1f4b3ec61Sdh /*
2f4b3ec61Sdh  * Copyright (C) 1993-2001, 2003 by Darren Reed.
3f4b3ec61Sdh  *
4f4b3ec61Sdh  * See the IPFILTER.LICENCE file for details on licencing.
5f4b3ec61Sdh  *
672680cf5SDarren Reed  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
7f4b3ec61Sdh  * Use is subject to license terms.
894bdecd9SRob Gulewich  *
9*b22a70abSPatrick Mooney  * Copyright 2018 Joyent, Inc.  All rights reserved.
10f4b3ec61Sdh  */
11f4b3ec61Sdh 
12f4b3ec61Sdh #ifndef	__IPF_STACK_H__
13f4b3ec61Sdh #define	__IPF_STACK_H__
14f4b3ec61Sdh 
15f4b3ec61Sdh /* FIXME: appears to be needed for ip_proxy.h (tcpseq) */
16f4b3ec61Sdh #include <net/route.h>
17f4b3ec61Sdh #include <netinet/in.h>
18f4b3ec61Sdh #include <netinet/in_systm.h>
19f4b3ec61Sdh #include <netinet/ip.h>
20f4b3ec61Sdh #include <netinet/ip_var.h>
21f4b3ec61Sdh #include <netinet/tcp.h>
22f4b3ec61Sdh #include <netinet/udp.h>
23f4b3ec61Sdh #include <netinet/ip_icmp.h>
24f4b3ec61Sdh #include <netinet/tcpip.h>
25f4b3ec61Sdh 
26f4b3ec61Sdh #include "ip_compat.h"
27f4b3ec61Sdh #include "ip_fil.h"
28f4b3ec61Sdh #include "ip_nat.h"
29f4b3ec61Sdh #include "ip_frag.h"
30f4b3ec61Sdh #include "ip_state.h"
31f4b3ec61Sdh #include "ip_proxy.h"
32f4b3ec61Sdh #include "ip_auth.h"
33f4b3ec61Sdh #include "ip_lookup.h"
34f4b3ec61Sdh #include "ip_pool.h"
35f4b3ec61Sdh #include "ip_htable.h"
36f4b3ec61Sdh #include <net/radix.h>
37f4b3ec61Sdh #include <sys/neti.h>
38f4b3ec61Sdh #include <sys/hook.h>
39f4b3ec61Sdh 
40f4b3ec61Sdh /*
41f4b3ec61Sdh  * IPF stack instances
42f4b3ec61Sdh  */
43f4b3ec61Sdh struct ipf_stack {
447ddc9b1aSDarren Reed 	struct ipf_stack	*ifs_next;
457ddc9b1aSDarren Reed 	struct ipf_stack	**ifs_pnext;
4694bdecd9SRob Gulewich 	struct ipf_stack	*ifs_gz_cont_ifs;
477ddc9b1aSDarren Reed 	netid_t			ifs_netid;
487ddc9b1aSDarren Reed 	zoneid_t		ifs_zone;
4994bdecd9SRob Gulewich 	boolean_t		ifs_gz_controlled;
50f4b3ec61Sdh 
51f4b3ec61Sdh 	/* ipf module */
5214d3298eSAlexandr Nedvedicky 	fr_info_t		ifs_frcache[2][8];
53f4b3ec61Sdh 
54f4b3ec61Sdh 	filterstats_t		ifs_frstats[2];
55f4b3ec61Sdh 	frentry_t		*ifs_ipfilter[2][2];
56f4b3ec61Sdh 	frentry_t		*ifs_ipfilter6[2][2];
57f4b3ec61Sdh 	frentry_t		*ifs_ipacct6[2][2];
58f4b3ec61Sdh 	frentry_t		*ifs_ipacct[2][2];
59f4b3ec61Sdh #if 0 /* not used */
60f4b3ec61Sdh 	frentry_t		*ifs_ipnatrules[2][2];
61f4b3ec61Sdh #endif
62f4b3ec61Sdh 	frgroup_t		*ifs_ipfgroups[IPL_LOGSIZE][2];
63f4b3ec61Sdh 	int			ifs_fr_refcnt;
64f4b3ec61Sdh 	/*
65f4b3ec61Sdh 	 * For fr_running:
66f4b3ec61Sdh 	 * 0 = loading, 1 = running, -1 = disabled, -2 = unloading
67f4b3ec61Sdh 	 */
68f4b3ec61Sdh 	int			ifs_fr_running;
69f4b3ec61Sdh 	int			ifs_fr_flags;
