xfrm.h revision 1d35a1273d97bf140fc0c770e58933cf1e9bb1b1 
1#ifndef _LINUX_XFRM_H
2#define _LINUX_XFRM_H
3
4#include <linux/types.h>
5
6/* All of the structures in this file may not change size as they are
7 * passed into the kernel from userspace via netlink sockets.
8 */
9
10/* Structure to encapsulate addresses. I do not want to use
11 * "standard" structure. My apologies.
12 */
13typedef union
14{
15	__u32		a4;
16	__u32		a6[4];
17} xfrm_address_t;
18
19/* Ident of a specific xfrm_state. It is used on input to lookup
20 * the state by (spi,daddr,ah/esp) or to store information about
21 * spi, protocol and tunnel address on output.
22 */
23struct xfrm_id
24{
25	xfrm_address_t	daddr;
26	__u32		spi;
27	__u8		proto;
28};
29
30struct xfrm_sec_ctx {
31	__u8	ctx_doi;
32	__u8	ctx_alg;
33	__u16	ctx_len;
34	__u32	ctx_sid;
35	char	ctx_str[0];
36};
37
38/* Security Context Domains of Interpretation */
39#define XFRM_SC_DOI_RESERVED 0
40#define XFRM_SC_DOI_LSM 1
41
42/* Security Context Algorithms */
43#define XFRM_SC_ALG_RESERVED 0
44#define XFRM_SC_ALG_SELINUX 1
45
46/* Selector, used as selector both on policy rules (SPD) and SAs. */
47
48struct xfrm_selector
49{
50	xfrm_address_t	daddr;
51	xfrm_address_t	saddr;
52	__u16	dport;
53	__u16	dport_mask;
54	__u16	sport;
55	__u16	sport_mask;
56	__u16	family;
57	__u8	prefixlen_d;
58	__u8	prefixlen_s;
59	__u8	proto;
60	int	ifindex;
61	uid_t	user;
62};
63
64#define XFRM_INF (~(__u64)0)
65
66struct xfrm_lifetime_cfg
67{
68	__u64	soft_byte_limit;
69	__u64	hard_byte_limit;
70	__u64	soft_packet_limit;
71	__u64	hard_packet_limit;
72	__u64	soft_add_expires_seconds;
73	__u64	hard_add_expires_seconds;
74	__u64	soft_use_expires_seconds;
75	__u64	hard_use_expires_seconds;
76};
77
78struct xfrm_lifetime_cur
79{
80	__u64	bytes;
81	__u64	packets;
82	__u64	add_time;
83	__u64	use_time;
84};
85
86struct xfrm_replay_state
87{
88	__u32	oseq;
89	__u32	seq;
90	__u32	bitmap;
91};
92
93struct xfrm_algo {
94	char	alg_name[64];
95	int	alg_key_len;    /* in bits */
96	char	alg_key[0];
97};
98
99struct xfrm_stats {
100	__u32	replay_window;
101	__u32	replay;
102	__u32	integrity_failed;
103};
104
105enum
106{
107	XFRM_POLICY_IN	= 0,
108	XFRM_POLICY_OUT	= 1,
109	XFRM_POLICY_FWD	= 2,
110	XFRM_POLICY_MAX	= 3
111};
112
113enum
114{
115	XFRM_SHARE_ANY,		/* No limitations */
116	XFRM_SHARE_SESSION,	/* For this session only */
117	XFRM_SHARE_USER,	/* For this user only */
118	XFRM_SHARE_UNIQUE	/* Use once */
119};
120
121#define XFRM_MODE_TRANSPORT 0
122#define XFRM_MODE_TUNNEL 1
123#define XFRM_MODE_MAX 2
124
125/* Netlink configuration messages.  */
126enum {
127	XFRM_MSG_BASE = 0x10,
128
129	XFRM_MSG_NEWSA = 0x10,
130#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
131	XFRM_MSG_DELSA,
132#define XFRM_MSG_DELSA XFRM_MSG_DELSA
133	XFRM_MSG_GETSA,
134#define XFRM_MSG_GETSA XFRM_MSG_GETSA
135
136	XFRM_MSG_NEWPOLICY,
137#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
138	XFRM_MSG_DELPOLICY,
139#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
140	XFRM_MSG_GETPOLICY,
141#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
142
143	XFRM_MSG_ALLOCSPI,
144#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
145	XFRM_MSG_ACQUIRE,
146#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
147	XFRM_MSG_EXPIRE,
148#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
149
150	XFRM_MSG_UPDPOLICY,
151#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
152	XFRM_MSG_UPDSA,
153#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
154
155	XFRM_MSG_POLEXPIRE,
156#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
157
158	XFRM_MSG_FLUSHSA,
159#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
160	XFRM_MSG_FLUSHPOLICY,
161#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
162
163	XFRM_MSG_NEWAE,
164#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
165	XFRM_MSG_GETAE,
166#define XFRM_MSG_GETAE XFRM_MSG_GETAE
167	__XFRM_MSG_MAX
168};
169#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
170
171#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
172
173/*
174 * Generic LSM security context for comunicating to user space
175 * NOTE: Same format as sadb_x_sec_ctx
176 */
177struct xfrm_user_sec_ctx {
