Annotation of embedaddon/strongswan/src/libcharon/config/child_cfg.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2008-2019 Tobias Brunner
3: * Copyright (C) 2016 Andreas Steffen
4: * Copyright (C) 2005-2007 Martin Willi
5: * Copyright (C) 2005 Jan Hutter
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: /**
20: * @defgroup child_cfg child_cfg
21: * @{ @ingroup config
22: */
23:
24: #ifndef CHILD_CFG_H_
25: #define CHILD_CFG_H_
26:
27: typedef enum action_t action_t;
28: typedef enum child_cfg_option_t child_cfg_option_t;
29: typedef struct child_cfg_t child_cfg_t;
30: typedef struct child_cfg_create_t child_cfg_create_t;
31:
32: #include <library.h>
33: #include <selectors/traffic_selector.h>
34: #include <crypto/proposal/proposal.h>
35: #include <kernel/kernel_ipsec.h>
36:
37: /**
38: * Action to take when connection is loaded, DPD is detected or
39: * connection gets closed by peer.
40: */
41: enum action_t {
42: /** No action */
43: ACTION_NONE,
44: /** Route config to establish or reestablish on demand */
45: ACTION_ROUTE,
46: /** Start or restart config immediately */
47: ACTION_RESTART,
48: };
49:
50: /**
51: * enum names for action_t.
52: */
53: extern enum_name_t *action_names;
54:
55: /**
56: * A child_cfg_t defines the config template for a CHILD_SA.
57: *
58: * After creation, proposals and traffic selectors may be added to the config.
59: * A child_cfg object is referenced multiple times, and is not thread save.
60: * Reading from the object is save, adding things is not allowed while other
61: * threads may access the object.
62: * A reference counter handles the number of references hold to this config.
63: *
64: * @see peer_cfg_t to get an overview over the configurations.
65: */
66: struct child_cfg_t {
67:
68: /**
69: * Get the name of the child_cfg.
70: *
71: * @return child_cfg's name
72: */
73: char *(*get_name) (child_cfg_t *this);
74:
75: /**
76: * Add a proposal to the list.
77: *
78: * The proposals are stored by priority, first added
79: * is the most preferred. It is safe to add NULL as proposal, which has no
80: * effect. After add, proposal is owned by child_cfg.
81: *
82: * @param proposal proposal to add, or NULL
83: */
84: void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
85:
86: /**
87: * Get the list of proposals for the CHILD_SA.
88: *
89: * Resulting list and all of its proposals must be freed after use.
90: *
91: * @param strip_dh TRUE strip out diffie hellman groups
92: * @return list of proposals
93: */
94: linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
95:
96: /**
97: * Select a proposal from a supplied list.
98: *
99: * Returned proposal is newly created and must be destroyed after usage.
100: *
101: * @param proposals list from which proposals are selected
102: * @param flags flags to consider during proposal selection
103: * @return selected proposal, or NULL if nothing matches
104: */
105: proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
106: proposal_selection_flag_t flags);
107:
108: /**
109: * Add a traffic selector to the config.
110: *
111: * Use the "local" parameter to add it for the local or the remote side.
112: * After add, traffic selector is owned by child_cfg.
113: *
114: * @param local TRUE for local side, FALSE for remote
115: * @param ts traffic_selector to add
116: */
117: void (*add_traffic_selector)(child_cfg_t *this, bool local,
118: traffic_selector_t *ts);
119:
120: /**
121: * Get a list of traffic selectors to use for the CHILD_SA.
122: *
123: * The config contains two set of traffic selectors, one for the local
124: * side, one for the remote side.
125: * If a list with traffic selectors is supplied, these are used to narrow
126: * down the traffic selector list to the greatest common divisor.
127: * Some traffic selector may be "dynamic", meaning they are narrowed down
128: * to a specific address (host-to-host or virtual-IP setups). Use
129: * the "host" parameter to narrow such traffic selectors to that address.
130: * Resulted list and its traffic selectors must be destroyed after use.
