xref: /illumos-gate/usr/src/uts/common/inet/ipf/netinet/ip_proxy.h (revision 67d74cc3e7c9d9461311136a0b2069813a3fd927)
1 /*
2  * Copyright (C) 1997-2001 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * $Id: ip_proxy.h,v 2.31.2.3 2005/06/18 02:41:33 darrenr Exp $
7  *
8  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
9  * Use is subject to license terms.
10  */
11 
12 #ifndef	__IP_PROXY_H__
13 #define	__IP_PROXY_H__
14 
15 #ifdef	SOLARIS
16 #undef	SOLARIS
17 #endif
18 #if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
19 #define	SOLARIS	(1)
20 #else
21 #define	SOLARIS	(0)
22 #endif
23 
24 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
25 #define	SIOCPROXY	_IOWR('r', 64, struct ap_control)
26 #else
27 #define	SIOCPROXY	_IOWR(r, 64, struct ap_control)
28 #endif
29 
30 #ifndef	APR_LABELLEN
31 #define	APR_LABELLEN	16
32 #endif
33 #define	AP_SESS_SIZE	53
34 
35 struct	nat;
36 struct	ipnat;
37 struct	ipstate;
38 
39 typedef	struct	ap_tcp {
40 	u_short	apt_sport;	/* source port */
41 	u_short	apt_dport;	/* destination port */
42 	short	apt_sel[2];	/* {seq,ack}{off,min} set selector */
43 	short	apt_seqoff[2];	/* sequence # difference */
44 	u_32_t	apt_seqmin[2];	/* don't change seq-off until after this */
45 	short	apt_ackoff[2];	/* sequence # difference */
46 	u_32_t	apt_ackmin[2];	/* don't change seq-off until after this */
47 	u_char	apt_state[2];	/* connection state */
48 } ap_tcp_t;
49 
50 typedef	struct	ap_udp {
51 	u_short	apu_sport;	/* source port */
52 	u_short	apu_dport;	/* destination port */
53 } ap_udp_t;
54 
55 typedef	struct ap_session {
56 	struct	aproxy	*aps_apr;
57 	union {
58 		struct	ap_tcp	apu_tcp;
59 		struct	ap_udp	apu_udp;
60 	} aps_un;
61 	u_int	aps_flags;
62 	U_QUAD_T aps_bytes;	/* bytes sent */
63 	U_QUAD_T aps_pkts;	/* packets sent */
64 	void	*aps_nat;	/* pointer back to nat struct */
65 	void	*aps_data;	/* private data */
66 	int	aps_p;		/* protocol */
67 	int	aps_psiz;	/* size of private data */
68 	struct	ap_session	*aps_hnext;
69 	struct	ap_session	*aps_next;
70 } ap_session_t;
71 
72 #define	aps_sport	aps_un.apu_tcp.apt_sport
73 #define	aps_dport	aps_un.apu_tcp.apt_dport
74 #define	aps_sel		aps_un.apu_tcp.apt_sel
75 #define	aps_seqoff	aps_un.apu_tcp.apt_seqoff
76 #define	aps_seqmin	aps_un.apu_tcp.apt_seqmin
77 #define	aps_state	aps_un.apu_tcp.apt_state
78 #define	aps_ackoff	aps_un.apu_tcp.apt_ackoff
79 #define	aps_ackmin	aps_un.apu_tcp.apt_ackmin
80 
81 
82 typedef	struct	ap_control {
83 	char	apc_label[APR_LABELLEN];
84 	u_char	apc_p;
85 	/*
86 	 * The following fields are upto the proxy's apr_ctl routine to deal
87 	 * with.  When the proxy gets this in kernel space, apc_data will
88 	 * point to a malloc'd region of memory of apc_dsize bytes.  If the
89 	 * proxy wants to keep that memory, it must set apc_data to NULL
90 	 * before it returns.  It is expected if this happens that it will
91 	 * take care to free it in apr_fini or otherwise as appropriate.
