1 /*
2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
7 * Use is subject to license terms.
8 *
9 * Copyright 2018 Joyent, Inc. All rights reserved.
10 */
11
12 #ifndef __IPF_STACK_H__
13 #define __IPF_STACK_H__
14
/* FIXME: <net/route.h> appears to be needed only because ip_proxy.h references tcpseq */
16 #include <net/route.h>
17 #include <netinet/in.h>
18 #include <netinet/in_systm.h>
19 #include <netinet/ip.h>
20 #include <netinet/ip_var.h>
21 #include <netinet/tcp.h>
22 #include <netinet/udp.h>
23 #include <netinet/ip_icmp.h>
24 #include <netinet/tcpip.h>
25
26 #include "ip_compat.h"
27 #include "ip_fil.h"
28 #include "ip_nat.h"
29 #include "ip_frag.h"
30 #include "ip_state.h"
31 #include "ip_proxy.h"
32 #include "ip_auth.h"
33 #include "ip_lookup.h"
34 #include "ip_pool.h"
35 #include "ip_htable.h"
36 #include <net/radix.h>
37 #include <sys/neti.h>
38 #include <sys/hook.h>
39
/*
 * IPF stack instances.
 *
 * One struct ipf_stack holds all of the state (rule sets, NAT, state and
 * fragment tables, locks, tuneables, hooks and counters) that ipf keeps for
 * a single network stack; instances are identified by ifs_netid/ifs_zone
 * and chained together through ifs_next.
 */
struct ipf_stack {
	/*
	 * Instance bookkeeping.  Instances are kept on a singly linked
	 * list (ifs_next, with ifs_pnext pointing back at the link that
	 * refers to this node) and are identified by the netstack id and
	 * zone they belong to.  ifs_gz_controlled / ifs_gz_cont_ifs relate
	 * to an instance being controlled from the global zone; their exact
	 * semantics are defined by the code that sets them, not here.
	 */
	struct ipf_stack *ifs_next;
	struct ipf_stack **ifs_pnext;
	struct ipf_stack *ifs_gz_cont_ifs;
	netid_t ifs_netid;
	zoneid_t ifs_zone;
	boolean_t ifs_gz_controlled;

	/* ipf module */
	/*
	 * Small cache of recent packet-classification results.  The [2]
	 * dimension is presumably direction (in/out), as for ifs_kstatp
	 * below -- confirm against the users in fr_check().
	 */
	fr_info_t ifs_frcache[2][8];

	/* Per-direction filter statistics. */
	filterstats_t ifs_frstats[2];
	/*
	 * Rule lists for IPv4/IPv6 filtering and accounting.  Both indices
	 * are [set][direction]; ifs_fr_active (below) selects which set is
	 * live so that a new rule set can be built and swapped in
	 * atomically -- TODO confirm index order against ip_fil.c.
	 */
	frentry_t *ifs_ipfilter[2][2];
	frentry_t *ifs_ipfilter6[2][2];
	frentry_t *ifs_ipacct6[2][2];
	frentry_t *ifs_ipacct[2][2];
#if 0 /* not used */
	frentry_t *ifs_ipnatrules[2][2];
#endif
	/* Named rule groups, one head list per log unit. */
	frgroup_t *ifs_ipfgroups[IPL_LOGSIZE][2];
	/* Reference count on the instance (name only; see users). */
	int ifs_fr_refcnt;
	/*
	 * For fr_running:
	 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
	 * Packet processing should only be attempted when this is 1.
	 */
	int ifs_fr_running;
	int ifs_fr_flags;
	/* Index of the active rule set in the [2][2] rule arrays above. */
	int ifs_fr_active;
	/*
	 * Hardening / policy tuneables.  Names follow the classic ipf
	 * globals; each is a knob an administrator can set via ipf -T.
	 * The semantics below are the conventional ipf meanings and should
	 * be confirmed against the code that reads them:
	 *  ifs_fr_control_forwarding - whether ipf governs IP forwarding
	 *  ifs_fr_update_ipid        - rewrite the IPv4 ID field on output
	 *  ifs_fr_chksrc             - verify source address of inbound packets
	 *  ifs_fr_minttl             - drop packets below a minimum TTL
	 *  ifs_fr_icmpminfragmtu     - smallest MTU accepted in ICMP frag-needed
	 *  ifs_fr_pass               - default disposition when no rule matches
	 */
	int ifs_fr_control_forwarding;
	int ifs_fr_update_ipid;
#if 0
	ushort_t ifs_fr_ip_id;
#endif
	int ifs_fr_chksrc;
	int ifs_fr_minttl;
	int ifs_fr_icmpminfragmtu;
	int ifs_fr_pass;
	/* Counters for fastroute outcomes and coalescing failures (per direction). */
	ulong_t ifs_fr_frouteok[2];
	ulong_t ifs_fr_userifqs;
	ulong_t ifs_fr_badcoalesces[2];
	/*
	 * Secret key material (presumably for initial-sequence-number
	 * generation, going by the name).  Security note: this must be
	 * filled from an unpredictable source at instance creation, must
	 * never be exported to userland or logged, and because it is
	 * embedded in the instance any debug dump of this structure leaks
	 * it.  NOTE(review): confirm the initialiser uses a CSPRNG.
	 */
	uchar_t ifs_ipf_iss_secret[32];
	/* Periodic timer driving table expiry; cancelled on unload. */
	timeout_id_t ifs_fr_timer_id;
#if 0
	timeout_id_t ifs_synctimeoutid;
#endif
	/* Set once the locks below have been initialised (teardown guard). */
	int ifs_ipf_locks_done;