70f4b3ec61Sdh 	int			ifs_fr_active;
71f4b3ec61Sdh 	int			ifs_fr_control_forwarding;
72f4b3ec61Sdh 	int			ifs_fr_update_ipid;
73f4b3ec61Sdh #if 0
74f4b3ec61Sdh 	ushort_t		ifs_fr_ip_id;
75f4b3ec61Sdh #endif
76f4b3ec61Sdh 	int			ifs_fr_chksrc;
77f4b3ec61Sdh 	int			ifs_fr_minttl;
78f4b3ec61Sdh 	int			ifs_fr_icmpminfragmtu;
79f4b3ec61Sdh 	int			ifs_fr_pass;
80f4b3ec61Sdh 	ulong_t			ifs_fr_frouteok[2];
81f4b3ec61Sdh 	ulong_t			ifs_fr_userifqs;
82f4b3ec61Sdh 	ulong_t			ifs_fr_badcoalesces[2];
83f4b3ec61Sdh 	uchar_t			ifs_ipf_iss_secret[32];
84f4b3ec61Sdh 	timeout_id_t		ifs_fr_timer_id;
85f4b3ec61Sdh #if 0
86f4b3ec61Sdh 	timeout_id_t		ifs_synctimeoutid;
87f4b3ec61Sdh #endif
88f4b3ec61Sdh 	int			ifs_ipf_locks_done;
89f4b3ec61Sdh 
90*b22a70abSPatrick Mooney 	ipftoken_t		*ifs_ipftokenhead;
91*b22a70abSPatrick Mooney 	ipftoken_t		**ifs_ipftokentail;
92f4b3ec61Sdh 
93f4b3ec61Sdh 	ipfmutex_t	ifs_ipl_mutex;
94f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_authmx;
95f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_rw;
96f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_timeoutlock;
97f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_mutex;
98f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_global;
9914d3298eSAlexandr Nedvedicky 	ipfrwlock_t	ifs_ipf_frcache;
100f4b3ec61Sdh 	ipfrwlock_t	ifs_ip_poolrw;
101f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_frag;
102f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_state;
103f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_nat;
104f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_natfrag;
105f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_nat_new;
106f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_natio;
107f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_auth;
108f4b3ec61Sdh 	ipfmutex_t	ifs_ipf_stinsert;
109f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_ipidfrag;
110f4b3ec61Sdh 	ipfrwlock_t	ifs_ipf_tokens;
111f4b3ec61Sdh 	kcondvar_t	ifs_iplwait;
112f4b3ec61Sdh 	kcondvar_t	ifs_ipfauthwait;
113f4b3ec61Sdh 
114f4b3ec61Sdh 	ipftuneable_t	*ifs_ipf_tuneables;
115f4b3ec61Sdh 	ipftuneable_t	*ifs_ipf_tunelist;
116f4b3ec61Sdh 
117f4b3ec61Sdh 	/* ip_fil_solaris.c */
1187ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook4_in;
1197ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook4_out;
1207ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook4_loop_in;
1217ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook4_loop_out;
1227ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook4_nicevents;
1237ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook6_in;
1247ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook6_out;
