1 /*
2  * Copyright (C) 1993-2001, 2003 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  *
9  * Copyright 2018 Joyent, Inc.  All rights reserved.
10  */
11 
12 #ifndef	__IPF_STACK_H__
13 #define	__IPF_STACK_H__
14 
15 /* FIXME: appears needed for ip_proxy.h - tcpseq */
16 #include <net/route.h>
17 #include <netinet/in.h>
18 #include <netinet/in_systm.h>
19 #include <netinet/ip.h>
20 #include <netinet/ip_var.h>
21 #include <netinet/tcp.h>
22 #include <netinet/udp.h>
23 #include <netinet/ip_icmp.h>
24 #include <netinet/tcpip.h>
25 
26 #include "ip_compat.h"
27 #include "ip_fil.h"
28 #include "ip_nat.h"
29 #include "ip_frag.h"
30 #include "ip_state.h"
31 #include "ip_proxy.h"
32 #include "ip_auth.h"
33 #include "ip_lookup.h"
34 #include "ip_pool.h"
35 #include "ip_htable.h"
36 #include <net/radix.h>
37 #include <sys/neti.h>
38 #include <sys/hook.h>
39 
40 /*
41  * IPF stack instances
42  */
/*
 * Per-instance state for one IP Filter stack.  Holds the per-instance
 * copies of ipfilter's module state, grouped by the owning source file
 * (see the section comments below).  The [2]-sized arrays appear to be
 * indexed by direction (cf. the inbound/outbound kstat comment at the
 * end) -- TODO confirm against the users of each array.
 */
struct ipf_stack {
	/*
	 * List linkage of all instances.  ifs_pnext presumably points at
	 * the previous element's ifs_next so an instance can unlink itself
	 * -- confirm against the list code.
	 */
	struct ipf_stack	*ifs_next;
	struct ipf_stack	**ifs_pnext;
	/*
	 * NOTE(review): looks like the global-zone instance that controls
	 * this one when ifs_gz_controlled is set -- confirm.
	 */
	struct ipf_stack	*ifs_gz_cont_ifs;
	netid_t			ifs_netid;
	zoneid_t		ifs_zone;
	boolean_t		ifs_gz_controlled;

	/* ipf module */
	fr_info_t		ifs_frcache[2][8];

	filterstats_t		ifs_frstats[2];
	frentry_t		*ifs_ipfilter[2][2];
	frentry_t		*ifs_ipfilter6[2][2];
	frentry_t		*ifs_ipacct6[2][2];
	frentry_t		*ifs_ipacct[2][2];
#if 0 /* not used */
	frentry_t		*ifs_ipnatrules[2][2];
#endif
	frgroup_t		*ifs_ipfgroups[IPL_LOGSIZE][2];
	int			ifs_fr_refcnt;
	/*
	 * For fr_running:
	 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
	 */
	int			ifs_fr_running;
	int			ifs_fr_flags;
	int			ifs_fr_active;
	int			ifs_fr_control_forwarding;
	int			ifs_fr_update_ipid;
#if 0
	ushort_t		ifs_fr_ip_id;
#endif
	int			ifs_fr_chksrc;
	int			ifs_fr_minttl;
	int			ifs_fr_icmpminfragmtu;
	int			ifs_fr_pass;
	ulong_t			ifs_fr_frouteok[2];
	ulong_t			ifs_fr_userifqs;
	ulong_t			ifs_fr_badcoalesces[2];
	/*
	 * 32 bytes of secret key material.  NOTE(review): presumably seeds
	 * sequence-number generation -- confirm that it is filled from the
	 * kernel CSPRNG at instance init and is never copied out through
	 * ioctl or kstat paths.
	 */
	uchar_t			ifs_ipf_iss_secret[32];
	timeout_id_t		ifs_fr_timer_id;
#if 0
	timeout_id_t		ifs_synctimeoutid;
#endif
	int			ifs_ipf_locks_done;

	ipftoken_t		*ifs_ipftokenhead;
	ipftoken_t		**ifs_ipftokentail;

