1#ifndef _LINUX_XFRM_H 2#define _LINUX_XFRM_H 3 4#include <linux/in6.h> 5#include <linux/types.h> 6 7/* All of the structures in this file may not change size as they are 8 * passed into the kernel from userspace via netlink sockets. 9 */ 10 11/* Structure to encapsulate addresses. I do not want to use 12 * "standard" structure. My apologies. 13 */ 14typedef union { 15 __be32 a4; 16 __be32 a6[4]; 17 struct in6_addr in6; 18} xfrm_address_t; 19 20/* Ident of a specific xfrm_state. It is used on input to lookup 21 * the state by (spi,daddr,ah/esp) or to store information about 22 * spi, protocol and tunnel address on output. 23 */ 24struct xfrm_id { 25 xfrm_address_t daddr; 26 __be32 spi; 27 __u8 proto; 28}; 29 30struct xfrm_sec_ctx { 31 __u8 ctx_doi; 32 __u8 ctx_alg; 33 __u16 ctx_len; 34 __u32 ctx_sid; 35 char ctx_str[0]; 36}; 37 38/* Security Context Domains of Interpretation */ 39#define XFRM_SC_DOI_RESERVED 0 40#define XFRM_SC_DOI_LSM 1 41 42/* Security Context Algorithms */ 43#define XFRM_SC_ALG_RESERVED 0 44#define XFRM_SC_ALG_SELINUX 1 45 46/* Selector, used as selector both on policy rules (SPD) and SAs. */ 47 48struct xfrm_selector { 49 xfrm_address_t daddr; 50 xfrm_address_t saddr; 51 __be16 dport; 52 __be16 dport_mask; 53 __be16 sport; 54 __be16 sport_mask; 55 __u16 family; 56 __u8 prefixlen_d; 57 __u8 prefixlen_s; 58 __u8 proto; 59 int ifindex; 60 __kernel_uid32_t user; 61}; 62 63#define XFRM_INF (~(__u64)0) 64 65struct xfrm_lifetime_cfg { 66 __u64 soft_byte_limit; 67 __u64 hard_byte_limit; 68 __u64 soft_packet_limit; 69 __u64 hard_packet_limit; 70 __u64 soft_add_expires_seconds; 71 __u64 hard_add_expires_seconds; 72 __u64 soft_use_expires_seconds; 73 __u64 hard_use_expires_seconds; 74}; 75 76struct xfrm_lifetime_cur { 77 __u64 bytes; 78 __u64 packets; 79 __u64 add_time; 80 __u64 use_time; 81}; 82 83struct xfrm_replay_state { 84 __u32 oseq; 85 __u32 seq; 86 __u32 bitmap; 87}; 88 89#define XFRMA_REPLAY_ESN_MAX 4096 90 91struct xfrm_replay_state_esn { 92 unsigned int bmp_len; 93 __u32 oseq; 94 __u32 seq; 95 __u32 oseq_hi; 96 __u32 seq_hi; 97 __u32 replay_window; 98 __u32 bmp[0]; 99}; 100 101struct xfrm_algo { 102 char alg_name[64]; 103 unsigned int alg_key_len; /* in bits */ 104 char alg_key[0]; 105}; 106 107struct xfrm_algo_auth { 108 char alg_name[64]; 109 unsigned int alg_key_len; /* in bits */ 110 unsigned int alg_trunc_len; /* in bits */ 111 char alg_key[0]; 112}; 113 114struct xfrm_algo_aead { 115 char alg_name[64]; 116 unsigned int alg_key_len; /* in bits */ 117 unsigned int alg_icv_len; /* in bits */ 118 char alg_key[0]; 119}; 120 121struct xfrm_stats { 122 __u32 replay_window; 123 __u32 replay; 124 __u32 integrity_failed; 125}; 126 127enum { 128 XFRM_POLICY_TYPE_MAIN = 0, 129 XFRM_POLICY_TYPE_SUB = 1, 130 XFRM_POLICY_TYPE_MAX = 2, 131 XFRM_POLICY_TYPE_ANY = 255 132}; 133 134enum { 135 XFRM_POLICY_IN = 0, 136 XFRM_POLICY_OUT = 1, 137 XFRM_POLICY_FWD = 2, 138 XFRM_POLICY_MASK = 3, 139 XFRM_POLICY_MAX = 3 140}; 141 142enum { 143 XFRM_SHARE_ANY, /* No limitations */ 144 XFRM_SHARE_SESSION, /* For this session only */ 145 XFRM_SHARE_USER, /* For this user only */ 146 XFRM_SHARE_UNIQUE /* Use once */ 147}; 148 149#define XFRM_MODE_TRANSPORT 0 150#define