Annotation of embedaddon/strongswan/src/libcharon/kernel/kernel_interface.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2006-2016 Tobias Brunner
3: * Copyright (C) 2006 Daniel Roethlisberger
4: * Copyright (C) 2005-2006 Martin Willi
5: * Copyright (C) 2005 Jan Hutter
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: /*
20: * Copyright (c) 2012 Nanoteq Pty Ltd
21: *
22: * Permission is hereby granted, free of charge, to any person obtaining a copy
23: * of this software and associated documentation files (the "Software"), to deal
24: * in the Software without restriction, including without limitation the rights
25: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26: * copies of the Software, and to permit persons to whom the Software is
27: * furnished to do so, subject to the following conditions:
28: *
29: * The above copyright notice and this permission notice shall be included in
30: * all copies or substantial portions of the Software.
31: *
32: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38: * THE SOFTWARE.
39: */
40:
41: /**
42: * @defgroup kernel_interface kernel_interface
43: * @{ @ingroup kernel
44: */
45:
46: #ifndef KERNEL_INTERFACE_H_
47: #define KERNEL_INTERFACE_H_
48:
49: typedef struct kernel_interface_t kernel_interface_t;
50: typedef enum kernel_feature_t kernel_feature_t;
51:
52: #include <networking/host.h>
53: #include <crypto/prf_plus.h>
54:
55: #include <kernel/kernel_listener.h>
56: #include <kernel/kernel_ipsec.h>
57: #include <kernel/kernel_net.h>
58:
59: /**
60: * Default range for SPIs requested from kernels
61: */
62: #define KERNEL_SPI_MIN 0xc0000000
63: #define KERNEL_SPI_MAX 0xcfffffff
64:
65: /**
66: * Bitfield of optional features a kernel backend supports.
67: *
68: * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
69: * backend returns a subset of these features.
70: */
71: enum kernel_feature_t {
72: /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
73: KERNEL_ESP_V3_TFC = (1<<0),
74: /** Networking requires an "exclude" route for IKE/ESP packets */
75: KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
76: /** IPsec implementation requires UDP encapsulation of ESP packets */
77: KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
78: /** IPsec backend does not require a policy reinstall on SA updates */
79: KERNEL_NO_POLICY_UPDATES = (1<<3),
80: /** IPsec backend supports installing SPIs on policies */
81: KERNEL_POLICY_SPI = (1<<4),
82: };
83:
84: /**
85: * Constructor function for ipsec kernel interface
86: */
87: typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
88:
89: /**
90: * Constructor function for network kernel interface
91: */
92: typedef kernel_net_t* (*kernel_net_constructor_t)(void);
93:
94: /**
95: * Manager and wrapper for different kernel interfaces.
96: *
97: * The kernel interface handles the communication with the kernel
98: * for SA and policy management and interface and IP address management.
99: */
100: struct kernel_interface_t {
101:
102: /**
103: * Get the feature set supported by the net and ipsec kernel backends.
104: *
105: * @return ORed feature-set of backends
106: */
107: kernel_feature_t (*get_features)(kernel_interface_t *this);
108:
109: /**
110: * Get a SPI from the kernel.
111: *
112: * @param src source address of SA
113: * @param dst destination address of SA
114: * @param protocol protocol for SA (ESP/AH)
115: * @param spi allocated spi
116: * @return SUCCESS if operation completed
117: */
118: status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
119: uint8_t protocol, uint32_t *spi);
120:
121: /**
122: * Get a Compression Parameter Index (CPI) from the kernel.
123: *
124: * @param src source address of SA
125: * @param dst destination address of SA
126: * @param cpi allocated cpi
127: * @return SUCCESS if operation completed
128: */
129: status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
130: uint16_t *cpi);
131:
132: /**
133: * Allocate or confirm a reqid to use for a given SA pair.
134: *
135: * Each returned reqid by a successful call to alloc_reqid() must be
136: * released using release_reqid().
