/*-
 * Copyright (c) 2009-2020 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * NPF connection tracking header: the connection structure (private to
 * the translation units that define __NPF_CONN_PRIVATE), the connection
 * key helpers, and the connection tracking / connection database
 * (state table) interfaces.
 */

#ifndef _NPF_CONN_H_
#define _NPF_CONN_H_

/*
 * This header may only be included by the kernel build or by the
 * _NPF_STANDALONE build; any other consumer is rejected at compile time.
 */
#if !defined(_KERNEL) && !defined(_NPF_STANDALONE)
#error "kernel-level header only"
#endif

#include <sys/types.h>

#include "npf_impl.h"

#if defined(__NPF_CONN_PRIVATE)

/*
 * The main connection tracking structure.
 *
 * The layout is exposed only when __NPF_CONN_PRIVATE is defined; other
 * code handles connections through the opaque npf_conn_t pointer and the
 * functions declared further below.
 */
struct npf_conn {
	/*
	 * Protocol, address length, the interface ID (if zero,
	 * then the state is global) and connection flags.
	 */
	uint16_t	c_proto;
	uint16_t	c_alen;
	unsigned	c_ifid;
	unsigned	c_flags;

	/* Matching rule flags and ID. */
	unsigned	c_retfl;
	uint64_t	c_rid;

	/*
	 * Entry in the connection database/list.  The entry is
	 * protected by npf_t::conn_lock.
	 *
	 * Anonymous union: the singly-linked c_next pointer and the
	 * LIST entry share storage, so a connection is linked through
	 * at most one of them at any given time.
	 */
	union {
		npf_conn_t *		c_next;
		LIST_ENTRY(npf_conn)	c_entry;
	};

	/* Associated rule procedure or NAT (if any). */
	npf_rproc_t *	c_rproc;
	npf_nat_t *	c_nat;

	/*
	 * The Reference count and the last activity time (used to
	 * calculate expiration time).  Note: *unsigned* 32-bit integer
	 * as a timestamp is sufficient for us.
	 */
	unsigned	c_refcnt;
	uint32_t	c_atime;

	/* The protocol state and lock. */
	kmutex_t	c_lock;
	npf_state_t	c_state;

	/*
	 * Connection "forwards" and "backwards" keys.  They are accessed
	 * as npf_connkey_t, see below and npf_conn_getkey().
	 *
	 * Flexible array member: the number of 32-bit words actually
	 * present is not part of the type (it follows the address length),
	 * so sizeof(struct npf_conn) does not account for the keys.
	 */
	uint32_t	c_keys[];
};

/*
 * Key selection parameters.  NOTE(review): the accepted values of these
 * two fields are defined by the consumer in npf_connkey.c, which is not
 * visible here -- confirm there before relying on them.
 */
typedef struct {
	int		connkey_interface;
	int		connkey_direction;
} npf_conn_params_t;

#endif

/*
 * Connection key interface.
 *
 * See the key layout description in the npf_connkey.c source file.
 */

/*
 * Key sizes in 32-bit words: two leading words (their contents are
 * described in npf_connkey.c) followed by two addresses of the family,
 * i.e. 4 words for IPv4 and 10 words for IPv6.
 */
#define NPF_CONNKEY_V4WORDS	(2 + ((sizeof(struct in_addr) * 2) >> 2))
#define NPF_CONNKEY_V6WORDS	(2 + ((sizeof(struct in6_addr) * 2) >> 2))
#define NPF_CONNKEY_MAXWORDS	(NPF_CONNKEY_V6WORDS)

/*
 * NPF_CONNKEY_ALEN(): address length in bytes, decoded from the key
 * itself -- the top four bits of the first word hold the length in
 * 32-bit words, hence the << 2.
 * NPF_CONNKEY_LEN(): total key length in bytes -- 8 bytes for the two
 * leading words plus two addresses.
 *
 * NOTE(review): the four-bit field can encode up to 15 words (60 bytes
 * per address, 128 bytes total), which exceeds the NPF_CONNKEY_MAXWORDS
 * (40-byte) buffer.  A key that originates outside the kernel (e.g. via
 * npf_connkey_import()) therefore has to be validated before its
 * self-described length is used for copying or comparison; confirm that
 * npf_connkey.c performs that check.
 */
#define NPF_CONNKEY_ALEN(key)	(((key)->ck_key[0] >> 28) << 2)
#define NPF_CONNKEY_LEN(key)	(8 + (NPF_CONNKEY_ALEN(key) * 2))

typedef struct npf_connkey {
	/* Warning: ck_key has a variable length -- see above. */
	uint32_t	ck_key[NPF_CONNKEY_MAXWORDS];
} npf_connkey_t;

