/*-
 * Copyright (c) 2009-2020 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * NPF connection tracking: the connection record (private), the
 * connection key representation, and the interfaces of the connection
 * tracker and of the connection database (state table).
 */

#ifndef _NPF_CONN_H_
#define _NPF_CONN_H_

/*
 * Kernel-side header.  It is also accepted under _NPF_STANDALONE,
 * presumably the build of the NPF kernel code outside the kernel --
 * confirm in the build files.
 */
#if !defined(_KERNEL) && !defined(_NPF_STANDALONE)
#error "kernel-level header only"
#endif

#include <sys/types.h>

/*
 * NOTE(review): struct in_addr / struct in6_addr (used by the
 * NPF_CONNKEY_*WORDS macros) and the npf_*_t typedefs are not declared
 * here; they are expected to arrive through npf_impl.h.
 */
#include "npf_impl.h"

/*
 * The connection layout is private: only translation units that define
 * __NPF_CONN_PRIVATE see the members.  Everyone else treats npf_conn_t
 * as opaque and uses the functions declared further below.
 */
#if defined(__NPF_CONN_PRIVATE)

/*
 * The main connection tracking structure.
 *
 * This is a variable-size object: the two connection keys live in the
 * trailing flexible array c_keys, so whoever allocates a connection
 * (outside this header) has to provide room for them after the
 * fixed part.
 */
struct npf_conn {
	/*
	 * Protocol, address length, the interface ID (if zero,
	 * then the state is global) and connection flags.
	 */
	uint16_t		c_proto;
	uint16_t		c_alen;
	unsigned		c_ifid;
	unsigned		c_flags;

	/* Matching rule flags and ID. */
	unsigned		c_retfl;
	uint64_t		c_rid;

	/*
	 * Entry in the connection database/list.  The entry is
	 * protected by npf_t::conn_lock.  The two members share
	 * storage: a connection is linked either through c_next or
	 * through c_entry, not both at the same time.
	 */
	union {
		npf_conn_t *		c_next;
		LIST_ENTRY(npf_conn)	c_entry;
	};

	/* Associated rule procedure or NAT (if any). */
	npf_rproc_t *		c_rproc;
	npf_nat_t *		c_nat;

	/*
	 * The reference count and the last activity time (used to
	 * calculate expiration time).  Note: *unsigned* 32-bit integer
	 * as a timestamp is sufficient for us.
	 */
	unsigned		c_refcnt;
	uint32_t		c_atime;

	/* The protocol state and lock. */
	kmutex_t		c_lock;
	npf_state_t		c_state;

	/*
	 * Connection "forwards" and "backwards" keys.  They are accessed
	 * as npf_connkey_t, see below and the npf_conn_getforwkey() /
	 * npf_conn_getbackkey() accessors.  Must remain the last member.
	 */
	uint32_t		c_keys[];
};

/*
 * Parameters used when building a connection key.  The field semantics
 * are not defined in this header -- presumably the interface ID and the
 * packet direction; confirm against the users.
 * NOTE(review): connkey_interface is int whereas npf_conn::c_ifid is
 * unsigned, so a conversion happens wherever one is assigned from the
 * other.
 */
typedef struct {
	int		connkey_interface;
	int		connkey_direction;
} npf_conn_params_t;

#endif

/*
 * Connection key interface.
 *
 * See the key layout description in the npf_connkey.c source file.
 *
 * Key sizes are expressed in 32-bit words: two leading words plus
 * twice the address length (the two addresses of the flow), i.e.
 * 4 words for IPv4 and 10 words for IPv6.
 */

#define	NPF_CONNKEY_V4WORDS	(2 + ((sizeof(struct in_addr) * 2) >> 2))
#define	NPF_CONNKEY_V6WORDS	(2 + ((sizeof(struct in6_addr) * 2) >> 2))
#define	NPF_CONNKEY_MAXWORDS	(NPF_CONNKEY_V6WORDS)

/*
 * The address length in bytes is encoded in the top four bits of the
 * first key word, in units of four bytes; the total key length in bytes
 * follows from it (8 bytes of leading words plus two addresses).
 *
 * NOTE(review): the four-bit field can encode 0..60 bytes, so
 * NPF_CONNKEY_LEN() can evaluate to up to 128 bytes, while ck_key
 * holds only NPF_CONNKEY_MAXWORDS * 4 = 40 bytes.  A key that was not
 * built from a packet by this code -- e.g. one filled in by
 * npf_connkey_import() -- must have its length field checked against
 * the two valid values (sizeof(struct in_addr), sizeof(struct in6_addr))
 * before NPF_CONNKEY_LEN() is used to size a copy or a comparison.
 */
#define	NPF_CONNKEY_ALEN(key)	(((key)->ck_key[0] >> 28) << 2)
#define	NPF_CONNKEY_LEN(key)	(8 + (NPF_CONNKEY_ALEN(key) * 2))

/*
 * A connection key.  The storage is fixed at the IPv6 size; only the
 * first NPF_CONNKEY_LEN(key) bytes are meaningful.
 */
typedef struct npf_connkey {
	/* Warning: ck_key has a variable length -- see above. */
	uint32_t		ck_key[NPF_CONNKEY_MAXWORDS];
} npf_connkey_t;

