]>
Commit | Line | Data |
---|---|---|
3ebebc5e | 1 | /* |
888af963 | 2 | * Copyright (C) 2006-2009 Tobias Brunner |
d4aad554 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
c71d53ba MW |
4 | * Copyright (C) 2005-2006 Martin Willi |
5 | * Copyright (C) 2005 Jan Hutter | |
3ebebc5e MW |
6 | * Hochschule fuer Technik Rapperswil |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
552cc11b MW |
17 | */ |
18 | ||
19 | /** | |
20 | * @defgroup kernel_interface kernel_interface | |
21 | * @{ @ingroup kernel | |
3ebebc5e MW |
22 | */ |
23 | ||
24 | #ifndef KERNEL_INTERFACE_H_ | |
25 | #define KERNEL_INTERFACE_H_ | |
26 | ||
382b4817 MW |
27 | typedef struct kernel_interface_t kernel_interface_t; |
28 | ||
68621281 | 29 | #include <utils/host.h> |
5c131a01 | 30 | #include <crypto/prf_plus.h> |
ba425b87 | 31 | #include <encoding/payloads/proposal_substructure.h> |
3ebebc5e | 32 | |
507f26f6 TB |
33 | #include <kernel/kernel_ipsec.h> |
34 | #include <kernel/kernel_net.h> | |
92ee45a0 | 35 | |
92ee45a0 | 36 | /** |
507f26f6 | 37 | * Constructor function for ipsec kernel interface |
92ee45a0 | 38 | */ |
507f26f6 TB |
39 | typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void); |
40 | ||
41 | /** | |
42 | * Constructor function for network kernel interface | |
43 | */ | |
44 | typedef kernel_net_t* (*kernel_net_constructor_t)(void); | |
1396815a | 45 | |
3ebebc5e | 46 | /** |
507f26f6 | 47 | * Manager and wrapper for different kernel interfaces. |
7daf5226 | 48 | * |
aa5a35a0 | 49 | * The kernel interface handles the communication with the kernel |
507f26f6 | 50 | * for SA and policy management and interface and IP address management. |
3ebebc5e MW |
51 | */ |
52 | struct kernel_interface_t { | |
53 | ||
3febcf15 | 54 | /** |
552cc11b | 55 | * Get a SPI from the kernel. |
1396815a | 56 | * |
aa5a35a0 MW |
57 | * @param src source address of SA |
58 | * @param dst destination address of SA | |
59 | * @param protocol protocol for SA (ESP/AH) | |
60 | * @param reqid unique ID for this SA | |
552cc11b MW |
61 | * @param spi allocated spi |
62 | * @return SUCCESS if operation completed | |
3febcf15 | 63 | */ |
7daf5226 | 64 | status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, |
aeeb4f4f | 65 | protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); |
7daf5226 | 66 | |
d4aad554 TB |
67 | /** |
68 | * Get a Compression Parameter Index (CPI) from the kernel. | |
7daf5226 | 69 | * |
d4aad554 TB |
70 | * @param src source address of SA |
71 | * @param dst destination address of SA | |
72 | * @param reqid unique ID for the corresponding SA | |
73 | * @param cpi allocated cpi | |
74 | * @return SUCCESS if operation completed | |
75 | */ | |
7daf5226 | 76 | status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, |
d4aad554 | 77 | u_int32_t reqid, u_int16_t *cpi); |
7daf5226 | 78 | |
3febcf15 | 79 | /** |
552cc11b | 80 | * Add an SA to the SAD. |
888af963 | 81 | * |
aa5a35a0 MW |
82 | * add_sa() may update an already allocated |
83 | * SPI (via get_spi). In this case, the replace | |
32b6500f | 84 | * flag must be set. |
aa5a35a0 | 85 | * This function does install a single SA for a |
888af963 TB |
86 | * single protocol in one direction. |
87 | * | |
32b6500f MW |
88 | * @param src source address for this SA |
89 | * @param dst destination address for this SA | |
90 | * @param spi SPI allocated by us or remote peer | |
91 | * @param protocol protocol for this SA (ESP/AH) | |
92 | * @param reqid unique ID for this SA | |
ee26c537 | 93 | * @param mark optional mark for this SA |
888af963 | 94 | * @param lifetime lifetime_cfg_t for this SA |
32b6500f | 95 | * @param enc_alg Algorithm to use for encryption (ESP only) |
e517b4b1 | 96 | * @param enc_key key to use for encryption |
32b6500f | 97 | * @param int_alg Algorithm to use for integrity protection |
e517b4b1 | 98 | * @param int_key key to use for integrity protection |
7652be89 | 99 | * @param mode mode of the SA (tunnel, transport) |
d4aad554 | 100 | * @param ipcomp IPComp transform to use |
ea625fab | 101 | * @param cpi CPI for IPComp |
fc2d1c42 | 102 | * @param encap enable UDP encapsulation for NAT traversal |
ea625fab | 103 | * @param inbound TRUE if this is an inbound SA |
6ec949e0 MW |
104 | * @param src_ts traffic selector with BEET source address |
105 | * @param dst_ts traffic selector with BEET destination address | |
552cc11b | 106 | * @return SUCCESS if operation completed |
3febcf15 | 107 | */ |
aeeb4f4f MW |
108 | status_t (*add_sa) (kernel_interface_t *this, |
109 | host_t *src, host_t *dst, u_int32_t spi, | |
ee26c537 | 110 | protocol_id_t protocol, u_int32_t reqid, mark_t mark, |
888af963 TB |
111 | lifetime_cfg_t *lifetime, |
112 | u_int16_t enc_alg, chunk_t enc_key, | |
113 | u_int16_t int_alg, chunk_t int_key, | |
ea625fab | 114 | ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, |
6ec949e0 MW |
115 | bool encap, bool inbound, |
116 | traffic_selector_t *src_ts, traffic_selector_t *dst_ts); | |
7daf5226 | 117 | |
1396815a | 118 | /** |
552cc11b | 119 | * Update the hosts on an installed SA. |
1396815a | 120 | * |
92ee45a0 MW |
121 | * We cannot directly update the destination address as the kernel |
122 | * requires the spi, the protocol AND the destination address (and family) | |
123 | * to identify SAs. Therefore if the destination address changed we | |
124 | * create a new SA and delete the old one. | |
1396815a | 125 | * |
92ee45a0 MW |
126 | * @param spi SPI of the SA |
127 | * @param protocol protocol for this SA (ESP/AH) | |
ea625fab | 128 | * @param cpi CPI for IPComp, 0 if no IPComp is used |
2b3100b5 MW |
129 | * @param src current source address |
130 | * @param dst current destination address | |
131 | * @param new_src new source address | |
132 | * @param new_dst new destination address | |
ea625fab TB |
133 | * @param encap current use of UDP encapsulation |
134 | * @param new_encap new use of UDP encapsulation | |
ee26c537 | 135 | * @param mark optional mark for this SA |
ea625fab | 136 | * @return SUCCESS if operation completed, NOT_SUPPORTED if |
323f9f99 | 137 | * the kernel interface can't update the SA |
1396815a | 138 | */ |
2b3100b5 | 139 | status_t (*update_sa)(kernel_interface_t *this, |
ea625fab | 140 | u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, |
7daf5226 | 141 | host_t *src, host_t *dst, |
ea625fab | 142 | host_t *new_src, host_t *new_dst, |
ee26c537 | 143 | bool encap, bool new_encap, mark_t mark); |
7daf5226 | 144 | |
2ad51539 AS |
145 | /** |
146 | * Query the number of bytes processed by an SA from the SAD. | |
7daf5226 | 147 | * |
2ad51539 AS |
148 | * @param src source address for this SA |
149 | * @param dst destination address for this SA | |
150 | * @param spi SPI allocated by us or remote peer | |
151 | * @param protocol protocol for this SA (ESP/AH) | |
ee26c537 | 152 | * @param mark optional mark for this SA |
2ad51539 AS |
153 | * @param[out] bytes the number of bytes processed by SA |
154 | * @return SUCCESS if operation completed | |
155 | */ | |
156 | status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, | |
ee26c537 AS |
157 | u_int32_t spi, protocol_id_t protocol, mark_t mark, |
158 | u_int64_t *bytes); | |
7daf5226 | 159 | |
aa5a35a0 | 160 | /** |
507f26f6 | 161 | * Delete a previously installed SA from the SAD. |
7daf5226 | 162 | * |
d24a74c5 | 163 | * @param src source address for this SA |
aeeb4f4f MW |
164 | * @param dst destination address for this SA |
165 | * @param spi SPI allocated by us or remote peer | |
166 | * @param protocol protocol for this SA (ESP/AH) | |
ea625fab | 167 | * @param cpi CPI for IPComp or 0 |
ee26c537 | 168 | * @param mark optional mark for this SA |
552cc11b | 169 | * @return SUCCESS if operation completed |
aa5a35a0 | 170 | */ |
d24a74c5 | 171 | status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, |
ee26c537 AS |
172 | u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, |
173 | mark_t mark); | |
7daf5226 | 174 | |
aa5a35a0 | 175 | /** |
552cc11b | 176 | * Add a policy to the SPD. |
7daf5226 | 177 | * |
92ee45a0 MW |
178 | * A policy is always associated to an SA. Traffic which matches a |
179 | * policy is handled by the SA with the same reqid. | |
7daf5226 | 180 | * |
92ee45a0 MW |
181 | * @param src source address of SA |
182 | * @param dst dest address of SA | |
183 | * @param src_ts traffic selector to match traffic source | |
184 | * @param dst_ts traffic selector to match traffic dest | |
185 | * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD | |
ea625fab | 186 | * @param spi SPI of SA |
b543bef5 | 187 | * @param protocol protocol to use to protect traffic (AH/ESP) |
507f26f6 | 188 | * @param reqid unique ID of an SA to use to enforce policy |
ee26c537 | 189 | * @param mark mark for this policy |
7652be89 | 190 | * @param mode mode of SA (tunnel, transport) |
d4aad554 | 191 | * @param ipcomp the IPComp transform used |
ea625fab TB |
192 | * @param cpi CPI for IPComp |
193 | * @param routed TRUE, if this policy is routed in the kernel | |
552cc11b | 194 | * @return SUCCESS if operation completed |
aa5a35a0 | 195 | */ |
92ee45a0 | 196 | status_t (*add_policy) (kernel_interface_t *this, |
aeeb4f4f | 197 | host_t *src, host_t *dst, |
92ee45a0 MW |
198 | traffic_selector_t *src_ts, |
199 | traffic_selector_t *dst_ts, | |
ea625fab TB |
200 | policy_dir_t direction, u_int32_t spi, |
201 | protocol_id_t protocol, u_int32_t reqid, | |
ee26c537 AS |
202 | mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, |
203 | u_int16_t cpi, bool routed); | |
7daf5226 | 204 | |
92ee45a0 | 205 | /** |
552cc11b | 206 | * Query the use time of a policy. |
92ee45a0 MW |
207 | * |
208 | * The use time of a policy is the time the policy was used | |
209 | * for the last time. | |
7daf5226 | 210 | * |
92ee45a0 MW |
211 | * @param src_ts traffic selector to match traffic source |
212 | * @param dst_ts traffic selector to match traffic dest | |
213 | * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD | |
ee26c537 | 214 | * @param mark optional mark |
92ee45a0 | 215 | * @param[out] use_time the time of this SA's last use |
552cc11b | 216 | * @return SUCCESS if operation completed |
92ee45a0 MW |
217 | */ |
218 | status_t (*query_policy) (kernel_interface_t *this, | |
7daf5226 | 219 | traffic_selector_t *src_ts, |
92ee45a0 | 220 | traffic_selector_t *dst_ts, |
ee26c537 AS |
221 | policy_dir_t direction, mark_t mark, |
222 | u_int32_t *use_time); | |
7daf5226 | 223 | |
aa5a35a0 | 224 | /** |
552cc11b | 225 | * Remove a policy from the SPD. |
aeeb4f4f | 226 | * |
92ee45a0 MW |
227 | * The kernel interface implements reference counting for policies. |
228 | * If the same policy is installed multiple times (in the case of rekeying), | |
229 | * the reference counter is increased. del_policy() decreases the ref counter | |
230 | * and removes the policy only when no more references are available. | |
231 | * | |
92ee45a0 MW |
232 | * @param src_ts traffic selector to match traffic source |
233 | * @param dst_ts traffic selector to match traffic dest | |
234 | * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD | |
ee26c537 | 235 | * @param mark optional mark |
ea625fab | 236 | * @param unrouted TRUE, if this policy is unrouted from the kernel |