XFRM_MODE_TUNNEL 1 151#define XFRM_MODE_ROUTEOPTIMIZATION 2 152#define XFRM_MODE_IN_TRIGGER 3 153#define XFRM_MODE_BEET 4 154#define XFRM_MODE_MAX 5 155 156/* Netlink configuration messages. */ 157enum { 158 XFRM_MSG_BASE = 0x10, 159 160 XFRM_MSG_NEWSA = 0x10, 161#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA 162 XFRM_MSG_DELSA, 163#define XFRM_MSG_DELSA XFRM_MSG_DELSA 164 XFRM_MSG_GETSA, 165#define XFRM_MSG_GETSA XFRM_MSG_GETSA 166 167 XFRM_MSG_NEWPOLICY, 168#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY 169 XFRM_MSG_DELPOLICY, 170#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY 171 XFRM_MSG_GETPOLICY, 172#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY 173 174 XFRM_MSG_ALLOCSPI, 175#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI 176 XFRM_MSG_ACQUIRE, 177#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE 178 XFRM_MSG_EXPIRE, 179#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE 180 181 XFRM_MSG_UPDPOLICY, 182#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY 183 XFRM_MSG_UPDSA, 184#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA 185 186 XFRM_MSG_POLEXPIRE, 187#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE 188 189 XFRM_MSG_FLUSHSA, 190#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA 191 XFRM_MSG_FLUSHPOLICY, 192#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY 193 194 XFRM_MSG_NEWAE, 195#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE 196 XFRM_MSG_GETAE, 197#define XFRM_MSG_GETAE XFRM_MSG_GETAE 198 199 XFRM_MSG_REPORT, 200#define XFRM_MSG_REPORT XFRM_MSG_REPORT 201 202 XFRM_MSG_MIGRATE, 203#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE 204 205 XFRM_MSG_NEWSADINFO, 206#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO 207 XFRM_MSG_GETSADINFO, 208#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO 209 210 XFRM_MSG_NEWSPDINFO, 211#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO 212 XFRM_MSG_GETSPDINFO, 213#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO 214 215 XFRM_MSG_MAPPING, 216#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING 217 __XFRM_MSG_MAX 218}; 219#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) 220 221#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE) 222 223/* 224 * Generic LSM security context for comunicating to user space 225 * NOTE: Same format as sadb_x_sec_ctx 226 */ 227struct xfrm_user_sec_ctx { 228 __u16 len; 229 __u16 exttype; 230 __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */ 231 __u8 ctx_doi; 232 __u16 ctx_len; 233}; 234 235struct xfrm_user_tmpl { 236 struct xfrm_id id; 237 __u16 family; 238 xfrm_address_t saddr; 239 __u32 reqid; 240 __u8 mode; 241 __u8 share; 242 __u8 optional; 243 __u32 aalgos; 244 __u32 ealgos; 245 __u32 calgos; 246}; 247 248struct xfrm_encap_tmpl { 249 __u16 encap_type; 250 __be16 encap_sport; 251 __be16 encap_dport; 252 xfrm_address_t encap_oa; 253}; 254 255/* AEVENT flags */ 256enum xfrm_ae_ftype_t { 257 XFRM_AE_UNSPEC, 258 XFRM_AE_RTHR=1, /* replay threshold*/ 259 XFRM_AE_RVAL=2, /* replay value */ 260 XFRM_AE_LVAL=4, /* lifetime value */ 261 XFRM_AE_ETHR=8, /* expiry timer threshold */ 262 XFRM_AE_CR=16, /* Event cause is replay update */ 263 XFRM_AE_CE=32, /* Event cause is