]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libcharon/kernel/kernel_interface.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
support of xfrm marks for IKEv2
[thirdparty/strongswan.git] / src / libcharon / kernel / kernel_interface.h
CommitLineData
3ebebc5e 1/*
888af963 2 * Copyright (C) 2006-2009 Tobias Brunner
d4aad554 3 * Copyright (C) 2006 Daniel Roethlisberger
c71d53ba
MW		 4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
3ebebc5e
MW		 6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
552cc11b
MW		 17 */
18
19/**
20 * @defgroup kernel_interface kernel_interface
21 * @{ @ingroup kernel
3ebebc5e
MW		 22 */
23
24#ifndef KERNEL_INTERFACE_H_
25#define KERNEL_INTERFACE_H_
26
382b4817
MW		 27typedef struct kernel_interface_t kernel_interface_t;
28
68621281 29#include <utils/host.h>
5c131a01 30#include <crypto/prf_plus.h>
ba425b87 31#include <encoding/payloads/proposal_substructure.h>
3ebebc5e 32
507f26f6
TB		 33#include <kernel/kernel_ipsec.h>
34#include <kernel/kernel_net.h>
92ee45a0 35
92ee45a0 36/**
507f26f6 37 * Constructor function for ipsec kernel interface
92ee45a0 38 */
507f26f6
TB		 39typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
40
41/**
42 * Constructor function for network kernel interface
43 */
44typedef kernel_net_t* (*kernel_net_constructor_t)(void);
1396815a 45
3ebebc5e 46/**
507f26f6 47 * Manager and wrapper for different kernel interfaces.
7daf5226 48 *
aa5a35a0 49 * The kernel interface handles the communication with the kernel
507f26f6 50 * for SA and policy management and interface and IP address management.
3ebebc5e
MW		 51 */
52struct kernel_interface_t {
53
3febcf15 54 /**
552cc11b 55 * Get a SPI from the kernel.
1396815a 56 *
aa5a35a0
MW		 57 * @param src source address of SA
58 * @param dst destination address of SA
59 * @param protocol protocol for SA (ESP/AH)
60 * @param reqid unique ID for this SA
552cc11b
MW		 61 * @param spi allocated spi
62 * @return SUCCESS if operation completed
3febcf15 63 */
7daf5226 64 status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
aeeb4f4f 65 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
7daf5226 66
d4aad554
TB		 67 /**
68 * Get a Compression Parameter Index (CPI) from the kernel.
7daf5226 69 *
d4aad554
TB		 70 * @param src source address of SA
71 * @param dst destination address of SA
72 * @param reqid unique ID for the corresponding SA
73 * @param cpi allocated cpi
74 * @return SUCCESS if operation completed
75 */
7daf5226 76 status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
d4aad554 77 u_int32_t reqid, u_int16_t *cpi);
7daf5226 78
3febcf15 79 /**
552cc11b 80 * Add an SA to the SAD.
888af963 81 *
aa5a35a0
MW		 82 * add_sa() may update an already allocated
83 * SPI (via get_spi). In this case, the replace
32b6500f 84 * flag must be set.
aa5a35a0 85 * This function does install a single SA for a
888af963
TB		 86 * single protocol in one direction.
87 *
32b6500f
MW		 88 * @param src source address for this SA
89 * @param dst destination address for this SA
90 * @param spi SPI allocated by us or remote peer
91 * @param protocol protocol for this SA (ESP/AH)
92 * @param reqid unique ID for this SA
ee26c537 93 * @param mark optional mark for this SA
888af963 94 * @param lifetime lifetime_cfg_t for this SA
32b6500f 95 * @param enc_alg Algorithm to use for encryption (ESP only)
e517b4b1 96 * @param enc_key key to use for encryption
32b6500f 97 * @param int_alg Algorithm to use for integrity protection
e517b4b1 98 * @param int_key key to use for integrity protection
7652be89 99 * @param mode mode of the SA (tunnel, transport)
d4aad554 100 * @param ipcomp IPComp transform to use
ea625fab 101 * @param cpi CPI for IPComp
fc2d1c42 102 * @param encap enable UDP encapsulation for NAT traversal
ea625fab 103 * @param inbound TRUE if this is an inbound SA
6ec949e0
MW		 104 * @param src_ts traffic selector with BEET source address
105 * @param dst_ts traffic selector with BEET destination address
552cc11b 106 * @return SUCCESS if operation completed
3febcf15 107 */
aeeb4f4f
MW		 108 status_t (*add_sa) (kernel_interface_t *this,
109 host_t *src, host_t *dst, u_int32_t spi,
ee26c537 110 protocol_id_t protocol, u_int32_t reqid, mark_t mark,
888af963
TB		 111 lifetime_cfg_t *lifetime,
112 u_int16_t enc_alg, chunk_t enc_key,
113 u_int16_t int_alg, chunk_t int_key,
ea625fab 114 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
6ec949e0
MW		 115 bool encap, bool inbound,
116 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
7daf5226 117
1396815a 118 /**
552cc11b 119 * Update the hosts on an installed SA.
