[thirdparty/strongswan.git] / src / libcharon / config / child_cfg.h

/*
 * Copyright (C) 2008-2019 Tobias Brunner
 * Copyright (C) 2016 Andreas Steffen
 * Copyright (C) 2005-2007 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup child_cfg child_cfg
 * @{ @ingroup config
 */

#ifndef CHILD_CFG_H_
#define CHILD_CFG_H_

typedef enum action_t action_t;
typedef enum child_cfg_option_t child_cfg_option_t;
typedef struct child_cfg_t child_cfg_t;
typedef struct child_cfg_create_t child_cfg_create_t;

#include <library.h>
#include <selectors/traffic_selector.h>
#include <crypto/proposal/proposal.h>
#include <kernel/kernel_ipsec.h>

/**
 * Action to take when connection is loaded, DPD is detected or
 * connection gets closed by peer.
 */
enum action_t {
	/** No action */
	ACTION_NONE = 0,
	/** Install trap policy to (re-)establish on demand */
	ACTION_TRAP = (1<<0),
	/** Start or restart immediately */
	ACTION_START = (1<<1),
};

/**
 * enum names for action_t.
 */
extern enum_name_t *action_names;

/**
 * A child_cfg_t defines the config template for a CHILD_SA.
 *
 * After creation, proposals and traffic selectors may be added to the config.
 * A child_cfg object is referenced multiple times, and is not thread save.
 * Reading from the object is save, adding things is not allowed while other
 * threads may access the object.
 * A reference counter handles the number of references hold to this config.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct child_cfg_t {

	/**
	 * Get the name of the child_cfg.
	 *
	 * @return				child_cfg's name
	 */
	char *(*get_name) (child_cfg_t *this);

	/**
	 * Add a proposal to the list.
	 *
	 * The proposals are stored by priority, first added
	 * is the most preferred. It is safe to add NULL as proposal, which has no
	 * effect. After add, proposal is owned by child_cfg.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);

	/**
	 * Get the list of proposals for the CHILD_SA.
	 *
	 * Resulting list and all of its proposals must be freed after use.
	 *
	 * @param strip_ke		TRUE strip out key exchange methods
	 * @return				list of proposals
	 */
	linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_ke);

	/**
	 * Select a proposal from a supplied list.
	 *
	 * Returned proposal is newly created and must be destroyed after usage.
	 *
	 * @param proposals		list from which proposals are selected
	 * @param flags			flags to consider during proposal selection
	 * @return				selected proposal, or NULL if nothing matches
	 */
	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
								   proposal_selection_flag_t flags);

	/**
	 * Add a traffic selector to the config.
	 *
	 * Use the "local" parameter to add it for the local or the remote side.
	 * After add, traffic selector is owned by child_cfg.
	 *
	 * @param local			TRUE for local side, FALSE for remote
	 * @param ts			traffic_selector to add
	 */
	void (*add_traffic_selector)(child_cfg_t *this, bool local,
								 traffic_selector_t *ts);

	/**
	 * Get a list of traffic selectors to use for the CHILD_SA.
	 *
	 * The config contains two set of traffic selectors, one for the local
	 * side, one for the remote side.
	 * If a list with traffic selectors is supplied, these are used to narrow
	 * down the traffic selector list to the greatest common divisor.
	 * Some traffic selector may be "dynamic", meaning they are narrowed down
	 * to a specific address (host-to-host or virtual-IP setups). Use
	 * the "host" parameter to narrow such traffic selectors to that address.
	 * Resulted list and its traffic selectors must be destroyed after use.
	 *
	 * @param local			TRUE for TS on local side, FALSE for remote
	 * @param supplied		list with TS to select from, or NULL
	 * @param hosts			addresses to use for narrowing "dynamic" TS', host_t
	 * @param log			FALSE to avoid logging details about the selection
	 * @return				list containing the traffic selectors
	 */
	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
											linked_list_t *supplied,
											linked_list_t *hosts, bool log);

	/**
	 * Get the updown script to run for the CHILD_SA.
	 *
	 * @return				path to updown script
	 */
	char* (*get_updown)(child_cfg_t *this);