	/*
	 * Locks.  The acquisition order between these is not documented
	 * in this header; NOTE(review): confirm the ordering in the callers
	 * before nesting them or adding a new one.
	 */
	ipfmutex_t	ifs_ipl_mutex;
	ipfmutex_t	ifs_ipf_authmx;
	ipfmutex_t	ifs_ipf_rw;
	ipfmutex_t	ifs_ipf_timeoutlock;
	ipfrwlock_t	ifs_ipf_mutex;
	ipfrwlock_t	ifs_ipf_global;
	ipfrwlock_t	ifs_ipf_frcache;
	ipfrwlock_t	ifs_ip_poolrw;
	ipfrwlock_t	ifs_ipf_frag;
	ipfrwlock_t	ifs_ipf_state;
	ipfrwlock_t	ifs_ipf_nat;
	ipfrwlock_t	ifs_ipf_natfrag;
	ipfmutex_t	ifs_ipf_nat_new;
	ipfmutex_t	ifs_ipf_natio;
	ipfrwlock_t	ifs_ipf_auth;
	ipfmutex_t	ifs_ipf_stinsert;
	ipfrwlock_t	ifs_ipf_ipidfrag;
	ipfrwlock_t	ifs_ipf_tokens;
	kcondvar_t	ifs_iplwait;
	kcondvar_t	ifs_ipfauthwait;

	ipftuneable_t	*ifs_ipf_tuneables;
	ipftuneable_t	*ifs_ipf_tunelist;

	/* ip_fil_solaris.c */
	hook_t		*ifs_ipfhook4_in;
	hook_t		*ifs_ipfhook4_out;
	hook_t		*ifs_ipfhook4_loop_in;
	hook_t		*ifs_ipfhook4_loop_out;
	hook_t		*ifs_ipfhook4_nicevents;
	hook_t		*ifs_ipfhook6_in;
	hook_t		*ifs_ipfhook6_out;
	hook_t		*ifs_ipfhook6_loop_in;
	hook_t		*ifs_ipfhook6_loop_out;
	hook_t		*ifs_ipfhook6_nicevents;

	hook_t		*ifs_ipfhookviona_in;
	hook_t		*ifs_ipfhookviona_out;

	/*
	 * flags to indicate whether hooks are registered.  One flag per
	 * hook_t pointer above; keep the two sets in step when adding a
	 * hook so teardown can tell what it must unregister.
	 */
	boolean_t	ifs_hook4_physical_in;
	boolean_t	ifs_hook4_physical_out;
	boolean_t	ifs_hook4_nic_events;
	boolean_t	ifs_hook4_loopback_in;
	boolean_t	ifs_hook4_loopback_out;
	boolean_t	ifs_hook6_physical_in;
	boolean_t	ifs_hook6_physical_out;
	boolean_t	ifs_hook6_nic_events;
	boolean_t	ifs_hook6_loopback_in;
	boolean_t	ifs_hook6_loopback_out;
	boolean_t	ifs_hookviona_physical_in;
	boolean_t	ifs_hookviona_physical_out;

	int		ifs_ipf_loopback;
	net_handle_t	ifs_ipf_ipv4;
	net_handle_t	ifs_ipf_ipv6;
	net_handle_t	ifs_ipf_viona;

	/* ip_auth.c */
	int			ifs_fr_authsize;
	int			ifs_fr_authused;
	int			ifs_fr_defaultauthage;
	int			ifs_fr_auth_lock;
	int			ifs_fr_auth_init;
	fr_authstat_t		ifs_fr_authstats;
	frauth_t		*ifs_fr_auth;
	mb_t			**ifs_fr_authpkts;
	/* presumably ring indices into ifs_fr_auth/ifs_fr_authpkts -- confirm */
	int			ifs_fr_authstart;
	int			ifs_fr_authend;
	int			ifs_fr_authnext;
	frauthent_t		*ifs_fae_list;
	frentry_t		*ifs_ipauth;
	frentry_t		*ifs_fr_authlist;