1257ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook6_loop_in;
1267ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook6_loop_out;
1277ddc9b1aSDarren Reed 	hook_t		*ifs_ipfhook6_nicevents;
128f4b3ec61Sdh 
129*b22a70abSPatrick Mooney 	hook_t		*ifs_ipfhookviona_in;
130*b22a70abSPatrick Mooney 	hook_t		*ifs_ipfhookviona_out;
131*b22a70abSPatrick Mooney 
132f4b3ec61Sdh 	/* flags to indicate whether hooks are registered. */
133f4b3ec61Sdh 	boolean_t	ifs_hook4_physical_in;
134f4b3ec61Sdh 	boolean_t	ifs_hook4_physical_out;
135f4b3ec61Sdh 	boolean_t	ifs_hook4_nic_events;
136f4b3ec61Sdh 	boolean_t	ifs_hook4_loopback_in;
137f4b3ec61Sdh 	boolean_t	ifs_hook4_loopback_out;
138f4b3ec61Sdh 	boolean_t	ifs_hook6_physical_in;
139f4b3ec61Sdh 	boolean_t	ifs_hook6_physical_out;
140f4b3ec61Sdh 	boolean_t	ifs_hook6_nic_events;
141f4b3ec61Sdh 	boolean_t	ifs_hook6_loopback_in;
142f4b3ec61Sdh 	boolean_t	ifs_hook6_loopback_out;
143*b22a70abSPatrick Mooney 	boolean_t	ifs_hookviona_physical_in;
144*b22a70abSPatrick Mooney 	boolean_t	ifs_hookviona_physical_out;
145f4b3ec61Sdh 
146f4b3ec61Sdh 	int		ifs_ipf_loopback;
1477ddc9b1aSDarren Reed 	net_handle_t	ifs_ipf_ipv4;
1487ddc9b1aSDarren Reed 	net_handle_t	ifs_ipf_ipv6;
149*b22a70abSPatrick Mooney 	net_handle_t	ifs_ipf_viona;
150f4b3ec61Sdh 
151f4b3ec61Sdh 	/* ip_auth.c */
152f4b3ec61Sdh 	int			ifs_fr_authsize;
153f4b3ec61Sdh 	int			ifs_fr_authused;
154f4b3ec61Sdh 	int			ifs_fr_defaultauthage;
155f4b3ec61Sdh 	int			ifs_fr_auth_lock;
156f4b3ec61Sdh 	int			ifs_fr_auth_init;
157f4b3ec61Sdh 	fr_authstat_t		ifs_fr_authstats;
158f4b3ec61Sdh 	frauth_t		*ifs_fr_auth;
159f4b3ec61Sdh 	mb_t			**ifs_fr_authpkts;
160f4b3ec61Sdh 	int			ifs_fr_authstart;
161f4b3ec61Sdh 	int			ifs_fr_authend;
162f4b3ec61Sdh 	int			ifs_fr_authnext;
163f4b3ec61Sdh 	frauthent_t		*ifs_fae_list;
164f4b3ec61Sdh 	frentry_t		*ifs_ipauth;
165f4b3ec61Sdh 	frentry_t		*ifs_fr_authlist;
166f4b3ec61Sdh 
167f4b3ec61Sdh 	/* ip_frag.c */
168f4b3ec61Sdh 	ipfr_t			*ifs_ipfr_list;
169f4b3ec61Sdh 	ipfr_t			**ifs_ipfr_tail;
170f4b3ec61Sdh 	ipfr_t			**ifs_ipfr_heads;
171f4b3ec61Sdh 
172f4b3ec61Sdh 	ipfr_t			*ifs_ipfr_natlist;
173f4b3ec61Sdh 	ipfr_t			**ifs_ipfr_nattail;
174f4b3ec61Sdh 	ipfr_t			**ifs_ipfr_nattab;
175f4b3ec61Sdh 
176*b22a70abSPatrick Mooney 	ipfr_t			*ifs_ipfr_ipidlist;
177*b22a70abSPatrick Mooney 	ipfr_t			**ifs_ipfr_ipidtail;
178f4b3ec61Sdh 	ipfr_t			**ifs_ipfr_ipidtab;
179f4b3ec61Sdh 
180f4b3ec61Sdh 	ipfrstat_t		ifs_ipfr_stats;
181f4b3ec61Sdh 	int			ifs_ipfr_inuse;
182f4b3ec61Sdh 	int			ifs_ipfr_size;
183f4b3ec61Sdh 
184f4b3ec61Sdh 	int			ifs_fr_ipfrttl;
185f4b3ec61Sdh 	int			ifs_fr_frag_lock;
186f4b3ec61Sdh 	int			ifs_fr_frag_init;
