1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
  25  */
  26 
  27 #ifndef _INET_IPSECESP_H
  28 #define _INET_IPSECESP_H
  29 
  30 #include <inet/ip.h>
  31 #include <inet/ipdrop.h>
  32 
  33 #ifdef  __cplusplus
  34 extern "C" {
  35 #endif
  36 
  37 #ifdef _KERNEL
  38 
/*
 * Named Dispatch parameter management structure.
 *
 * One of these describes a single ESP tunable.  ipsecesp_param_value is
 * the live setting; ipsecesp_param_min/max presumably bound the values
 * an administrator may store into it (verify against the parameter set
 * routine in the ESP module, which is not visible here), and
 * ipsecesp_param_name is the name the tunable is exposed under.
 */
struct ipsecespparam_s {
        uint_t  ipsecesp_param_min;     /* lowest accepted value (presumably) */
        uint_t  ipsecesp_param_max;     /* highest accepted value (presumably) */
        uint_t  ipsecesp_param_value;   /* current setting */
        char    *ipsecesp_param_name;   /* externally visible name */
};
typedef struct ipsecespparam_s ipsecespparam_t;
  46 
  47 /*
  48  * Stats.  This may eventually become a full-blown SNMP MIB once that spec
  49  * stabilizes.
  50  */
  51 
  52 typedef struct esp_kstats_s {
  53         kstat_named_t esp_stat_num_aalgs;
  54         kstat_named_t esp_stat_good_auth;
  55         kstat_named_t esp_stat_bad_auth;
  56         kstat_named_t esp_stat_bad_padding;
  57         kstat_named_t esp_stat_replay_failures;
  58         kstat_named_t esp_stat_replay_early_failures;
  59         kstat_named_t esp_stat_keysock_in;
  60         kstat_named_t esp_stat_out_requests;
  61         kstat_named_t esp_stat_acquire_requests;
  62         kstat_named_t esp_stat_bytes_expired;
  63         kstat_named_t esp_stat_out_discards;
  64         kstat_named_t esp_stat_crypto_sync;
  65         kstat_named_t esp_stat_crypto_async;
  66         kstat_named_t esp_stat_crypto_failures;
  67         kstat_named_t esp_stat_num_ealgs;
  68         kstat_named_t esp_stat_bad_decrypt;
  69         kstat_named_t esp_stat_sa_port_renumbers;
  70 } esp_kstats_t;
  71 
  72 /*
  73  * espstack->esp_kstats is equal to espstack->esp_ksp->ks_data if
  74  * kstat_create_netstack for espstack->esp_ksp succeeds, but when it
  75  * fails, it will be NULL. Note this is done for all stack instances,
  76  * so it *could* fail. hence a non-NULL checking is done for
  77  * ESP_BUMP_STAT and ESP_DEBUMP_STAT
  78  */
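/*
 * ESP_BUMP_STAT(espstack, x): increment the 64-bit kstat counter
 * esp_stat_<x> of the given ESP stack instance.  It is a no-op when the
 * instance has no kstat data (esp_kstats == NULL, i.e. kstat creation
 * failed for that netstack), so callers never need to test for that.
 *
 * espstack may be any expression yielding an ipsecesp_stack_t pointer;
 * it is parenthesized in the expansion and evaluated up to twice.
 *
 * NOTE: the increment is a plain, non-atomic read-modify-write, so
 * bumps racing on several CPUs may lose counts.  These are best-effort
 * statistics; do not rely on them as an exact audit of rejected packets.
 */
#define ESP_BUMP_STAT(espstack, x)                                      \
do {                                                                    \
        if ((espstack)->esp_kstats != NULL)                             \
                ((espstack)->esp_kstats->esp_stat_ ## x).value.ui64++;  \
_NOTE(CONSTCOND)                                                        \
} while (0)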
  85 
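/*
 * ESP_DEBUMP_STAT(espstack, x): decrement the 64-bit kstat counter
 * esp_stat_<x> of the given ESP stack instance; a no-op when the
 * instance has no kstat data (esp_kstats == NULL).
 *
 * espstack may be any expression yielding an ipsecesp_stack_t pointer;
 * it is parenthesized in the expansion and evaluated up to twice.
 *
 * NOTE: like ESP_BUMP_STAT this is a plain, non-atomic read-modify-write.
 * Nothing stops the counter from wrapping below zero if it is debumped
 * more often than it was bumped; the caller is responsible for pairing.
 */
#define ESP_DEBUMP_STAT(espstack, x)                                    \
do {                                                                    \
        if ((espstack)->esp_kstats != NULL)                             \
                ((espstack)->esp_kstats->esp_stat_ ## x).value.ui64--;  \
_NOTE(CONSTCOND)                                                        \
} while (0)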
  92 
  93 /*
  94  * IPSECESP stack instances
  95  */
  96 struct ipsecesp_stack {
  97         netstack_t              *ipsecesp_netstack;     /* Common netstack */
  98 
  99         caddr_t                 ipsecesp_g_nd;
 100         struct ipsecespparam_s  *ipsecesp_params;
 101         kmutex_t                ipsecesp_param_lock;    /* Protects params */
 102 
 103         /* Packet dropper for ESP drops. */
 104         ipdropper_t             esp_dropper;
 105 
 106         kstat_t                 *esp_ksp;
 107         struct esp_kstats_s     *esp_kstats;
 108 
 109         /*
 110          * Keysock instance of ESP.  There can be only one per stack instance.
 111          * Use casptr() on this because I don't set it until KEYSOCK_HELLO
 112          * comes down.
 113          * Paired up with the esp_pfkey_q is the esp_event, which will age SAs.
 114          */
 115         queue_t                 *esp_pfkey_q;
 116         timeout_id_t            esp_event;
 117 
 118         sadbp_t                 esp_sadb;
 119 };
 120 typedef struct ipsecesp_stack ipsecesp_stack_t;
 121 
/*
 * Accessors for the Named Dispatch tunables, used as
 * espstack->ipsecesp_<name>.  Each expands to a fixed slot of the
 * ipsecesp_params table; the slot number is that tunable's position in
 * the table the ESP module initialises (not visible here), so keep the
 * two in sync when adding or reordering a parameter.
 *
 * All of these read ipsecesp_param_value, the live setting, except
 * ipsecesp_age_int_max, which reads the upper bound of slot 1.
 */

/* slot 0: debug level */
#define ipsecesp_debug \
        ipsecesp_params[0].ipsecesp_param_value

/* slot 1: SA aging interval and its maximum */
#define ipsecesp_age_interval \
        ipsecesp_params[1].ipsecesp_param_value
#define ipsecesp_age_int_max \
        ipsecesp_params[1].ipsecesp_param_max

/* slot 2: reap delay */
#define ipsecesp_reap_delay \
        ipsecesp_params[2].ipsecesp_param_value

/* slot 3: anti-replay window size */
#define ipsecesp_replay_size \
        ipsecesp_params[3].ipsecesp_param_value

/* slots 4-5: ACQUIRE and larval SA timeouts */
#define ipsecesp_acquire_timeout \
        ipsecesp_params[4].ipsecesp_param_value
#define ipsecesp_larval_timeout \
        ipsecesp_params[5].ipsecesp_param_value

/* slots 6-11: default soft/hard SA lifetimes (bytes, add time, use time) */
#define ipsecesp_default_soft_bytes \
        ipsecesp_params[6].ipsecesp_param_value
#define ipsecesp_default_hard_bytes \
        ipsecesp_params[7].ipsecesp_param_value
#define ipsecesp_default_soft_addtime \
        ipsecesp_params[8].ipsecesp_param_value
#define ipsecesp_default_hard_addtime \
        ipsecesp_params[9].ipsecesp_param_value
#define ipsecesp_default_soft_usetime \
        ipsecesp_params[10].ipsecesp_param_value
#define ipsecesp_default_hard_usetime \
        ipsecesp_params[11].ipsecesp_param_value

/* slot 12: log packets arriving with an unknown SPI */
#define ipsecesp_log_unknown_spi \
        ipsecesp_params[12].ipsecesp_param_value

/* slot 13: verify ESP trailer padding bytes */
#define ipsecesp_padding_check \
        ipsecesp_params[13].ipsecesp_param_value

/* slot 14: NAT-T keepalive interval */
#define ipsecesp_nat_keepalive_interval \
        ipsecesp_params[14].ipsecesp_param_value
 149 
 150 #endif  /* _KERNEL */
 151 
 152 /*
 153  * For now, only provide "aligned" version of header.
 154  * If aligned version is needed, we'll go with the naming conventions then.
 155  */
 156 
 157 typedef struct esph {
 158         uint32_t esph_spi;
 159         uint32_t esph_replay;
 160 } esph_t;
 161 
 162 /* No need for "old" ESP, just point a uint32_t *. */
 163 
 164 #ifdef  __cplusplus
 165 }
 166 #endif
 167 
 168 #endif /* _INET_IPSECESP_H */