![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to xfrm.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / include / linux|
Return to xfrm.h CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / include / linux |
1.1 misho 1: #ifndef _LINUX_XFRM_H
2: #define _LINUX_XFRM_H
3:
4: #include <linux/types.h>
5:
6: /* All of the structures in this file may not change size as they are
7: * passed into the kernel from userspace via netlink sockets.
8: */
9:
10: /* Structure to encapsulate addresses. I do not want to use
11: * "standard" structure. My apologies.
12: */
13: typedef union {
14: __be32 a4;
15: __be32 a6[4];
16: } xfrm_address_t;
17:
18: /* Ident of a specific xfrm_state. It is used on input to lookup
19: * the state by (spi,daddr,ah/esp) or to store information about
20: * spi, protocol and tunnel address on output.
21: */
22: struct xfrm_id {
23: xfrm_address_t daddr;
24: __be32 spi;
25: __u8 proto;
26: };
27:
28: struct xfrm_sec_ctx {
29: __u8 ctx_doi;
30: __u8 ctx_alg;
31: __u16 ctx_len;
32: __u32 ctx_sid;
33: char ctx_str[0];
34: };
35:
36: /* Security Context Domains of Interpretation */
37: #define XFRM_SC_DOI_RESERVED 0
38: #define XFRM_SC_DOI_LSM 1
39:
40: /* Security Context Algorithms */
41: #define XFRM_SC_ALG_RESERVED 0
42: #define XFRM_SC_ALG_SELINUX 1
43:
44: /* Selector, used as selector both on policy rules (SPD) and SAs. */
45:
46: struct xfrm_selector {
47: xfrm_address_t daddr;
48: xfrm_address_t saddr;
49: __be16 dport;
50: __be16 dport_mask;
51: __be16 sport;
52: __be16 sport_mask;
53: __u16 family;
54: __u8 prefixlen_d;
55: __u8 prefixlen_s;
56: __u8 proto;
57: int ifindex;
58: __kernel_uid32_t user;
59: };
60:
61: #define XFRM_INF (~(__u64)0)
62:
63: struct xfrm_lifetime_cfg {
64: __u64 soft_byte_limit;
65: __u64 hard_byte_limit;
66: __u64 soft_packet_limit;
67: __u64 hard_packet_limit;
68: __u64 soft_add_expires_seconds;
69: __u64 hard_add_expires_seconds;
70: __u64 soft_use_expires_seconds;
71: __u64 hard_use_expires_seconds;
72: };
73:
74: struct xfrm_lifetime_cur {
75: __u64 bytes;
76: __u64 packets;
77: __u64 add_time;
78: __u64 use_time;
79: };
80:
81: struct xfrm_replay_state {
82: __u32 oseq;
83: __u32 seq;
84: __u32 bitmap;
85: };
86:
87: #define XFRMA_REPLAY_ESN_MAX 4096
88:
89: struct xfrm_replay_state_esn {
90: unsigned int bmp_len;
91: __u32 oseq;
92: __u32 seq;
93: __u32 oseq_hi;
94: __u32 seq_hi;
95: __u32 replay_window;
96: __u32 bmp[0];
97: };
98:
99: struct xfrm_algo {
100: char alg_name[64];
101: unsigned int alg_key_len; /* in bits */
102: char alg_key[0];
103: };
104:
105: struct xfrm_algo_auth {
106: char alg_name[64];
107: unsigned int alg_key_len; /* in bits */
108: unsigned int alg_trunc_len; /* in bits */
109: char alg_key[0];
110: };
111:
112: struct xfrm_algo_aead {
113: char alg_name[64];
114: unsigned int alg_key_len; /* in bits */
115: unsigned int alg_icv_len; /* in bits */
116: char alg_key[0];
117: };
118:
119: struct xfrm_stats {
120: __u32 replay_window;
121: __u32 replay;
122: __u32 integrity_failed;
123: };
124:
125: enum {
126: XFRM_POLICY_TYPE_MAIN = 0,
127: XFRM_POLICY_TYPE_SUB = 1,
128: XFRM_POLICY_TYPE_MAX = 2,
129: XFRM_POLICY_TYPE_ANY = 255
130: };
131:
132: enum {
133: XFRM_POLICY_IN = 0,
134: XFRM_POLICY_OUT = 1,
135: XFRM_POLICY_FWD = 2,
136: XFRM_POLICY_MASK = 3,
137: XFRM_POLICY_MAX = 3
138: };
139:
140: enum {
141: XFRM_SHARE_ANY, /* No limitations */
142: XFRM_SHARE_SESSION, /* For this session only */
143: XFRM_SHARE_USER, /* For this user only */
144: XFRM_SHARE_UNIQUE /* Use once */
145: };
146:
147: #define XFRM_MODE_TRANSPORT 0