137: *
138: * The reqid parameter is an in/out parameter. If it points to non-zero,
139: * the reqid is confirmed and registered for use. If it points to zero,
140: * a reqid is allocated for the given selectors, and returned to reqid.
141: *
142: * @param local_ts traffic selectors of local side for SA
143: * @param remote_ts traffic selectors of remote side for SA
144: * @param mark_in inbound mark on SA
145: * @param mark_out outbound mark on SA
146: * @param if_id_in inbound interface ID on SA
147: * @param if_id_out outbound interface ID on SA
148: * @param reqid allocated reqid
149: * @return SUCCESS if reqid allocated
150: */
151: status_t (*alloc_reqid)(kernel_interface_t *this,
152: linked_list_t *local_ts, linked_list_t *remote_ts,
153: mark_t mark_in, mark_t mark_out, uint32_t if_id_in,
154: uint32_t if_id_out, uint32_t *reqid);
155:
156: /**
157: * Release a previously allocated reqid.
158: *
159: * @param reqid reqid to release
160: * @param mark_in inbound mark on SA
161: * @param mark_out outbound mark on SA
162: * @param if_id_in inbound interface ID on SA
163: * @param if_id_out outbound interface ID on SA
164: * @return SUCCESS if reqid released
165: */
166: status_t (*release_reqid)(kernel_interface_t *this, uint32_t reqid,
167: mark_t mark_in, mark_t mark_out,
168: uint32_t if_id_in, uint32_t if_id_out);
169:
170: /**
171: * Add an SA to the SAD.
172: *
173: * This function does install a single SA for a single protocol in one
174: * direction.
175: *
176: * @param id data identifying this SA
177: * @param data data for this SA
178: * @return SUCCESS if operation completed
179: */
180: status_t (*add_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
181: kernel_ipsec_add_sa_t *data);
182:
183: /**
184: * Update the hosts on an installed SA.
185: *
186: * We cannot directly update the destination address as the kernel
187: * requires the spi, the protocol AND the destination address (and family)
188: * to identify SAs. Therefore if the destination address changed we
189: * create a new SA and delete the old one.
190: *
191: * @param id data identifying this SA
192: * @param data updated data for this SA
193: * @return SUCCESS if operation completed, NOT_SUPPORTED if
194: * the kernel interface can't update the SA
195: */
196: status_t (*update_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
197: kernel_ipsec_update_sa_t *data);
198:
199: /**
200: * Query the number of bytes processed by an SA from the SAD.
201: *
202: * @param id data identifying this SA
203: * @param data data to query the SA
204: * @param[out] bytes the number of bytes processed by SA
205: * @param[out] packets number of packets processed by SA
206: * @param[out] time last (monotonic) time of SA use
207: * @return SUCCESS if operation completed
208: */
209: status_t (*query_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
210: kernel_ipsec_query_sa_t *data, uint64_t *bytes,
211: uint64_t *packets, time_t *time);
212:
213: /**
214: * Delete a previously installed SA from the SAD.
215: *
216: * @param id data identifying this SA
217: * @param data data to delete the SA
218: * @return SUCCESS if operation completed
219: */
220: status_t (*del_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
221: kernel_ipsec_del_sa_t *data);
222:
223: /**
224: * Flush all SAs from the SAD.
225: *
226: * @return SUCCESS if operation completed
227: */
228: status_t (*flush_sas)(kernel_interface_t *this);
229:
230: /**
231: * Add a policy to the SPD.
232: *
233: * @param id data identifying this policy
234: * @param data data for this policy
235: * @return SUCCESS if operation completed
236: */
237: status_t (*add_policy)(kernel_interface_t *this,
238: kernel_ipsec_policy_id_t *id,
239: kernel_ipsec_manage_policy_t *data);
240:
241: /**
242: * Query the use time of a policy.
243: *
244: * The use time of a policy is the time the policy was used
245: * for the last time.
246: *
247: * @param id data identifying this policy
248: * @param data data to query the policy
249: * @param[out] use_time the monotonic timestamp of this SA's last use
250: * @return SUCCESS if operation completed
251: */
252: status_t (*query_policy)(kernel_interface_t *this,
253: kernel_ipsec_policy_id_t *id,
254: kernel_ipsec_query_policy_t *data,
255: time_t *use_time);
256:
257: /**
258: * Remove a policy from the SPD.
259: *
260: * @param id data identifying this policy
261: * @param data data for this policy
262: * @return SUCCESS if operation completed
263: */
264: status_t (*del_policy)(kernel_interface_t *this,
265: kernel_ipsec_policy_id_t *id,
266: kernel_ipsec_manage_policy_t *data);
267:
268: /**
269: * Flush all policies from the SPD.
270: *
271: * @return SUCCESS if operation completed
272: */
273: status_t (*flush_policies)(kernel_interface_t *this);
274:
275: /**
276: * Get our outgoing source address for a destination.
277: *
278: * Does a route lookup to get the source address used to reach dest.
279: * The returned host is allocated and must be destroyed.
280: * An optional src address can be used to check if a route is available
281: * for the given source to dest.
282: *
283: * @param dest target destination address
284: * @param src source address to check, or NULL
285: * @return outgoing source address, NULL if unreachable
286: */
287: host_t* (*get_source_addr)(kernel_interface_t *this,
288: host_t *dest, host_t *src);
289:
290: /**
291: * Get the next hop for a destination.
292: *
293: * Does a route lookup to get the next hop used to reach dest.
294: * The returned host is allocated and must be destroyed.
295: * An optional src address can be used to check if a route is available
296: * for the given source to dest.
297: *
298: * @param dest target destination address
299: * @param prefix prefix length if dest is a subnet, -1 for auto
300: * @param src source address to check, or NULL
301: * @param[out] iface allocated name of the interface to reach dest, if
302: * available (optional)
303: * @return next hop address, NULL if unreachable
304: */
305: host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest,
306: int prefix, host_t *src, char **iface);
307:
308: /**
309: * Get the interface name of a local address. Interfaces that are down or
310: * ignored by config are not considered.
311: *
312: * @param host address to get interface name from
313: * @param name allocated interface name (optional)
314: * @return TRUE if interface found and usable
315: */
316: bool (*get_interface)(kernel_interface_t *this, host_t *host, char **name);
317:
318: /**
319: * Creates an enumerator over all local addresses.
320: *
321: * This function blocks an internal cached address list until the
322: * enumerator gets destroyed.
323: * The hosts are read-only, do not modify of free.
324: *
325: * @param which a combination of address types to enumerate
326: * @return enumerator over host_t's
327: */
328: enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
329: kernel_address_type_t which);
330:
331: /**
332: * Creates an enumerator over all local subnets.
333: *
334: * Local subnets are subnets the host is directly connected to.
335: *
336: * The enumerator returns the network, subnet mask and interface.
337: *
338: * @return enumerator over host_t*, uint8_t, char*
339: */
340: enumerator_t *(*create_local_subnet_enumerator)(kernel_interface_t *this);
341:
342: /**
343: * Add a virtual IP to an interface.
344: *
345: * Virtual IPs are attached to an interface. If an IP is added multiple
346: * times, the IP is refcounted and not removed until del_ip() was called
347: * as many times as add_ip().
348: *
349: * @param virtual_ip virtual ip address to assign
350: * @param prefix prefix length to install IP with, -1 for auto
351: * @param iface interface to install virtual IP on
352: * @return SUCCESS if operation completed
353: */
354: status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix,
355: char *iface);
356:
357: /**
358: * Remove a virtual IP from an interface.
359: *
360: * The kernel interface uses refcounting, see add_ip().
361: *
362: * @param virtual_ip virtual ip address to remove
363: * @param prefix prefix length of the IP to uninstall, -1 for auto
364: * @param wait TRUE to wait until IP is gone
365: * @return SUCCESS if operation completed
366: */
367: status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
368: int prefix, bool wait);
369:
370: /**
371: * Add a route.