178	__u16			len;
179	__u16			exttype;
180	__u8			ctx_alg;  /* LSMs: e.g., selinux == 1 */
181	__u8			ctx_doi;
182	__u16			ctx_len;
183};
184
185struct xfrm_user_tmpl {
186	struct xfrm_id		id;
187	__u16			family;
188	xfrm_address_t		saddr;
189	__u32			reqid;
190	__u8			mode;
191	__u8			share;
192	__u8			optional;
193	__u32			aalgos;
194	__u32			ealgos;
195	__u32			calgos;
196};
197
198struct xfrm_encap_tmpl {
199	__u16		encap_type;
200	__u16		encap_sport;
201	__u16		encap_dport;
202	xfrm_address_t	encap_oa;
203};
204
205/* AEVENT flags  */
206enum xfrm_ae_ftype_t {
207	XFRM_AE_UNSPEC,
208	XFRM_AE_RTHR=1,	/* replay threshold*/
209	XFRM_AE_RVAL=2, /* replay value */
210	XFRM_AE_LVAL=4, /* lifetime value */
211	XFRM_AE_ETHR=8, /* expiry timer threshold */
212	XFRM_AE_CR=16, /* Event cause is replay update */
213	XFRM_AE_CE=32, /* Event cause is timer expiry */
214	XFRM_AE_CU=64, /* Event cause is policy update */
215	__XFRM_AE_MAX
216
217#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
218};
219
220/* Netlink message attributes.  */
221enum xfrm_attr_type_t {
222	XFRMA_UNSPEC,
223	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
224	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
225	XFRMA_ALG_COMP,		/* struct xfrm_algo */
226	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
227	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
228	XFRMA_SA,
229	XFRMA_POLICY,
230	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
231	XFRMA_LTIME_VAL,
232	XFRMA_REPLAY_VAL,
233	XFRMA_REPLAY_THRESH,
234	XFRMA_ETIMER_THRESH,
235	__XFRMA_MAX
236
237#define XFRMA_MAX (__XFRMA_MAX - 1)
238};
239
240struct xfrm_usersa_info {
241	struct xfrm_selector		sel;
242	struct xfrm_id			id;
243	xfrm_address_t			saddr;
244	struct xfrm_lifetime_cfg	lft;
245	struct xfrm_lifetime_cur	curlft;
246	struct xfrm_stats		stats;
247	__u32				seq;
248	__u32				reqid;
249	__u16				family;
250	__u8				mode; /* 0=transport,1=tunnel */
251	__u8				replay_window;
252	__u8				flags;
253#define XFRM_STATE_NOECN	1
254#define XFRM_STATE_DECAP_DSCP	2
255#define XFRM_STATE_NOPMTUDISC	4
256};
257
258struct xfrm_usersa_id {
259	xfrm_address_t			daddr;
260	__u32				spi;
261	__u16				family;
262	__u8				proto;
263};
264
265struct xfrm_aevent_id {
266	struct xfrm_usersa_id		sa_id;
267	__u32				flags;
268};
269
270struct xfrm_userspi_info {
271	struct xfrm_usersa_info		info;
272	__u32				min;
273	__u32				max;
274};
275
276struct xfrm_userpolicy_info {
277	struct xfrm_selector		sel;
278	struct xfrm_lifetime_cfg	lft;
279	struct xfrm_lifetime_cur	curlft;
280	__u32				priority;
281	__u32				index;
282	__u8				dir;
283	__u8				action;
284#define XFRM_POLICY_ALLOW	0
285#define XFRM_POLICY_BLOCK	1
286	__u8				flags;
287#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
288	__u8				share;
289};
290
291struct xfrm_userpolicy_id {
292	struct xfrm_selector		sel;
293	__u32				index;
294	__u8				dir;
295};
296
297struct xfrm_user_acquire {
298	struct xfrm_id			id;
299	xfrm_address_t			saddr;
300	struct xfrm_selector		sel;
301	struct xfrm_userpolicy_info	policy;
302	__u32				aalgos;
303	__u32				ealgos;
304	__u32				calgos;
305	__u32				seq;
306};
307
308struct xfrm_user_expire {
309	struct xfrm_usersa_info		state;
310	__u8				hard;
311};
312
313struct xfrm_user_polexpire {
314	struct xfrm_userpolicy_info	pol;
315	__u8				hard;
316};
317
318struct xfrm_usersa_flush {
319	__u8				proto;
320};
321
322/* backwards compatibility for userspace */
323#define XFRMGRP_ACQUIRE		1
324#define XFRMGRP_EXPIRE		2
325#define XFRMGRP_SA		4
326#define XFRMGRP_POLICY		8
327
328enum xfrm_nlgroups {
329	XFRMNLGRP_NONE,
330#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
331	XFRMNLGRP_ACQUIRE,
332#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
333	XFRMNLGRP_EXPIRE,
334#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
335	XFRMNLGRP_SA,
336#define XFRMNLGRP_SA		XFRMNLGRP_SA
337	XFRMNLGRP_POLICY,
338#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
339	XFRMNLGRP_AEVENTS,
340#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
341	__XFRMNLGRP_MAX
342};
343#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)
344
345#endif /* _LINUX_XFRM_H */
346