1#ifndef _LINUX_XFRM_H
2#define _LINUX_XFRM_H
3
4#include <linux/in6.h>
5#include <linux/types.h>
6
7/* All of the structures in this file may not change size as they are
8 * passed into the kernel from userspace via netlink sockets.
9 */
10
/* Structure to encapsulate addresses. I do not want to use
 * "standard" structure. My apologies.
 *
 * The union itself does not record which member is valid; every
 * structure below that embeds it carries a separate "family" field
 * (e.g. xfrm_selector.family) which is presumably what selects the
 * view.  Because the members overlap, a4 aliases a6[0] and the first
 * word of in6.
 */
typedef union {
	__be32		a4;	/* IPv4 address, network byte order */
	__be32		a6[4];	/* IPv6 address as four big-endian words */
	struct in6_addr	in6;	/* IPv6 address in the <linux/in6.h> form */
} xfrm_address_t;
19
/* Ident of a specific xfrm_state. It is used on input to lookup
 * the state by (spi,daddr,ah/esp) or to store information about
 * spi, protocol and tunnel address on output.
 *
 * Note that there is no address family here; xfrm_usersa_id below is
 * the same triple plus a family field.
 */
struct xfrm_id {
	xfrm_address_t	daddr;	/* destination (tunnel) address */
	__be32		spi;	/* Security Parameter Index, network byte order */
	__u8		proto;	/* IPsec protocol (ah/esp per the comment above) */
};
29
/* LSM security context attached to a state or policy.  The context
 * string is variable length and follows the fixed header; ctx_str[0]
 * is the GNU zero-length-array idiom for that trailing data.
 *
 * NOTE(review): ctx_len comes from the peer of whoever parses this, so
 * a consumer should bound it against the enclosing attribute/buffer
 * length before touching ctx_str.  xfrm_user_sec_ctx below carries the
 * same ctx_* fields but in a different order.
 */
struct xfrm_sec_ctx {
	__u8	ctx_doi;	/* XFRM_SC_DOI_* (defined below) */
	__u8	ctx_alg;	/* XFRM_SC_ALG_* (defined below) */
	__u16	ctx_len;	/* length of ctx_str, presumably in bytes */
	__u32	ctx_sid;	/* LSM-specific security identifier */
	char	ctx_str[0];	/* trailing context string, ctx_len bytes */
};
37
/* Security Context Domains of Interpretation.
 * Values for xfrm_sec_ctx.ctx_doi / xfrm_user_sec_ctx.ctx_doi.
 */
#define XFRM_SC_DOI_RESERVED 0
#define XFRM_SC_DOI_LSM 1

/* Security Context Algorithms.
 * Values for xfrm_sec_ctx.ctx_alg / xfrm_user_sec_ctx.ctx_alg; only the
 * SELinux value is defined here.
 */
#define XFRM_SC_ALG_RESERVED 0
#define XFRM_SC_ALG_SELINUX 1
45
/* Selector, used both on policy rules (SPD) and on SAs.
 *
 * Addresses are qualified by prefix length (prefixlen_d / prefixlen_s)
 * and ports by an explicit mask; all port fields are big-endian.  The
 * interpretation of a zero mask or zero prefix as "match anything" is
 * not stated here — confirm against the matching code.
 */

struct xfrm_selector {
	xfrm_address_t	daddr;		/* destination address / prefix */
	xfrm_address_t	saddr;		/* source address / prefix */
	__be16	dport;			/* destination port, network byte order */
	__be16	dport_mask;		/* mask applied to dport when matching (presumably) */
	__be16	sport;			/* source port, network byte order */
	__be16	sport_mask;		/* mask applied to sport when matching (presumably) */
	__u16	family;			/* address family selecting the xfrm_address_t view */
	__u8	prefixlen_d;		/* prefix length for daddr, in bits */
	__u8	prefixlen_s;		/* prefix length for saddr, in bits */
	__u8	proto;			/* transport protocol number */
	int	ifindex;		/* interface index; plain int, so sign/size follow the ABI */
	__kernel_uid32_t	user;	/* uid the selector is restricted to (semantics not shown here) */
};
62
/* All-ones __u64, i.e. the largest representable value; presumably used
 * in xfrm_lifetime_cfg to mean "no limit".
 */
#define XFRM_INF (~(__u64)0)
64
/* Configured lifetime limits for a state or policy.  Each quantity has a
 * soft and a hard limit; the difference in effect (soft presumably
 * raises an EXPIRE notification while hard terminates the object) is
 * not defined in this header — confirm against the consumer.
 * XFRM_INF above is the "unlimited" value.
 */
struct xfrm_lifetime_cfg {
	__u64	soft_byte_limit;		/* bytes processed */
	__u64	hard_byte_limit;
	__u64	soft_packet_limit;		/* packets processed */
	__u64	hard_packet_limit;
	__u64	soft_add_expires_seconds;	/* seconds since the object was added */
	__u64	hard_add_expires_seconds;
	__u64	soft_use_expires_seconds;	/* seconds since first use */
	__u64	hard_use_expires_seconds;
};
75
/* Current lifetime counters, the running values compared against
 * xfrm_lifetime_cfg.  Time units/epoch for add_time and use_time are not
 * stated here.
 */
struct xfrm_lifetime_cur {
	__u64	bytes;		/* bytes processed so far */
	__u64	packets;	/* packets processed so far */
	__u64	add_time;	/* when the object was added */
	__u64	use_time;	/* when it was first/last used (which one is not shown here) */
};
82
/* Legacy (32-bit sequence number) anti-replay state.  The bitmap is a
 * single __u32, so this form can track a window of at most 32 packets;
 * larger windows need xfrm_replay_state_esn below.
 */
struct xfrm_replay_state {
	__u32	oseq;	/* last outbound sequence number */
	__u32	seq;	/* highest inbound sequence number seen */
	__u32	bitmap;	/* inbound replay window bitmap, one bit per sequence number */
};
88
/* Upper bound related to xfrm_replay_state_esn; it appears to cap the
 * replay window (in bits) and therefore the size of the trailing bitmap —
 * confirm the exact unit against the code that validates bmp_len.
 */
#define XFRMA_REPLAY_ESN_MAX	4096
90
/* Anti-replay state for Extended Sequence Numbers (ESN): the *_hi fields
 * presumably hold the upper 32 bits of the 64-bit sequence numbers.  The
 * bitmap is variable length and follows the header (bmp[0] is the GNU
 * zero-length-array idiom).
 *
 * NOTE(review): bmp_len and replay_window are supplied by the sender; a
 * consumer should check bmp_len against both the enclosing attribute
 * length and XFRMA_REPLAY_ESN_MAX, and replay_window against the bits
 * actually available in bmp, before indexing the bitmap.
 */
struct xfrm_replay_state_esn {
	unsigned int	bmp_len;	/* number of __u32 words in bmp[] (presumably) */
	__u32		oseq;		/* outbound sequence number, low 32 bits */
	__u32		seq;		/* inbound sequence number, low 32 bits */
	__u32		oseq_hi;	/* outbound sequence number, high 32 bits */
	__u32		seq_hi;		/* inbound sequence number, high 32 bits */
	__u32		replay_window;	/* window size in bits */
	__u32		bmp[0];		/* trailing replay bitmap, bmp_len words */
};
100
/* Generic algorithm descriptor (used for XFRMA_ALG_AUTH, XFRMA_ALG_CRYPT
 * and XFRMA_ALG_COMP).  The key follows the fixed header as trailing
 * data; alg_key_len is in bits, so the byte count is (alg_key_len + 7) / 8.
 *
 * NOTE(review): alg_key holds secret key material — callers building
 * these in userspace should wipe the buffer after sending it.  Nothing
 * here guarantees alg_name is NUL-terminated; consumers should not rely
 * on it being so.
 */
struct xfrm_algo {
	char		alg_name[64];	/* algorithm name, at most 64 bytes */
	unsigned int	alg_key_len;    /* in bits */
	char		alg_key[0];	/* trailing key bytes */
};
106
/* Authentication algorithm descriptor (XFRMA_ALG_AUTH_TRUNC).  Same
 * layout as xfrm_algo with an additional truncation length inserted
 * before the key; alg_trunc_len presumably is the ICV length kept after
 * truncation.  Same key-material and bounds caveats as xfrm_algo.
 */
struct xfrm_algo_auth {
	char		alg_name[64];	/* algorithm name, at most 64 bytes */
	unsigned int	alg_key_len;    /* in bits */
	unsigned int	alg_trunc_len;  /* in bits */
	char		alg_key[0];	/* trailing key bytes */
};
113
/* AEAD algorithm descriptor (XFRMA_ALG_AEAD).  Same layout as
 * xfrm_algo_auth but the extra field is the ICV length.  Same
 * key-material and bounds caveats as xfrm_algo.
 */
struct xfrm_algo_aead {
	char		alg_name[64];	/* algorithm name, at most 64 bytes */
	unsigned int	alg_key_len;	/* in bits */
	unsigned int	alg_icv_len;	/* in bits */
	char		alg_key[0];	/* trailing key bytes */
};
120
/* Per-state statistics reported with xfrm_usersa_info.  The two
 * counters are useful detection signals: a rising replay or
 * integrity_failed count on a state indicates rejected traffic.
 */
struct xfrm_stats {
	__u32	replay_window;		/* configured replay window */
	__u32	replay;			/* packets dropped as replays (presumably a counter) */
	__u32	integrity_failed;	/* packets failing integrity check (presumably a counter) */
};
126
/* Policy types (xfrm_userpolicy_type.type).  Note that
 * XFRM_POLICY_TYPE_MAX (2) is one past the last real type, i.e. a count,
 * and XFRM_POLICY_TYPE_ANY is a wildcard outside that range.
 */
enum {
	XFRM_POLICY_TYPE_MAIN	= 0,
	XFRM_POLICY_TYPE_SUB	= 1,
	XFRM_POLICY_TYPE_MAX	= 2,
	XFRM_POLICY_TYPE_ANY	= 255
};
133
/* Policy directions (xfrm_userpolicy_info.dir / xfrm_userpolicy_id.dir).
 * Unlike the policy-type enum above, XFRM_POLICY_MAX here equals
 * XFRM_POLICY_MASK (3), one past the last real direction.
 */
enum {
	XFRM_POLICY_IN	= 0,
	XFRM_POLICY_OUT	= 1,
	XFRM_POLICY_FWD	= 2,
	XFRM_POLICY_MASK = 3,
	XFRM_POLICY_MAX	= 3
};
141
/* Sharing scope of a state/template (xfrm_user_tmpl.share,
 * xfrm_userpolicy_info.share).  Values are sequential from 0.
 */
enum {
	XFRM_SHARE_ANY,		/* No limitations */
	XFRM_SHARE_SESSION,	/* For this session only */
	XFRM_SHARE_USER,	/* For this user only */
	XFRM_SHARE_UNIQUE	/* Use once */
};
148
/* Transform modes (xfrm_usersa_info.mode, xfrm_user_tmpl.mode,
 * xfrm_user_migrate.mode).  XFRM_MODE_MAX is one past the last mode.
 */
#define XFRM_MODE_TRANSPORT 0
#define XFRM_MODE_TUNNEL 1
#define XFRM_MODE_ROUTEOPTIMIZATION 2
#define XFRM_MODE_IN_TRIGGER 3
#define XFRM_MODE_BEET 4
#define XFRM_MODE_MAX 5
155
/* Netlink configuration messages.
 *
 * Each enumerator is shadowed by a same-named #define so that userspace
 * can feature-test a message type with #ifdef.  XFRM_MSG_BASE and
 * XFRM_MSG_NEWSA share the value 0x10; the remaining types count up from
 * there, and XFRM_MSG_MAX is the last valid type.  New types must only
 * be appended before __XFRM_MSG_MAX, since the numbers are ABI.
 */
enum {
	XFRM_MSG_BASE = 0x10,

	XFRM_MSG_NEWSA = 0x10,
#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
	XFRM_MSG_DELSA,
#define XFRM_MSG_DELSA XFRM_MSG_DELSA
	XFRM_MSG_GETSA,
#define XFRM_MSG_GETSA XFRM_MSG_GETSA

	XFRM_MSG_NEWPOLICY,
#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
	XFRM_MSG_DELPOLICY,
#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
	XFRM_MSG_GETPOLICY,
#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY

	XFRM_MSG_ALLOCSPI,
#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
	XFRM_MSG_ACQUIRE,
#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
	XFRM_MSG_EXPIRE,
#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE

	XFRM_MSG_UPDPOLICY,
#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
	XFRM_MSG_UPDSA,
#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA

	XFRM_MSG_POLEXPIRE,
#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE

	XFRM_MSG_FLUSHSA,
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
	XFRM_MSG_FLUSHPOLICY,
#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY

	XFRM_MSG_NEWAE,
#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
	XFRM_MSG_GETAE,
#define XFRM_MSG_GETAE XFRM_MSG_GETAE

	XFRM_MSG_REPORT,
#define XFRM_MSG_REPORT XFRM_MSG_REPORT

	XFRM_MSG_MIGRATE,
#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE

	XFRM_MSG_NEWSADINFO,
#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
	XFRM_MSG_GETSADINFO,
#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO

	XFRM_MSG_NEWSPDINFO,
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
	XFRM_MSG_GETSPDINFO,
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO

	XFRM_MSG_MAPPING,
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
	__XFRM_MSG_MAX		/* sentinel, not a valid message type */
};
/* Last valid message type. */
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
220
/* Number of message types, counting from XFRM_MSG_BASE; handy for sizing
 * dispatch tables indexed by (type - XFRM_MSG_BASE).
 */
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
222
/*
 * Generic LSM security context for communicating to user space
 * NOTE: Same format as sadb_x_sec_ctx
 *
 * This is the netlink-attribute form: len/exttype come first, then the
 * same ctx_* fields as xfrm_sec_ctx — but note that ctx_alg precedes
 * ctx_doi here, the reverse of xfrm_sec_ctx.  There is no trailing
 * array member; the context string presumably follows this header in
 * the attribute payload, and ctx_len should be validated against the
 * attribute length before it is read.
 */
struct xfrm_user_sec_ctx {
	__u16			len;	/* total length including this header (presumably) */
	__u16			exttype;
	__u8			ctx_alg;  /* LSMs: e.g., selinux == 1 (XFRM_SC_ALG_*) */
	__u8			ctx_doi;  /* XFRM_SC_DOI_* */
	__u16			ctx_len;  /* length of the context string that follows */
};
234
/* One template of a policy's transform bundle (XFRMA_TMPL carries one or
 * more of these).  The *algos fields are presumably bitmasks of the
 * algorithms acceptable for the state that will satisfy the template.
 */
struct xfrm_user_tmpl {
	struct xfrm_id		id;		/* daddr/spi/proto of the required state */
	__u16			family;		/* address family of id.daddr and saddr */
	xfrm_address_t		saddr;		/* required source address */
	__u32			reqid;		/* request id tying states to this policy */
	__u8			mode;		/* XFRM_MODE_* */
	__u8			share;		/* XFRM_SHARE_* */
	__u8			optional;	/* non-zero if the template may be skipped (presumably) */
	__u32			aalgos;		/* acceptable authentication algorithms */
	__u32			ealgos;		/* acceptable encryption algorithms */
	__u32			calgos;		/* acceptable compression algorithms */
};
247
/* Encapsulation parameters (XFRMA_ENCAP), presumably for UDP
 * encapsulation of ESP; port fields are big-endian.
 */
struct xfrm_encap_tmpl {
	__u16		encap_type;	/* encapsulation type; values not defined in this header */
	__be16		encap_sport;	/* encapsulation source port */
	__be16		encap_dport;	/* encapsulation destination port */
	xfrm_address_t	encap_oa;	/* original address (family taken from the enclosing SA) */
};
254
/* AEVENT flags (xfrm_aevent_id.flags).  These are single-bit values and
 * are combined by OR; XFRM_AE_MAX therefore evaluates to the highest
 * bit (64), not to a count of flags.
 */
enum xfrm_ae_ftype_t {
	XFRM_AE_UNSPEC,
	XFRM_AE_RTHR=1,	/* replay threshold */
	XFRM_AE_RVAL=2, /* replay value */
	XFRM_AE_LVAL=4, /* lifetime value */
	XFRM_AE_ETHR=8, /* expiry timer threshold */
	XFRM_AE_CR=16, /* Event cause is replay update */
	XFRM_AE_CE=32, /* Event cause is timer expiry */
	XFRM_AE_CU=64, /* Event cause is policy update */
	__XFRM_AE_MAX	/* sentinel (65) */

#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};
269
/* Policy type attribute (XFRMA_POLICY_TYPE).  Only type is meaningful;
 * the reserved fields pad the structure (a further byte of compiler
 * padding likely sits between type and reserved1).
 */
struct xfrm_userpolicy_type {
	__u8		type;		/* XFRM_POLICY_TYPE_* */
	__u16		reserved1;	/* unused */
	__u8		reserved2;	/* unused */
};
275
/* Netlink message attributes.  The comment after each attribute gives
 * the payload type.  Attribute numbers are ABI: append only, before
 * __XFRMA_MAX.
 *
 * NOTE(review): XFRMA_LASTUSED is documented as "unsigned long", whose
 * size differs between 32- and 64-bit builds; consumers that can see
 * both (e.g. a 64-bit kernel with 32-bit userspace) need to handle
 * that.  XFRMA_REPLAY_ESN_VAL refers to "struct xfrm_replay_esn",
 * which in this header is spelled struct xfrm_replay_state_esn.
 */
enum xfrm_attr_type_t {
	XFRMA_UNSPEC,
	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
	XFRMA_ALG_COMP,		/* struct xfrm_algo */
	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
	XFRMA_SA,		/* struct xfrm_usersa_info  */
	XFRMA_POLICY,		/* struct xfrm_userpolicy_info */
	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
	XFRMA_LTIME_VAL,	/* lifetime value (struct xfrm_lifetime_cur, presumably) */
	XFRMA_REPLAY_VAL,	/* replay value (struct xfrm_replay_state, presumably) */
	XFRMA_REPLAY_THRESH,	/* replay threshold */
	XFRMA_ETIMER_THRESH,	/* expiry timer threshold */
	XFRMA_SRCADDR,		/* xfrm_address_t */
	XFRMA_COADDR,		/* xfrm_address_t */
	XFRMA_LASTUSED,		/* unsigned long  */
	XFRMA_POLICY_TYPE,	/* struct xfrm_userpolicy_type */
	XFRMA_MIGRATE,		/* struct xfrm_user_migrate (presumably) */
	XFRMA_ALG_AEAD,		/* struct xfrm_algo_aead */
	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
	XFRMA_ALG_AUTH_TRUNC,	/* struct xfrm_algo_auth */
	XFRMA_MARK,		/* struct xfrm_mark */
	XFRMA_TFCPAD,		/* __u32 */
	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_esn (struct xfrm_replay_state_esn here) */
	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
	XFRMA_PROTO,		/* __u8 */
	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
	__XFRMA_MAX		/* sentinel, not a valid attribute */

#define XFRMA_MAX (__XFRMA_MAX - 1)
};
309
/* Firewall-mark match (XFRMA_MARK): a packet/object mark matches when
 * (mark & m) == (v & m), presumably — the comparison itself is not in
 * this header.
 */
struct xfrm_mark {
	__u32           v; /* value */
	__u32           m; /* mask */
};
314
/* Attributes of the SAD info messages (XFRM_MSG_NEWSADINFO /
 * XFRM_MSG_GETSADINFO).  XFRMA_SAD_HINFO carries struct xfrmu_sadhinfo.
 */
enum xfrm_sadattr_type_t {
	XFRMA_SAD_UNSPEC,
	XFRMA_SAD_CNT,		/* number of SAs (presumably a __u32) */
	XFRMA_SAD_HINFO,	/* struct xfrmu_sadhinfo */
	__XFRMA_SAD_MAX		/* sentinel */

#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
};
323
/* SAD hash-table sizing, reported via XFRMA_SAD_HINFO. */
struct xfrmu_sadhinfo {
	__u32 sadhcnt; /* current hash bkts */
	__u32 sadhmcnt; /* max allowed hash bkts */
};
328
/* Attributes of the SPD info messages (XFRM_MSG_NEWSPDINFO /
 * XFRM_MSG_GETSPDINFO).  The payload structures are defined just below.
 */
enum xfrm_spdattr_type_t {
	XFRMA_SPD_UNSPEC,
	XFRMA_SPD_INFO,		/* struct xfrmu_spdinfo */
	XFRMA_SPD_HINFO,	/* struct xfrmu_spdhinfo */
	XFRMA_SPD_IPV4_HTHRESH,	/* struct xfrmu_spdhthresh */
	XFRMA_SPD_IPV6_HTHRESH,	/* struct xfrmu_spdhthresh */
	__XFRMA_SPD_MAX		/* sentinel */

#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
};
339
/* SPD policy counts per direction (XFRMA_SPD_INFO).  The "s" variants
 * presumably count socket policies as opposed to global ones.
 */
struct xfrmu_spdinfo {
	__u32 incnt;	/* inbound policies */
	__u32 outcnt;	/* outbound policies */
	__u32 fwdcnt;	/* forward policies */
	__u32 inscnt;	/* inbound socket policies */
	__u32 outscnt;	/* outbound socket policies */
	__u32 fwdscnt;	/* forward socket policies */
};
348
/* SPD hash-table sizing (XFRMA_SPD_HINFO), mirroring xfrmu_sadhinfo. */
struct xfrmu_spdhinfo {
	__u32 spdhcnt;	/* current hash buckets */
	__u32 spdhmcnt;	/* max allowed hash buckets */
};
353
/* SPD hash thresholds (XFRMA_SPD_IPV4_HTHRESH / XFRMA_SPD_IPV6_HTHRESH).
 * lbits/rbits are prefix-length thresholds in bits; which side is
 * "left"/"right" (local/remote) is not stated here — confirm.
 */
struct xfrmu_spdhthresh {
	__u8 lbits;
	__u8 rbits;
};
358
/* Full description of a security association as exchanged with
 * userspace (XFRM_MSG_NEWSA/UPDSA/GETSA, XFRMA_SA).  The flag bits are
 * defined inline right after the flags field.
 *
 * replay_window is a __u8 (at most 255); with XFRM_STATE_ESN set the
 * window is presumably taken from xfrm_replay_state_esn.replay_window
 * instead — confirm against the consumer.
 */
struct xfrm_usersa_info {
	struct xfrm_selector		sel;		/* traffic selector */
	struct xfrm_id			id;		/* daddr/spi/proto */
	xfrm_address_t			saddr;		/* source address */
	struct xfrm_lifetime_cfg	lft;		/* configured limits */
	struct xfrm_lifetime_cur	curlft;		/* current counters */
	struct xfrm_stats		stats;		/* replay/integrity statistics */
	__u32				seq;		/* netlink/ACQUIRE sequence number */
	__u32				reqid;		/* request id matching policy templates */
	__u16				family;		/* address family of id.daddr and saddr */
	__u8				mode;		/* XFRM_MODE_xxx */
	__u8				replay_window;	/* legacy replay window, in packets */
	__u8				flags;		/* OR of the XFRM_STATE_* bits below */
#define XFRM_STATE_NOECN	1
#define XFRM_STATE_DECAP_DSCP	2
#define XFRM_STATE_NOPMTUDISC	4
#define XFRM_STATE_WILDRECV	8
#define XFRM_STATE_ICMP		16
#define XFRM_STATE_AF_UNSPEC	32
#define XFRM_STATE_ALIGN4	64
#define XFRM_STATE_ESN		128
};
381
/* Extra SA flag bit; by name it belongs to the __u32 carried in
 * XFRMA_SA_EXTRA_FLAGS rather than to xfrm_usersa_info.flags, which is
 * already full (bit 7 is XFRM_STATE_ESN).
 */
#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP	1
383
/* Identifies an SA for lookup/deletion (XFRM_MSG_DELSA/GETSA): the
 * xfrm_id triple plus the address family needed to interpret daddr.
 */
struct xfrm_usersa_id {
	xfrm_address_t			daddr;	/* destination address */
	__be32				spi;	/* SPI, network byte order */
	__u16				family;	/* address family of daddr */
	__u8				proto;	/* IPsec protocol */
};
390
/* Body of the AEVENT messages (XFRM_MSG_NEWAE/GETAE); flags is an OR of
 * the XFRM_AE_* values defined above.
 */
struct xfrm_aevent_id {
	struct xfrm_usersa_id		sa_id;	/* SA the event refers to */
	xfrm_address_t			saddr;	/* source address of that SA */
	__u32				flags;	/* XFRM_AE_* */
	__u32				reqid;	/* request id of the SA */
};
397
/* Body of XFRM_MSG_ALLOCSPI: the SA to allocate an SPI for plus the
 * inclusive range to pick from (presumably; bounds semantics and byte
 * order of min/max are not stated here).
 */
struct xfrm_userspi_info {
	struct xfrm_usersa_info		info;	/* SA description */
	__u32				min;	/* lowest acceptable SPI */
	__u32				max;	/* highest acceptable SPI */
};
403
/* Full description of a policy (XFRM_MSG_NEWPOLICY/UPDPOLICY/GETPOLICY,
 * XFRMA_POLICY).  The action and flag values are defined inline next to
 * the fields they apply to.  A policy with action XFRM_POLICY_BLOCK
 * drops matching traffic regardless of templates, so the action field
 * is the one to audit first when reviewing a policy dump.
 */
struct xfrm_userpolicy_info {
	struct xfrm_selector		sel;		/* traffic selector */
	struct xfrm_lifetime_cfg	lft;		/* configured limits */
	struct xfrm_lifetime_cur	curlft;		/* current counters */
	__u32				priority;	/* match priority; ordering (lower wins?) not stated here */
	__u32				index;		/* policy index */
	__u8				dir;		/* XFRM_POLICY_IN/OUT/FWD */
	__u8				action;		/* XFRM_POLICY_ALLOW or XFRM_POLICY_BLOCK */
#define XFRM_POLICY_ALLOW	0
#define XFRM_POLICY_BLOCK	1
	__u8				flags;		/* OR of XFRM_POLICY_LOCALOK / XFRM_POLICY_ICMP */
#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
	/* Automatically expand selector to include matching ICMP payloads. */
#define XFRM_POLICY_ICMP	2
	__u8				share;		/* XFRM_SHARE_* */
};
420
/* Identifies a policy for lookup/deletion (XFRM_MSG_DELPOLICY/GETPOLICY),
 * either by selector or by index — which one is used is not defined here.
 */
struct xfrm_userpolicy_id {
	struct xfrm_selector		sel;	/* selector of the policy */
	__u32				index;	/* policy index */
	__u8				dir;	/* XFRM_POLICY_IN/OUT/FWD */
};
426
/* Body of XFRM_MSG_ACQUIRE, sent to userspace (the key manager) when a
 * policy needs an SA that does not exist yet.  The *algos masks mirror
 * those in xfrm_user_tmpl.
 */
struct xfrm_user_acquire {
	struct xfrm_id			id;	/* daddr/spi/proto of the wanted SA */
	xfrm_address_t			saddr;	/* source address of the wanted SA */
	struct xfrm_selector		sel;	/* triggering traffic selector */
	struct xfrm_userpolicy_info	policy;	/* the policy that triggered the acquire */
	__u32				aalgos;	/* acceptable authentication algorithms */
	__u32				ealgos;	/* acceptable encryption algorithms */
	__u32				calgos;	/* acceptable compression algorithms */
	__u32				seq;	/* sequence number to echo back when the SA is added (presumably) */
};
437
/* Body of XFRM_MSG_EXPIRE: the SA that hit a lifetime limit; hard is
 * non-zero for a hard limit (presumably), zero for a soft one.
 */
struct xfrm_user_expire {
	struct xfrm_usersa_info		state;	/* the expiring SA */
	__u8				hard;	/* hard (non-zero) vs soft (0) expiry */
};
442
/* Body of XFRM_MSG_POLEXPIRE, the policy counterpart of xfrm_user_expire. */
struct xfrm_user_polexpire {
	struct xfrm_userpolicy_info	pol;	/* the expiring policy */
	__u8				hard;	/* hard (non-zero) vs soft (0) expiry */
};
447
/* Body of XFRM_MSG_FLUSHSA: which protocol's SAs to flush.  A flush is
 * destructive for every SA of that protocol, so the message type is
 * worth alerting on in audit/netlink monitoring.
 */
struct xfrm_usersa_flush {
	__u8				proto;	/* IPsec protocol to flush */
};
451
/* Body of XFRM_MSG_REPORT.  Note the field order (proto before sel),
 * which leaves compiler padding between the two.
 */
struct xfrm_user_report {
	__u8				proto;	/* IPsec protocol */
	struct xfrm_selector		sel;	/* selector the report is about */
};
456
/* Used by MIGRATE to pass addresses IKE should use to perform
 * SA negotiation with the peer (XFRMA_KMADDRESS). */
struct xfrm_user_kmaddress {
	xfrm_address_t                  local;		/* local IKE address */
	xfrm_address_t                  remote;		/* remote IKE address */
	__u32				reserved;	/* unused */
	__u16				family;		/* address family of local/remote */
};
465
/* One address migration entry (XFRM_MSG_MIGRATE): rewrite an SA's
 * endpoints from old_* to new_*.  old_family/new_family select the
 * xfrm_address_t views, so a migration may change address family.
 */
struct xfrm_user_migrate {
	xfrm_address_t			old_daddr;	/* current destination */
	xfrm_address_t			old_saddr;	/* current source */
	xfrm_address_t			new_daddr;	/* destination after migration */
	xfrm_address_t			new_saddr;	/* source after migration */
	__u8				proto;		/* IPsec protocol of the SA */
	__u8				mode;		/* XFRM_MODE_* */
	__u16				reserved;	/* unused */
	__u32				reqid;		/* request id of the SA */
	__u16				old_family;	/* family of old_daddr/old_saddr */
	__u16				new_family;	/* family of new_daddr/new_saddr */
};
478
/* Body of XFRM_MSG_MAPPING: notification that the source address/port of
 * an SA changed (presumably a NAT mapping change); ports are big-endian.
 */
struct xfrm_user_mapping {
	struct xfrm_usersa_id		id;		/* affected SA */
	__u32				reqid;		/* request id of the SA */
	xfrm_address_t			old_saddr;	/* previous source address */
	xfrm_address_t			new_saddr;	/* new source address */
	__be16				old_sport;	/* previous source port */
	__be16				new_sport;	/* new source port */
};
487
/* Address filter for dump requests (XFRMA_ADDRESS_FILTER): match SAs by
 * source/destination prefix.  splen/dplen are prefix lengths in bits
 * (presumably; zero likely means "any").
 */
struct xfrm_address_filter {
	xfrm_address_t			saddr;	/* source prefix */
	xfrm_address_t			daddr;	/* destination prefix */
	__u16				family;	/* address family of saddr/daddr */
	__u8				splen;	/* source prefix length */
	__u8				dplen;	/* destination prefix length */
};
495
/* backwards compatibility for userspace
 *
 * Old-style multicast group bitmask values.  Unlike the sequential
 * XFRMNLGRP_* ids below, these are single bits (note the gap at 0x10:
 * there is no XFRMGRP value for AEVENTS).
 */
#define XFRMGRP_ACQUIRE		1
#define XFRMGRP_EXPIRE		2
#define XFRMGRP_SA		4
#define XFRMGRP_POLICY		8
#define XFRMGRP_REPORT		0x20
502
/* Netlink multicast groups for xfrm notifications.  These are sequential
 * group ids (not bit values); as with the message types, each one is
 * shadowed by a same-named #define so userspace can #ifdef on it.
 */
enum xfrm_nlgroups {
	XFRMNLGRP_NONE,
#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
	XFRMNLGRP_ACQUIRE,	/* XFRM_MSG_ACQUIRE events */
#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
	XFRMNLGRP_EXPIRE,	/* XFRM_MSG_EXPIRE / POLEXPIRE events */
#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
	XFRMNLGRP_SA,		/* SA changes */
#define XFRMNLGRP_SA		XFRMNLGRP_SA
	XFRMNLGRP_POLICY,	/* policy changes */
#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
	XFRMNLGRP_AEVENTS,	/* XFRM_MSG_NEWAE events */
#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
	XFRMNLGRP_REPORT,	/* XFRM_MSG_REPORT events */
#define XFRMNLGRP_REPORT	XFRMNLGRP_REPORT
	XFRMNLGRP_MIGRATE,	/* XFRM_MSG_MIGRATE events */
#define XFRMNLGRP_MIGRATE	XFRMNLGRP_MIGRATE
	XFRMNLGRP_MAPPING,	/* XFRM_MSG_MAPPING events */
#define XFRMNLGRP_MAPPING	XFRMNLGRP_MAPPING
	__XFRMNLGRP_MAX		/* sentinel */
};
/* Last valid multicast group id. */
#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)
525
526#endif /* _LINUX_XFRM_H */
527