/*
 * Key construction from the packet cache.  The meaning of the unsigned
 * result and of the "const unsigned" argument is not given here
 * (presumably the key length in words, zero on failure, and the packet
 * direction -- confirm in npf_connkey.c).
 */
unsigned	npf_conn_conkey(const npf_cache_t *, npf_connkey_t *,
		    const unsigned, const npf_flow_t);
/* Accessors for the keys kept in the connection (see c_keys above). */
npf_connkey_t *	npf_conn_getforwkey(npf_conn_t *);
npf_connkey_t *	npf_conn_getbackkey(npf_conn_t *, unsigned);
/* In-place rewrite of an address/port within a key. */
void		npf_conn_adjkey(npf_connkey_t *, const npf_addr_t *,
		    const uint16_t, const unsigned);
/* Encode/decode of the individual key fields. */
unsigned	npf_connkey_setkey(npf_connkey_t *, unsigned, unsigned,
		    const void *, const uint16_t *, const npf_flow_t);
void		npf_connkey_getkey(const npf_connkey_t *, unsigned *,
		    unsigned *, npf_addr_t *, uint16_t *);
/*
 * nvlist (de)serialisation of a key.  npf_connkey_import() fills the
 * key from data this code did not produce; its unsigned result
 * (presumably zero on failure -- confirm) must be checked before the
 * key is used, see the NPF_CONNKEY_ALEN() note above.
 */
unsigned	npf_connkey_import(npf_t *, const nvlist_t *, npf_connkey_t *);
nvlist_t *	npf_connkey_export(npf_t *, const npf_connkey_t *);
void		npf_connkey_print(const npf_connkey_t *);

/*
 * Connection tracking interface.
 */

/*
 * Subsystem lifetime.  The bool of npf_conn_tracking() presumably
 * enables/disables tracking; the bool of npf_conn_load() is not
 * documented here.
 */
void		npf_conn_init(npf_t *);
void		npf_conn_fini(npf_t *);
void		npf_conn_tracking(npf_t *, bool);
void		npf_conn_load(npf_t *, npf_conndb_t *, bool);

/*
 * Per-packet entry points.  The "const unsigned" argument shared by
 * the three is presumably the packet direction (confirm in the callers).
 * A non-NULL result presumably carries a reference (c_refcnt) that the
 * caller drops with npf_conn_release() -- confirm.
 */
npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const unsigned, npf_flow_t *);
npf_conn_t *	npf_conn_inspect(npf_cache_t *, const unsigned, int *);
npf_conn_t *	npf_conn_establish(npf_cache_t *, const unsigned, bool);
void		npf_conn_release(npf_conn_t *);
void		npf_conn_destroy(npf_t *, npf_conn_t *);
void		npf_conn_expire(npf_conn_t *);
/* Pass decision and rule procedure attached to a connection. */
bool		npf_conn_pass(const npf_conn_t *, npf_match_info_t *,
		    npf_rproc_t **);
void		npf_conn_setpass(npf_conn_t *, const npf_match_info_t *,
		    npf_rproc_t *);
/* NAT association of a connection. */
int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
		    npf_nat_t *, unsigned);
npf_nat_t *	npf_conn_getnat(const npf_conn_t *);
/*
 * Expiration check (the uint64_t is presumably the current time --
 * confirm), removal from a database, and the periodic worker.
 */
bool		npf_conn_expired(npf_t *, const npf_conn_t *, uint64_t);
void		npf_conn_remove(npf_conndb_t *, npf_conn_t *);
void		npf_conn_worker(npf_t *);
/*
 * nvlist import/lookup of connections.  Both consume an nvlist this
 * code did not produce, so the contained keys go through the same
 * validation concern as npf_connkey_import().
 */
int		npf_conn_import(npf_t *, npf_conndb_t *, const nvlist_t *,
		    npf_ruleset_t *);
int		npf_conn_find(npf_t *, const nvlist_t *, nvlist_t *);
void		npf_conn_print(npf_conn_t *);

/*
 * Connection database (aka state table) interface.
 */

/* System-wide setup/teardown and per-database create/destroy. */
void		npf_conndb_sysinit(npf_t *);
void		npf_conndb_sysfini(npf_t *);

npf_conndb_t *	npf_conndb_create(void);
void		npf_conndb_destroy(npf_conndb_t *);

/* Lookup, insertion and removal by key. */
npf_conn_t *	npf_conndb_lookup(npf_t *, const npf_connkey_t *, npf_flow_t *);
bool		npf_conndb_insert(npf_conndb_t *, const npf_connkey_t *,
		    npf_conn_t *, npf_flow_t);
npf_conn_t *	npf_conndb_remove(npf_conndb_t *, npf_connkey_t *);

/*
 * List handling and iteration over the connections of a database
 * (presumably through the c_next/c_entry union -- confirm), export to
 * an nvlist, and garbage collection (the two bools of npf_conndb_gc()
 * are not documented here).
 */
void		npf_conndb_enqueue(npf_conndb_t *, npf_conn_t *);
npf_conn_t *	npf_conndb_getlist(npf_conndb_t *);
npf_conn_t *	npf_conndb_getnext(npf_conndb_t *, npf_conn_t *);
int		npf_conndb_export(npf_t *, nvlist_t *);
void		npf_conndb_gc(npf_t *, npf_conndb_t *, bool, bool);

#endif	/* _NPF_CONN_H_ */