/* Key construction from a packet cache, and access to a connection's keys. */
unsigned	npf_conn_conkey(const npf_cache_t *, npf_connkey_t *,
		    const unsigned, const npf_flow_t);
npf_connkey_t *	npf_conn_getforwkey(npf_conn_t *);
npf_connkey_t *	npf_conn_getbackkey(npf_conn_t *, unsigned);
void		npf_conn_adjkey(npf_connkey_t *, const npf_addr_t *,
		    const uint16_t, const unsigned);

/* Encoding and decoding of the raw key words. */
unsigned	npf_connkey_setkey(npf_connkey_t *, unsigned, unsigned,
		    const void *, const uint16_t *, const npf_flow_t);
void		npf_connkey_getkey(const npf_connkey_t *, unsigned *,
		    unsigned *, npf_addr_t *, uint16_t *);

/*
 * Key serialisation to/from nvlist.  Import consumes externally supplied
 * data, so its return value indicates whether the key was accepted.
 */
unsigned	npf_connkey_import(npf_t *, const nvlist_t *, npf_connkey_t *);
nvlist_t *	npf_connkey_export(npf_t *, const npf_connkey_t *);
void		npf_connkey_print(const npf_connkey_t *);

/*
 * Connection tracking interface.
 */

/* Subsystem setup/teardown, enable/disable and bulk load of a database. */
void		npf_conn_init(npf_t *);
void		npf_conn_fini(npf_t *);
void		npf_conn_tracking(npf_t *, bool);
void		npf_conn_load(npf_t *, npf_conndb_t *, bool);

/*
 * Per-packet path: look up, inspect or establish a connection, then
 * release it.  NOTE(review): the pairing of lookup/inspect/establish
 * with release (c_refcnt) is defined in npf_conn.c -- verify there.
 */
npf_conn_t *	npf_conn_lookup(const npf_cache_t *, const unsigned, npf_flow_t *);
npf_conn_t *	npf_conn_inspect(npf_cache_t *, const unsigned, int *);
npf_conn_t *	npf_conn_establish(npf_cache_t *, const unsigned, bool);
void		npf_conn_release(npf_conn_t *);
void		npf_conn_destroy(npf_t *, npf_conn_t *);
void		npf_conn_expire(npf_conn_t *);

/* Rule result and NAT association of a connection. */
bool		npf_conn_pass(const npf_conn_t *, npf_match_info_t *,
		    npf_rproc_t **);
void		npf_conn_setpass(npf_conn_t *, const npf_match_info_t *,
		    npf_rproc_t *);
int		npf_conn_setnat(const npf_cache_t *, npf_conn_t *,
		    npf_nat_t *, unsigned);
npf_nat_t *	npf_conn_getnat(const npf_conn_t *);

/* Expiration, removal, the GC worker, and nvlist import/lookup/print. */
bool		npf_conn_expired(npf_t *, const npf_conn_t *, uint64_t);
void		npf_conn_remove(npf_conndb_t *, npf_conn_t *);
void		npf_conn_worker(npf_t *);
int		npf_conn_import(npf_t *, npf_conndb_t *, const nvlist_t *,
		    npf_ruleset_t *);
int		npf_conn_find(npf_t *, const nvlist_t *, nvlist_t *);
void		npf_conn_print(npf_conn_t *);

/*
 * Connection database (aka state table) interface.
 */
void		npf_conndb_sysinit(npf_t *);
void		npf_conndb_sysfini(npf_t *);

npf_conndb_t *	npf_conndb_create(void);
void		npf_conndb_destroy(npf_conndb_t *);

/* Keyed lookup, insertion and removal of connections. */
npf_conn_t *	npf_conndb_lookup(npf_t *, const npf_connkey_t *, npf_flow_t *);
bool		npf_conndb_insert(npf_conndb_t *, const npf_connkey_t *,
		    npf_conn_t *, npf_flow_t);
npf_conn_t *	npf_conndb_remove(npf_conndb_t *, npf_connkey_t *);

/* List traversal, export and garbage collection of the database. */
void		npf_conndb_enqueue(npf_conndb_t *, npf_conn_t *);
npf_conn_t *	npf_conndb_getlist(npf_conndb_t *);
npf_conn_t *	npf_conndb_getnext(npf_conndb_t *, npf_conn_t *);
int		npf_conndb_export(npf_t *, nvlist_t *);
void		npf_conndb_gc(npf_t *, npf_conndb_t *, bool, bool);

#endif	/* _NPF_CONN_H_ */