/*
 * Copyright (C) 1993-2001, 2003 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2018 Joyent, Inc.  All rights reserved.
 */

/*
 * ipf_stack.h - per-instance state for the IP Filter kernel module.
 *
 * Every piece of mutable module state (rule lists, NAT/state/fragment
 * tables, locks, tuneables, hook handles, statistics) lives in one
 * `struct ipf_stack` rather than in file-scope globals, so that several
 * instances can coexist in one kernel (one per IP network stack / zone,
 * judging by the ifs_netid / ifs_zone members below).  The member
 * groupings mirror the .c files that own them.
 */

#ifndef __IPF_STACK_H__
#define __IPF_STACK_H__

/* FIXME: appears needed for ip_proxy.h - tcpseq */
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/tcpip.h>

#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_frag.h"
#include "ip_state.h"
#include "ip_proxy.h"
#include "ip_auth.h"
#include "ip_lookup.h"
#include "ip_pool.h"
#include "ip_htable.h"
#include <net/radix.h>
#include <sys/neti.h>
#include <sys/hook.h>

/*
 * IPF stack instances
 *
 * NOTE(review): this struct is shared between kernel threads (packet
 * hooks, ioctl paths, the expiry timer).  The locks declared in the
 * "ipf module" section below are what serialise access; which lock
 * guards which member is not visible from this header and must be
 * checked against the owning .c file before touching a field.
 */
struct ipf_stack {
	/* Linkage of all instances; ifs_pnext is the back-pointer used for unlink. */
	struct ipf_stack *ifs_next;
	struct ipf_stack **ifs_pnext;
	/*
	 * ifs_gz_cont_ifs / ifs_gz_controlled: presumably link a non-global
	 * zone's instance to the global-zone instance that controls it.
	 * NOTE(review): this is a zone-isolation boundary — confirm that the
	 * ioctl path checks ifs_gz_controlled before letting a zone modify
	 * its own rules.
	 */
	struct ipf_stack *ifs_gz_cont_ifs;
	netid_t ifs_netid;		/* network-stack id this instance serves */
	zoneid_t ifs_zone;		/* zone id this instance serves */
	boolean_t ifs_gz_controlled;

	/* ipf module */
	fr_info_t ifs_frcache[2][8];	/* recent-packet rule cache, [in/out][slot] */

	filterstats_t ifs_frstats[2];	/* counters, [in/out] */
	/* Rule lists, indexed [set][in/out] (active/inactive set, see ifs_fr_active). */
	frentry_t *ifs_ipfilter[2][2];
	frentry_t *ifs_ipfilter6[2][2];
	frentry_t *ifs_ipacct6[2][2];
	frentry_t *ifs_ipacct[2][2];
#if 0 /* not used */
	frentry_t *ifs_ipnatrules[2][2];
#endif
	frgroup_t *ifs_ipfgroups[IPL_LOGSIZE][2];
	int ifs_fr_refcnt;		/* open-handle reference count on the module */
	/*
	 * For fr_running:
	 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
	 */
	int ifs_fr_running;
	int ifs_fr_flags;
	int ifs_fr_active;		/* presumably index of the live rule set (0/1) */
	int ifs_fr_control_forwarding;
	int ifs_fr_update_ipid;	/* presumably: rewrite IP-ID field on NAT'd packets */
#if 0
	ushort_t ifs_fr_ip_id;
#endif
	/*
	 * Per-instance policy knobs.  Exact semantics live in the tuneable
	 * table in the .c files; names suggest:
	 *   ifs_fr_chksrc         - reverse-path source address check
	 *   ifs_fr_minttl         - drop packets below this TTL
	 *   ifs_fr_icmpminfragmtu - smallest MTU accepted from ICMP frag-needed
	 *   ifs_fr_pass           - default verdict when no rule matches
	 * NOTE(review): ifs_fr_pass is the fail-open/fail-closed switch for
	 * the whole instance; confirm its initial value is "block".
	 */
	int ifs_fr_chksrc;
	int ifs_fr_minttl;
	int ifs_fr_icmpminfragmtu;
	int ifs_fr_pass;
	ulong_t ifs_fr_frouteok[2];	/* fastroute counters, [ok/failed] presumably */
	ulong_t ifs_fr_userifqs;
	ulong_t ifs_fr_badcoalesces[2];
	/*
	 * Keying material for TCP initial-sequence-number generation.
	 * NOTE(review): must be filled from a kernel CSPRNG when the instance
	 * is created and should be zeroed on teardown; neither is visible
	 * here - verify in the owning .c file.  Never expose via ioctl/kstat.
	 */
	uchar_t ifs_ipf_iss_secret[32];
	timeout_id_t ifs_fr_timer_id;	/* handle of the periodic expiry timeout */
#if 0
	timeout_id_t ifs_synctimeoutid;
#endif
	int ifs_ipf_locks_done;	/* non-zero once the locks below are initialised */