	/* Iteration tokens handed out to userland for ioctl walks. */
	ipftoken_t *ifs_ipftokenhead;
	ipftoken_t **ifs_ipftokentail;

	/*
	 * Per-instance locks.  Each protects the table or list its name
	 * refers to (frag, state, nat, auth, tokens, pools, ...);
	 * ifs_ipf_global is the instance-wide lock.  Lock ordering is
	 * defined by the .c files, not here -- do not infer it from the
	 * declaration order.
	 */
	ipfmutex_t ifs_ipl_mutex;
	ipfmutex_t ifs_ipf_authmx;
	ipfmutex_t ifs_ipf_rw;
	ipfmutex_t ifs_ipf_timeoutlock;
	ipfrwlock_t ifs_ipf_mutex;
	ipfrwlock_t ifs_ipf_global;
	ipfrwlock_t ifs_ipf_frcache;
	ipfrwlock_t ifs_ip_poolrw;
	ipfrwlock_t ifs_ipf_frag;
	ipfrwlock_t ifs_ipf_state;
	ipfrwlock_t ifs_ipf_nat;
	ipfrwlock_t ifs_ipf_natfrag;
	ipfmutex_t ifs_ipf_nat_new;
	ipfmutex_t ifs_ipf_natio;
	ipfrwlock_t ifs_ipf_auth;
	ipfmutex_t ifs_ipf_stinsert;
	ipfrwlock_t ifs_ipf_ipidfrag;
	ipfrwlock_t ifs_ipf_tokens;
	/* Condition variables for log readers and auth waiters. */
	kcondvar_t ifs_iplwait;
	kcondvar_t ifs_ipfauthwait;

	/* Tuneable table for this instance and its linked list of entries. */
	ipftuneable_t *ifs_ipf_tuneables;
	ipftuneable_t *ifs_ipf_tunelist;

	/* ip_fil_solaris.c */
	/*
	 * Packet hooks registered with the netstack hook framework, split
	 * by family (v4/v6), direction and physical vs loopback, plus the
	 * NIC event hooks.  The vndl3 and viona hooks cover the virtual
	 * (vnd L3 and viona) datapaths.
	 */
	hook_t *ifs_ipfhook4_in;
	hook_t *ifs_ipfhook4_out;
	hook_t *ifs_ipfhook4_loop_in;
	hook_t *ifs_ipfhook4_loop_out;
	hook_t *ifs_ipfhook4_nicevents;
	hook_t *ifs_ipfhook6_in;
	hook_t *ifs_ipfhook6_out;
	hook_t *ifs_ipfhook6_loop_in;
	hook_t *ifs_ipfhook6_loop_out;
	hook_t *ifs_ipfhook6_nicevents;

	hook_t *ifs_ipfhookvndl3v4_in;
	hook_t *ifs_ipfhookvndl3v6_in;
	hook_t *ifs_ipfhookvndl3v4_out;
	hook_t *ifs_ipfhookvndl3v6_out;

	hook_t *ifs_ipfhookviona_in;
	hook_t *ifs_ipfhookviona_out;

