1 /*
2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
7 * Use is subject to license terms.
8 *
9 * Copyright 2019, Joyent, Inc.
10 */
11
12 #ifndef __IPF_STACK_H__
13 #define __IPF_STACK_H__
14
15 /* FIXME: appears needed for ip_proxy.h - tcpseq */
16 #include <net/route.h>
17 #include <netinet/in.h>
18 #include <netinet/in_systm.h>
19 #include <netinet/ip.h>
20 #include <netinet/ip_var.h>
21 #include <netinet/tcp.h>
22 #include <netinet/udp.h>
23 #include <netinet/ip_icmp.h>
24 #include <netinet/tcpip.h>
25
26 #include "ip_compat.h"
27 #include "ip_fil.h"
28 #include "ip_nat.h"
29 #include "ip_frag.h"
30 #include "ip_state.h"
31 #include "ip_proxy.h"
32 #include "ip_auth.h"
33 #include "ip_lookup.h"
34 #include "ip_pool.h"
35 #include "ip_htable.h"
36 #include <net/radix.h>
37 #include <sys/neti.h>
38 #include <sys/hook.h>
39
40 /*
41 * IPF stack instances
42 */
43 struct ipf_stack {
44 struct ipf_stack *ifs_next;
45 struct ipf_stack **ifs_pnext;
46 struct ipf_stack *ifs_gz_cont_ifs;
47 netid_t ifs_netid;
48 zoneid_t ifs_zone;
49 zoneid_t ifs_zone_did;
50 boolean_t ifs_gz_controlled;
51
52 /* ipf module */
53 fr_info_t ifs_frcache[2][8];
54
55 filterstats_t ifs_frstats[2];
56 frentry_t *ifs_ipfilter[2][2];
57 frentry_t *ifs_ipfilter6[2][2];
58 frentry_t *ifs_ipacct6[2][2];
59 frentry_t *ifs_ipacct[2][2];
60 #if 0 /* not used */
61 frentry_t *ifs_ipnatrules[2][2];
62 #endif
63 frgroup_t *ifs_ipfgroups[IPL_LOGSIZE][2];
64 int ifs_fr_refcnt;
65 /*
66 * For fr_running:
67 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
68 */
69 int ifs_fr_running;
70 int ifs_fr_flags;
71 int ifs_fr_active;
72 int ifs_fr_control_forwarding;
73 int ifs_fr_update_ipid;
74 #if 0
75 ushort_t ifs_fr_ip_id;
76 #endif
77 int ifs_fr_chksrc;
78 int ifs_fr_minttl;
79 int ifs_fr_icmpminfragmtu;
80 int ifs_fr_pass;
81 ulong_t ifs_fr_frouteok[2];
82 ulong_t ifs_fr_userifqs;
83 ulong_t ifs_fr_badcoalesces[2];
84 uchar_t ifs_ipf_iss_secret[32];
85 timeout_id_t ifs_fr_timer_id;
86 #if 0
87 timeout_id_t ifs_synctimeoutid;
88 #endif
89 int ifs_ipf_locks_done;
90
91 ipftoken_t *ifs_ipftokenhead;
92 ipftoken_t **ifs_ipftokentail;
93
94 ipfmutex_t ifs_ipl_mutex;
95 ipfmutex_t ifs_ipf_authmx;
96 ipfmutex_t ifs_ipf_rw;
97 ipfmutex_t ifs_ipf_timeoutlock;
98 ipfrwlock_t ifs_ipf_mutex;
99 ipfrwlock_t ifs_ipf_global;
100 ipfrwlock_t ifs_ipf_frcache;
101 ipfrwlock_t ifs_ip_poolrw;
102 ipfrwlock_t ifs_ipf_frag;
103 ipfrwlock_t ifs_ipf_state;
104 ipfrwlock_t ifs_ipf_nat;
105 ipfrwlock_t ifs_ipf_natfrag;
106 ipfmutex_t ifs_ipf_nat_new;
107 ipfmutex_t ifs_ipf_natio;
108 ipfrwlock_t ifs_ipf_auth;
109 ipfmutex_t ifs_ipf_stinsert;
110 ipfrwlock_t ifs_ipf_ipidfrag;
111 ipfrwlock_t ifs_ipf_tokens;
112 kcondvar_t ifs_iplwait;
113 kcondvar_t ifs_ipfauthwait;
114
115 ipftuneable_t *ifs_ipf_tuneables;
116 ipftuneable_t *ifs_ipf_tunelist;
117
118 /* ip_fil_solaris.c */
119 hook_t *ifs_ipfhook4_in;
120 hook_t *ifs_ipfhook4_out;
