have an update for the state.
1359 if (action == PFSYNC_ACT_UPD && sc->sc_maxupdates) {
1360 struct pfsync_state *usp =
1361 (void *)((char *)h + PFSYNC_HDRLEN);
1363 for (i = 0; i < h->count; i++) {
1364 if (!memcmp(usp->id, &st->id,
1366 usp->creatorid == st->creatorid) {
1379 st->pfsync_time = time_uptime;
1380 TAILQ_REMOVE(&state_updates, st, u.s.entry_updates);
1381 TAILQ_INSERT_TAIL(&state_updates, st, u.s.entry_updates);
1384 /* not a "duplicate" update */
1386 sp = sc->sc_statep.s++;
1387 sc->sc_mbuf->m_pkthdr.len =
1388 sc->sc_mbuf->m_len += sizeof(struct pfsync_state);
1390 bzero(sp, sizeof(*sp));
1392 bcopy(&st->id, sp->id, sizeof(sp->id));
1393 sp->creatorid = st->creatorid;
1395 strlcpy(sp->ifname, st->u.s.kif->pfik_name, sizeof(sp->ifname));
1396 pf_state_host_hton(&st->lan, &sp->lan);
1397 pf_state_host_hton(&st->gwy, &sp->gwy);
1398 pf_state_host_hton(&st->ext, &sp->ext);
1400 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
1402 sp->creation = htonl(secs - st->creation);
1403 sp->packets[0] = htonl(st->packets[0]);
1404 sp->packets[1] = htonl(st->packets[1]);
1405 sp->bytes[0] = htonl(st->bytes[0]);
1406 sp->bytes[1] = htonl(st->bytes[1]);
1407 if ((r = st->rule.ptr) == NULL)
1408 sp->rule = htonl(-1);
1410 sp->rule = htonl(r->nr);
1411 if ((r = st->anchor.ptr) == NULL)
1412 sp->anchor = htonl(-1);
1414 sp->anchor = htonl(r->nr);
1416 sp->proto = st->proto;
1417 sp->direction = st->direction;
1419 sp->allow_opts = st->allow_opts;
1420 sp->timeout = st->timeout;
1422 if (flags & PFSYNC_FLAG_STALE)
1423 sp->sync_flags |= PFSTATE_STALE;
1426 pf_state_peer_hton(&st->src, &sp->src);
1427 pf_state_peer_hton(&st->dst, &sp->dst);
1429 if (st->expire <= secs)
1430 sp->expire = htonl(0);
1432 sp->expire = htonl(st->expire - secs);
1434 /* do we need to build "compressed" actions for network transfer? */
1435 if (sc->sc_sync_ifp && flags & PFSYNC_FLAG_COMPRESS) {
1437 case PFSYNC_ACT_UPD:
1438 newaction = PFSYNC_ACT_UPD_C;
1440 case PFSYNC_ACT_DEL:
1441 newaction = PFSYNC_ACT_DEL_C;
1444 /* by default we just send the uncompressed states */
1450 if (sc->sc_mbuf_net == NULL) {
1451 if ((sc->sc_mbuf_net = pfsync_get_mbuf(sc, newaction,
1452 (void *)&sc->sc_statep_net.s)) == NULL) {
1457 h_net = mtod(sc->sc_mbuf_net, struct pfsync_header *);
1459 switch (newaction) {
1460 case PFSYNC_ACT_UPD_C:
1462 up = (void *)((char *)h_net +
1463 PFSYNC_HDRLEN + (i * sizeof(*up)));
1467 sc->sc_mbuf_net->m_pkthdr.len =
1468 sc->sc_mbuf_net->m_len += sizeof(*up);
1469 up = sc->sc_statep_net.u++;
1471 bzero(up, sizeof(*up));
1472 bcopy(&st->id, up->id, sizeof(up->id));
1473 up->creatorid = st->creatorid;
1475 up->timeout = st->timeout;
1476 up->expire = sp->expire;
1480 case PFSYNC_ACT_DEL_C:
1481 sc->sc_mbuf_net->m_pkthdr.len =
1482 sc->sc_mbuf_net->m_len += sizeof(*dp);
1483 dp = sc->sc_statep_net.d++;
1486 bzero(dp, sizeof(*dp));
1487 bcopy(&st->id, dp->id, sizeof(dp->id));
1488 dp->creatorid = st->creatorid;
1493 if (h->count == sc->sc_maxcount ||
1494 (sc->sc_maxupdates && (sp->updates >= sc->sc_maxupdates)))
1495 ret = pfsync_sendout(sc);
1501 /* This must be called in splnet() */
1503 pfsync_request_update(struct pfsync_state_upd *up, struct in_addr *src)
1506 struct ifnet *ifp = SCP2IFP(LIST_FIRST(&pfsync_list));