	/*
	 * flags to indicate whether hooks are registered.  There is one
	 * flag per hook above; they let teardown unregister only what was
	 * actually registered.
	 */
	boolean_t ifs_hook4_physical_in;
	boolean_t ifs_hook4_physical_out;
	boolean_t ifs_hook4_nic_events;
	boolean_t ifs_hook4_loopback_in;
	boolean_t ifs_hook4_loopback_out;
	boolean_t ifs_hook6_physical_in;
	boolean_t ifs_hook6_physical_out;
	boolean_t ifs_hook6_nic_events;
	boolean_t ifs_hook6_loopback_in;
	boolean_t ifs_hook6_loopback_out;
	boolean_t ifs_hookvndl3v4_physical_in;
	boolean_t ifs_hookvndl3v6_physical_in;
	boolean_t ifs_hookvndl3v4_physical_out;
	boolean_t ifs_hookvndl3v6_physical_out;
	boolean_t ifs_hookviona_physical_in;
	boolean_t ifs_hookviona_physical_out;

	/* Whether loopback traffic is filtered (presumably; see users). */
	int ifs_ipf_loopback;
	/* Protocol handles obtained from the neti framework, one per datapath. */
	net_handle_t ifs_ipf_ipv4;
	net_handle_t ifs_ipf_ipv6;
	net_handle_t ifs_ipf_vndl3v4;
	net_handle_t ifs_ipf_vndl3v6;
	net_handle_t ifs_ipf_viona;

	/* ip_auth.c */
	/*
	 * Queue of packets held for a userland authentication decision.
	 * ifs_fr_auth and ifs_fr_authpkts are arrays of ifs_fr_authsize
	 * entries used as a ring; ifs_fr_authstart/end/next are ring
	 * indices and ifs_fr_authused the occupancy.  Every index taken
	 * from userland must be range-checked against ifs_fr_authsize
	 * before use -- the ring is a natural place for an out-of-bounds
	 * access if that is missed.
	 */
	int ifs_fr_authsize;
	int ifs_fr_authused;
	int ifs_fr_defaultauthage;
	int ifs_fr_auth_lock;
	int ifs_fr_auth_init;
	fr_authstat_t ifs_fr_authstats;
	frauth_t *ifs_fr_auth;
	mb_t **ifs_fr_authpkts;
	int ifs_fr_authstart;
	int ifs_fr_authend;
	int ifs_fr_authnext;
	frauthent_t *ifs_fae_list;
	frentry_t *ifs_ipauth;
	frentry_t *ifs_fr_authlist;

	/* ip_frag.c */
	/*
	 * Fragment cache: three independent tables (filter, NAT and IP-ID),
	 * each a hash table (*_heads / *_tab) plus an age-ordered list
	 * (list head and tail pointer) used for expiry.
	 */
	ipfr_t *ifs_ipfr_list;
	ipfr_t **ifs_ipfr_tail;
	ipfr_t **ifs_ipfr_heads;

	ipfr_t *ifs_ipfr_natlist;
	ipfr_t **ifs_ipfr_nattail;
	ipfr_t **ifs_ipfr_nattab;

	ipfr_t *ifs_ipfr_ipidlist;
	ipfr_t **ifs_ipfr_ipidtail;
	ipfr_t **ifs_ipfr_ipidtab;

	ipfrstat_t ifs_ipfr_stats;
	/* Current entry count and configured table size; inuse must stay <= size. */
	int ifs_ipfr_inuse;
	int ifs_ipfr_size;

