Commit userland part of pf version 3.5 from OpenBSD (OPENBSD_3_5_BASE).

3 files changed, 345 insertions, 64 deletions

diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4
index 0717013..053da27 100644
--- a/contrib/pf/man/pf.4
+++ b/contrib/pf/man/pf.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $
+.\"	$OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
 .\"
@@ -75,11 +75,7 @@ Stops the packet filter.
 Starts the ALTQ bandwidth control system.
 .It Dv DIOCSTOPALTQ
 Stops the ALTQ bandwidth control system.
-.It Dv DIOCBEGINADDRS  Fa "u_int32_t"
-Clears the buffer address pool
-and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and
-DIOCCHANGERULE calls.
-.It Dv DIOCADDADDR     Fa "struct pfioc_pooladdr"
+.It Dv DIOCBEGINADDRS  Fa "struct pfioc_pooladdr"
 .Bd -literal
 struct pfioc_pooladdr {
 	u_int32_t		action;
@@ -95,16 +91,17 @@ struct pfioc_pooladdr {
 };
 .Ed
 .Pp
+Clears the buffer address pool
+and returns a
+.Va ticket
+for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
+.It Dv DIOCADDADDR     Fa "struct pfioc_pooladdr"
+.Pp
 Adds pool address
 .Va addr
 to the buffer address pool to be used in the following
 DIOCADDRULE or DIOCCHANGERULE call.
 All other members of the structure are ignored.
-.It Dv DIOCBEGINRULES  Fa "u_int32_t"
-Clears the inactive ruleset for the type of rule indicated by
-.Va rule.action
-and returns a ticket for subsequent
-DIOCADDRULE and DIOCCOMMITRULES calls.
 .It Dv DIOCADDRULE     Fa "struct pfioc_rule"
 .Bd -literal
 struct pfioc_rule {
@@ -123,7 +120,7 @@ Adds
 at the end of the inactive ruleset.
 Requires
 .Va ticket
-obtained through preceding DIOCBEGINRULES call, and
+obtained through preceding DIOCXBEGIN call, and
 .Va pool_ticket
 obtained through DIOCBEGINADDRS call.
 DIOCADDADDR must also be called if any pool addresses are required.
@@ -136,26 +133,16 @@ names indicate the anchor and ruleset in which to append the rule.
 and
 .Va action
 are ignored.
-.It Dv DIOCCOMMITRULES Fa "u_int32_t"
-Switch inactive to active filter ruleset.
-Requires
-.Va ticket .
-.It Dv DIOCBEGINALTQS  Fa "u_int32_t"
-Clears the inactive list of queues and returns a ticket for subsequent
-DIOCADDALTQ and DIOCCOMMITALTQS calls.
 .It Dv DIOCADDALTQ     Fa "struct pfioc_altq"
 Adds
 .Bd -literal
 struct pfioc_altq {
+	u_int32_t	action;
 	u_int32_t	ticket;
 	u_int32_t	nr;
 	struct pf_altq   altq;
 };
 .Ed
-.It Dv DIOCCOMMITALTQS Fa "u_int32_t"
-Switch inactive to active list of queues.
-Requires
-.Va ticket .
 .It Dv DIOCGETRULES    Fa "struct pfioc_rule"
 Returns
 .Va ticket
@@ -227,8 +214,6 @@ of length
 .Va nbytes
 for the queue specified by
 .Va nr .
-.It Dv DIOCCLRSTATES
-Clears the state table.
 .It Dv DIOCADDSTATE    Fa "struct pfioc_state"
 Adds a state entry.
 .It Dv DIOCGETSTATE    Fa "struct pfioc_state"
@@ -249,8 +234,16 @@ struct pfioc_state_kill {
 	int			psk_proto;
 	struct pf_rule_addr	psk_src;
 	struct pf_rule_addr	psk_dst;
+	char			psk_ifname[IFNAMSIZ];
 };
 .Ed
+.It Dv DIOCCLRSTATES  Fa "struct pfioc_state_kill"
+Clears all states.
