Re: pfsync and policy routing states patch
* Romey Valadez [2010-01-15 00:53]: > this patch apply to OpenBSD v4.6 -stable we really don't care much for diffs to -stable. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
pfsync and policy routing states patch - version2
Hi tech@,
here is a version 2 of the patch to correct the synchronization of
states that use route-to policy, thanks to Bret Lambert for your
patience to teach me and your suggestions.
This patch apply to OpenBSD v4.6 -stable, nexthop_idx will give us the
reference into the route pool that have a same interface that the
current state is using to reach the nexthop, this reference not need
to point to exact current pool we need only a reference to the correct
interface, so in the standby peer we only look at that reference into
the pool to take out the interface reference, so we can complete the
rt_kif info in the state.
this patch is applied under sys/net, it modifies pfsync_state_import,
pfsync_state_export, pfsync_in_upd functions and pfsync_state_peer
struct.
===
RCS file: RCS/pfvar.h,v
retrieving revision 1.290
diff -u -r1.290 pfvar.h
--- pfvar.h 2010/01/13 23:33:23 1.290
+++ pfvar.h 2010/01/20 22:26:23
@@ -826,7 +826,8 @@
u_int16_t mss;/* Maximum segment size option */
u_int8_tstate; /* active state level */
u_int8_twscale; /* window scaling factor*/
- u_int8_tpad[6];
+ u_int8_tnexthop_idx;/* nexthop in pool index*/
+ u_int8_tpad[5];
} __packed;
struct pfsync_state_key {
===
RCS file: RCS/if_pfsync.c,v
retrieving revision 1.127
diff -u -r1.127 if_pfsync.c
--- if_pfsync.c 2010/01/13 23:06:38 1.127
+++ if_pfsync.c 2010/01/20 22:28:39
@@ -398,6 +398,8 @@
void
pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
{
+ struct pf_pooladdr *acur = NULL;
+ struct pf_rule *r = NULL;
bzero(sp, sizeof(struct pfsync_state));
/* copy from state key */
@@ -449,6 +451,20 @@
else
sp->nat_rule = htonl(st->nat_rule.ptr->nr);
+ /* insert the rpool position reference for route-to states */
+ sp->dst.nexthop_idx = 0;
+ if(st->rt_kif) {
+ if(sp->rule != htonl(-1) && ntohl(sp->rule) <
pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount)
+ r =
pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
+ if(r != NULL) {
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ sp->dst.nexthop_idx++;
+ if(st->rt_kif == acur->kif)
+ break;
+ }
+ }
+ }
+
pf_state_counter_hton(st->packets[0], sp->packets[0]);
pf_state_counter_hton(st->packets[1], sp->packets[1]);
pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
@@ -465,6 +481,8 @@
struct pfi_kif *kif;
int pool_flags;
int error;
+ struct pf_pooladdr *acur;
+ u_int8_t count;
if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
printf("pfsync_state_import: invalid creator id:"
@@ -563,6 +581,18 @@
st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
st->rt_kif = NULL;
+ /* try to insert the route-to kif for this state */
+ if(r != &pf_default_rule && r->rpool.cur) {
+ count = 0;
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ count++;
+ if(count == sp->dst.nexthop_idx) {
+ st->rt_kif = acur->kif;
+ break;
+ }
+ }
+ }
+
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
@@ -916,7 +946,7 @@
st = pf_find_state_byid(&id_key);
if (st == NULL) {
/* insert the update */
- if (pfsync_state_import(sp, 0))
+ if (pfsync_state_import(sp, pkt->flags))
pfsyncstats.pfsyncs_badstate++;
continue;
}
I tested and it is working fine, any suggestions are welcomed.
Here is the original problem that I trying to solve with this patch:
if one rule with policy routing using route-to or reply-to creates a
state, this will inserted on the peer with pfsycn protocol with
rt_addr to the nexthop ip address but without the nexthop interface
output reference, in pfsync_state_import the rt_kif is inserted as:
st->rt_kif = NULL;
pfsync will bind the state to the ruleset if the checksum of ruleset
on both firewall is the same.
so when a failover happens:
pf_test probes the next packet coming in on an interface and it
belongs to a state and the action is pass it, if the rule to this
state has a route-to/reply-to routing then pf_route is called.
