xfrm.h revision 8f8a36487119a3cd1afe86a9649704aca088567b
1#ifndef _LINUX_XFRM_H 2#define _LINUX_XFRM_H 3 4#include <linux/types.h> 5 6/* All of the structures in this file may not change size as they are 7 * passed into the kernel from userspace via netlink sockets. 8 */ 9 10/* Structure to encapsulate addresses. I do not want to use 11 * "standard" structure. My apologies. 12 */ 13typedef union 14{ 15 __u32 a4; 16 __u32 a6[4]; 17} xfrm_address_t; 18 19/* Ident of a specific xfrm_state. It is used on input to lookup 20 * the state by (spi,daddr,ah/esp) or to store information about 21 * spi, protocol and tunnel address on output. 22 */ 23struct xfrm_id 24{ 25 xfrm_address_t daddr; 26 __u32 spi; 27 __u8 proto; 28}; 29 30struct xfrm_sec_ctx { 31 __u8 ctx_doi; 32 __u8 ctx_alg; 33 __u16 ctx_len; 34 __u32 ctx_sid; 35 char ctx_str[0]; 36}; 37 38/* Security Context Domains of Interpretation */ 39#define XFRM_SC_DOI_RESERVED 0 40#define XFRM_SC_DOI_LSM 1 41 42/* Security Context Algorithms */ 43#define XFRM_SC_ALG_RESERVED 0 44#define XFRM_SC_ALG_SELINUX 1 45 46/* Selector, used as selector both on policy rules (SPD) and SAs. */ 47 48struct xfrm_selector 49{ 50 xfrm_address_t daddr; 51 xfrm_address_t saddr; 52 __u16 dport; 53 __u16 dport_mask; 54 __u16 sport; 55 __u16 sport_mask; 56 __u16 family; 57 __u8 prefixlen_d; 58 __u8 prefixlen_s; 59 __u8 proto; 60 int ifindex; 61 uid_t user; 62}; 63 64#define XFRM_INF (~(__u64)0) 65 66struct xfrm_lifetime_cfg 67{ 68 __u64 soft_byte_limit; 69 __u64 hard_byte_limit; 70 __u64 soft_packet_limit; 71 __u64 hard_packet_limit; 72 __u64 soft_add_expires_seconds; 73 __u64 hard_add_expires_seconds; 74 __u64 soft_use_expires_seconds; 75 __u64 hard_use_expires_seconds; 76}; 77 78struct xfrm_lifetime_cur 79{ 80 __u64 bytes; 81 __u64 packets; 82 __u64 add_time; 83 __u64 use_time; 84}; 85 86struct xfrm_replay_state 87{ 88 __u32 oseq; 89 __u32 seq; 90 __u32 bitmap; 91}; 92 93struct xfrm_algo { 94 char alg_name[64]; 95 int alg_key_len; /* in bits */ 96 char alg_key[0]; 97}; 98 99struct xfrm_stats { 100 __u32 replay_window; 101 __u32 replay; 102 __u32 integrity_failed; 103}; 104 105enum 106{ 107 XFRM_POLICY_IN = 0, 108 XFRM_POLICY_OUT = 1, 109 XFRM_POLICY_FWD = 2, 110 XFRM_POLICY_MAX = 3 111}; 112 113enum 114{ 115 XFRM_SHARE_ANY, /* No limitations */ 116 XFRM_SHARE_SESSION, /* For this session only */ 117 XFRM_SHARE_USER, /* For this user only */ 118 XFRM_SHARE_UNIQUE /* Use once */ 119}; 120 121/* Netlink configuration messages. */ 122enum { 123 XFRM_MSG_BASE = 0x10, 124 125 XFRM_MSG_NEWSA = 0x10, 126#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA 127 XFRM_MSG_DELSA, 128#define XFRM_MSG_DELSA XFRM_MSG_DELSA 129 XFRM_MSG_GETSA, 130#define XFRM_MSG_GETSA XFRM_MSG_GETSA 131 132 XFRM_MSG_NEWPOLICY, 133#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY 134 XFRM_MSG_DELPOLICY, 135#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY 136 XFRM_MSG_GETPOLICY, 137#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY 138 139 XFRM_MSG_ALLOCSPI, 140#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI 141 XFRM_MSG_ACQUIRE, 142#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE 143 XFRM_MSG_EXPIRE, 144#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE 145 146 XFRM_MSG_UPDPOLICY, 147#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY 148 XFRM_MSG_UPDSA, 149#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA 150 151 XFRM_MSG_POLEXPIRE, 152#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE 153 154 XFRM_MSG_FLUSHSA, 155#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA 156 XFRM_MSG_FLUSHPOLICY, 157#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY 158 159 XFRM_MSG_NEWAE, 160#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE 161 XFRM_MSG_GETAE, 162#define XFRM_MSG_GETAE XFRM_MSG_GETAE 163 __XFRM_MSG_MAX 164}; 165#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) 166 167#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE) 168 169/* 170 * Generic LSM security context for comunicating to user space 171 * NOTE: Same