92 	 * apc_cmd is provided as a standard place to put simple commands,
93 	 * with apc_arg being available to put a simple arg.
94 	 */
95 	u_long	apc_cmd;
96 	u_long	apc_arg;
97 	void	*apc_data;
98 	size_t	apc_dsize;
99 } ap_ctl_t;
100 
101 
102 typedef	struct	aproxy	{
103 	struct	aproxy	*apr_next;
104 	char	apr_label[APR_LABELLEN];	/* Proxy label # */
105 	u_char	apr_p;		/* protocol */
106 	int	apr_ref;	/* +1 per rule referencing it */
107 	int	apr_flags;
108 	void	*apr_private;	/* proxy private data */
109 	int	(* apr_init) __P((void **, ipf_stack_t *));
110 	void	(* apr_fini) __P((void **, ipf_stack_t *));
111 	int	(* apr_new) __P((fr_info_t *, ap_session_t *, struct nat *, void *));
112 	void	(* apr_del) __P((ap_session_t *, void *, ipf_stack_t *));
113 	int	(* apr_inpkt) __P((fr_info_t *, ap_session_t *, struct nat *, void *));
114 	int	(* apr_outpkt) __P((fr_info_t *, ap_session_t *, struct nat *, void *));
115 	int	(* apr_match) __P((fr_info_t *, ap_session_t *, struct nat *, void *));
116 	int	(* apr_ctl) __P((struct aproxy *, struct ap_control *, void *));
117 } aproxy_t;
118 
119 #define	APR_DELETE	1
120 
121 #define	APR_ERR(x)	((x) << 16)
122 #define	APR_EXIT(x)	(((x) >> 16) & 0xffff)
123 #define	APR_INC(x)	((x) & 0xffff)
124 
125 /*
126  * Generic #define's to cover missing things in the kernel
127  */
128 #ifndef isdigit
129 #define isdigit(x)	((x) >= '0' && (x) <= '9')
130 #endif
131 #ifndef isupper
132 #define isupper(x)	(((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
133 #endif
134 #ifndef islower
135 #define islower(x)	(((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
136 #endif
137 #ifndef isalpha
138 #define isalpha(x)	(isupper(x) || islower(x))
139 #endif
140 #ifndef toupper
141 #define toupper(x)	(isupper(x) ? (x) : (x) - 'a' + 'A')
142 #endif
143 #ifndef isspace
144 #define isspace(x)	(((x) == ' ') || ((x) == '\r') || ((x) == '\n') || \
145 			 ((x) == '\t') || ((x) == '\b'))
146 #endif
147 
148 /*
149  * This is the scratch buffer size used to hold strings from the TCP stream
150  * that we may want to parse.  It's an arbitrary size, really, but it must
151  * be at least as large as IPF_FTPBUFSZ.
152  */
153 #define	FTP_BUFSZ	120
154 
155 /*
156  * This buffer, however, doesn't need to be nearly so big.  It just needs to
157  * be able to squeeze in the largest command it needs to rewrite, Which ones
158  * does it rewrite? EPRT, PORT, 227 replies.
159  */
160 #define	IPF_FTPBUFSZ	80	/* This *MUST* be >= 53! */
161 
162 typedef struct  ftpside {
163 	char	*ftps_rptr;
164 	char	*ftps_wptr;
165 	void	*ftps_ifp;
166 	u_32_t	ftps_seq[2];
167 	u_32_t	ftps_len;
168 	int	ftps_junk;	/* 2 = no cr/lf yet, 1 = cannot parse */
169 	int	ftps_cmds;
170 	char	ftps_buf[FTP_BUFSZ];
171 } ftpside_t;
172 
173 typedef struct  ftpinfo {
174 	int 	  	ftp_passok;
175 	int		ftp_incok;
176 	ftpside_t	ftp_side[2];
177 } ftpinfo_t;
178 
179 
180 /*
181  * For the irc proxy.