The pf_route function needs the interface to do the routing of the
packet
pfsync and policy routing states patch
Hi All
I'm testing this patch to permit synchronization of states that use
route-to or reply-to for policy routing, this patch apply to OpenBSD
v4.6 -stable, this is the problem:
when pfsync send an state that uses route-to or reply-to option to the
other machine, it only sends only current next-hop address in rt_addr
member of pfsync_state struct, the peer gets the pfsync data and it
will try to insert the state and bind it to ruleset, when the
secondary machine gets active and a packet going to pass through pf
will try to process pf_route if the state matches with a rule with
route/reply option, but the interface information hadn't inserted into
the state so the state will has st->rt_kif = NULL then the packet will
be droped in pf_route function.
To complete the route/reply option of one state and keep compatibility
with pfsync_state structure, we can use the data space holding by pad
member into pfsync_state_peer, it seems to not be used by other
function, so we can free rename it, I rename it as ex_info (extra info),
so we can use it to put the info to complete the state. The ex_info
data is 6 bytes length so we can't put the st->rt_kif->pfik_name data
here. We can put the relative position of the rt_kif into the
route/reply pool, this manner we need only 2 bytes to send the integer
that represents the relative position into the pool, this position
will only tell us
where the interface can be found, it no necesary be the exact pool, so
when a peer
receives the pfsync data it can bind it into the pool if the both
ruleset have a checksum match.
I made some tests and it is running fine, this patch can be ported to
the -current version of cvs, but we need to make a little changes
beacuse rpool member of pf_rule struct has a new name: route.
The modified functions was: pfsync_state_export, pfsync_state_import
and pfsync_in_upd, the pfsync_in_upd was inserted a new state with
flags equal to zero, now it insert the new state with the pkt->flags,
so if the ruleset checksum matches this state will be attached to the
ruleset in pfsync_state_import function
===
RCS file: src/sys/net/RCS/if_pfsync.c,v
retrieving revision 1.127
diff -u -r1.127 src/sys/net/if_pfsync.c
--- src/sys/net/if_pfsync.c 2010/01/13 23:06:38 1.127
+++ src/sys/net/if_pfsync.c 2010/01/14 21:45:18
@@ -398,6 +398,9 @@
void
pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
{
+ struct pf_pooladdr *acur = NULL;
+ struct pf_rule *r = NULL;
+ int count = 0;
bzero(sp, sizeof(struct pfsync_state));
/* copy from state key */
@@ -449,6 +452,20 @@
else
sp->nat_rule = htonl(st->nat_rule.ptr->nr);
+ /* insert the rpool position reference for route-to states */
+ if(st->rt_kif) {
+ if(sp->rule != htonl(-1) && ntohl(sp->rule) <
pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount)
+ r =
pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
+ if(r != NULL) {
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ count++;
+ if(st->rt_kif == acur->kif)
+ break;
+ }
+ }
+ bcopy(&count, &sp->dst.ex_info, sizeof(count));
+ }
+
pf_state_counter_hton(st->packets[0], sp->packets[0]);
pf_state_counter_hton(st->packets[1], sp->packets[1]);
pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
@@ -465,6 +482,9 @@
struct pfi_kif *kif;
int pool_flags;
int error;
+ struct pf_pooladdr *acur;
+ int count;
+ int i;
if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
printf("pfsync_state_import: invalid creator id:"
@@ -563,6 +583,19 @@
st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
st->rt_kif = NULL;
+ /* try to insert the route-to kif for this state */
+ if(r != &pf_default_rule && r->rpool.cur) {
+ bcopy(&sp->dst.ex_info, &count, sizeof(count));
+ i = 0;
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ i++;
+ if(i == count) {
+ st->rt_kif = acur->kif;
+ break;
+ }
+ }
+ }
+
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
@@ -916,7 +949,7 @@
st = pf_find_state_byid(&id_key);
if (st == NULL) {
/* insert the update */
- if (pfsync_state_import(sp, 0))
+ if (pfsync_state_import(sp, pkt->flags))
pfsyncstats.pfsyncs_badstate++;
continue;
}
pfsync and policy routing states patch
Hi All
I'm testing this patch to permit synchronization of states that use
route-to or reply-to for policy routing, this patch apply to OpenBSD
v4.6 -stable, this is the problem:
when pfsync send an state that uses route-to or reply-to option to the
other machine, it only sends only current next-hop address in rt_addr
member of pfsync_state struct, the peer gets the pfsync data and it
will try to insert the state and bind it to ruleset, when the
secondary machine gets active and a packet going to pass through pf
will try to process pf_route if the state matches with a rule with
route/reply option, but the interface information hadn't inserted into
the state so the state will has st->rt_kif = NULL then the packet will
be droped in pf_route function.