121 hook_t *ifs_ipfhook4_loop_in;
122 hook_t *ifs_ipfhook4_loop_out;
123 hook_t *ifs_ipfhook4_nicevents;
124 hook_t *ifs_ipfhook6_in;
125 hook_t *ifs_ipfhook6_out;
126 hook_t *ifs_ipfhook6_loop_in;
127 hook_t *ifs_ipfhook6_loop_out;
128 hook_t *ifs_ipfhook6_nicevents;
129
130 hook_t *ifs_ipfhookvndl3v4_in;
131 hook_t *ifs_ipfhookvndl3v6_in;
132 hook_t *ifs_ipfhookvndl3v4_out;
133 hook_t *ifs_ipfhookvndl3v6_out;
134
135 hook_t *ifs_ipfhookviona_in;
136 hook_t *ifs_ipfhookviona_out;
137
138 /* flags to indicate whether hooks are registered. */
139 boolean_t ifs_hook4_physical_in;
140 boolean_t ifs_hook4_physical_out;
141 boolean_t ifs_hook4_nic_events;
142 boolean_t ifs_hook4_loopback_in;
143 boolean_t ifs_hook4_loopback_out;
144 boolean_t ifs_hook6_physical_in;
145 boolean_t ifs_hook6_physical_out;
146 boolean_t ifs_hook6_nic_events;
147 boolean_t ifs_hook6_loopback_in;
148 boolean_t ifs_hook6_loopback_out;
149 boolean_t ifs_hookvndl3v4_physical_in;
150 boolean_t ifs_hookvndl3v6_physical_in;
151 boolean_t ifs_hookvndl3v4_physical_out;
152 boolean_t ifs_hookvndl3v6_physical_out;
153 boolean_t ifs_hookviona_physical_in;
154 boolean_t ifs_hookviona_physical_out;
155
156 int ifs_ipf_loopback;
157 net_handle_t ifs_ipf_ipv4;
158 net_handle_t ifs_ipf_ipv6;
159 net_handle_t ifs_ipf_vndl3v4;
160 net_handle_t ifs_ipf_vndl3v6;
161 net_handle_t ifs_ipf_viona;
162
163 /* ip_auth.c */
164 int ifs_fr_authsize;
165 int ifs_fr_authused;
166 int ifs_fr_defaultauthage;
167 int ifs_fr_auth_lock;
168 int ifs_fr_auth_init;
169 fr_authstat_t ifs_fr_authstats;
170 frauth_t *ifs_fr_auth;
171 mb_t **ifs_fr_authpkts;
172 int ifs_fr_authstart;
173 int ifs_fr_authend;
174 int ifs_fr_authnext;
175 frauthent_t *ifs_fae_list;
176 frentry_t *ifs_ipauth;
177 frentry_t *ifs_fr_authlist;
178
179 /* ip_frag.c */
180 ipfr_t *ifs_ipfr_list;
181 ipfr_t **ifs_ipfr_tail;
182 ipfr_t **ifs_ipfr_heads;
183
184 ipfr_t *ifs_ipfr_natlist;
185 ipfr_t **ifs_ipfr_nattail;
186 ipfr_t **ifs_ipfr_nattab;
187
188 ipfr_t *ifs_ipfr_ipidlist;
189 ipfr_t **ifs_ipfr_ipidtail;
190 ipfr_t **ifs_ipfr_ipidtab;
191
192 ipfrstat_t ifs_ipfr_stats;
193 int ifs_ipfr_inuse;
194 int ifs_ipfr_size;
195
196 int ifs_fr_ipfrttl;
197 int ifs_fr_frag_lock;
198 int ifs_fr_frag_init;
199 ulong_t ifs_fr_ticks;
200
201 frentry_t ifs_frblock;
202
203 /* ip_htable.c */
204 iphtable_t *ifs_ipf_htables[IPL_LOGSIZE];
205 ulong_t ifs_ipht_nomem[IPL_LOGSIZE];
206 ulong_t ifs_ipf_nhtables[IPL_LOGSIZE];
207 ulong_t ifs_ipf_nhtnodes[IPL_LOGSIZE];
208
209 /* ip_log.c */
210 iplog_t **ifs_iplh[IPL_LOGSIZE];
211 iplog_t *ifs_iplt[IPL_LOGSIZE];
212 iplog_t *ifs_ipll[IPL_LOGSIZE];
213 int ifs_iplused[IPL_LOGSIZE];
214 fr_info_t ifs_iplcrc[IPL_LOGSIZE];
215 int ifs_ipl_suppress;
216 int ifs_ipl_buffer_sz;
217 int ifs_ipl_logmax;
218 int ifs_ipl_logall;
219 int ifs_ipl_log_init;
220 int ifs_ipl_logsize;
221
222 /* ip_lookup.c */
223 ip_pool_stat_t ifs_ippoolstat;
224 int ifs_ip_lookup_inited;
225