187f4b3ec61Sdh 	ulong_t			ifs_fr_ticks;
188f4b3ec61Sdh 
189f4b3ec61Sdh 	frentry_t		ifs_frblock;
190f4b3ec61Sdh 
191f4b3ec61Sdh 	/* ip_htable.c */
192f4b3ec61Sdh 	iphtable_t		*ifs_ipf_htables[IPL_LOGSIZE];
193f4b3ec61Sdh 	ulong_t			ifs_ipht_nomem[IPL_LOGSIZE];
194f4b3ec61Sdh 	ulong_t			ifs_ipf_nhtables[IPL_LOGSIZE];
195f4b3ec61Sdh 	ulong_t			ifs_ipf_nhtnodes[IPL_LOGSIZE];
196f4b3ec61Sdh 
197f4b3ec61Sdh 	/* ip_log.c */
198f4b3ec61Sdh 	iplog_t			**ifs_iplh[IPL_LOGSIZE];
199f4b3ec61Sdh 	iplog_t			*ifs_iplt[IPL_LOGSIZE];
200f4b3ec61Sdh 	iplog_t			*ifs_ipll[IPL_LOGSIZE];
201f4b3ec61Sdh 	int			ifs_iplused[IPL_LOGSIZE];
202f4b3ec61Sdh 	fr_info_t		ifs_iplcrc[IPL_LOGSIZE];
203f4b3ec61Sdh 	int			ifs_ipl_suppress;
204f4b3ec61Sdh 	int			ifs_ipl_buffer_sz;
205f4b3ec61Sdh 	int			ifs_ipl_logmax;
206f4b3ec61Sdh 	int			ifs_ipl_logall;
207f4b3ec61Sdh 	int			ifs_ipl_log_init;
208f4b3ec61Sdh 	int			ifs_ipl_logsize;
209f4b3ec61Sdh 
210f4b3ec61Sdh 	/* ip_lookup.c */
211f4b3ec61Sdh 	ip_pool_stat_t		ifs_ippoolstat;
212f4b3ec61Sdh 	int			ifs_ip_lookup_inited;
213f4b3ec61Sdh 
214f4b3ec61Sdh 	/* ip_nat.c */
215f4b3ec61Sdh 	/* nat_table[0] -> hashed list sorted by inside (ip, port) */
216f4b3ec61Sdh 	/* nat_table[1] -> hashed list sorted by outside (ip, port) */
217f4b3ec61Sdh 	nat_t			**ifs_nat_table[2];
218f4b3ec61Sdh 	nat_t			*ifs_nat_instances;
219f4b3ec61Sdh 	ipnat_t			*ifs_nat_list;
220f4b3ec61Sdh 	uint_t			ifs_ipf_nattable_sz;
221f4b3ec61Sdh 	uint_t			ifs_ipf_nattable_max;
222f4b3ec61Sdh 	uint_t			ifs_ipf_natrules_sz;
223f4b3ec61Sdh 	uint_t			ifs_ipf_rdrrules_sz;
224f4b3ec61Sdh 	uint_t			ifs_ipf_hostmap_sz;
225f4b3ec61Sdh 	uint_t			ifs_fr_nat_maxbucket;
226f4b3ec61Sdh 	uint_t			ifs_fr_nat_maxbucket_reset;
227f4b3ec61Sdh 	uint32_t		ifs_nat_masks;
228f4b3ec61Sdh 	uint32_t		ifs_rdr_masks;
229d6c23f6fSyx 	uint32_t		ifs_nat6_masks[4];
230d6c23f6fSyx 	uint32_t		ifs_rdr6_masks[4];
231f4b3ec61Sdh 	ipnat_t			**ifs_nat_rules;
232f4b3ec61Sdh 	ipnat_t			**ifs_rdr_rules;
233f4b3ec61Sdh 	hostmap_t		**ifs_maptable;
234f4b3ec61Sdh 	hostmap_t		*ifs_ipf_hm_maplist;
235f4b3ec61Sdh 
236f4b3ec61Sdh 	ipftq_t			ifs_nat_tqb[IPF_TCP_NSTATES];
237f4b3ec61Sdh 	ipftq_t			ifs_nat_udptq;
238f4b3ec61Sdh 	ipftq_t			ifs_nat_icmptq;
239f4b3ec61Sdh 	ipftq_t			ifs_nat_iptq;
240f4b3ec61Sdh 	ipftq_t			*ifs_nat_utqe;
241f4b3ec61Sdh 	int			ifs_nat_logging;
242f4b3ec61Sdh 	ulong_t			ifs_fr_defnatage;
243f4b3ec61Sdh 	ulong_t			ifs_fr_defnatipage;
244f4b3ec61Sdh 	ulong_t			ifs_fr_defnaticmpage;
245f4b3ec61Sdh 	natstat_t		ifs_nat_stats;
246f4b3ec61Sdh 	int			ifs_fr_nat_lock;
247f4b3ec61Sdh 	int			ifs_fr_nat_init;
248ea8244dcSJohn Ojemann 	uint_t			ifs_nat_flush_level_hi;
