1/* $NetBSD: ip_state.h,v 1.3 2012/07/22 14:27:51 darrenr Exp $ */
2
3/*
4 * Copyright (C) 2012 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 *
8 * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
9 * Id: ip_state.h,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp
10 */
11#ifndef _NETINET_IP_STATE_H_
12#define _NETINET_IP_STATE_H_
13
14#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
15# define SIOCDELST _IOW('r', 61, struct ipfobj)
16#else
17# define SIOCDELST _IOW(r, 61, struct ipfobj)
18#endif
19
20struct ipscan;
21
22#ifndef IPSTATE_SIZE
23# define IPSTATE_SIZE 5737
24#endif
25#ifndef IPSTATE_MAX
26# define IPSTATE_MAX 4013 /* Maximum number of states held */
27#endif
28
29#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
30 (((s1) == (d2)) && ((d1) == (s2))))
31#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
32 (s2).s_addr, (d2).s_addr)
33
34
35typedef struct ipstate {
36 ipfmutex_t is_lock;
37 struct ipstate *is_next;
38 struct ipstate **is_pnext;
39 struct ipstate *is_hnext;
40 struct ipstate **is_phnext;
41 struct ipstate **is_me;
42 void *is_ifp[4];
43 void *is_sync;
44 frentry_t *is_rule;
45 struct ipftq *is_tqehead[2];
46 struct ipscan *is_isc;
47 U_QUAD_T is_pkts[4];
48 U_QUAD_T is_bytes[4];
49 U_QUAD_T is_icmppkts[4];
50 struct ipftqent is_sti;
51 u_int is_frage[2];
52 int is_ref; /* reference count */
53 int is_isninc[2];
54 u_short is_sumd[2];
55 i6addr_t is_src;
56 i6addr_t is_dst;
57 u_int is_pass;
58 u_char is_p; /* Protocol */
59 u_char is_v;
60 int is_family;
61 u_32_t is_hv;
62 u_32_t is_tag;
63 u_32_t is_opt[2]; /* packet options set */
64 u_32_t is_optmsk[2]; /* " " mask */
65 u_short is_sec; /* security options set */
66 u_short is_secmsk; /* " " mask */
67 u_short is_auth; /* authentication options set */
68 u_short is_authmsk; /* " " mask */
69 union {
70 icmpinfo_t is_ics;
71 tcpinfo_t is_ts;
72 udpinfo_t is_us;
73 greinfo_t is_ug;
74 } is_ps;
75 u_32_t is_flags;
76 int is_flx[2][2];
77 u_32_t is_rulen; /* rule number when created */
78 u_32_t is_s0[2];
79 u_short is_smsk[2];
80 frdest_t is_dif;
81 frdest_t is_tifs[2];
82 char is_group[FR_GROUPLEN];
83 char is_sbuf[2][16];
84 char is_ifname[4][LIFNAMSIZ];
85} ipstate_t;
86
87#define is_die is_sti.tqe_die
88#define is_state is_sti.tqe_state
89#define is_touched is_sti.tqe_touched
90#define is_saddr is_src.in4.s_addr
91#define is_daddr is_dst.in4.s_addr
92#define is_icmp is_ps.is_ics
93#define is_type is_icmp.ici_type
94#define is_tcp is_ps.is_ts
95#define is_udp is_ps.is_us
96#define is_send is_tcp.ts_data[0].td_end
97#define is_dend is_tcp.ts_data[1].td_end
98#define is_maxswin is_tcp.ts_data[0].td_maxwin
99#define is_maxdwin is_tcp.ts_data[1].td_maxwin
100#define is_maxsend is_tcp.ts_data[0].td_maxend
101#define is_maxdend is_tcp.ts_data[1].td_maxend
102#define is_swinscale is_tcp.ts_data[0].td_winscale
103#define is_dwinscale is_tcp.ts_data[1].td_winscale
104#define is_swinflags is_tcp.ts_data[0].td_winflags
105#define is_dwinflags is_tcp.ts_data[1].td_winflags
106#define is_sport is_tcp.ts_sport
107#define is_dport is_tcp.ts_dport
108#define is_ifpin is_ifp[0]
109#define is_ifpout is_ifp[2]
110#define is_gre is_ps.is_ug
111#define is_call is_gre.gs_call
112
113#define IS_WSPORT SI_W_SPORT /* 0x00100 */
114#define IS_WDPORT SI_W_DPORT /* 0x00200 */
115#define IS_WSADDR SI_W_SADDR /* 0x00400 */
116#define IS_WDADDR SI_W_DADDR /* 0x00800 */
117#define IS_NEWFR SI_NEWFR /* 0x01000 */
118#define IS_CLONE SI_CLONE /* 0x02000 */
119#define IS_CLONED SI_CLONED /* 0x04000 */
120#define IS_TCPFSM 0x10000
121#define IS_STRICT 0x20000
122#define IS_ISNSYN 0x40000
123#define IS_ISNACK 0x80000
124#define IS_STATESYNC 0x100000
125#define IS_LOOSE 0x200000
126/*
127 * IS_SC flags are for scan-operations that need to be recognised in state.
