

[src/trunk]: src Import pfsync support from OpenBSD 4.2



details:   https://anonhg.NetBSD.org/src/rev/ca8fea35caca
branches:  trunk
changeset: 747414:ca8fea35caca
user:      degroote <degroote%NetBSD.org@localhost>
date:      Mon Sep 14 10:36:48 2009 +0000

description:
Import pfsync support from OpenBSD 4.2

The pfsync interface exposes changes to the pf(4) state table over a pseudo-interface, and can
be used to synchronise state tables between different pf instances.

This work was part of my 2009 GSoC

No objection on tech-net@

diffstat:

 dist/libpcap/pcap-bpf.h               |     4 +-
 dist/libpcap/pcap.c                   |     3 +-
 dist/pf/share/man/man4/pf.4           |     4 +-
 dist/pf/share/man/man4/pfsync.4       |   244 ++++
 dist/tcpdump/interface.h              |     4 +-
 dist/tcpdump/ipproto.c                |     5 +-
 dist/tcpdump/pf_print_state.c         |   320 +++++
 dist/tcpdump/print-ip.c               |     8 +-
 dist/tcpdump/print-pfsync.c           |   222 ++++
 dist/tcpdump/tcpdump.c                |     7 +-
 distrib/sets/lists/man/mi             |     5 +-
 etc/protocols                         |     3 +-
 sbin/ifconfig/Makefile.inc            |     5 +-
 sbin/ifconfig/ifconfig.8              |    34 +-
 sbin/ifconfig/pfsync.c                |   229 ++++
 sys/dist/pf/net/if_pfsync.c           |  1828 +++++++++++++++++++++++++++++++++
 sys/dist/pf/net/if_pfsync.h           |   284 +++++
 sys/dist/pf/net/pf.c                  |     8 +-
 sys/dist/pf/net/pf_ioctl.c            |     8 +-
 sys/net/files.pf                      |     6 +-
 sys/netinet/in.h                      |     3 +-
 sys/netinet/in_proto.c                |    21 +-
 sys/rump/librump/rumpnet/opt/pfsync.h |     2 +
 sys/sys/sockio.h                      |     5 +-
 usr.bin/netstat/Makefile              |     5 +-
 usr.bin/netstat/inet.c                |    52 +-
 usr.bin/netstat/main.c                |     8 +-
 usr.bin/netstat/netstat.h             |     3 +-
 usr.sbin/pf/man/man4/Makefile         |     4 +-
 usr.sbin/tcpdump/Makefile             |     6 +-
 30 files changed, 3294 insertions(+), 46 deletions(-)

diffs (truncated from 3802 to 300 lines):

diff -r 8cab3db19b44 -r ca8fea35caca dist/libpcap/pcap-bpf.h
--- a/dist/libpcap/pcap-bpf.h   Mon Sep 14 09:26:28 2009 +0000
+++ b/dist/libpcap/pcap-bpf.h   Mon Sep 14 10:36:48 2009 +0000
@@ -37,7 +37,7 @@
  *
  *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
  *
- * @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.1.1.1 2006/02/27 15:45:47 drochner Exp $ (LBL)
+ * @(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap-bpf.h,v 1.2 2009/09/14 10:36:48 degroote Exp $ (LBL)
  */
 
 /*
@@ -299,8 +299,8 @@
  */
 #ifdef __OpenBSD__
 #define DLT_OLD_PFLOG  17
+#endif
 #define DLT_PFSYNC     18
-#endif
 #define DLT_PFLOG      117
 
 /*
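Review bot: Moving the `#endif` makes `DLT_PFSYNC 18` unconditional, but the explanatory comment that closes on this hunk's first context line (its body is above the hunk) presumably still describes 18 as an OpenBSD-only value, so a NetBSD reader would not know why this OpenBSD-assigned number is now in scope here. I would add a one-line comment directly above the define, `/* 18 is DLT_PFSYNC on OpenBSD; NetBSD's pfsync(4) uses the same value */`, and update the comment above the `#ifdef` to match. As the former `__OpenBSD__` guard suggests, 18 appears to be a platform-local DLT number rather than a libpcap-wide assignment, so captures saved with it are only meaningful to tools that know this mapping, which is worth stating in the same comment.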
diff -r 8cab3db19b44 -r ca8fea35caca dist/libpcap/pcap.c
--- a/dist/libpcap/pcap.c       Mon Sep 14 09:26:28 2009 +0000
+++ b/dist/libpcap/pcap.c       Mon Sep 14 10:36:48 2009 +0000
@@ -33,7 +33,7 @@
 
 #ifndef lint
 static const char rcsid[] _U_ =
-    "@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.3 2006/02/27 15:57:17 drochner Exp $ (LBL)";
+    "@(#) $Header: /cvsroot/src/dist/libpcap/Attic/pcap.c,v 1.4 2009/09/14 10:36:48 degroote Exp $ (LBL)";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -346,6 +346,7 @@
        DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
        DLT_CHOICE(DLT_LTALK, "Localtalk"),
        DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
+       DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),   
        DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
        DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
        DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
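Review bot: The added `DLT_CHOICE(DLT_PFSYNC, ...)` line carries trailing whitespace after the comma, which none of the neighbouring entries do; it should read `DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),`. The table names the originating system where a format is platform-specific (`"OpenBSD pflog file"`), so `"OpenBSD pfsync"` would be more consistent with that style, though that is a matter of taste. This entry compiles unconditionally only because the companion pcap-bpf.h change in this commit defines DLT_PFSYNC outside the `__OpenBSD__` guard, so the two hunks must land together. The DLT_CHOICE table starts and ends outside this hunk.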
diff -r 8cab3db19b44 -r ca8fea35caca dist/pf/share/man/man4/pf.4
--- a/dist/pf/share/man/man4/pf.4       Mon Sep 14 09:26:28 2009 +0000
+++ b/dist/pf/share/man/man4/pf.4       Mon Sep 14 10:36:48 2009 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: pf.4,v 1.9 2009/03/22 14:29:34 perry Exp $
+.\"    $NetBSD: pf.4,v 1.10 2009/09/14 10:36:48 degroote Exp $
 .\"    $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
@@ -1131,7 +1131,7 @@
 .Xr ioctl 2 ,
 .Xr bridge 4 ,
 .Xr pflog 4 ,
-.\" .Xr pfsync 4 ,
+.Xr pfsync 4 ,
 .Xr pfctl 8 ,
 .Xr altq 9
 .Sh HISTORY
diff -r 8cab3db19b44 -r ca8fea35caca dist/pf/share/man/man4/pfsync.4
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/pf/share/man/man4/pfsync.4   Mon Sep 14 10:36:48 2009 +0000
@@ -0,0 +1,244 @@
+.\"    $NetBSD: pfsync.4,v 1.1 2009/09/14 10:36:48 degroote Exp $
+.\"    $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
+.\"
+.\" Copyright (c) 2002 Michael Shalayeff
+.\" Copyright (c) 2003-2004 Ryan McBride
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND,
+.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: May 31 2007 $
+.Dt PFSYNC 4
+.Os
+.Sh NAME
+.Nm pfsync
+.Nd packet filter state table logging interface
+.Sh SYNOPSIS
+.Cd "pseudo-device pfsync"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device which exposes certain changes to the state
+table used by
+.Xr pf 4 .
+State changes can be viewed by invoking
+.Xr tcpdump 8
+on the
+.Nm
+interface.
+If configured with a physical synchronisation interface,
+.Nm
+will also send state changes out on that interface using IP multicast,
+and insert state changes received on that interface from other systems
+into the state table.
+.Pp
+By default, all local changes to the state table are exposed via
+.Nm .
+However, state changes from packets received by
+.Nm
+over the network are not rebroadcast.
+States created by a rule marked with the
+.Ar no-sync
+keyword are omitted from the
+.Nm
+interface (see
+.Xr pf.conf 5
+for details).
+.Pp
+The
+.Nm
+interface will attempt to collapse multiple updates of the same
+state into one message where possible.
+The maximum number of times this can be done before the update is sent out
+is controlled by the
+.Ar maxupd
+parameter to ifconfig
+(see
+.Xr ifconfig 8
+and the example below for more details).
+.Pp
+Each packet retrieved on this interface has a header associated
+with it of length
+.Dv PFSYNC_HDRLEN .
+The header indicates the version of the protocol, address family,
+action taken on the following states, and the number of state
+table entries attached in this packet.
+This structure is defined in
+.Aq Pa net/if_pfsync.h
+as:
+.Bd -literal -offset indent
+struct pfsync_header {
+       u_int8_t version;
+       u_int8_t af;
+       u_int8_t action;
+       u_int8_t count;
+};
+.Ed
+.Sh NETWORK SYNCHRONISATION
+States can be synchronised between two or more firewalls using this
+interface, by specifying a synchronisation interface using
+.Xr ifconfig 8 .
+For example, the following command sets fxp0 as the synchronisation
+interface:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncdev fxp0
+.Ed
+.Pp
+By default, state change messages are sent out on the synchronisation
+interface using IP multicast packets.
+The protocol is IP protocol 240, PFSYNC, and the multicast group
+used is 224.0.0.240.
+When a peer address is specified using the
+.Ic syncpeer
+keyword, the peer address is used as a destination for the pfsync traffic,
+and the traffic can then be protected using
+.Xr ipsec 4 .
+In such a configuration, the syncdev should be set to the
+.Xr enc 4
+interface, as this is where the traffic arrives when it is decapsulated,
+e.g.:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
+.Ed
+.Pp
+It is important that the pfsync traffic be well secured
+as there is no authentication on the protocol and it would
+be trivial to spoof packets which create states, bypassing the pf ruleset.
+Either run the pfsync protocol on a trusted network \- ideally  a network
+dedicated to pfsync messages such as a crossover cable between two firewalls,
+or specify a peer address and protect the traffic with
+.Xr ipsec 4 .
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface, and packets sent out on the synchronisation interface, i.e.\&
+a packet with 4 state deletion messages on
+.Nm
+means that the same 4 deletions were sent out on the synchronisation
+interface.
+However, the actual packet contents may differ as the messages
+sent over the network are "compressed" where possible, containing
+only the necessary information.
+.Sh EXAMPLES
+.Nm
+and
+.Xr carp 4
+can be used together to provide automatic failover of a pair of firewalls
+configured in parallel.
+One firewall handles all traffic \- if it dies or
+is shut down, the second firewall takes over automatically.
+.Pp
+Both firewalls in this example have three
+.Xr sis 4
+interfaces.
+sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the
+internal interface, on the 192.168.0.0/24 subnet; and sis2 is the
+.Nm
+interface, using the 192.168.254.0/24 subnet.
+A crossover cable connects the two firewalls via their sis2 interfaces.
+On all three interfaces, firewall A uses the .254 address, while firewall B
+uses .253.
+The interfaces are configured as follows (firewall A unless otherwise
+indicated):
+.Pp
+.Pa /etc/hostname.sis0 :
+.Bd -literal -offset indent
+inet 10.0.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis1 :
+.Bd -literal -offset indent
+inet 192.168.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis2 :
+.Bd -literal -offset indent
+inet 192.168.254.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.carp0 :
+.Bd -literal -offset indent
+inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
+.Ed
+.Pp
+.Pa /etc/hostname.carp1 :
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
+.Ed
+.Pp
+.Pa /etc/hostname.pfsync0 :
+.Bd -literal -offset indent
+up syncdev sis2
+.Ed
+.Pp
+.Xr pf 4
+must also be configured to allow
+.Nm
+and
+.Xr carp 4
+traffic through.
+The following should be added to the top of
+.Pa /etc/pf.conf :
+.Bd -literal -offset indent
+pass quick on { sis2 } proto pfsync
+pass on { sis0 sis1 } proto carp
+.Ed
+.Pp
+If it is preferable that one firewall handle the traffic,
+the
+.Ar advskew
+on the backup firewall's
+.Xr carp 4
+interfaces should be set to something higher than
+the primary's.
+For example, if firewall B is the backup, its
+.Pa /etc/hostname.carp1
+would look like this:
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
+       advskew 100
+.Ed
+.Pp
+The following must also be added to
+.Pa /etc/sysctl.conf :
+.Bd -literal -offset indent
+net.inet.carp.preempt=1
+.Ed
+.Sh SEE ALSO
+.Xr bpf 4 ,
+.Xr carp 4 ,
+.Xr inet 4 ,
+.Xr inet6 4 ,
+.Xr ipsec 4 ,
+.Xr netintro 4 ,
+.Xr pf 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,


