1.1 ! misho 1: /*
! 2: * Copyright (C) 2008-2019 Tobias Brunner
! 3: * Copyright (C) 2016 Andreas Steffen
! 4: * Copyright (C) 2005-2007 Martin Willi
! 5: * Copyright (C) 2005 Jan Hutter
! 6: * HSR Hochschule fuer Technik Rapperswil
! 7: *
! 8: * This program is free software; you can redistribute it and/or modify it
! 9: * under the terms of the GNU General Public License as published by the
! 10: * Free Software Foundation; either version 2 of the License, or (at your
! 11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 12: *
! 13: * This program is distributed in the hope that it will be useful, but
! 14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 16: * for more details.
! 17: */
! 18:
! 19: /**
! 20: * @defgroup child_cfg child_cfg
! 21: * @{ @ingroup config
! 22: */
! 23:
! 24: #ifndef CHILD_CFG_H_
! 25: #define CHILD_CFG_H_
! 26:
/* Forward typedefs for the types defined further down. They are placed
 * before the includes, presumably so that headers included below can already
 * refer to child_cfg_t and friends (circular include dependencies) — confirm
 * if reordering. */
typedef enum action_t action_t;
typedef enum child_cfg_option_t child_cfg_option_t;
typedef struct child_cfg_t child_cfg_t;
typedef struct child_cfg_create_t child_cfg_create_t;
! 31:
! 32: #include <library.h>
! 33: #include <selectors/traffic_selector.h>
! 34: #include <crypto/proposal/proposal.h>
! 35: #include <kernel/kernel_ipsec.h>
! 36:
/**
 * What to do with a CHILD_SA when its connection is loaded, when DPD detects
 * a dead peer, or when the peer closes the CHILD_SA.
 *
 * Used for the start, DPD and close actions of a child_cfg_t.
 */
enum action_t {
	/** Do nothing */
	ACTION_NONE,
	/** Route the config so the CHILD_SA is established or reestablished on demand */
	ACTION_ROUTE,
	/** Establish or reestablish the CHILD_SA immediately */
	ACTION_RESTART,
};
! 49:
/**
 * enum_name_t lookup table for action_t, used to print action values by name
 * (e.g. in logs) rather than as numbers.
 */
extern enum_name_t *action_names;
! 54:
/**
 * A child_cfg_t is the configuration template from which CHILD_SAs are built.
 *
 * Proposals and traffic selectors are added after creation. The object is
 * shared between several owners via reference counting (get_ref/destroy) and
 * is not thread-safe for modification: concurrent reads are fine, but the
 * add_* methods must not run while other threads may access the object.
 *
 * @see peer_cfg_t for an overview of the configuration objects.
 */
struct child_cfg_t {

	/**
	 * Name of this child_cfg.
	 *
	 * @return				name (NOTE(review): presumably owned by the config
	 *						and not to be freed by the caller — confirm)
	 */
	char *(*get_name)(child_cfg_t *this);

	/**
	 * Append a proposal to the configured list.
	 *
	 * Proposals are kept in order of preference, the first one added being
	 * the most preferred. Passing NULL is allowed and has no effect. Ownership
	 * of a non-NULL proposal passes to the child_cfg.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal)(child_cfg_t *this, proposal_t *proposal);

	/**
	 * Copy of the configured proposal list.
	 *
	 * @param strip_dh		TRUE to strip Diffie-Hellman groups from the copies
	 * @return				list of proposals; list and proposals are owned by
	 *						the caller and must be destroyed after use
	 */
	linked_list_t *(*get_proposals)(child_cfg_t *this, bool strip_dh);

	/**
	 * Pick the proposal to use from a list of candidates (e.g. the list
	 * received from the peer) by matching them against the configured ones.
	 *
	 * @param proposals		candidate proposals to select from
	 * @param flags			proposal_selection_flag_t flags honoured during
	 *						selection
	 * @return				newly created proposal to be destroyed after use,
	 *						or NULL if no candidate matches the configuration
	 */
	proposal_t *(*select_proposal)(child_cfg_t *this, linked_list_t *proposals,
								   proposal_selection_flag_t flags);

	/**
	 * Add a traffic selector for one side of the CHILD_SA.
	 *
	 * Ownership of the traffic selector passes to the child_cfg.
	 *
	 * @param local			TRUE to add it to the local side, FALSE for remote
	 * @param ts			traffic selector to add
	 */
	void (*add_traffic_selector)(child_cfg_t *this, bool local,
								 traffic_selector_t *ts);