	/* ioctl iteration tokens (ipf_tokens lock below). */
	ipftoken_t *ifs_ipftokenhead;
	ipftoken_t **ifs_ipftokentail;

	/* Locks.  Mutexes vs. rwlocks as declared; coverage is per owning file. */
	ipfmutex_t ifs_ipl_mutex;
	ipfmutex_t ifs_ipf_authmx;
	ipfmutex_t ifs_ipf_rw;
	ipfmutex_t ifs_ipf_timeoutlock;
	ipfrwlock_t ifs_ipf_mutex;
	ipfrwlock_t ifs_ipf_global;
	ipfrwlock_t ifs_ipf_frcache;
	ipfrwlock_t ifs_ip_poolrw;
	ipfrwlock_t ifs_ipf_frag;
	ipfrwlock_t ifs_ipf_state;
	ipfrwlock_t ifs_ipf_nat;
	ipfrwlock_t ifs_ipf_natfrag;
	ipfmutex_t ifs_ipf_nat_new;
	ipfmutex_t ifs_ipf_natio;
	ipfrwlock_t ifs_ipf_auth;
	ipfmutex_t ifs_ipf_stinsert;
	ipfrwlock_t ifs_ipf_ipidfrag;
	ipfrwlock_t ifs_ipf_tokens;
	kcondvar_t ifs_iplwait;		/* log readers block here */
	kcondvar_t ifs_ipfauthwait;	/* auth readers block here */

	/* Tuneable table for this instance (copy, so instances differ). */
	ipftuneable_t *ifs_ipf_tuneables;
	ipftuneable_t *ifs_ipf_tunelist;

	/* ip_fil_solaris.c */
	/* Registered packet hooks, one set per protocol family. */
	hook_t *ifs_ipfhook4_in;
	hook_t *ifs_ipfhook4_out;
	hook_t *ifs_ipfhook4_loop_in;
	hook_t *ifs_ipfhook4_loop_out;
	hook_t *ifs_ipfhook4_nicevents;
	hook_t *ifs_ipfhook6_in;
	hook_t *ifs_ipfhook6_out;
	hook_t *ifs_ipfhook6_loop_in;
	hook_t *ifs_ipfhook6_loop_out;
	hook_t *ifs_ipfhook6_nicevents;

	/* viona hook family (2018 Joyent addition); no loopback/nicevents hooks. */
	hook_t *ifs_ipfhookviona_in;
	hook_t *ifs_ipfhookviona_out;

	/*
	 * flags to indicate whether hooks are registered.
	 * Kept separately from the hook_t pointers so teardown can tell
	 * "allocated" from "registered".
	 */
	boolean_t ifs_hook4_physical_in;
	boolean_t ifs_hook4_physical_out;
	boolean_t ifs_hook4_nic_events;
	boolean_t ifs_hook4_loopback_in;
	boolean_t ifs_hook4_loopback_out;
	boolean_t ifs_hook6_physical_in;
	boolean_t ifs_hook6_physical_out;
	boolean_t ifs_hook6_nic_events;
	boolean_t ifs_hook6_loopback_in;
	boolean_t ifs_hook6_loopback_out;
	boolean_t ifs_hookviona_physical_in;
	boolean_t ifs_hookviona_physical_out;

	int ifs_ipf_loopback;		/* presumably: filter loopback traffic too */
	/* Network-protocol handles obtained from the neti framework. */
	net_handle_t ifs_ipf_ipv4;
	net_handle_t ifs_ipf_ipv6;
	net_handle_t ifs_ipf_viona;