+It works like
+.Dv DIOCKILLSTATES ,
+but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
+.Fa pfioc_state_kill
+structure.
 .It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
 .Bd -literal
 struct pfioc_if {
@@ -262,14 +255,19 @@ Specifies the interface for which statistics are accumulated.
 .It Dv DIOCGETSTATUS   Fa "struct pf_status"
 .Bd -literal
 struct pf_status {
-	u_int64_t	 counters[PFRES_MAX];
-	u_int64_t	 fcounters[FCNT_MAX];
-	u_int64_t	 pcounters[2][2][3];
-	u_int64_t	 bcounters[2][2];
-	u_int32_t	 running;
-	u_int32_t	 states;
-	u_int32_t	 since;
-	u_int32_t	 debug;
+	u_int64_t	counters[PFRES_MAX];
+	u_int64_t	fcounters[FCNT_MAX];
+	u_int64_t	scounters[SCNT_MAX];
+	u_int64_t	pcounters[2][2][3];
+	u_int64_t	bcounters[2][2];
+	u_int64_t	stateid;
+	u_int32_t	running;
+	u_int32_t	states;
+	u_int32_t	src_nodes;
+	u_int32_t	since;
+	u_int32_t	debug;
+	u_int32_t	hostid;
+	char		ifname[IFNAMSIZ];
 };
 .Ed
 .Pp
@@ -288,7 +286,7 @@ struct pfioc_natlook {
 	u_int16_t	 dport;
 	u_int16_t	 rsport;
 	u_int16_t	 rdport;
-	u_int8_t	 af;
+	sa_family_t	 af;
 	u_int8_t	 proto;
 	u_int8_t	 direction;
 };
@@ -528,19 +526,6 @@ or deleted by the kernel.
 Yes, tables can be deleted if one removes the
 .Va persist
 flag of an unreferenced table.
-.It Dv DIOCRINABEGIN Fa "struct pfioc_table"
-Starts a transaction with the inactive set of tables.
-Cleans up any leftover from a previously aborted transaction, and returns
-a new ticket.
-On exit, pfrio_ndel contains the number of leftover table deleted, and
-pfrio_ticket contains a valid ticket to use for the following two IOCTLs.
-.It Dv DIOCRINACOMMIT Fa "struct pfioc_table"
-Commit the inactive set of tables into the active set.
-While copying the addresses, do a best effort to keep statistics for
-addresses present before and after the commit.
-On entry, io->pfrio_ticket takes a valid ticket.
-On exit, io->pfrio_nadd and io->pfrio_nchange contain the number of tables
-added and altered by the commit operation.
 .It Dv DIOCRINADEFINE Fa "struct pfioc_table"
 Defines a table in the inactive set.
 On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
@@ -549,6 +534,46 @@ A valid ticket must also be supplied to pfrio_ticket.
 On exit, pfrio_nadd contains 0 if the table was already defined in the
 inactive list, or 1 if a new table has been created.
 pfrio_naddr contains the number of addresses effectively put in the table.
+.It Dv DIOCXBEGIN Fa "struct pfioc_trans"
+.Bd -literal
+#define PF_RULESET_ALTQ         (PF_RULESET_MAX)
+#define PF_RULESET_TABLE        (PF_RULESET_MAX+1)
+struct pfioc_trans {
+        int              size;  /* number of elements */
+        int              esize; /* size of each element in bytes */
+        struct pfioc_trans_e {
+                int             rs_num;
+                char            anchor[PF_ANCHOR_NAME_SIZE];
+                char            ruleset[PF_RULESET_NAME_SIZE];
+                u_int32_t       ticket;
+        }               *array;
+};
+.Ed
+.Pp
+Clears all the inactive rulesets specified in the
+.Fa "struct pfioc_trans_e"
+array.
+For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs,
+as well as for the
+.Dv DIOCXCOMMIT
+and
+.Dv DIOCXROLLBACK
+calls.