372: *
373: * @param dst_net destination net
374: * @param prefixlen destination net prefix length
375: * @param gateway gateway for this route
376: * @param src_ip source ip of the route
377: * @param if_name name of the interface the route is bound to
378: * @param pass TRUE if route is installed for passthrough policy
379: * @return SUCCESS if operation completed
380: * ALREADY_DONE if the route already exists
381: */
382: status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net,
383: uint8_t prefixlen, host_t *gateway, host_t *src_ip,
384: char *if_name, bool pass);
385:
386: /**
387: * Delete a route.
388: *
389: * @param dst_net destination net
390: * @param prefixlen destination net prefix length
391: * @param gateway gateway for this route
392: * @param src_ip source ip of the route
393: * @param if_name name of the interface the route is bound to
394: * @param pass TRUE if route was installed for passthrough policy
395: * @return SUCCESS if operation completed
396: */
397: status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net,
398: uint8_t prefixlen, host_t *gateway, host_t *src_ip,
399: char *if_name, bool pass);
400:
401: /**
402: * Set up a bypass policy for a given socket.
403: *
404: * @param fd socket file descriptor to setup policy for
405: * @param family protocol family of the socket
406: * @return TRUE if policy set up successfully
407: */
408: bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
409:
410: /**
411: * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
412: *
413: * @param fd socket file descriptor
414: * @param family protocol family of the socket
415: * @param port the UDP port
416: * @return TRUE if UDP decapsulation was enabled successfully
417: */
418: bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family,
419: uint16_t port);
420:
421:
422: /**
423: * manager methods
424: */
425:
426: /**
427: * Verifies that the given interface is usable and not excluded by
428: * configuration.
429: *
430: * @param iface interface name
431: * @return TRUE if usable
432: */
433: bool (*is_interface_usable)(kernel_interface_t *this, const char *iface);
434:
435: /**
436: * Check if interfaces are excluded by config.
437: *
438: * @return TRUE if no interfaces are excluded by config
439: */
440: bool (*all_interfaces_usable)(kernel_interface_t *this);
441:
442: /**
443: * Tries to find an IP address of a local interface that is included in the
444: * supplied traffic selector.
445: *
446: * @param ts traffic selector
447: * @param ip returned IP address (has to be destroyed)
448: * @param vip set to TRUE if returned address is a virtual IP
449: * @return SUCCESS if address found
450: */
451: status_t (*get_address_by_ts)(kernel_interface_t *this,
452: traffic_selector_t *ts, host_t **ip, bool *vip);
453:
454: /**
455: * Register an ipsec kernel interface constructor on the manager.
456: *
457: * @param create constructor to register
458: * @return TRUE if the ipsec kernel interface was registered
459: * successfully, FALSE if an interface was already
460: * registered or the registration failed
461: */
462: bool (*add_ipsec_interface)(kernel_interface_t *this,
463: kernel_ipsec_constructor_t create);
464:
465: /**
466: * Unregister an ipsec kernel interface constructor.
467: *
468: * @param create constructor to unregister
469: * @return TRUE if the ipsec kernel interface was unregistered
470: * successfully, FALSE otherwise
471: */
472: bool (*remove_ipsec_interface)(kernel_interface_t *this,
473: kernel_ipsec_constructor_t create);
474:
475: /**
476: * Register a network kernel interface constructor on the manager.
477: *
478: * @param create constructor to register
479: * @return TRUE if the kernel net interface was registered
480: * successfully, FALSE if an interface was already
481: * registered or the registration failed
482: */
483: bool (*add_net_interface)(kernel_interface_t *this,
484: kernel_net_constructor_t create);
485:
486: /**
487: * Unregister a network kernel interface constructor.