	/**
	 * Get the lifetime configuration of a CHILD_SA.
	 *
	 * The rekey limits automatically contain a jitter to avoid simultaneous
	 * rekeying. These values will change with each call to this function.
	 *
	 * @param jitter		subtract jitter value to randomize lifetimes
	 * @return				lifetime_cfg_t (has to be freed)
	 */
	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);

	/**
	 * Get the mode to use for the CHILD_SA.
	 *
	 * The mode is either tunnel, transport or BEET. The peer must agree
	 * on the method, fallback is tunnel mode.
	 *
	 * @return				ipsec mode
	 */
	ipsec_mode_t (*get_mode) (child_cfg_t *this);

	/**
	 * Action to take to start CHILD_SA.
	 *
	 * @return				start action
	 */
	action_t (*get_start_action) (child_cfg_t *this);

	/**
	 * Action to take on DPD.
	 *
	 * @return				DPD action
	 */
	action_t (*get_dpd_action) (child_cfg_t *this);

	/**
	 * Get the HW offload mode to use for the CHILD_SA.
	 *
	 * @return				hw offload mode
	 */
	hw_offload_t (*get_hw_offload) (child_cfg_t *this);

	/**
	 * Get the copy mode for the DS header field to use for the CHILD_SA.
	 *
	 * @return				IP header copy mode
	 */
	dscp_copy_t (*get_copy_dscp) (child_cfg_t *this);

	/**
	 * Action to take if CHILD_SA gets closed.
	 *
	 * @return				close action
	 */
	action_t (*get_close_action) (child_cfg_t *this);

	/**
	 * Get the first algorithm of a certain transform type that's contained in
	 * any of the configured proposals.
	 *
	 * For instance, use with KEY_EXCHANGE_METHOD to get the KE method to use
	 * for the CHILD_SA initiation.
	 *
	 * @param type			transform type to look for
	 * @return				algorithm identifier (0 for none)
	 */
	uint16_t (*get_algorithm)(child_cfg_t *this, transform_type_t type);

	/**
	 * Get the inactivity timeout value.
	 *
	 * @return				inactivity timeout in s
	 */
	uint32_t (*get_inactivity)(child_cfg_t *this);

	/**
	 * Specific reqid to use for CHILD_SA.
	 *
	 * @return				reqid
	 */
	uint32_t (*get_reqid)(child_cfg_t *this);

	/**
	 * Optional interface ID to set on policies/SAs.
	 *
	 * @param inbound		TRUE for inbound, FALSE for outbound
	 * @return				interface ID
	 */
	uint32_t (*get_if_id)(child_cfg_t *this, bool inbound);

	/**
	 * Optional mark to set on policies/SAs.
	 *
	 * @param inbound		TRUE for inbound, FALSE for outbound
	 * @return				mark
	 */
	mark_t (*get_mark)(child_cfg_t *this, bool inbound);

	/**
	 * Optional mark the SAs should apply after processing packets.
	 *
	 * @param inbound		TRUE for inbound, FALSE for outbound
	 * @return				mark
	 */
	mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);

	/**
	 * Optional security label to be configured on policies.
	 *
	 * @return				label or NULL
	 */
	sec_label_t *(*get_label)(child_cfg_t *this);

	/**
	 * Get the mode in which the security label is used.
	 *
	 * @return				label mode (never SEC_LABEL_MODE_SYSTEM)
	 */
	sec_label_mode_t (*get_label_mode)(child_cfg_t *this);

	/**
	 * Select a security label from the given list that matches the configured
	 * label.
	 *
	 * This fails under the following conditions:
	 * - a label is configured but no labels are provided
	 * - no label is configured but at least one label is provided
	 * - the configured and provided labels don't match
	 *
	 * If no label is configured and none are provided, that's considered a
	 * success and label will be set to NULL.
	 *
	 * @param labels		list of labels to match
	 * @param log			FALSE to avoid logging details about the selection
	 * @param[out] label	selected label or NULL if no label necessary
	 * @param[out] exact	TRUE if there was an exact match
	 * @return				FALSE on failure
	 */
	bool (*select_label)(child_cfg_t *this, linked_list_t *labels, bool log,
						 sec_label_t **label, bool *exact);

