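/*
 * Copyright (C) 1997-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * $Id: ip_proxy.h,v 2.31.2.3 2005/06/18 02:41:33 darrenr Exp $
 */

/*
 * ip_proxy.h - shared definitions for the IPFilter application proxies
 * (generic proxy/session framework plus the per-proxy private state
 * structures for FTP, IRC, RealAudio, MSN RPC, IPsec, PPTP and RPCBIND).
 */

#ifndef __IP_PROXY_H__
#define __IP_PROXY_H__

#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif

/*
 * ioctl that hands a struct ap_control to a proxy's apr_ctl routine.
 * Compilers without __STDC__ get the unquoted form of the type character.
 */
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
#define SIOCPROXY _IOWR('r', 64, struct ap_control)
#else
#define SIOCPROXY _IOWR(r, 64, struct ap_control)
#endif

#ifndef APR_LABELLEN
#define APR_LABELLEN 16		/* length of apr_label / apc_label */
#endif
#define AP_SESS_SIZE 53		/* number of slots in ap_sess_tab */

struct nat;
struct ipnat;
struct ipstate;

/*
 * Per-session TCP state kept by the proxy layer.  The [2] arrays are
 * indexed per direction; apt_sel picks which {seq,ack}{off,min} pair is
 * currently in effect.
 */
typedef struct ap_tcp {
	u_short	apt_sport;	/* source port */
	u_short	apt_dport;	/* destination port */
	short	apt_sel[2];	/* {seq,ack}{off,min} set selector */
	short	apt_seqoff[2];	/* sequence # difference */
	u_32_t	apt_seqmin[2];	/* don't change seq-off until after this */
	short	apt_ackoff[2];	/* sequence # difference */
	u_32_t	apt_ackmin[2];	/* don't change seq-off until after this */
	u_char	apt_state[2];	/* connection state */
} ap_tcp_t;

/*
 * Per-session UDP state.  The first two members deliberately mirror
 * ap_tcp so the aps_sport/aps_dport aliases below work for both.
 */
typedef struct ap_udp {
	u_short	apu_sport;	/* source port */
	u_short	apu_dport;	/* destination port */
} ap_udp_t;

/*
 * One proxied session.  Linked both into the ap_sess_tab slot chain
 * (aps_hnext) and into the global ap_sess_list (aps_next).
 */
typedef struct ap_session {
	struct aproxy	*aps_apr;	/* proxy that owns this session */
	union {
		struct ap_tcp	apu_tcp;
		struct ap_udp	apu_udp;
	} aps_un;
	u_int	aps_flags;
	U_QUAD_T aps_bytes;	/* bytes sent */
	U_QUAD_T aps_pkts;	/* packets sent */
	void	*aps_nat;	/* pointer back to nat struct */
	void	*aps_data;	/* private data */
	int	aps_p;		/* protocol */
	int	aps_psiz;	/* size of private data */
	struct ap_session	*aps_hnext;
	struct ap_session	*aps_next;
} ap_session_t;

/*
 * Accessors for the union above.  They all go through apu_tcp; the port
 * aliases are also valid for UDP sessions because ap_udp starts with the
 * same two u_short members (common initial sequence).  The seq/ack
 * aliases are only meaningful when aps_p is TCP.
 */
#define	aps_sport	aps_un.apu_tcp.apt_sport
#define	aps_dport	aps_un.apu_tcp.apt_dport
#define	aps_sel		aps_un.apu_tcp.apt_sel
#define	aps_seqoff	aps_un.apu_tcp.apt_seqoff
#define	aps_seqmin	aps_un.apu_tcp.apt_seqmin
#define	aps_state	aps_un.apu_tcp.apt_state
#define	aps_ackoff	aps_un.apu_tcp.apt_ackoff
#define	aps_ackmin	aps_un.apu_tcp.apt_ackmin


/*
 * Control block passed from userland through SIOCPROXY.
 */
typedef struct ap_control {
	char	apc_label[APR_LABELLEN];
	u_char	apc_p;
	/*
	 * The following fields are upto the proxy's apr_ctl routine to deal
	 * with.  When the proxy gets this in kernel space, apc_data will
	 * point to a malloc'd region of memory of apc_dsize bytes.  If the
	 * proxy wants to keep that memory, it must set apc_data to NULL
	 * before it returns.  It is expected if this happens that it will
	 * take care to free it in apr_fini or otherwise as appropriate.
	 * apc_cmd is provided as a standard place to put simple commands,
	 * with apc_arg being available to put a simple arg.
	 *
	 * NOTE(review): apc_dsize and the apc_data pointer arrive from
	 * userland, so the ioctl path that allocates and copies apc_dsize
	 * bytes needs to bound apc_dsize before trusting it - confirm in
	 * appr_ioctl/appr_ctl, which are not part of this header.
	 */
	u_long	apc_cmd;
	u_long	apc_arg;
	void	*apc_data;
	size_t	apc_dsize;
} ap_ctl_t;


/*
 * One registered proxy.  The function pointers are the hooks the proxy
 * framework calls; the exact contract of each is defined by the proxy
 * implementations and ip_proxy.c, not here.
 */
typedef struct aproxy {
	struct aproxy	*apr_next;
	char	apr_label[APR_LABELLEN];	/* Proxy label # */
	u_char	apr_p;		/* protocol */
	int	apr_ref;	/* +1 per rule referencing it */
	int	apr_flags;
	int	(* apr_init) __P((void));
	void	(* apr_fini) __P((void));
	int	(* apr_new) __P((fr_info_t *, ap_session_t *, struct nat *));
	void	(* apr_del) __P((ap_session_t *));
	int	(* apr_inpkt) __P((fr_info_t *, ap_session_t *, struct nat *));
	int	(* apr_outpkt) __P((fr_info_t *, ap_session_t *, struct nat *));
	int	(* apr_match) __P((fr_info_t *, ap_session_t *, struct nat *));
	int	(* apr_ctl) __P((struct aproxy *, struct ap_control *));
} aproxy_t;

#define	APR_DELETE	1

/*
 * A proxy hook's return value packs an exit code in the upper 16 bits and
 * an increment in the lower 16 bits.  APR_EXIT() only recovers 16 bits,
 * and left-shifting a negative value is undefined, so x must be a
 * non-negative value that fits in 16 bits.
 */
#define	APR_ERR(x)	((x) << 16)
#define	APR_EXIT(x)	(((x) >> 16) & 0xffff)
#define	APR_INC(x)	((x) & 0xffff)

/*
 * Generic #define's to cover missing things in the kernel.
 * These are macros, so each one may evaluate its argument more than once;
 * do not pass expressions with side effects.  Note that this isspace()
 * treats '\b' as space and does not know '\f' or '\v', unlike <ctype.h>.
 */
#ifndef isdigit
#define isdigit(x) ((x) >= '0' && (x) <= '9')
#endif
#ifndef isupper
#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
#endif
#ifndef islower
#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
#endif
#ifndef isalpha
#define isalpha(x) (isupper(x) || islower(x))
#endif
#ifndef toupper
/*
 * Only lower-case letters are shifted; anything else (digits, punctuation,
 * already upper-case) is returned unchanged, matching <ctype.h> toupper().
 */
#define toupper(x) (islower(x) ? (x) - 'a' + 'A' : (x))
#endif
#ifndef isspace
#define isspace(x) (((x) == ' ') || ((x) == '\r') || ((x) == '\n') || \
		    ((x) == '\t') || ((x) == '\b'))
#endif

/*
 * This is the scratch buffer size used to hold strings from the TCP stream
 * that we may want to parse.  It's an arbitrary size, really, but it must
 * be at least as large as IPF_FTPBUFSZ.
 */
#define	FTP_BUFSZ	120

/*
 * This buffer, however, doesn't need to be nearly so big.  It just needs to
 * be able to squeeze in the largest command it needs to rewrite, Which ones
 * does it rewrite?  EPRT, PORT, 227 replies.
 */
#define	IPF_FTPBUFSZ	80	/* This *MUST* be >= 53! */

/* Enforce the two invariants documented above at compile time. */
#if IPF_FTPBUFSZ < 53
#error "IPF_FTPBUFSZ must be at least 53"
#endif
#if FTP_BUFSZ < IPF_FTPBUFSZ
#error "FTP_BUFSZ must be at least IPF_FTPBUFSZ"
#endif

/*
 * One direction of an FTP control connection.
 */
typedef struct ftpside {
	char	*ftps_rptr;
	char	*ftps_wptr;
	void	*ftps_ifp;
	u_32_t	ftps_seq[2];
	u_32_t	ftps_len;
	int	ftps_junk;	/* 2 = no cr/lf yet, 1 = cannot parse */
	int	ftps_cmds;
	char	ftps_buf[FTP_BUFSZ];
} ftpside_t;

typedef struct ftpinfo {
	int 	  	ftp_passok;
	int		ftp_incok;
	ftpside_t	ftp_side[2];
} ftpinfo_t;


/*
 * For the irc proxy.
 */
typedef struct ircinfo {
	size_t	irc_len;
	char	*irc_snick;
	char	*irc_dnick;
	char	*irc_type;
	char	*irc_arg;
	char	*irc_addr;
	u_32_t	irc_ipnum;
	u_short	irc_port;
} ircinfo_t;


/*
 * Real audio proxy structure and #defines
 */
typedef struct raudio_s {
	int	rap_seenpna;
	int	rap_seenver;
	int	rap_version;
	int	rap_eos;	/* End Of Startup */
	int	rap_gotid;
	int	rap_gotlen;
	int	rap_mode;
	int	rap_sdone;
	u_short	rap_plport;
	u_short	rap_prport;
	u_short	rap_srport;
	char	rap_svr[19];
	u_32_t	rap_sbf;	/* flag to indicate which of the 19 bytes have
				 * been filled
				 */
	u_32_t	rap_sseq;
} raudio_t;

#define	RA_ID_END	0
#define	RA_ID_UDP	1
#define	RA_ID_ROBUST	7

#define	RAP_M_UDP	1
#define	RAP_M_ROBUST	2
#define	RAP_M_TCP	4
#define	RAP_M_UDP_ROBUST	(RAP_M_UDP|RAP_M_ROBUST)


/*
 * MSN RPC proxy
 */
typedef struct msnrpcinfo {
	u_int		mri_flags;
	int		mri_cmd[2];
	u_int		mri_valid;
	struct	in_addr	mri_raddr;
	u_short		mri_rport;
} msnrpcinfo_t;


/*
 * IPSec proxy
 */
typedef u_32_t ipsec_cookie_t[2];

typedef struct ipsec_pxy {
	ipsec_cookie_t	ipsc_icookie;
	ipsec_cookie_t	ipsc_rcookie;
	int		ipsc_rckset;
	ipnat_t		ipsc_rule;
	nat_t		*ipsc_nat;
	struct ipstate	*ipsc_state;
} ipsec_pxy_t;

/*
 * PPTP proxy
 */
typedef struct pptp_side {
	u_32_t	pptps_nexthdr;
	u_32_t	pptps_next;
	int	pptps_state;
	int	pptps_gothdr;
	int	pptps_len;
	int	pptps_bytes;
	char	*pptps_wptr;
	char	pptps_buffer[512];
} pptp_side_t;

typedef struct pptp_pxy {
	ipnat_t		pptp_rule;
	nat_t		*pptp_nat;
	struct ipstate	*pptp_state;
	u_short		pptp_call[2];
	pptp_side_t	pptp_side[2];
} pptp_pxy_t;


/*
 * Sun RPCBIND proxy
 */
#define	RPCB_MAXMSG	888
#define	RPCB_RES_PMAP	0	/* Response contains a v2 port. */
#define	RPCB_RES_STRING	1	/* "   "    "   " v3 (GETADDR) string. */
#define	RPCB_RES_LIST	2	/* "   "    "   " v4 (GETADDRLIST) list. */
#define	RPCB_MAXREQS	32	/* Arbitrary limit on tracked transactions */

#define	RPCB_REQMIN	40
#define	RPCB_REQMAX	888
#define	RPCB_REPMIN	20
#define	RPCB_REPMAX	604	/* XXX double check this! */

/*
 * Bounds helpers for walking an rpc_msg_t.  RPCB_BUF_END() is one past
 * the last valid byte of r->rm_msgbuf; RPCB_BUF_GEQ() is true when p lies
 * before that end and at least l bytes remain after p; RPCB_BUF_EQ() is
 * true when p + l lands exactly on the end.  p must point into
 * rm_msgbuf (or one past it) for the pointer arithmetic to be defined.
 */
#define	RPCB_BUF_END(r)	((char *)((r)->rm_msgbuf + (r)->rm_buflen))
#define	RPCB_BUF_GEQ(r, p, l)	\
	((RPCB_BUF_END((r)) > (char *)(p)) &&		\
	 ((RPCB_BUF_END((r)) - (char *)(p)) >= (l)))
#define	RPCB_BUF_EQ(r, p, l)	\
	(RPCB_BUF_END((r)) == ((char *)(p) + (l)))

/*
 * The following correspond to RPC(B) detailed in RFC183[13].
 */
#define	RPCB_CALL		0
#define	RPCB_REPLY		1
#define	RPCB_MSG_VERSION	2
#define	RPCB_PROG		100000
#define	RPCB_GETPORT		3
#define	RPCB_GETADDR		3
#define	RPCB_GETADDRLIST	11
#define	RPCB_MSG_ACCEPTED	0
#define	RPCB_MSG_DENIED		1

/*
 * BEGIN (Generic XDR structures)
 * The pointer members point into rm_msgbuf of the enclosing rpc_msg_t;
 * the commented-out members are fields the proxy parses past but does
 * not keep.
 */
typedef struct xdr_string {
	u_32_t	*xs_len;
	char	*xs_str;
} xdr_string_t;

typedef struct xdr_auth {
	/* u_32_t	xa_flavor; */
	xdr_string_t	xa_string;
} xdr_auth_t;

typedef struct xdr_uaddr {
	u_32_t		xu_ip;
	u_short		xu_port;
	xdr_string_t	xu_str;
} xdr_uaddr_t;

typedef struct xdr_proto {
	u_int		xp_proto;
	xdr_string_t	xp_str;
} xdr_proto_t;

#define	xu_xslen	xu_str.xs_len
#define	xu_xsstr	xu_str.xs_str
#define	xp_xslen	xp_str.xs_len
#define	xp_xsstr	xp_str.xs_str
/* END (Generic XDR structures) */

/* BEGIN (RPC call structures) */
typedef struct pmap_args {
	/* u_32_t	pa_prog; */
	/* u_32_t	pa_vers; */
	u_32_t		*pa_prot;
	/* u_32_t	pa_port; */
} pmap_args_t;

typedef struct rpcb_args {
	/* u_32_t	*ra_prog; */
	/* u_32_t	*ra_vers; */
	xdr_proto_t	ra_netid;
	xdr_uaddr_t	ra_maddr;
	/* xdr_string_t	ra_owner; */
} rpcb_args_t;

typedef struct rpc_call {
	/* u_32_t	rc_rpcvers; */
	/* u_32_t	rc_prog; */
	u_32_t		*rc_vers;
	u_32_t		*rc_proc;
	xdr_auth_t	rc_authcred;
	xdr_auth_t	rc_authverf;
	union {
		pmap_args_t	ra_pmapargs;
		rpcb_args_t	ra_rpcbargs;
	} rpcb_args;
} rpc_call_t;

#define	rc_pmapargs	rpcb_args.ra_pmapargs
#define	rc_rpcbargs	rpcb_args.ra_rpcbargs
/* END (RPC call structures) */

/* BEGIN (RPC reply structures) */
typedef struct rpcb_entry {
	xdr_uaddr_t	re_maddr;
	xdr_proto_t	re_netid;
	/* u_32_t	re_semantics; */
	xdr_string_t	re_family;
	xdr_proto_t	re_proto;
	u_32_t		*re_more;	/* 1 == another entry follows */
} rpcb_entry_t;

typedef struct rpcb_listp {
	u_32_t		*rl_list;	/* 1 == list follows */
	int		rl_cnt;
	rpcb_entry_t	rl_entries[2];	/* TCP / UDP only */
} rpcb_listp_t;

typedef struct rpc_resp {
	/* u_32_t	rr_acceptdeny; */
	/* Omitted 'message denied' fork; we don't care about rejects. */
	xdr_auth_t	rr_authverf;
	/* u_32_t	*rr_astat; */
	union {
		u_32_t		*resp_pmap;
		xdr_uaddr_t	resp_getaddr;
		rpcb_listp_t	resp_getaddrlist;
	} rpcb_reply;
} rpc_resp_t;

#define	rr_v2	rpcb_reply.resp_pmap
#define	rr_v3	rpcb_reply.resp_getaddr
#define	rr_v4	rpcb_reply.resp_getaddrlist
/* END (RPC reply structures) */

/* BEGIN (RPC message structure & macros) */
typedef struct rpc_msg {
	char		rm_msgbuf[RPCB_MAXMSG];	/* RPCB data buffer */
	u_int		rm_buflen;		/* bytes of rm_msgbuf in use */
	u_32_t		*rm_xid;
	/* u_32_t	Call vs Reply */
	union {
		rpc_call_t	rb_call;
		rpc_resp_t	rb_resp;
	} rm_body;
} rpc_msg_t;

#define	rm_call	rm_body.rb_call
#define	rm_resp	rm_body.rb_resp
/* END (RPC message structure & macros) */

/*
 * These code paths aren't hot enough to warrant per transaction
 * mutexes.  A transaction is protected by the owning session's
 * rs_rxlock instead.
 */
typedef struct rpcb_xact {
	struct	rpcb_xact	*rx_next;
	struct	rpcb_xact	**rx_pnext;
	u_32_t	rx_xid;		/* RPC transmission ID */
	u_int	rx_type;	/* RPCB response type */
	u_int	rx_ref;		/* reference count */
	u_int	rx_proto;	/* transport protocol (v2 only) */
} rpcb_xact_t;

typedef struct rpcb_session {
	ipfmutex_t	rs_rxlock;
	rpcb_xact_t	*rs_rxlist;
} rpcb_session_t;

/*
 * Round x up to the next multiple of 4 (XDR item alignment).
 * For an explanation, please see the following:
 * RFC1832 - Sections 3.11, 4.4, and 4.5.
 */
#define XDRALIGN(x)	((((x) % 4) != 0) ? ((((x) + 3) / 4) * 4) : (x))

extern	ap_session_t	*ap_sess_tab[AP_SESS_SIZE];
extern	ap_session_t	*ap_sess_list;
extern	aproxy_t	ap_proxies[];
extern	int		ippr_ftp_pasvonly;

extern	int	appr_add __P((aproxy_t *));
extern	int	appr_ctl __P((ap_ctl_t *));
extern	int	appr_del __P((aproxy_t *));
extern	int	appr_init __P((void));
extern	void	appr_unload __P((void));
extern	int	appr_ok __P((fr_info_t *, tcphdr_t *, struct ipnat *));
extern	int	appr_match __P((fr_info_t *, struct nat *));
extern	void	appr_free __P((aproxy_t *));
extern	void	aps_free __P((ap_session_t *));
extern	int	appr_check __P((fr_info_t *, struct nat *));
extern	aproxy_t	*appr_lookup __P((u_int, char *));
extern	int	appr_new __P((fr_info_t *, struct nat *));
extern	int	appr_ioctl __P((caddr_t, ioctlcmd_t, int));

#endif /* __IP_PROXY_H__ */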