+.It Dv DIOCXCOMMIT Fa "struct pfioc_trans"
+Atomically switch a vector of inactive rulesets to the active rulesets.
+Implemented as a standard 2-phase commit, which will either fail for all
+rulesets or completely succeed.
+All tickets need to be valid.
+Returns
+.Dv EBUSY
+if a concurrent process is trying to update some of the same rulesets
+concurrently.
+.It Dv DIOCXROLLBACK Fa "struct pfioc_trans"
+Clean up the kernel by undoing all changes that have taken place on the
+inactive rulesets since the last
+.Dv DIOCXBEGIN .
+.Dv DIOCXROLLBACK
+will silently ignore rulesets for which the ticket is invalid.
 .It Dv DIOCFPFLUSH
 Flush the passive OS fingerprint table.
 .It Dv DIOCFPADD Fa "struct pf_osfp_ioctl"
@@ -626,6 +651,115 @@ The rest of the structure members will come back filled.
 Get the whole list by repeatedly incrementing the
 .Va fp_getnum
 number until the ioctl returns EBUSY.
+.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes"
+.Bd -literal
+struct pfioc_src_nodes {
+        int     psn_len;
+        union {
+                caddr_t          psu_buf;
+                struct pf_src_node      *psu_src_nodes;
+        } psn_u;
+#define psn_buf         psn_u.psu_buf
+#define psn_src_nodes   psn_u.psu_src_nodes
+};
+.Ed
+.Pp
+Get the list of source nodes kept by the
+.Ar sticky-address
+and
+.Ar source-track
+options.
+The ioctl must be called once with
+.Va psn_len
+set to 0.
+If the ioctl returns without error,
+.Va psn_len
+will be set to the size of the buffer required to hold all the
+.Va pf_src_node
+structures held in the table.
+A buffer of this size should then be allocated, and a pointer to this buffer
+placed in
+.Va psn_buf .
+The ioctl must then be called again to fill this buffer with the actual
+source node data.
+After the ioctl call
+.Va psn_len
+will be set to the length of the buffer actually used.
+.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table"
+Clear the tree of source tracking nodes.
+.It Dv DIOCIGETIFACES Fa "struct pfioc_iface"
+Gets the list of interfaces and interface drivers known to
+.Nm .
+All the IOCTLs that manipulate interfaces
+use the same structure described below:
+.Bd -literal
+struct pfioc_iface {
+        char                     pfiio_name[IFNAMSIZ];
+        void                    *pfiio_buffer;
+        int                      pfiio_esize;
+        int                      pfiio_size;
+        int                      pfiio_nzero;
+        int                      pfiio_flags;
+};
+
+#define PFI_FLAG_GROUP     0x0001  /* gets groups of interfaces */
+#define PFI_FLAG_INSTANCE  0x0002  /* gets single interfaces */
+#define PFI_FLAG_ALLMASK   0x0003
+.Ed
+.Pp
+If not empty,
+.Va pfiio_name
+can be used to restrict the search to a specific interface or driver.
+.Va pfiio_buffer[pfiio_size]
+is the user-supplied buffer for returning the data.
+On entry,
+.Va pfiio_size
+represents the number of
+.Va pfi_if
+entries that can fit into the buffer.
+The kernel will replace this value by the real number of entries it wants
+to return.
+.Va pfiio_esize
+should be set to sizeof(struct pfi_if).
+.Va pfiio_flags
+should be set to
+.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE ,
+or both to tell the kernel to return a group of interfaces
+(drivers, like "fxp"), real interface instances (like "fxp1") or both.