131: *
132: * @param local TRUE for TS on local side, FALSE for remote
133: * @param supplied list with TS to select from, or NULL
134: * @param hosts addresses to use for narrowing "dynamic" TS', host_t
135: * @param log FALSE to avoid logging details about the selection
136: * @return list containing the traffic selectors
137: */
138: linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
139: linked_list_t *supplied,
140: linked_list_t *hosts, bool log);
141:
142: /**
143: * Get the updown script to run for the CHILD_SA.
144: *
145: * @return path to updown script
146: */
147: char* (*get_updown)(child_cfg_t *this);
148:
149: /**
150: * Get the lifetime configuration of a CHILD_SA.
151: *
152: * The rekey limits automatically contain a jitter to avoid simultaneous
153: * rekeying. These values will change with each call to this function.
154: *
155: * @param jitter subtract jitter value to randomize lifetimes
156: * @return lifetime_cfg_t (has to be freed)
157: */
158: lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
159:
160: /**
161: * Get the mode to use for the CHILD_SA.
162: *
163: * The mode is either tunnel, transport or BEET. The peer must agree
164: * on the method, fallback is tunnel mode.
165: *
166: * @return ipsec mode
167: */
168: ipsec_mode_t (*get_mode) (child_cfg_t *this);
169:
170: /**
171: * Action to take to start CHILD_SA.
172: *
173: * @return start action
174: */
175: action_t (*get_start_action) (child_cfg_t *this);
176:
177: /**
178: * Action to take on DPD.
179: *
180: * @return DPD action
181: */
182: action_t (*get_dpd_action) (child_cfg_t *this);
183:
184: /**
185: * Get the HW offload mode to use for the CHILD_SA.
186: *
187: * @return hw offload mode
188: */
189: hw_offload_t (*get_hw_offload) (child_cfg_t *this);
190:
191: /**
192: * Get the copy mode for the DS header field to use for the CHILD_SA.
193: *
194: * @return IP header copy mode
195: */
196: dscp_copy_t (*get_copy_dscp) (child_cfg_t *this);
197:
198: /**
199: * Action to take if CHILD_SA gets closed.
200: *
201: * @return close action
202: */
203: action_t (*get_close_action) (child_cfg_t *this);
204:
205: /**
206: * Get the DH group to use for CHILD_SA setup.
207: *
208: * @return dh group to use
209: */
210: diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
211:
212: /**
213: * Get the inactivity timeout value.
214: *
215: * @return inactivity timeout in s
216: */
217: uint32_t (*get_inactivity)(child_cfg_t *this);
218:
219: /**
220: * Specific reqid to use for CHILD_SA.
221: *
222: * @return reqid
223: */
224: uint32_t (*get_reqid)(child_cfg_t *this);
225:
226: /**
227: * Optional interface ID to set on policies/SAs.
228: *
229: * @param inbound TRUE for inbound, FALSE for outbound
230: * @return interface ID
231: */
232: uint32_t (*get_if_id)(child_cfg_t *this, bool inbound);
233:
234: /**
235: * Optional mark to set on policies/SAs.
236: *
237: * @param inbound TRUE for inbound, FALSE for outbound
238: * @return mark
239: */
240: mark_t (*get_mark)(child_cfg_t *this, bool inbound);
241:
242: /**
243: * Optional mark the SAs should apply after processing packets.
244: *
245: * @param inbound TRUE for inbound, FALSE for outbound
246: * @return mark
247: */
248: mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);
249:
250: /**
251: * Get the TFC padding value to use for CHILD_SA.
252: *
253: * @return TFC padding, 0 to disable, -1 for MTU
254: */
255: uint32_t (*get_tfc)(child_cfg_t *this);
256:
257: /**
258: * Get optional manually-set IPsec policy priority
259: *
260: * @return manually-set IPsec policy priority (automatic if 0)
261: */
262: uint32_t (*get_manual_prio)(child_cfg_t *this);
263:
264: /**
265: * Get optional network interface restricting IPsec policy
266: *
267: * @return network interface)
268: */
269: char* (*get_interface)(child_cfg_t *this);
270:
271: /**
272: * Get anti-replay window size
273: *
274: * @return anti-replay window size
275: */
276: uint32_t (*get_replay_window)(child_cfg_t *this);
277:
278: /**
279: * Set anti-replay window size
280: *
281: * @param window anti-replay window size
282: */
283: void (*set_replay_window)(child_cfg_t *this, uint32_t window);
284:
285: /**
286: * Check if an option flag is set.
