/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
* Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _INET_IPSECESP_H
#define _INET_IPSECESP_H
#include <inet/ip.h>
#include <inet/ipdrop.h>
#ifdef __cplusplus
extern "C" {
#endif
#ifdef _KERNEL
/* Named Dispatch Parameter Management Structure */
typedef struct ipsecespparam_s {
	/* Bounds on ipsecesp_param_value; presumably enforced when the ND tunable is set — confirm in the .c */
	uint_t ipsecesp_param_min;
	uint_t ipsecesp_param_max;
	/* Current setting; read through the ipsecesp_* accessor macros below, under ipsecesp_param_lock */
	uint_t ipsecesp_param_value;
	char *ipsecesp_param_name;	/* Named Dispatch name of the tunable */
} ipsecespparam_t;
/*
* Stats. This may eventually become a full-blown SNMP MIB once that spec
* stabilizes.
*/
/*
 * One kstat_named_t per ESP counter. The suffix after "esp_stat_" is the
 * token handed to ESP_BUMP_STAT()/ESP_DEBUMP_STAT(), e.g.
 * ESP_BUMP_STAT(espstack, bad_auth). Because esp_kstats aliases
 * esp_ksp->ks_data, member order is the exported kstat layout: append new
 * counters at the end rather than reordering. Counter meanings are defined
 * where they are bumped; the grouping comments below are by name only.
 */
typedef struct esp_kstats_s {
	kstat_named_t esp_stat_num_aalgs;
	/* Authentication / padding verification outcomes on inbound packets */
	kstat_named_t esp_stat_good_auth;
	kstat_named_t esp_stat_bad_auth;
	kstat_named_t esp_stat_bad_padding;
	/* Anti-replay rejections */
	kstat_named_t esp_stat_replay_failures;
	kstat_named_t esp_stat_replay_early_failures;
	/* PF_KEY (keysock) and SA request traffic */
	kstat_named_t esp_stat_keysock_in;
	kstat_named_t esp_stat_out_requests;
	kstat_named_t esp_stat_acquire_requests;
	kstat_named_t esp_stat_bytes_expired;
	kstat_named_t esp_stat_out_discards;
	/* Crypto framework dispatch: synchronous vs. asynchronous completion, and failures */
	kstat_named_t esp_stat_crypto_sync;
	kstat_named_t esp_stat_crypto_async;
	kstat_named_t esp_stat_crypto_failures;
	kstat_named_t esp_stat_num_ealgs;
	kstat_named_t esp_stat_bad_decrypt;
	kstat_named_t esp_stat_sa_port_renumbers;
} esp_kstats_t;
/*
 * espstack->esp_kstats is equal to espstack->esp_ksp->ks_data if
 * kstat_create_netstack for espstack->esp_ksp succeeds, but when it
 * fails, it will be NULL. Note this is done for all stack instances,
 * so it *could* fail; hence a non-NULL check is done in
 * ESP_BUMP_STAT and ESP_DEBUMP_STAT.
 */
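/*
 * Increment the 64-bit kstat counter esp_stat_<x> of the given ESP stack
 * instance. The guard is needed because esp_kstats is NULL when kstat
 * creation failed for this netstack. espstack is parenthesized so that an
 * expression argument binds correctly; x is token-pasted and therefore
 * cannot be. _NOTE(CONSTCOND) is a lint annotation for the constant
 * "while (0)" condition.
 */
#define ESP_BUMP_STAT(espstack, x) \
do { \
	if ((espstack)->esp_kstats != NULL) \
		((espstack)->esp_kstats->esp_stat_ ## x).value.ui64++; \
	_NOTE(CONSTCOND) \
} while (0)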
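/*
 * Decrement the 64-bit kstat counter esp_stat_<x> of the given ESP stack
 * instance; the NULL guard mirrors ESP_BUMP_STAT (esp_kstats is NULL when
 * kstat creation failed). espstack is parenthesized so that an expression
 * argument binds correctly; x is token-pasted and therefore cannot be.
 */
#define ESP_DEBUMP_STAT(espstack, x) \
do { \
	if ((espstack)->esp_kstats != NULL) \
		((espstack)->esp_kstats->esp_stat_ ## x).value.ui64--; \
	_NOTE(CONSTCOND) \
} while (0)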
/*
* IPSECESP stack instances
*/
struct ipsecesp_stack {
	netstack_t *ipsecesp_netstack;	/* Common netstack */
	/* Named Dispatch handle (presumably the nd_load() list head — confirm in the .c) */
	caddr_t ipsecesp_g_nd;
	/* Tunable table; indexed by the ipsecesp_* accessor macros further down */
	struct ipsecespparam_s *ipsecesp_params;
	kmutex_t ipsecesp_param_lock;	/* Protects params */
	/* Packet dropper for ESP drops. */
	ipdropper_t esp_dropper;
	/*
	 * esp_kstats aliases esp_ksp->ks_data when kstat creation succeeded
	 * and is NULL otherwise, so counters must be touched only through
	 * ESP_BUMP_STAT()/ESP_DEBUMP_STAT(), which check for NULL.
	 */
	kstat_t *esp_ksp;
	struct esp_kstats_s *esp_kstats;
	/*
	 * Keysock instance of ESP. There can be only one per stack instance.
	 * Use atomic_cas_ptr() on this because it is not set until
	 * KEYSOCK_HELLO comes down.
	 * Paired up with the esp_pfkey_q is the esp_event, which will age SAs.
	 */
	queue_t *esp_pfkey_q;
	timeout_id_t esp_event;
	sadbp_t esp_sadb;	/* ESP security association database for this stack */
};
typedef struct ipsecesp_stack ipsecesp_stack_t;
/*
 * Accessors for the ND tunables. Each expands to an element of the
 * ipsecesp_params array, so they are applied to a stack instance as
 * e.g. espstack->ipsecesp_debug. The index must match the position of the
 * tunable in the parameter table defined elsewhere; keep both in sync when
 * adding a tunable. ipsecesp_age_int_max reads the _max bound of the same
 * slot that ipsecesp_age_interval reads the value from.
 */
#define ipsecesp_debug ipsecesp_params[0].ipsecesp_param_value
#define ipsecesp_age_interval ipsecesp_params[1].ipsecesp_param_value
#define ipsecesp_age_int_max ipsecesp_params[1].ipsecesp_param_max
#define ipsecesp_reap_delay ipsecesp_params[2].ipsecesp_param_value
#define ipsecesp_replay_size ipsecesp_params[3].ipsecesp_param_value
#define ipsecesp_acquire_timeout \
	ipsecesp_params[4].ipsecesp_param_value
#define ipsecesp_larval_timeout \
	ipsecesp_params[5].ipsecesp_param_value
#define ipsecesp_default_soft_bytes \
	ipsecesp_params[6].ipsecesp_param_value
#define ipsecesp_default_hard_bytes \
	ipsecesp_params[7].ipsecesp_param_value
#define ipsecesp_default_soft_addtime \
	ipsecesp_params[8].ipsecesp_param_value
#define ipsecesp_default_hard_addtime \
	ipsecesp_params[9].ipsecesp_param_value
#define ipsecesp_default_soft_usetime \
	ipsecesp_params[10].ipsecesp_param_value
#define ipsecesp_default_hard_usetime \
	ipsecesp_params[11].ipsecesp_param_value
/* When set, log packets arriving with an SPI that matches no SA (by name — confirm) */
#define ipsecesp_log_unknown_spi \
	ipsecesp_params[12].ipsecesp_param_value
#define ipsecesp_padding_check \
	ipsecesp_params[13].ipsecesp_param_value
#define ipsecesp_nat_keepalive_interval \
	ipsecesp_params[14].ipsecesp_param_value
#endif /* _KERNEL */
/*
 * For now, only provide the "aligned" version of the header.
 * If an unaligned version is needed, we'll settle the naming conventions then.
 */
/*
 * Fixed-size ESP header (RFC 4303 section 2): SPI followed by the
 * sequence number. Both fields are 32-bit and presumably in network byte
 * order as read off the wire — NOTE(review): confirm whether callers ntohl()
 * before comparing.
 */
typedef struct esph {
	uint32_t esph_spi;	/* Security Parameters Index */
	uint32_t esph_replay;	/* Sequence number, consumed by anti-replay checks */
} esph_t;
/* No need for "old" ESP, just point a uint32_t *. */
#ifdef __cplusplus
}
#endif
#endif /* _INET_IPSECESP_H */