+The data is returned in the
+.Va pfi_if
+structure described below:
+.Bd -literal
+struct pfi_if {
+        char                             pfif_name[IFNAMSIZ];
+        u_int64_t                        pfif_packets[2][2][2];
+        u_int64_t                        pfif_bytes[2][2][2];
+        u_int64_t                        pfif_addcnt;
+        u_int64_t                        pfif_delcnt;
+        long                             pfif_tzero;
+        int                              pfif_states;
+        int                              pfif_rules;
+        int                              pfif_flags;
+};
+
+#define PFI_IFLAG_GROUP         0x0001  /* group of interfaces */
+#define PFI_IFLAG_INSTANCE      0x0002  /* single instance */
+#define PFI_IFLAG_CLONABLE      0x0010  /* clonable group */
+#define PFI_IFLAG_DYNAMIC       0x0020  /* dynamic group */
+#define PFI_IFLAG_ATTACHED      0x0040  /* interface attached */
+#define PFI_IFLAG_REFERENCED    0x0080  /* referenced by rules */
+.Ed
+.It Dv DIOCICLRISTATS Fa "struct pfioc_iface"
+Clear the statistics counters of one or more interfaces.
+.Va pfiio_name
+and
+.Va pfrio_flags
+can be used to select which interfaces need to be cleared.
+The filtering process is the same as for
+.Dv DIOCIGETIFACES .
+.Va pfiio_nzero
+will be set by the kernel to the number of interfaces and drivers
+that have been cleared.
 .El
 .Sh EXAMPLES
 The following example demonstrates how to use the DIOCNATLOOK command
diff --git a/contrib/pf/man/pflog.4 b/contrib/pf/man/pflog.4
index c3f7173..6fc278e 100644
--- a/contrib/pf/man/pflog.4
+++ b/contrib/pf/man/pflog.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pflog.4,v 1.4 2003/09/22 04:53:15 jmc Exp $
+.\"	$OpenBSD: pflog.4,v 1.7 2004/03/21 19:47:59 miod Exp $
 .\"
 .\" Copyright (c) 2001 Tobias Weingartner
 .\" All rights reserved.
@@ -32,19 +32,20 @@
 .Nm pflog
 .Nd packet filter logging interface
 .Sh SYNOPSIS
-.Sy device pflog
+.Cd "device pflog"
 .Sh DESCRIPTION
 The
 .Nm pflog
-interface is the interface the packet filter,
-.Xr pf 4 ,
-copies all the packets to which it has been configured to log.
-In this way, all logged packets can easily be monitored in real
+interface is a pseudo-device which makes visible all packets logged by
+the packet filter,
+.Xr pf 4 .
+Logged packets can easily be monitored in real
 time by invoking
 .Xr tcpdump 8
 on the
 .Nm
-interface.
+interface, or stored to disk using
+.Xr pflogd 8 .
 .Pp
 Each packet retrieved on this interface has a header associated
 with it of length
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4
index 9b22f57..5375a52 100644
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pfsync.4,v 1.6 2003/06/06 10:29:41 jmc Exp $
+.\"	$OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Michael Shalayeff
 .\" All rights reserved.
@@ -32,19 +32,48 @@
 .Nm pfsync
 .Nd packet filter states table logging interface
 .Sh SYNOPSIS
-.Sy device pfsync
+.Cd "device pfsync"
 .Sh DESCRIPTION
 The
-.Nm pfsync
-interface is the interface to the packet filter,
-.Xr pf 4 ,
-exposing all the changes to the state table.
-This allows for both debugging of rulesets and monitoring
-for changes in the table by invoking
+.Nm
+interface is a pseudo-device which exposes certain changes to the state
+table used by
+.Xr pf 4 .
+State changes can be viewed by invoking
 .Xr tcpdump 8
 on the
 .Nm
 interface.
+If configured with a physical synchronisation interface,
+.Nm
+will also send state changes out on that interface using IP multicast,
+and insert state changes received on that interface from other systems
+into the state table.
+.Pp
+By default, all local changes to the state table are exposed via
+.Nm .
+However, state changes from packets received by
+.Nm
+over the network are not rebroadcast.
+States created by a rule marked with the
+.Ar no-sync
+keyword are omitted from the
+.Nm
+interface (see
+.Xr pf.conf 5
+for details).
+.Pp
+The
+.Nm
+interface will attempt to collapse multiple updates of the same
+state into one message where possible.
