1 /*
2  * Copyright (C) 1993-2001, 2003 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  */
9 
10 #ifndef	__IPF_STACK_H__
11 #define	__IPF_STACK_H__
12 
/* FIXME: appears to be needed by ip_proxy.h (tcpseq) */
14 #include <net/route.h>
15 #include <netinet/in.h>
16 #include <netinet/in_systm.h>
17 #include <netinet/ip.h>
18 #include <netinet/ip_var.h>
19 #include <netinet/tcp.h>
20 #include <netinet/udp.h>
21 #include <netinet/ip_icmp.h>
22 #include <netinet/tcpip.h>
23 
24 #include "ip_compat.h"
25 #include "ip_fil.h"
26 #include "ip_nat.h"
27 #include "ip_frag.h"
28 #include "ip_state.h"
29 #include "ip_proxy.h"
30 #include "ip_auth.h"
31 #include "ip_lookup.h"
32 #include "ip_pool.h"
33 #include "ip_htable.h"
34 #include <net/radix.h>
35 #include <sys/neti.h>
36 #include <sys/hook.h>
37 
/*
 * IPF stack instances
 *
 * One ipf_stack holds all per-instance state of the packet filter:
 * rule tables, counters, locks, registered hooks and the state that
 * each of the other ipf source files keeps (the sections below are
 * labelled with the owning file).  Instances are chained through
 * ifs_next/ifs_pnext and carry the netid and zone they belong to.
 */
struct ipf_stack {
	struct ipf_stack	*ifs_next;
	/* presumably the address of the pointer that refers to this entry */
	struct ipf_stack	**ifs_pnext;
	netid_t			ifs_netid;
	zoneid_t		ifs_zone;

	/* ipf module */
	/*
	 * NOTE(review): the leading [2] on the tables below is presumably
	 * inbound/outbound and the trailing [2] the active/inactive rule
	 * set selected through ifs_fr_active -- confirm against ip_fil.c.
	 */
	fr_info_t		ifs_frcache[2][8];

	filterstats_t		ifs_frstats[2];
	frentry_t		*ifs_ipfilter[2][2];
	frentry_t		*ifs_ipfilter6[2][2];
	frentry_t		*ifs_ipacct6[2][2];
	frentry_t		*ifs_ipacct[2][2];
#if 0 /* not used */
	frentry_t		*ifs_ipnatrules[2][2];
#endif
	frgroup_t		*ifs_ipfgroups[IPL_LOGSIZE][2];
	int			ifs_fr_refcnt;
	/*
	 * For fr_running:
	 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
	 */
	int			ifs_fr_running;
	int			ifs_fr_flags;
	int			ifs_fr_active;
	int			ifs_fr_control_forwarding;
	int			ifs_fr_update_ipid;
#if 0
	ushort_t		ifs_fr_ip_id;
#endif
	int			ifs_fr_chksrc;
	int			ifs_fr_minttl;
	int			ifs_fr_icmpminfragmtu;
	int			ifs_fr_pass;
	ulong_t			ifs_fr_frouteok[2];
	ulong_t			ifs_fr_userifqs;
	ulong_t			ifs_fr_badcoalesces[2];
	/*
	 * NOTE(review): by its name this is secret key material for
	 * initial sequence number generation -- confirm where it is
	 * filled in.  If so it must be seeded from the kernel's CSPRNG,
	 * never be readable through an ioctl or kstat, and be cleared
	 * when the instance is torn down.
	 */
	uchar_t			ifs_ipf_iss_secret[32];
	timeout_id_t		ifs_fr_timer_id;
#if 0
	timeout_id_t		ifs_synctimeoutid;
#endif
	int			ifs_ipf_locks_done;

	ipftoken_t 		*ifs_ipftokenhead;
	ipftoken_t 		**ifs_ipftokentail;

	/*
	 * Per-instance locks and condition variables.
	 * NOTE(review): the acquisition order among these is not
	 * documented in this header; check the owning sources before
	 * holding more than one of them at a time.
	 */
	ipfmutex_t	ifs_ipl_mutex;
	ipfmutex_t	ifs_ipf_authmx;
	ipfmutex_t	ifs_ipf_rw;
	ipfmutex_t	ifs_ipf_timeoutlock;
	ipfrwlock_t	ifs_ipf_mutex;
	ipfrwlock_t	ifs_ipf_global;
	ipfrwlock_t	ifs_ipf_frcache;
	ipfrwlock_t	ifs_ip_poolrw;
	ipfrwlock_t	ifs_ipf_frag;
	ipfrwlock_t	ifs_ipf_state;
	ipfrwlock_t	ifs_ipf_nat;
	ipfrwlock_t	ifs_ipf_natfrag;
	ipfmutex_t	ifs_ipf_nat_new;
	ipfmutex_t	ifs_ipf_natio;
	ipfrwlock_t	ifs_ipf_auth;
	ipfmutex_t	ifs_ipf_stinsert;
	ipfrwlock_t	ifs_ipf_ipidfrag;
	ipfrwlock_t	ifs_ipf_tokens;
	kcondvar_t	ifs_iplwait;
	kcondvar_t	ifs_ipfauthwait;

