xfrm.h revision 8f8a36487119a3cd1afe86a9649704aca088567b
1#ifndef _LINUX_XFRM_H
2#define _LINUX_XFRM_H
3
4#include <linux/types.h>
5
6/* All of the structures in this file may not change size as they are
7 * passed into the kernel from userspace via netlink sockets.
8 */
9
10/* Structure to encapsulate addresses. I do not want to use
11 * "standard" structure. My apologies.
12 */
13typedef union
14{
15	__u32		a4;	/* single 32-bit address; the a4 naming suggests IPv4 */
16	__u32		a6[4];	/* four 32-bit words; the a6 naming suggests IPv6 */
17} xfrm_address_t;
/* Which member is valid is presumably selected by the "family" field that
 * accompanies every use below (xfrm_selector, xfrm_user_tmpl, ...) — the
 * union itself carries no discriminator.  Byte order is not stated here.
 */
18
19/* Ident of a specific xfrm_state. It is used on input to lookup
20 * the state by (spi,daddr,ah/esp) or to store information about
21 * spi, protocol and tunnel address on output.
22 */
23struct xfrm_id
24{
25	xfrm_address_t	daddr;	/* destination / tunnel address (see comment above) */
26	__u32		spi;	/* Security Parameter Index of the state */
27	__u8		proto;	/* ah/esp per the comment above; presumably an IPPROTO_* value — confirm */
28};
29
/* Security context attached to a state or policy (carried by XFRMA_SEC_CTX).
 * ctx_str is a zero-length trailing array: the context string follows the
 * fixed part in memory and is not counted in sizeof.  ctx_len presumably
 * gives its byte length — TODO confirm whether that includes a NUL.  The
 * struct carries no other bound, so a consumer must check ctx_len against
 * the length of the enclosing buffer before reading ctx_str.
 */
30struct xfrm_sec_ctx {
31	__u8	ctx_doi;	/* XFRM_SC_DOI_* (Domain of Interpretation) */
32	__u8	ctx_alg;	/* XFRM_SC_ALG_* (which LSM interprets ctx_str) */
33	__u16	ctx_len;	/* length of the data in ctx_str; validate before use */
34	__u32	ctx_sid;	/* LSM-specific security id; meaning not defined here */
35	char	ctx_str[0];	/* flexible trailing data, see note above */
36};
37
38/* Security Context Domains of Interpretation (xfrm_sec_ctx.ctx_doi) */
39#define XFRM_SC_DOI_RESERVED 0
40#define XFRM_SC_DOI_LSM 1
41
42/* Security Context Algorithms (xfrm_sec_ctx.ctx_alg / xfrm_user_sec_ctx.ctx_alg);
 * the value 1 matches the "selinux == 1" note on xfrm_user_sec_ctx below. */
43#define XFRM_SC_ALG_RESERVED 0
44#define XFRM_SC_ALG_SELINUX 1
45
46/* Selector, used as selector both on policy rules (SPD) and SAs. */
47
48struct xfrm_selector
49{
50	xfrm_address_t	daddr;		/* destination address, interpreted per 'family' */
51	xfrm_address_t	saddr;		/* source address, interpreted per 'family' */
52	__u16	dport;			/* destination port */
53	__u16	dport_mask;		/* mask applied to dport; exact semantics not stated here, presumably a bitwise AND before comparing — confirm in the matcher */
54	__u16	sport;			/* source port */
55	__u16	sport_mask;		/* mask applied to sport, as for dport_mask */
56	__u16	family;			/* address family selecting a4 vs a6 in daddr/saddr */
57	__u8	prefixlen_d;		/* prefix length applied to daddr */
58	__u8	prefixlen_s;		/* prefix length applied to saddr */
59	__u8	proto;			/* transport protocol; whether 0 means "any" is not stated here */
60	int	ifindex;		/* interface index; plain int, not a fixed-width type */
61	uid_t	user;			/* owning uid; uid_t is defined by libc, not fixed-width */
62};
/* NOTE(review): ifindex and user are the only members in this header that are
 * not fixed-width, so the size of this struct (and of every struct embedding
 * it) depends on the platform's int and uid_t despite the "may not change
 * size" requirement at the top of the file.
 */
63
64#define XFRM_INF (~(__u64)0)	/* all-ones __u64; presumably the "no limit" value for the __u64 limits in xfrm_lifetime_cfg — confirm */
65
/* Configured lifetime limits for a state or policy.  Every field is a __u64,
 * matching XFRM_INF.  The soft_/hard_ naming, together with the 'hard' flag in
 * xfrm_user_expire and xfrm_user_polexpire, suggests soft limits raise an
 * expiry notification while hard limits end the object — this header does not
 * spell that out.  The *_expires_seconds names suggest seconds relative to
 * add_time / use_time in xfrm_lifetime_cur — confirm against the timer code.
 */
66struct xfrm_lifetime_cfg
67{
68	__u64	soft_byte_limit;		/* bytes processed before the soft limit */
69	__u64	hard_byte_limit;		/* bytes processed before the hard limit */
70	__u64	soft_packet_limit;		/* packets processed before the soft limit */
71	__u64	hard_packet_limit;		/* packets processed before the hard limit */
72	__u64	soft_add_expires_seconds;	/* soft expiry measured from creation (add) */
73	__u64	hard_add_expires_seconds;	/* hard expiry measured from creation (add) */
74	__u64	soft_use_expires_seconds;	/* soft expiry measured from first use */
75	__u64	hard_use_expires_seconds;	/* hard expiry measured from first use */
76};
77
/* Current lifetime counters, the running values that xfrm_lifetime_cfg limits
 * are compared against.  The units of add_time and use_time are not stated
 * here; the *_expires_seconds naming in xfrm_lifetime_cfg suggests seconds.
 */
78struct xfrm_lifetime_cur
79{
80	__u64	bytes;		/* bytes processed so far */
81	__u64	packets;	/* packets processed so far */
82	__u64	add_time;	/* when the object was created */
83	__u64	use_time;	/* when the object was first (or last — confirm) used */
84};
85
/* Anti-replay window state.  bitmap is a single __u32, so this structure can
 * track at most 32 sequence numbers below seq; a replay_window larger than 32
 * (xfrm_usersa_info.replay_window is a __u8, so up to 255 can be requested)
 * cannot be represented here.  oseq is presumably the outbound sequence
 * counter and seq the highest inbound sequence number accepted — confirm
 * against the replay-check code.
 */
86struct xfrm_replay_state
87{
88	__u32	oseq;		/* outbound sequence number (presumed) */
89	__u32	seq;		/* inbound high-water sequence number (presumed) */
90	__u32	bitmap;		/* one bit per sequence number below seq; 32-wide */
91};
92
/* Algorithm name and key as carried by the XFRMA_ALG_* attributes.
 * alg_name is a fixed 64-byte array and nothing in this header guarantees a
 * NUL terminator, so it must be treated as a bounded buffer rather than a C
 * string.  alg_key is a zero-length trailing array: the key bytes follow the
 * struct in memory and are not counted in sizeof.  alg_key_len is given in
 * bits, so (alg_key_len + 7) / 8 bytes follow; since it is a signed int, a
 * negative or oversized value must be rejected against the enclosing
 * attribute length before the key is read — the struct gives no other bound.
 */
93struct xfrm_algo {
94	char	alg_name[64];	/* bounded; not necessarily NUL-terminated */
95	int	alg_key_len;    /* in bits; signed, validate before using as a length */
96	char	alg_key[0];	/* key bytes follow the struct; see note above */
97};
98
/* Per-state counters reported to userspace in xfrm_usersa_info.stats.  The
 * field names suggest replay and integrity_failed count rejected packets;
 * what exactly increments them is not defined in this header.
 */
99struct xfrm_stats {
100	__u32	replay_window;		/* effective replay window size (presumed) */
101	__u32	replay;			/* packets rejected as replays (presumed) */
102	__u32	integrity_failed;	/* packets failing integrity checks (presumed) */
103};
104
/* Policy direction, presumably the value of xfrm_userpolicy_info.dir and
 * xfrm_userpolicy_id.dir.  Note that XFRM_POLICY_MAX is 3, one past the last
 * valid direction, i.e. a table size — unlike the other *_MAX macros in this
 * file, which are (__*_MAX - 1) and denote the last valid value.  A bounds
 * check on dir must therefore use "< XFRM_POLICY_MAX", not "<=".