To complete the route/reply option of one state and keep compatibility
with pfsync_state structure, we can use the data space holding by pad
member into pfsync_state_peer, it seems to not be used by other
function, so we can free rename, I rename it as ex_info (extra info),
so we can use it to put the info to complete the state. The ex_info
data is 6 bytes length so we can't put the st->rt_kif->pfik_name data
here. We can put the relative position of the rt_kif into the
route/reply pool, this manner we need only 2 bytes to send the integer
that represents the relative position into the pool, so when a peer
receives the pfsync data it can bind it into the pool if the both
ruleset have a checksum match.
I made some tests and it is running fine, this patch can be ported to
the -current version of cvs, but we need to make a little changes
beacuse rpool member of pf_rule struct has a new name: route.
The modified functions was: pfsync_state_export, pfsync_state_import
and pfsync_in_upd, the pfsync_in_upd was inserted a new state with
flags equal to zero, now it insert the new state with the pkt->flags,
so if the ruleset checksum matches this state will be attached to the
ruleset in pfsync_state_import function
===
RCS file: src/sys/net/RCS/if_pfsync.c,v
retrieving revision 1.127
diff -u -r1.127 src/sys/net/if_pfsync.c
--- src/sys/net/if_pfsync.c 2010/01/13 23:06:38 1.127
+++ src/sys/net/if_pfsync.c 2010/01/14 21:45:18
@@ -398,6 +398,9 @@
void
pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
{
+ struct pf_pooladdr *acur = NULL;
+ struct pf_rule *r = NULL;
+ int count = 0;
bzero(sp, sizeof(struct pfsync_state));
/* copy from state key */
@@ -449,6 +452,20 @@
else
sp->nat_rule = htonl(st->nat_rule.ptr->nr);
+ /* insert the rpool position reference for route-to states */
+ if(st->rt_kif) {
+ if(sp->rule != htonl(-1) && ntohl(sp->rule) <
pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount)
+ r =
pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
+ if(r != NULL) {
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ count++;
+ if(st->rt_kif == acur->kif)
+ break;
+ }
+ }
+ bcopy(&count, &sp->dst.ex_info, sizeof(count));
+ }
+
pf_state_counter_hton(st->packets[0], sp->packets[0]);
pf_state_counter_hton(st->packets[1], sp->packets[1]);
pf_state_counter_hton(st->bytes[0], sp->bytes[0]);
@@ -465,6 +482,9 @@
struct pfi_kif *kif;
int pool_flags;
int error;
+ struct pf_pooladdr *acur;
+ int count;
+ int i;
if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) {
printf("pfsync_state_import: invalid creator id:"
@@ -563,6 +583,19 @@
st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
st->rt_kif = NULL;
+ /* try to insert the route-to kif for this state */
+ if(r != &pf_default_rule && r->rpool.cur) {
+ bcopy(&sp->dst.ex_info, &count, sizeof(count));
+ i = 0;
+ TAILQ_FOREACH(acur, &r->rpool.list, entries) {
+ i++;
+ if(i == count) {
+ st->rt_kif = acur->kif;
+ break;
+ }
+ }
+ }
+
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
@@ -916,7 +949,7 @@
st = pf_find_state_byid(&id_key);
if (st == NULL) {
/* insert the update */
- if (pfsync_state_import(sp, 0))
+ if (pfsync_state_import(sp, pkt->flags))
pfsyncstats.pfsyncs_badstate++;
continue;
}
===
RCS file: src/sys/net/RCS/pfvar.h,v
retriev