	/**
	 * Get the TFC padding value to use for CHILD_SA.
	 *
	 * @return				TFC padding, 0 to disable, -1 for MTU
	 */
	uint32_t (*get_tfc)(child_cfg_t *this);

	/**
	 * Get optional manually-set IPsec policy priority
	 *
	 * @return				manually-set IPsec policy priority (automatic if 0)
	 */
	uint32_t (*get_manual_prio)(child_cfg_t *this);

	/**
	 * Get optional network interface restricting IPsec policy
	 *
	 * @return				network interface)
	 */
	char* (*get_interface)(child_cfg_t *this);

	/**
	 * Get anti-replay window size
	 *
	 * @return				anti-replay window size
	 */
	uint32_t (*get_replay_window)(child_cfg_t *this);

	/**
	 * Set anti-replay window size
	 *
	 * @param window        anti-replay window size
	 */
	void (*set_replay_window)(child_cfg_t *this, uint32_t window);

	/**
	 * Check if an option flag is set.
	 *
	 * @param option		option flag to check
	 * @return				TRUE if option flag set, FALSE otherwise
	 */
	bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);

	/**
	 * Check if two child_cfg objects are equal.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if equal
	 */
	bool (*equals)(child_cfg_t *this, child_cfg_t *other);

	/**
	 * Increase the reference count.
	 *
	 * @return				reference to this
	 */
	child_cfg_t* (*get_ref) (child_cfg_t *this);

	/**
	 * Destroys the child_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the child_cfg when it reaches zero.
	 */
	void (*destroy) (child_cfg_t *this);
};

/**
 * Option flags that may be set on a child_cfg_t object
 */
enum child_cfg_option_t {

	/** Use IPsec transport proxy mode */
	OPT_PROXY_MODE = (1<<0),

	/** Use IPComp, if peer supports it */
	OPT_IPCOMP = (1<<1),

	/** Allow access to the local host */
	OPT_HOSTACCESS = (1<<2),

	/** Don't install any IPsec policies */
	OPT_NO_POLICIES = (1<<3),

	/** Install outbound FWD IPsec policies to bypass drop policies */
	OPT_FWD_OUT_POLICIES = (1<<4),

	/** Force 96-bit truncation for SHA-256 */
	OPT_SHA256_96 = (1<<5),

	/** Set mark on inbound SAs */
	OPT_MARK_IN_SA = (1<<6),

	/** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
	OPT_NO_COPY_DF = (1<<7),

	/** Disable copying the ECN header field in tunnel mode */
	OPT_NO_COPY_ECN = (1<<8),

	/** Enable per-CPU CHILD_SAs */
	OPT_PER_CPU_SAS = (1<<9),

	/** Enable UDP encapsulation for per-CPU CHILD_SAs */
	OPT_PER_CPU_SAS_ENCAP = (1<<10),
};

/**
 * Data passed to the constructor of a child_cfg_t object.
 */
struct child_cfg_create_t {
	/** Options set for CHILD_SA */
	child_cfg_option_t options;
	/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
	uint32_t reqid;
	/** Optional inbound interface ID */
	uint32_t if_id_in;
	/** Optional outbound interface ID */
	uint32_t if_id_out;
	/** Optional inbound mark */
	mark_t mark_in;
	/** Optional outbound mark */
	mark_t mark_out;
	/** Optional inbound mark the SA should apply to traffic */
	mark_t set_mark_in;
	/** Optional outbound mark the SA should apply to traffic */
	mark_t set_mark_out;
	/** Optional security label configured on policies (cloned) */
	sec_label_t *label;
	/** Optional security label mode */
	sec_label_mode_t label_mode;
	/** Mode to propose for CHILD_SA */
	ipsec_mode_t mode;
	/** TFC padding size, 0 to disable, -1 to pad to PMTU */
	uint32_t tfc;
	/** Optional manually-set IPsec policy priority */
	uint32_t priority;
	/** Optional network interface restricting IPsec policy (cloned) */
	char *interface;
	/** lifetime_cfg_t for this child_cfg */
	lifetime_cfg_t lifetime;
	/** Inactivity timeout in s before closing a CHILD_SA */
	uint32_t inactivity;
	/** Start action */
	action_t start_action;
	/** DPD action */
	action_t dpd_action;
	/** Close action */
	action_t close_action;
	/** updown script to execute on up/down event (cloned) */
	char *updown;
	/** HW offload mode */
	hw_offload_t hw_offload;
	/** How to handle the DS header field in tunnel mode */
	dscp_copy_t copy_dscp;
};