 */
105enum
106{
107	XFRM_POLICY_IN	= 0,
108	XFRM_POLICY_OUT	= 1,
109	XFRM_POLICY_FWD	= 2,
110	XFRM_POLICY_MAX	= 3	/* count of directions, not a valid direction */
111};
112
/* Sharing scope of a state, presumably the value of the 'share' members in
 * xfrm_user_tmpl and xfrm_userpolicy_info.  Values are 0..3 in order.
 */
113enum
114{
115	XFRM_SHARE_ANY,		/* No limitations */
116	XFRM_SHARE_SESSION,	/* For this session only */
117	XFRM_SHARE_USER,	/* For this user only */
118	XFRM_SHARE_UNIQUE	/* Use once */
119};
120
121/* Netlink configuration messages.  */
/* Message types start at XFRM_MSG_BASE (0x10, the same value as
 * XFRM_MSG_NEWSA) and run contiguously up to __XFRM_MSG_MAX, which is not a
 * message.  Every type is also #defined to its own name so userspace can test
 * for it with #ifdef.  XFRM_MSG_MAX is the last valid type and
 * XFRM_NR_MSGTYPES the number of valid types; a dispatch table indexed by
 * (type - XFRM_MSG_BASE) must check "type >= XFRM_MSG_BASE && type <= XFRM_MSG_MAX"
 * first, since netlink can deliver any 16-bit type.
 */
122enum {
123	XFRM_MSG_BASE = 0x10,		/* first type; equals XFRM_MSG_NEWSA */
124
125	XFRM_MSG_NEWSA = 0x10,
126#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
127	XFRM_MSG_DELSA,
128#define XFRM_MSG_DELSA XFRM_MSG_DELSA
129	XFRM_MSG_GETSA,
130#define XFRM_MSG_GETSA XFRM_MSG_GETSA
131
132	XFRM_MSG_NEWPOLICY,
133#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
134	XFRM_MSG_DELPOLICY,
135#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
136	XFRM_MSG_GETPOLICY,
137#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
138
139	XFRM_MSG_ALLOCSPI,
140#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
141	XFRM_MSG_ACQUIRE,
142#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
143	XFRM_MSG_EXPIRE,
144#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
145
146	XFRM_MSG_UPDPOLICY,
147#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
148	XFRM_MSG_UPDSA,
149#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
150
151	XFRM_MSG_POLEXPIRE,
152#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
153
154	XFRM_MSG_FLUSHSA,
155#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
156	XFRM_MSG_FLUSHPOLICY,
157#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
158
159	XFRM_MSG_NEWAE,
160#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
161	XFRM_MSG_GETAE,
162#define XFRM_MSG_GETAE XFRM_MSG_GETAE
163	__XFRM_MSG_MAX			/* one past the last valid type; not a message */
164};
165#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)		/* last valid message type */
166
167#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)	/* number of valid types */
168
169/*
170 * Generic LSM security context for communicating to user space
171 * NOTE: Same format as sadb_x_sec_ctx
172 */
173struct xfrm_user_sec_ctx {
174	__u16			len;		/* total length of this header plus the context data (presumed) */
175	__u16			exttype;	/* extension type, as in the PF_KEY sadb_x_sec_ctx noted above */
176	__u8			ctx_alg;  /* LSMs: e.g., selinux == 1 (XFRM_SC_ALG_*) */
177	__u8			ctx_doi;	/* XFRM_SC_DOI_* */
178	__u16			ctx_len;	/* length of the context string that follows this struct (presumed) */
179};
/* NOTE(review): no trailing array is declared here; the context string is
 * presumably the bytes after the struct, so a consumer must check ctx_len
 * against both len and the netlink attribute length before reading it.  Also
 * note that ctx_alg and ctx_doi appear in the opposite order from
 * xfrm_sec_ctx (doi first there), so the two structs are not interchangeable
 * byte-for-byte.
 */
180
/* Template describing one SA a policy requires; XFRMA_TMPL carries one or
 * more of these.  The aalgos/ealgos/calgos names suggest bitmasks of
 * acceptable authentication / encryption / compression algorithms, and the
 * same three fields recur in xfrm_user_acquire — the bit assignment is not
 * defined in this header.