1508 struct ifnet *ifp = &pfsyncif.sc_if;
1510 struct pfsync_header *h;
1511 struct pfsync_softc *sc = ifp->if_softc;
1512 struct pfsync_state_upd_req *rup;
1516 PF_ASSERT(MA_OWNED);
1518 if (sc->sc_mbuf == NULL) {
1519 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
1520 (void *)&sc->sc_statep.s)) == NULL)
1522 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1524 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1525 if (h->action != PFSYNC_ACT_UREQ) {
1527 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ,
1528 (void *)&sc->sc_statep.s)) == NULL)
1530 h = mtod(sc->sc_mbuf, struct pfsync_header *);
1535 sc->sc_sendaddr = *src;
1536 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*rup);
1538 rup = sc->sc_statep.r++;
1539 bzero(rup, sizeof(*rup));
1541 bcopy(up->id, rup->id, sizeof(rup->id));
1542 rup->creatorid = up->creatorid;
1545 if (h->count == sc->sc_maxcount)
1546 ret = pfsync_sendout(sc);
1552 pfsync_clear_states(u_int32_t creatorid, char *ifname)
1555 struct ifnet *ifp = SCP2IFP(LIST_FIRST(&pfsync_list));
1557 struct ifnet *ifp = &pfsyncif.sc_if;
1559 struct pfsync_softc *sc = ifp->if_softc;
1560 struct pfsync_state_clr *cp;
1565 PF_ASSERT(MA_OWNED);
1567 if (sc->sc_mbuf != NULL)
1569 if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_CLR,
1570 (void *)&sc->sc_statep.c)) == NULL) {
1574 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*cp);
1575 cp = sc->sc_statep.c;
1576 cp->creatorid = creatorid;
1578 strlcpy(cp->ifname, ifname, IFNAMSIZ);
1580 ret = (pfsync_sendout(sc));
1586 pfsync_timeout(void *v)
1588 struct pfsync_softc *sc = v;
1602 /* This must be called in splnet() */
1604 pfsync_send_bus(struct pfsync_softc *sc, u_int8_t status)
1606 struct pfsync_state_bus *bus;
1609 PF_ASSERT(MA_OWNED);
1611 if (sc->sc_mbuf != NULL)
1614 if (pfsync_sync_ok &&
1615 (sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_BUS,
1616 (void *)&sc->sc_statep.b)) != NULL) {
1617 sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*bus);
1618 bus = sc->sc_statep.b;
1619 bus->creatorid = pf_status.hostid;
1620 bus->status = status;
1621 bus->endtime = htonl(time_uptime - sc->sc_ureq_received);
1627 pfsync_bulk_update(void *v)
1629 struct pfsync_softc *sc = v;
1631 struct pf_state *state;
1637 if (sc->sc_mbuf != NULL)
1641 * Grab at most PFSYNC_BULKPACKETS worth of states which have not
1642 * been sent since the latest request was made.
1644 while ((state = TAILQ_FIRST(&state_updates)) != NULL &&
1645 ++i < (sc->sc_maxcount * PFSYNC_BULKPACKETS)) {
1646 if (state->pfsync_time > sc->sc_ureq_received) {
1648 pfsync_send_bus(sc, PFSYNC_BUS_END);
1649 sc->sc_ureq_received = 0;
1651 callout_stop(&sc->sc_bulk_tmo);
1653 timeout_del(&sc->sc_bulk_tmo);
1655 if (pf_status.debug >= PF_DEBUG_MISC)
1656 printf("pfsync: bulk update complete\n");
1659 /* send an update and move to end of list */
1660 if (!state->sync_flags)
1661 pfsync_pack_state(PFSYNC_ACT_UPD, state, 0);
1662 state->pfsync_time = time_uptime;
1663 TAILQ_REMOVE(&state_updates, state, u.s.entry_updates);
1664 TAILQ_INSERT_TAIL(&state_updates, state,
1667 /* look again for more in a bit */
1669 callout_reset(&sc->sc_bulk_tmo, 1, pfsync_timeout,
1670 LIST_FIRST(&pfsync_list));
1672 timeout_add(&sc->sc_bulk_tmo, 1);