226 /* ip_nat.c */
227 /* nat_table[0] -> hashed list sorted by inside (ip, port) */
228 /* nat_table[1] -> hashed list sorted by outside (ip, port) */
229 nat_t **ifs_nat_table[2];
230 nat_t *ifs_nat_instances;
231 ipnat_t *ifs_nat_list;
232 uint_t ifs_ipf_nattable_sz;
233 uint_t ifs_ipf_nattable_max;
234 uint_t ifs_ipf_natrules_sz;
235 uint_t ifs_ipf_rdrrules_sz;
236 uint_t ifs_ipf_hostmap_sz;
237 uint_t ifs_fr_nat_maxbucket;
238 uint_t ifs_fr_nat_maxbucket_reset;
239 uint32_t ifs_nat_masks;
240 uint32_t ifs_rdr_masks;
241 uint32_t ifs_nat6_masks[4];
242 uint32_t ifs_rdr6_masks[4];
243 ipnat_t **ifs_nat_rules;
244 ipnat_t **ifs_rdr_rules;
245 hostmap_t **ifs_maptable;
246 hostmap_t *ifs_ipf_hm_maplist;
247
248 ipftq_t ifs_nat_tqb[IPF_TCP_NSTATES];
249 ipftq_t ifs_nat_udptq;
250 ipftq_t ifs_nat_icmptq;
251 ipftq_t ifs_nat_iptq;
252 ipftq_t *ifs_nat_utqe;
253 int ifs_nat_logging;
254 ulong_t ifs_fr_defnatage;
255 ulong_t ifs_fr_defnatipage;
256 ulong_t ifs_fr_defnaticmpage;
257 natstat_t ifs_nat_stats;
258 int ifs_fr_nat_lock;
259 int ifs_fr_nat_init;
260 uint_t ifs_nat_flush_level_hi;
261 uint_t ifs_nat_flush_level_lo;
262 ulong_t ifs_nat_last_force_flush;
263 int ifs_nat_doflush;
264
265 /* ip_pool.c */
266 ip_pool_stat_t ifs_ipoolstat;
267 ip_pool_t *ifs_ip_pool_list[IPL_LOGSIZE];
268
269 /* ip_proxy.c */
270 ap_session_t *ifs_ap_sess_list;
271 aproxy_t *ifs_ap_proxylist;
272 aproxy_t *ifs_ap_proxies; /* copy of lcl_ap_proxies */
273
274 /* ip_state.c */
275 ipstate_t **ifs_ips_table;
276 ulong_t *ifs_ips_seed;
277 int ifs_ips_num;
278 ulong_t ifs_ips_last_force_flush;
279 uint_t ifs_state_flush_level_hi;
280 uint_t ifs_state_flush_level_lo;
281 ips_stat_t ifs_ips_stats;
282
283 ulong_t ifs_fr_tcpidletimeout;
284 ulong_t ifs_fr_tcpclosewait;
285 ulong_t ifs_fr_tcplastack;
286 ulong_t ifs_fr_tcptimeout;
287 ulong_t ifs_fr_tcpclosed;
288 ulong_t ifs_fr_tcphalfclosed;
289 ulong_t ifs_fr_udptimeout;
290 ulong_t ifs_fr_udpacktimeout;
291 ulong_t ifs_fr_icmptimeout;
292 ulong_t ifs_fr_icmpacktimeout;
293 int ifs_fr_statemax;
294 int ifs_fr_statesize;
295 int ifs_fr_state_doflush;
296 int ifs_fr_state_lock;
297 int ifs_fr_state_maxbucket;
298 int ifs_fr_state_maxbucket_reset;
299 int ifs_fr_state_init;
300 int ifs_fr_enable_active;
301 ipftq_t ifs_ips_tqtqb[IPF_TCP_NSTATES];
302 ipftq_t ifs_ips_udptq;
303 ipftq_t ifs_ips_udpacktq;
304 ipftq_t ifs_ips_iptq;
305 ipftq_t ifs_ips_icmptq;
306 ipftq_t ifs_ips_icmpacktq;
307 ipftq_t ifs_ips_deletetq;
308 ipftq_t *ifs_ips_utqe;
309 int ifs_ipstate_logging;
310 ipstate_t *ifs_ips_list;
311 ulong_t ifs_fr_iptimeout;
312
313 /* radix.c */
314 int ifs_max_keylen;
315 struct radix_mask *ifs_rn_mkfreelist;
316 struct radix_node_head *ifs_mask_rnhead;
317 char *ifs_addmask_key;
318 char *ifs_rn_zeros;
319 char *ifs_rn_ones;
320
321 #ifdef KERNEL
322 /* kstats for inbound and outbound */
323 kstat_t *ifs_kstatp[2];
324 #endif
325 };
326
327 #endif /* __IPF_STACK_H__ */