/**
 * Create a configuration template for CHILD_SA setup.
 *
 * After a call to create, a reference is obtained (refcount = 1).
 *
 * @param name				name of the child_cfg (cloned)
 * @param data				data for this child_cfg
 * @return					child_cfg_t object
 */
child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);

#endif /** CHILD_CFG_H_ @}*/
Commit	Line	Data
e0fe7651	1	/*
72c96dbf	2	* Copyright (C) 2008-2019 Tobias Brunner
7f57c4f9	3	* Copyright (C) 2016 Andreas Steffen
e0fe7651 MW	4	* Copyright (C) 2005-2007 Martin Willi
e0fe7651 MW	5	* Copyright (C) 2005 Jan Hutter
19ef2aec TB	6	*
19ef2aec TB	7	* Copyright (C) secunet Security Networks AG
e0fe7651 MW	8	*
	9	* This program is free software; you can redistribute it and/or modify it
	10	* under the terms of the GNU General Public License as published by the
	11	* Free Software Foundation; either version 2 of the License, or (at your
	12	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	13	*
	14	* This program is distributed in the hope that it will be useful, but
	15	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	16	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	17	* for more details.
552cc11b MW	18	*/
	19
	20	/**
	21	* @defgroup child_cfg child_cfg
	22	* @{ @ingroup config
e0fe7651 MW	23	*/
	24
	25	#ifndef CHILD_CFG_H_
	26	#define CHILD_CFG_H_
	27
96926b00	28	typedef enum action_t action_t;
749ac175	29	typedef enum child_cfg_option_t child_cfg_option_t;
e0fe7651	30	typedef struct child_cfg_t child_cfg_t;
8a00a845	31	typedef struct child_cfg_create_t child_cfg_create_t;
e0fe7651 MW	32
e0fe7651 MW	33	#include <library.h>
1125a0be	34	#include <selectors/traffic_selector.h>
2307bffe	35	#include <crypto/proposal/proposal.h>
a341a68f	36	#include <kernel/kernel_ipsec.h>
e0fe7651	37
96926b00	38	/**
c616d84c AS	39	* Action to take when connection is loaded, DPD is detected or
c616d84c AS	40	* connection gets closed by peer.
96926b00 MW	41	*/
	42	enum action_t {
	43	/** No action */
4f4d4021 TB	44	ACTION_NONE = 0,
	45	/** Install trap policy to (re-)establish on demand */
	46	ACTION_TRAP = (1<<0),
	47	/** Start or restart immediately */
	48	ACTION_START = (1<<1),
96926b00 MW	49	};
	50
	51	/**
	52	* enum names for action_t.
	53	*/
	54	extern enum_name_t *action_names;
	55
e0fe7651	56	/**
552cc11b	57	* A child_cfg_t defines the config template for a CHILD_SA.
e0fe7651 MW	58	*
	59	* After creation, proposals and traffic selectors may be added to the config.
	60	* A child_cfg object is referenced multiple times, and is not thread save.
3b138b84	61	* Reading from the object is save, adding things is not allowed while other
7daf5226	62	* threads may access the object.
e0fe7651	63	* A reference counter handles the number of references hold to this config.
3b138b84 MW	64	*
3b138b84 MW	65	* @see peer_cfg_t to get an overview over the configurations.
e0fe7651 MW	66	*/
e0fe7651 MW	67	struct child_cfg_t {
7daf5226	68
e0fe7651	69	/**
552cc11b	70	* Get the name of the child_cfg.
7daf5226	71	*
e0fe7651 MW	72	* @return child_cfg's name
	73	*/
	74	char (get_name) (child_cfg_t *this);
7daf5226	75
e0fe7651	76	/**
7daf5226 MW	77	* Add a proposal to the list.
7daf5226 MW	78	*
e0fe7651	79	* The proposals are stored by priority, first added
356846db MW	80	* is the most preferred. It is safe to add NULL as proposal, which has no
356846db MW	81	* effect. After add, proposal is owned by child_cfg.