	/**
	 * Derive the traffic selectors to use for one side of the CHILD_SA.
	 *
	 * The config keeps one set of traffic selectors per side. If a list is
	 * supplied, the configured set is narrowed down against it to the
	 * greatest common divisor of both. "Dynamic" traffic selectors, which
	 * stand for a single specific address (host-to-host or virtual-IP
	 * setups), are narrowed to the addresses given in hosts.
	 *
	 * @param local			TRUE for the local side, FALSE for remote
	 * @param supplied		traffic selectors to narrow against, or NULL
	 * @param hosts			list of host_t used to narrow "dynamic" selectors
	 * @param log			FALSE to suppress logging of selection details
	 * @return				list of traffic selectors; list and selectors are
	 *						owned by the caller and must be destroyed after use
	 */
	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
											linked_list_t *supplied,
											linked_list_t *hosts, bool log);

	/**
	 * Path of the updown script executed on up/down events of the CHILD_SA.
	 *
	 * @return				path to the updown script (NOTE(review): presumably
	 *						NULL if none is configured — confirm)
	 */
	char *(*get_updown)(child_cfg_t *this);

	/**
	 * Lifetime configuration for a CHILD_SA.
	 *
	 * The rekey limits include a random jitter so that both peers do not
	 * rekey at the same time; with jitter enabled the returned values
	 * therefore differ from call to call.
	 *
	 * @param jitter		TRUE to subtract the jitter and randomize lifetimes
	 * @return				lifetime_cfg_t owned by the caller (has to be freed)
	 */
	lifetime_cfg_t *(*get_lifetime)(child_cfg_t *this, bool jitter);

	/**
	 * IPsec mode to use for the CHILD_SA.
	 *
	 * One of tunnel, transport or BEET. The peer has to agree on the mode;
	 * the fallback is tunnel mode.
	 *
	 * @return				ipsec_mode_t
	 */
	ipsec_mode_t (*get_mode)(child_cfg_t *this);

	/**
	 * Action to take to start the CHILD_SA.
	 *
	 * @return				start action
	 */
	action_t (*get_start_action)(child_cfg_t *this);

	/**
	 * Action to take when DPD detects a dead peer.
	 *
	 * @return				DPD action
	 */
	action_t (*get_dpd_action)(child_cfg_t *this);

	/**
	 * Hardware offload mode for the CHILD_SA.
	 *
	 * @return				hw_offload_t
	 */
	hw_offload_t (*get_hw_offload)(child_cfg_t *this);

	/**
	 * How the DS header field is copied for the CHILD_SA.
	 *
	 * @return				dscp_copy_t copy mode
	 */
	dscp_copy_t (*get_copy_dscp)(child_cfg_t *this);

	/**
	 * Action to take when the CHILD_SA gets closed by the peer.
	 *
	 * @return				close action
	 */
	action_t (*get_close_action)(child_cfg_t *this);

	/**
	 * Diffie-Hellman group to use when setting up the CHILD_SA.
	 *
	 * @return				DH group
	 */
	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);

	/**
	 * Inactivity timeout after which the CHILD_SA is closed.
	 *
	 * @return				timeout in seconds (NOTE(review): presumably 0 when
	 *						disabled — confirm)
	 */
	uint32_t (*get_inactivity)(child_cfg_t *this);

	/**
	 * Fixed reqid configured for the CHILD_SA.
	 *
	 * @return				reqid, 0 if it is assigned automatically
	 */
	uint32_t (*get_reqid)(child_cfg_t *this);

	/**
	 * Optional interface ID to set on policies/SAs.
	 *
	 * @param inbound		TRUE for the inbound, FALSE for the outbound ID
	 * @return				interface ID
	 */
	uint32_t (*get_if_id)(child_cfg_t *this, bool inbound);

	/**
	 * Optional mark to set on policies/SAs.
	 *
	 * @param inbound		TRUE for the inbound, FALSE for the outbound mark
	 * @return				mark
	 */
	mark_t (*get_mark)(child_cfg_t *this, bool inbound);

	/**
	 * Optional mark the SAs apply to packets after processing them.
	 *
	 * @param inbound		TRUE for the inbound, FALSE for the outbound mark
	 * @return				mark
	 */
	mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);

	/**
	 * TFC (traffic flow confidentiality) padding to use for the CHILD_SA.
	 *
	 * @return				padding size; 0 disables TFC padding, -1 (which is
	 *						UINT32_MAX in this unsigned type) pads to the PMTU
	 */
	uint32_t (*get_tfc)(child_cfg_t *this);

	/**
	 * Manually configured IPsec policy priority, if any.
	 *
	 * @return				policy priority, 0 if it is chosen automatically
	 */
	uint32_t (*get_manual_prio)(child_cfg_t *this);

	/**
	 * Network interface the IPsec policies are restricted to, if any.
	 *
	 * @return				interface name (NOTE(review): presumably NULL if
	 *						the policies are not restricted — confirm)
	 */
	char *(*get_interface)(child_cfg_t *this);

	/**
	 * Anti-replay window size for the CHILD_SA.
	 *
	 * @return				anti-replay window size
	 */
	uint32_t (*get_replay_window)(child_cfg_t *this);

	/**
	 * Override the anti-replay window size.
	 *
	 * This modifies the config and is presumably subject to the same
	 * restriction as the add_* methods: do not call it while other threads
	 * may be reading the object.
	 *
	 * @param window		anti-replay window size
	 */
	void (*set_replay_window)(child_cfg_t *this, uint32_t window);