1396815a 120 *
92ee45a0
MW		 121 * We cannot directly update the destination address as the kernel
122 * requires the spi, the protocol AND the destination address (and family)
123 * to identify SAs. Therefore if the destination address changed we
124 * create a new SA and delete the old one.
1396815a 125 *
92ee45a0
MW		 126 * @param spi SPI of the SA
127 * @param protocol protocol for this SA (ESP/AH)
ea625fab 128 * @param cpi CPI for IPComp, 0 if no IPComp is used
2b3100b5
MW		 129 * @param src current source address
130 * @param dst current destination address
131 * @param new_src new source address
132 * @param new_dst new destination address
ea625fab
TB		 133 * @param encap current use of UDP encapsulation
134 * @param new_encap new use of UDP encapsulation
ee26c537 135 * @param mark optional mark for this SA
ea625fab 136 * @return SUCCESS if operation completed, NOT_SUPPORTED if
323f9f99 137 * the kernel interface can't update the SA
1396815a 138 */
2b3100b5 139 status_t (*update_sa)(kernel_interface_t *this,
ea625fab 140 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
7daf5226 141 host_t *src, host_t *dst,
ea625fab 142 host_t *new_src, host_t *new_dst,
ee26c537 143 bool encap, bool new_encap, mark_t mark);
7daf5226 144
2ad51539
AS		 145 /**
146 * Query the number of bytes processed by an SA from the SAD.
7daf5226 147 *
2ad51539
AS		 148 * @param src source address for this SA
149 * @param dst destination address for this SA
150 * @param spi SPI allocated by us or remote peer
151 * @param protocol protocol for this SA (ESP/AH)
ee26c537 152 * @param mark optional mark for this SA
2ad51539
AS		 153 * @param[out] bytes the number of bytes processed by SA
154 * @return SUCCESS if operation completed
155 */
156 status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
ee26c537
AS		 157 u_int32_t spi, protocol_id_t protocol, mark_t mark,
158 u_int64_t *bytes);
7daf5226 159
aa5a35a0 160 /**
507f26f6 161 * Delete a previously installed SA from the SAD.
7daf5226 162 *
d24a74c5 163 * @param src source address for this SA
aeeb4f4f
MW		 164 * @param dst destination address for this SA
165 * @param spi SPI allocated by us or remote peer
166 * @param protocol protocol for this SA (ESP/AH)
ea625fab 167 * @param cpi CPI for IPComp or 0
ee26c537 168 * @param mark optional mark for this SA
552cc11b 169 * @return SUCCESS if operation completed
aa5a35a0 170 */
d24a74c5 171 status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
ee26c537
AS		 172 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
173 mark_t mark);
7daf5226 174
aa5a35a0 175 /**
552cc11b 176 * Add a policy to the SPD.
7daf5226 177 *
92ee45a0
MW		 178 * A policy is always associated to an SA. Traffic which matches a
179 * policy is handled by the SA with the same reqid.
7daf5226 180 *
92ee45a0
MW		 181 * @param src source address of SA
182 * @param dst dest address of SA
183 * @param src_ts traffic selector to match traffic source
184 * @param dst_ts traffic selector to match traffic dest
185 * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
ea625fab 186 * @param spi SPI of SA
b543bef5 187 * @param protocol protocol to use to protect traffic (AH/ESP)
507f26f6 188 * @param reqid unique ID of an SA to use to enforce policy
ee26c537 189 * @param mark mark for this policy
7652be89 190 * @param mode mode of SA (tunnel, transport)
d4aad554 191 * @param ipcomp the IPComp transform used
ea625fab
TB		 192 * @param cpi CPI for IPComp
193 * @param routed TRUE, if this policy is routed in the kernel
552cc11b 194 * @return SUCCESS if operation completed
aa5a35a0 195 */
92ee45a0 196 status_t (*add_policy) (kernel_interface_t *this,
aeeb4f4f 197 host_t *src, host_t *dst,
92ee45a0
MW		 198 traffic_selector_t *src_ts,
199 traffic_selector_t *dst_ts,
ea625fab
TB		 200 policy_dir_t direction, u_int32_t spi,
201 protocol_id_t protocol, u_int32_t reqid,
ee26c537
AS		 202 mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
203 u_int16_t cpi, bool routed);
7daf5226 204
92ee45a0 205 /**
552cc11b 206 * Query the use time of a policy.