7daf5226	82	*
356846db	83	* @param proposal proposal to add, or NULL
e0fe7651 MW	84	*/
e0fe7651 MW	85	void (add_proposal) (child_cfg_t this, proposal_t *proposal);
7daf5226	86
e0fe7651	87	/**
552cc11b	88	* Get the list of proposals for the CHILD_SA.
e0fe7651 MW	89	*
e0fe7651 MW	90	* Resulting list and all of its proposals must be freed after use.
7daf5226	91	*
3af7c6db	92	* @param strip_ke TRUE strip out key exchange methods
e0fe7651 MW	93	* @return list of proposals
e0fe7651 MW	94	*/
3af7c6db	95	linked_list_t* (get_proposals)(child_cfg_t this, bool strip_ke);
7daf5226	96
e0fe7651	97	/**
552cc11b	98	* Select a proposal from a supplied list.
e0fe7651	99	*
b3ab7a48	100	* Returned proposal is newly created and must be destroyed after usage.
7daf5226	101	*
f3bb1bd0	102	* @param proposals list from which proposals are selected
f930b732	103	* @param flags flags to consider during proposal selection
e0fe7651 MW	104	* @return selected proposal, or NULL if nothing matches
e0fe7651 MW	105	*/
1fd5383e	106	proposal_t* (select_proposal)(child_cfg_tthis, linked_list_t *proposals,
f930b732	107	proposal_selection_flag_t flags);
7daf5226	108
e0fe7651	109	/**
552cc11b	110	* Add a traffic selector to the config.
7daf5226	111	*
e0fe7651 MW	112	* Use the "local" parameter to add it for the local or the remote side.
e0fe7651 MW	113	* After add, traffic selector is owned by child_cfg.
7daf5226	114	*
e0fe7651 MW	115	* @param local TRUE for local side, FALSE for remote
	116	* @param ts traffic_selector to add
	117	*/
	118	void (add_traffic_selector)(child_cfg_t this, bool local,
	119	traffic_selector_t *ts);
7daf5226	120
e0fe7651	121	/**
552cc11b	122	* Get a list of traffic selectors to use for the CHILD_SA.
7daf5226	123	*
e0fe7651 MW	124	* The config contains two set of traffic selectors, one for the local
	125	* side, one for the remote side.
	126	* If a list with traffic selectors is supplied, these are used to narrow
	127	* down the traffic selector list to the greatest common divisor.
b3ab7a48	128	* Some traffic selector may be "dynamic", meaning they are narrowed down
e0fe7651 MW	129	* to a specific address (host-to-host or virtual-IP setups). Use
	130	* the "host" parameter to narrow such traffic selectors to that address.
	131	* Resulted list and its traffic selectors must be destroyed after use.
7daf5226	132	*
e0fe7651 MW	133	* @param local TRUE for TS on local side, FALSE for remote
e0fe7651 MW	134	* @param supplied list with TS to select from, or NULL
7ee37114	135	* @param hosts addresses to use for narrowing "dynamic" TS', host_t
84cdfbc9	136	* @param log FALSE to avoid logging details about the selection
e0fe7651 MW	137	* @return list containing the traffic selectors
	138	*/
	139	linked_list_t (get_traffic_selectors)(child_cfg_t *this, bool local,
	140	linked_list_t *supplied,
84cdfbc9 TB	141	linked_list_t *hosts, bool log);
84cdfbc9 TB	142
e0fe7651	143	/**
552cc11b	144	* Get the updown script to run for the CHILD_SA.
7daf5226	145	*
e0fe7651 MW	146	* @return path to updown script
	147	*/
	148	char* (get_updown)(child_cfg_t this);
7daf5226	149
e0fe7651	150	/**
caf87c7d	151	* Get the lifetime configuration of a CHILD_SA.
e0fe7651	152	*
caf87c7d TB	153	* The rekey limits automatically contain a jitter to avoid simultaneous
	154	* rekeying. These values will change with each call to this function.
	155	*
b1df6312	156	* @param jitter subtract jitter value to randomize lifetimes
caf87c7d	157	* @return lifetime_cfg_t (has to be freed)
e0fe7651	158	*/
b1df6312	159	lifetime_cfg_t* (get_lifetime) (child_cfg_t this, bool jitter);
7daf5226	160
e0fe7651	161	/**
552cc11b	162	* Get the mode to use for the CHILD_SA.
e0fe7651 MW	163	*
	164	* The mode is either tunnel, transport or BEET. The peer must agree
	165	* on the method, fallback is tunnel mode.
7daf5226	166	*
96926b00	167	* @return ipsec mode
e0fe7651	168	*/
a341a68f	169	ipsec_mode_t (get_mode) (child_cfg_t this);
7daf5226	170
c616d84c AS	171	/**
	172	* Action to take to start CHILD_SA.
	173	*
	174	* @return start action
	175	*/
	176	action_t (get_start_action) (child_cfg_t this);
	177
96926b00	178	/**
348af092	179	* Action to take on DPD.
96926b00	180	*
348af092	181	* @return DPD action
7daf5226	182	*/
348af092	183	action_t (get_dpd_action) (child_cfg_t this);
7daf5226	184
8ced1570 AN	185	/**
	186	* Get the HW offload mode to use for the CHILD_SA.
	187	*
	188	* @return hw offload mode
	189	*/
	190	hw_offload_t (get_hw_offload) (child_cfg_t this);
	191
c993eaf9 TB	192	/**
	193	* Get the copy mode for the DS header field to use for the CHILD_SA.
	194	*
	195	* @return IP header copy mode
	196	*/
	197	dscp_copy_t (get_copy_dscp) (child_cfg_t this);
	198
348af092 MW	199	/**
	200	* Action to take if CHILD_SA gets closed.
	201	*
	202	* @return close action
7daf5226	203	*/
348af092	204	action_t (get_close_action) (child_cfg_t this);
7daf5226	205
1fd5383e	206	/**
ec350ebb TB	207	* Get the first algorithm of a certain transform type that's contained in
ec350ebb TB	208	* any of the configured proposals.
7daf5226	209	*
ec350ebb TB	210	* For instance, use with KEY_EXCHANGE_METHOD to get the KE method to use
	211	* for the CHILD_SA initiation.
	212	*
	213	* @param type transform type to look for
	214	* @return algorithm identifier (0 for none)
1fd5383e	215	*/
ec350ebb	216	uint16_t (get_algorithm)(child_cfg_t this, transform_type_t type);
7daf5226	217
71da0017 MW	218	/**
	219	* Get the inactivity timeout value.
	220	*
	221	* @return inactivity timeout in s
	222	*/
b12c53ce	223	uint32_t (get_inactivity)(child_cfg_t this);
71da0017	224
277fcf9f	225	/**
0ceb2888	226	* Specific reqid to use for CHILD_SA.
277fcf9f RB	227	*
	228	* @return reqid
	229	*/
b12c53ce	230	uint32_t (get_reqid)(child_cfg_t this);
277fcf9f	231
72c96dbf TB	232	/**
	233	* Optional interface ID to set on policies/SAs.
	234	*
	235	* @param inbound TRUE for inbound, FALSE for outbound
	236	* @return interface ID
	237	*/
	238	uint32_t (get_if_id)(child_cfg_t this, bool inbound);
	239
ee26c537	240	/**
fa4d4012	241	* Optional mark to set on policies/SAs.
ee26c537	242	*
6f449d2e	243	* @param inbound TRUE for inbound, FALSE for outbound
ee26c537 AS	244	* @return mark
	245	*/
	246	mark_t (get_mark)(child_cfg_t this, bool inbound);
	247
fa4d4012 TB	248	/**
	249	* Optional mark the SAs should apply after processing packets.
	250	*
	251	* @param inbound TRUE for inbound, FALSE for outbound
	252	* @return mark
	253	*/
	254	mark_t (get_set_mark)(child_cfg_t this, bool inbound);
	255
ef72ac88 TB	256	/**
	257	* Optional security label to be configured on policies.
	258	*
	259	* @return label or NULL
	260	*/
	261	sec_label_t (get_label)(child_cfg_t *this);
	262
	263	/**
	264	* Get the mode in which the security label is used.