249ea8244dcSJohn Ojemann 	uint_t			ifs_nat_flush_level_lo;
2503805c50fSan 	ulong_t			ifs_nat_last_force_flush;
2513805c50fSan 	int			ifs_nat_doflush;
252f4b3ec61Sdh 
253f4b3ec61Sdh 	/* ip_pool.c */
254f4b3ec61Sdh 	ip_pool_stat_t		ifs_ipoolstat;
255f4b3ec61Sdh 	ip_pool_t		*ifs_ip_pool_list[IPL_LOGSIZE];
256f4b3ec61Sdh 
257f4b3ec61Sdh 	/* ip_proxy.c */
258f4b3ec61Sdh 	ap_session_t		*ifs_ap_sess_list;
259f4b3ec61Sdh 	aproxy_t		*ifs_ap_proxylist;
260f4b3ec61Sdh 	aproxy_t		*ifs_ap_proxies; /* copy of lcl_ap_proxies */
261f4b3ec61Sdh 
262f4b3ec61Sdh 	/* ip_state.c */
263f4b3ec61Sdh 	ipstate_t		**ifs_ips_table;
264f4b3ec61Sdh 	ulong_t			*ifs_ips_seed;
265f4b3ec61Sdh 	int			ifs_ips_num;
266f4b3ec61Sdh 	ulong_t			ifs_ips_last_force_flush;
267ea8244dcSJohn Ojemann 	uint_t			ifs_state_flush_level_hi;
268ea8244dcSJohn Ojemann 	uint_t			ifs_state_flush_level_lo;
269f4b3ec61Sdh 	ips_stat_t		ifs_ips_stats;
270f4b3ec61Sdh 
271f4b3ec61Sdh 	ulong_t			ifs_fr_tcpidletimeout;
272f4b3ec61Sdh 	ulong_t			ifs_fr_tcpclosewait;
273f4b3ec61Sdh 	ulong_t			ifs_fr_tcplastack;
274f4b3ec61Sdh 	ulong_t			ifs_fr_tcptimeout;
275f4b3ec61Sdh 	ulong_t			ifs_fr_tcpclosed;
276f4b3ec61Sdh 	ulong_t			ifs_fr_tcphalfclosed;
277f4b3ec61Sdh 	ulong_t			ifs_fr_udptimeout;
278f4b3ec61Sdh 	ulong_t			ifs_fr_udpacktimeout;
279f4b3ec61Sdh 	ulong_t			ifs_fr_icmptimeout;
280f4b3ec61Sdh 	ulong_t			ifs_fr_icmpacktimeout;
281f4b3ec61Sdh 	int			ifs_fr_statemax;
282f4b3ec61Sdh 	int			ifs_fr_statesize;
283f4b3ec61Sdh 	int			ifs_fr_state_doflush;
284f4b3ec61Sdh 	int			ifs_fr_state_lock;
285f4b3ec61Sdh 	int			ifs_fr_state_maxbucket;
286f4b3ec61Sdh 	int			ifs_fr_state_maxbucket_reset;
287f4b3ec61Sdh 	int			ifs_fr_state_init;
28872680cf5SDarren Reed 	int			ifs_fr_enable_active;
289f4b3ec61Sdh 	ipftq_t			ifs_ips_tqtqb[IPF_TCP_NSTATES];
290f4b3ec61Sdh 	ipftq_t			ifs_ips_udptq;
291f4b3ec61Sdh 	ipftq_t			ifs_ips_udpacktq;
292f4b3ec61Sdh 	ipftq_t			ifs_ips_iptq;
293f4b3ec61Sdh 	ipftq_t			ifs_ips_icmptq;
294f4b3ec61Sdh 	ipftq_t			ifs_ips_icmpacktq;
2951e6b25a4San 	ipftq_t			ifs_ips_deletetq;
296f4b3ec61Sdh 	ipftq_t			*ifs_ips_utqe;
297f4b3ec61Sdh 	int			ifs_ipstate_logging;
298f4b3ec61Sdh 	ipstate_t		*ifs_ips_list;
299f4b3ec61Sdh 	ulong_t			ifs_fr_iptimeout;
300f4b3ec61Sdh 
301f4b3ec61Sdh 	/* radix.c */
302f4b3ec61Sdh 	int			ifs_max_keylen;
303f4b3ec61Sdh 	struct radix_mask	*ifs_rn_mkfreelist;
304f4b3ec61Sdh 	struct radix_node_head	*ifs_mask_rnhead;
305f4b3ec61Sdh 	char			*ifs_addmask_key;
306f4b3ec61Sdh 	char			*ifs_rn_zeros;
307f4b3ec61Sdh 	char			*ifs_rn_ones;
308f4b3ec61Sdh #ifdef KERNEL
309f4b3ec61Sdh 	/* kstats for inbound and outbound */
310f4b3ec61Sdh 	kstat_t			*ifs_kstatp[2];
311f4b3ec61