182  */
183 typedef	struct	ircinfo {
184 	size_t	irc_len;
185 	char	*irc_snick;
186 	char	*irc_dnick;
187 	char	*irc_type;
188 	char	*irc_arg;
189 	char	*irc_addr;
190 	u_32_t	irc_ipnum;
191 	u_short	irc_port;
192 } ircinfo_t;
193 
194 
195 /*
196  * Real audio proxy structure and #defines
197  */
198 typedef	struct	raudio_s {
199 	int	rap_seenpna;
200 	int	rap_seenver;
201 	int	rap_version;
202 	int	rap_eos;	/* End Of Startup */
203 	int	rap_gotid;
204 	int	rap_gotlen;
205 	int	rap_mode;
206 	int	rap_sdone;
207 	u_short	rap_plport;
208 	u_short	rap_prport;
209 	u_short	rap_srport;
210 	char	rap_svr[19];
211 	u_32_t	rap_sbf;	/* flag to indicate which of the 19 bytes have
212 				 * been filled
213 				 */
214 	u_32_t	rap_sseq;
215 } raudio_t;
216 
217 #define	RA_ID_END	0
218 #define	RA_ID_UDP	1
219 #define	RA_ID_ROBUST	7
220 
221 #define	RAP_M_UDP	1
222 #define	RAP_M_ROBUST	2
223 #define	RAP_M_TCP	4
224 #define	RAP_M_UDP_ROBUST	(RAP_M_UDP|RAP_M_ROBUST)
225 
226 
227 /*
228  * MSN RPC proxy
229  */
230 typedef	struct	msnrpcinfo	{
231 	u_int		mri_flags;
232 	int		mri_cmd[2];
233 	u_int		mri_valid;
234 	struct	in_addr	mri_raddr;
235 	u_short		mri_rport;
236 } msnrpcinfo_t;
237 
238 
239 /*
240  * IPSec proxy
241  */
242 typedef	u_32_t	ipsec_cookie_t[2];
243 
244 typedef struct ipsec_pxy {
245 	ipsec_cookie_t	ipsc_icookie;
246 	ipsec_cookie_t	ipsc_rcookie;
247 	int		ipsc_rckset;
248 	ipnat_t		ipsc_rule;
249 	nat_t		*ipsc_nat;
250 	struct ipstate	*ipsc_state;
251 } ipsec_pxy_t;
252 
253 /*
254  * PPTP proxy
255  */
256 typedef	struct pptp_side {
257 	u_32_t		pptps_nexthdr;
258 	u_32_t		pptps_next;
259 	int		pptps_state;
260 	int		pptps_gothdr;
261 	int		pptps_len;
262 	int		pptps_bytes;
263 	char		*pptps_wptr;
264 	char		pptps_buffer[512];
265 } pptp_side_t;
266 
267 typedef	struct pptp_pxy {
268 	ipnat_t		pptp_rule;
269 	nat_t		*pptp_nat;
270 	struct ipstate	*pptp_state;
271 	u_short		pptp_call[2];
272 	pptp_side_t	pptp_side[2];
273 } pptp_pxy_t;
274 
275 
276 /*
277  * Sun RPCBIND proxy
278  */
279 #define RPCB_MAXMSG	888
280 #define RPCB_RES_PMAP	0	/* Response contains a v2 port. */
281 #define RPCB_RES_STRING	1	/* " " " v3 (GETADDR) string. */
282 #define RPCB_RES_LIST	2	/* " " " v4 (GETADDRLIST) list. */
283 #define RPCB_MAXREQS	32	/* Arbitrary limit on tracked transactions */
284 
285 #define RPCB_REQMIN	40
286 #define RPCB_REQMAX	888
287 #define RPCB_REPMIN	20
288 #define	RPCB_REPMAX	604	/* XXX double check this! */
289 
290 /*
291  * These macros determine the number of bytes between p and the end of
292  * r->rs_buf relative to l.
293  */
294 #define RPCB_BUF_END(r) (char *)((r)->rm_msgbuf + (r)->rm_buflen)
295 #define RPCB_BUF_GEQ(r, p, l)   \
296         ((RPCB_BUF_END((r)) > (char *)(p)) &&           \
297          ((RPCB_BUF_END((r)) - (char *)(p)) >= (l)))
298 #define	RPCB_BUF_EQ(r, p, l)                            \
299         (RPCB_BUF_END((r)) == ((char *)(p) + (l)))
300 
301 /*
302  * The following correspond to RPC(B) detailed in RFC183[13].
303  */
304 #define RPCB_CALL		0
305 #define RPCB_REPLY		1
306 #define RPCB_MSG_VERSION	2
307 #define RPCB_PROG		100000
308 #define RPCB_GETPORT		3
309 #define RPCB_GETADDR		3
310 #define RPCB_GETADDRLIST	11
311 #define RPCB_MSG_ACCEPTED	0
312 #define RPCB_MSG_DENIED		1
313 
314 /* BEGIN (Generic XDR structures) */
315 typedef struct xdr_string {
316 	u_32_t	*xs_len;
317 	char	*xs_str;
318 } xdr_string_t;
319 
320 typedef struct xdr_auth {
321 	/* u_32_t	xa_flavor; */
322 	xdr_string_t	xa_string;
323 } xdr_auth_t;
324 
325 typedef struct xdr_uaddr {
326 	u_32_t		xu_ip;
327 	u_short         xu_port;
328 	xdr_string_t	xu_str;
329 } xdr_uaddr_t;
330 
331 typedef	struct xdr_proto {
332 	u_int		xp_proto;
333 	xdr_string_t	xp_str;
334 } xdr_proto_t;
335 
336 #define xu_xslen	xu_str.xs_len
337 #define xu_xsstr	xu_str.xs_str
338 #define	xp_xslen	xp_str.xs_len
339 #define xp_xsstr	xp_str.xs_str
340 /* END (Generic XDR structures) */
341 
342 /* BEGIN (RPC call structures) */
343 typedef struct pmap_args {
344 	/* u_32_t	pa_prog; */
345 	/* u_32_t	pa_vers; */
346 	u_32_t		*pa_prot;
347 	/* u_32_t	pa_port; */
348 } pmap_args_t;
349 
350 typedef struct rpcb_args {
351 	/* u_32_t	*ra_prog; */
352 	/* u_32_t	*ra_vers; */
353 	xdr_proto_t	ra_netid;
354 	xdr_uaddr_t	ra_maddr;
355 	/* xdr_string_t	ra_owner; */
356 } rpcb_args_t;
357 
358 typedef struct rpc_call {
359 	/* u_32_t	rc_rpcvers; */
360 	/* u_32_t	rc_prog; */
361 	u_32_t	*rc_vers;
362 	u_32_t	*rc_proc;
363 	xdr_auth_t	rc_authcred;
364 	xdr_auth_t	rc_authverf;
365 	union {
366 		pmap_args_t	ra_pmapargs;
367 		rpcb_args_t	ra_rpcbargs;
368 	} rpcb_args;
369 } rpc_call_t;
370 
371 #define	rc_pmapargs	rpcb_args.ra_pmapargs
372 #define rc_rpcbargs	rpcb_args.ra_rpcbargs
373 /* END (RPC call structures) */
374 
375 /* BEGIN (RPC reply structures) */
376 typedef struct rpcb_entry {
377 	xdr_uaddr_t	re_maddr;
378 	xdr_proto_t	re_netid;
379 	/* u_32_t	re_semantics; */
380 	xdr_string_t	re_family;
381 	xdr_proto_t	re_proto;
382 	u_32_t		*re_more; /* 1 == another entry follows */
383 } rpcb_entry_t;
384 
385 typedef struct rpcb_listp {
386 	u_32_t		*rl_list; /* 1 == list follows */