	/* per-instance copies of the tuneable table (see ip_fil.h) */
	ipftuneable_t	*ifs_ipf_tuneables;
	ipftuneable_t	*ifs_ipf_tunelist;

	/* ip_fil_solaris.c */
	/* hooks registered with the netinfo framework (sys/hook.h) */
	hook_t		*ifs_ipfhook4_in;
	hook_t		*ifs_ipfhook4_out;
	hook_t		*ifs_ipfhook4_loop_in;
	hook_t		*ifs_ipfhook4_loop_out;
	hook_t		*ifs_ipfhook4_nicevents;
	hook_t		*ifs_ipfhook6_in;
	hook_t		*ifs_ipfhook6_out;
	hook_t		*ifs_ipfhook6_loop_in;
	hook_t		*ifs_ipfhook6_loop_out;
	hook_t		*ifs_ipfhook6_nicevents;

	/* flags to indicate whether hooks are registered. */
	boolean_t	ifs_hook4_physical_in;
	boolean_t	ifs_hook4_physical_out;
	boolean_t	ifs_hook4_nic_events;
	boolean_t	ifs_hook4_loopback_in;
	boolean_t	ifs_hook4_loopback_out;
	boolean_t	ifs_hook6_physical_in;
	boolean_t	ifs_hook6_physical_out;
	boolean_t	ifs_hook6_nic_events;
	boolean_t	ifs_hook6_loopback_in;
	boolean_t	ifs_hook6_loopback_out;

	int		ifs_ipf_loopback;
	net_handle_t	ifs_ipf_ipv4;
	net_handle_t	ifs_ipf_ipv6;

	/* ip_auth.c */
	/*
	 * Packet authentication queue.  NOTE(review): ifs_fr_auth and
	 * ifs_fr_authpkts look like parallel ring buffers indexed by
	 * ifs_fr_authstart/end/next and sized by ifs_fr_authsize --
	 * confirm the bounds checks live in ip_auth.c.
	 */
	int			ifs_fr_authsize;
	int			ifs_fr_authused;
	int			ifs_fr_defaultauthage;
	int			ifs_fr_auth_lock;
	int			ifs_fr_auth_init;
	fr_authstat_t		ifs_fr_authstats;
	frauth_t		*ifs_fr_auth;
	mb_t			**ifs_fr_authpkts;
	int			ifs_fr_authstart;
	int			ifs_fr_authend;
	int			ifs_fr_authnext;
	frauthent_t		*ifs_fae_list;
	frentry_t		*ifs_ipauth;
	frentry_t		*ifs_fr_authlist;

	/* ip_frag.c */
	/* fragment cache: list, tail pointer and hash table per use */
	ipfr_t			*ifs_ipfr_list;
	ipfr_t			**ifs_ipfr_tail;
	ipfr_t			**ifs_ipfr_heads;

	ipfr_t			*ifs_ipfr_natlist;
	ipfr_t			**ifs_ipfr_nattail;
	ipfr_t			**ifs_ipfr_nattab;

	ipfr_t  		*ifs_ipfr_ipidlist;
	ipfr_t  		**ifs_ipfr_ipidtail;
	ipfr_t			**ifs_ipfr_ipidtab;

	ipfrstat_t		ifs_ipfr_stats;
	int			ifs_ipfr_inuse;
	int			ifs_ipfr_size;

	int			ifs_fr_ipfrttl;
	int			ifs_fr_frag_lock;
	int			ifs_fr_frag_init;
	ulong_t			ifs_fr_ticks;

	frentry_t		ifs_frblock;

	/* ip_htable.c */
	iphtable_t		*ifs_ipf_htables[IPL_LOGSIZE];
	ulong_t			ifs_ipht_nomem[IPL_LOGSIZE];
	ulong_t			ifs_ipf_nhtables[IPL_LOGSIZE];
	ulong_t			ifs_ipf_nhtnodes[IPL_LOGSIZE];

	/* ip_log.c */
	/* one log buffer chain and its counters per log device (IPL_LOGSIZE) */
	iplog_t			**ifs_iplh[IPL_LOGSIZE];
	iplog_t			*ifs_iplt[IPL_LOGSIZE];
	iplog_t			*ifs_ipll[IPL_LOGSIZE];
	int			ifs_iplused[IPL_LOGSIZE];
	fr_info_t		ifs_iplcrc[IPL_LOGSIZE];
	int			ifs_ipl_suppress;
	int			ifs_ipl_buffer_sz;
	int			ifs_ipl_logmax;
	int			ifs_ipl_logall;
	int			ifs_ipl_log_init;
	int			ifs_ipl_logsize;

	/* ip_lookup.c */
	ip_pool_stat_t		ifs_ippoolstat;
	int			ifs_ip_lookup_inited;