552cc11b | 237 | * @return SUCCESS if operation completed |
aa5a35a0 | 238 | */ |
aeeb4f4f | 239 | status_t (*del_policy) (kernel_interface_t *this, |
7daf5226 | 240 | traffic_selector_t *src_ts, |
92ee45a0 | 241 | traffic_selector_t *dst_ts, |
ee26c537 | 242 | policy_dir_t direction, mark_t mark, |
ea625fab | 243 | bool unrouted); |
7daf5226 | 244 | |
7068410b | 245 | /** |
552cc11b | 246 | * Get our outgoing source address for a destination. |
7068410b MW |
247 | * |
248 | * Does a route lookup to get the source address used to reach dest. | |
249 | * The returned host is allocated and must be destroyed. | |
ce5b1708 MW |
250 | * An optional src address can be used to check if a route is available |
251 | * for given source to dest. | |
7068410b | 252 | * |
7068410b | 253 | * @param dest target destination address |
ce5b1708 | 254 | * @param src source address to check, or NULL |
7068410b MW |
255 | * @return outgoing source address, NULL if unreachable |
256 | */ | |
ce5b1708 MW |
257 | host_t* (*get_source_addr)(kernel_interface_t *this, |
258 | host_t *dest, host_t *src); | |
7daf5226 | 259 | |
507f26f6 TB |
260 | /** |
261 | * Get the next hop for a destination. | |
262 | * | |
263 | * Does a route lookup to get the next hop used to reach dest. | |
264 | * The returned host is allocated and must be destroyed. | |
265 | * | |
266 | * @param dest target destination address | |
267 | * @return next hop address, NULL if unreachable | |
268 | */ | |
269 | host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest); | |
7daf5226 | 270 | |
373b8a60 | 271 | /** |
552cc11b | 272 | * Get the interface name of a local address. |
373b8a60 | 273 | * |
373b8a60 MW |
274 | * @param host address to get interface name from |
275 | * @return allocated interface name, or NULL if not found | |
276 | */ | |
277 | char* (*get_interface) (kernel_interface_t *this, host_t *host); | |
7daf5226 | 278 | |
373b8a60 | 279 | /** |
507f26f6 | 280 | * Creates an enumerator over all local addresses. |
7daf5226 | 281 | * |
02b3ec0a | 282 | * This function blocks an internal cached address list until the |
507f26f6 TB |
283 | * enumerator gets destroyed. |
284 | * The hosts are read-only, do not modify of free. | |
7daf5226 | 285 | * |
507f26f6 TB |
286 | * @param include_down_ifaces TRUE to enumerate addresses from down interfaces |
287 | * @param include_virtual_ips TRUE to enumerate virtual ip addresses | |
288 | * @return enumerator over host_t's | |
373b8a60 | 289 | */ |
507f26f6 TB |
290 | enumerator_t *(*create_address_enumerator) (kernel_interface_t *this, |
291 | bool include_down_ifaces, bool include_virtual_ips); | |
7daf5226 | 292 | |
c60c7694 | 293 | /** |
552cc11b | 294 | * Add a virtual IP to an interface. |
c60c7694 MW |
295 | * |
296 | * Virtual IPs are attached to an interface. If an IP is added multiple | |
297 | * times, the IP is refcounted and not removed until del_ip() was called | |
298 | * as many times as add_ip(). | |
373b8a60 | 299 | * The virtual IP is attached to the interface where the iface_ip is found. |
c60c7694 | 300 | * |
c60c7694 | 301 | * @param virtual_ip virtual ip address to assign |
373b8a60 | 302 | * @param iface_ip IP of an interface to attach virtual IP |
552cc11b | 303 | * @return SUCCESS if operation completed |
c60c7694 MW |
304 | */ |
305 | status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, | |
373b8a60 | 306 | host_t *iface_ip); |
7daf5226 | 307 | |
c60c7694 | 308 | /** |
552cc11b | 309 | * Remove a virtual IP from an interface. |
c60c7694 MW |
310 | * |
311 | * The kernel interface uses refcounting, see add_ip(). | |
312 | * | |
c60c7694 | 313 | * @param virtual_ip virtual ip address to assign |
552cc11b | 314 | * @return SUCCESS if operation completed |
