1 /* $NetBSD: ip_state.h,v 1.3 2012/07/22 14:27:51 darrenr Exp $ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 * 8 * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed 9 * Id: ip_state.h,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp 10 */ 11 #ifndef _NETINET_IP_STATE_H_ 12 #define _NETINET_IP_STATE_H_ 13 14 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51) 15 # define SIOCDELST _IOW('r', 61, struct ipfobj) 16 #else 17 # define SIOCDELST _IOW(r, 61, struct ipfobj) 18 #endif 19 20 struct ipscan; 21 22 #ifndef IPSTATE_SIZE 23 # define IPSTATE_SIZE 5737 24 #endif 25 #ifndef IPSTATE_MAX 26 # define IPSTATE_MAX 4013 /* Maximum number of states held */ 27 #endif 28 29 #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ 30 (((s1) == (d2)) && ((d1) == (s2)))) 31 #define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \ 32 (s2).s_addr, (d2).s_addr) 33 34 35 typedef struct ipstate { 36 ipfmutex_t is_lock; 37 struct ipstate *is_next; 38 struct ipstate **is_pnext; 39 struct ipstate *is_hnext; 40 struct ipstate **is_phnext; 41 struct ipstate **is_me; 42 void *is_ifp[4]; 43 void *is_sync; 44 frentry_t *is_rule; 45 struct ipftq *is_tqehead[2]; 46 struct ipscan *is_isc; 47 U_QUAD_T is_pkts[4]; 48 U_QUAD_T is_bytes[4]; 49 U_QUAD_T is_icmppkts[4]; 50 struct ipftqent is_sti; 51 u_int is_frage[2]; 52 int is_ref; /* reference count */ 53 int is_isninc[2]; 54 u_short is_sumd[2]; 55 i6addr_t is_src; 56 i6addr_t is_dst; 57 u_int is_pass; 58 u_char is_p; /* Protocol */ 59 u_char is_v; 60 int is_family; 61 u_32_t is_hv; 62 u_32_t is_tag; 63 u_32_t is_opt[2]; /* packet options set */ 64 u_32_t is_optmsk[2]; /* " " mask */ 65 u_short is_sec; /* security options set */ 66 u_short is_secmsk; /* " " mask */ 67 u_short is_auth; /* authentication options set */ 68 u_short is_authmsk; /* " " mask */ 69 union { 70 icmpinfo_t is_ics; 71 tcpinfo_t is_ts; 72 udpinfo_t is_us; 73 greinfo_t is_ug; 74 } is_ps; 75 u_32_t is_flags; 76 int is_flx[2][2]; 77 u_32_t is_rulen; /* rule number when created */ 78 u_32_t is_s0[2]; 79 u_short is_smsk[2]; 80 frdest_t is_dif; 81 frdest_t is_tifs[2]; 82 char is_group[FR_GROUPLEN]; 83 char is_sbuf[2][16]; 84 char is_ifname[4][LIFNAMSIZ]; 85 } ipstate_t; 86 87 #define is_die is_sti.tqe_die 88 #define is_state is_sti.tqe_state 89 #define is_touched is_sti.tqe_touched 90 #define is_saddr is_src.in4.s_addr 91 #define is_daddr is_dst.in4.s_addr 92 #define is_icmp is_ps.is_ics 93 #define is_type is_icmp.ici_type 94 #define is_tcp is_ps.is_ts 95 #define is_udp is_ps.is_us 96 #define is_send is_tcp.ts_data[0].td_end 97 #define is_dend is_tcp.ts_data[1].td_end 98 #define is_maxswin is_tcp.ts_data[0].td_maxwin 99 #define is_maxdwin is_tcp.ts_data[1].td_maxwin 100 #define is_maxsend is_tcp.ts_data[0].td_maxend 101 #define is_maxdend is_tcp.ts_data[1].td_maxend 102 #define is_swinscale is_tcp.ts_data[0].td_winscale 103 #define is_dwinscale is_tcp.ts_data[1].td_winscale 104 #define is_swinflags is_tcp.ts_data[0].td_winflags 105 #define is_dwinflags is_tcp.ts_data[1].td_winflags 106 #define is_sport is_tcp.ts_sport 107 #define is_dport is_tcp.ts_dport 108 #define is_ifpin is_ifp[0] 109 #define is_ifpout is_ifp[2] 110 #define is_gre is_ps.is_ug 111 #define is_call is_gre.gs_call 112 113 #define IS_WSPORT SI_W_SPORT /* 0x00100 */ 114 #define IS_WDPORT SI_W_DPORT /* 0x00200 */ 115 #define IS_WSADDR SI_W_SADDR /* 0x00400 */ 116 #define IS_WDADDR SI_W_DADDR /* 0x00800 */ 117 #define IS_NEWFR SI_NEWFR /* 0x01000 */ 118 #define IS_CLONE SI_CLONE /* 0x02000 */ 119 #define IS_CLONED SI_CLONED /* 0x04000 */ 120 #define IS_TCPFSM 0x10000 121 #define IS_STRICT 0x20000 122 #define IS_ISNSYN 0x40000 123 #define IS_ISNACK 0x80000 124 #define IS_STATESYNC 0x100000 125 #define IS_LOOSE 0x200000 126 /* 127 * IS_SC flags are for scan-operations that need to be recognised in state. 