148: #define XFRM_MODE_TUNNEL 1
149: #define XFRM_MODE_ROUTEOPTIMIZATION 2
150: #define XFRM_MODE_IN_TRIGGER 3
151: #define XFRM_MODE_BEET 4
152: #define XFRM_MODE_MAX 5
153:
154: /* Netlink configuration messages. */
155: enum {
156: XFRM_MSG_BASE = 0x10,
157:
158: XFRM_MSG_NEWSA = 0x10,
159: #define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
160: XFRM_MSG_DELSA,
161: #define XFRM_MSG_DELSA XFRM_MSG_DELSA
162: XFRM_MSG_GETSA,
163: #define XFRM_MSG_GETSA XFRM_MSG_GETSA
164:
165: XFRM_MSG_NEWPOLICY,
166: #define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
167: XFRM_MSG_DELPOLICY,
168: #define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
169: XFRM_MSG_GETPOLICY,
170: #define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
171:
172: XFRM_MSG_ALLOCSPI,
173: #define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
174: XFRM_MSG_ACQUIRE,
175: #define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
176: XFRM_MSG_EXPIRE,
177: #define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
178:
179: XFRM_MSG_UPDPOLICY,
180: #define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
181: XFRM_MSG_UPDSA,
182: #define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
183:
184: XFRM_MSG_POLEXPIRE,
185: #define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
186:
187: XFRM_MSG_FLUSHSA,
188: #define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
189: XFRM_MSG_FLUSHPOLICY,
190: #define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
191:
192: XFRM_MSG_NEWAE,
193: #define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
194: XFRM_MSG_GETAE,
195: #define XFRM_MSG_GETAE XFRM_MSG_GETAE
196:
197: XFRM_MSG_REPORT,
198: #define XFRM_MSG_REPORT XFRM_MSG_REPORT
199:
200: XFRM_MSG_MIGRATE,
201: #define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE
202:
203: XFRM_MSG_NEWSADINFO,
204: #define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
205: XFRM_MSG_GETSADINFO,
206: #define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
207:
208: XFRM_MSG_NEWSPDINFO,
209: #define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
210: XFRM_MSG_GETSPDINFO,
211: #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
212:
213: XFRM_MSG_MAPPING,
214: #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
215: __XFRM_MSG_MAX
216: };
217: #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
218:
219: #define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
220:
221: /*
222: * Generic LSM security context for communicating to user space
223: * NOTE: Same format as sadb_x_sec_ctx
224: */
225: struct xfrm_user_sec_ctx {
226: __u16 len;
227: __u16 exttype;
228: __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
229: __u8 ctx_doi;
230: __u16 ctx_len;
231: };
232:
233: struct xfrm_user_tmpl {
234: struct xfrm_id id;
235: __u16 family;
236: xfrm_address_t saddr;
237: __u32 reqid;
238: __u8 mode;
239: __u8 share;
240: __u8 optional;
241: __u32 aalgos;
242: __u32 ealgos;
243: __u32 calgos;
244: };
245:
246: struct xfrm_encap_tmpl {
247: __u16 encap_type;
248: __be16 encap_sport;
249: __be16 encap_dport;
250: xfrm_address_t encap_oa;
251: };
252:
253: /* AEVENT flags */
254: enum xfrm_ae_ftype_t {
255: XFRM_AE_UNSPEC,
256: XFRM_AE_RTHR=1, /* replay threshold*/
257: XFRM_AE_RVAL=2, /* replay value */
258: XFRM_AE_LVAL=4, /* lifetime value */
259: XFRM_AE_ETHR=8, /* expiry timer threshold */
260: XFRM_AE_CR=16, /* Event cause is replay update */
261: XFRM_AE_CE=32, /* Event cause is timer expiry */
262: XFRM_AE_CU=64, /* Event cause is policy update */
263: __XFRM_AE_MAX
264:
265: #define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
266: };
267:
268: struct xfrm_userpolicy_type {
269: __u8 type;
270: __u16 reserved1;
271: __u8 reserved2;
272: };
273:
274: /* Netlink message attributes. */
275: enum xfrm_attr_type_t {
276: XFRMA_UNSPEC,
277: XFRMA_ALG_AUTH, /* struct xfrm_algo */
278: XFRMA_ALG_CRYPT, /* struct xfrm_algo */
279: XFRMA_ALG_COMP, /* struct xfrm_algo */
280: XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
281: XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
282: XFRMA_SA, /* struct xfrm_usersa_info */
283: XFRMA_POLICY, /*struct xfrm_userpolicy_info */
284: XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
285: XFRMA_LTIME_VAL,
286: XFRMA_REPLAY_VAL,
287: XFRMA_REPLAY_THRESH,
288: XFRMA_ETIMER_THRESH,
289: XFRMA_SRCADDR, /* xfrm_address_t */
290: XFRMA_COADDR, /* xfrm_address_t */
291: XFRMA_LASTUSED, /* unsigned long */
292: XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */
293: XFRMA_MIGRATE,
294: XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */
295: XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */
296: XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
297: XFRMA_MARK, /* struct xfrm_mark */
298: XFRMA_TFCPAD, /* __u32 */
299: XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_state_esn */
300: XFRMA_SA_EXTRA_FLAGS, /* __u32 */
301: XFRMA_PROTO, /* __u8 */
302: XFRMA_ADDRESS_FILTER, /* struct xfrm_address_filter */
303: XFRMA_PAD,
304: XFRMA_OFFLOAD_DEV, /* struct xfrm_state_offload */
305: XFRMA_SET_MARK, /* __u32 */
306: XFRMA_SET_MARK_MASK, /* __u32 */
307: XFRMA_IF_ID, /* __u32 */
308: __XFRMA_MAX
309:
310: #define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */
311: #define XFRMA_MAX (__XFRMA_MAX - 1)
312: };
313:
314: struct xfrm_mark {
315: __u32 v; /* value */
316: __u32 m; /* mask */
317: };
318:
319: enum xfrm_sadattr_type_t {
320: XFRMA_SAD_UNSPEC,
321: XFRMA_SAD_CNT,
322: XFRMA_SAD_HINFO,
323: __XFRMA_SAD_MAX
324:
325: #define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
326: };
327:
328: struct xfrmu_sadhinfo {
329: __u32 sadhcnt; /* current hash bkts */
330: __u32 sadhmcnt; /* max allowed hash bkts */
331: };
332:
333: enum xfrm_spdattr_type_t {
334: XFRMA_SPD_UNSPEC,
335: XFRMA_SPD_INFO,
336: XFRMA_SPD_HINFO,
337: XFRMA_SPD_IPV4_HTHRESH,
338: XFRMA_SPD_IPV6_HTHRESH,
339: __XFRMA_SPD_MAX
340:
341: #define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
342: };
343:
344: struct xfrmu_spdinfo {
345: __u32 incnt;
346: __u32 outcnt;
347: __u32 fwdcnt;
348: __u32 inscnt;
349: __u32 outscnt;
350: __u32 fwdscnt;
351: };
352:
353: struct xfrmu_spdhinfo {
354: __u32 spdhcnt;
355: __u32 spdhmcnt;
356: };
357:
358: struct xfrmu_spdhthresh {
359: __u8 lbits;
360: __u8 rbits;
361: };
362:
363: struct xfrm_usersa_info {
364: struct xfrm_selector sel;
365: struct xfrm_id id;
366: xfrm_address_t saddr;
367: struct xfrm_lifetime_cfg lft;
368: struct xfrm_lifetime_cur curlft;
369: struct xfrm_stats stats;
370: __u32 seq;
371: __u32 reqid;
372: __u16 family;
373: __u8 mode; /* XFRM_MODE_xxx */
374: __u8 replay_window;
375: __u8 flags;
376: #define XFRM_STATE_NOECN 1
377: #define XFRM_STATE_DECAP_DSCP 2
378: #define XFRM_STATE_NOPMTUDISC 4
379: #define XFRM_STATE_WILDRECV 8
380: #define XFRM_STATE_ICMP 16
381: #define XFRM_STATE_AF_UNSPEC 32
382: #define XFRM_STATE_ALIGN4 64
383: #define XFRM_STATE_ESN 128
384: };
385:
386: #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
387:
388: struct xfrm_usersa_id {
389: xfrm_address_t daddr;
390: __be32 spi;
391: __u16 family;
392: __u8 proto;
393: };
394:
395: struct xfrm_aevent_id {