	/* ip_auth.c */
	/*
	 * Packet-authentication queue: ifs_fr_auth / ifs_fr_authpkts look
	 * like parallel ring buffers of ifs_fr_authsize entries, with
	 * start/end/next as ring indices.  NOTE(review): confirm index
	 * arithmetic wraps against ifs_fr_authsize everywhere it is used.
	 */
	int ifs_fr_authsize;
	int ifs_fr_authused;
	int ifs_fr_defaultauthage;
	int ifs_fr_auth_lock;
	int ifs_fr_auth_init;
	fr_authstat_t ifs_fr_authstats;
	frauth_t *ifs_fr_auth;
	mb_t **ifs_fr_authpkts;
	int ifs_fr_authstart;
	int ifs_fr_authend;
	int ifs_fr_authnext;
	frauthent_t *ifs_fae_list;
	frentry_t *ifs_ipauth;
	frentry_t *ifs_fr_authlist;

	/* ip_frag.c */
	/* Three fragment caches: filter, NAT, and IP-ID tracking. Each is a list plus hash heads. */
	ipfr_t *ifs_ipfr_list;
	ipfr_t **ifs_ipfr_tail;
	ipfr_t **ifs_ipfr_heads;

	ipfr_t *ifs_ipfr_natlist;
	ipfr_t **ifs_ipfr_nattail;
	ipfr_t **ifs_ipfr_nattab;

	ipfr_t *ifs_ipfr_ipidlist;
	ipfr_t **ifs_ipfr_ipidtail;
	ipfr_t **ifs_ipfr_ipidtab;

	ipfrstat_t ifs_ipfr_stats;
	int ifs_ipfr_inuse;		/* fragment entries currently held */
	int ifs_ipfr_size;		/* presumably hash-table size / entry cap */

	int ifs_fr_ipfrttl;		/* fragment-cache entry lifetime, in ticks presumably */
	int ifs_fr_frag_lock;
	int ifs_fr_frag_init;
	ulong_t ifs_fr_ticks;		/* instance tick counter driven by the timer */

	frentry_t ifs_frblock;		/* presumably a synthetic "block" rule used as a verdict */

	/* ip_htable.c */
	iphtable_t *ifs_ipf_htables[IPL_LOGSIZE];
	ulong_t ifs_ipht_nomem[IPL_LOGSIZE];
	ulong_t ifs_ipf_nhtables[IPL_LOGSIZE];
	ulong_t ifs_ipf_nhtnodes[IPL_LOGSIZE];

	/* ip_log.c */
	/* One log ring per log device (IPL_LOGSIZE devices). */
	iplog_t **ifs_iplh[IPL_LOGSIZE];
	iplog_t *ifs_iplt[IPL_LOGSIZE];
	iplog_t *ifs_ipll[IPL_LOGSIZE];
	int ifs_iplused[IPL_LOGSIZE];	/* bytes queued per device */
	fr_info_t ifs_iplcrc[IPL_LOGSIZE];	/* last-logged packet info, for duplicate suppression */
	int ifs_ipl_suppress;
	int ifs_ipl_buffer_sz;
	int ifs_ipl_logmax;		/* cap on queued log bytes; bounds memory under log floods */
	int ifs_ipl_logall;
	int ifs_ipl_log_init;
	int ifs_ipl_logsize;

	/* ip_lookup.c */
	ip_pool_stat_t ifs_ippoolstat;
	int ifs_ip_lookup_inited;

	/* ip_nat.c */
	/* nat_table[0] -> hashed list sorted by inside (ip, port) */
	/* nat_table[1] -> hashed list sorted by outside (ip, port) */
	nat_t **ifs_nat_table[2];
	nat_t *ifs_nat_instances;	/* all live NAT sessions */
	ipnat_t *ifs_nat_list;		/* configured NAT rules */
	uint_t ifs_ipf_nattable_sz;
	uint_t ifs_ipf_nattable_max;	/* session cap — resource-exhaustion bound */
	uint_t ifs_ipf_natrules_sz;
	uint_t ifs_ipf_rdrrules_sz;
	uint_t ifs_ipf_hostmap_sz;
	uint_t ifs_fr_nat_maxbucket;	/* per-bucket chain cap; limits hash-collision cost */
	uint_t ifs_fr_nat_maxbucket_reset;
	uint32_t ifs_nat_masks;
	uint32_t ifs_rdr_masks;
	uint32_t ifs_nat6_masks[4];	/* IPv6 variants: 128-bit mask as four words */
	uint32_t ifs_rdr6_masks[4];
	ipnat_t **ifs_nat_rules;
	ipnat_t **ifs_rdr_rules;
	hostmap_t **ifs_maptable;
	hostmap_t *ifs_ipf_hm_maplist;

