1.1 ! misho 1: /* $NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $ */
! 2:
! 3: /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
! 4:
! 5: /*
! 6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
! 7: * All rights reserved.
! 8: *
! 9: * Redistribution and use in source and binary forms, with or without
! 10: * modification, are permitted provided that the following conditions
! 11: * are met:
! 12: * 1. Redistributions of source code must retain the above copyright
! 13: * notice, this list of conditions and the following disclaimer.
! 14: * 2. Redistributions in binary form must reproduce the above copyright
! 15: * notice, this list of conditions and the following disclaimer in the
! 16: * documentation and/or other materials provided with the distribution.
! 17: * 3. Neither the name of the project nor the names of its contributors
! 18: * may be used to endorse or promote products derived from this software
! 19: * without specific prior written permission.
! 20: *
! 21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
! 22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
! 25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 31: * SUCH DAMAGE.
! 32: */
! 33:
! 34: #ifndef _POLICY_H
! 35: #define _POLICY_H
! 36:
! 37: #include <sys/queue.h>
! 38:
! 39:
! 40: #ifdef HAVE_SECCTX
! 41: #define MAX_CTXSTR_SIZE 50
/*
 * Security context attached to a policy selector (built only with
 * HAVE_SECCTX).  ctx_strlen counts the terminating NUL, so a well-formed
 * context satisfies ctx_strlen <= MAX_CTXSTR_SIZE.
 * NOTE(review): ctx_strlen is a 16-bit value while ctx_str holds at most
 * MAX_CTXSTR_SIZE bytes; whatever fills this struct must bound the copy
 * into ctx_str by MAX_CTXSTR_SIZE rather than by ctx_strlen - confirm at
 * the fill sites (not visible in this header).
 */
struct security_ctx {
	u_int8_t ctx_doi;		/* Security Context DOI */
	u_int8_t ctx_alg;		/* Security Context Algorithm */
	u_int16_t ctx_strlen;		/* Security Context string length
					 * (includes terminating NUL) */
	char ctx_str[MAX_CTXSTR_SIZE];	/* Security Context string */
};
! 50: #endif
! 51:
/* refs. ipsec.h */
/*
 * Security Policy Index
 * NOTE: src and dst must be of the same address family and upper layer protocol.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard.
 *	0 to (~0 - 1): one specific value of the respective field.
 */
/*
 * Selector of a security policy.  Filled by KEY_SETSECSPIDX() below and
 * compared by cmpspidxstrict()/cmpspidxwild().  Without
 * HAVE_PFKEY_POLICY_PRIORITY the macro takes no priority argument and
 * priority stays 0 from the initial bzero().
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow (IPSEC_DIR_*, see ipsec.h) */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer protocol */
	u_int32_t priority;		/* priority for the policy */
	u_int64_t created;		/* creation stamp; used when deleting generated SPD entries */
#ifdef HAVE_SECCTX
	struct security_ctx sec_ctx;	/* Security Context */
#endif
};
! 73:
! 74: /* Security Policy Data Base */
/*
 * One entry of the Security Policy Database (SPD).  chain links the entry
 * into a TAILQ whose head is not declared in this header.  req is the
 * head of a NULL-terminated list of struct ipsecrequest and is NULL unless
 * policy == IPSEC.
 */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;	/* SPD list linkage */

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* unique number on the system */

	u_int policy;			/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;	/* head of the ipsec request chain if
					 * policy == IPSEC, otherwise NULL */

	/* MIPv6 needs to perform negotiation of SA using different addresses
	 * than the endpoints of the SA (CoA for the source). In that case,
	 * MIGRATE msg provides that info (before movement occurs on the MN) */
	struct sockaddr *local;		/* negotiation endpoints (see above);
					 * ownership/lifetime not specified here */
	struct sockaddr *remote;
};
! 92:
/* Security Association Index */
/* NOTE: src and dst must be of the same address family */
/*
 * Index of a security association; embedded in struct ipsecrequest as a
 * hint for locating the SA that serves that request.
 */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* request id that owns this SA;
					 * see IPSEC_MANUAL_REQID_MAX. */
};
! 103:
! 104: /* Request for IPsec */
/*
 * One IPsec request of a policy.  Requests form a NULL-terminated singly
 * linked list through next; each carries a back pointer to the owning
 * struct secpolicy.  Allocated with newipsecreq() (declared below).
 */
struct ipsecrequest {
	struct ipsecrequest *next;	/* next request in the chain;
					 * NULL marks the end of the chain */

	struct secasindex saidx;	/* hint for finding the proper SA;
					 * if __ss_len == 0 no address is specified */
	u_int level;			/* IPsec level; the IPSEC_LEVEL_* values
					 * are not defined in this header (see ipsec.h) */

	struct secpolicy *sp;		/* back pointer to the owning SP */
};
! 116:
/*
 * KEY_SETSECSPIDX(): fill a struct policyindex selector.  The target is
 * zeroed first, the scalar fields are assigned, then src and dst are copied
 * from the given sockaddr pointers, sysdep_sa_len() bytes each.
 *
 * idx, s and d are evaluated more than once - do not pass expressions with
 * side effects.  The two variants below are duplicates apart from the
 * priority argument; keep both in step when struct policyindex changes.
 * Without HAVE_PFKEY_POLICY_PRIORITY there is no priority argument and the
 * priority field stays 0 from the bzero().
 *
 * NOTE(review): each memcpy is bounded by sysdep_sa_len() of the source,
 * not by sizeof((idx)->src); this is safe only if sysdep_sa_len() never
 * returns more than sizeof(struct sockaddr_storage), including for an
 * address family it does not recognise - confirm in its definition (not
 * visible here).
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx) \
do { \
	bzero((idx), sizeof(struct policyindex)); \
	(idx)->dir = (_dir); \
	(idx)->prefs = (ps); \
	(idx)->prefd = (pd); \
	(idx)->ul_proto = (ulp); \
	(idx)->priority = (_priority); \
	(idx)->created = (_created); \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \
} while (0)
#else
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx) \
do { \
	bzero((idx), sizeof(struct policyindex)); \
	(idx)->dir = (_dir); \
	(idx)->prefs = (ps); \
	(idx)->prefd = (pd); \
	(idx)->ul_proto = (ulp); \
	(idx)->created = (_created); \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \
} while (0)
#endif
! 143:
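/*
 * Phase 2 handle is only used through a pointer by the HAVE_SECCTX helpers
 * below; its definition lives elsewhere.  The policyindex forward
 * declaration is redundant (the struct is defined above) but harmless.
 */
struct ph2handle;
struct policyindex;

/* SPD lookup: by selector (getsp, getsp_r) and by policy id (getspbyspid). */
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
/* extern added for consistency with the other prototypes (no behavioural change) */
extern struct secpolicy *getspbyspid __P((u_int32_t));
/*
 * Selector comparison, strict and wildcard-aware.  The return-value
 * convention (match vs. mismatch) is fixed by the definitions, not here -
 * check them before relying on 0 / non-0.
 */
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
/* SP lifecycle: allocate, free, insert into / remove from the SPD, flush, init. */
extern struct secpolicy *newsp __P((void));
extern void delsp __P((struct secpolicy *));
extern void delsp_bothdir __P((struct policyindex *));
extern void inssp __P((struct secpolicy *));
extern void remsp __P((struct secpolicy *));
extern void flushsp __P((void));
extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));

/*
 * Render a selector as text.  Whether the returned buffer is static or
 * per-call is not specified by this header - check the definition before
 * holding the pointer across another call.
 */
extern const char *spidx2str __P((const struct policyindex *));
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
/*
 * SELinux security-context helpers.  vchar_t is a racoon type that this
 * header does not declare; the including file must have it in scope first.
 */
extern int get_security_context __P((vchar_t *, struct policyindex *));
extern void init_avc __P((void));
extern int within_range __P((security_context_t, security_context_t));
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif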
! 168:
! 169: #endif /* _POLICY_H */