287: *
288: * @param option option flag to check
289: * @return TRUE if option flag set, FALSE otherwise
290: */
291: bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
292:
293: /**
294: * Check if two child_cfg objects are equal.
295: *
296: * @param other candidate to check for equality against this
297: * @return TRUE if equal
298: */
299: bool (*equals)(child_cfg_t *this, child_cfg_t *other);
300:
301: /**
302: * Increase the reference count.
303: *
304: * @return reference to this
305: */
306: child_cfg_t* (*get_ref) (child_cfg_t *this);
307:
308: /**
309: * Destroys the child_cfg object.
310: *
311: * Decrements the internal reference counter and
312: * destroys the child_cfg when it reaches zero.
313: */
314: void (*destroy) (child_cfg_t *this);
315: };
316:
317: /**
318: * Option flags that may be set on a child_cfg_t object
319: */
320: enum child_cfg_option_t {
321:
322: /** Use IPsec transport proxy mode */
323: OPT_PROXY_MODE = (1<<0),
324:
325: /** Use IPComp, if peer supports it */
326: OPT_IPCOMP = (1<<1),
327:
328: /** Allow access to the local host */
329: OPT_HOSTACCESS = (1<<2),
330:
331: /** Don't install any IPsec policies */
332: OPT_NO_POLICIES = (1<<3),
333:
334: /** Install outbound FWD IPsec policies to bypass drop policies */
335: OPT_FWD_OUT_POLICIES = (1<<4),
336:
337: /** Force 96-bit truncation for SHA-256 */
338: OPT_SHA256_96 = (1<<5),
339:
340: /** Set mark on inbound SAs */
341: OPT_MARK_IN_SA = (1<<6),
342:
343: /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
344: OPT_NO_COPY_DF = (1<<7),
345:
346: /** Disable copying the ECN header field in tunnel mode */
347: OPT_NO_COPY_ECN = (1<<8),
348: };
349:
350: /**
351: * Data passed to the constructor of a child_cfg_t object.
352: */
353: struct child_cfg_create_t {
354: /** Options set for CHILD_SA */
355: child_cfg_option_t options;
356: /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
357: uint32_t reqid;
358: /** Optional inbound interface ID */
359: uint32_t if_id_in;
360: /** Optional outbound interface ID */
361: uint32_t if_id_out;
362: /** Optional inbound mark */
363: mark_t mark_in;
364: /** Optional outbound mark */
365: mark_t mark_out;
366: /** Optional inbound mark the SA should apply to traffic */
367: mark_t set_mark_in;
368: /** Optional outbound mark the SA should apply to traffic */
369: mark_t set_mark_out;
370: /** Mode to propose for CHILD_SA */
371: ipsec_mode_t mode;
372: /** TFC padding size, 0 to disable, -1 to pad to PMTU */
373: uint32_t tfc;
374: /** Optional manually-set IPsec policy priority */
375: uint32_t priority;
376: /** Optional network interface restricting IPsec policy (cloned) */
377: char *interface;
378: /** lifetime_cfg_t for this child_cfg */
379: lifetime_cfg_t lifetime;
380: /** Inactivity timeout in s before closing a CHILD_SA */
381: uint32_t inactivity;
382: /** Start action */
383: action_t start_action;
384: /** DPD action */
385: action_t dpd_action;
386: /** Close action */
387: action_t close_action;
388: /** updown script to execute on up/down event (cloned) */
389: char *updown;
390: /** HW offload mode */
391: hw_offload_t hw_offload;
392: /** How to handle the DS header field in tunnel mode */
393: dscp_copy_t copy_dscp;
394: };
395:
396: /**
397: * Create a configuration template for CHILD_SA setup.
398: *
399: * After a call to create, a reference is obtained (refcount = 1).
400: *
401: * @param name name of the child_cfg (cloned)
402: * @param data data for this child_cfg
403: * @return child_cfg_t object
404: */
405: child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
406:
407: #endif /** CHILD_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to child_cfg.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / config