xfrm.h revision 1d35a1273d97bf140fc0c770e58933cf1e9bb1b1
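#ifndef _LINUX_XFRM_H
#define _LINUX_XFRM_H

#include <linux/types.h>

/* All of the structures in this file may not change size as they are
 * passed into the kernel from userspace via netlink sockets.
 *
 * Every structure below is therefore kernel/userspace ABI: fields may
 * only be appended, never reordered, resized or removed.  The trailing
 * flexible array members (struct xfrm_sec_ctx, struct xfrm_algo) do not
 * contribute to sizeof, so the fixed part keeps its historical size.
 */

/* Structure to encapsulate addresses. I do not want to use
 * "standard" structure. My apologies.
 *
 * a4 is a single 32-bit address, a6 a 128-bit address.  NOTE(review):
 * which member is meaningful is presumably selected by the "family"
 * field carried next to the address in the enclosing structure --
 * confirm against the consumers.
 */
typedef union
{
	__u32	a4;
	__u32	a6[4];
} xfrm_address_t;

/* Ident of a specific xfrm_state. It is used on input to lookup
 * the state by (spi,daddr,ah/esp) or to store information about
 * spi, protocol and tunnel address on output.
 */
struct xfrm_id
{
	xfrm_address_t	daddr;
	__u32		spi;
	__u8		proto;
};

/* Security context attached to a state or policy.
 *
 * ctx_len bytes of context string follow in ctx_str.  ctx_len is
 * supplied by the sender; a receiver has to bound it by the length of
 * the enclosing attribute before reading ctx_str.
 * ctx_doi / ctx_alg take the XFRM_SC_DOI_* / XFRM_SC_ALG_* values below.
 */
struct xfrm_sec_ctx {
	__u8	ctx_doi;
	__u8	ctx_alg;
	__u16	ctx_len;
	__u32	ctx_sid;
	/* C99 flexible array member: same layout as the former GNU
	 * zero-length array, but standard C and visible to the compiler's
	 * bounds diagnostics. */
	char	ctx_str[];
};

/* Security Context Domains of Interpretation */
#define XFRM_SC_DOI_RESERVED 0
#define XFRM_SC_DOI_LSM 1

/* Security Context Algorithms */
#define XFRM_SC_ALG_RESERVED 0
#define XFRM_SC_ALG_SELINUX 1

/* Selector, used as selector both on policy rules (SPD) and SAs.
 *
 * Port and prefix masks qualify the address/port fields; family names
 * the address family of daddr/saddr.
 * NOTE(review): "user" is declared with the libc type uid_t rather than
 * a __kernel_* type; its size is whatever the including libc defines --
 * confirm that matches the kernel's expectation on every supported ABI.
 */
struct xfrm_selector
{
	xfrm_address_t	daddr;
	xfrm_address_t	saddr;
	__u16	dport;
	__u16	dport_mask;
	__u16	sport;
	__u16	sport_mask;
	__u16	family;
	__u8	prefixlen_d;
	__u8	prefixlen_s;
	__u8	proto;
	int	ifindex;
	uid_t	user;
};

/* "No limit" value for the 64-bit lifetime fields below. */
#define XFRM_INF (~(__u64)0)

/* Configured lifetime limits; soft limits warn, hard limits end the
 * object.  Use XFRM_INF to disable a limit. */
struct xfrm_lifetime_cfg
{
	__u64	soft_byte_limit;
	__u64	hard_byte_limit;
	__u64	soft_packet_limit;
	__u64	hard_packet_limit;
	__u64	soft_add_expires_seconds;
	__u64	hard_add_expires_seconds;
	__u64	soft_use_expires_seconds;
	__u64	hard_use_expires_seconds;
};

/* Current lifetime counters matching struct xfrm_lifetime_cfg. */
struct xfrm_lifetime_cur
{
	__u64	bytes;
	__u64	packets;
	__u64	add_time;
	__u64	use_time;
};

/* Anti-replay state: outbound sequence number, highest inbound sequence
 * number seen, and the bitmap of recently received sequence numbers. */
struct xfrm_replay_state
{
	__u32	oseq;
	__u32	seq;
	__u32	bitmap;
};

/* Algorithm name plus key material.  alg_key_len bits of key follow in
 * alg_key; the receiver must bound the byte length derived from
 * alg_key_len by the enclosing attribute length. */
struct xfrm_algo {
	char		alg_name[64];
	int		alg_key_len;    /* in bits */
	char		alg_key[];	/* flexible array member, see ctx_str */
};

/* Per-SA statistics. */
struct xfrm_stats {
	__u32	replay_window;
	__u32	replay;
	__u32	integrity_failed;
};

/* Policy direction (struct xfrm_userpolicy_info.dir). */
enum
{
	XFRM_POLICY_IN	= 0,
	XFRM_POLICY_OUT	= 1,
	XFRM_POLICY_FWD	= 2,
	XFRM_POLICY_MAX	= 3
};

/* Sharing scope of a template / SA (struct xfrm_user_tmpl.share). */
enum
{
	XFRM_SHARE_ANY,		/* No limitations */
	XFRM_SHARE_SESSION,	/* For this session only */
	XFRM_SHARE_USER,	/* For this user only */
	XFRM_SHARE_UNIQUE	/* Use once */
};

/* Encapsulation mode (struct xfrm_usersa_info.mode). */
#define XFRM_MODE_TRANSPORT 0
#define XFRM_MODE_TUNNEL 1
#define XFRM_MODE_MAX 2

/* Netlink configuration messages.
 *
 * Each value is also exposed as a macro of the same name so that
 * userspace can test for its availability with #ifdef.
 */
enum {
	XFRM_MSG_BASE = 0x10,

	XFRM_MSG_NEWSA = 0x10,
#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
	XFRM_MSG_DELSA,
#define XFRM_MSG_DELSA XFRM_MSG_DELSA
	XFRM_MSG_GETSA,
#define XFRM_MSG_GETSA XFRM_MSG_GETSA

	XFRM_MSG_NEWPOLICY,
#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
	XFRM_MSG_DELPOLICY,
#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
	XFRM_MSG_GETPOLICY,
#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY

	XFRM_MSG_ALLOCSPI,
#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
	XFRM_MSG_ACQUIRE,
#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
	XFRM_MSG_EXPIRE,
#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE

	XFRM_MSG_UPDPOLICY,
#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
	XFRM_MSG_UPDSA,
#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA

	XFRM_MSG_POLEXPIRE,
#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE

	XFRM_MSG_FLUSHSA,
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
	XFRM_MSG_FLUSHPOLICY,
#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY

	XFRM_MSG_NEWAE,
#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
	XFRM_MSG_GETAE,
#define XFRM_MSG_GETAE XFRM_MSG_GETAE
	__XFRM_MSG_MAX
};
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)

/* Number of message types in [XFRM_MSG_BASE, XFRM_MSG_MAX]. */
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)

/*
 * Generic LSM security context for communicating to user space
 * NOTE: Same format as sadb_x_sec_ctx
 *
 * NOTE(review): unlike struct xfrm_sec_ctx there is no trailing array
 * here; the ctx_len bytes of context string presumably follow the
 * structure inside the same attribute, and both len and ctx_len are
 * sender-supplied and must be checked against the attribute length --
 * verify against the consumer.
 */
struct xfrm_user_sec_ctx {
	__u16			len;
	__u16			exttype;
	__u8			ctx_alg;  /* LSMs: e.g., selinux == 1 */
	__u8			ctx_doi;
	__u16			ctx_len;
};

/* One SA template of a policy; aalgos/ealgos/calgos are bit masks of
 * acceptable auth/encryption/compression algorithms. */
struct xfrm_user_tmpl {
	struct xfrm_id		id;
	__u16			family;
	xfrm_address_t		saddr;
	__u32			reqid;
	__u8			mode;
	__u8			share;
	__u8			optional;
	__u32			aalgos;
	__u32			ealgos;
	__u32			calgos;
};

/* UDP encapsulation parameters of an SA (XFRMA_ENCAP). */
struct xfrm_encap_tmpl {
	__u16		encap_type;
	__u16		encap_sport;
	__u16		encap_dport;
	xfrm_address_t	encap_oa;
};

/* AEVENT flags */
enum xfrm_ae_ftype_t {
	XFRM_AE_UNSPEC,
	XFRM_AE_RTHR=1,	/* replay threshold*/
	XFRM_AE_RVAL=2, /* replay value */
	XFRM_AE_LVAL=4, /* lifetime value */
	XFRM_AE_ETHR=8, /* expiry timer threshold */
	XFRM_AE_CR=16, /* Event cause is replay update */
	XFRM_AE_CE=32, /* Event cause is timer expiry */
	XFRM_AE_CU=64, /* Event cause is policy update */
	__XFRM_AE_MAX

#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};

/* Netlink message attributes. */
enum xfrm_attr_type_t {
	XFRMA_UNSPEC,
	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
	XFRMA_ALG_COMP,		/* struct xfrm_algo */
	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
	XFRMA_SA,
	XFRMA_POLICY,
	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
	XFRMA_LTIME_VAL,
	XFRMA_REPLAY_VAL,
	XFRMA_REPLAY_THRESH,
	XFRMA_ETIMER_THRESH,
	__XFRMA_MAX

#define XFRMA_MAX (__XFRMA_MAX - 1)
};

/* Userspace view of an SA (xfrm_state).  The XFRM_STATE_* values are
 * bits of the flags field. */
struct xfrm_usersa_info {
	struct xfrm_selector		sel;
	struct xfrm_id			id;
	xfrm_address_t			saddr;
	struct xfrm_lifetime_cfg	lft;
	struct xfrm_lifetime_cur	curlft;
	struct xfrm_stats		stats;
	__u32				seq;
	__u32				reqid;
	__u16				family;
	__u8				mode; /* 0=transport,1=tunnel */
	__u8				replay_window;
	__u8				flags;
#define XFRM_STATE_NOECN	1
#define XFRM_STATE_DECAP_DSCP	2
#define XFRM_STATE_NOPMTUDISC	4
};

/* Key identifying an SA: destination, SPI, family and protocol. */
struct xfrm_usersa_id {
	xfrm_address_t			daddr;
	__u32				spi;
	__u16				family;
	__u8				proto;
};

/* SA identity plus XFRM_AE_* flags for asynchronous events. */
struct xfrm_aevent_id {
	struct xfrm_usersa_id		sa_id;
	__u32				flags;
};

/* SA description plus the [min, max] SPI range to allocate from. */
struct xfrm_userspi_info {
	struct xfrm_usersa_info		info;
	__u32				min;
	__u32				max;
};

/* Userspace view of a policy.  XFRM_POLICY_ALLOW/BLOCK are values of
 * action; XFRM_POLICY_LOCALOK is a bit of flags; dir takes
 * XFRM_POLICY_IN/OUT/FWD. */
struct xfrm_userpolicy_info {
	struct xfrm_selector		sel;
	struct xfrm_lifetime_cfg	lft;
	struct xfrm_lifetime_cur	curlft;
	__u32				priority;
	__u32				index;
	__u8				dir;
	__u8				action;
#define XFRM_POLICY_ALLOW	0
#define XFRM_POLICY_BLOCK	1
	__u8				flags;
#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
	__u8				share;
};

/* Key identifying a policy: selector, index and direction. */
struct xfrm_userpolicy_id {
	struct xfrm_selector		sel;
	__u32				index;
	__u8				dir;
};

/* Kernel-to-userspace request for a new SA matching a policy. */
struct xfrm_user_acquire {
	struct xfrm_id			id;
	xfrm_address_t			saddr;
	struct xfrm_selector		sel;
	struct xfrm_userpolicy_info	policy;
	__u32				aalgos;
	__u32				ealgos;
	__u32				calgos;
	__u32				seq;
};

/* SA lifetime expiry notification; hard != 0 for a hard limit. */
struct xfrm_user_expire {
	struct xfrm_usersa_info		state;
	__u8				hard;
};

/* Policy lifetime expiry notification; hard != 0 for a hard limit. */
struct xfrm_user_polexpire {
	struct xfrm_userpolicy_info	pol;
	__u8				hard;
};

/* Protocol selector for flushing SAs. */
struct xfrm_usersa_flush {
	__u8				proto;
};

/* backwards compatibility for userspace */
#define XFRMGRP_ACQUIRE		1
#define XFRMGRP_EXPIRE		2
#define XFRMGRP_SA		4
#define XFRMGRP_POLICY		8

/* Netlink multicast groups; each value is also a macro so userspace can
 * #ifdef on it. */
enum xfrm_nlgroups {
	XFRMNLGRP_NONE,
#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
	XFRMNLGRP_ACQUIRE,
#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
	XFRMNLGRP_EXPIRE,
#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
	XFRMNLGRP_SA,
#define XFRMNLGRP_SA		XFRMNLGRP_SA
	XFRMNLGRP_POLICY,
#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
	XFRMNLGRP_AEVENTS,
#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
	__XFRMNLGRP_MAX
};
#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)

#endif /* _LINUX_XFRM_H */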