128 */ 129 #define IS_SC_CLIENT 0x10000000 130 #define IS_SC_SERVER 0x20000000 131 #define IS_SC_MATCHC 0x40000000 132 #define IS_SC_MATCHS 0x80000000 133 #define IS_SC_MATCHALL (IS_SC_MATCHC|IS_SC_MATCHC) 134 #define IS_SC_ALL (IS_SC_MATCHC|IS_SC_MATCHC|IS_SC_CLIENT|IS_SC_SERVER) 135 136 /* 137 * Flags that can be passed into ipf_addstate 138 */ 139 #define IS_INHERITED 0x0fffff00 140 141 #define TH_OPENING (TH_SYN|TH_ACK) 142 /* 143 * is_flags: 144 * Bits 0 - 3 are use as a mask with the current packet's bits to check for 145 * whether it is short, tcp/udp, a fragment or the presence of IP options. 146 * Bits 4 - 7 are set from the initial packet and contain what the packet 147 * anded with bits 0-3 must match. 148 * Bits 8,9 are used to indicate wildcard source/destination port matching. 149 * Bits 10,11 are reserved for other wildcard flag compatibility. 150 * Bits 12,13 are for scaning. 151 */ 152 153 typedef struct ipstate_save { 154 void *ips_next; 155 struct ipstate ips_is; 156 struct frentry ips_fr; 157 } ipstate_save_t; 158 159 #define ips_rule ips_is.is_rule 160 161 162 typedef struct ipslog { 163 U_QUAD_T isl_pkts[4]; 164 U_QUAD_T isl_bytes[4]; 165 i6addr_t isl_src; 166 i6addr_t isl_dst; 167 u_32_t isl_tag; 168 u_short isl_type; 169 union { 170 u_short isl_filler[2]; 171 u_short isl_ports[2]; 172 u_short isl_icmp; 173 } isl_ps; 174 u_char isl_v; 175 u_char isl_p; 176 u_char isl_flags; 177 u_char isl_state[2]; 178 u_32_t isl_rulen; 179 char isl_group[FR_GROUPLEN]; 180 } ipslog_t; 181 182 #define isl_sport isl_ps.isl_ports[0] 183 #define isl_dport isl_ps.isl_ports[1] 184 #define isl_itype isl_ps.isl_icmp 185 186 #define ISL_NEW 0 187 #define ISL_CLONE 1 188 #define ISL_STATECHANGE 2 189 #define ISL_EXPIRE 0xffff 190 #define ISL_FLUSH 0xfffe 191 #define ISL_REMOVE 0xfffd 192 #define ISL_INTERMEDIATE 0xfffc 193 #define ISL_KILLED 0xfffb 194 #define ISL_ORPHAN 0xfffa 195 #define ISL_UNLOAD 0xfff9 196 197 198 typedef struct ips_stat { 199 u_int iss_active; 200 u_int iss_active_proto[256]; 201 u_long iss_add_bad; 202 u_long iss_add_dup; 203 u_long iss_add_locked; 204 u_long iss_add_oow; 205 u_long iss_bucket_full; 206 u_long iss_check_bad; 207 u_long iss_check_miss; 208 u_long iss_check_nattag; 209 u_long iss_check_notag; 210 u_long iss_clone_nomem; 211 u_long iss_cloned; 212 u_long iss_expire; 213 u_long iss_fin; 214 u_long iss_flush_all; 215 u_long iss_flush_closing; 216 u_long iss_flush_queue; 217 u_long iss_flush_state; 218 u_long iss_flush_timeout; 219 u_long iss_hits; 220 u_long iss_icmp6_icmperr; 221 u_long iss_icmp6_miss; 222 u_long iss_icmp6_notinfo; 223 u_long iss_icmp6_notquery; 224 u_long iss_icmp_bad; 225 u_long iss_icmp_banned; 226 u_long iss_icmp_headblock; 227 u_long iss_icmp_hits; 228 u_long iss_icmp_icmperr; 229 u_long iss_icmp_miss; 230 u_long iss_icmp_notquery; 231 u_long iss_icmp_short; 232 u_long iss_icmp_toomany; 233 u_int iss_inuse; 234 ipstate_t *iss_list; 235 u_long iss_log_fail; 236 u_long iss_log_ok; 237 u_long iss_lookup_badifp; 238 u_long iss_lookup_badport; 239 u_long iss_lookup_miss; 240 u_long iss_max; 241 u_long iss_max_ref; 242 u_long iss_max_track; 243 u_long iss_miss_mask; 244 u_long iss_nomem; 245 u_long iss_oow; 246 u_long