	/* Lifetime of a fragment-cache entry, in ticks. */
	int ifs_fr_ipfrttl;
	int ifs_fr_frag_lock;
	int ifs_fr_frag_init;
	/* Instance clock advanced by the expiry timer; all ages compare against it. */
	ulong_t ifs_fr_ticks;

	/* Synthetic "block" rule used when a packet must be dropped without a matching rule. */
	frentry_t ifs_frblock;

	/* ip_htable.c */
	/* Hash-table address lists, per log unit, with allocation counters. */
	iphtable_t *ifs_ipf_htables[IPL_LOGSIZE];
	ulong_t ifs_ipht_nomem[IPL_LOGSIZE];
	ulong_t ifs_ipf_nhtables[IPL_LOGSIZE];
	ulong_t ifs_ipf_nhtnodes[IPL_LOGSIZE];

	/* ip_log.c */
	/*
	 * Per-log-unit log buffers (head tail pointer, tail, last entry),
	 * bytes used, and the last logged fr_info_t used to suppress
	 * duplicates.  ifs_ipl_logsize / ifs_ipl_logmax bound how much log
	 * data may be queued so a flood of loggable packets cannot exhaust
	 * kernel memory.
	 */
	iplog_t **ifs_iplh[IPL_LOGSIZE];
	iplog_t *ifs_iplt[IPL_LOGSIZE];
	iplog_t *ifs_ipll[IPL_LOGSIZE];
	int ifs_iplused[IPL_LOGSIZE];
	fr_info_t ifs_iplcrc[IPL_LOGSIZE];
	int ifs_ipl_suppress;
	int ifs_ipl_buffer_sz;
	int ifs_ipl_logmax;
	int ifs_ipl_logall;
	int ifs_ipl_log_init;
	int ifs_ipl_logsize;

	/* ip_lookup.c */
	ip_pool_stat_t ifs_ippoolstat;
	int ifs_ip_lookup_inited;

	/* ip_nat.c */
	/* nat_table[0] -> hashed list sorted by inside (ip, port) */
	/* nat_table[1] -> hashed list sorted by outside (ip, port) */
	nat_t **ifs_nat_table[2];
	/* All live NAT sessions, and the configured NAT rule list. */
	nat_t *ifs_nat_instances;
	ipnat_t *ifs_nat_list;
	/*
	 * Table sizes and growth bounds.  ifs_ipf_nattable_max caps the
	 * number of sessions and ifs_fr_nat_maxbucket caps a single hash
	 * chain; together they bound memory use and lookup cost under a
	 * session flood.
	 */
	uint_t ifs_ipf_nattable_sz;
	uint_t ifs_ipf_nattable_max;
	uint_t ifs_ipf_natrules_sz;
	uint_t ifs_ipf_rdrrules_sz;
	uint_t ifs_ipf_hostmap_sz;
	uint_t ifs_fr_nat_maxbucket;
	uint_t ifs_fr_nat_maxbucket_reset;
	/* Bitmasks of netmask lengths present in the map/rdr rule sets (v4 and v6). */
	uint32_t ifs_nat_masks;
	uint32_t ifs_rdr_masks;
	uint32_t ifs_nat6_masks[4];
	uint32_t ifs_rdr6_masks[4];
	/* Hashed map and rdr rule tables, and the host-mapping table. */
	ipnat_t **ifs_nat_rules;
	ipnat_t **ifs_rdr_rules;
	hostmap_t **ifs_maptable;
	hostmap_t *ifs_ipf_hm_maplist;

	/* Timeout queues for NAT sessions: one per TCP state, plus UDP/ICMP/other. */
	ipftq_t ifs_nat_tqb[IPF_TCP_NSTATES];
	ipftq_t ifs_nat_udptq;
	ipftq_t ifs_nat_icmptq;
	ipftq_t ifs_nat_iptq;
	/* User-defined timeout queues. */
	ipftq_t *ifs_nat_utqe;
	int ifs_nat_logging;
	/* Default NAT session ages (ticks) for TCP-less, plain IP and ICMP sessions. */
	ulong_t ifs_fr_defnatage;
	ulong_t ifs_fr_defnatipage;
	ulong_t ifs_fr_defnaticmpage;
	natstat_t ifs_nat_stats;
	int ifs_fr_nat_lock;
	int ifs_fr_nat_init;
	/*
	 * Watermarks (presumably percentages of nattable_max) at which
	 * forced flushing of old sessions starts and stops, with the tick
	 * of the last forced flush and a pending-flush flag.
	 */
	uint_t ifs_nat_flush_level_hi;
	uint_t ifs_nat_flush_level_lo;
	ulong_t ifs_nat_last_force_flush;
	int ifs_nat_doflush;

	/* ip_pool.c */
	ip_pool_stat_t ifs_ipoolstat;
	ip_pool_t *ifs_ip_pool_list[IPL_LOGSIZE];

	/* ip_proxy.c */
	/* Active proxy sessions and the registered application proxies. */
	ap_session_t *ifs_ap_sess_list;
	aproxy_t *ifs_ap_proxylist;
	aproxy_t *ifs_ap_proxies; /* copy of lcl_ap_proxies */

	/* ip_state.c */
	/*
	 * State table hash buckets and the per-instance hash seed.
	 * Security note: the seed should be unpredictable to an attacker,
	 * otherwise crafted flows can be steered into one bucket --
	 * NOTE(review): confirm ifs_ips_seed is initialised from a random
	 * source rather than a constant.
	 */
	ipstate_t **ifs_ips_table;
	ulong_t *ifs_ips_seed;
	int ifs_ips_num;
	/* Forced-flush watermarks for the state table, as for NAT above. */
	ulong_t ifs_ips_last_force_flush;
	uint_t ifs_state_flush_level_hi;
	uint_t ifs_state_flush_level_lo;
	ips_stat_t ifs_ips_stats;

	/* Default state timeouts (ticks), by protocol and TCP phase. */
	ulong_t ifs_fr_tcpidletimeout;
	ulong_t ifs_fr_tcpclosewait;
	ulong_t ifs_fr_tcplastack;
	ulong_t ifs_fr_tcptimeout;
	ulong_t ifs_fr_tcpclosed;
	ulong_t ifs_fr_tcphalfclosed;
	ulong_t ifs_fr_udptimeout;
	ulong_t ifs_fr_udpacktimeout;
	ulong_t ifs_fr_icmptimeout;
	ulong_t ifs_fr_icmpacktimeout;
	/*
	 * State table limits: maximum entries, table size and the maximum
	 * chain length; these bound state-table growth in the same way the
	 * NAT limits do.
	 */
	int ifs_fr_statemax;
	int ifs_fr_statesize;
	int ifs_fr_state_doflush;
	int ifs_fr_state_lock;
	int ifs_fr_state_maxbucket;
	int ifs_fr_state_maxbucket_reset;
	int ifs_fr_state_init;
	int ifs_fr_enable_active;
	/* Timeout queues for state entries, including the pending-delete queue. */
	ipftq_t ifs_ips_tqtqb[IPF_TCP_NSTATES];
	ipftq_t ifs_ips_udptq;
	ipftq_t ifs_ips_udpacktq;
	ipftq_t ifs_ips_iptq;
	ipftq_t ifs_ips_icmptq;
	ipftq_t ifs_ips_icmpacktq;
	ipftq_t ifs_ips_deletetq;
	ipftq_t *ifs_ips_utqe;
	int ifs_ipstate_logging;
	ipstate_t *ifs_ips_list;
	ulong_t ifs_fr_iptimeout;

	/* radix.c */
	/*
	 * Per-instance radix tree globals (the BSD radix code keeps these
	 * as file statics; here they are instanced).  ifs_max_keylen sizes
	 * the ifs_addmask_key / ifs_rn_zeros / ifs_rn_ones buffers.
	 */
	int ifs_max_keylen;
	struct radix_mask *ifs_rn_mkfreelist;
	struct radix_node_head *ifs_mask_rnhead;
	char *ifs_addmask_key;
	char *ifs_rn_zeros;
	char *ifs_rn_ones;
#ifdef KERNEL
	/* kstats for inbound and outbound */
	kstat_t *ifs_kstatp[2];
#endif
};
324
325 #endif /* __IPF_STACK_H__ */