OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
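--- a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
@@ -1,38 +1,38 @@
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
  * Use is subject to license terms.
  *
- * Copyright 2018 Joyent, Inc. All rights reserved.
+ * Copyright 2019, Joyent, Inc.
  */
 
 #ifndef __IPF_STACK_H__
 #define __IPF_STACK_H__
 
 /* FIXME: appears needed for ip_proxy.h - tcpseq */
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/tcpip.h>
 
 #include "ip_compat.h"
 #include "ip_fil.h"
 #include "ip_nat.h"
 #include "ip_frag.h"
 #include "ip_state.h"
 #include "ip_proxy.h"
 #include "ip_auth.h"
 #include "ip_lookup.h"
 #include "ip_pool.h"
 #include "ip_htable.h"
 #include <net/radix.h>
 #include <sys/neti.h>
 #include <sys/hook.h>
@@ -39,270 +39,271 @@
 
 /*
 * IPF stack instances
 */
 struct ipf_stack {
 struct ipf_stack *ifs_next;
 struct ipf_stack **ifs_pnext;
 struct ipf_stack *ifs_gz_cont_ifs;
 netid_t ifs_netid;
 zoneid_t ifs_zone;
+zoneid_t ifs_zone_did;
 boolean_t ifs_gz_controlled;
 
 /* ipf module */
 fr_info_t ifs_frcache[2][8];
 
 filterstats_t ifs_frstats[2];
 frentry_t *ifs_ipfilter[2][2];
 frentry_t *ifs_ipfilter6[2][2];
 frentry_t *ifs_ipacct6[2][2];
 frentry_t *ifs_ipacct[2][2];
 #if 0 /* not used */
 frentry_t *ifs_ipnatrules[2][2];
 #endif
 frgroup_t *ifs_ipfgroups[IPL_LOGSIZE][2];
 int ifs_fr_refcnt;
 /*
 * For fr_running:
 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
 */
 int ifs_fr_running;
 int ifs_fr_flags;
 int ifs_fr_active;
 int ifs_fr_control_forwarding;
 int ifs_fr_update_ipid;
 #if 0
 ushort_t ifs_fr_ip_id;
 #endif
 int ifs_fr_chksrc;
 int ifs_fr_minttl;
 int ifs_fr_icmpminfragmtu;
 int ifs_fr_pass;
 ulong_t ifs_fr_frouteok[2];
 ulong_t ifs_fr_userifqs;
 ulong_t ifs_fr_badcoalesces[2];
 uchar_t ifs_ipf_iss_secret[32];
 timeout_id_t ifs_fr_timer_id;
 #if 0
 timeout_id_t ifs_synctimeoutid;
 #endif
 int ifs_ipf_locks_done;
 
 ipftoken_t *ifs_ipftokenhead;
 ipftoken_t **ifs_ipftokentail;
 
 ipfmutex_t ifs_ipl_mutex;
 ipfmutex_t ifs_ipf_authmx;
 ipfmutex_t ifs_ipf_rw;
 ipfmutex_t ifs_ipf_timeoutlock;
 ipfrwlock_t ifs_ipf_mutex;
 ipfrwlock_t ifs_ipf_global;
 ipfrwlock_t ifs_ipf_frcache;
 ipfrwlock_t ifs_ip_poolrw;
 ipfrwlock_t ifs_ipf_frag;
 ipfrwlock_t ifs_ipf_state;
 ipfrwlock_t ifs_ipf_nat;
 ipfrwlock_t ifs_ipf_natfrag;
 ipfmutex_t ifs_ipf_nat_new;
 ipfmutex_t ifs_ipf_natio;
 ipfrwlock_t ifs_ipf_auth;
 ipfmutex_t ifs_ipf_stinsert;
 ipfrwlock_t ifs_ipf_ipidfrag;
 ipfrwlock_t ifs_ipf_tokens;
 kcondvar_t ifs_iplwait;
 kcondvar_t ifs_ipfauthwait;
 
 ipftuneable_t *ifs_ipf_tuneables;
 ipftuneable_t *ifs_ipf_tunelist;
 
 /* ip_fil_solaris.c */
 hook_t *ifs_ipfhook4_in;
 hook_t *ifs_ipfhook4_out;
 hook_t *ifs_ipfhook4_loop_in;
 hook_t *ifs_ipfhook4_loop_out;
 hook_t *ifs_ipfhook4_nicevents;
 hook_t *ifs_ipfhook6_in;
 hook_t *ifs_ipfhook6_out;
 hook_t *ifs_ipfhook6_loop_in;
 hook_t *ifs_ipfhook6_loop_out;
 hook_t *ifs_ipfhook6_nicevents;
 
 hook_t *ifs_ipfhookvndl3v4_in;
 hook_t *ifs_ipfhookvndl3v6_in;
 hook_t *ifs_ipfhookvndl3v4_out;
 hook_t *ifs_ipfhookvndl3v6_out;
 
 hook_t *ifs_ipfhookviona_in;
 hook_t *ifs_ipfhookviona_out;
 
 /* flags to indicate whether hooks are registered. */
 boolean_t ifs_hook4_physical_in;
 boolean_t ifs_hook4_physical_out;
 boolean_t ifs_hook4_nic_events;
 boolean_t ifs_hook4_loopback_in;
 boolean_t ifs_hook4_loopback_out;
 boolean_t ifs_hook6_physical_in;
 boolean_t ifs_hook6_physical_out;
 boolean_t ifs_hook6_nic_events;
 boolean_t ifs_hook6_loopback_in;
 boolean_t ifs_hook6_loopback_out;
 boolean_t ifs_hookvndl3v4_physical_in;
 boolean_t ifs_hookvndl3v6_physical_in;
 boolean_t ifs_hookvndl3v4_physical_out;
 boolean_t ifs_hookvndl3v6_physical_out;
 boolean_t ifs_hookviona_physical_in;
 boolean_t ifs_hookviona_physical_out;
 
 int ifs_ipf_loopback;
 net_handle_t ifs_ipf_ipv4;
 net_handle_t ifs_ipf_ipv6;
 net_handle_t ifs_ipf_vndl3v4;
 net_handle_t ifs_ipf_vndl3v6;
 net_handle_t ifs_ipf_viona;
 
 /* ip_auth.c */
 int ifs_fr_authsize;
 int ifs_fr_authused;
 int ifs_fr_defaultauthage;
 int ifs_fr_auth_lock;
 int ifs_fr_auth_init;
 fr_authstat_t ifs_fr_authstats;
 frauth_t *ifs_fr_auth;
 mb_t **ifs_fr_authpkts;
 int ifs_fr_authstart;
 int ifs_fr_authend;
 int ifs_fr_authnext;
 frauthent_t *ifs_fae_list;
 frentry_t *ifs_ipauth;
 frentry_t *ifs_fr_authlist;
 
 /* ip_frag.c */
 ipfr_t *ifs_ipfr_list;
 ipfr_t **ifs_ipfr_tail;
 ipfr_t **ifs_ipfr_heads;
 
 ipfr_t *ifs_ipfr_natlist;
 ipfr_t **ifs_ipfr_nattail;
 ipfr_t **ifs_ipfr_nattab;
 
 ipfr_t *ifs_ipfr_ipidlist;
 ipfr_t **ifs_ipfr_ipidtail;
 ipfr_t **ifs_ipfr_ipidtab;
 
 ipfrstat_t ifs_ipfr_stats;
 int ifs_ipfr_inuse;
 int ifs_ipfr_size;
 
 int ifs_fr_ipfrttl;
 int ifs_fr_frag_lock;
 int ifs_fr_frag_init;
 ulong_t ifs_fr_ticks;
 
 frentry_t ifs_frblock;
 
 /* ip_htable.c */
 iphtable_t *ifs_ipf_htables[IPL_LOGSIZE];
 ulong_t ifs_ipht_nomem[IPL_LOGSIZE];
 ulong_t ifs_ipf_nhtables[IPL_LOGSIZE];
 ulong_t ifs_ipf_nhtnodes[IPL_LOGSIZE];
 
 /* ip_log.c */
 iplog_t **ifs_iplh[IPL_LOGSIZE];
 iplog_t *ifs_iplt[IPL_LOGSIZE];
 iplog_t *ifs_ipll[IPL_LOGSIZE];
 int ifs_iplused[IPL_LOGSIZE];
 fr_info_t ifs_iplcrc[IPL_LOGSIZE];
 int ifs_ipl_suppress;
 int ifs_ipl_buffer_sz;
 int ifs_ipl_logmax;
 int ifs_ipl_logall;
 int ifs_ipl_log_init;
 int ifs_ipl_logsize;
 
 /* ip_lookup.c */
 ip_pool_stat_t ifs_ippoolstat;
 int ifs_ip_lookup_inited;
 
 /* ip_nat.c */
 /* nat_table[0] -> hashed list sorted by inside (ip, port) */
 /* nat_table[1] -> hashed list sorted by outside (ip, port) */
 nat_t **ifs_nat_table[2];
 nat_t *ifs_nat_instances;
 ipnat_t *ifs_nat_list;
 uint_t ifs_ipf_nattable_sz;
 uint_t ifs_ipf_nattable_max;
 uint_t ifs_ipf_natrules_sz;
 uint_t ifs_ipf_rdrrules_sz;
 uint_t ifs_ipf_hostmap_sz;
 uint_t ifs_fr_nat_maxbucket;
 uint_t ifs_fr_nat_maxbucket_reset;
 uint32_t ifs_nat_masks;
 uint32_t ifs_rdr_masks;
 uint32_t ifs_nat6_masks[4];
 uint32_t ifs_rdr6_masks[4];
 ipnat_t **ifs_nat_rules;
 ipnat_t **ifs_rdr_rules;
 hostmap_t **ifs_maptable;
 hostmap_t *ifs_ipf_hm_maplist;
 
 ipftq_t ifs_nat_tqb[IPF_TCP_NSTATES];
 ipftq_t ifs_nat_udptq;
 ipftq_t ifs_nat_icmptq;
 ipftq_t ifs_nat_iptq;
 ipftq_t *ifs_nat_utqe;
 int ifs_nat_logging;
 ulong_t ifs_fr_defnatage;
 ulong_t ifs_fr_defnatipage;
 ulong_t ifs_fr_defnaticmpage;
 natstat_t ifs_nat_stats;
 int ifs_fr_nat_lock;
 int ifs_fr_nat_init;
 uint_t ifs_nat_flush_level_hi;
 uint_t ifs_nat_flush_level_lo;
 ulong_t ifs_nat_last_force_flush;
 int ifs_nat_doflush;
 
 /* ip_pool.c */
 ip_pool_stat_t ifs_ipoolstat;
 ip_pool_t *ifs_ip_pool_list[IPL_LOGSIZE];
 
 /* ip_proxy.c */
 ap_session_t *ifs_ap_sess_list;
 aproxy_t *ifs_ap_proxylist;
 aproxy_t *ifs_ap_proxies; /* copy of lcl_ap_proxies */
 
 /* ip_state.c */
 ipstate_t **ifs_ips_table;
 ulong_t *ifs_ips_seed;
 int ifs_ips_num;
 ulong_t ifs_ips_last_force_flush;
 uint_t ifs_state_flush_level_hi;
 uint_t ifs_state_flush_level_lo;
 ips_stat_t ifs_ips_stats;
 
 ulong_t ifs_fr_tcpidletimeout;
 ulong_t ifs_fr_tcpclosewait;
 ulong_t ifs_fr_tcplastack;
 ulong_t ifs_fr_tcptimeout;
 ulong_t ifs_fr_tcpclosed;
 ulong_t ifs_fr_tcphalfclosed;
 ulong_t ifs_fr_udptimeout;
 ulong_t ifs_fr_udpacktimeout;
 ulong_t ifs_fr_icmptimeout;
 ulong_t ifs_fr_icmpacktimeout;
 int ifs_fr_statemax;
 int ifs_fr_statesize;
 int ifs_fr_state_doflush;
 int ifs_fr_state_lock;
 int ifs_fr_state_maxbucket;
 int ifs_fr_state_maxbucket_reset;
 int ifs_fr_state_init;
 int ifs_fr_enable_active;
 ipftq_t ifs_ips_tqtqb[IPF_TCP_NSTATES];
 ipftq_t ifs_ips_udptq;
 ipftq_t ifs_ips_udpacktq;
 ipftq_t ifs_ips_iptq;
 ipftq_t ifs_ips_icmptq;
 ipftq_t ifs_ips_icmpacktq;
 ipftq_t ifs_ips_deletetq;
 ipftq_t *ifs_ips_utqe;
 int ifs_ipstate_logging;
@@ -309,17 +310,18 @@
 ipstate_t *ifs_ips_list;
 ulong_t ifs_fr_iptimeout;
 
 /* radix.c */
 int ifs_max_keylen;
 struct radix_mask *ifs_rn_mkfreelist;
 struct radix_node_head *ifs_mask_rnhead;
 char *ifs_addmask_key;
 char *ifs_rn_zeros;
 char *ifs_rn_ones;
+
 #ifdef KERNEL
 /* kstats for inbound and outbound */
 kstat_t *ifs_kstatp[2];
 #endif
 };
 
 #endif /* __IPF_STACK_H__ */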
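Review bot: The new `ifs_zone_did` member is added next to `ifs_zone` with no comment saying what it holds, who initialises it or how it differs from `ifs_zone`, and nothing else in this header explains the suffix; a reader of this struct has to go to the commit title and the C side to work it out. Presumably it carries a second zone-level identifier that the cloud-firewall state logging emits alongside `ifs_zone` — confirm against the code that sets it. A one-line comment on the field would settle this, e.g. `zoneid_t ifs_zone_did; /* [ID used in firewall log records — confirm]; set where ifs_zone is */`, with the bracketed part replaced by the actual meaning. Note also that the struct's `#ifdef KERNEL` tail means the layout already differs between kernel and non-kernel builds, so any userland consumer that mirrors this struct must pick up the new member as well; worth checking when the logging side lands.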