timer expiry */ 264 XFRM_AE_CU=64, /* Event cause is policy update */ 265 __XFRM_AE_MAX 266 267#define XFRM_AE_MAX (__XFRM_AE_MAX - 1) 268}; 269 270struct xfrm_userpolicy_type { 271 __u8 type; 272 __u16 reserved1; 273 __u8 reserved2; 274}; 275 276/* Netlink message attributes. */ 277enum xfrm_attr_type_t { 278 XFRMA_UNSPEC, 279 XFRMA_ALG_AUTH, /* struct xfrm_algo */ 280 XFRMA_ALG_CRYPT, /* struct xfrm_algo */ 281 XFRMA_ALG_COMP, /* struct xfrm_algo */ 282 XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ 283 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ 284 XFRMA_SA, /* struct xfrm_usersa_info */ 285 XFRMA_POLICY, /*struct xfrm_userpolicy_info */ 286 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ 287 XFRMA_LTIME_VAL, 288 XFRMA_REPLAY_VAL, 289 XFRMA_REPLAY_THRESH, 290 XFRMA_ETIMER_THRESH, 291 XFRMA_SRCADDR, /* xfrm_address_t */ 292 XFRMA_COADDR, /* xfrm_address_t */ 293 XFRMA_LASTUSED, /* unsigned long */ 294 XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ 295 XFRMA_MIGRATE, 296 XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ 297 XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ 298 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ 299 XFRMA_MARK, /* struct xfrm_mark */ 300 XFRMA_TFCPAD, /* __u32 */ 301 XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */ 302 XFRMA_SA_EXTRA_FLAGS, /* __u32 */ 303 XFRMA_PROTO, /* __u8 */ 304 XFRMA_ADDRESS_FILTER, /* struct xfrm_address_filter */ 305 __XFRMA_MAX 306 307#define XFRMA_MAX (__XFRMA_MAX - 1) 308}; 309 310struct xfrm_mark { 311 __u32 v; /* value */ 312 __u32 m; /* mask */ 313}; 314 315enum xfrm_sadattr_type_t { 316 XFRMA_SAD_UNSPEC, 317 XFRMA_SAD_CNT, 318 XFRMA_SAD_HINFO, 319 __XFRMA_SAD_MAX 320 321#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1) 322}; 323 324struct xfrmu_sadhinfo { 325 __u32 sadhcnt; /* current hash bkts */ 326 __u32 sadhmcnt; /* max allowed hash bkts */ 327}; 328 329enum xfrm_spdattr_type_t { 330 XFRMA_SPD_UNSPEC, 331 XFRMA_SPD_INFO, 332 XFRMA_SPD_HINFO, 333 XFRMA_SPD_IPV4_HTHRESH, 334 XFRMA_SPD_IPV6_HTHRESH, 335 __XFRMA_SPD_MAX 336 337#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1) 338}; 339 340struct xfrmu_spdinfo { 341 __u32 incnt; 342 __u32 outcnt; 343 __u32 fwdcnt; 344 __u32 inscnt; 345 __u32 outscnt; 346 __u32 fwdscnt; 347}; 348 349struct xfrmu_spdhinfo { 350 __u32 spdhcnt; 351 __u32 spdhmcnt; 352}; 353 354struct xfrmu_spdhthresh { 355 __u8 lbits; 356 __u8 rbits; 357}; 358 359struct xfrm_usersa_info { 360 struct xfrm_selector sel; 361 struct xfrm_id id; 362 xfrm_address_t saddr; 363 struct xfrm_lifetime_cfg lft; 364 struct xfrm_lifetime_cur curlft; 365 struct xfrm_stats stats; 366 __u32 seq; 367 __u32 reqid; 368 __u16 family; 369 __u8 mode; /* XFRM_MODE_xxx */ 370 __u8 replay_window; 371 __u8 flags; 372#define XFRM_STATE_NOECN 1 373#define XFRM_STATE_DECAP_DSCP 2 374#define XFRM_STATE_NOPMTUDISC 4 375#define XFRM_STATE_WILDRECV 8 376#define XFRM_STATE_ICMP 16 377#define XFRM_STATE_AF_UNSPEC 32 378#define XFRM_STATE_ALIGN4 64 379#define XFRM_STATE_ESN 128 380}; 381 382#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1 383 384struct xfrm_usersa_id { 385 xfrm_address_t daddr; 386 __be32 spi; 387 __u16 family; 388 __u8 proto; 389}; 390 