c60c7694 | 315 | */ |
17d92e97 | 316 | status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip); |
7daf5226 | 317 | |
3ebebc5e | 318 | /** |
507f26f6 | 319 | * Add a route. |
7daf5226 | 320 | * |
507f26f6 TB |
321 | * @param dst_net destination net |
322 | * @param prefixlen destination net prefix length | |
323 | * @param gateway gateway for this route | |
324 | * @param src_ip sourc ip of the route | |
325 | * @param if_name name of the interface the route is bound to | |
326 | * @return SUCCESS if operation completed | |
327 | * ALREADY_DONE if the route already exists | |
328 | */ | |
329 | status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen, | |
330 | host_t *gateway, host_t *src_ip, char *if_name); | |
7daf5226 | 331 | |
507f26f6 TB |
332 | /** |
333 | * Delete a route. | |
7daf5226 | 334 | * |
507f26f6 TB |
335 | * @param dst_net destination net |
336 | * @param prefixlen destination net prefix length | |
337 | * @param gateway gateway for this route | |
338 | * @param src_ip sourc ip of the route | |
339 | * @param if_name name of the interface the route is bound to | |
340 | * @return SUCCESS if operation completed | |
341 | */ | |
342 | status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen, | |
343 | host_t *gateway, host_t *src_ip, char *if_name); | |
7daf5226 | 344 | |
54f81859 MW |
345 | /** |
346 | * Set up a bypass policy for a given socket. | |
347 | * | |
348 | * @param fd socket file descriptor to setup policy for | |
349 | * @param family protocol family of the socket | |
350 | * @return TRUE of policy set up successfully | |
351 | */ | |
352 | bool (*bypass_socket)(kernel_interface_t *this, int fd, int family); | |
353 | ||
507f26f6 TB |
354 | /** |
355 | * manager methods | |
356 | */ | |
7daf5226 | 357 | |
1adaa02b TB |
358 | /** |
359 | * Tries to find an ip address of a local interface that is included in the | |
360 | * supplied traffic selector. | |
7daf5226 | 361 | * |
1adaa02b TB |
362 | * @param ts traffic selector |
363 | * @param ip returned ip (has to be destroyed) | |
364 | * @return SUCCESS if address found | |
365 | */ | |
366 | status_t (*get_address_by_ts) (kernel_interface_t *this, | |
367 | traffic_selector_t *ts, host_t **ip); | |
7daf5226 | 368 | |
507f26f6 TB |
369 | /** |
370 | * Register an ipsec kernel interface constructor on the manager. | |
371 | * | |
372 | * @param create constructor to register | |
373 | */ | |
374 | void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); | |
7daf5226 | 375 | |
507f26f6 TB |
376 | /** |
377 | * Unregister an ipsec kernel interface constructor. | |
378 | * | |
379 | * @param create constructor to unregister | |
380 | */ | |
381 | void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); | |
7daf5226 | 382 | |
507f26f6 TB |
383 | /** |
384 | * Register a network kernel interface constructor on the manager. | |
385 | * | |
386 | * @param create constructor to register | |
387 | */ | |
388 | void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); | |
7daf5226 | 389 | |
507f26f6 TB |
390 | /** |
391 | * Unregister a network kernel interface constructor. | |
392 | * | |
393 | * @param create constructor to unregister | |
394 | */ | |
395 | void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); | |
7daf5226 | 396 | |
507f26f6 TB |
397 | /** |
398 | * Destroys a kernel_interface_manager_t object. | |
3ebebc5e | 399 | */ |
507f26f6 | 400 | void (*destroy) (kernel_interface_t *this); |
3ebebc5e MW |
401 | }; |
402 | ||
403 | /** | |
552cc11b | 404 | * Creates an object of type kernel_interface_t. |
3ebebc5e | 405 | */ |
f768bdc3 | 406 | kernel_interface_t *kernel_interface_create(void); |
3ebebc5e | 407 | |
1490ff4d | 408 | #endif /** KERNEL_INTERFACE_H_ @}*/ |