	/**
	 * Test whether a child_cfg_option_t flag is set.
	 *
	 * @param option		flag to test
	 * @return				TRUE if the flag is set, FALSE otherwise
	 */
	bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);

	/**
	 * Compare this config with another one.
	 *
	 * @param other			config to compare against
	 * @return				TRUE if both configs are equal
	 */
	bool (*equals)(child_cfg_t *this, child_cfg_t *other);

	/**
	 * Take an additional reference on this config.
	 *
	 * @return				this
	 */
	child_cfg_t *(*get_ref)(child_cfg_t *this);

	/**
	 * Release a reference, destroying the config once the last one is gone.
	 */
	void (*destroy)(child_cfg_t *this);
};
! 316:
/**
 * Bit flags that may be set on a child_cfg_t object.
 *
 * Each value is a distinct bit, so several options can be combined with
 * bitwise OR in child_cfg_create_t.options and tested with has_option().
 */
enum child_cfg_option_t {

	/** Use IPsec transport proxy mode */
	OPT_PROXY_MODE = (1 << 0),

	/** Use IPComp if the peer supports it */
	OPT_IPCOMP = (1 << 1),

	/** Allow access to the local host */
	OPT_HOSTACCESS = (1 << 2),

	/** Don't install any IPsec policies for the CHILD_SA */
	OPT_NO_POLICIES = (1 << 3),

	/** Install outbound FWD IPsec policies so traffic bypasses drop policies */
	OPT_FWD_OUT_POLICIES = (1 << 4),

	/**
	 * Force 96-bit truncation of the SHA-256 integrity check value instead of
	 * the 128 bits RFC 4868 specifies; this shortens the ICV and exists for
	 * interoperability with peers that use the non-standard truncation
	 */
	OPT_SHA256_96 = (1 << 5),

	/** Set the mark on inbound SAs as well */
	OPT_MARK_IN_SA = (1 << 6),

	/** Don't copy the DF bit to the outer IPv4 header in tunnel mode */
	OPT_NO_COPY_DF = (1 << 7),

	/** Don't copy the ECN header field in tunnel mode */
	OPT_NO_COPY_ECN = (1 << 8),
};
! 349:
/**
 * Parameters passed to child_cfg_create().
 *
 * String members marked "(cloned)" are copied by the constructor, so the
 * caller keeps ownership of the strings it passes in. The field order is part
 * of the interface (positional initializers); do not reorder.
 */
struct child_cfg_create_t {
	/** child_cfg_option_t flags, combined with bitwise OR */
	child_cfg_option_t options;
	/** reqid to use for the CHILD_SA, 0 to have one assigned automatically */
	uint32_t reqid;
	/** inbound interface ID, optional */
	uint32_t if_id_in;
	/** outbound interface ID, optional */
	uint32_t if_id_out;
	/** inbound mark, optional */
	mark_t mark_in;
	/** outbound mark, optional */
	mark_t mark_out;
	/** mark the SA applies to inbound traffic after processing, optional */
	mark_t set_mark_in;
	/** mark the SA applies to outbound traffic after processing, optional */
	mark_t set_mark_out;
	/** IPsec mode to propose for the CHILD_SA */
	ipsec_mode_t mode;
	/** TFC padding size, 0 to disable, -1 (UINT32_MAX) to pad to the PMTU */
	uint32_t tfc;
	/** manually set IPsec policy priority, 0 for automatic */
	uint32_t priority;
	/** network interface the IPsec policies are restricted to (cloned) */
	char *interface;
	/** lifetime configuration for the CHILD_SA, embedded by value */
	lifetime_cfg_t lifetime;
	/** inactivity timeout in seconds after which the CHILD_SA is closed */
	uint32_t inactivity;
	/** action_t used to start the CHILD_SA */
	action_t start_action;
	/** action_t taken when DPD detects a dead peer */
	action_t dpd_action;
	/** action_t taken when the CHILD_SA is closed by the peer */
	action_t close_action;
	/** updown script executed on up/down events (cloned) */
	char *updown;
	/** hardware offload mode */
	hw_offload_t hw_offload;
	/** how to handle the DS header field in tunnel mode */
	dscp_copy_t copy_dscp;
};
! 395:
/**
 * Create a configuration template for CHILD_SA setup.
 *
 * After a call to create, a reference is obtained (refcount = 1); release it
 * with the object's destroy() method.
 *
 * @param name		name of the child_cfg (cloned)
 * @param data		data for this child_cfg; data->interface and data->updown
 *					are cloned (NOTE(review): the remaining fields are
 *					presumably copied by value and the caller keeps ownership
 *					of *data — confirm against child_cfg.c)
 * @return			child_cfg_t object
 */
child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
! 406:
! 407: #endif /** CHILD_CFG_H_ @}*/