+The maximum number of times this can be done before the update is sent out
+is controlled by the
+.Ar maxupd
+to ifconfig.
+(see
+.Xr ifconfig 8
+and the example below for more details)
 .Pp
 Each packet retrieved on this interface has a header associated
 with it of length
@@ -63,16 +92,133 @@ struct pfsync_header {
 	u_int8_t count;
 };
 .Ed
+.Sh NETWORK SYNCHRONISATION
+States can be synchronised between two or more firewalls using this
+interface, by specifying a synchronisation interface using
+.Xr ifconfig 8 .
+For example, the following command sets fxp0 as the synchronisation
+interface.
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncif fxp0
+.Ed
+.Pp
+State change messages are sent out on the synchronisation
+interface using IP multicast packets.
+The protocol is IP protocol 240, PFSYNC, and the multicast group
+used is 224.0.0.240.
+.Pp
+It is important that the synchronisation interface be on a trusted
+network as there is no authentication on the protocol and it would
+be trivial to spoof packets which create states, bypassing the pf ruleset.
+Ideally, this is a network dedicated to pfsync messages,
+i.e. a crossover cable between two firewalls.
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface, and packets sent out on the synchronisation interface, i.e.\&
+a packet with 4 state deletion messages on
+.Nm
+means that the same 4 deletions were sent out on the synchronisation
+interface.
+However, the actual packet contents may differ as the messages
+sent over the network are "compressed" where possible, containing
+only the necessary information.
 .Sh EXAMPLES
+.Nm
+and
+.Xr carp 4
+can be used together to provide automatic failover of a pair of firewalls
+configured in parallel.
+One firewall handles all traffic \- if it dies or
+is shut down, the second firewall takes over automatically.
+.Pp
+Both firewalls in this example have three
+.Xr sis 4
+interfaces.
+sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the
+internal interface, on the 192.168.0.0/24 subnet, and sis2 is the
+.Nm
+interface, using the 192.168.254.0/24 subnet.
+A crossover cable connects the two firewalls via their sis2 interfaces.
+On all three interfaces, firewall A uses the .254 address, while firewall B
+uses .253.
+The interfaces are configured as follows (firewall A unless otherwise
+indicated):
+.Pp
+.Pa /etc/hostname.sis0 :
+.Bd -literal -offset indent
+inet 10.0.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis1 :
+.Bd -literal -offset indent
+inet 192.168.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis2 :
+.Bd -literal -offset indent
+inet 192.168.254.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.carp0 :
+.Bd -literal -offset indent
+inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
+.Ed
+.Pp
+.Pa /etc/hostname.carp1 :
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
+.Ed
+.Pp
+.Pa /etc/hostname.pfsync0 :
+.Bd -literal -offset indent
+up syncif sis2
+.Ed
+.Pp
+.Xr pf 4
+must also be configured to allow
+.Nm
+and
+.Xr carp 4
+traffic through.
+The following should be added to the top of
+.Pa /etc/pf.conf :
+.Bd -literal -offset indent
+pass quick on { sis2 } proto pfsync
+pass on { sis0 sis1 } proto carp keep state
+.Ed
+.Pp
+If it is preferable that one firewall handle the traffic,
+the
+.Ar advskew
+on the backup firewall's
+.Xr carp 4
+interfaces should be set to something higher than
+the primary's.
+For example, if firewall B is the backup, its
+.Pa /etc/hostname.carp1
+would look like this:
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
+	advskew 100
+.Ed
+.Pp
+The following must also be added to
+.Pa /etc/sysctl.conf :
 .Bd -literal -offset indent
-# ifconfig pfsync0 up
-# tcpdump -s1500 -evtni pfsync0
+net.inet.carp.preempt=1
 .Ed
 .Sh SEE ALSO
+.Xr bpf 4 ,
 .Xr inet 4 ,
 .Xr inet6 4 ,
 .Xr netintro 4 ,
 .Xr pf 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr protocols 5 ,
 .Xr ifconfig 8 ,
 .Xr tcpdump 8
 .Sh HISTORY