1676 if (sc->sc_mbuf != NULL)
1685 pfsync_bulkfail(void *v)
1687 struct pfsync_softc *sc = v;
1693 if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) {
1694 /* Try again in a bit */
1696 callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, pfsync_bulkfail,
1697 LIST_FIRST(&pfsync_list));
1699 timeout_add(&sc->sc_bulkfail_tmo, 5 * hz);
1702 error = pfsync_request_update(NULL, NULL);
1703 if (error == ENOMEM) {
1704 if (pf_status.debug >= PF_DEBUG_MISC)
1705 printf("pfsync: cannot allocate mbufs for "
1711 /* Pretend like the transfer was ok */
1712 sc->sc_ureq_sent = 0;
1713 sc->sc_bulk_tries = 0;
1715 if (!pfsync_sync_ok)
1716 carp_suppress_preempt--;
1719 if (pf_status.debug >= PF_DEBUG_MISC)
1720 printf("pfsync: failed to receive "
1721 "bulk update status\n");
1723 callout_stop(&sc->sc_bulkfail_tmo);
1725 timeout_del(&sc->sc_bulkfail_tmo);
1733 /* This must be called in splnet() */
1736 struct pfsync_softc *sc;
1740 struct ifnet *ifp = SCP2IFP(sc);
1742 struct ifnet *ifp = &sc->if_sc;
1748 PF_ASSERT(MA_OWNED);
1749 callout_stop(&sc->sc_tmo);
1751 timeout_del(&sc->sc_tmo);
1754 if (sc->sc_mbuf == NULL)
1758 sc->sc_statep.s = NULL;
1761 KASSERT(m != NULL, ("pfsync_sendout: null mbuf"));
1768 bpf_mtap(ifp->if_bpf, m);
1772 if (sc->sc_mbuf_net) {
1774 m = sc->sc_mbuf_net;
1775 sc->sc_mbuf_net = NULL;
1776 sc->sc_statep_net.s = NULL;
1780 if (sc->sc_sync_ifp ||
1781 sc->sc_sync_peer.s_addr != htonl(INADDR_PFSYNC_GROUP)) {
1783 if (sc->sc_sync_ifp ||sc->sc_sync_peer.s_addr != INADDR_PFSYNC_GROUP) {
1788 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
1790 pfsyncstats.pfsyncs_onomem++;
1793 ip = mtod(m, struct ip *);
1794 ip->ip_v = IPVERSION;
1795 ip->ip_hl = sizeof(*ip) >> 2;
1796 ip->ip_tos = IPTOS_LOWDELAY;
1798 ip->ip_len = m->m_pkthdr.len;
1800 ip->ip_len = htons(m->m_pkthdr.len);
1802 ip->ip_id = htons(ip_randomid());
1806 ip->ip_off = htons(IP_DF);
1808 ip->ip_ttl = PFSYNC_DFLTTL;
1809 ip->ip_p = IPPROTO_PFSYNC;
1812 bzero(&sa, sizeof(sa));
1813 ip->ip_src.s_addr = INADDR_ANY;
1816 if (sc->sc_sendaddr.s_addr == htonl(INADDR_PFSYNC_GROUP))
1818 if (sc->sc_sendaddr.s_addr == INADDR_PFSYNC_GROUP)
1820 m->m_flags |= M_MCAST;
1821 ip->ip_dst = sc->sc_sendaddr;
1822 sc->sc_sendaddr.s_addr = sc->sc_sync_peer.s_addr;
1824 pfsyncstats.pfsyncs_opackets++;
1826 if (!IF_HANDOFF(&sc->sc_ifq, m, NULL))
1827 pfsyncstats.pfsyncs_oerrors++;
1828 callout_reset(&sc->sc_send_tmo, 1, pfsync_senddef, sc);
1830 if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))
1831 pfsyncstats.pfsyncs_oerrors++;
1841 pfsync_senddef(void *arg)
1843 struct pfsync_softc *sc = (struct pfsync_softc *)arg;
1847 IF_DEQUEUE(&sc->sc_ifq, m);
1850 if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))
1851 pfsyncstats.pfsyncs_oerrors++;
1856 pfsync_modevent(module_t mod, int type, void *data)
1862 LIST_INIT(&pfsync_list);
1863 if_clone_attach(&pfsync_cloner);
1867 if_clone_detach(&pfsync_cloner);
1868 while (!LIST_EMPTY(&pfsync_list))
1869 pfsync_clone_destroy(
1870 SCP2IFP(LIST_FIRST(&pfsync_list)));
1881 static moduledata_t pfsync_mod = {
1887 #define PFSYNC_MODVER 1
1889 DECLARE_MODULE(pfsync, pfsync_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
1890 MODULE_VERSION(pfsync, PFSYNC_MODVER);
1891 #endif /* __FreeBSD__ */