author | mcbride <mcbride@openbsd.org> | 2005-10-27 12:34:40 +0000 |
---|---|---|
committer | mcbride <mcbride@openbsd.org> | 2005-10-27 12:34:40 +0000 |
commit | 20177903a5f3a7b37672ab90a709b3fd2fc940a0 (patch) | |
tree | f7a193322de0336cd8eb82163f043e6daa45174d /sys/net/if_pfsync.h | |
parent | make the example more likely to compile, ha ha; maticd@gmail.com (diff) | |
Basic support for attaching states from pfsync to the correct rules.
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
Diffstat (limited to 'sys/net/if_pfsync.h')
-rw-r--r-- | sys/net/if_pfsync.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index 8adf0a0372b..70bd69666e1 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.26 2005/09/28 01:46:32 pascoe Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.27 2005/10/27 12:34:40 mcbride Exp $ */
 /*
 * Copyright (c) 2001 Michael Shalayeff
@@ -191,7 +191,7 @@ extern struct pfsync_softc pfsyncif;
 struct pfsync_header {
 u_int8_t version;
-#define PFSYNC_VERSION 2
+#define PFSYNC_VERSION 3
 u_int8_t af;
 u_int8_t action;
 #define PFSYNC_ACT_CLR 0 /* clear all states */
@@ -207,6 +207,7 @@ struct pfsync_header {
 #define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */
 #define PFSYNC_ACT_MAX 11
 u_int8_t count;
+ u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
 } __packed;
 #define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */ |
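Review bot: The `pf_chksum` member added in the third hunk extends the on-wire header without a comment saying what it covers or how far a receiver may trust it; I would document it as an unkeyed consistency fingerprint, e.g. `u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; /* MD5 of sender's main ruleset; match hint only, not authentication */`. Going by the commit message, a matching checksum is what allows a received state to be attached to a local rule, so the receive path (not visible in this diff) presumably still needs to range-check any rule number taken from the packet, because the digest travels in the clear and proves nothing about who sent it. The header now also depends on `PF_MD5_DIGEST_LENGTH` being defined before it is included, and no include is added here, so tools that parse pfsync packets may need the pf header pulled in first. `struct pfsync_header` opens outside this hunk.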