1 /* 2 * Copyright (C) 1993-2001, 2003 by Darren Reed. 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 * 6 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 7 * Use is subject to license terms. 8 */ 9 10 #pragma ident "%Z%%M% %I% %E% SMI" 11 12 #ifndef __IPF_STACK_H__ 13 #define __IPF_STACK_H__ 14 15 /* FIXME: appears needed for ip_proxy.h - tcpseq */ 16 #include <net/route.h> 17 #include <netinet/in.h> 18 #include <netinet/in_systm.h> 19 #include <netinet/ip.h> 20 #include <netinet/ip_var.h> 21 #include <netinet/tcp.h> 22 #include <netinet/udp.h> 23 #include <netinet/ip_icmp.h> 24 #include <netinet/tcpip.h> 25 26 #include "ip_compat.h" 27 #include "ip_fil.h" 28 #include "ip_nat.h" 29 #include "ip_frag.h" 30 #include "ip_state.h" 31 #include "ip_proxy.h" 32 #include "ip_auth.h" 33 #include "ip_lookup.h" 34 #include "ip_pool.h" 35 #include "ip_htable.h" 36 #include <net/radix.h> 37 #include <sys/neti.h> 38 #include <sys/hook.h> 39 40 /* 41 * IPF stack instances 42 */ 43 struct ipf_stack { 44 netstack_t *ifs_netstack; 45 46 /* ipf module */ 47 fr_info_t ifs_frcache[2][8]; 48 49 filterstats_t ifs_frstats[2]; 50 frentry_t *ifs_ipfilter[2][2]; 51 frentry_t *ifs_ipfilter6[2][2]; 52 frentry_t *ifs_ipacct6[2][2]; 53 frentry_t *ifs_ipacct[2][2]; 54 #if 0 /* not used */ 55 frentry_t *ifs_ipnatrules[2][2]; 56 #endif 57 frgroup_t *ifs_ipfgroups[IPL_LOGSIZE][2]; 58 int ifs_fr_refcnt; 59 /* 60 * For fr_running: 61 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading 62 */ 63 int ifs_fr_running; 64 int ifs_fr_flags; 65 int ifs_fr_active; 66 int ifs_fr_control_forwarding; 67 int ifs_fr_update_ipid; 68 #if 0 69 ushort_t ifs_fr_ip_id; 70 #endif 71 int ifs_fr_chksrc; 72 int ifs_fr_minttl; 73 int ifs_fr_icmpminfragmtu; 74 int ifs_fr_pass; 75 ulong_t ifs_fr_frouteok[2]; 76 ulong_t ifs_fr_userifqs; 77 ulong_t ifs_fr_badcoalesces[2]; 78 uchar_t ifs_ipf_iss_secret[32]; 79 timeout_id_t ifs_fr_timer_id; 80 #if 0 81 timeout_id_t ifs_synctimeoutid; 82 #endif 83 int ifs_ipf_locks_done; 84 85 ipftoken_t *ifs_ipftokenhead; 86 ipftoken_t **ifs_ipftokentail; 87 88 ipfmutex_t ifs_ipl_mutex; 89 ipfmutex_t ifs_ipf_authmx; 90 ipfmutex_t ifs_ipf_rw; 91 ipfmutex_t ifs_ipf_timeoutlock; 92 ipfrwlock_t ifs_ipf_mutex; 93 ipfrwlock_t ifs_ipf_global; 94 ipfrwlock_t ifs_ipf_frcache; 95 ipfrwlock_t ifs_ip_poolrw; 96 ipfrwlock_t ifs_ipf_frag; 97 ipfrwlock_t ifs_ipf_state; 98 ipfrwlock_t ifs_ipf_nat; 99 ipfrwlock_t ifs_ipf_natfrag; 100 ipfmutex_t ifs_ipf_nat_new; 101 ipfmutex_t ifs_ipf_natio; 102 ipfrwlock_t ifs_ipf_auth; 103 ipfmutex_t ifs_ipf_stinsert; 104 ipfrwlock_t ifs_ipf_ipidfrag; 105 ipfrwlock_t ifs_ipf_tokens; 106 kcondvar_t ifs_iplwait; 107 kcondvar_t ifs_ipfauthwait; 108 109 ipftuneable_t *ifs_ipf_tuneables; 110 ipftuneable_t *ifs_ipf_tunelist; 111 112 /* ip_fil_solaris.c */ 113 hook_t ifs_ipfhook_in; 114 hook_t ifs_ipfhook_out; 115 hook_t ifs_ipfhook_loop_in; 116 hook_t ifs_ipfhook_loop_out; 117 hook_t ifs_ipfhook_nicevents; 118 119 /* flags to indicate whether hooks are registered. */ 120 boolean_t ifs_hook4_physical_in; 121 boolean_t ifs_hook4_physical_out; 122 boolean_t ifs_hook4_nic_events; 123 boolean_t ifs_hook4_loopback_in; 124 boolean_t ifs_hook4_loopback_out; 125 boolean_t ifs_hook6_physical_in; 126 boolean_t ifs_hook6_physical_out; 127 boolean_t ifs_hook6_nic_events; 128 boolean_t ifs_hook6_loopback_in; 129 boolean_t ifs_hook6_loopback_out; 130 131 int ifs_ipf_loopback; 132 net_data_t ifs_ipf_ipv4; 133 net_data_t ifs_ipf_ipv6; 134 135 /* ip_auth.c */ 136 int ifs_fr_authsize; 137 int ifs_fr_authused; 138 int ifs_fr_defaultauthage; 139 int ifs_fr_auth_lock; 140 int ifs_fr_auth_init; 141 fr_authstat_t ifs_fr_authstats; 142 frauth_t *ifs_fr_auth; 143 mb_t **ifs_fr_authpkts; 144 int ifs_fr_authstart; 145 int ifs_fr_authend; 146 int ifs_fr_authnext; 147 frauthent_t *ifs_fae_list; 148 frentry_t *ifs_ipauth; 149 frentry_t *ifs_fr_authlist; 150 151 /* ip_frag.c */ 152 ipfr_t *ifs_ipfr_list; 153 ipfr_t **ifs_ipfr_tail; 154 ipfr_t **ifs_ipfr_heads; 155 156 ipfr_t *ifs_ipfr_natlist; 157 ipfr_t **ifs_ipfr_nattail; 158 ipfr_t **ifs_ipfr_nattab; 159 160 ipfr_t *ifs_ipfr_ipidlist; 161 ipfr_t **ifs_ipfr_ipidtail; 162 ipfr_t **ifs_ipfr_ipidtab; 163 164 ipfrstat_t ifs_ipfr_stats; 165 int ifs_ipfr_inuse; 166 int ifs_ipfr_size; 167 168 int ifs_fr_ipfrttl; 169 int ifs_fr_frag_lock; 170 int ifs_fr_frag_init; 171 ulong_t ifs_fr_ticks; 172 173 frentry_t ifs_frblock; 174 175 /* ip_htable.c */ 176 iphtable_t *ifs_ipf_htables[IPL_LOGSIZE]; 177 ulong_t ifs_ipht_nomem[IPL_LOGSIZE]; 178 ulong_t ifs_ipf_nhtables[IPL_LOGSIZE]; 179 ulong_t ifs_ipf_nhtnodes[IPL_LOGSIZE]; 180 181 /* ip_log.c */ 182 iplog_t **ifs_iplh[IPL_LOGSIZE]; 183 iplog_t *ifs_iplt[IPL_LOGSIZE]; 184 iplog_t *ifs_ipll[IPL_LOGSIZE]; 185 int ifs_iplused[IPL_LOGSIZE]; 186 fr_info_t ifs_iplcrc[IPL_LOGSIZE]; 187 int ifs_ipl_suppress; 188 int ifs_ipl_buffer_sz; 189 int ifs_ipl_logmax; 190 int ifs_ipl_logall; 191 int ifs_ipl_log_init; 192 int ifs_ipl_logsize; 193 194 /* ip_lookup.c */ 195 ip_pool_stat_t ifs_ippoolstat; 196 int ifs_ip_lookup_inited; 197 198 /* ip_nat.c */ 199 /* nat_table[0] -> hashed list sorted by inside (ip, port) */ 200 /* nat_table[1] -> hashed list sorted by outside (ip, port) */ 201 nat_t **ifs_nat_table[2]; 202 nat_t *ifs_nat_instances; 203 ipnat_t *ifs_nat_list; 204 uint_t ifs_ipf_nattable_sz; 205 uint_t ifs_ipf_nattable_max; 206 uint_t ifs_ipf_natrules_sz; 207 uint_t ifs_ipf_rdrrules_sz; 208 uint_t ifs_ipf_hostmap_sz; 209 uint_t ifs_fr_nat_maxbucket; 210 uint_t ifs_fr_nat_maxbucket_reset; 211 uint32_t ifs_nat_masks; 212 uint32_t ifs_rdr_masks; 213 ipnat_t **ifs_nat_rules; 214 ipnat_t **ifs_rdr_rules; 215 hostmap_t **ifs_maptable; 216 hostmap_t *ifs_ipf_hm_maplist; 217 218 ipftq_t ifs_nat_tqb[IPF_TCP_NSTATES]; 219 ipftq_t ifs_nat_udptq; 220 ipftq_t ifs_nat_icmptq; 221 ipftq_t ifs_nat_iptq; 222 ipftq_t *ifs_nat_utqe; 223 int ifs_nat_logging; 224 ulong_t ifs_fr_defnatage; 225 ulong_t ifs_fr_defnatipage; 226 ulong_t ifs_fr_defnaticmpage; 227 natstat_t ifs_nat_stats; 228 int ifs_fr_nat_lock; 229 int ifs_fr_nat_init; 230 uint_t ifs_nat_flush_lvl_hi; 231 uint_t ifs_nat_flush_lvl_lo; 232 ulong_t ifs_nat_last_force_flush; 233 int ifs_nat_doflush; 234 235 /* ip_pool.c */ 236 ip_pool_stat_t ifs_ipoolstat; 237 ip_pool_t *ifs_ip_pool_list[IPL_LOGSIZE]; 238 239 /* ip_proxy.c */ 240 ap_session_t *ifs_ap_sess_list; 241 aproxy_t *ifs_ap_proxylist; 242 aproxy_t *ifs_ap_proxies; /* copy of lcl_ap_proxies */ 243 244 /* ip_state.c */ 245 ipstate_t **ifs_ips_table; 246 ulong_t *ifs_ips_seed; 247 int ifs_ips_num; 248 ulong_t ifs_ips_last_force_flush; 249 ips_stat_t ifs_ips_stats; 250 251 ulong_t ifs_fr_tcpidletimeout; 252 ulong_t ifs_fr_tcpclosewait; 253 ulong_t ifs_fr_tcplastack; 254 ulong_t ifs_fr_tcptimeout; 255 ulong_t ifs_fr_tcpclosed; 256 ulong_t ifs_fr_tcphalfclosed; 257 ulong_t ifs_fr_udptimeout; 258 ulong_t ifs_fr_udpacktimeout; 259 ulong_t ifs_fr_icmptimeout; 260 ulong_t ifs_fr_icmpacktimeout; 261 int ifs_fr_statemax; 262 int ifs_fr_statesize; 263 int ifs_fr_state_doflush; 264 int ifs_fr_state_lock; 265 int ifs_fr_state_maxbucket; 266 int ifs_fr_state_maxbucket_reset; 267 int ifs_fr_state_init; 268 ipftq_t ifs_ips_tqtqb[IPF_TCP_NSTATES]; 269 ipftq_t ifs_ips_udptq; 270 ipftq_t ifs_ips_udpacktq; 271 ipftq_t ifs_ips_iptq; 272 ipftq_t ifs_ips_icmptq; 273 ipftq_t ifs_ips_icmpacktq; 274 ipftq_t ifs_ips_deletetq; 275 ipftq_t *ifs_ips_utqe; 276 int ifs_ipstate_logging; 277 ipstate_t *ifs_ips_list; 278 ulong_t ifs_fr_iptimeout; 279 280 /* radix.c */ 281 int ifs_max_keylen; 282 struct radix_mask *ifs_rn_mkfreelist; 283 struct radix_node_head *ifs_mask_rnhead; 284 char *ifs_addmask_key; 285 char *ifs_rn_zeros; 286 char *ifs_rn_ones; 287 #ifdef KERNEL 288 /* kstats for inbound and outbound */ 289 kstat_t *ifs_kstatp[2]; 290 #endif 291 }; 292 293 #endif /* __IPF_STACK_H__ */ 294