488: *
489: * @param create constructor to unregister
490: * @return TRUE if the kernel net interface was unregistered
491: * successfully, FALSE otherwise
492: */
493: bool (*remove_net_interface)(kernel_interface_t *this,
494: kernel_net_constructor_t create);
495:
496: /**
497: * Add a listener to the kernel interface.
498: *
499: * @param listener listener to add
500: */
501: void (*add_listener)(kernel_interface_t *this,
502: kernel_listener_t *listener);
503:
504: /**
505: * Remove a listener from the kernel interface.
506: *
507: * @param listener listener to remove
508: */
509: void (*remove_listener)(kernel_interface_t *this,
510: kernel_listener_t *listener);
511:
512: /**
513: * Raise an acquire event.
514: *
515: * @param reqid reqid of the policy to acquire
516: * @param src_ts source traffic selector
517: * @param dst_ts destination traffic selector
518: */
519: void (*acquire)(kernel_interface_t *this, uint32_t reqid,
520: traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
521:
522: /**
523: * Raise an expire event.
524: *
525: * @param protocol protocol of the expired SA
526: * @param spi spi of the expired SA
527: * @param dst destination address of expired SA
528: * @param hard TRUE if it is a hard expire, FALSE otherwise
529: */
530: void (*expire)(kernel_interface_t *this, uint8_t protocol, uint32_t spi,
531: host_t *dst, bool hard);
532:
533: /**
534: * Raise a mapping event.
535: *
536: * @param protocol protocol of affected SA
537: * @param spi spi of the SA
538: * @param dst original destination address of SA
539: * @param remote new remote host
540: */
541: void (*mapping)(kernel_interface_t *this, uint8_t protocol, uint32_t spi,
542: host_t *dst, host_t *remote);
543:
544: /**
545: * Raise a migrate event.
546: *
547: * @param reqid reqid of the policy
548: * @param src_ts source traffic selector
549: * @param dst_ts destination traffic selector
550: * @param direction direction of the policy (in|out)
551: * @param local local host address to be used in the IKE_SA
552: * @param remote remote host address to be used in the IKE_SA
553: */
554: void (*migrate)(kernel_interface_t *this, uint32_t reqid,
555: traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
556: policy_dir_t direction, host_t *local, host_t *remote);
557:
558: /**
559: * Raise a roam event.
560: *
561: * @param address TRUE if address list, FALSE if routing changed
562: */
563: void (*roam)(kernel_interface_t *this, bool address);
564:
565: /**
566: * Raise a tun event.
567: *
568: * @param tun TUN device
569: * @param created TRUE if created, FALSE if going to be destroyed
570: */
571: void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
572:
573: /**
574: * Register a new algorithm with the kernel interface.
575: *
576: * @param alg_id the IKE id of the algorithm
577: * @param type the transform type of the algorithm
578: * @param kernel_id the kernel id of the algorithm
579: * @param kernel_name the kernel name of the algorithm
580: */
581: void (*register_algorithm)(kernel_interface_t *this, uint16_t alg_id,
582: transform_type_t type, uint16_t kernel_id,
583: char *kernel_name);
584:
585: /**
586: * Return the kernel-specific id and/or name for an algorithms depending on
587: * the arguments specified.
588: *
589: * @param alg_id the IKE id of the algorithm
590: * @param type the transform type of the algorithm
591: * @param kernel_id the kernel id of the algorithm (optional)
592: * @param kernel_name the kernel name of the algorithm (optional)
593: * @return TRUE if algorithm was found
594: */
595: bool (*lookup_algorithm)(kernel_interface_t *this, uint16_t alg_id,
596: transform_type_t type, uint16_t *kernel_id,
597: char **kernel_name);
598:
599: /**
600: * Destroys a kernel_interface_t object.
601: */
602: void (*destroy) (kernel_interface_t *this);
603: };
604:
605: /**
606: * Creates an object of type kernel_interface_t.
607: */
608: kernel_interface_t *kernel_interface_create(void);
609:
610: #endif /** KERNEL_INTERFACE_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>