 */
181struct xfrm_user_tmpl {
182	struct xfrm_id		id;		/* daddr, spi, proto of the required SA */
183	__u16			family;		/* address family for id.daddr and saddr */
184	xfrm_address_t		saddr;		/* source address of the SA */
185	__u32			reqid;		/* request id matched against xfrm_usersa_info.reqid (presumed) */
186	__u8			mode;		/* presumably 0=transport,1=tunnel as for xfrm_usersa_info.mode — confirm */
187	__u8			share;		/* XFRM_SHARE_* (presumed) */
188	__u8			optional;	/* nonzero presumably means the SA need not exist — confirm */
189	__u32			aalgos;		/* acceptable auth algorithms (mask, presumed) */
190	__u32			ealgos;		/* acceptable encryption algorithms (mask, presumed) */
191	__u32			calgos;		/* acceptable compression algorithms (mask, presumed) */
192};
193
/* Encapsulation parameters carried with XFRMA_ENCAP (see the attribute
 * comment below).  The encap_type values are not defined in this header.
 */
194struct xfrm_encap_tmpl {
195	__u16		encap_type;	/* encapsulation kind; values defined elsewhere */
196	__u16		encap_sport;	/* source port of the encapsulating header */
197	__u16		encap_dport;	/* destination port of the encapsulating header */
198	xfrm_address_t	encap_oa;	/* "original address"; meaning not stated here — confirm */
199};
200
201/* AEVENT flags  */
/* Flags for the AE (asynchronous event) messages, presumably OR'd into
 * xfrm_aevent_id.flags.  XFRM_AE_UNSPEC is 0 and every other value is a
 * single bit, so they combine as a mask.  Because the highest bit is 64,
 * __XFRM_AE_MAX is 65 and XFRM_AE_MAX is 64 — the largest flag value, not a
 * count of flags, so it is not usable as an array size for per-flag tables.
 */
202enum xfrm_ae_ftype_t {
203	XFRM_AE_UNSPEC,		/* 0: no flags */
204	XFRM_AE_RTHR=1,	/* replay threshold */
205	XFRM_AE_RVAL=2, /* replay value */
206	XFRM_AE_LVAL=4, /* lifetime value */
207	XFRM_AE_ETHR=8, /* expiry timer threshold */
208	XFRM_AE_CR=16, /* Event cause is replay update */
209	XFRM_AE_CE=32, /* Event cause is timer expiry */
210	XFRM_AE_CU=64, /* Event cause is policy update */
211	__XFRM_AE_MAX		/* 65; not a flag */
212
213#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)	/* 64, the highest flag bit */
214};
215
216/* Netlink message attributes.  */
/* Attribute types carried in the messages above.  Where a comment names a
 * struct, that is the attribute's payload; the uncommented entries have no
 * payload documented in this header (the names suggest xfrm_lifetime_cur for
 * XFRMA_LTIME_VAL and xfrm_replay_state for XFRMA_REPLAY_VAL — confirm
 * against the netlink parser).  XFRMA_MAX is the last valid type; attributes
 * with a type above it must be rejected or ignored by the receiver.
 */
217enum xfrm_attr_type_t {
218	XFRMA_UNSPEC,
219	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
220	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
221	XFRMA_ALG_COMP,		/* struct xfrm_algo */
222	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
223	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
224	XFRMA_SA,		/* payload not documented here */
225	XFRMA_POLICY,		/* payload not documented here */
226	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
227	XFRMA_LTIME_VAL,	/* payload not documented here */
228	XFRMA_REPLAY_VAL,	/* payload not documented here */
229	XFRMA_REPLAY_THRESH,	/* payload not documented here */
230	XFRMA_ETIMER_THRESH,	/* payload not documented here */
231	__XFRMA_MAX		/* one past the last valid type */
232
233#define XFRMA_MAX (__XFRMA_MAX - 1)	/* last valid attribute type */
234};
235
/* Full description of a security association as exchanged with userspace.
 * Embeds the selector, id, lifetimes and stats defined above.  flags is a
 * mask of the XFRM_STATE_* bits defined inside the struct.  replay_window is
 * a __u8, so userspace can request up to 255, but the 32-bit bitmap in
 * xfrm_replay_state cannot track a window wider than 32 — a consumer must
 * bound it.