	/* ip_frag.c */
	ipfr_t			*ifs_ipfr_list;
	ipfr_t			**ifs_ipfr_tail;
	ipfr_t			**ifs_ipfr_heads;

	ipfr_t			*ifs_ipfr_natlist;
	ipfr_t			**ifs_ipfr_nattail;
	ipfr_t			**ifs_ipfr_nattab;

	ipfr_t			*ifs_ipfr_ipidlist;
	ipfr_t			**ifs_ipfr_ipidtail;
	ipfr_t			**ifs_ipfr_ipidtab;

	ipfrstat_t		ifs_ipfr_stats;
	int			ifs_ipfr_inuse;
	int			ifs_ipfr_size;

	int			ifs_fr_ipfrttl;
	int			ifs_fr_frag_lock;
	int			ifs_fr_frag_init;
	ulong_t			ifs_fr_ticks;

	frentry_t		ifs_frblock;

	/* ip_htable.c */
	iphtable_t		*ifs_ipf_htables[IPL_LOGSIZE];
	ulong_t			ifs_ipht_nomem[IPL_LOGSIZE];
	ulong_t			ifs_ipf_nhtables[IPL_LOGSIZE];
	ulong_t			ifs_ipf_nhtnodes[IPL_LOGSIZE];

	/* ip_log.c */
	iplog_t			**ifs_iplh[IPL_LOGSIZE];
	iplog_t			*ifs_iplt[IPL_LOGSIZE];
	iplog_t			*ifs_ipll[IPL_LOGSIZE];
	int			ifs_iplused[IPL_LOGSIZE];
	fr_info_t		ifs_iplcrc[IPL_LOGSIZE];
	int			ifs_ipl_suppress;
	int			ifs_ipl_buffer_sz;
	int			ifs_ipl_logmax;
	int			ifs_ipl_logall;
	int			ifs_ipl_log_init;
	int			ifs_ipl_logsize;

	/* ip_lookup.c */
	ip_pool_stat_t		ifs_ippoolstat;
	int			ifs_ip_lookup_inited;

	/* ip_nat.c */
	/* nat_table[0] -> hashed list sorted by inside (ip, port) */
	/* nat_table[1] -> hashed list sorted by outside (ip, port) */
	nat_t			**ifs_nat_table[2];
	nat_t			*ifs_nat_instances;
	ipnat_t			*ifs_nat_list;
	uint_t			ifs_ipf_nattable_sz;
	uint_t			ifs_ipf_nattable_max;
	uint_t			ifs_ipf_natrules_sz;
	uint_t			ifs_ipf_rdrrules_sz;
	uint_t			ifs_ipf_hostmap_sz;
	/*
	 * NOTE(review): presumably caps the chain length of a single NAT
	 * hash bucket, with *_reset the value it is restored to -- confirm;
	 * if so it bounds the work an attacker can force per lookup.
	 */
	uint_t			ifs_fr_nat_maxbucket;
	uint_t			ifs_fr_nat_maxbucket_reset;
	uint32_t		ifs_nat_masks;
	uint32_t		ifs_rdr_masks;
	uint32_t		ifs_nat6_masks[4];
	uint32_t		ifs_rdr6_masks[4];
	ipnat_t			**ifs_nat_rules;
	ipnat_t			**ifs_rdr_rules;
	hostmap_t		**ifs_maptable;
	hostmap_t		*ifs_ipf_hm_maplist;