128 */
129#define IS_SC_CLIENT 0x10000000
130#define IS_SC_SERVER 0x20000000
131#define IS_SC_MATCHC 0x40000000
132#define IS_SC_MATCHS 0x80000000
133#define IS_SC_MATCHALL (IS_SC_MATCHC|IS_SC_MATCHC)
134#define IS_SC_ALL (IS_SC_MATCHC|IS_SC_MATCHC|IS_SC_CLIENT|IS_SC_SERVER)
135
136/*
137 * Flags that can be passed into ipf_addstate
138 */
139#define IS_INHERITED 0x0fffff00
140
141#define TH_OPENING (TH_SYN|TH_ACK)
142/*
143 * is_flags:
144 * Bits 0 - 3 are use as a mask with the current packet's bits to check for
145 * whether it is short, tcp/udp, a fragment or the presence of IP options.
146 * Bits 4 - 7 are set from the initial packet and contain what the packet
147 * anded with bits 0-3 must match.
148 * Bits 8,9 are used to indicate wildcard source/destination port matching.
149 * Bits 10,11 are reserved for other wildcard flag compatibility.
150 * Bits 12,13 are for scaning.
151 */
152
153typedef struct ipstate_save {
154 void *ips_next;
155 struct ipstate ips_is;
156 struct frentry ips_fr;
157} ipstate_save_t;
158
159#define ips_rule ips_is.is_rule
160
161
162typedef struct ipslog {
163 U_QUAD_T isl_pkts[4];
164 U_QUAD_T isl_bytes[4];
165 i6addr_t isl_src;
166 i6addr_t isl_dst;
167 u_32_t isl_tag;
168 u_short isl_type;
169 union {
170 u_short isl_filler[2];
171 u_short isl_ports[2];
172 u_short isl_icmp;
173 } isl_ps;
174 u_char isl_v;
175 u_char isl_p;
176 u_char isl_flags;
177 u_char isl_state[2];
178 u_32_t isl_rulen;
179 char isl_group[FR_GROUPLEN];
180} ipslog_t;
181
182#define isl_sport isl_ps.isl_ports[0]
183#define isl_dport isl_ps.isl_ports[1]
184#define isl_itype isl_ps.isl_icmp
185
186#define ISL_NEW 0
187#define ISL_CLONE 1
188#define ISL_STATECHANGE 2
189#define ISL_EXPIRE 0xffff
190#define ISL_FLUSH 0xfffe
191#define ISL_REMOVE 0xfffd
192#define ISL_INTERMEDIATE 0xfffc
193#define ISL_KILLED 0xfffb
194#define ISL_ORPHAN 0xfffa
195#define ISL_UNLOAD 0xfff9
196
197
198typedef struct ips_stat {
199 u_int iss_active;
200 u_int iss_active_proto[256];
201 u_long iss_add_bad;
202 u_long iss_add_dup;
203 u_long iss_add_locked;
204 u_long iss_add_oow;
205 u_long iss_bucket_full;
206 u_long iss_check_bad;
207 u_long iss_check_miss;
208 u_long iss_check_nattag;
209 u_long iss_check_notag;
210 u_long iss_clone_nomem;
211 u_long iss_cloned;
212 u_long iss_expire;
213 u_long iss_fin;
214 u_long iss_flush_all;
215 u_long iss_flush_closing;
216 u_long iss_flush_queue;
217 u_long iss_flush_state;
218 u_long iss_flush_timeout;
219 u_long iss_hits;
220 u_long iss_icmp6_icmperr;
221 u_long iss_icmp6_miss;
222 u_long iss_icmp6_notinfo;
223 u_long iss_icmp6_notquery;
224 u_long iss_icmp_bad;
225 u_long iss_icmp_banned;
226 u_long iss_icmp_headblock;
227 u_long iss_icmp_hits;
228 u_long iss_icmp_icmperr;
229 u_long iss_icmp_miss;
230 u_long iss_icmp_notquery;
231 u_long iss_icmp_short;
232 u_long iss_icmp_toomany;
233 u_int iss_inuse;
234 ipstate_t *iss_list;
235 u_long iss_log_fail;
236 u_long iss_log_ok;
237 u_long iss_lookup_badifp;
238 u_long iss_lookup_badport;
239 u_long iss_lookup_miss;
240 u_long iss_max;
241 u_long iss_max_ref;
242 u_long iss_max_track;
243 u_long iss_miss_mask;
244 u_long iss_nomem;
245 u_long iss_oow;
246 u_long iss_orphan;
247 u_long iss_proto[256];
248 u_long iss_scan_block;
249 u_long iss_state_max;
250 u_long iss_state_size;
251 u_long iss_states[IPF_TCP_NSTATES];