iss_orphan; 247 u_long iss_proto[256]; 248 u_long iss_scan_block; 249 u_long iss_state_max; 250 u_long iss_state_size; 251 u_long iss_states[IPF_TCP_NSTATES]; 252 ipstate_t **iss_table; 253 u_long iss_tcp_closing; 254 u_long iss_tcp_oow; 255 u_long iss_tcp_rstadd; 256 u_long iss_tcp_toosmall; 257 u_long iss_tcp_badopt; 258 u_long iss_tcp_fsm; 259 u_long iss_tcp_strict; 260 ipftq_t *iss_tcptab; 261 u_int iss_ticks; 262 u_long iss_wild; 263 u_long iss_winsack; 264 u_int *iss_bucketlen; 265 } ips_stat_t; 266 267 268 typedef struct ipf_state_softc_s { 269 ipfmutex_t ipf_stinsert; 270 int ipf_state_logging; 271 int ipf_state_lock; 272 int ipf_state_doflush; 273 u_int ipf_state_inited; 274 u_int ipf_state_max; 275 u_int ipf_state_maxbucket; 276 u_int ipf_state_size; 277 u_int ipf_state_wm_freq; 278 u_int ipf_state_wm_high; 279 u_int ipf_state_wm_low; 280 u_int ipf_state_wm_last; 281 u_long *ipf_state_seed; 282 ipstate_t *ipf_state_list; 283 ipstate_t **ipf_state_table; 284 ipftuneable_t *ipf_state_tune; 285 ipftq_t *ipf_state_usertq; 286 ipftq_t ipf_state_pending; 287 ipftq_t ipf_state_deletetq; 288 ipftq_t ipf_state_udptq; 289 ipftq_t ipf_state_udpacktq; 290 ipftq_t ipf_state_iptq; 291 ipftq_t ipf_state_icmptq; 292 ipftq_t ipf_state_icmpacktq; 293 ipftq_t ipf_state_tcptq[IPF_TCP_NSTATES]; 294 ips_stat_t ipf_state_stats; 295 } ipf_state_softc_t; 296 297 298 #ifndef _KERNEL 299 extern void ipf_state_dump(ipf_main_softc_t *, void *); 300 #endif 301 extern int ipf_tcp_age(struct ipftqent *, struct fr_info *, 302 struct ipftq *, int, int); 303 extern int ipf_tcpinwindow(struct fr_info *, struct tcpdata *, 304 struct tcpdata *, tcphdr_t *, int); 305 306 extern int ipf_state_add(ipf_main_softc_t *, fr_info_t *, 307 ipstate_t **, u_int); 308 extern frentry_t *ipf_state_check(struct fr_info *, u_32_t *); 309 extern void ipf_state_deref(ipf_main_softc_t *, ipstate_t **); 310 extern void ipf_state_expire(ipf_main_softc_t *); 311 extern int ipf_state_flush(ipf_main_softc_t *, int, int); 312 extern ipstate_t *ipf_state_lookup(fr_info_t *, tcphdr_t *, ipftq_t **); 313 extern int ipf_state_init(void); 314 extern int ipf_state_insert(ipf_main_softc_t *, struct ipstate *, int); 315 extern int ipf_state_ioctl(ipf_main_softc_t *, void *, ioctlcmd_t, int, int, void *); 316 extern void ipf_state_log(ipf_main_softc_t *, struct ipstate *, u_int); 317 extern int ipf_state_matchflush(ipf_main_softc_t *, void *); 318 extern int ipf_state_rehash(ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *); 319 extern void ipf_state_setqueue(ipf_main_softc_t *, ipstate_t *, int); 320 extern void ipf_state_setpending(ipf_main_softc_t *, ipstate_t *); 321 extern int ipf_state_settimeout(struct ipf_main_softc_s *, ipftuneable_t *, ipftuneval_t *); 322 extern void ipf_state_sync(ipf_main_softc_t *, void *); 323 extern void ipf_state_update(fr_info_t *, ipstate_t *); 324 325 extern void ipf_sttab_init(ipf_main_softc_t *, struct ipftq *); 326 extern void ipf_sttab_destroy(struct ipftq *); 327 extern void ipf_state_setlock(void *, int); 328 extern int ipf_state_main_load(void); 329 extern int ipf_state_main_unload(void); 330 extern void *ipf_state_soft_create(ipf_main_softc_t *); 331 extern void ipf_state_soft_destroy(ipf_main_softc_t *, void *); 332 extern int ipf_state_soft_init(ipf_main_softc_t *, void *); 333 extern int ipf_state_soft_fini(ipf_main_softc_t *, void *); 334 extern int ipf_state_main_load(void); 335 extern ipftq_t *ipf_state_add_tq(ipf_main_softc_t *, int); 336 337 #endif /* _NETINET_IP_STATE_H_ */ 338