	265	*
	266	* @return label mode (never SEC_LABEL_MODE_SYSTEM)
	267	*/
	268	sec_label_mode_t (get_label_mode)(child_cfg_t this);
	269
63d4bd07 TB	270	/**
	271	* Select a security label from the given list that matches the configured
	272	* label.
	273	*
	274	* This fails under the following conditions:
	275	* - a label is configured but no labels are provided
	276	* - no label is configured but at least one label is provided
	277	* - the configured and provided labels don't match
	278	*
	279	* If no label is configured and none are provided, that's considered a
	280	* success and label will be set to NULL.
	281	*
	282	* @param labels list of labels to match
	283	* @param log FALSE to avoid logging details about the selection
8eaddbb8 TB	284	* @param[out] label selected label or NULL if no label necessary
8eaddbb8 TB	285	* @param[out] exact TRUE if there was an exact match
63d4bd07 TB	286	* @return FALSE on failure
	287	*/
	288	bool (select_label)(child_cfg_t this, linked_list_t *labels, bool log,
	289	sec_label_t *label, bool exact);
	290
37788b1d MW	291	/**
	292	* Get the TFC padding value to use for CHILD_SA.
	293	*
	294	* @return TFC padding, 0 to disable, -1 for MTU
	295	*/
b12c53ce	296	uint32_t (get_tfc)(child_cfg_t this);
37788b1d	297
7f57c4f9 AS	298	/**
	299	* Get optional manually-set IPsec policy priority
	300	*
	301	* @return manually-set IPsec policy priority (automatic if 0)
	302	*/
	303	uint32_t (get_manual_prio)(child_cfg_t this);
	304
c26e4330 AS	305	/**
	306	* Get optional network interface restricting IPsec policy
	307	*
	308	* @return network interface)
	309	*/
	310	char* (get_interface)(child_cfg_t this);
	311
bdcaa5e6 MW	312	/**
	313	* Get anti-replay window size
	314	*
	315	* @return anti-replay window size
	316	*/
b12c53ce	317	uint32_t (get_replay_window)(child_cfg_t this);
bdcaa5e6 MW	318
	319	/**
	320	* Set anti-replay window size
	321	*
749ac175	322	* @param window anti-replay window size
bdcaa5e6	323	*/
b12c53ce	324	void (set_replay_window)(child_cfg_t this, uint32_t window);
bdcaa5e6	325
91db979c	326	/**
749ac175	327	* Check if an option flag is set.
c98e48cf	328	*
749ac175 TB	329	* @param option option flag to check
749ac175 TB	330	* @return TRUE if option flag set, FALSE otherwise
c98e48cf	331	*/
749ac175	332	bool (has_option)(child_cfg_t this, child_cfg_option_t option);
c98e48cf	333
3af23606 TB	334	/**
	335	* Check if two child_cfg objects are equal.
	336	*
	337	* @param other candidate to check for equality against this
	338	* @return TRUE if equal
	339	*/
	340	bool (equals)(child_cfg_t this, child_cfg_t *other);
	341
e0fe7651	342	/**
ff683671	343	* Increase the reference count.
e0fe7651	344	*
ff683671	345	* @return reference to this
e0fe7651	346	*/
ff683671	347	child_cfg_t* (get_ref) (child_cfg_t this);
7daf5226	348
e0fe7651	349	/**
552cc11b	350	* Destroys the child_cfg object.
e0fe7651 MW	351	*
	352	* Decrements the internal reference counter and
	353	* destroys the child_cfg when it reaches zero.
e0fe7651 MW	354	*/
	355	void (destroy) (child_cfg_t this);
	356	};
	357
749ac175 TB	358	/**
	359	* Option flags that may be set on a child_cfg_t object
	360	*/
	361	enum child_cfg_option_t {
	362
	363	/** Use IPsec transport proxy mode */
	364	OPT_PROXY_MODE = (1<<0),
	365
	366	/** Use IPComp, if peer supports it */
	367	OPT_IPCOMP = (1<<1),
	368
	369	/** Allow access to the local host */