	/* NAT expiry queues: one per TCP state, plus UDP / ICMP / other-IP. */
	ipftq_t ifs_nat_tqb[IPF_TCP_NSTATES];
	ipftq_t ifs_nat_udptq;
	ipftq_t ifs_nat_icmptq;
	ipftq_t ifs_nat_iptq;
	ipftq_t *ifs_nat_utqe;		/* user-defined timeout queues */
	int ifs_nat_logging;
	ulong_t ifs_fr_defnatage;
	ulong_t ifs_fr_defnatipage;
	ulong_t ifs_fr_defnaticmpage;
	natstat_t ifs_nat_stats;
	int ifs_fr_nat_lock;
	int ifs_fr_nat_init;
	/*
	 * High/low watermarks for forced flushing when the NAT table fills;
	 * presumably the mechanism that keeps a SYN/NAT flood from pinning
	 * the table at its cap.  ifs_nat_last_force_flush is the tick of
	 * the last such flush, ifs_nat_doflush a pending-flush flag.
	 */
	uint_t ifs_nat_flush_level_hi;
	uint_t ifs_nat_flush_level_lo;
	ulong_t ifs_nat_last_force_flush;
	int ifs_nat_doflush;

	/* ip_pool.c */
	ip_pool_stat_t ifs_ipoolstat;
	ip_pool_t *ifs_ip_pool_list[IPL_LOGSIZE];

	/* ip_proxy.c */
	ap_session_t *ifs_ap_sess_list;
	aproxy_t *ifs_ap_proxylist;
	aproxy_t *ifs_ap_proxies;	/* copy of lcl_ap_proxies */

	/* ip_state.c */
	ipstate_t **ifs_ips_table;	/* state hash table */
	/*
	 * Per-instance hash seed for ifs_ips_table.
	 * NOTE(review): presumably randomised so an attacker cannot craft
	 * colliding flows; confirm it is seeded from a CSPRNG, not a constant.
	 */
	ulong_t *ifs_ips_seed;
	int ifs_ips_num;		/* live state entries */
	ulong_t ifs_ips_last_force_flush;
	uint_t ifs_state_flush_level_hi;	/* watermarks, as for NAT above */
	uint_t ifs_state_flush_level_lo;
	ips_stat_t ifs_ips_stats;

	/* Idle/expiry timeouts per TCP state and per protocol class. */
	ulong_t ifs_fr_tcpidletimeout;
	ulong_t ifs_fr_tcpclosewait;
	ulong_t ifs_fr_tcplastack;
	ulong_t ifs_fr_tcptimeout;
	ulong_t ifs_fr_tcpclosed;
	ulong_t ifs_fr_tcphalfclosed;
	ulong_t ifs_fr_udptimeout;
	ulong_t ifs_fr_udpacktimeout;
	ulong_t ifs_fr_icmptimeout;
	ulong_t ifs_fr_icmpacktimeout;
	int ifs_fr_statemax;		/* state-entry cap — resource-exhaustion bound */
	int ifs_fr_statesize;
	int ifs_fr_state_doflush;
	int ifs_fr_state_lock;
	int ifs_fr_state_maxbucket;	/* per-bucket chain cap, as for NAT */
	int ifs_fr_state_maxbucket_reset;
	int ifs_fr_state_init;
	int ifs_fr_enable_active;
	ipftq_t ifs_ips_tqtqb[IPF_TCP_NSTATES];
	ipftq_t ifs_ips_udptq;
	ipftq_t ifs_ips_udpacktq;
	ipftq_t ifs_ips_iptq;
	ipftq_t ifs_ips_icmptq;
	ipftq_t ifs_ips_icmpacktq;
	ipftq_t ifs_ips_deletetq;	/* entries awaiting final removal */
	ipftq_t *ifs_ips_utqe;
	int ifs_ipstate_logging;
	ipstate_t *ifs_ips_list;
	ulong_t ifs_fr_iptimeout;

	/* radix.c */
	/* Per-instance copies of what radix.c would otherwise keep as globals. */
	int ifs_max_keylen;
	struct radix_mask *ifs_rn_mkfreelist;
	struct radix_node_head *ifs_mask_rnhead;
	char *ifs_addmask_key;
	char *ifs_rn_zeros;
	char *ifs_rn_ones;
#ifdef KERNEL
	/* kstats for inbound and outbound */
	kstat_t *ifs_kstatp[2];
#endif
};

#endif /* __IPF_STACK_H__ */