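/* $FreeBSD: releng/10.2/sys/contrib/ipfilter/netinet/ip_state.h 255332 2013-09-06 23:11:19Z cy $ */

/*
 * Copyright (C) 2012 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
 * $FreeBSD: releng/10.2/sys/contrib/ipfilter/netinet/ip_state.h 255332 2013-09-06 23:11:19Z cy $
 * Id: ip_state.h,v 2.68.2.10 2007/10/16 09:33:24 darrenr Exp $
 */

/*
 * IPFilter connection-state table declarations:
 *
 *   - ipstate_t          one tracked flow (the kernel-side entry)
 *   - ipstate_save_t     an entry plus its rule, as handed to userland
 *   - ipslog_t           the fixed-size record written to the state log
 *   - ips_stat_t         counters exported to userland (ipfstat)
 *   - ipf_state_softc_t  per-instance state-module soft state
 *   - ipf_state_*()      the entry points implemented in ip_state.c
 *
 * The struct layouts here are part of the kernel/userland interface of the
 * ipf tools; field order and widths must not be changed casually.
 */
#ifndef __IP_STATE_H__
#define __IP_STATE_H__

/*
 * SIOCDELST: delete a state entry.  The payload is a struct ipfobj (the
 * generic IPFilter ioctl envelope); the second form exists only for
 * pre-ANSI preprocessors that cannot take a character constant.
 */
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCDELST _IOW('r', 61, struct ipfobj)
#else
# define SIOCDELST _IOW(r, 61, struct ipfobj)
#endif

struct ipscan;

/*
 * Build-time defaults, both overridable on the compiler command line.
 * IPSTATE_SIZE is the default number of buckets in the state hash table
 * (entries are chained through is_hnext/is_phnext and ipf_state_table);
 * IPSTATE_MAX caps how many entries may exist at once, which also bounds
 * the memory a flood of unsolicited flows can make the kernel commit.
 */
#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif

/*
 * PAIRS(): true when the (src,dst) pair s1/d1 equals s2/d2 in either
 * direction.  IPPAIR() is the same test on two pairs of struct in_addr.
 * NOTE: each argument is evaluated twice; do not pass expressions with
 * side effects.
 */
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
                            (((s1) == (d2)) && ((d1) == (s2))))
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
                                  (s2).s_addr, (d2).s_addr)


/*
 * One tracked flow.  Entries live on two lists at once: the global
 * is_next/is_pnext list and the per-bucket is_hnext/is_phnext hash chain
 * (the *_p* members point back at the predecessor's link so an entry can
 * unlink itself).  Arrays sized [2] are indexed by direction and arrays
 * sized [4] by direction and interface slot (see is_ifpin/is_ifpout).
 */
typedef struct ipstate {
	ipfmutex_t is_lock;		/* per-entry mutex */
	struct ipstate *is_next;	/* global list forward link */
	struct ipstate **is_pnext;	/* address of the link pointing at us */
	struct ipstate *is_hnext;	/* hash chain forward link */
	struct ipstate **is_phnext;	/* address of the chain link pointing at us */
	struct ipstate **is_me;		/* back-pointer slot owned by the creator;
					 * presumably cleared on delete — confirm
					 * in ip_state.c */
	void *is_ifp[4];		/* interface pointers, see is_ifpin/is_ifpout */
	void *is_sync;			/* state-sync hook (see ipf_state_sync) */
	frentry_t *is_rule;		/* rule that created this entry */
	struct ipftq *is_tqehead[2];	/* per-direction timeout queue heads */
	struct ipscan *is_isc;		/* scan context, if any */
	U_QUAD_T is_pkts[4];		/* packet counters */
	U_QUAD_T is_bytes[4];		/* byte counters */
	U_QUAD_T is_icmppkts[4];	/* ICMP packets matched against this entry */
	struct ipftqent is_sti;		/* timeout-queue entry (is_die/is_state/is_touched) */
	u_int is_frage[2];
	int is_ref;			/* reference count */
	int is_isninc[2];		/* per-direction ISN adjustment (see IS_ISNSYN/ACK) */
	u_short is_sumd[2];		/* per-direction checksum delta */
	i6addr_t is_src;
	i6addr_t is_dst;
	u_int is_pass;			/* pass/block result recorded at creation */
	u_char is_p;			/* Protocol */
	u_char is_v;			/* IP version */
	int is_family;			/* address family */
	u_32_t is_hv;			/* hash value of this entry */
	u_32_t is_tag;
	u_32_t is_opt[2];		/* packet options set */
	u_32_t is_optmsk[2];		/* " " mask */
	u_short is_sec;			/* security options set */
	u_short is_secmsk;		/* " " mask */
	u_short is_auth;		/* authentication options set */
	u_short is_authmsk;		/* " " mask */
	union {				/* protocol-specific tracking, selected by is_p */
		icmpinfo_t is_ics;
		tcpinfo_t is_ts;
		udpinfo_t is_us;
		greinfo_t is_ug;
	} is_ps;
	u_32_t is_flags;		/* IS_* bits, layout described below */
	int is_flx[2][2];
	u_32_t is_rulen;		/* rule number when created */
	u_32_t is_s0[2];
	u_short is_smsk[2];
	frdest_t is_dif;
	frdest_t is_tifs[2];
	/*
	 * Fixed-length name buffers.  Anything that fills them must bound the
	 * copy to the array size and guarantee NUL termination; they are
	 * exported to userland inside ipstate_save_t.
	 */
	char is_group[FR_GROUPLEN];
	char is_sbuf[2][16];
	char is_ifname[4][LIFNAMSIZ];
} ipstate_t;

/* Convenience accessors for the embedded timeout entry and addresses. */
#define is_die is_sti.tqe_die
#define is_state is_sti.tqe_state
#define is_touched is_sti.tqe_touched
#define is_saddr is_src.in4.s_addr
#define is_daddr is_dst.in4.s_addr
/* Protocol-specific views of the is_ps union; only valid for matching is_p. */
#define is_icmp is_ps.is_ics
#define is_type is_icmp.ici_type
#define is_tcp is_ps.is_ts
#define is_udp is_ps.is_us
#define is_send is_tcp.ts_data[0].td_end
#define is_dend is_tcp.ts_data[1].td_end
#define is_maxswin is_tcp.ts_data[0].td_maxwin
#define is_maxdwin is_tcp.ts_data[1].td_maxwin
#define is_maxsend is_tcp.ts_data[0].td_maxend
#define is_maxdend is_tcp.ts_data[1].td_maxend
#define is_swinscale is_tcp.ts_data[0].td_winscale
#define is_dwinscale is_tcp.ts_data[1].td_winscale
#define is_swinflags is_tcp.ts_data[0].td_winflags
#define is_dwinflags is_tcp.ts_data[1].td_winflags
#define is_sport is_tcp.ts_sport
#define is_dport is_tcp.ts_dport
#define is_ifpin is_ifp[0]
#define is_ifpout is_ifp[2]
#define is_gre is_ps.is_ug
#define is_call is_gre.gs_call

/*
 * is_flags bits.  The IS_W* and IS_NEWFR/IS_CLONE* values are aliases of
 * the SI_* flags so the state entry and the rule's state options share one
 * encoding; the numeric values are shown for reference only.
 */
#define IS_WSPORT SI_W_SPORT /* 0x00100 */
#define IS_WDPORT SI_W_DPORT /* 0x00200 */
#define IS_WSADDR SI_W_SADDR /* 0x00400 */
#define IS_WDADDR SI_W_DADDR /* 0x00800 */
#define IS_NEWFR SI_NEWFR /* 0x01000 */
#define IS_CLONE SI_CLONE /* 0x02000 */
#define IS_CLONED SI_CLONED /* 0x04000 */
#define IS_TCPFSM 0x10000
#define IS_STRICT 0x20000
#define IS_ISNSYN 0x40000
#define IS_ISNACK 0x80000
#define IS_STATESYNC 0x100000
#define IS_LOOSE 0x200000
/*
 * IS_SC flags are for scan-operations that need to be recognised in state.
 * IS_SC_MATCHALL is "both the client and the server side matched";
 * IS_SC_ALL is every scan-related bit.  (Earlier revisions of this header
 * listed IS_SC_MATCHC twice in both masks and so never included
 * IS_SC_MATCHS; the masks now name the bits they are meant to cover.)
 */
#define IS_SC_CLIENT 0x10000000
#define IS_SC_SERVER 0x20000000
#define IS_SC_MATCHC 0x40000000
#define IS_SC_MATCHS 0x80000000
#define IS_SC_MATCHALL (IS_SC_MATCHC|IS_SC_MATCHS)
#define IS_SC_ALL (IS_SC_MATCHC|IS_SC_MATCHS|IS_SC_CLIENT|IS_SC_SERVER)

/*
 * Flags that can be passed into ipf_addstate: the bits a new entry may
 * inherit from the caller's flags word.  Bits 0-7 (the packet-attribute
 * mask/match nibbles) and the IS_SC_* bits are deliberately excluded.
 */
#define IS_INHERITED 0x0fffff00

#define TH_OPENING (TH_SYN|TH_ACK)
/*
 * is_flags:
 * Bits 0 - 3 are used as a mask with the current packet's bits to check for
 * whether it is short, tcp/udp, a fragment or the presence of IP options.
 * Bits 4 - 7 are set from the initial packet and contain what the packet
 * anded with bits 0-3 must match.
 * Bits 8,9 are used to indicate wildcard source/destination port matching.
 * Bits 10,11 are reserved for other wildcard flag compatibility.
 * Bits 12,13 are for scanning.
 */

/*
 * A state entry as handed to userland: the kernel entry plus a copy of the
 * rule it refers to.  Note that ips_is embeds the raw kernel struct,
 * including its list/rule pointers; whatever fills this record for an
 * ioctl reply should not export those kernel addresses unsanitised —
 * NOTE(review): confirm against the ipf_state_ioctl path in ip_state.c.
 */
typedef struct ipstate_save {
	void *ips_next;
	struct ipstate ips_is;
	struct frentry ips_fr;
} ipstate_save_t;

#define ips_rule ips_is.is_rule


/*
 * Fixed-size record written by ipf_state_log().  isl_type carries one of
 * the ISL_* codes below; isl_ps holds the ports or the ICMP type depending
 * on isl_p.
 */
typedef struct ipslog {
	U_QUAD_T isl_pkts[4];
	U_QUAD_T isl_bytes[4];
	i6addr_t isl_src;
	i6addr_t isl_dst;
	u_32_t isl_tag;
	u_short isl_type;		/* ISL_* event code */
	union {
		u_short isl_filler[2];
		u_short isl_ports[2];
		u_short isl_icmp;
	} isl_ps;
	u_char isl_v;			/* IP version */
	u_char isl_p;			/* protocol */
	u_char isl_flags;
	u_char isl_state[2];		/* per-direction state at log time */
	u_32_t isl_rulen;
	char isl_group[FR_GROUPLEN];
} ipslog_t;

#define isl_sport isl_ps.isl_ports[0]
#define isl_dport isl_ps.isl_ports[1]
#define isl_itype isl_ps.isl_icmp

/*
 * isl_type values.  Creation-style events count up from 0; removal-style
 * events count down from 0xffff so the two ranges cannot collide inside
 * the u_short field.
 */
#define ISL_NEW 0
#define ISL_CLONE 1
#define ISL_STATECHANGE 2
#define ISL_EXPIRE 0xffff
#define ISL_FLUSH 0xfffe
#define ISL_REMOVE 0xfffd
#define ISL_INTERMEDIATE 0xfffc
#define ISL_KILLED 0xfffb
#define ISL_ORPHAN 0xfffa
#define ISL_UNLOAD 0xfff9


/*
 * Statistics block exported to userland.  Most members are event counters
 * (names describe the event); iss_list, iss_table, iss_tcptab and
 * iss_bucketlen are kernel pointers and only meaningful to a reader that
 * can follow them into kernel memory (e.g. via /dev/kmem) — they should
 * not be treated as data by a plain ioctl consumer.
 */
typedef struct ips_stat {
	u_int iss_active;		/* entries currently in the table */
	u_int iss_active_proto[256];	/* ... broken down by protocol */
	u_long iss_add_bad;
	u_long iss_add_dup;
	u_long iss_add_locked;
	u_long iss_add_oow;
	u_long iss_bucket_full;		/* inserts refused: chain at ipf_state_maxbucket */
	u_long iss_check_bad;
	u_long iss_check_miss;
	u_long iss_check_nattag;
	u_long iss_check_notag;
	u_long iss_clone_nomem;
	u_long iss_cloned;
	u_long iss_expire;
	u_long iss_fin;
	u_long iss_flush_all;
	u_long iss_flush_closing;
	u_long iss_flush_queue;
	u_long iss_flush_state;
	u_long iss_flush_timeout;
	u_long iss_hits;
	u_long iss_icmp6_icmperr;
	u_long iss_icmp6_miss;
	u_long iss_icmp6_notinfo;
	u_long iss_icmp6_notquery;
	u_long iss_icmp_bad;
	u_long iss_icmp_banned;
	u_long iss_icmp_headblock;
	u_long iss_icmp_hits;
	u_long iss_icmp_icmperr;
	u_long iss_icmp_miss;
	u_long iss_icmp_notquery;
	u_long iss_icmp_short;
	u_long iss_icmp_toomany;
	u_int iss_inuse;
	ipstate_t *iss_list;		/* kernel pointer: head of the state list */
	u_long iss_log_fail;
	u_long iss_log_ok;
	u_long iss_lookup_badifp;
	u_long iss_lookup_badport;
	u_long iss_lookup_miss;
	u_long iss_max;			/* adds refused because the table was full */
	u_long iss_max_ref;
	u_long iss_max_track;
	u_long iss_miss_mask;
	u_long iss_nomem;
	u_long iss_oow;
	u_long iss_orphan;
	u_long iss_proto[256];
	u_long iss_scan_block;
	u_long iss_state_max;		/* configured ipf_state_max */
	u_long iss_state_size;		/* configured ipf_state_size */
	u_long iss_states[IPF_TCP_NSTATES];
	ipstate_t **iss_table;		/* kernel pointer: the hash table */
	u_long iss_tcp_closing;
	u_long iss_tcp_oow;
	u_long iss_tcp_rstadd;
	u_long iss_tcp_toosmall;
	u_long iss_tcp_badopt;
	u_long iss_tcp_fsm;
	u_long iss_tcp_strict;
	ipftq_t *iss_tcptab;		/* kernel pointer: TCP timeout queues */
	u_int iss_ticks;
	u_long iss_wild;
	u_long iss_winsack;
	u_int *iss_bucketlen;		/* kernel pointer: per-bucket chain lengths */
} ips_stat_t;


/*
 * Per-instance soft state for the state module, created by
 * ipf_state_soft_create() and hung off the main softc.
 */
typedef struct ipf_state_softc_s {
	ipfmutex_t ipf_stinsert;	/* serialises inserts into the table */
	int ipf_state_logging;		/* non-zero: write ipslog_t records */
	int ipf_state_lock;		/* set via ipf_state_setlock(): table frozen */
	int ipf_state_doflush;		/* request for the next expire pass to flush */
	u_int ipf_state_inited;
	u_int ipf_state_max;		/* entry cap, defaults to IPSTATE_MAX */
	u_int ipf_state_maxbucket;	/* longest hash chain allowed before refusing */
	u_int ipf_state_size;		/* bucket count, defaults to IPSTATE_SIZE */
	u_int ipf_state_wm_freq;	/* watermark-driven flushing parameters */
	u_int ipf_state_wm_high;
	u_int ipf_state_wm_low;
	u_int ipf_state_wm_last;
	/*
	 * Presumably the seed mixed into is_hv.  Because the hashed keys
	 * (addresses/ports) are attacker-chosen, this must come from an
	 * unpredictable source or a remote peer can steer every flow into one
	 * bucket until ipf_state_maxbucket refuses further adds —
	 * NOTE(review): confirm how it is populated in ipf_state_soft_init().
	 */
	u_long *ipf_state_seed;
	ipstate_t *ipf_state_list;	/* head of the global entry list */
	ipstate_t **ipf_state_table;	/* hash buckets, ipf_state_size of them */
	ipftuneable_t *ipf_state_tune;	/* tunables registered by this module */
	ipftq_t *ipf_state_usertq;	/* user-defined timeout queues */
	ipftq_t ipf_state_pending;
	ipftq_t ipf_state_deletetq;
	ipftq_t ipf_state_udptq;
	ipftq_t ipf_state_udpacktq;
	ipftq_t ipf_state_iptq;
	ipftq_t ipf_state_icmptq;
	ipftq_t ipf_state_icmpacktq;
	ipftq_t ipf_state_tcptq[IPF_TCP_NSTATES];
	ips_stat_t ipf_state_stats;
} ipf_state_softc_t;


/* Entry points implemented in ip_state.c. */
#ifndef _KERNEL
extern void ipf_state_dump __P((ipf_main_softc_t *, void *));
#endif
extern int ipf_tcp_age __P((struct ipftqent *, struct fr_info *,
			    struct ipftq *, int, int));
extern int ipf_tcpinwindow __P((struct fr_info *, struct tcpdata *,
				struct tcpdata *, tcphdr_t *, int));

extern int ipf_state_add __P((ipf_main_softc_t *, fr_info_t *,
			      ipstate_t **, u_int));
extern frentry_t *ipf_state_check __P((struct fr_info *, u_32_t *));
extern void ipf_state_deref __P((ipf_main_softc_t *, ipstate_t **));
extern void ipf_state_expire __P((ipf_main_softc_t *));
extern int ipf_state_flush __P((ipf_main_softc_t *, int, int));
extern ipstate_t *ipf_state_lookup __P((fr_info_t *, tcphdr_t *, ipftq_t **));
extern int ipf_state_init __P((void));
extern int ipf_state_insert __P((ipf_main_softc_t *, struct ipstate *, int));
/*
 * The caddr_t arguments below are user-supplied buffers arriving through
 * ioctl(); they must be copied in with bounds taken from the ipfobj
 * envelope, never dereferenced directly in the kernel.
 */
extern int ipf_state_ioctl __P((ipf_main_softc_t *, caddr_t, ioctlcmd_t,
				int, int, void *));
extern void ipf_state_log __P((ipf_main_softc_t *, struct ipstate *, u_int));
extern int ipf_state_matchflush __P((ipf_main_softc_t *, caddr_t));
extern int ipf_state_rehash __P((ipf_main_softc_t *, ipftuneable_t *,
				 ipftuneval_t *));
extern void ipf_state_setqueue __P((ipf_main_softc_t *, ipstate_t *, int));
extern void ipf_state_setpending __P((ipf_main_softc_t *, ipstate_t *));
extern int ipf_state_settimeout __P((struct ipf_main_softc_s *,
				     ipftuneable_t *, ipftuneval_t *));
extern void ipf_state_sync __P((ipf_main_softc_t *, void *));
extern void ipf_state_update __P((fr_info_t *, ipstate_t *));

extern void ipf_sttab_init __P((ipf_main_softc_t *, struct ipftq *));
extern void ipf_sttab_destroy __P((struct ipftq *));
extern void ipf_state_setlock __P((void *, int));
extern int ipf_state_main_load __P((void));
extern int ipf_state_main_unload __P((void));
extern void *ipf_state_soft_create __P((ipf_main_softc_t *));
extern void ipf_state_soft_destroy __P((ipf_main_softc_t *, void *));
extern int ipf_state_soft_init __P((ipf_main_softc_t *, void *));
extern int ipf_state_soft_fini __P((ipf_main_softc_t *, void *));
extern ipftq_t *ipf_state_add_tq __P((ipf_main_softc_t *, int));

#endif /* __IP_STATE_H__ */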