 */
236struct xfrm_usersa_info {
237	struct xfrm_selector		sel;	/* traffic the SA applies to */
238	struct xfrm_id			id;	/* daddr, spi, proto */
239	xfrm_address_t			saddr;	/* source address, family per 'family' */
240	struct xfrm_lifetime_cfg	lft;	/* configured limits */
241	struct xfrm_lifetime_cur	curlft;	/* current counters */
242	struct xfrm_stats		stats;	/* replay / integrity counters */
243	__u32				seq;	/* sequence number; correlation with xfrm_user_acquire.seq presumed — confirm */
244	__u32				reqid;	/* request id, matched by xfrm_user_tmpl.reqid (presumed) */
245	__u16				family;	/* address family for id.daddr and saddr */
246	__u8				mode; /* 0=transport,1=tunnel */
247	__u8				replay_window;	/* requested window; see note above about the 32-bit bitmap */
248	__u8				flags;	/* bitmask of the XFRM_STATE_* values below */
249#define XFRM_STATE_NOECN	1
250#define XFRM_STATE_DECAP_DSCP	2
251#define XFRM_STATE_NOPMTUDISC	4
252};
253
/* Key identifying an SA: the same (daddr, spi, proto) triple as xfrm_id plus
 * the address family needed to interpret daddr.  Embedded in xfrm_aevent_id
 * below; presumably also the payload of the DELSA/GETSA messages — confirm.
 */
254struct xfrm_usersa_id {
255	xfrm_address_t			daddr;	/* destination address */
256	__u32				spi;	/* Security Parameter Index */
257	__u16				family;	/* address family for daddr */
258	__u8				proto;	/* ah/esp protocol as in xfrm_id.proto */
259};
260
/* Identifies the SA an AE message (XFRM_MSG_NEWAE / XFRM_MSG_GETAE) refers
 * to.  flags is presumably a mask of enum xfrm_ae_ftype_t values saying which
 * attributes accompany the message — confirm against the AE handler.
 */
261struct xfrm_aevent_id {
262	struct xfrm_usersa_id		sa_id;	/* which SA the event concerns */
263	__u32				flags;	/* XFRM_AE_* mask (presumed) */
264};
265
/* SPI allocation request, presumably the payload of XFRM_MSG_ALLOCSPI: the
 * proposed SA plus the range the SPI should be chosen from.  Whether min and
 * max are inclusive is not stated here — confirm against the allocator and
 * reject min > max before use.
 */
266struct xfrm_userspi_info {
267	struct xfrm_usersa_info		info;	/* SA to allocate an SPI for */
268	__u32				min;	/* lower bound of the SPI range */
269	__u32				max;	/* upper bound of the SPI range */
270};
271
/* Full description of a policy rule as exchanged with userspace.  The
 * action and flags values are the macros defined inside the struct; dir is
 * presumably one of XFRM_POLICY_IN/OUT/FWD and share one of XFRM_SHARE_* —
 * confirm against the policy parser.
 */
272struct xfrm_userpolicy_info {
273	struct xfrm_selector		sel;		/* traffic the rule matches */
274	struct xfrm_lifetime_cfg	lft;		/* configured limits */
275	struct xfrm_lifetime_cur	curlft;		/* current counters */
276	__u32				priority;	/* ordering among rules; lower-vs-higher wins is not stated here */
277	__u32				index;		/* policy index, also used as a lookup key in xfrm_userpolicy_id */
278	__u8				dir;		/* XFRM_POLICY_IN/OUT/FWD (presumed) */
279	__u8				action;		/* XFRM_POLICY_ALLOW or XFRM_POLICY_BLOCK */
280#define XFRM_POLICY_ALLOW	0
281#define XFRM_POLICY_BLOCK	1
282	__u8				flags;		/* bitmask; only XFRM_POLICY_LOCALOK is defined here */
283#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
284	__u8				share;		/* XFRM_SHARE_* (presumed) */
285};
286
/* Key for looking up a policy, presumably by (sel, dir) or by index — which
 * of the two the kernel uses, and when, is not stated in this header.