	ipftq_t			ifs_nat_tqb[IPF_TCP_NSTATES];
	ipftq_t			ifs_nat_udptq;
	ipftq_t			ifs_nat_icmptq;
	ipftq_t			ifs_nat_iptq;
	ipftq_t			*ifs_nat_utqe;
	int			ifs_nat_logging;
	ulong_t			ifs_fr_defnatage;
	ulong_t			ifs_fr_defnatipage;
	ulong_t			ifs_fr_defnaticmpage;
	natstat_t		ifs_nat_stats;
	int			ifs_fr_nat_lock;
	int			ifs_fr_nat_init;
	/*
	 * Flush thresholds; together with ifs_nat_last_force_flush and
	 * ifs_nat_doflush these look like the table-full forced-flush
	 * mechanism -- confirm the semantics of hi vs. lo in ip_nat.c.
	 */
	uint_t			ifs_nat_flush_level_hi;
	uint_t			ifs_nat_flush_level_lo;
	ulong_t			ifs_nat_last_force_flush;
	int			ifs_nat_doflush;

	/* ip_pool.c */
	ip_pool_stat_t		ifs_ipoolstat;
	ip_pool_t		*ifs_ip_pool_list[IPL_LOGSIZE];

	/* ip_proxy.c */
	ap_session_t		*ifs_ap_sess_list;
	aproxy_t		*ifs_ap_proxylist;
	aproxy_t		*ifs_ap_proxies; /* copy of lcl_ap_proxies */

	/* ip_state.c */
	ipstate_t		**ifs_ips_table;
	/* presumably per-bucket hash seed for ifs_ips_table -- confirm */
	ulong_t			*ifs_ips_seed;
	int			ifs_ips_num;
	/* state-table counterpart of the NAT flush fields above */
	ulong_t			ifs_ips_last_force_flush;
	uint_t			ifs_state_flush_level_hi;
	uint_t			ifs_state_flush_level_lo;
	ips_stat_t		ifs_ips_stats;

	ulong_t			ifs_fr_tcpidletimeout;
	ulong_t			ifs_fr_tcpclosewait;
	ulong_t			ifs_fr_tcplastack;
	ulong_t			ifs_fr_tcptimeout;
	ulong_t			ifs_fr_tcpclosed;
	ulong_t			ifs_fr_tcphalfclosed;
	ulong_t			ifs_fr_udptimeout;
	ulong_t			ifs_fr_udpacktimeout;
	ulong_t			ifs_fr_icmptimeout;
	ulong_t			ifs_fr_icmpacktimeout;
	int			ifs_fr_statemax;
	int			ifs_fr_statesize;
	int			ifs_fr_state_doflush;
	int			ifs_fr_state_lock;
	/* state-table counterpart of ifs_fr_nat_maxbucket{,_reset} */
	int			ifs_fr_state_maxbucket;
	int			ifs_fr_state_maxbucket_reset;
	int			ifs_fr_state_init;
	int			ifs_fr_enable_active;
	ipftq_t			ifs_ips_tqtqb[IPF_TCP_NSTATES];
	ipftq_t			ifs_ips_udptq;
	ipftq_t			ifs_ips_udpacktq;
	ipftq_t			ifs_ips_iptq;
	ipftq_t			ifs_ips_icmptq;
	ipftq_t			ifs_ips_icmpacktq;
	ipftq_t			ifs_ips_deletetq;
	ipftq_t			*ifs_ips_utqe;
	int			ifs_ipstate_logging;
	ipstate_t		*ifs_ips_list;
	ulong_t			ifs_fr_iptimeout;

	/* radix.c */
	int			ifs_max_keylen;
	struct radix_mask	*ifs_rn_mkfreelist;
	struct radix_node_head	*ifs_mask_rnhead;
	/* scratch keys; presumably sized by ifs_max_keylen -- confirm */
	char			*ifs_addmask_key;
	char			*ifs_rn_zeros;
	char			*ifs_rn_ones;
#ifdef KERNEL
	/* kstats for inbound and outbound */
	kstat_t			*ifs_kstatp[2];
#endif
};
313 
314 #endif	/* __IPF_STACK_H__ */