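/*
 * Copyright (C) 1995-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
 * $Id: ip_state.h,v 2.68.2.5 2005/08/11 19:58:04 darrenr Exp $
 *
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * ip_state.h - data structures, flag bits and entry points for the
 * IPFilter stateful packet-inspection table ("keep state").
 *
 * Nothing here is allocated or initialised by the header itself; the
 * definitions describe the in-kernel state entry (ipstate_t), the
 * userland-visible snapshot/log records (ipstate_save_t, ipslog_t), the
 * statistics block (ips_stat_t) and the functions implemented in
 * ip_state.c.  Struct member order is part of the kernel/userland ABI
 * for the save and log records and must not be changed.
 */

#ifndef	__IP_STATE_H__
#define	__IP_STATE_H__

/*
 * ioctl code used to delete a single entry from the state table.  The
 * argument is an ipfobj descriptor.  The second form, with the magic
 * character unquoted, is presumably for pre-ANSI preprocessors.
 */
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define	SIOCDELST	_IOW('r', 61, struct ipfobj)
#else
# define	SIOCDELST	_IOW(r, 61, struct ipfobj)
#endif

struct ipscan;

/*
 * Build-time tunables (both may be overridden on the compiler command
 * line).  IPSTATE_SIZE is presumably the state hash-table size (compare
 * iss_statesize/iss_table in ips_stat_t below); IPSTATE_MAX is the upper
 * bound on the number of live state entries.  The latter bounds the kernel
 * memory that remote traffic can cause to be allocated through state
 * creation, so it should not be raised without considering that cost.
 */
#ifndef	IPSTATE_SIZE
# define	IPSTATE_SIZE	5737
#endif
#ifndef	IPSTATE_MAX
# define	IPSTATE_MAX	50000	/* Maximum number of states held */
#endif

/*
 * PAIRS() is non-zero when the end points (s2,d2) are the same pair as
 * (s1,d1), in either direction; IPPAIR() applies it to the s_addr members
 * of four struct in_addr values.  Every argument is evaluated up to twice,
 * so only pass side-effect-free expressions.
 */
#define	PAIRS(s1,d1,s2,d2)	((((s1) == (s2)) && ((d1) == (d2))) ||\
				 (((s1) == (d2)) && ((d1) == (s2))))
#define	IPPAIR(s1,d1,s2,d2)	PAIRS((s1).s_addr, (d1).s_addr, \
				      (s2).s_addr, (d2).s_addr)


/*
 * One entry in the state table.  Entries live on two chains at once (the
 * global list via is_next/is_pnext and a hash chain via is_hnext/is_phnext)
 * and are reference counted through is_ref; see fr_statederef() below.
 * Per-direction arrays are indexed [0] for the direction the state was
 * created in and [1] for the reverse (see the is_s*/is_d* accessors).
 */
typedef	struct	ipstate	{
	ipfmutex_t	is_lock;
	struct	ipstate	*is_next;	/* global list */
	struct	ipstate	**is_pnext;
	struct	ipstate	*is_hnext;	/* hash chain */
	struct	ipstate	**is_phnext;
	struct	ipstate	**is_me;
	void		*is_ifp[4];	/* [0] = in, [2] = out (is_ifpin/out) */
	void		*is_sync;
	struct	nat	*is_nat[2];
	frentry_t	*is_rule;	/* rule that created this entry */
	struct	ipftq	*is_tqehead[2];
	struct	ipscan	*is_isc;
	U_QUAD_T	is_pkts[4];
	U_QUAD_T	is_bytes[4];
	U_QUAD_T	is_icmppkts[4];
	struct	ipftqent is_sti;	/* timeout queue entry: is_die/is_state */
	u_int	is_frage[2];
	int	is_ref;			/* reference count */
	int	is_isninc[2];
	u_short	is_sumd[2];
	i6addr_t	is_src;		/* is_saddr = is_src.in4.s_addr */
	i6addr_t	is_dst;		/* is_daddr = is_dst.in4.s_addr */
	u_int	is_pass;
	u_char	is_p;			/* Protocol */
	u_char	is_v;			/* presumably IP version - confirm */
	u_32_t	is_hv;
	u_32_t	is_tag;
	u_32_t	is_opt[2];		/* packet options set */
					/* in both directions */
	u_32_t	is_optmsk[2];		/*    "      "    mask */
					/* in both directions */
	u_short	is_sec;			/* security options set */
	u_short	is_secmsk;		/*    "      "    mask */
	u_short	is_auth;		/* authentication options set */
	u_short	is_authmsk;		/*    "      "    mask */
	/*
	 * Protocol-specific tracking data.  Which member is valid is
	 * presumably decided by is_p; the is_icmp/is_tcp/is_udp/is_gre
	 * accessors below select the members by name.
	 */
	union {
		icmpinfo_t	is_ics;
		tcpinfo_t	is_ts;
		udpinfo_t	is_us;
		greinfo_t	is_ug;
	} is_ps;
	u_32_t	is_flags;		/* IS_* bits, see below */
	int	is_flx[2][2];
	u_32_t	is_rulen;		/* rule number when created */
	u_32_t	is_s0[2];
	u_short	is_smsk[2];
	char	is_group[FR_GROUPLEN];
	char	is_sbuf[2][16];
	char	is_ifname[4][LIFNAMSIZ];
} ipstate_t;

/*
 * Accessors for nested members.  The TCP ones are per direction: the
 * is_s* names index ts_data[0] (source side) and is_d* index ts_data[1]
 * (destination side).
 */
#define	is_die		is_sti.tqe_die
#define	is_state	is_sti.tqe_state
#define	is_saddr	is_src.in4.s_addr
#define	is_daddr	is_dst.in4.s_addr
#define	is_icmp		is_ps.is_ics
#define	is_type		is_icmp.ici_type
#define	is_code		is_icmp.ici_code
#define	is_tcp		is_ps.is_ts
#define	is_udp		is_ps.is_us
#define	is_send		is_tcp.ts_data[0].td_end
#define	is_dend		is_tcp.ts_data[1].td_end
#define	is_maxswin	is_tcp.ts_data[0].td_maxwin
#define	is_maxdwin	is_tcp.ts_data[1].td_maxwin
#define	is_maxsend	is_tcp.ts_data[0].td_maxend
#define	is_maxdend	is_tcp.ts_data[1].td_maxend
#define	is_swinscale	is_tcp.ts_data[0].td_winscale
#define	is_dwinscale	is_tcp.ts_data[1].td_winscale
#define	is_swinflags	is_tcp.ts_data[0].td_winflags
#define	is_dwinflags	is_tcp.ts_data[1].td_winflags
#define	is_sport	is_tcp.ts_sport
#define	is_dport	is_tcp.ts_dport
#define	is_ifpin	is_ifp[0]
#define	is_ifpout	is_ifp[2]
#define	is_gre		is_ps.is_ug
#define	is_call		is_gre.gs_call

/*
 * is_flags bits.  The low bits are aliases of the SI_* flags so that the
 * same values can be shared with the rule/NAT code.
 */
#define	IS_WSPORT	SI_W_SPORT	/* 0x00100 */
#define	IS_WDPORT	SI_W_DPORT	/* 0x00200 */
#define	IS_WSADDR	SI_W_SADDR	/* 0x00400 */
#define	IS_WDADDR	SI_W_DADDR	/* 0x00800 */
#define	IS_NEWFR	SI_NEWFR	/* 0x01000 */
#define	IS_CLONE	SI_CLONE	/* 0x02000 */
#define	IS_CLONED	SI_CLONED	/* 0x04000 */
#define	IS_TCPFSM	0x10000
#define	IS_STRICT	0x20000
#define	IS_ISNSYN	0x40000
#define	IS_ISNACK	0x80000
#define	IS_STATESYNC	0x100000
/*
 * IS_SC flags are for scan-operations that need to be recognised in state.
 *
 * IS_SC_MATCHALL is both "match" bits and IS_SC_ALL is every IS_SC_* bit.
 * NOTE(review): this header previously defined both masks as
 * (IS_SC_MATCHC|IS_SC_MATCHC), i.e. without IS_SC_MATCHS, so a test of the
 * form (is_flags & IS_SC_MATCHALL) == IS_SC_MATCHALL never required the
 * server side to have matched.  Callers in the scan code should be checked
 * against the corrected masks.
 */
#define	IS_SC_CLIENT	0x10000000
#define	IS_SC_SERVER	0x20000000
#define	IS_SC_MATCHC	0x40000000
#define	IS_SC_MATCHS	0x80000000
#define	IS_SC_MATCHALL	(IS_SC_MATCHC|IS_SC_MATCHS)
#define	IS_SC_ALL	(IS_SC_MATCHC|IS_SC_MATCHS|IS_SC_CLIENT|IS_SC_SERVER)

/*
 * Flags that can be passed into fr_addstate
 */
#define	IS_INHERITED	0x0fffff00

#define	TH_OPENING	(TH_SYN|TH_ACK)
/*
 * is_flags:
 * Bits 0 - 3 are used as a mask with the current packet's bits to check for
 * whether it is short, tcp/udp, a fragment or the presence of IP options.
 * Bits 4 - 7 are set from the initial packet and contain what the packet
 * anded with bits 0-3 must match.
 * Bits 8,9 are used to indicate wildcard source/destination port matching.
 * Bits 10,11 are reserved for other wildcard flag compatibility.
 * Bits 12,13 are for scanning.
 * NOTE(review): the IS_NEWFR/IS_CLONE aliases above occupy 0x1000/0x2000
 * (bits 12,13) while the scan flags live at IS_SC_*; this description may
 * be stale - confirm against the SI_* definitions.
 */

/*
 * Snapshot of a state entry together with the rule it references, as
 * handed out to userland by the state ioctls.  ips_next is opaque to the
 * reader and is used to continue a walk of the table.
 */
typedef	struct	ipstate_save	{
	void	*ips_next;
	struct	ipstate	ips_is;
	struct	frentry	ips_fr;
} ipstate_save_t;

#define	ips_rule	ips_is.is_rule


/*
 * Record written to the state log (ipstate_log()).  isl_type is one of the
 * ISL_* values below; the isl_ps union carries ports for TCP/UDP or the
 * ICMP type for ICMP, selected by name through the isl_* accessors.
 */
typedef	struct	ipslog	{
	U_QUAD_T	isl_pkts[4];
	U_QUAD_T	isl_bytes[4];
	i6addr_t	isl_src;
	i6addr_t	isl_dst;
	u_32_t	isl_tag;
	u_short	isl_type;
	union {
		u_short	isl_filler[2];
		u_short	isl_ports[2];
		u_short	isl_icmp;
	} isl_ps;
	u_char	isl_v;
	u_char	isl_p;
	u_char	isl_flags;
	u_char	isl_state[2];
	u_32_t	isl_rulen;
	char	isl_group[FR_GROUPLEN];
} ipslog_t;

#define	isl_sport	isl_ps.isl_ports[0]
#define	isl_dport	isl_ps.isl_ports[1]
#define	isl_itype	isl_ps.isl_icmp

/*
 * isl_type values.  Creation events count up from 0; removal reasons
 * count down from 0xffff so the two ranges cannot collide.
 */
#define	ISL_NEW			0
#define	ISL_CLONE		1
#define	ISL_EXPIRE		0xffff
#define	ISL_FLUSH		0xfffe
#define	ISL_REMOVE		0xfffd
#define	ISL_INTERMEDIATE	0xfffc
#define	ISL_KILLED		0xfffb
#define	ISL_ORPHAN		0xfffa


/*
 * State-table statistics.  The pointer members (iss_table, iss_list,
 * iss_bucketlen) refer to kernel memory and are only meaningful to a
 * reader running in the kernel; an exported copy must not be followed.
 */
typedef	struct	ips_stat {
	u_long	iss_hits;
	u_long	iss_miss;
	u_long	iss_max;
	u_long	iss_maxref;
	u_long	iss_tcp;
	u_long	iss_udp;
	u_long	iss_icmp;
	u_long	iss_nomem;
	u_long	iss_expire;
	u_long	iss_fin;
	u_long	iss_active;
	u_long	iss_logged;
	u_long	iss_logfail;
	u_long	iss_inuse;
	u_long	iss_wild;
	u_long	iss_killed;
	u_long	iss_ticks;
	u_long	iss_bucketfull;
	int	iss_statesize;
	int	iss_statemax;
	ipstate_t **iss_table;
	ipstate_t *iss_list;
	u_long	*iss_bucketlen;
	u_int	iss_orphans;
} ips_stat_t;

/*
 * A source/destination port pair.
 */
typedef struct port_pair {
	uint16_t	pp_sport;
	uint16_t	pp_dport;
} port_pair_t;

/*
 * Entry points implemented in ip_state.c.  Prototypes are wrapped in
 * __P() for K&R compatibility.  Functions taking an ipf_stack_t operate on
 * that stack instance's state table.
 *
 * NOTE(review): fr_state_ioctl()'s caddr_t argument is the ioctl data
 * pointer and presumably originates in userland; the implementation must
 * copy it in with the ipfobj size checks rather than dereference it
 * directly - verify in ip_state.c.
 */
extern	int fr_stateinit __P((ipf_stack_t *));
extern	ipstate_t *fr_addstate __P((fr_info_t *, ipstate_t **, u_int));
extern	frentry_t *fr_checkstate __P((struct fr_info *, u_32_t *));
extern	ipstate_t *fr_stlookup __P((fr_info_t *, tcphdr_t *, ipftq_t **));
extern	void fr_statesync __P((int, int, void *, char *, ipf_stack_t *));
extern	void fr_timeoutstate __P((ipf_stack_t *));
extern	int fr_tcp_age __P((struct ipftqent *, struct fr_info *,
			    struct ipftq *, int));
extern	int fr_tcpinwindow __P((struct fr_info *, struct tcpdata *,
				struct tcpdata *, tcphdr_t *, int));
extern	void fr_stateunload __P((ipf_stack_t *));
extern	void ipstate_log __P((struct ipstate *, u_int, ipf_stack_t *));
extern	int fr_state_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *,
				ipf_stack_t *));
extern	void fr_stinsert __P((struct ipstate *, int, ipf_stack_t *));
extern	void fr_sttab_init __P((struct ipftq *, ipf_stack_t *));
extern	void fr_sttab_destroy __P((struct ipftq *));
extern	void fr_updatestate __P((fr_info_t *, ipstate_t *, ipftq_t *));
extern	void fr_statederef __P((ipstate_t **, ipf_stack_t *));
extern	void fr_setstatequeue __P((ipstate_t *, int, ipf_stack_t *));
extern	int fr_delstate __P((ipstate_t *, int, ipf_stack_t *));
#if SOLARIS2 >= 10
extern	void fr_stateifindexsync __P((void *, void *, ipf_stack_t *));
#endif

#endif /* __IP_STATE_H__ */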