4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
27 #ifndef _INET_IPSECAH_H
28 #define _INET_IPSECAH_H
31 #include <inet/ipdrop.h>
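/*
 * Named Dispatch Parameter Management Structure.
 *
 * One entry per tunable.  The listing this was taken from had lost the
 * closing line of the typedef; the type name ipsecahparam_t is the one
 * the stack structure uses for its ipsecah_params pointer.
 *
 * NOTE(review): going by the member names, min/max bound the value a
 * tunable may take.  Nothing in this header enforces that, so whichever
 * routine stores into ipsecah_param_value has to do the range check --
 * confirm it does.
 */
typedef struct ipsecahparam_s {
	uint_t	ipsecah_param_min;	/* presumably lowest accepted value */
	uint_t	ipsecah_param_max;	/* presumably highest accepted value */
	uint_t	ipsecah_param_value;	/* current setting */
	char	*ipsecah_param_name;	/* name the tunable is known by */
} ipsecahparam_t;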
49 * Stats. This may eventually become a full-blown SNMP MIB once that spec
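/*
 * AH statistics: one named kstat per counter.
 *
 * The opening brace and closing line of this typedef were missing from
 * the listing; the member list itself is unchanged.  The notes on the
 * members are read off their names, not off the code that updates them
 * -- confirm before relying on them.
 */
typedef struct ah_kstats_s {
	kstat_named_t	ah_stat_num_aalgs;
	kstat_named_t	ah_stat_good_auth;
	/*
	 * NOTE(review): bad_auth, replay_failures, replay_early_failures
	 * and crypto_failures look like the counters an operator would
	 * watch for forged or replayed traffic; verify what bumps them.
	 */
	kstat_named_t	ah_stat_bad_auth;
	kstat_named_t	ah_stat_replay_failures;
	kstat_named_t	ah_stat_replay_early_failures;
	kstat_named_t	ah_stat_keysock_in;
	kstat_named_t	ah_stat_out_requests;
	kstat_named_t	ah_stat_acquire_requests;
	kstat_named_t	ah_stat_bytes_expired;
	kstat_named_t	ah_stat_out_discards;
	kstat_named_t	ah_stat_crypto_sync;
	kstat_named_t	ah_stat_crypto_async;
	kstat_named_t	ah_stat_crypto_failures;
} ah_kstats_t;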
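/*
 * ahstack->ah_kstats is equal to ahstack->ah_ksp->ks_data if
 * kstat_create_netstack for ahstack->ah_ksp succeeds, but when it
 * fails, it will be NULL.  This is done for every stack instance, so
 * it *could* fail; hence AH_BUMP_STAT and AH_DEBUMP_STAT test for a
 * non-NULL pointer before touching a counter.
 *
 * Each macro is wrapped in do { } while (0) so that it expands to exactly
 * one statement and can sit in an unbraced if/else without capturing the
 * else.  The ahstack argument is parenthesized and is evaluated twice, so
 * pass an expression without side effects.  x is the counter name with
 * the ah_stat_ prefix removed (e.g. bad_auth).
 *
 * NOTE(review): the ++ / -- is a plain read-modify-write of value.ui64.
 * Whether concurrent callers can lose updates is not decidable from this
 * header; confirm that is acceptable for counters used for monitoring.
 */
#define	AH_BUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL)				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64++;	\
} while (0)

#define	AH_DEBUMP_STAT(ahstack, x)					\
do {									\
	if ((ahstack)->ah_kstats != NULL)				\
		((ahstack)->ah_kstats->ah_stat_ ## x).value.ui64--;	\
} while (0)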
90 * IPSECAH stack instances
92 struct ipsecah_stack
{
93 netstack_t
*ipsecah_netstack
; /* Common netstack */
96 ipsecahparam_t
*ipsecah_params
;
97 kmutex_t ipsecah_param_lock
; /* Protects params */
101 /* Packet dropper for AH drops. */
102 ipdropper_t ah_dropper
;
105 ah_kstats_t
*ah_kstats
;
108 * Keysock instance of AH. There can be only one per stack instance.
109 * Use atomic_cas_ptr() on this because I don't set it until
110 * KEYSOCK_HELLO comes down.
111 * Paired up with the ah_pfkey_q is the ah_event, which will age SAs.
114 timeout_id_t ah_event
;
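typedef struct ipsecah_stack ipsecah_stack_t;

/*
 * Shorthand for individual entries of the ipsecah_params table.
 *
 * Each name expands to a member expression beginning with ipsecah_params,
 * which is a member of struct ipsecah_stack, so it is written after a
 * stack pointer or object (stack->ipsecah_debug).  All of them select
 * ipsecah_param_value except ipsecah_age_int_max, which selects the
 * ipsecah_param_max of entry 1.
 *
 * The indices are fixed here and are not bounds-checked: the table these
 * point into must have at least 13 entries, in this order.  Keep this
 * list and the table definition in step when adding or moving a tunable.
 */
#define	ipsecah_debug			ipsecah_params[0].ipsecah_param_value
#define	ipsecah_age_interval		ipsecah_params[1].ipsecah_param_value
#define	ipsecah_age_int_max		ipsecah_params[1].ipsecah_param_max
#define	ipsecah_reap_delay		ipsecah_params[2].ipsecah_param_value
#define	ipsecah_replay_size		ipsecah_params[3].ipsecah_param_value
#define	ipsecah_acquire_timeout		ipsecah_params[4].ipsecah_param_value
#define	ipsecah_larval_timeout		ipsecah_params[5].ipsecah_param_value
#define	ipsecah_default_soft_bytes	ipsecah_params[6].ipsecah_param_value
#define	ipsecah_default_hard_bytes	ipsecah_params[7].ipsecah_param_value
#define	ipsecah_default_soft_addtime	ipsecah_params[8].ipsecah_param_value
#define	ipsecah_default_hard_addtime	ipsecah_params[9].ipsecah_param_value
#define	ipsecah_default_soft_usetime	ipsecah_params[10].ipsecah_param_value
#define	ipsecah_default_hard_usetime	ipsecah_params[11].ipsecah_param_value
#define	ipsecah_log_unknown_spi		ipsecah_params[12].ipsecah_param_value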
 * For now, only provide "aligned" version of header.
 * If an unaligned version is needed, we'll go with the naming conventions then.
143 uint16_t ah_reserved
;
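/* Fixed byte count added by AH_TOTAL_LEN and AHOLD_TOTAL_LEN. */
#define	AH_BASELEN	12

/*
 * Total length in bytes computed from an AH header pointer:
 * ah_length scaled by 4, plus AH_BASELEN, minus the size of the
 * ah_replay member.  Because of the sizeof term the result has type
 * size_t, so comparisons against signed lengths convert to unsigned.
 *
 * NOTE(review): when ah points into a received packet, ah_length is
 * whatever the sender put there.  The result must be checked against the
 * number of bytes actually present before it is used to advance a
 * pointer or size a copy; no such check is part of this macro.
 */
#define	AH_TOTAL_LEN(ah)	(((ah)->ah_length << 2) + AH_BASELEN - \
					sizeof ((ah)->ah_replay))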
152 /* "Old" AH, without replay. For 1827-29 compatibility. */
154 typedef struct ahold
{
157 uint16_t ah_reserved
;
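/* Fixed byte count for the "old" (no replay field) AH header. */
#define	AHOLD_BASELEN	8

/*
 * Length in bytes computed from an old-style AH header pointer:
 * ah_length scaled by 4, plus AH_BASELEN.
 *
 * NOTE(review): this adds AH_BASELEN (12), not the AHOLD_BASELEN (8)
 * defined directly above, so the result is 4 bytes larger than the
 * old-header constant would give.  Left as found because callers are not
 * visible from this header; confirm which constant is intended before
 * trusting the result as a packet length.  As with AH_TOTAL_LEN, the
 * ah_length field is sender-controlled on received packets and the
 * result needs checking against the bytes actually available.
 */
#define	AHOLD_TOTAL_LEN(ah)	(((ah)->ah_length << 2) + AH_BASELEN)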
168 #endif /* _INET_IPSECAH_H */