391struct xfrm_aevent_id { 392 struct xfrm_usersa_id sa_id; 393 xfrm_address_t saddr; 394 __u32 flags; 395 __u32 reqid; 396}; 397 398struct xfrm_userspi_info { 399 struct xfrm_usersa_info info; 400 __u32 min; 401 __u32 max; 402}; 403 404struct xfrm_userpolicy_info { 405 struct xfrm_selector sel; 406 struct xfrm_lifetime_cfg lft; 407 struct xfrm_lifetime_cur curlft; 408 __u32 priority; 409 __u32 index; 410 __u8 dir; 411 __u8 action; 412#define XFRM_POLICY_ALLOW 0 413#define XFRM_POLICY_BLOCK 1 414 __u8 flags; 415#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ 416 /* Automatically expand selector to include matching ICMP payloads. */ 417#define XFRM_POLICY_ICMP 2 418 __u8 share; 419}; 420 421struct xfrm_userpolicy_id { 422 struct xfrm_selector sel; 423 __u32 index; 424 __u8 dir; 425}; 426 427struct xfrm_user_acquire { 428 struct xfrm_id id; 429 xfrm_address_t saddr; 430 struct xfrm_selector sel; 431 struct xfrm_userpolicy_info policy; 432 __u32 aalgos; 433 __u32 ealgos; 434 __u32 calgos; 435 __u32 seq; 436}; 437 438struct xfrm_user_expire { 439 struct xfrm_usersa_info state; 440 __u8 hard; 441}; 442 443struct xfrm_user_polexpire { 444 struct xfrm_userpolicy_info pol; 445 __u8 hard; 446}; 447 448struct xfrm_usersa_flush { 449 __u8 proto; 450}; 451 452struct xfrm_user_report { 453 __u8 proto; 454 struct xfrm_selector sel; 455}; 456 457/* Used by MIGRATE to pass addresses IKE should use to perform 458 * SA negotiation with the peer */ 459struct xfrm_user_kmaddress { 460 xfrm_address_t local; 461 xfrm_address_t remote; 462 __u32 reserved; 463 __u16 family; 464}; 465 466struct xfrm_user_migrate { 467 xfrm_address_t old_daddr; 468 xfrm_address_t old_saddr; 469 xfrm_address_t new_daddr; 470 xfrm_address_t new_saddr; 471 __u8 proto; 472 __u8 mode; 473 __u16 reserved; 474 __u32 reqid; 475 __u16 old_family; 476 __u16 new_family; 477}; 478 479struct xfrm_user_mapping { 480 struct xfrm_usersa_id id; 481 __u32 reqid; 482 xfrm_address_t old_saddr; 483 xfrm_address_t new_saddr; 484 __be16 old_sport; 485 __be16 new_sport; 486}; 487 488struct xfrm_address_filter { 489 xfrm_address_t saddr; 490 xfrm_address_t daddr; 491 __u16 family; 492 __u8 splen; 493 __u8 dplen; 494}; 495 496/* backwards compatibility for userspace */ 497#define XFRMGRP_ACQUIRE 1 498#define XFRMGRP_EXPIRE 2 499#define XFRMGRP_SA 4 500#define XFRMGRP_POLICY 8 501#define XFRMGRP_REPORT 0x20 502 503enum xfrm_nlgroups { 504 XFRMNLGRP_NONE, 505#define XFRMNLGRP_NONE XFRMNLGRP_NONE 506 XFRMNLGRP_ACQUIRE, 507#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE 508 XFRMNLGRP_EXPIRE, 509#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE 510 XFRMNLGRP_SA, 511#define XFRMNLGRP_SA XFRMNLGRP_SA 512 XFRMNLGRP_POLICY, 513#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY 514 XFRMNLGRP_AEVENTS, 515#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS 516 XFRMNLGRP_REPORT, 517#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT 518 XFRMNLGRP_MIGRATE, 519#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE 520 XFRMNLGRP_MAPPING, 521#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING 522 __XFRMNLGRP_MAX 523}; 524#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) 525 526#endif /* _LINUX_XFRM_H */ 527