
    1: /*	$NetBSD: policy.h,v 1.8 2008/12/05 06:02:20 tteras Exp $	*/
    2: 
    3: /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
    4: 
    5: /*
    6:  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7:  * All rights reserved.
    8:  * 
    9:  * Redistribution and use in source and binary forms, with or without
   10:  * modification, are permitted provided that the following conditions
   11:  * are met:
   12:  * 1. Redistributions of source code must retain the above copyright
   13:  *    notice, this list of conditions and the following disclaimer.
   14:  * 2. Redistributions in binary form must reproduce the above copyright
   15:  *    notice, this list of conditions and the following disclaimer in the
   16:  *    documentation and/or other materials provided with the distribution.
   17:  * 3. Neither the name of the project nor the names of its contributors
   18:  *    may be used to endorse or promote products derived from this software
   19:  *    without specific prior written permission.
   20:  * 
   21:  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31:  * SUCH DAMAGE.
   32:  */
   33: 
   34: #ifndef _POLICY_H
   35: #define _POLICY_H
   36: 
   37: #include <sys/queue.h>
   38: 
   39: 
#ifdef HAVE_SECCTX
/*
 * Capacity of security_ctx.ctx_str, counting the terminating NUL.
 * Anything that fills ctx_str must truncate/reject input longer than this.
 */
#define MAX_CTXSTR_SIZE 50
/*
 * Security context carried in a policy selector (HAVE_SECCTX builds only;
 * the SELinux-backed helpers are declared at the end of this header).
 */
struct security_ctx {
	u_int8_t ctx_doi;       /* Security Context DOI */
	u_int8_t ctx_alg;       /* Security Context Algorithm */
	u_int16_t ctx_strlen;   /* Security Context string length
				 * (includes terminating NUL).  A u_int16_t can
				 * hold values larger than MAX_CTXSTR_SIZE and
				 * nothing in this header bounds it, so every
				 * reader of ctx_str must check ctx_strlen
				 * against MAX_CTXSTR_SIZE before trusting it.
				 */
	char ctx_str[MAX_CTXSTR_SIZE];  /* Security Context string */
};
#endif
   51: 
/* refs. ipsec.h */
/*
 * Security Policy Index (the selector half of a struct secpolicy).
 * NOTE: Ensure src and dst have the same address family, and that both
 *       ends agree on the upper layer protocol.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard.
 *	0 to (~0 - 1): one concrete value of the respective field.
 * The struct is compared field by field (see cmpspidxstrict /
 * cmpspidxwild below), so it is always zeroed before being filled in
 * (KEY_SETSECSPIDX) to keep padding and unused fields deterministic.
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow (IPSEC_DIR_* in ipsec.h) */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
	u_int32_t priority;		/* priority for the policy */
 	u_int64_t created;		/* Used for generated SPD entries deletion */
#ifdef HAVE_SECCTX
	struct security_ctx sec_ctx;    /* Security Context */
#endif
};
   73: 
/*
 * Security Policy Data Base entry.
 * Entries are kept on a TAILQ (inssp/remsp/flushsp below); delsp() frees
 * one -- remove it from the list first, the two are separate operations.
 */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* Unique number on the system (see getspbyspid). */

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/
				/* Each ipsecrequest carries a back pointer */
				/* (ipsecrequest.sp) to this entry. */

	/* MIPv6 needs to perform negotiation of SA using different addresses
	 * than the endpoints of the SA (CoA for the source). In that case,
	 * MIGRATE msg provides that info (before movement occurs on the MN).
	 * Both are NULL unless such a MIGRATE was received -- ownership of the
	 * pointed-to sockaddrs is not visible in this header; check policy.c. */
	struct sockaddr *local;
	struct sockaddr *remote;
};
   92: 
/* Security Association Index */
/* NOTE: Ensure src and dst are of the same address family. */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* reqid id who owned this SA */
					/* see IPSEC_MANUAL_REQID_MAX. */
};
  103: 
/*
 * Request for IPsec: one element of the singly linked request tree hung
 * off secpolicy.req (allocated by newipsecreq()).
 */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */

	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below. */
				/* NOTE(review): no level constants are defined */
				/* in this header; they come from ipsec.h. */

	struct secpolicy *sp;	/* back pointer to SP */
};
  116: 
/*
 * KEY_SETSECSPIDX(): zero *idx (a struct policyindex *) and fill in the
 * selector fields from the arguments.  Under HAVE_PFKEY_POLICY_PRIORITY it
 * takes an extra _priority argument; otherwise priority is left at 0 by
 * the bzero().  sec_ctx (HAVE_SECCTX) is likewise left zeroed and must be
 * set separately.
 *
 * s and d are struct sockaddr pointers.  Each is copied into the
 * corresponding sockaddr_storage using the length sysdep_sa_len() reports
 * for *that sockaddr*; the macro does not compare it against
 * sizeof(struct sockaddr_storage).  A sockaddr whose length field exceeds
 * that size therefore overruns idx->src / idx->dst, so callers must
 * validate sa_family / sa_len of any address that originates outside the
 * daemon before invoking this.
 *
 * idx, s and d are each evaluated more than once: pass side-effect-free
 * expressions.
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx)              \
do {                                                                         \
	bzero((idx), sizeof(struct policyindex));                            \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->priority = (_priority);                                        \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#else
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx)              \
do {                                                                         \
	bzero((idx), sizeof(struct policyindex));                            \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->created = (_created);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#endif
  143: 
struct ph2handle;		/* opaque here; only passed by pointer below */
struct policyindex;		/* redundant: fully defined above, kept for compatibility */

/*
 * SPD lookup and maintenance (implemented in policy.c).
 * getsp / getsp_r: find the policy matching a selector; the two differ in
 *   how the selector is compared -- presumably strict vs. wildcard, see
 *   cmpspidxstrict/cmpspidxwild -- confirm against policy.c.
 * getspbyspid: find a policy by its secpolicy.id.  Declared without
 *   'extern' unlike its siblings; that has no effect on linkage.
 * cmpspidx*: return 0 on match, non-zero otherwise (C comparison convention
 *   assumed -- verify at the call sites).
 * newsp/delsp: allocate / free an entry; inssp/remsp: link / unlink it from
 *   the list without freeing; flushsp: drop every entry; initsp: set up the
 *   list.  All returned pointers may be NULL on lookup miss or allocation
 *   failure and must be checked by the caller.
 */
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
struct secpolicy *getspbyspid __P((u_int32_t));
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
extern struct secpolicy *newsp __P((void));
extern void delsp __P((struct secpolicy *));
extern void delsp_bothdir __P((struct policyindex *));
extern void inssp __P((struct secpolicy *));
extern void remsp __P((struct secpolicy *));
extern void flushsp __P((void));
extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));

/*
 * Render a selector for logging.  The returned buffer's lifetime is not
 * stated here -- likely a static buffer overwritten on the next call, so
 * copy it if it must outlive the next spidx2str() call.
 */
extern const char *spidx2str __P((const struct policyindex *));
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
/*
 * Security-context helpers (HAVE_SECCTX builds).
 * get_security_context: parse a context out of a vchar_t into the
 *   policyindex; this is the place where ctx_strlen must be bounded by
 *   MAX_CTXSTR_SIZE, since the struct itself does not enforce it.
 * within_range: ask the AVC whether the first context is within the
 *   range of the second (return convention not visible here -- check the
 *   definition before treating 0 as "allowed" or "denied").
 */
extern int get_security_context __P((vchar_t *, struct policyindex *));
extern void init_avc __P((void));
extern int within_range __P((security_context_t, security_context_t));
extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
#endif
  168: 
  169: #endif /* _POLICY_H */