	/* ip_nat.c */
	/* nat_table[0] -> hashed list sorted by inside (ip, port) */
	/* nat_table[1] -> hashed list sorted by outside (ip, port) */
	nat_t			**ifs_nat_table[2];
	nat_t			*ifs_nat_instances;
	ipnat_t			*ifs_nat_list;
	uint_t			ifs_ipf_nattable_sz;
	uint_t			ifs_ipf_nattable_max;
	uint_t			ifs_ipf_natrules_sz;
	uint_t			ifs_ipf_rdrrules_sz;
	uint_t			ifs_ipf_hostmap_sz;
	/*
	 * NOTE(review): presumably per-bucket chain limits that bound
	 * lookup cost when many entries collide -- confirm in ip_nat.c.
	 */
	uint_t			ifs_fr_nat_maxbucket;
	uint_t			ifs_fr_nat_maxbucket_reset;
	uint32_t		ifs_nat_masks;
	uint32_t		ifs_rdr_masks;
	uint32_t		ifs_nat6_masks[4];
	uint32_t		ifs_rdr6_masks[4];
	ipnat_t			**ifs_nat_rules;
	ipnat_t			**ifs_rdr_rules;
	hostmap_t		**ifs_maptable;
	hostmap_t		*ifs_ipf_hm_maplist;

	/* NAT entry timeout queues, one per TCP state plus UDP/ICMP/IP */
	ipftq_t			ifs_nat_tqb[IPF_TCP_NSTATES];
	ipftq_t			ifs_nat_udptq;
	ipftq_t			ifs_nat_icmptq;
	ipftq_t			ifs_nat_iptq;
	ipftq_t			*ifs_nat_utqe;
	int			ifs_nat_logging;
	ulong_t			ifs_fr_defnatage;
	ulong_t			ifs_fr_defnatipage;
	ulong_t			ifs_fr_defnaticmpage;
	natstat_t		ifs_nat_stats;
	int			ifs_fr_nat_lock;
	int			ifs_fr_nat_init;
	/* table-pressure flush thresholds and bookkeeping -- presumably */
	uint_t			ifs_nat_flush_level_hi;
	uint_t			ifs_nat_flush_level_lo;
	ulong_t			ifs_nat_last_force_flush;
	int			ifs_nat_doflush;

	/* ip_pool.c */
	ip_pool_stat_t		ifs_ipoolstat;
	ip_pool_t		*ifs_ip_pool_list[IPL_LOGSIZE];

	/* ip_proxy.c */
	ap_session_t		*ifs_ap_sess_list;
	aproxy_t		*ifs_ap_proxylist;
	aproxy_t		*ifs_ap_proxies; /* copy of lcl_ap_proxies */

	/* ip_state.c */
	ipstate_t		**ifs_ips_table;
	/*
	 * NOTE(review): presumably the hash seed for ifs_ips_table --
	 * confirm; if so it should be unpredictable per instance so the
	 * bucket layout cannot be steered from the wire.
	 */
	ulong_t			*ifs_ips_seed;
	int			ifs_ips_num;
	ulong_t			ifs_ips_last_force_flush;
	uint_t			ifs_state_flush_level_hi;
	uint_t			ifs_state_flush_level_lo;
	ips_stat_t		ifs_ips_stats;

	/* state expiry timeouts per protocol/phase (units not visible here) */
	ulong_t			ifs_fr_tcpidletimeout;
	ulong_t			ifs_fr_tcpclosewait;
	ulong_t			ifs_fr_tcplastack;
	ulong_t			ifs_fr_tcptimeout;
	ulong_t			ifs_fr_tcpclosed;
	ulong_t			ifs_fr_tcphalfclosed;
	ulong_t			ifs_fr_udptimeout;
	ulong_t			ifs_fr_udpacktimeout;
	ulong_t			ifs_fr_icmptimeout;
	ulong_t			ifs_fr_icmpacktimeout;
	int			ifs_fr_statemax;
	int			ifs_fr_statesize;
	int			ifs_fr_state_doflush;
	int			ifs_fr_state_lock;
	int			ifs_fr_state_maxbucket;
	int			ifs_fr_state_maxbucket_reset;
	int			ifs_fr_state_init;
	int			ifs_fr_enable_active;
	/* state entry timeout queues, mirroring the NAT ones above */
	ipftq_t			ifs_ips_tqtqb[IPF_TCP_NSTATES];
	ipftq_t			ifs_ips_udptq;
	ipftq_t			ifs_ips_udpacktq;
	ipftq_t			ifs_ips_iptq;
	ipftq_t			ifs_ips_icmptq;
	ipftq_t			ifs_ips_icmpacktq;
	ipftq_t			ifs_ips_deletetq;
	ipftq_t			*ifs_ips_utqe;
	int			ifs_ipstate_logging;
	ipstate_t		*ifs_ips_list;
	ulong_t			ifs_fr_iptimeout;

	/* radix.c */
	/* per-instance copies of what radix.c otherwise keeps as globals */
	int			ifs_max_keylen;
	struct radix_mask	*ifs_rn_mkfreelist;
	struct radix_node_head	*ifs_mask_rnhead;
	char			*ifs_addmask_key;
	char			*ifs_rn_zeros;
	char			*ifs_rn_ones;
#ifdef KERNEL
	/* kstats for inbound and outbound */
	kstat_t			*ifs_kstatp[2];
#endif
};
303 
304 #endif	/* __IPF_STACK_H__ */