1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25  */
26 
27 #ifndef	_INET_IPSECESP_H
28 #define	_INET_IPSECESP_H
29 
30 #include <inet/ip.h>
31 #include <inet/ipdrop.h>
32 
33 #ifdef	__cplusplus
34 extern "C" {
35 #endif
36 
37 #ifdef _KERNEL
38 
39 /* Named Dispatch Parameter Management Structure */
/*
 * One ESP tunable as exposed through Named Dispatch (ndd).  An array of
 * these hangs off ipsecesp_stack_t::ipsecesp_params and is indexed
 * positionally by the ipsecesp_* accessor macros in this header; updates
 * are serialized by ipsecesp_param_lock.
 *
 * NOTE(review): presumably the ND set path rejects or clamps values outside
 * [ipsecesp_param_min, ipsecesp_param_max] -- confirm in ipsecesp.c before
 * relying on the bounds as a security control.
 */
typedef struct ipsecespparam_s {
	uint_t	ipsecesp_param_min;	/* lower bound of the accepted range */
	uint_t	ipsecesp_param_max;	/* upper bound of the accepted range */
	uint_t	ipsecesp_param_value;	/* current setting */
	char	*ipsecesp_param_name;	/* name visible via ndd */
} ipsecespparam_t;
46 
47 /*
48  * Stats.  This may eventually become a full-blown SNMP MIB once that spec
49  * stabilizes.
50  */
51 
/*
 * Per-stack ESP statistics.  Every member is a kstat_named_t so the whole
 * struct can be overlaid on the kstat's ks_data (see esp_kstats in
 * ipsecesp_stack_t); counters are bumped through .value.ui64 by
 * ESP_BUMP_STAT()/ESP_DEBUMP_STAT().
 *
 * NOTE(review): the member order presumably must match the order in which
 * the kstats are named/initialized in ipsecesp.c (not visible here) --
 * confirm before adding or reordering members.  The meanings below are
 * inferred from the counter names; the authoritative bump sites are in
 * ipsecesp.c.  bad_auth, bad_padding, bad_decrypt and the two replay
 * counters are the ones worth alerting on: a rising rate usually means
 * corrupted, forged or replayed traffic reaching this stack.
 */
typedef struct esp_kstats_s {
	kstat_named_t esp_stat_num_aalgs;	/* authentication algs registered */
	kstat_named_t esp_stat_good_auth;	/* inbound ICV checks that passed */
	kstat_named_t esp_stat_bad_auth;	/* inbound ICV checks that failed */
	kstat_named_t esp_stat_bad_padding;	/* inbound pad-byte checks that failed */
	kstat_named_t esp_stat_replay_failures;	/* rejected by anti-replay window */
	kstat_named_t esp_stat_replay_early_failures; /* replay rejects at the early check */
	kstat_named_t esp_stat_keysock_in;	/* PF_KEY messages received from keysock */
	kstat_named_t esp_stat_out_requests;	/* outbound ESP processing requests */
	kstat_named_t esp_stat_acquire_requests; /* SADB ACQUIREs sent to key mgmt */
	kstat_named_t esp_stat_bytes_expired;	/* SAs expired on byte lifetime */
	kstat_named_t esp_stat_out_discards;	/* outbound packets discarded */
	kstat_named_t esp_stat_crypto_sync;	/* crypto ops completed synchronously */
	kstat_named_t esp_stat_crypto_async;	/* crypto ops completed asynchronously */
	kstat_named_t esp_stat_crypto_failures;	/* crypto framework failures */
	kstat_named_t esp_stat_num_ealgs;	/* encryption algs registered */
	kstat_named_t esp_stat_bad_decrypt;	/* inbound decryptions that failed */
	kstat_named_t esp_stat_sa_port_renumbers; /* NAT-T port changes on an SA */
} esp_kstats_t;
71 
72 /*
73  * espstack->esp_kstats is equal to espstack->esp_ksp->ks_data if
74  * kstat_create_netstack for espstack->esp_ksp succeeds, but when it
75  * fails, it will be NULL. Note this is done for all stack instances,
76  * so it *could* fail. hence a non-NULL checking is done for
77  * ESP_BUMP_STAT and ESP_DEBUMP_STAT
78  */
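/*
 * Increment the 64-bit ESP counter esp_stat_<x> of stack instance
 * `espstack`.  A NULL esp_kstats (kstat creation failed for this
 * instance) turns this into a no-op instead of a NULL dereference.
 * `espstack` is parenthesized so any pointer expression binds as a
 * whole; it is still evaluated twice, so pass a side-effect-free lvalue.
 */
#define	ESP_BUMP_STAT(espstack, x)					\
do {									\
	if ((espstack)->esp_kstats != NULL)				\
		((espstack)->esp_kstats->esp_stat_ ## x).value.ui64++;	\
_NOTE(CONSTCOND)							\
} while (0)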
85 
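/*
 * Decrement the 64-bit ESP counter esp_stat_<x> of stack instance
 * `espstack`; no-op when esp_kstats is NULL (kstat creation failed).
 * `espstack` is parenthesized so any pointer expression binds as a
 * whole; it is still evaluated twice, so pass a side-effect-free lvalue.
 * The counter is unsigned: decrementing below zero wraps, so callers
 * must pair every DEBUMP with an earlier BUMP.
 */
#define	ESP_DEBUMP_STAT(espstack, x)					\
do {									\
	if ((espstack)->esp_kstats != NULL)				\
		((espstack)->esp_kstats->esp_stat_ ## x).value.ui64--;	\
_NOTE(CONSTCOND)							\
} while (0)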
92 
93 /*
94  * IPSECESP stack instances
95  */
/*
 * Per-netstack state of the ESP module.  There is one of these per
 * netstack instance, so tunables, statistics, the keysock binding and the
 * SA database are all kept separate between stack instances.
 */
struct ipsecesp_stack {
	netstack_t		*ipsecesp_netstack;	/* Common netstack */

	/*
	 * Named Dispatch handle and the tunable table it publishes.  The
	 * table is accessed through the positional ipsecesp_* macros in
	 * this header; take ipsecesp_param_lock when changing an entry.
	 */
	caddr_t			ipsecesp_g_nd;
	struct ipsecespparam_s	*ipsecesp_params;
	kmutex_t		ipsecesp_param_lock;	/* Protects params */

	/* Packet dropper for ESP drops. */
	ipdropper_t		esp_dropper;

	/*
	 * Statistics.  esp_kstats overlays esp_ksp->ks_data and is NULL
	 * if kstat creation failed for this instance; always go through
	 * ESP_BUMP_STAT()/ESP_DEBUMP_STAT(), which handle that case.
	 */
	kstat_t			*esp_ksp;
	struct esp_kstats_s	*esp_kstats;

	/*
	 * Keysock instance of ESP.  There can be only one per stack instance.
	 * Use atomic_cas_ptr() on this because I don't set it until
	 * KEYSOCK_HELLO comes down.
	 * Paired up with the esp_pfkey_q is the esp_event, which will age SAs.
	 */
	queue_t			*esp_pfkey_q;
	timeout_id_t		esp_event;	/* periodic SA-aging timeout */

	/* ESP's security association database for this stack instance. */
	sadbp_t			esp_sadb;
};
typedef struct ipsecesp_stack ipsecesp_stack_t;
121 
/*
 * Accessors for the ESP tunables, meant to be used as
 * espstack->ipsecesp_debug and so on.  Each expands to a field of the
 * ipsecesp_params[] array, so the indices are positional and MUST match
 * the order of the parameter table defined in ipsecesp.c (not visible
 * here); adding or reordering entries there without updating this list
 * silently reads the wrong tunable.  Note that ipsecesp_age_int_max
 * reads a param_max field, all others read param_value.  The comments
 * below are inferred from the names; confirm against the table.
 */
#define	ipsecesp_debug	ipsecesp_params[0].ipsecesp_param_value
/* SA aging interval and its configured upper bound. */
#define	ipsecesp_age_interval ipsecesp_params[1].ipsecesp_param_value
#define	ipsecesp_age_int_max	ipsecesp_params[1].ipsecesp_param_max
#define	ipsecesp_reap_delay	ipsecesp_params[2].ipsecesp_param_value
/* Anti-replay window size; smaller windows drop more reordered packets. */
#define	ipsecesp_replay_size	ipsecesp_params[3].ipsecesp_param_value
#define	ipsecesp_acquire_timeout	\
	ipsecesp_params[4].ipsecesp_param_value
#define	ipsecesp_larval_timeout	\
	ipsecesp_params[5].ipsecesp_param_value
/* Default soft/hard SA lifetimes (bytes, time since add, time since use). */
#define	ipsecesp_default_soft_bytes	\
	ipsecesp_params[6].ipsecesp_param_value
#define	ipsecesp_default_hard_bytes	\
	ipsecesp_params[7].ipsecesp_param_value
#define	ipsecesp_default_soft_addtime	\
	ipsecesp_params[8].ipsecesp_param_value
#define	ipsecesp_default_hard_addtime	\
	ipsecesp_params[9].ipsecesp_param_value
#define	ipsecesp_default_soft_usetime	\
	ipsecesp_params[10].ipsecesp_param_value
#define	ipsecesp_default_hard_usetime	\
	ipsecesp_params[11].ipsecesp_param_value
/* Whether to log inbound packets whose SPI matches no SA. */
#define	ipsecesp_log_unknown_spi	\
	ipsecesp_params[12].ipsecesp_param_value
/*
 * Whether inbound pad bytes are verified (see esp_stat_bad_padding);
 * disabling this weakens detection of tampered or misdecrypted packets.
 */
#define	ipsecesp_padding_check	\
	ipsecesp_params[13].ipsecesp_param_value
/* NAT-Traversal keepalive interval. */
#define	ipsecesp_nat_keepalive_interval	\
	ipsecesp_params[14].ipsecesp_param_value
149 
150 #endif	/* _KERNEL */
151 
152 /*
153  * For now, only provide "aligned" version of header.
154  * If aligned version is needed, we'll go with the naming conventions then.
155  */
156 
/*
 * Fixed part of the ESP header as carried on the wire (RFC 4303): the
 * Security Parameters Index that selects the inbound SA, followed by the
 * sequence number that the anti-replay check consumes.  Both are 32 bits;
 * presumably kept in network byte order like the rest of the IP headers
 * -- confirm at the parse/build sites.  The payload, padding, pad length,
 * next-header byte and ICV follow this struct and are not represented here.
 */
typedef struct esph {
	uint32_t esph_spi;	/* Security Parameters Index */
	uint32_t esph_replay;	/* anti-replay sequence number */
} esph_t;
161 
/* No need for an "old" (SPI-only) ESP header type; just point a uint32_t * at it. */
163 
164 #ifdef	__cplusplus
165 }
166 #endif
167 
168 #endif /* _INET_IPSECESP_H */
169