Import pfsync support from OpenBSD 4.2
The pfsync interface exposes changes to the pf(4) state table over a pseudo-interface, and can be used to synchronise state between different pf instances. This work was part of my 2009 GSoC. No objection on tech-net@
parent
03266a3f98
commit
2d48ac808c
|
@ -37,7 +37,7 @@
|
|||
*
|
||||
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
|
||||
*
|
||||
* @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.1.1.1 2006/02/27 15:45:47 drochner Exp $ (LBL)
|
||||
* @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.2 2009/09/14 10:36:48 degroote Exp $ (LBL)
|
||||
*/
|
||||
|
||||
/*
|
||||
|
@ -299,8 +299,8 @@ struct bpf_version {
|
|||
*/
|
||||
#ifdef __OpenBSD__
|
||||
#define DLT_OLD_PFLOG 17
|
||||
#define DLT_PFSYNC 18
|
||||
#endif
|
||||
#define DLT_PFSYNC 18
|
||||
#define DLT_PFLOG 117
|
||||
|
||||
/*
|
||||
|
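Review bot: The new unconditional `#define DLT_PFSYNC 18` leaves the identical definition inside the `#ifdef __OpenBSD__` block just above it, so on OpenBSD the macro is now defined twice (identical redefinitions draw no diagnostic, but the block reads as a leftover). Either drop the line from the `__OpenBSD__` block or guard the new one with `#ifndef DLT_PFSYNC`. Presumably 18 was chosen to match the kernel's own DLT_PFSYNC so that captures taken on the pfsync interface carry the right link type; a comment saying so, `/* must match DLT_PFSYNC in <net/bpf.h> */`, would keep a future libpcap resync from silently changing it.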
|
|
@ -33,7 +33,7 @@
|
|||
|
||||
#ifndef lint
|
||||
static const char rcsid[] _U_ =
|
||||
"@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.3 2006/02/27 15:57:17 drochner Exp $ (LBL)";
|
||||
"@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.4 2009/09/14 10:36:48 degroote Exp $ (LBL)";
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
|
@ -346,6 +346,7 @@ static struct dlt_choice dlt_choices[] = {
|
|||
DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
|
||||
DLT_CHOICE(DLT_LTALK, "Localtalk"),
|
||||
DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
|
||||
DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),
|
||||
DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
|
||||
DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
|
||||
DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: pf.4,v 1.9 2009/03/22 14:29:34 perry Exp $
|
||||
.\" $NetBSD: pf.4,v 1.10 2009/09/14 10:36:48 degroote Exp $
|
||||
.\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
|
||||
|
@ -1131,7 +1131,7 @@ main(int argc, char *argv[])
|
|||
.Xr ioctl 2 ,
|
||||
.Xr bridge 4 ,
|
||||
.Xr pflog 4 ,
|
||||
.\" .Xr pfsync 4 ,
|
||||
.Xr pfsync 4 ,
|
||||
.Xr pfctl 8 ,
|
||||
.Xr altq 9
|
||||
.Sh HISTORY
|
||||
|
|
|
@ -0,0 +1,244 @@
|
|||
.\" $NetBSD: pfsync.4,v 1.1 2009/09/14 10:36:48 degroote Exp $
|
||||
.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Michael Shalayeff
|
||||
.\" Copyright (c) 2003-2004 Ryan McBride
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND,
|
||||
.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: May 31 2007 $
|
||||
.Dt PFSYNC 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pfsync
|
||||
.Nd packet filter state table logging interface
|
||||
.Sh SYNOPSIS
|
||||
.Cd "pseudo-device pfsync"
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
interface is a pseudo-device which exposes certain changes to the state
|
||||
table used by
|
||||
.Xr pf 4 .
|
||||
State changes can be viewed by invoking
|
||||
.Xr tcpdump 8
|
||||
on the
|
||||
.Nm
|
||||
interface.
|
||||
If configured with a physical synchronisation interface,
|
||||
.Nm
|
||||
will also send state changes out on that interface using IP multicast,
|
||||
and insert state changes received on that interface from other systems
|
||||
into the state table.
|
||||
.Pp
|
||||
By default, all local changes to the state table are exposed via
|
||||
.Nm .
|
||||
However, state changes from packets received by
|
||||
.Nm
|
||||
over the network are not rebroadcast.
|
||||
States created by a rule marked with the
|
||||
.Ar no-sync
|
||||
keyword are omitted from the
|
||||
.Nm
|
||||
interface (see
|
||||
.Xr pf.conf 5
|
||||
for details).
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
interface will attempt to collapse multiple updates of the same
|
||||
state into one message where possible.
|
||||
The maximum number of times this can be done before the update is sent out
|
||||
is controlled by the
|
||||
.Ar maxupd
|
||||
parameter to ifconfig
|
||||
(see
|
||||
.Xr ifconfig 8
|
||||
and the example below for more details).
|
||||
.Pp
|
||||
Each packet retrieved on this interface has a header associated
|
||||
with it of length
|
||||
.Dv PFSYNC_HDRLEN .
|
||||
The header indicates the version of the protocol, address family,
|
||||
action taken on the following states, and the number of state
|
||||
table entries attached in this packet.
|
||||
This structure is defined in
|
||||
.Aq Pa net/if_pfsync.h
|
||||
as:
|
||||
.Bd -literal -offset indent
|
||||
struct pfsync_header {
|
||||
u_int8_t version;
|
||||
u_int8_t af;
|
||||
u_int8_t action;
|
||||
u_int8_t count;
|
||||
};
|
||||
.Ed
|
||||
.Sh NETWORK SYNCHRONISATION
|
||||
States can be synchronised between two or more firewalls using this
|
||||
interface, by specifying a synchronisation interface using
|
||||
.Xr ifconfig 8 .
|
||||
For example, the following command sets fxp0 as the synchronisation
|
||||
interface:
|
||||
.Bd -literal -offset indent
|
||||
# ifconfig pfsync0 syncdev fxp0
|
||||
.Ed
|
||||
.Pp
|
||||
By default, state change messages are sent out on the synchronisation
|
||||
interface using IP multicast packets.
|
||||
The protocol is IP protocol 240, PFSYNC, and the multicast group
|
||||
used is 224.0.0.240.
|
||||
When a peer address is specified using the
|
||||
.Ic syncpeer
|
||||
keyword, the peer address is used as a destination for the pfsync traffic,
|
||||
and the traffic can then be protected using
|
||||
.Xr ipsec 4 .
|
||||
In such a configuration, the syncdev should be set to the
|
||||
.Xr enc 4
|
||||
interface, as this is where the traffic arrives when it is decapsulated,
|
||||
e.g.:
|
||||
.Bd -literal -offset indent
|
||||
# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
|
||||
.Ed
|
||||
.Pp
|
||||
It is important that the pfsync traffic be well secured
|
||||
as there is no authentication on the protocol and it would
|
||||
be trivial to spoof packets which create states, bypassing the pf ruleset.
|
||||
Either run the pfsync protocol on a trusted network \- ideally a network
|
||||
dedicated to pfsync messages such as a crossover cable between two firewalls,
|
||||
or specify a peer address and protect the traffic with
|
||||
.Xr ipsec 4 .
|
||||
.Pp
|
||||
There is a one-to-one correspondence between packets seen by
|
||||
.Xr bpf 4
|
||||
on the
|
||||
.Nm
|
||||
interface, and packets sent out on the synchronisation interface, i.e.\&
|
||||
a packet with 4 state deletion messages on
|
||||
.Nm
|
||||
means that the same 4 deletions were sent out on the synchronisation
|
||||
interface.
|
||||
However, the actual packet contents may differ as the messages
|
||||
sent over the network are "compressed" where possible, containing
|
||||
only the necessary information.
|
||||
.Sh EXAMPLES
|
||||
.Nm
|
||||
and
|
||||
.Xr carp 4
|
||||
can be used together to provide automatic failover of a pair of firewalls
|
||||
configured in parallel.
|
||||
One firewall handles all traffic \- if it dies or
|
||||
is shut down, the second firewall takes over automatically.
|
||||
.Pp
|
||||
Both firewalls in this example have three
|
||||
.Xr sis 4
|
||||
interfaces.
|
||||
sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the
|
||||
internal interface, on the 192.168.0.0/24 subnet; and sis2 is the
|
||||
.Nm
|
||||
interface, using the 192.168.254.0/24 subnet.
|
||||
A crossover cable connects the two firewalls via their sis2 interfaces.
|
||||
On all three interfaces, firewall A uses the .254 address, while firewall B
|
||||
uses .253.
|
||||
The interfaces are configured as follows (firewall A unless otherwise
|
||||
indicated):
|
||||
.Pp
|
||||
.Pa /etc/hostname.sis0 :
|
||||
.Bd -literal -offset indent
|
||||
inet 10.0.0.254 255.255.255.0 NONE
|
||||
.Ed
|
||||
.Pp
|
||||
.Pa /etc/hostname.sis1 :
|
||||
.Bd -literal -offset indent
|
||||
inet 192.168.0.254 255.255.255.0 NONE
|
||||
.Ed
|
||||
.Pp
|
||||
.Pa /etc/hostname.sis2 :
|
||||
.Bd -literal -offset indent
|
||||
inet 192.168.254.254 255.255.255.0 NONE
|
||||
.Ed
|
||||
.Pp
|
||||
.Pa /etc/hostname.carp0 :
|
||||
.Bd -literal -offset indent
|
||||
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
|
||||
.Ed
|
||||
.Pp
|
||||
.Pa /etc/hostname.carp1 :
|
||||
.Bd -literal -offset indent
|
||||
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
|
||||
.Ed
|
||||
.Pp
|
||||
.Pa /etc/hostname.pfsync0 :
|
||||
.Bd -literal -offset indent
|
||||
up syncdev sis2
|
||||
.Ed
|
||||
.Pp
|
||||
.Xr pf 4
|
||||
must also be configured to allow
|
||||
.Nm
|
||||
and
|
||||
.Xr carp 4
|
||||
traffic through.
|
||||
The following should be added to the top of
|
||||
.Pa /etc/pf.conf :
|
||||
.Bd -literal -offset indent
|
||||
pass quick on { sis2 } proto pfsync
|
||||
pass on { sis0 sis1 } proto carp
|
||||
.Ed
|
||||
.Pp
|
||||
If it is preferable that one firewall handle the traffic,
|
||||
the
|
||||
.Ar advskew
|
||||
on the backup firewall's
|
||||
.Xr carp 4
|
||||
interfaces should be set to something higher than
|
||||
the primary's.
|
||||
For example, if firewall B is the backup, its
|
||||
.Pa /etc/hostname.carp1
|
||||
would look like this:
|
||||
.Bd -literal -offset indent
|
||||
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
|
||||
advskew 100
|
||||
.Ed
|
||||
.Pp
|
||||
The following must also be added to
|
||||
.Pa /etc/sysctl.conf :
|
||||
.Bd -literal -offset indent
|
||||
net.inet.carp.preempt=1
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr bpf 4 ,
|
||||
.Xr carp 4 ,
|
||||
.Xr inet 4 ,
|
||||
.Xr inet6 4 ,
|
||||
.Xr ipsec 4 ,
|
||||
.Xr netintro 4 ,
|
||||
.Xr pf 4 ,
|
||||
.Xr hostname.if 5 ,
|
||||
.Xr pf.conf 5 ,
|
||||
.Xr protocols 5 ,
|
||||
.Xr ifconfig 8 ,
|
||||
.Xr tcpdump 8
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
device first appeared in
|
||||
.Ox 3.3 .
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: interface.h,v 1.7 2007/07/24 11:53:39 drochner Exp $ */
|
||||
/* $NetBSD: interface.h,v 1.8 2009/09/14 10:36:48 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-2002
|
||||
|
@ -199,6 +199,8 @@ extern void dvmrp_print(const u_char *, u_int);
|
|||
extern void egp_print(const u_char *, u_int);
|
||||
extern u_int enc_if_print(const struct pcap_pkthdr *, const u_char *);
|
||||
extern u_int pflog_if_print(const struct pcap_pkthdr *, const u_char *);
|
||||
extern u_int pfsync_if_print(const struct pcap_pkthdr *, const u_char *);
|
||||
extern void pfsync_ip_print(const u_char*, u_int, const u_char *);
|
||||
extern u_int arcnet_if_print(const struct pcap_pkthdr *, const u_char *);
|
||||
extern u_int arcnet_linux_if_print(const struct pcap_pkthdr *, const u_char *);
|
||||
extern void ether_print(const u_char *, u_int, u_int);
|
||||
|
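Review bot: `pfsync_ip_print(const u_char*, u_int, const u_char *)` drops the space before `*` in its first parameter, unlike every other prototype in this list; `extern void pfsync_ip_print(const u_char *, u_int, const u_char *);`. A short comment on the pair would also help, since the two entry points are not parallel: `/* pfsync_if_print: DLT_PFSYNC link-layer printer; pfsync_ip_print: printer for the pfsync payload of an IP packet */`.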
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipproto.c,v 1.2 2007/07/24 11:53:39 drochner Exp $ */
|
||||
/* $NetBSD: ipproto.c,v 1.3 2009/09/14 10:36:49 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
|
@ -21,7 +21,7 @@
|
|||
static const char rcsid[] _U_ =
|
||||
"@(#) Header: /tcpdump/master/tcpdump/ipproto.c,v 1.3.2.3 2005/09/20 06:05:37 guy Exp (LBL)";
|
||||
#else
|
||||
__RCSID("$NetBSD: ipproto.c,v 1.2 2007/07/24 11:53:39 drochner Exp $");
|
||||
__RCSID("$NetBSD: ipproto.c,v 1.3 2009/09/14 10:36:49 degroote Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -62,6 +62,7 @@ struct tok ipproto_values[] = {
|
|||
{ IPPROTO_PGM, "PGM" },
|
||||
{ IPPROTO_SCTP, "SCTP" },
|
||||
{ IPPROTO_MOBILITY, "Mobility" },
|
||||
{ IPPROTO_PFSYNC, "PFSYNC" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
|
|
|
@ -0,0 +1,320 @@
|
|||
/* $NetBSD: pf_print_state.c,v 1.1 2009/09/14 10:36:49 degroote Exp $ */
|
||||
/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Daniel Hartmeier
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* - Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* - Redistributions in binary form must reproduce the above
|
||||
* copyright notice, this list of conditions and the following
|
||||
* disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||||
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
||||
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
#define TCPSTATES
|
||||
#include <netinet/tcp_fsm.h>
|
||||
#include <net/pfvar.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "pfctl_parser.h"
|
||||
#include "pfctl.h"
|
||||
|
||||
void print_name(struct pf_addr *, sa_family_t);
|
||||
|
||||
void
|
||||
print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
|
||||
{
|
||||
switch (addr->type) {
|
||||
case PF_ADDR_DYNIFTL:
|
||||
printf("(%s", addr->v.ifname);
|
||||
if (addr->iflags & PFI_AFLAG_NETWORK)
|
||||
printf(":network");
|
||||
if (addr->iflags & PFI_AFLAG_BROADCAST)
|
||||
printf(":broadcast");
|
||||
if (addr->iflags & PFI_AFLAG_PEER)
|
||||
printf(":peer");
|
||||
if (addr->iflags & PFI_AFLAG_NOALIAS)
|
||||
printf(":0");
|
||||
if (verbose) {
|
||||
if (addr->p.dyncnt <= 0)
|
||||
printf(":*");
|
||||
else
|
||||
printf(":%d", addr->p.dyncnt);
|
||||
}
|
||||
printf(")");
|
||||
break;
|
||||
case PF_ADDR_TABLE:
|
||||
if (verbose)
|
||||
if (addr->p.tblcnt == -1)
|
||||
printf("<%s:*>", addr->v.tblname);
|
||||
else
|
||||
printf("<%s:%d>", addr->v.tblname,
|
||||
addr->p.tblcnt);
|
||||
else
|
||||
printf("<%s>", addr->v.tblname);
|
||||
return;
|
||||
case PF_ADDR_ADDRMASK:
|
||||
if (PF_AZERO(&addr->v.a.addr, AF_INET6) &&
|
||||
PF_AZERO(&addr->v.a.mask, AF_INET6))
|
||||
printf("any");
|
||||
else {
|
||||
char buf[48];
|
||||
|
||||
if (inet_ntop(af, &addr->v.a.addr, buf,
|
||||
sizeof(buf)) == NULL)
|
||||
printf("?");
|
||||
else
|
||||
printf("%s", buf);
|
||||
}
|
||||
break;
|
||||
case PF_ADDR_NOROUTE:
|
||||
printf("no-route");
|
||||
return;
|
||||
case PF_ADDR_URPFFAILED:
|
||||
printf("urpf-failed");
|
||||
return;
|
||||
case PF_ADDR_RTLABEL:
|
||||
printf("route \"%s\"", addr->v.rtlabelname);
|
||||
return;
|
||||
default:
|
||||
printf("?");
|
||||
return;
|
||||
}
|
||||
|
||||
/* mask if not _both_ address and mask are zero */
|
||||
if (!(PF_AZERO(&addr->v.a.addr, AF_INET6) &&
|
||||
PF_AZERO(&addr->v.a.mask, AF_INET6))) {
|
||||
int bits = unmask(&addr->v.a.mask, af);
|
||||
|
||||
if (bits != (af == AF_INET ? 32 : 128))
|
||||
printf("/%d", bits);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
print_name(struct pf_addr *addr, sa_family_t af)
|
||||
{
|
||||
char host[NI_MAXHOST];
|
||||
|
||||
strlcpy(host, "?", sizeof(host));
|
||||
switch (af) {
|
||||
case AF_INET: {
|
||||
struct sockaddr_in sin;
|
||||
|
||||
memset(&sin, 0, sizeof(sin));
|
||||
sin.sin_len = sizeof(sin);
|
||||
sin.sin_family = AF_INET;
|
||||
sin.sin_addr = addr->v4;
|
||||
getnameinfo((struct sockaddr *)&sin, sin.sin_len,
|
||||
host, sizeof(host), NULL, 0, NI_NOFQDN);
|
||||
break;
|
||||
}
|
||||
case AF_INET6: {
|
||||
struct sockaddr_in6 sin6;
|
||||
|
||||
memset(&sin6, 0, sizeof(sin6));
|
||||
sin6.sin6_len = sizeof(sin6);
|
||||
sin6.sin6_family = AF_INET6;
|
||||
sin6.sin6_addr = addr->v6;
|
||||
getnameinfo((struct sockaddr *)&sin6, sin6.sin6_len,
|
||||
host, sizeof(host), NULL, 0, NI_NOFQDN);
|
||||
break;
|
||||
}
|
||||
}
|
||||
printf("%s", host);
|
||||
}
|
||||
|
||||
void
|
||||
print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
|
||||
{
|
||||
u_int16_t p = ntohs(h->port);
|
||||
|
||||
if (opts & PF_OPT_USEDNS)
|
||||
print_name(&h->addr, af);
|
||||
else {
|
||||
struct pf_addr_wrap aw;
|
||||
|
||||
memset(&aw, 0, sizeof(aw));
|
||||
aw.v.a.addr = h->addr;
|
||||
if (af == AF_INET)
|
||||
aw.v.a.mask.addr32[0] = 0xffffffff;
|
||||
else {
|
||||
memset(&aw.v.a.mask, 0xff, sizeof(aw.v.a.mask));
|
||||
af = AF_INET6;
|
||||
}
|
||||
print_addr(&aw, af, opts & PF_OPT_VERBOSE2);
|
||||
}
|
||||
|
||||
if (p) {
|
||||
if (af == AF_INET)
|
||||
printf(":%u", p);
|
||||
else
|
||||
printf("[%u]", p);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
print_seq(struct pfsync_state_peer *p)
|
||||
{
|
||||
if (p->seqdiff)
|
||||
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
|
||||
p->seqdiff);
|
||||
else
|
||||
printf("[%u + %u]", p->seqlo, p->seqhi - p->seqlo);
|
||||
}
|
||||
|
||||
void
|
||||
print_state(struct pfsync_state *s, int opts)
|
||||
{
|
||||
struct pfsync_state_peer *src, *dst;
|
||||
struct protoent *p;
|
||||
int min, sec;
|
||||
|
||||
if (s->direction == PF_OUT) {
|
||||
src = &s->src;
|
||||
dst = &s->dst;
|
||||
} else {
|
||||
src = &s->dst;
|
||||
dst = &s->src;
|
||||
}
|
||||
printf("%s ", s->ifname);
|
||||
if ((p = getprotobynumber(s->proto)) != NULL)
|
||||
printf("%s ", p->p_name);
|
||||
else
|
||||
printf("%u ", s->proto);
|
||||
if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
|
||||
(s->lan.port != s->gwy.port)) {
|
||||
print_host(&s->lan, s->af, opts);
|
||||
if (s->direction == PF_OUT)
|
||||
printf(" -> ");
|
||||
else
|
||||
printf(" <- ");
|
||||
}
|
||||
print_host(&s->gwy, s->af, opts);
|
||||
if (s->direction == PF_OUT)
|
||||
printf(" -> ");
|
||||
else
|
||||
printf(" <- ");
|
||||
print_host(&s->ext, s->af, opts);
|
||||
|
||||
printf(" ");
|
||||
if (s->proto == IPPROTO_TCP) {
|
||||
if (src->state <= TCPS_TIME_WAIT &&
|
||||
dst->state <= TCPS_TIME_WAIT)
|
||||
printf(" %s:%s\n", tcpstates[src->state],
|
||||
tcpstates[dst->state]);
|
||||
else if (src->state == PF_TCPS_PROXY_SRC ||
|
||||
dst->state == PF_TCPS_PROXY_SRC)
|
||||
printf(" PROXY:SRC\n");
|
||||
else if (src->state == PF_TCPS_PROXY_DST ||
|
||||
dst->state == PF_TCPS_PROXY_DST)
|
||||
printf(" PROXY:DST\n");
|
||||
else
|
||||
printf(" <BAD STATE LEVELS %u:%u>\n",
|
||||
src->state, dst->state);
|
||||
if (opts & PF_OPT_VERBOSE) {
|
||||
printf(" ");
|
||||
print_seq(src);
|
||||
if (src->wscale && dst->wscale)
|
||||
printf(" wscale %u",
|
||||
src->wscale & PF_WSCALE_MASK);
|
||||
printf(" ");
|
||||
print_seq(dst);
|
||||
if (src->wscale && dst->wscale)
|
||||
printf(" wscale %u",
|
||||
dst->wscale & PF_WSCALE_MASK);
|
||||
printf("\n");
|
||||
}
|
||||
} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
|
||||
dst->state < PFUDPS_NSTATES) {
|
||||
const char *states[] = PFUDPS_NAMES;
|
||||
|
||||
printf(" %s:%s\n", states[src->state], states[dst->state]);
|
||||
} else if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
|
||||
dst->state < PFOTHERS_NSTATES) {
|
||||
/* XXX ICMP doesn't really have state levels */
|
||||
const char *states[] = PFOTHERS_NAMES;
|
||||
|
||||
printf(" %s:%s\n", states[src->state], states[dst->state]);
|
||||
} else {
|
||||
printf(" %u:%u\n", src->state, dst->state);
|
||||
}
|
||||
|
||||
if (opts & PF_OPT_VERBOSE) {
|
||||
sec = s->creation % 60;
|
||||
s->creation /= 60;
|
||||
min = s->creation % 60;
|
||||
s->creation /= 60;
|
||||
printf(" age %.2u:%.2u:%.2u", s->creation, min, sec);
|
||||
sec = s->expire % 60;
|
||||
s->expire /= 60;
|
||||
min = s->expire % 60;
|
||||
s->expire /= 60;
|
||||
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
|
||||
printf(", %llu:%llu pkts, %llu:%llu bytes",
|
||||
(unsigned long long)pf_state_counter_from_pfsync(s->packets[0]),
|
||||
(unsigned long long)pf_state_counter_from_pfsync(s->packets[1]),
|
||||
(unsigned long long)pf_state_counter_from_pfsync(s->bytes[0]),
|
||||
(unsigned long long)pf_state_counter_from_pfsync(s->bytes[1]));
|
||||
if (s->anchor != -1)
|
||||
printf(", anchor %u", s->anchor);
|
||||
if (s->rule != -1)
|
||||
printf(", rule %u", s->rule);
|
||||
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
|
||||
printf(", source-track");
|
||||
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
|
||||
printf(", sticky-address");
|
||||
printf("\n");
|
||||
}
|
||||
if (opts & PF_OPT_VERBOSE2) {
|
||||
printf(" id: %016llx creatorid: %08x%s\n",
|
||||
(unsigned long long int)pf_state_counter_from_pfsync(s->id),
|
||||
ntohl(s->creatorid),
|
||||
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
unmask(struct pf_addr *m, sa_family_t af)
|
||||
{
|
||||
int i = 31, j = 0, b = 0;
|
||||
u_int32_t tmp;
|
||||
|
||||
while (j < 4 && m->addr32[j] == 0xffffffff) {
|
||||
b += 32;
|
||||
j++;
|
||||
}
|
||||
if (j < 4) {
|
||||
tmp = ntohl(m->addr32[j]);
|
||||
for (i = 31; tmp & (1 << i); --i)
|
||||
b++;
|
||||
}
|
||||
return (b);
|
||||
}
|
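Review bot: `print_state` modifies its input in place — `s->creation /= 60` and `s->expire /= 60` in the PF_OPT_VERBOSE branch — which was tolerable when pfctl owned the buffer but now also runs inside tcpdump, where print-pfsync.c hands it a pointer straight into the captured packet, so the hex dump printed afterwards and any second pass over the buffer see altered values; copy the two fields into locals first (they are printed with `%u`, so a `u_int32_t` local matches, assuming that is their declared type). `printf("%s ", s->ifname)` prints a fixed-size field that now arrives from the network with no guaranteed NUL terminator; `printf("%.*s ", (int)sizeof(s->ifname), s->ifname)` bounds it. In `unmask`, `tmp & (1 << i)` with `i` starting at 31 shifts a signed `int` into its sign bit, which is undefined behaviour; `1U << i` is what was meant. Finally, `port` and `creatorid` are converted with ntohs/ntohl but `seqlo`, `seqhi`, `seqdiff`, `rule` and `anchor` are printed raw — if those are also carried in network byte order in the pfsync state, `print_seq` and the rule/anchor output need ntohl; worth confirming against the kernel's state export.
```c
	if (opts & PF_OPT_VERBOSE) {
		/* Work on copies: s may point into a captured packet buffer. */
		u_int32_t creation = s->creation;
		u_int32_t expire = s->expire;

		sec = creation % 60;
		creation /= 60;
		min = creation % 60;
		creation /= 60;
		printf(" age %.2u:%.2u:%.2u", creation, min, sec);
		sec = expire % 60;
		expire /= 60;
		min = expire % 60;
		expire /= 60;
		printf(", expires in %.2u:%.2u:%.2u", expire, min, sec);
		/* ... unchanged: packet/byte counters, anchor, rule, sync_flags ... */
	}
```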
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: print-ip.c,v 1.7 2007/07/24 11:53:44 drochner Exp $ */
|
||||
/* $NetBSD: print-ip.c,v 1.8 2009/09/14 10:36:49 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
|
||||
|
@ -27,7 +27,7 @@
|
|||
static const char rcsid[] _U_ =
|
||||
"@(#) Header: /tcpdump/master/tcpdump/print-ip.c,v 1.149.2.8 2007/01/29 20:57:47 guy Exp (LBL)";
|
||||
#else
|
||||
__RCSID("$NetBSD: print-ip.c,v 1.7 2007/07/24 11:53:44 drochner Exp $");
|
||||
__RCSID("$NetBSD: print-ip.c,v 1.8 2009/09/14 10:36:49 degroote Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -525,6 +525,10 @@ again:
|
|||
pgm_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
|
||||
break;
|
||||
|
||||
case IPPROTO_PFSYNC:
|
||||
pfsync_ip_print(ipds->cp, ipds->len, (const u_char *)ipds->ip);
|
||||
break;
|
||||
|
||||
default:
|
||||
if ((proto = getprotobynumber(ipds->nh)) != NULL)
|
||||
ND_PRINT((ndo, " %s", proto->p_name));
|
||||
|
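Review bot: The `ipds->len` passed to pfsync_ip_print here is the IP payload length derived from the packet itself, and pfsync_ip_print (print-pfsync.c in this commit) walks that many bytes of state records with no check against the end of the captured data — unlike pfsync_if_print, which bounds itself by `h->caplen`. A packet whose IP length field exceeds the bytes actually captured (any truncated capture) therefore makes pfsync_print read past the capture buffer. The cleanest fix is inside pfsync_ip_print, clamping `len` to the remaining captured bytes before its header check, presumably via the `snapend` limit the other printers use; failing that, clamp here with `if (ipds->cp + ipds->len > snapend) ipds->len = snapend - ipds->cp;` before the call. The switch this case belongs to starts before the hunk.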
|
|
@ -0,0 +1,222 @@
|
|||
/* $NetBSD: print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $ */
|
||||
/* $OpenBSD: print-pfsync.c,v 1.30 2007/05/31 04:16:26 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002 Michael Shalayeff
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
|
||||
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
* THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
#if 0
|
||||
static const char rcsid[] =
|
||||
"@(#) $Header: /cvsroot/src/dist/tcpdump/Attic/print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $";
|
||||
#else
|
||||
__RCSID("$NetBSD: print-pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/mbuf.h>
|
||||
|
||||
#ifdef __STDC__
|
||||
struct rtentry;
|
||||
#endif
|
||||
#include <net/if.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
|
||||
#include <net/pfvar.h>
|
||||
#include <net/if_pfsync.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <netdb.h>
|
||||
#include <pcap.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "interface.h"
|
||||
#include "addrtoname.h"
|
||||
#include "pfctl_parser.h"
|
||||
#include "pfctl.h"
|
||||
|
||||
const char *pfsync_acts[] = { PFSYNC_ACTIONS };
|
||||
|
||||
static void pfsync_print(struct pfsync_header *, int);
|
||||
|
||||
u_int
|
||||
pfsync_if_print(const struct pcap_pkthdr *h, const u_char *p)
|
||||
{
|
||||
u_int caplen = h->caplen;
|
||||
|
||||
ts_print(&h->ts);
|
||||
|
||||
if (caplen < PFSYNC_HDRLEN) {
|
||||
printf("[|pfsync]");
|
||||
goto out;
|
||||
}
|
||||
|
||||
pfsync_print((struct pfsync_header *)p,
|
||||
caplen - sizeof(struct pfsync_header));
|
||||
out:
|
||||
if (xflag) {
|
||||
default_print((const u_char *)h, caplen);
|
||||
}
|
||||
//putchar('\n');
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
pfsync_ip_print(const u_char *bp, u_int len, const u_char *bp2 __unused)
|
||||
{
|
||||
struct pfsync_header *hdr = (struct pfsync_header *)bp;
|
||||
|
||||
if (len < PFSYNC_HDRLEN)
|
||||
printf("[|pfsync]");
|
||||
else
|
||||
pfsync_print(hdr, (len - sizeof(struct pfsync_header)));
|
||||
//putchar('\n');
|
||||
}
|
||||
|
||||
static void
|
||||
pfsync_print(struct pfsync_header *hdr, int len)
|
||||
{
|
||||
struct pfsync_state *s;
|
||||
struct pfsync_state_upd *u;
|
||||
struct pfsync_state_del *d;
|
||||
struct pfsync_state_clr *c;
|
||||
struct pfsync_state_upd_req *r;
|
||||
struct pfsync_state_bus *b;
|
||||
struct pfsync_tdb *t;
|
||||
int i, flags = 0, min, sec;
|
||||
u_int64_t id;
|
||||
|
||||
if (eflag)
|
||||
printf("PFSYNCv%d count %d: ",
|
||||
hdr->version, hdr->count);
|
||||
|
||||
if (hdr->action < PFSYNC_ACT_MAX)
|
||||
printf("%s %s:", (vflag == 0) ? "PFSYNC" : "",
|
||||
pfsync_acts[hdr->action]);
|
||||
else
|
||||
printf("%s %d?:", (vflag == 0) ? "PFSYNC" : "",
|
||||
hdr->action);
|
||||
|
||||
if (!vflag)
|
||||
return;
|
||||
if (vflag)
|
||||
flags |= PF_OPT_VERBOSE;
|
||||
if (vflag > 1)
|
||||
flags |= PF_OPT_VERBOSE2;
|
||||
if (!nflag)
|
||||
flags |= PF_OPT_USEDNS;
|
||||
|
||||
switch (hdr->action) {
|
||||
case PFSYNC_ACT_CLR:
|
||||
if (sizeof(*c) <= len) {
|
||||
c = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
printf("\n\tcreatorid: %08x", htonl(c->creatorid));
|
||||
if (c->ifname[0] != '\0')
|
||||
printf(" interface: %s", c->ifname);
|
||||
}
|
||||
case PFSYNC_ACT_INS:
|
||||
case PFSYNC_ACT_UPD:
|
||||
case PFSYNC_ACT_DEL:
|
||||
for (i = 1, s = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
i <= hdr->count && i * sizeof(*s) <= len; i++, s++) {
|
||||
|
||||
putchar('\n');
|
||||
print_state(s, flags);
|
||||
if (vflag > 1 && hdr->action == PFSYNC_ACT_UPD)
|
||||
printf(" updates: %d", s->updates);
|
||||
}
|
||||
break;
|
||||
case PFSYNC_ACT_UPD_C:
|
||||
for (i = 1, u = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
i <= hdr->count && i * sizeof(*u) <= len; i++, u++) {
|
||||
memcpy(&id, &u->id, sizeof(id));
|
||||
printf("\n\tid: %" PRIu64 " creatorid: %08x",
|
||||
be64toh(id), ntohl(u->creatorid));
|
||||
if (vflag > 1)
|
||||
printf(" updates: %d", u->updates);
|
||||
}
|
||||
break;
|
||||
case PFSYNC_ACT_DEL_C:
|
||||
for (i = 1, d = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
i <= hdr->count && i * sizeof(*d) <= len; i++, d++) {
|
||||
memcpy(&id, &d->id, sizeof(id));
|
||||
printf("\n\tid: %" PRIu64 " creatorid: %08x",
|
||||
be64toh(id), ntohl(d->creatorid));
|
||||
}
|
||||
break;
|
||||
case PFSYNC_ACT_UREQ:
|
||||
for (i = 1, r = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
i <= hdr->count && i * sizeof(*r) <= len; i++, r++) {
|
||||
memcpy(&id, &r->id, sizeof(id));
|
||||
printf("\n\tid: %" PRIu64 " creatorid: %08x",
|
||||
be64toh(id), ntohl(r->creatorid));
|
||||
}
|
||||
break;
|
||||
case PFSYNC_ACT_BUS:
|
||||
if (sizeof(*b) <= len) {
|
||||
b = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
printf("\n\tcreatorid: %08x", htonl(b->creatorid));
|
||||
sec = b->endtime % 60;
|
||||
b->endtime /= 60;
|
||||
min = b->endtime % 60;
|
||||
b->endtime /= 60;
|
||||
printf(" age %.2u:%.2u:%.2u", b->endtime, min, sec);
|
||||
switch (b->status) {
|
||||
case PFSYNC_BUS_START:
|
||||
printf(" status: start");
|
||||
break;
|
||||
case PFSYNC_BUS_END:
|
||||
printf(" status: end");
|
||||
break;
|
||||
default:
|
||||
printf(" status: ?");
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case PFSYNC_ACT_TDB_UPD:
|
||||
for (i = 1, t = (void *)((char *)hdr + PFSYNC_HDRLEN);
|
||||
i <= hdr->count && i * sizeof(*t) <= len; i++, t++)
|
||||
printf("\n\tspi: %08x rpl: %u cur_bytes: %llu",
|
||||
htonl(t->spi), htonl(t->rpl),
|
||||
be64toh(t->cur_bytes));
|
||||
/* XXX add dst and sproto? */
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
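Review bot: In `pfsync_if_print` the `xflag` branch calls `default_print((const u_char *)h, caplen)` — `h` is the `struct pcap_pkthdr`, not the packet, so the hex dump shows the header struct and then reads `caplen` bytes past it; it should be `default_print(p, caplen)`, if the dump belongs here at all, since the function returns a link-layer header length like the other `*_if_print` printers and the commented-out `putchar('\n')` suggests the caller already finishes the line, so the `ts_print` call and this block may duplicate what tcpdump.c does (worth checking against its print_packet). In `pfsync_print`, `case PFSYNC_ACT_CLR` falls straight into the INS/UPD/DEL loop with no `break;`, so a CLR message with a non-zero `count` has its `pfsync_state_clr` reinterpreted as `pfsync_state` records; add `break;` after the closing brace of the `if`. `printf(" interface: %s", c->ifname)` prints a fixed-size field from the wire with no guaranteed NUL; `printf(" interface: %.*s", (int)sizeof(c->ifname), c->ifname)` bounds it. The TDB_UPD case prints `be64toh(t->cur_bytes)` with `%llu` while the neighbouring cases use `PRIu64` for the same type; use `"%" PRIu64` to avoid a format mismatch on LP64. `b->endtime /= 60` also edits the captured packet in place; divide a local copy instead.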
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: tcpdump.c,v 1.8 2007/07/24 11:53:50 drochner Exp $ */
|
||||
/* $NetBSD: tcpdump.c,v 1.9 2009/09/14 10:36:49 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000
|
||||
|
@ -36,7 +36,7 @@ The Regents of the University of California. All rights reserved.\n";
|
|||
static const char rcsid[] _U_ =
|
||||
"@(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.253.2.12 2006/02/01 14:39:56 hannes Exp (LBL)";
|
||||
#else
|
||||
__RCSID("$NetBSD: tcpdump.c,v 1.8 2007/07/24 11:53:50 drochner Exp $");
|
||||
__RCSID("$NetBSD: tcpdump.c,v 1.9 2009/09/14 10:36:49 degroote Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -200,6 +200,9 @@ static struct printer printers[] = {
|
|||
#ifdef DLT_PFLOG
|
||||
{ pflog_if_print, DLT_PFLOG },
|
||||
#endif
|
||||
#ifdef DLT_PFSYNC
|
||||
{ pfsync_if_print, DLT_PFSYNC },
|
||||
#endif
|
||||
#ifdef DLT_FR
|
||||
{ fr_if_print, DLT_FR },
|
||||
#endif
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: mi,v 1.1157 2009/09/08 07:08:01 skrll Exp $
|
||||
# $NetBSD: mi,v 1.1158 2009/09/14 10:36:49 degroote Exp $
|
||||
#
|
||||
# Note: don't delete entries from here - mark them as "obsolete" instead.
|
||||
#
|
||||
|
@ -1285,6 +1285,7 @@
|
|||
./usr/share/man/cat4/pdcsata.0 man-sys-catman .cat
|
||||
./usr/share/man/cat4/pf.0 man-pf-catman pf,.cat
|
||||
./usr/share/man/cat4/pflog.0 man-pf-catman pf,.cat
|
||||
./usr/share/man/cat4/pfsync.0 man-pf-catman pf,.cat
|
||||
./usr/share/man/cat4/phy.0 man-sys-catman .cat
|
||||
./usr/share/man/cat4/piixide.0 man-sys-catman .cat
|
||||
./usr/share/man/cat4/piixpcib.0 man-sys-catman .cat
|
||||
|
@ -3851,6 +3852,7 @@
|
|||
./usr/share/man/html4/pdcsata.html man-sys-htmlman html
|
||||
./usr/share/man/html4/pf.html man-pf-htmlman pf,html
|
||||
./usr/share/man/html4/pflog.html man-pf-htmlman pf,html
|
||||
./usr/share/man/html4/pfsync.html man-pf-htmlman pf,html
|
||||
./usr/share/man/html4/phy.html man-sys-htmlman html
|
||||
./usr/share/man/html4/piixide.html man-sys-htmlman html
|
||||
./usr/share/man/html4/piixpcib.html man-sys-htmlman html
|
||||
|
@ -6295,6 +6297,7 @@
|
|||
./usr/share/man/man4/pdcsata.4 man-sys-man .man
|
||||
./usr/share/man/man4/pf.4 man-pf-man pf,.man
|
||||
./usr/share/man/man4/pflog.4 man-pf-man pf,.man
|
||||
./usr/share/man/man4/pfsync.4 man-pf-man pf,.man
|
||||
./usr/share/man/man4/phy.4 man-sys-man .man
|
||||
./usr/share/man/man4/piixide.4 man-sys-man .man
|
||||
./usr/share/man/man4/piixpcib.4 man-sys-man .man
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: protocols,v 1.20 2008/11/30 08:49:25 tsutsui Exp $
|
||||
# $NetBSD: protocols,v 1.21 2009/09/14 10:36:49 degroote Exp $
|
||||
# See also: protocols(5), http://www.sethwklein.net/projects/iana-etc/
|
||||
#
|
||||
#
|
||||
|
@ -157,6 +157,7 @@ mobility 135 Mobility # Header [RFC3775]
|
|||
udplite 136 UDPLite # [RFC3828]
|
||||
mpls-in-ip 137 MPLS-in-IP # [RFC4023]
|
||||
# 138-252 Unassigned [IANA]
|
||||
pfsync 240 PFSYNC # PF Synchronization
|
||||
use 253 Use # for experimentation and testing [RFC3692]
|
||||
use 254 Use # for experimentation and testing [RFC3692]
|
||||
# 255 Reserved [IANA]
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile.inc,v 1.3 2009/05/26 21:58:31 pooka Exp $
|
||||
# $NetBSD: Makefile.inc,v 1.4 2009/09/14 10:36:49 degroote Exp $
|
||||
|
||||
PROG= ifconfig
|
||||
|
||||
|
@ -19,3 +19,6 @@ SRCS+= parse.c
|
|||
SRCS+= tunnel.c
|
||||
SRCS+= util.c
|
||||
SRCS+= vlan.c
|
||||
|
||||
CPPFLAGS+=-I ${.CURDIR}/../../sys/dist/pf/
|
||||
SRCS+= pfsync.c
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: ifconfig.8,v 1.100 2009/08/07 20:13:12 dyoung Exp $
|
||||
.\" $NetBSD: ifconfig.8,v 1.101 2009/09/14 10:36:49 degroote Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1983, 1991, 1993
|
||||
.\" The Regents of the University of California. All rights reserved.
|
||||
|
@ -723,6 +723,37 @@ support it.
|
|||
.It Cm -tso6
|
||||
Disable hardware-assisted TCP/IPv6 segmentation on interfaces that
|
||||
support it.
|
||||
.It Cm maxupd Ar n
|
||||
If the driver is a
|
||||
.Xr pfsync 4
|
||||
pseudo-device, indicate the maximum number
|
||||
of updates for a single state which can be collapsed into one.
|
||||
This is an 8-bit number; the default value is 128.
|
||||
.It Cm syncdev Ar iface
|
||||
If the driver is a
|
||||
.Xr pfsync 4
|
||||
pseudo-device, use the specified interface
|
||||
to send and receive pfsync state synchronisation messages.
|
||||
.It Fl syncdev
|
||||
If the driver is a
|
||||
.Xr pfsync 4
|
||||
pseudo-device, stop sending pfsync state
|
||||
synchronisation messages over the network.
|
||||
.It Cm syncpeer Ar peer_address
|
||||
If the driver is a
|
||||
.Xr pfsync 4
|
||||
pseudo-device, make the pfsync link point-to-point rather than using
|
||||
multicast to broadcast the state synchronisation messages.
|
||||
The peer_address is the IP address of the other host taking part in
|
||||
the pfsync cluster.
|
||||
With this option,
|
||||
.Xr pfsync 4
|
||||
traffic can be protected using
|
||||
.Xr ipsec 4 .
|
||||
.It Fl syncpeer
|
||||
If the driver is a
|
||||
.Xr pfsync 4
|
||||
pseudo-device, broadcast the packets using multicast.
|
||||
.El
|
||||
.Pp
|
||||
.Nm
|
||||
|
@ -848,6 +879,7 @@ tried to alter an interface's configuration.
|
|||
.Xr carp 4 ,
|
||||
.Xr ifmedia 4 ,
|
||||
.Xr netintro 4 ,
|
||||
.Xr pfsync 4 ,
|
||||
.Xr vlan 4 ,
|
||||
.Xr ifconfig.if 5 ,
|
||||
.\" .Xr eon 5 ,
|
||||
|
|
|
@ -0,0 +1,229 @@
|
|||
/* $NetBSD: pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2009 The NetBSD Foundation, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
||||
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
||||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
__RCSID("$NetBSD: pfsync.c,v 1.1 2009/09/14 10:36:49 degroote Exp $");
|
||||
#endif /* not lint */
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/sockio.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
#include <net/pfvar.h>
|
||||
#include <net/if_pfsync.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <err.h>
|
||||
#include <errno.h>
|
||||
#include <util.h>
|
||||
|
||||
#include "env.h"
|
||||
#include "parse.h"
|
||||
#include "extern.h"
|
||||
|
||||
static status_func_t status;
|
||||
static usage_func_t usage;
|
||||
static cmdloop_branch_t branch;
|
||||
|
||||
static void pfsync_constructor(void) __attribute__((constructor));
|
||||
static void pfsync_status(prop_dictionary_t, prop_dictionary_t);
|
||||
static int setpfsync_maxupd(prop_dictionary_t, prop_dictionary_t);
|
||||
static int setpfsync_peer(prop_dictionary_t, prop_dictionary_t);
|
||||
static int setpfsyncdev(prop_dictionary_t, prop_dictionary_t);
|
||||
|
||||
struct pinteger parse_maxupd = PINTEGER_INITIALIZER1(&parse_maxupd, "maxupd",
|
||||
0, 255, 10, setpfsync_maxupd, "maxupd", &command_root.pb_parser);
|
||||
|
||||
struct piface pfsyncdev = PIFACE_INITIALIZER(&pfsyncdev, "syncdev", setpfsyncdev,
|
||||
"syncdev", &command_root.pb_parser);
|
||||
|
||||
struct paddr parse_sync_peer = PADDR_INITIALIZER(&parse_sync_peer, "syncpeer",
|
||||
setpfsync_peer, "syncpeer", NULL, NULL, NULL, &command_root.pb_parser);
|
||||
|
||||
static const struct kwinst pfsynckw[] = {
|
||||
{.k_word = "maxupd", .k_nextparser = &parse_maxupd.pi_parser},
|
||||
{.k_word = "syncdev", .k_nextparser = &pfsyncdev.pif_parser},
|
||||
{.k_word = "-syncdev", .k_key = "syncdev", .k_type = KW_T_STR,
|
||||
.k_str = "", .k_exec = setpfsyncdev,
|
||||
.k_nextparser = &command_root.pb_parser},
|
||||
{.k_word = "syncpeer", .k_nextparser = &parse_sync_peer.pa_parser},
|
||||
{.k_word = "-syncpeer", .k_key = "syncpeer", .k_type = KW_T_STR,
|
||||
.k_str = "", .k_exec = setpfsync_peer,
|
||||
.k_nextparser = &command_root.pb_parser}
|
||||
};
|
||||
|
||||
struct pkw pfsync = PKW_INITIALIZER(&pfsync, "pfsync", NULL, NULL,
|
||||
pfsynckw, __arraycount(pfsynckw), NULL);
|
||||
|
||||
static void
|
||||
pfsync_set(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
|
||||
{
|
||||
if (indirect_ioctl(env, SIOCSETPFSYNC, pfsyncr) == -1)
|
||||
err(EXIT_FAILURE, "SIOCSETPFSYNC");
|
||||
}
|
||||
|
||||
static int
|
||||
pfsync_get1(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
|
||||
{
|
||||
memset(pfsyncr, 0, sizeof(*pfsyncr));
|
||||
|
||||
return indirect_ioctl(env, SIOCGETPFSYNC, pfsyncr);
|
||||
}
|
||||
|
||||
static void
|
||||
pfsync_get(prop_dictionary_t env, struct pfsyncreq *pfsyncr)
|
||||
{
|
||||
if (pfsync_get1(env, pfsyncr) == -1)
|
||||
err(EXIT_FAILURE, "SIOCGETPFSYNC");
|
||||
}
|
||||
|
||||
static void
|
||||
pfsync_status(prop_dictionary_t env, prop_dictionary_t oenv)
|
||||
{
|
||||
struct pfsyncreq pfsyncr;
|
||||
|
||||
if (pfsync_get1(env, &pfsyncr) == -1)
|
||||
return;
|
||||
|
||||
if (pfsyncr.pfsyncr_syncdev[0] != '\0') {
|
||||
printf("\tpfsync: syncdev: %s ", pfsyncr.pfsyncr_syncdev);
|
||||
if (pfsyncr.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP)
|
||||
printf("syncpeer: %s ",
|
||||
inet_ntoa(pfsyncr.pfsyncr_syncpeer));
|
||||
printf("maxupd: %d\n", pfsyncr.pfsyncr_maxupdates);
|
||||
}
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
int
|
||||
setpfsync_maxupd(prop_dictionary_t env, prop_dictionary_t oenv)
|
||||
{
|
||||
struct pfsyncreq pfsyncr;
|
||||
uint8_t maxupd;
|
||||
|
||||
if (!prop_dictionary_get_uint8(env, "maxupd", &maxupd)) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
pfsync_get(env, &pfsyncr);
|
||||
|
||||
pfsyncr.pfsyncr_maxupdates = maxupd;
|
||||
|
||||
pfsync_set(env, &pfsyncr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* ARGSUSED */
|
||||
int
|
||||
setpfsyncdev(prop_dictionary_t env, prop_dictionary_t oenv)
|
||||
{
|
||||
struct pfsyncreq pfsyncr;
|
||||
const char *dev;
|
||||
|
||||
if (!prop_dictionary_get_cstring_nocopy(env, "syncdev", &dev)) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
pfsync_get(env, &pfsyncr);
|
||||
|
||||
strlcpy(pfsyncr.pfsyncr_syncdev, dev, sizeof(pfsyncr.pfsyncr_syncdev));
|
||||
|
||||
pfsync_set(env, &pfsyncr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* ARGSUSED */
|
||||
int
|
||||
setpfsync_peer(prop_dictionary_t env, prop_dictionary_t oenv)
|
||||
{
|
||||
struct pfsyncreq pfsyncr;
|
||||
prop_data_t data;
|
||||
const struct paddr_prefix *peerpfx;
|
||||
const struct sockaddr_in *s;
|
||||
|
||||
data = (prop_data_t)prop_dictionary_get(env, "syncpeer");
|
||||
if (data == NULL) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
pfsync_get(env, &pfsyncr);
|
||||
|
||||
peerpfx = prop_data_data_nocopy(data);
|
||||
|
||||
if (peerpfx != NULL) {
|
||||
// Only AF_INET is supported for now
|
||||
if (peerpfx->pfx_addr.sa_family != AF_INET) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
s = (const struct sockaddr_in*)&peerpfx->pfx_addr;
|
||||
|
||||
memcpy(&pfsyncr.pfsyncr_syncpeer.s_addr, &s->sin_addr,
|
||||
MIN(sizeof(pfsyncr.pfsyncr_syncpeer.s_addr),
|
||||
peerpfx->pfx_addr.sa_len));
|
||||
} else {
|
||||
memset(&pfsyncr.pfsyncr_syncpeer.s_addr, 0,
|
||||
sizeof(pfsyncr.pfsyncr_syncpeer.s_addr));
|
||||
}
|
||||
|
||||
pfsync_set(env, &pfsyncr);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
pfsync_usage(prop_dictionary_t env)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"\t[ maxupd n ] [ syncdev iface ] [syncpeer peer_addr]\n");
|
||||
}
|
||||
|
||||
static void
|
||||
pfsync_constructor(void)
|
||||
{
|
||||
cmdloop_branch_init(&branch, &pfsync.pk_parser);
|
||||
register_cmdloop_branch(&branch);
|
||||
status_func_init(&status, pfsync_status);
|
||||
usage_func_init(&usage, pfsync_usage);
|
||||
register_status(&status);
|
||||
register_usage(&usage);
|
||||
}
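Review bot: In setpfsync_peer the memcpy length is `MIN(sizeof(pfsyncr.pfsyncr_syncpeer.s_addr), peerpfx->pfx_addr.sa_len)`, but sa_len is the length of the whole sockaddr rather than of sin_addr, so the bound only works because a complete sockaddr_in is longer than an in_addr; an address with sa_len below sizeof(struct sockaddr_in) would copy part of sin_addr and leave the remaining bytes as whatever SIOCGETPFSYNC returned. Checking the length once and copying the field whole reads the same as the rest of the file: `if (peerpfx->pfx_addr.sa_len < sizeof(*s)) { errno = EINVAL; return -1; }` followed by `memcpy(&pfsyncr.pfsyncr_syncpeer, &s->sin_addr, sizeof(pfsyncr.pfsyncr_syncpeer));`. The non-AF_INET branch reports ENOENT, the same errno the function uses for a missing argument; EAFNOSUPPORT names the actual failure. setpfsyncdev does not check the strlcpy result, so a syncdev name longer than IFNAMSIZ-1 is silently truncated and the kernel is asked for a different interface; compare the return value with sizeof(pfsyncr.pfsyncr_syncdev) and fail with ENAMETOOLONG. The three set functions are declared `static int` near the top of the file but defined without the keyword, which C permits but reads as if they were exported; adding `static` to the definitions matches the declarations.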
@ -0,0 +1,284 @@
|
|||
/* $NetBSD: if_pfsync.h,v 1.3 2009/09/14 10:36:49 degroote Exp $ */
|
||||
/* $OpenBSD: if_pfsync.h,v 1.31 2007/05/31 04:11:42 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001 Michael Shalayeff
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
|
||||
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||||
* THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _NET_IF_PFSYNC_H_
|
||||
#define _NET_IF_PFSYNC_H_
|
||||
|
||||
#define INADDR_PFSYNC_GROUP __IPADDR(0xe00000f0) /* 224.0.0.240 */
|
||||
|
||||
#define PFSYNC_ID_LEN sizeof(u_int64_t)
|
||||
|
||||
struct pfsync_tdb {
|
||||
u_int32_t spi;
|
||||
union sockaddr_union dst;
|
||||
u_int32_t rpl;
|
||||
u_int64_t cur_bytes;
|
||||
u_int8_t sproto;
|
||||
u_int8_t updates;
|
||||
u_int8_t pad[2];
|
||||
} __packed;
|
||||
|
||||
struct pfsync_state_upd {
|
||||
u_int32_t id[2];
|
||||
struct pfsync_state_peer src;
|
||||
struct pfsync_state_peer dst;
|
||||
u_int32_t creatorid;
|
||||
u_int32_t expire;
|
||||
u_int8_t timeout;
|
||||
u_int8_t updates;
|
||||
u_int8_t pad[6];
|
||||
} __packed;
|
||||
|
||||
struct pfsync_state_del {
|
||||
u_int32_t id[2];
|
||||
u_int32_t creatorid;
|
||||
struct {
|
||||
u_int8_t state;
|
||||
} src;
|
||||
struct {
|
||||
u_int8_t state;
|
||||
} dst;
|
||||
u_int8_t pad[2];
|
||||
} __packed;
|
||||
|
||||
struct pfsync_state_upd_req {
|
||||
u_int32_t id[2];
|
||||
u_int32_t creatorid;
|
||||
u_int32_t pad;
|
||||
} __packed;
|
||||
|
||||
struct pfsync_state_clr {
|
||||
char ifname[IFNAMSIZ];
|
||||
u_int32_t creatorid;
|
||||
u_int32_t pad;
|
||||
} __packed;
|
||||
|
||||
struct pfsync_state_bus {
|
||||
u_int32_t creatorid;
|
||||
u_int32_t endtime;
|
||||
u_int8_t status;
|
||||
#define PFSYNC_BUS_START 1
|
||||
#define PFSYNC_BUS_END 2
|
||||
u_int8_t pad[7];
|
||||
} __packed;
|
||||
|
||||
#ifdef _KERNEL
|
||||
|
||||
union sc_statep {
|
||||
struct pfsync_state *s;
|
||||
struct pfsync_state_upd *u;
|
||||
struct pfsync_state_del *d;
|
||||
struct pfsync_state_clr *c;
|
||||
struct pfsync_state_bus *b;
|
||||
struct pfsync_state_upd_req *r;
|
||||
};
|
||||
|
||||
union sc_tdb_statep {
|
||||
struct pfsync_tdb *t;
|
||||
};
|
||||
|
||||
extern int pfsync_sync_ok;
|
||||
|
||||
struct pfsync_softc {
|
||||
struct ifnet sc_if;
|
||||
struct ifnet *sc_sync_ifp;
|
||||
|
||||
struct ip_moptions sc_imo;
|
||||
struct callout sc_tmo;
|
||||
struct callout sc_tdb_tmo;
|
||||
struct callout sc_bulk_tmo;
|
||||
struct callout sc_bulkfail_tmo;
|
||||
struct in_addr sc_sync_peer;
|
||||
struct in_addr sc_sendaddr;
|
||||
struct mbuf *sc_mbuf; /* current cumulative mbuf */
|
||||
struct mbuf *sc_mbuf_net; /* current cumulative mbuf */
|
||||
struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */
|
||||
union sc_statep sc_statep;
|
||||
union sc_statep sc_statep_net;
|
||||
union sc_tdb_statep sc_statep_tdb;
|
||||
u_int32_t sc_ureq_received;
|
||||
u_int32_t sc_ureq_sent;
|
||||
struct pf_state *sc_bulk_send_next;
|
||||
struct pf_state *sc_bulk_terminator;
|
||||
int sc_bulk_tries;
|
||||
int sc_maxcount; /* number of states in mtu */
|
||||
int sc_maxupdates; /* number of updates/state */
|
||||
};
|
||||
|
||||
extern struct pfsync_softc *pfsyncif;
|
||||
#endif
|
||||
|
||||
|
||||
struct pfsync_header {
|
||||
u_int8_t version;
|
||||
#define PFSYNC_VERSION 3
|
||||
u_int8_t af;
|
||||
u_int8_t action;
|
||||
#define PFSYNC_ACT_CLR 0 /* clear all states */
|
||||
#define PFSYNC_ACT_INS 1 /* insert state */
|
||||
#define PFSYNC_ACT_UPD 2 /* update state */
|
||||
#define PFSYNC_ACT_DEL 3 /* delete state */
|
||||
#define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */
|
||||
#define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */
|
||||
#define PFSYNC_ACT_INS_F 6 /* insert fragment */
|
||||
#define PFSYNC_ACT_DEL_F 7 /* delete fragments */
|
||||
#define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */
|
||||
#define PFSYNC_ACT_BUS 9 /* Bulk Update Status */
|
||||
#define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
|
||||
#define PFSYNC_ACT_MAX 11
|
||||
u_int8_t count;
|
||||
u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
|
||||
} __packed;
|
||||
|
||||
#define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */
|
||||
#define PFSYNC_MAX_BULKTRIES 12
|
||||
#define PFSYNC_HDRLEN sizeof(struct pfsync_header)
|
||||
#define PFSYNC_ACTIONS \
|
||||
"CLR ST", "INS ST", "UPD ST", "DEL ST", \
|
||||
"UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \
|
||||
"UPD REQ", "BLK UPD STAT", "TDB UPD"
|
||||
|
||||
#define PFSYNC_DFLTTL 255
|
||||
|
||||
#define PFSYNC_STAT_IPACKETS 0 /* total input packets, IPv4 */
|
||||
#define PFSYNC_STAT_IPACKETS6 1 /* total input packets, IPv6 */
|
||||
#define PFSYNC_STAT_BADIF 2 /* not the right interface */
|
||||
#define PFSYNC_STAT_BADTTL 3 /* TTL is not PFSYNC_DFLTTL */
|
||||
#define PFSYNC_STAT_HDROPS 4 /* packets shorter than hdr */
|
||||
#define PFSYNC_STAT_BADVER 5 /* bad (incl unsupp) version */
|
||||
#define PFSYNC_STAT_BADACT 6 /* bad action */
|
||||
#define PFSYNC_STAT_BADLEN 7 /* data length does not match */
|
||||
#define PFSYNC_STAT_BADAUTH 8 /* bad authentication */
|
||||
#define PFSYNC_STAT_STALE 9 /* stale state */
|
||||
#define PFSYNC_STAT_BADVAL 10 /* bad values */
|
||||
#define PFSYNC_STAT_BADSTATE 11 /* insert/lookup failed */
|
||||
#define PFSYNC_STAT_OPACKETS 12 /* total output packets, IPv4 */
|
||||
#define PFSYNC_STAT_OPACKETS6 13 /* total output packets, IPv6 */
|
||||
#define PFSYNC_STAT_ONOMEM 14 /* no memory for an mbuf */
|
||||
#define PFSYNC_STAT_OERRORS 15 /* ip output error */
|
||||
|
||||
#define PFSYNC_NSTATS 16
|
||||
|
||||
/*
|
||||
* Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC
|
||||
*/
|
||||
struct pfsyncreq {
|
||||
char pfsyncr_syncdev[IFNAMSIZ];
|
||||
struct in_addr pfsyncr_syncpeer;
|
||||
int pfsyncr_maxupdates;
|
||||
int pfsyncr_authlevel;
|
||||
};
|
||||
|
||||
|
||||
/* for copies to/from network */
|
||||
#define pf_state_peer_hton(s,d) do { \
|
||||
(d)->seqlo = htonl((s)->seqlo); \
|
||||
(d)->seqhi = htonl((s)->seqhi); \
|
||||
(d)->seqdiff = htonl((s)->seqdiff); \
|
||||
(d)->max_win = htons((s)->max_win); \
|
||||
(d)->mss = htons((s)->mss); \
|
||||
(d)->state = (s)->state; \
|
||||
(d)->wscale = (s)->wscale; \
|
||||
if ((s)->scrub) { \
|
||||
(d)->scrub.pfss_flags = \
|
||||
htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
|
||||
(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
|
||||
(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
|
||||
(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define pf_state_peer_ntoh(s,d) do { \
|
||||
(d)->seqlo = ntohl((s)->seqlo); \
|
||||
(d)->seqhi = ntohl((s)->seqhi); \
|
||||
(d)->seqdiff = ntohl((s)->seqdiff); \
|
||||
(d)->max_win = ntohs((s)->max_win); \
|
||||
(d)->mss = ntohs((s)->mss); \
|
||||
(d)->state = (s)->state; \
|
||||
(d)->wscale = (s)->wscale; \
|
||||
if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
|
||||
(d)->scrub != NULL) { \
|
||||
(d)->scrub->pfss_flags = \
|
||||
ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
|
||||
(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
|
||||
(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define pf_state_host_hton(s,d) do { \
|
||||
memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr)); \
|
||||
(d)->port = (s)->port; \
|
||||
} while (0)
|
||||
|
||||
#define pf_state_host_ntoh(s,d) do { \
|
||||
memcpy(&(d)->addr, &(s)->addr, sizeof((d)->addr)); \
|
||||
(d)->port = (s)->port; \
|
||||
} while (0)
|
||||
|
||||
#define pf_state_counter_hton(s,d) do { \
|
||||
d[0] = htonl((s>>32)&0xffffffff); \
|
||||
d[1] = htonl(s&0xffffffff); \
|
||||
} while (0)
|
||||
|
||||
#define pf_state_counter_ntoh(s,d) do { \
|
||||
d = ntohl(s[0]); \
|
||||
d = d<<32; \
|
||||
d += ntohl(s[1]); \
|
||||
} while (0)
|
||||
|
||||
#ifdef _KERNEL
|
||||
void pfsync_input(struct mbuf *, ...);
|
||||
int pfsync_clear_states(u_int32_t, char *);
|
||||
int pfsync_pack_state(u_int8_t, struct pf_state *, int);
|
||||
#define pfsync_insert_state(st) do { \
|
||||
if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \
|
||||
(st->state_key->proto == IPPROTO_PFSYNC)) \
|
||||
st->sync_flags |= PFSTATE_NOSYNC; \
|
||||
else if (!st->sync_flags) \
|
||||
pfsync_pack_state(PFSYNC_ACT_INS, (st), \
|
||||
PFSYNC_FLAG_COMPRESS); \
|
||||
st->sync_flags &= ~PFSTATE_FROMSYNC; \
|
||||
} while (0)
|
||||
#define pfsync_update_state(st) do { \
|
||||
if (!st->sync_flags) \
|
||||
pfsync_pack_state(PFSYNC_ACT_UPD, (st), \
|
||||
PFSYNC_FLAG_COMPRESS); \
|
||||
st->sync_flags &= ~PFSTATE_FROMSYNC; \
|
||||
} while (0)
|
||||
#define pfsync_delete_state(st) do { \
|
||||
if (!st->sync_flags) \
|
||||
pfsync_pack_state(PFSYNC_ACT_DEL, (st), \
|
||||
PFSYNC_FLAG_COMPRESS); \
|
||||
} while (0)
|
||||
#ifdef NOTYET
|
||||
int pfsync_update_tdb(struct tdb *, int);
|
||||
#endif /* NOTYET */
|
||||
#endif
|
||||
|
||||
#endif /* _NET_IF_PFSYNC_H_ */
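Review bot: pf_state_counter_hton and pf_state_counter_ntoh use their macro parameters unparenthesised (`s>>32`, `s[0]`, `d = d<<32`), unlike pf_state_peer_hton/ntoh in the same file which wrap every use; an argument that is an expression rather than a plain identifier would be mis-parsed. Writing `d[0] = htonl(((s) >> 32) & 0xffffffff);` and `d[1] = htonl((s) & 0xffffffff);` in the hton form, and `(d) = ntohl((s)[0]);` etc. in the ntoh form, makes them as robust as the peer macros; the pfsync_insert_state/update_state/delete_state macros have the same bare `st->` pattern. None of the wire structures in this header carries a field that looks like an authenticator, while PFSYNC_STAT_BADAUTH and pfsyncr_authlevel imply a check somewhere outside the visible hunks, so a comment on struct pfsync_header stating what pf_chksum is computed over and where (if anywhere) packet authentication happens would help readers judge what the ifconfig.8 hunk's pointer to ipsec(4) is protecting.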
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: pf.c,v 1.56 2009/07/28 18:15:26 minskim Exp $ */
|
||||
/* $NetBSD: pf.c,v 1.57 2009/09/14 10:36:49 degroote Exp $ */
|
||||
/* $OpenBSD: pf.c,v 1.552.2.1 2007/11/27 16:37:57 henning Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -37,16 +37,12 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.56 2009/07/28 18:15:26 minskim Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: pf.c,v 1.57 2009/09/14 10:36:49 degroote Exp $");
|
||||
|
||||
#include "bpfilter.h"
|
||||
#include "pflog.h"
|
||||
|
||||
#ifndef __NetBSD__
|
||||
#include "pfsync.h"
|
||||
#else
|
||||
#define NPFSYNC 0
|
||||
#endif /* __NetBSD__ */
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: pf_ioctl.c,v 1.35 2009/07/28 18:15:26 minskim Exp $ */
|
||||
/* $NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $ */
|
||||
/* $OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -37,18 +37,14 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.35 2009/07/28 18:15:26 minskim Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_inet.h"
|
||||
#include "opt_pfil_hooks.h"
|
||||
#endif
|
||||
|
||||
#ifndef __NetBSD__
|
||||
#include "pfsync.h"
|
||||
#else
|
||||
#define NPFSYNC 0
|
||||
#endif /* __NetBSD__ */
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
# $NetBSD: files.pf,v 1.4 2008/06/18 09:06:28 yamt Exp $
|
||||
# $NetBSD: files.pf,v 1.5 2009/09/14 10:36:50 degroote Exp $
|
||||
|
||||
defpseudo pf: ifnet
|
||||
defpseudo pflog: ifnet
|
||||
#defpseudo pfsync: ifnet
|
||||
defpseudo pfsync: ifnet
|
||||
|
||||
file dist/pf/net/if_pflog.c pflog needs-flag
|
||||
#file dist/pf/net/if_pfsync.c pfsync needs-flag
|
||||
file dist/pf/net/if_pfsync.c pfsync needs-flag
|
||||
|
||||
file dist/pf/net/pf.c pf needs-flag
|
||||
file dist/pf/net/pf_if.c pf
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: in.h,v 1.85 2009/07/17 22:02:54 minskim Exp $ */
|
||||
/* $NetBSD: in.h,v 1.86 2009/09/14 10:36:50 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986, 1990, 1993
|
||||
|
@ -103,6 +103,7 @@ typedef __sa_family_t sa_family_t;
|
|||
#define IPPROTO_IPCOMP 108 /* IP Payload Comp. Protocol */
|
||||
#define IPPROTO_VRRP 112 /* VRRP RFC 2338 */
|
||||
#define IPPROTO_CARP 112 /* Common Address Resolution Protocol */
|
||||
#define IPPROTO_PFSYNC 240 /* PFSYNC */
|
||||
#define IPPROTO_RAW 255 /* raw IP packet */
|
||||
#define IPPROTO_MAX 256
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $ */
|
||||
/* $NetBSD: in_proto.c,v 1.98 2009/09/14 10:36:50 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -61,7 +61,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.98 2009/09/14 10:36:50 degroote Exp $");
|
||||
|
||||
#include "opt_mrouting.h"
|
||||
#include "opt_eon.h" /* ISO CLNL over IP */
|
||||
|
@ -144,6 +144,12 @@ __KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.97 2009/02/28 18:31:12 pooka Exp $");
|
|||
#include <netinet/ip_carp.h>
|
||||
#endif
|
||||
|
||||
#include "pfsync.h"
|
||||
#if NPFSYNC > 0
|
||||
#include <net/pfvar.h>
|
||||
#include <net/if_pfsync.h>
|
||||
#endif
|
||||
|
||||
#include "etherip.h"
|
||||
#if NETHERIP > 0
|
||||
#include <netinet/ip_etherip.h>
|
||||
|
@ -358,6 +364,17 @@ const struct protosw inetsw[] = {
|
|||
.pr_usrreq = rip_usrreq,
|
||||
},
|
||||
#endif /* NCARP > 0 */
|
||||
#if NPFSYNC > 0
|
||||
{ .pr_type = SOCK_RAW,
|
||||
.pr_domain = &inetdomain,
|
||||
.pr_protocol = IPPROTO_PFSYNC,
|
||||
.pr_flags = PR_ATOMIC|PR_ADDR,
|
||||
.pr_input = pfsync_input,
|
||||
.pr_output = rip_output,
|
||||
.pr_ctloutput = rip_ctloutput,
|
||||
.pr_usrreq = rip_usrreq,
|
||||
},
|
||||
#endif /* NPFSYNC > 0 */
|
||||
{ .pr_type = SOCK_RAW,
|
||||
.pr_domain = &inetdomain,
|
||||
.pr_protocol = IPPROTO_IGMP,
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
/* $NetBSD: pfsync.h,v 1.1 2009/09/14 10:36:50 degroote Exp $ */
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: sockio.h,v 1.28 2009/01/11 02:45:55 christos Exp $ */
|
||||
/* $NetBSD: sockio.h,v 1.29 2009/09/14 10:36:50 degroote Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1982, 1986, 1990, 1993, 1994
|
||||
|
@ -129,4 +129,7 @@
|
|||
#define SIOCZIFDATA _IOWR('i', 134, struct ifdatareq) /* get if_data then
|
||||
zero ctrs*/
|
||||
|
||||
#define SIOCSETPFSYNC _IOW('i', 247, struct ifreq)
|
||||
#define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq)
|
||||
|
||||
#endif /* !_SYS_SOCKIO_H_ */
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile,v 1.28 2007/05/28 12:06:29 tls Exp $
|
||||
# $NetBSD: Makefile,v 1.29 2009/09/14 10:36:50 degroote Exp $
|
||||
# from: @(#)Makefile 8.1 (Berkeley) 6/12/93
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
@ -9,12 +9,13 @@ PROG= netstat
|
|||
SRCS= atalk.c bpf.c fast_ipsec.c if.c inet.c inet6.c ipsec.c iso.c \
|
||||
main.c mbuf.c mroute.c mroute6.c show.c route.c tp_astring.c \
|
||||
unix.c
|
||||
.PATH: ${NETBSDSRCDIR}/sys/netiso
|
||||
.PATH: ${NETBSDSRCDIR}/sys/netiso
|
||||
BINGRP= kmem
|
||||
BINMODE=2555
|
||||
LDADD= -lkvm
|
||||
DPADD= ${LIBKVM}
|
||||
CPPFLAGS+= -DIPSEC
|
||||
CPPFLAGS+= -I${NETBSDSRCDIR}/sys/dist/pf
|
||||
|
||||
.if (${USE_INET6} != "no")
|
||||
CPPFLAGS+= -DINET6
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $ */
|
||||
/* $NetBSD: inet.c,v 1.91 2009/09/14 10:36:50 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1983, 1988, 1993
|
||||
|
@ -34,7 +34,7 @@
|
|||
#if 0
|
||||
static char sccsid[] = "from: @(#)inet.c 8.4 (Berkeley) 4/20/94";
|
||||
#else
|
||||
__RCSID("$NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $");
|
||||
__RCSID("$NetBSD: inet.c,v 1.91 2009/09/14 10:36:50 degroote Exp $");
|
||||
#endif
|
||||
#endif /* not lint */
|
||||
|
||||
|
@ -76,6 +76,8 @@ __RCSID("$NetBSD: inet.c,v 1.90 2009/04/12 16:08:37 lukem Exp $");
|
|||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_carp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <net/pfvar.h>
|
||||
#include <net/if_pfsync.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
#include <kvm.h>
|
||||
|
@ -684,6 +686,52 @@ carp_stats(u_long off, const char *name)
|
|||
#undef p2
|
||||
}
|
||||
|
||||
/*
|
||||
* Dump PFSYNC statistics structure.
|
||||
*/
|
||||
void
|
||||
pfsync_stats(u_long off, const char *name)
|
||||
{
|
||||
uint64_t pfsyncstat[PFSYNC_NSTATS];
|
||||
|
||||
if (use_sysctl) {
|
||||
size_t size = sizeof(pfsyncstat);
|
||||
|
||||
if (sysctlbyname("net.inet.pfsync.stats", pfsyncstat, &size,
|
||||
NULL, 0) == -1)
|
||||
return;
|
||||
} else {
|
||||
warnx("%s stats not available via KVM.", name);
|
||||
return;
|
||||
}
|
||||
|
||||
printf("%s:\n", name);
|
||||
|
||||
#define p(f, m) if (pfsyncstat[f] || sflag <= 1) \
|
||||
printf(m, pfsyncstat[f], plural(pfsyncstat[f]))
|
||||
#define p2(f, m) if (pfsyncstat[f] || sflag <= 1) \
|
||||
printf(m, pfsyncstat[f])
|
||||
|
||||
p(PFSYNC_STAT_IPACKETS, "\t%" PRIu64 " packet%s received (IPv4)\n");
|
||||
p(PFSYNC_STAT_IPACKETS6,"\t%" PRIu64 " packet%s received (IPv6)\n");
|
||||
p(PFSYNC_STAT_BADIF, "\t\t%" PRIu64 " packet%s discarded for bad interface\n");
|
||||
p(PFSYNC_STAT_BADTTL, "\t\t%" PRIu64 " packet%s discarded for bad ttl\n");
|
||||
p(PFSYNC_STAT_HDROPS, "\t\t%" PRIu64 " packet%s shorter than header\n");
|
||||
p(PFSYNC_STAT_BADVER, "\t\t%" PRIu64 " packet%s discarded for bad version\n");
|
||||
p(PFSYNC_STAT_BADAUTH, "\t\t%" PRIu64 " packet%s discarded for bad HMAC\n");
|
||||
p(PFSYNC_STAT_BADACT,"\t\t%" PRIu64 " packet%s discarded for bad action\n");
|
||||
p(PFSYNC_STAT_BADLEN, "\t\t%" PRIu64 " packet%s discarded for short packet\n");
|
||||
p(PFSYNC_STAT_BADVAL, "\t\t%" PRIu64 " state%s discarded for bad values\n");
|
||||
p(PFSYNC_STAT_STALE, "\t\t%" PRIu64 " stale state%s\n");
|
||||
p(PFSYNC_STAT_BADSTATE, "\t\t%" PRIu64 " failed state lookup/insert%s\n");
|
||||
p(PFSYNC_STAT_OPACKETS, "\t%" PRIu64 " packet%s sent (IPv4)\n");
|
||||
p(PFSYNC_STAT_OPACKETS6, "\t%" PRIu64 " packet%s sent (IPv6)\n");
|
||||
p2(PFSYNC_STAT_ONOMEM, "\t\t%" PRIu64 " send failed due to mbuf memory error\n");
|
||||
p2(PFSYNC_STAT_OERRORS, "\t\t%" PRIu64 " send error\n");
|
||||
#undef p
|
||||
#undef p2
|
||||
}
|
||||
|
||||
/*
|
||||
* Dump PIM statistics structure.
|
||||
*/
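Review bot: pfsync_stats prints all PFSYNC_NSTATS entries of `pfsyncstat` but never looks at the `size` that sysctlbyname hands back; the array is uninitialised stack, so a kernel that returns fewer counters would print stack garbage for the tail. Declaring it `uint64_t pfsyncstat[PFSYNC_NSTATS] = {0};` or, better, rejecting `size != sizeof(pfsyncstat)` after the call covers this. The `off` parameter is unused in the sysctl path and the KVM path only warns and returns, so a short comment on the function noting that these statistics are sysctl-only (the main.c hunk marks _pfsyncstats "not available via kvm") would explain the shape of the function to the next reader.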
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: main.c,v 1.72 2009/09/13 02:53:17 elad Exp $ */
|
||||
/* $NetBSD: main.c,v 1.73 2009/09/14 10:36:51 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1983, 1988, 1993
|
||||
|
@ -39,7 +39,7 @@ __COPYRIGHT("@(#) Copyright (c) 1983, 1988, 1993\
|
|||
#if 0
|
||||
static char sccsid[] = "from: @(#)main.c 8.4 (Berkeley) 3/1/94";
|
||||
#else
|
||||
__RCSID("$NetBSD: main.c,v 1.72 2009/09/13 02:53:17 elad Exp $");
|
||||
__RCSID("$NetBSD: main.c,v 1.73 2009/09/14 10:36:51 degroote Exp $");
|
||||
#endif
|
||||
#endif /* not lint */
|
||||
|
||||
|
@ -198,6 +198,8 @@ struct nlist nl[] = {
|
|||
{ "_pimstat", 0, 0, 0, 0 },
|
||||
#define N_CARPSTAT 65
|
||||
{ "_carpstats", 0, 0, 0, 0 }, /* not available via kvm */
|
||||
#define N_PFSYNCSTAT 66
|
||||
{ "_pfsyncstats", 0, 0, 0, 0}, /* not available via kvm */
|
||||
{ "", 0, 0, 0, 0 },
|
||||
};
|
||||
|
||||
|
@ -233,6 +235,8 @@ struct protox {
|
|||
#endif
|
||||
{ -1, N_PIMSTAT, 1, 0,
|
||||
pim_stats, NULL, 0, "pim" },
|
||||
{ -1, N_PFSYNCSTAT, 1, 0,
|
||||
pfsync_stats, NULL, 0, "pfsync" },
|
||||
{ -1, -1, 0, 0,
|
||||
0, NULL, 0, 0 }
|
||||
};
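Review bot: The new nl[] entry `{ "_pfsyncstats", 0, 0, 0, 0}, /* not available via kvm */` drops the space before the closing brace that the neighbouring `_carpstats` entry keeps; write it as `{ "_pfsyncstats", 0, 0, 0, 0 }, /* not available via kvm */` so the table stays uniform. N_PFSYNCSTAT 66 is appended directly after N_CARPSTAT 65, which keeps the existing numbering intact. In the protox hunk of this section the pfsync entry uses -1 in the same position as the pim entry, which appears to match the "not available via kvm" comment, but the meaning of that field is defined outside these hunks.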
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: netstat.h,v 1.38 2009/09/13 02:53:17 elad Exp $ */
|
||||
/* $NetBSD: netstat.h,v 1.39 2009/09/14 10:36:51 degroote Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1992, 1993
|
||||
|
@ -78,6 +78,7 @@ void igmp_stats __P((u_long, const char *));
|
|||
void pim_stats __P((u_long, const char *));
|
||||
void arp_stats __P((u_long, const char *));
|
||||
void carp_stats __P((u_long, const char *));
|
||||
void pfsync_stats __P((u_long, const char*));
|
||||
#ifdef IPSEC
|
||||
/* run-time selector for which implementation (KAME, FAST_IPSEC) to show */
|
||||
void ipsec_switch __P((u_long, const char *));
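Review bot: The added prototype `void pfsync_stats __P((u_long, const char*));` binds the `*` to the type name, while every neighbouring prototype in this hunk writes `const char *`; use `void pfsync_stats __P((u_long, const char *));` to keep the header consistent with pim_stats, arp_stats and carp_stats above it.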
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
# $NetBSD: Makefile,v 1.1 2004/11/14 11:26:48 yamt Exp $
|
||||
# $NetBSD: Makefile,v 1.2 2009/09/14 10:36:51 degroote Exp $
|
||||
|
||||
.include <bsd.own.mk>
|
||||
|
||||
.PATH: ${NETBSDSRCDIR}/dist/pf/share/man/man4
|
||||
|
||||
MAN= pf.4 pflog.4
|
||||
MAN= pf.4 pflog.4 pfsync.4
|
||||
|
||||
.include <bsd.man.mk>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile,v 1.49 2009/04/22 15:23:09 lukem Exp $
|
||||
# $NetBSD: Makefile,v 1.50 2009/09/14 10:36:51 degroote Exp $
|
||||
|
||||
WARNS?= 1 # XXX: out of date third-party program
|
||||
|
||||
|
@ -13,6 +13,7 @@ PROG= tcpdump
|
|||
MAN= tcpdump.8
|
||||
|
||||
SRCS= addrtoname.c cpack.c gmpls.c gmt2local.c machdep.c oui.c parsenfsfh.c \
|
||||
pf_print_state.c \
|
||||
print-802_11.c print-ah.c print-aodv.c print-ap1394.c print-arcnet.c \
|
||||
print-arp.c \
|
||||
print-ascii.c print-atalk.c print-atm.c print-bfd.c print-bgp.c \
|
||||
|
@ -24,7 +25,7 @@ SRCS= addrtoname.c cpack.c gmpls.c gmt2local.c machdep.c oui.c parsenfsfh.c \
|
|||
print-ipx.c print-isakmp.c print-isoclns.c print-krb.c \
|
||||
print-l2tp.c print-lane.c print-ldp.c print-llc.c print-lwres.c \
|
||||
print-msdp.c print-mobile.c print-mobility.c print-mpls.c print-nfs.c \
|
||||
print-ntp.c print-null.c print-ospf.c print-pflog.c \
|
||||
print-ntp.c print-null.c print-ospf.c print-pflog.c print-pfsync.c \
|
||||
print-pim.c print-ppp.c print-pppoe.c print-pptp.c \
|
||||
print-radius.c print-raw.c print-rip.c print-rsvp.c print-rx.c \
|
||||
print-sctp.c print-sl.c print-sll.c print-smb.c print-snmp.c \
|
||||
|
@ -51,6 +52,7 @@ LDADD+= -lpcap -ll
|
|||
DPADD+= ${LIBPCAP} ${LIBL}
|
||||
|
||||
CPPFLAGS+= -I${.CURDIR} -I${SRCDIR} -I${NETBSDSRCDIR}/sys/dist/pf
|
||||
CPPFLAGS+= -I${NETBSDSRCDIR}/dist/pf/sbin/pfctl
|
||||
|
||||
AWKS= atime.awk packetdat.awk stime.awk send-ack.awk
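Review bot: The new `CPPFLAGS+= -I${NETBSDSRCDIR}/dist/pf/sbin/pfctl` line carries no explanation of which source needs the pfctl headers; it is presumably for pf_print_state.c and the new print-pfsync.c added to SRCS in the earlier hunks of this section, so a short comment such as `# pfctl headers for pf_print_state.c / print-pfsync.c` would save the next reader a search. The preceding `-I${NETBSDSRCDIR}/sys/dist/pf` already points at a different pf tree, so naming the consumer of the second include root makes the distinction explicit.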
|
||||
|
||||
|
|