252 ipstate_t **iss_table;
253 u_long iss_tcp_closing;
254 u_long iss_tcp_oow;
255 u_long iss_tcp_rstadd;
256 u_long iss_tcp_toosmall;
257 u_long iss_tcp_badopt;
258 u_long iss_tcp_fsm;
259 u_long iss_tcp_strict;
260 ipftq_t *iss_tcptab;
261 u_int iss_ticks;
262 u_long iss_wild;
263 u_long iss_winsack;
264 u_int *iss_bucketlen;
265} ips_stat_t;
266
267
268typedef struct ipf_state_softc_s {
269 ipfmutex_t ipf_stinsert;
270 int ipf_state_logging;
271 int ipf_state_lock;
272 int ipf_state_doflush;
273 u_int ipf_state_inited;
274 u_int ipf_state_max;
275 u_int ipf_state_maxbucket;
276 u_int ipf_state_size;
277 u_int ipf_state_wm_freq;
278 u_int ipf_state_wm_high;
279 u_int ipf_state_wm_low;
280 u_int ipf_state_wm_last;
281 u_long *ipf_state_seed;
282 ipstate_t *ipf_state_list;
283 ipstate_t **ipf_state_table;
284 ipftuneable_t *ipf_state_tune;
285 ipftq_t *ipf_state_usertq;
286 ipftq_t ipf_state_pending;
287 ipftq_t ipf_state_deletetq;
288 ipftq_t ipf_state_udptq;
289 ipftq_t ipf_state_udpacktq;
290 ipftq_t ipf_state_iptq;
291 ipftq_t ipf_state_icmptq;
292 ipftq_t ipf_state_icmpacktq;
293 ipftq_t ipf_state_tcptq[IPF_TCP_NSTATES];
294 ips_stat_t ipf_state_stats;
295} ipf_state_softc_t;
296
297
298#ifndef _KERNEL
299extern void ipf_state_dump(ipf_main_softc_t *, void *);
300#endif
301extern int ipf_tcp_age(struct ipftqent *, struct fr_info *,
302 struct ipftq *, int, int);
303extern int ipf_tcpinwindow(struct fr_info *, struct tcpdata *,
304 struct tcpdata *, tcphdr_t *, int);
305
306extern int ipf_state_add(ipf_main_softc_t *, fr_info_t *,
307 ipstate_t **, u_int);
308extern frentry_t *ipf_state_check(struct fr_info *, u_32_t *);
309extern void ipf_state_deref(ipf_main_softc_t *, ipstate_t **);
310extern void ipf_state_expire(ipf_main_softc_t *);
311extern int ipf_state_flush(ipf_main_softc_t *, int, int);
312extern ipstate_t *ipf_state_lookup(fr_info_t *, tcphdr_t *, ipftq_t **);
313extern int ipf_state_init(void);
314extern int ipf_state_insert(ipf_main_softc_t *, struct ipstate *, int);
315extern int ipf_state_ioctl(ipf_main_softc_t *, void *, ioctlcmd_t, int, int, void *);
316extern void ipf_state_log(ipf_main_softc_t *, struct ipstate *, u_int);
317extern int ipf_state_matchflush(ipf_main_softc_t *, void *);
318extern int ipf_state_rehash(ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *);
319extern void ipf_state_setqueue(ipf_main_softc_t *, ipstate_t *, int);
320extern void ipf_state_setpending(ipf_main_softc_t *, ipstate_t *);
321extern int ipf_state_settimeout(struct ipf_main_softc_s *, ipftuneable_t *, ipftuneval_t *);
322extern void ipf_state_sync(ipf_main_softc_t *, void *);
323extern void ipf_state_update(fr_info_t *, ipstate_t *);
324
325extern void ipf_sttab_init(ipf_main_softc_t *, struct ipftq *);
326extern void ipf_sttab_destroy(struct ipftq *);
327extern void ipf_state_setlock(void *, int);
328extern int ipf_state_main_load(void);
329extern int ipf_state_main_unload(void);
330extern void *ipf_state_soft_create(ipf_main_softc_t *);
331extern void ipf_state_soft_destroy(ipf_main_softc_t *, void *);
332extern int ipf_state_soft_init(ipf_main_softc_t *, void *);
333extern int ipf_state_soft_fini(ipf_main_softc_t *, void *);
334extern int ipf_state_main_load(void);
335extern ipftq_t *ipf_state_add_tq(ipf_main_softc_t *, int);
336
337#endif /* _NETINET_IP_STATE_H_ */
338