387 	int		rl_cnt;
388 	rpcb_entry_t	rl_entries[2]; /* TCP / UDP only */
389 } rpcb_listp_t;
390 
391 typedef struct rpc_resp {
392 	/* u_32_t	rr_acceptdeny; */
393 	/* Omitted 'message denied' fork; we don't care about rejects. */
394 	xdr_auth_t	rr_authverf;
395 	/* u_32_t		*rr_astat;	*/
396 	union {
397 		u_32_t		*resp_pmap;
398 		xdr_uaddr_t	resp_getaddr;
399 		rpcb_listp_t	resp_getaddrlist;
400 	} rpcb_reply;
401 } rpc_resp_t;
402 
403 #define	rr_v2	rpcb_reply.resp_pmap
404 #define rr_v3	rpcb_reply.resp_getaddr
405 #define	rr_v4	rpcb_reply.resp_getaddrlist
406 /* END (RPC reply structures) */
407 
408 /* BEGIN (RPC message structure & macros) */
409 typedef struct rpc_msg {
410 	char	rm_msgbuf[RPCB_MAXMSG];	/* RPCB data buffer */
411 	u_int	rm_buflen;
412 	u_32_t	*rm_xid;
413 	/* u_32_t Call vs Reply */
414 	union {
415 		rpc_call_t	rb_call;
416 		rpc_resp_t	rb_resp;
417 	} rm_body;
418 } rpc_msg_t;
419 
420 #define rm_call		rm_body.rb_call
421 #define rm_resp		rm_body.rb_resp
422 /* END (RPC message structure & macros) */
423 
424 /*
425  * These code paths aren't hot enough to warrant per transaction
426  * mutexes.
427  */
428 typedef struct rpcb_xact {
429 	struct	rpcb_xact	*rx_next;
430 	struct	rpcb_xact	**rx_pnext;
431 	u_32_t	rx_xid;		/* RPC transmission ID */
432 	u_int	rx_type;	/* RPCB response type */
433 	u_int	rx_ref;         /* reference count */
434 	u_int	rx_proto;	/* transport protocol (v2 only) */
435 } rpcb_xact_t;
436 
437 typedef struct rpcb_session {
438         ipfmutex_t	rs_rxlock;
439 	rpcb_xact_t	*rs_rxlist;
440 } rpcb_session_t;
441 
442 /*
443  * For an explanation, please see the following:
444  *   RFC1832 - Sections 3.11, 4.4, and 4.5.
445  */
446 #define XDRALIGN(x)	((((x) % 4) != 0) ? ((((x) + 3) / 4) * 4) : (x))
447 
448 extern	int	appr_add __P((aproxy_t *, ipf_stack_t *));
449 extern	int	appr_ctl __P((ap_ctl_t *, ipf_stack_t *));
450 extern	int	appr_del __P((aproxy_t *, ipf_stack_t *));
451 extern	int	appr_init __P((ipf_stack_t *));
452 extern	void	appr_unload __P((ipf_stack_t *));
453 extern	int	appr_ok __P((fr_info_t *, tcphdr_t *, struct ipnat *));
454 extern	int	appr_match __P((fr_info_t *, struct nat *));
455 extern	void	appr_free __P((aproxy_t *));
456 extern	void	aps_free __P((ap_session_t *, ipf_stack_t *));
457 extern	int	appr_check __P((fr_info_t *, struct nat *));
458 extern	aproxy_t	*appr_lookup __P((u_int, char *, ipf_stack_t *));
459 extern	int	appr_new __P((fr_info_t *, struct nat *));
460 extern	int	appr_ioctl __P((caddr_t, ioctlcmd_t, int, ipf_stack_t *));
461 
462 #endif /* __IP_PROXY_H__ */
463