396: struct xfrm_usersa_id sa_id;
397: xfrm_address_t saddr;
398: __u32 flags;
399: __u32 reqid;
400: };
401:
402: struct xfrm_userspi_info {
403: struct xfrm_usersa_info info;
404: __u32 min;
405: __u32 max;
406: };
407:
408: struct xfrm_userpolicy_info {
409: struct xfrm_selector sel;
410: struct xfrm_lifetime_cfg lft;
411: struct xfrm_lifetime_cur curlft;
412: __u32 priority;
413: __u32 index;
414: __u8 dir;
415: __u8 action;
416: #define XFRM_POLICY_ALLOW 0
417: #define XFRM_POLICY_BLOCK 1
418: __u8 flags;
419: #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
420: /* Automatically expand selector to include matching ICMP payloads. */
421: #define XFRM_POLICY_ICMP 2
422: __u8 share;
423: };
424:
425: struct xfrm_userpolicy_id {
426: struct xfrm_selector sel;
427: __u32 index;
428: __u8 dir;
429: };
430:
431: struct xfrm_user_acquire {
432: struct xfrm_id id;
433: xfrm_address_t saddr;
434: struct xfrm_selector sel;
435: struct xfrm_userpolicy_info policy;
436: __u32 aalgos;
437: __u32 ealgos;
438: __u32 calgos;
439: __u32 seq;
440: };
441:
442: struct xfrm_user_expire {
443: struct xfrm_usersa_info state;
444: __u8 hard;
445: };
446:
447: struct xfrm_user_polexpire {
448: struct xfrm_userpolicy_info pol;
449: __u8 hard;
450: };
451:
452: struct xfrm_usersa_flush {
453: __u8 proto;
454: };
455:
456: struct xfrm_user_report {
457: __u8 proto;
458: struct xfrm_selector sel;
459: };
460:
461: /* Used by MIGRATE to pass addresses IKE should use to perform
462: * SA negotiation with the peer */
463: struct xfrm_user_kmaddress {
464: xfrm_address_t local;
465: xfrm_address_t remote;
466: __u32 reserved;
467: __u16 family;
468: };
469:
470: struct xfrm_user_migrate {
471: xfrm_address_t old_daddr;
472: xfrm_address_t old_saddr;
473: xfrm_address_t new_daddr;
474: xfrm_address_t new_saddr;
475: __u8 proto;
476: __u8 mode;
477: __u16 reserved;
478: __u32 reqid;
479: __u16 old_family;
480: __u16 new_family;
481: };
482:
483: struct xfrm_user_mapping {
484: struct xfrm_usersa_id id;
485: __u32 reqid;
486: xfrm_address_t old_saddr;
487: xfrm_address_t new_saddr;
488: __be16 old_sport;
489: __be16 new_sport;
490: };
491:
492: struct xfrm_address_filter {
493: xfrm_address_t saddr;
494: xfrm_address_t daddr;
495: __u16 family;
496: __u8 splen;
497: __u8 dplen;
498: };
499:
500: struct xfrm_user_offload {
501: int ifindex;
502: __u8 flags;
503: };
504: #define XFRM_OFFLOAD_IPV6 1
505: #define XFRM_OFFLOAD_INBOUND 2
506:
507: #ifndef __KERNEL__
508: /* backwards compatibility for userspace */
509: #define XFRMGRP_ACQUIRE 1
510: #define XFRMGRP_EXPIRE 2
511: #define XFRMGRP_SA 4
512: #define XFRMGRP_POLICY 8
513: #define XFRMGRP_REPORT 0x20
514: #endif
515:
516: enum xfrm_nlgroups {
517: XFRMNLGRP_NONE,
518: #define XFRMNLGRP_NONE XFRMNLGRP_NONE
519: XFRMNLGRP_ACQUIRE,
520: #define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
521: XFRMNLGRP_EXPIRE,
522: #define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
523: XFRMNLGRP_SA,
524: #define XFRMNLGRP_SA XFRMNLGRP_SA
525: XFRMNLGRP_POLICY,
526: #define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
527: XFRMNLGRP_AEVENTS,
528: #define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
529: XFRMNLGRP_REPORT,
530: #define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
531: XFRMNLGRP_MIGRATE,
532: #define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
533: XFRMNLGRP_MAPPING,
534: #define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING
535: __XFRMNLGRP_MAX
536: };
537: #define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
538:
539: #endif /* _LINUX_XFRM_H */