format as sadb_x_sec_ctx 172 */ 173struct xfrm_user_sec_ctx { 174 __u16 len; 175 __u16 exttype; 176 __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */ 177 __u8 ctx_doi; 178 __u16 ctx_len; 179}; 180 181struct xfrm_user_tmpl { 182 struct xfrm_id id; 183 __u16 family; 184 xfrm_address_t saddr; 185 __u32 reqid; 186 __u8 mode; 187 __u8 share; 188 __u8 optional; 189 __u32 aalgos; 190 __u32 ealgos; 191 __u32 calgos; 192}; 193 194struct xfrm_encap_tmpl { 195 __u16 encap_type; 196 __u16 encap_sport; 197 __u16 encap_dport; 198 xfrm_address_t encap_oa; 199}; 200 201/* AEVENT flags */ 202enum xfrm_ae_ftype_t { 203 XFRM_AE_UNSPEC, 204 XFRM_AE_RTHR=1, /* replay threshold*/ 205 XFRM_AE_RVAL=2, /* replay value */ 206 XFRM_AE_LVAL=4, /* lifetime value */ 207 XFRM_AE_ETHR=8, /* expiry timer threshold */ 208 XFRM_AE_CR=16, /* Event cause is replay update */ 209 XFRM_AE_CE=32, /* Event cause is timer expiry */ 210 XFRM_AE_CU=64, /* Event cause is policy update */ 211 __XFRM_AE_MAX 212 213#define XFRM_AE_MAX (__XFRM_AE_MAX - 1) 214}; 215 216/* Netlink message attributes. */ 217enum xfrm_attr_type_t { 218 XFRMA_UNSPEC, 219 XFRMA_ALG_AUTH, /* struct xfrm_algo */ 220 XFRMA_ALG_CRYPT, /* struct xfrm_algo */ 221 XFRMA_ALG_COMP, /* struct xfrm_algo */ 222 XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ 223 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ 224 XFRMA_SA, 225 XFRMA_POLICY, 226 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ 227 XFRMA_LTIME_VAL, 228 XFRMA_REPLAY_VAL, 229 XFRMA_REPLAY_THRESH, 230 XFRMA_ETIMER_THRESH, 231 __XFRMA_MAX 232 233#define XFRMA_MAX (__XFRMA_MAX - 1) 234}; 235 236struct xfrm_usersa_info { 237 struct xfrm_selector sel; 238 struct xfrm_id id; 239 xfrm_address_t saddr; 240 struct xfrm_lifetime_cfg lft; 241 struct xfrm_lifetime_cur curlft; 242 struct xfrm_stats stats; 243 __u32 seq; 244 __u32 reqid; 245 __u16 family; 246 __u8 mode; /* 0=transport,1=tunnel */ 247 __u8 replay_window; 248 __u8 flags; 249#define XFRM_STATE_NOECN 1 250#define XFRM_STATE_DECAP_DSCP 2 251#define XFRM_STATE_NOPMTUDISC 4 252}; 253 254struct xfrm_usersa_id { 255 xfrm_address_t daddr; 256 __u32 spi; 257 __u16 family; 258 __u8 proto; 259}; 260 261struct xfrm_aevent_id { 262 struct xfrm_usersa_id sa_id; 263 __u32 flags; 264}; 265 266struct xfrm_userspi_info { 267 struct xfrm_usersa_info info; 268 __u32 min; 269 __u32 max; 270}; 271 272struct xfrm_userpolicy_info { 273 struct xfrm_selector sel; 274 struct xfrm_lifetime_cfg lft; 275 struct xfrm_lifetime_cur curlft; 276 __u32 priority; 277 __u32 index; 278 __u8 dir; 279 __u8 action; 280#define XFRM_POLICY_ALLOW 0 281#define XFRM_POLICY_BLOCK 1 282 __u8 flags; 283#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ 284 __u8 share; 285}; 286 287struct xfrm_userpolicy_id { 288 struct xfrm_selector sel; 289 __u32 index; 290 __u8 dir; 291}; 292 293struct xfrm_user_acquire { 294 struct xfrm_id id; 295 xfrm_address_t saddr; 296 struct xfrm_selector sel; 297 struct xfrm_userpolicy_info policy; 298 __u32 aalgos; 299 __u32 ealgos; 300 __u32 calgos; 301 __u32 seq; 302}; 303 304struct xfrm_user_expire { 305 struct xfrm_usersa_info state; 306 __u8 hard; 307}; 308 309struct xfrm_user_polexpire { 310 struct xfrm_userpolicy_info pol; 311 __u8 hard; 312}; 313 314struct xfrm_usersa_flush { 315 __u8 proto; 316}; 317 318/* backwards compatibility for userspace */ 319#define XFRMGRP_ACQUIRE 1 320#define XFRMGRP_EXPIRE 2 321#define XFRMGRP_SA 4 322#define XFRMGRP_POLICY 8 323 324enum xfrm_nlgroups { 325 XFRMNLGRP_NONE, 326#define XFRMNLGRP_NONE XFRMNLGRP_NONE 327 XFRMNLGRP_ACQUIRE, 328#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE 329 XFRMNLGRP_EXPIRE, 330#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE 331 XFRMNLGRP_SA, 332#define XFRMNLGRP_SA XFRMNLGRP_SA 333 XFRMNLGRP_POLICY, 334#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY 335 XFRMNLGRP_AEVENTS, 336#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS 337 __XFRMNLGRP_MAX 338}; 339#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) 340 341#endif /* _LINUX_XFRM_H */ 342