 */
287struct xfrm_userpolicy_id {
288	struct xfrm_selector		sel;	/* selector of the policy */
289	__u32				index;	/* policy index (xfrm_userpolicy_info.index) */
290	__u8				dir;	/* XFRM_POLICY_IN/OUT/FWD (presumed) */
291};
292
/* Payload of an ACQUIRE notification (XFRM_MSG_ACQUIRE, presumed): a
 * kernel-originated request for an SA matching the given policy.  The
 * aalgos/ealgos/calgos fields mirror xfrm_user_tmpl and presumably hold
 * the acceptable algorithm masks; seq presumably lets the responding NEWSA be
 * correlated with this request — confirm both against the acquire code.
 */
293struct xfrm_user_acquire {
294	struct xfrm_id			id;	/* daddr, spi, proto of the wanted SA */
295	xfrm_address_t			saddr;	/* source address of the wanted SA */
296	struct xfrm_selector		sel;	/* traffic that triggered the request */
297	struct xfrm_userpolicy_info	policy;	/* policy the SA would satisfy */
298	__u32				aalgos;	/* acceptable auth algorithms (mask, presumed) */
299	__u32				ealgos;	/* acceptable encryption algorithms (mask, presumed) */
300	__u32				calgos;	/* acceptable compression algorithms (mask, presumed) */
301	__u32				seq;	/* request sequence number (presumed) */
302};
303
/* Payload of an SA expiry notification (XFRM_MSG_EXPIRE, presumed).  The
 * 'hard' flag presumably distinguishes a hard_* limit from a soft_* one in
 * xfrm_lifetime_cfg; nonzero meaning "hard" is inferred from the name.
 */
304struct xfrm_user_expire {
305	struct xfrm_usersa_info		state;	/* the expiring SA */
306	__u8				hard;	/* nonzero for a hard-limit expiry (presumed) */
307};
308
/* Payload of a policy expiry notification (XFRM_MSG_POLEXPIRE, presumed);
 * the counterpart of xfrm_user_expire for policies, with the same 'hard'
 * convention.
 */
309struct xfrm_user_polexpire {
310	struct xfrm_userpolicy_info	pol;	/* the expiring policy */
311	__u8				hard;	/* nonzero for a hard-limit expiry (presumed) */
312};
313
/* Payload of XFRM_MSG_FLUSHSA (presumed): the protocol whose SAs are
 * flushed.  Whether 0 means "all protocols" is not stated in this header.
 */
314struct xfrm_usersa_flush {
315	__u8				proto;	/* ah/esp protocol as in xfrm_id.proto */
316};
317
318/* backwards compatibility for userspace */
/* Legacy bitmask form of the multicast groups: each value equals
 * 1 << (XFRMNLGRP_x - 1) for the matching enum xfrm_nlgroups entry below
 * (ACQUIRE=1<<0, EXPIRE=1<<1, SA=1<<2, POLICY=1<<3).  No legacy bit is
 * defined for XFRMNLGRP_AEVENTS.
 */
319#define XFRMGRP_ACQUIRE		1
320#define XFRMGRP_EXPIRE		2
321#define XFRMGRP_SA		4
322#define XFRMGRP_POLICY		8
323
/* Netlink multicast groups for xfrm notifications.  XFRMNLGRP_NONE is 0 and
 * the rest number 1..5 in order; each is #defined to itself so userspace can
 * test for it with #ifdef.  XFRMNLGRP_MAX is the last valid group
 * (XFRMNLGRP_AEVENTS); __XFRMNLGRP_MAX is not a group.
 */
324enum xfrm_nlgroups {
325	XFRMNLGRP_NONE,			/* 0 */
326#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
327	XFRMNLGRP_ACQUIRE,		/* 1; legacy bit XFRMGRP_ACQUIRE */
328#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
329	XFRMNLGRP_EXPIRE,		/* 2; legacy bit XFRMGRP_EXPIRE */
330#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
331	XFRMNLGRP_SA,			/* 3; legacy bit XFRMGRP_SA */
332#define XFRMNLGRP_SA		XFRMNLGRP_SA
333	XFRMNLGRP_POLICY,		/* 4; legacy bit XFRMGRP_POLICY */
334#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
335	XFRMNLGRP_AEVENTS,		/* 5; no legacy bit */
336#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
337	__XFRMNLGRP_MAX			/* one past the last valid group */
338};
339#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)	/* last valid group */
340
341#endif /* _LINUX_XFRM_H */
342