	370	OPT_HOSTACCESS = (1<<2),
	371
	372	/** Don't install any IPsec policies */
	373	OPT_NO_POLICIES = (1<<3),
	374
	375	/** Install outbound FWD IPsec policies to bypass drop policies */
	376	OPT_FWD_OUT_POLICIES = (1<<4),
4a175830	377
7637633b	378	/** Force 96-bit truncation for SHA-256 */
8ced1570	379	OPT_SHA256_96 = (1<<5),
ea43f8ff TB	380
ea43f8ff TB	381	/** Set mark on inbound SAs */
8ced1570	382	OPT_MARK_IN_SA = (1<<6),
dc8b015d TB	383
	384	/** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
	385	OPT_NO_COPY_DF = (1<<7),
	386
	387	/** Disable copying the ECN header field in tunnel mode */
	388	OPT_NO_COPY_ECN = (1<<8),
09caacd5 TB	389
	390	/** Enable per-CPU CHILD_SAs */
	391	OPT_PER_CPU_SAS = (1<<9),
38eb8787 TB	392
	393	/** Enable UDP encapsulation for per-CPU CHILD_SAs */
	394	OPT_PER_CPU_SAS_ENCAP = (1<<10),
749ac175	395	};
8a00a845 TB	396
	397	/**
	398	* Data passed to the constructor of a child_cfg_t object.
	399	*/
	400	struct child_cfg_create_t {
749ac175 TB	401	/** Options set for CHILD_SA */
749ac175 TB	402	child_cfg_option_t options;
8a00a845 TB	403	/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
8a00a845 TB	404	uint32_t reqid;
72c96dbf TB	405	/** Optional inbound interface ID */
	406	uint32_t if_id_in;
	407	/** Optional outbound interface ID */
	408	uint32_t if_id_out;
8a00a845 TB	409	/** Optional inbound mark */
	410	mark_t mark_in;
	411	/** Optional outbound mark */
	412	mark_t mark_out;
fa4d4012 TB	413	/** Optional inbound mark the SA should apply to traffic */
	414	mark_t set_mark_in;
	415	/** Optional outbound mark the SA should apply to traffic */
	416	mark_t set_mark_out;
ef72ac88 TB	417	/** Optional security label configured on policies (cloned) */
	418	sec_label_t *label;
	419	/** Optional security label mode */
	420	sec_label_mode_t label_mode;
8a00a845 TB	421	/** Mode to propose for CHILD_SA */
8a00a845 TB	422	ipsec_mode_t mode;
8a00a845 TB	423	/** TFC padding size, 0 to disable, -1 to pad to PMTU */
8a00a845 TB	424	uint32_t tfc;
7f57c4f9 AS	425	/** Optional manually-set IPsec policy priority */
7f57c4f9 AS	426	uint32_t priority;
c26e4330 AS	427	/** Optional network interface restricting IPsec policy (cloned) */
c26e4330 AS	428	char *interface;
8a00a845 TB	429	/** lifetime_cfg_t for this child_cfg */
	430	lifetime_cfg_t lifetime;
	431	/** Inactivity timeout in s before closing a CHILD_SA */
	432	uint32_t inactivity;
	433	/** Start action */
	434	action_t start_action;
	435	/** DPD action */
	436	action_t dpd_action;
	437	/** Close action */
	438	action_t close_action;
	439	/** updown script to execute on up/down event (cloned) */
	440	char *updown;
8ced1570 AN	441	/** HW offload mode */
8ced1570 AN	442	hw_offload_t hw_offload;
c993eaf9 TB	443	/** How to handle the DS header field in tunnel mode */
c993eaf9 TB	444	dscp_copy_t copy_dscp;
8a00a845 TB	445	};
8a00a845 TB	446
e0fe7651	447	/**
552cc11b	448	* Create a configuration template for CHILD_SA setup.
7daf5226	449	*
e0fe7651	450	* After a call to create, a reference is obtained (refcount = 1).
7daf5226	451	*
8a00a845 TB	452	* @param name name of the child_cfg (cloned)
8a00a845 TB	453	* @param data data for this child_cfg
277fcf9f	454	* @return child_cfg_t object
e0fe7651	455	*/
8a00a845	456	child_cfg_t child_cfg_create(char name, child_cfg_create_t *data);
e0fe7651	457
1490ff4d	458	#endif /** CHILD_CFG_H_ @}*/