92ee45a0
MW		 207 *
208 * The use time of a policy is the time the policy was used
209 * for the last time.
7daf5226 210 *
92ee45a0
MW		 211 * @param src_ts traffic selector to match traffic source
212 * @param dst_ts traffic selector to match traffic dest
213 * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
ee26c537 214 * @param mark optional mark
92ee45a0 215 * @param[out] use_time the time of this SA's last use
552cc11b 216 * @return SUCCESS if operation completed
92ee45a0
MW		 217 */
218 status_t (*query_policy) (kernel_interface_t *this,
7daf5226 219 traffic_selector_t *src_ts,
92ee45a0 220 traffic_selector_t *dst_ts,
ee26c537
AS		 221 policy_dir_t direction, mark_t mark,
222 u_int32_t *use_time);
7daf5226 223
aa5a35a0 224 /**
552cc11b 225 * Remove a policy from the SPD.
aeeb4f4f 226 *
92ee45a0
MW		 227 * The kernel interface implements reference counting for policies.
228 * If the same policy is installed multiple times (in the case of rekeying),
229 * the reference counter is increased. del_policy() decreases the ref counter
230 * and removes the policy only when no more references are available.
231 *
92ee45a0
MW		 232 * @param src_ts traffic selector to match traffic source
233 * @param dst_ts traffic selector to match traffic dest
234 * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
ee26c537 235 * @param mark optional mark
ea625fab 236 * @param unrouted TRUE, if this policy is unrouted from the kernel
552cc11b 237 * @return SUCCESS if operation completed
aa5a35a0 238 */
aeeb4f4f 239 status_t (*del_policy) (kernel_interface_t *this,
7daf5226 240 traffic_selector_t *src_ts,
92ee45a0 241 traffic_selector_t *dst_ts,
ee26c537 242 policy_dir_t direction, mark_t mark,
ea625fab 243 bool unrouted);
7daf5226 244
7068410b 245 /**
552cc11b 246 * Get our outgoing source address for a destination.
7068410b
MW		 247 *
248 * Does a route lookup to get the source address used to reach dest.
249 * The returned host is allocated and must be destroyed.
ce5b1708
MW		 250 * An optional src address can be used to check if a route is available
251 * for given source to dest.
7068410b 252 *
7068410b 253 * @param dest target destination address
ce5b1708 254 * @param src source address to check, or NULL
7068410b
MW		 255 * @return outgoing source address, NULL if unreachable
256 */
ce5b1708
MW		 257 host_t* (*get_source_addr)(kernel_interface_t *this,
258 host_t *dest, host_t *src);
7daf5226 259
507f26f6
TB		 260 /**
261 * Get the next hop for a destination.
262 *
263 * Does a route lookup to get the next hop used to reach dest.
264 * The returned host is allocated and must be destroyed.
265 *
266 * @param dest target destination address
267 * @return next hop address, NULL if unreachable
268 */
269 host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
7daf5226 270
373b8a60 271 /**
552cc11b 272 * Get the interface name of a local address.
373b8a60 273 *
373b8a60
MW		 274 * @param host address to get interface name from
275 * @return allocated interface name, or NULL if not found
276 */
277 char* (*get_interface) (kernel_interface_t *this, host_t *host);
7daf5226 278
373b8a60 279 /**
507f26f6 280 * Creates an enumerator over all local addresses.
7daf5226 281 *
02b3ec0a 282 * This function blocks an internal cached address list until the
507f26f6
TB		 283 * enumerator gets destroyed.
284 * The hosts are read-only, do not modify of free.
7daf5226 285 *
507f26f6
TB		 286 * @param include_down_ifaces TRUE to enumerate addresses from down interfaces
287 * @param include_virtual_ips TRUE to enumerate virtual ip addresses
288 * @return enumerator over host_t's
373b8a60 289 */
507f26f6
TB		 290 enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
291 bool include_down_ifaces, bool include_virtual_ips);
7daf5226 292
c60c7694 293 /**
552cc11b 294 * Add a virtual IP to an interface.
c60c7694
MW		 295 *
296 * Virtual IPs are attached to an interface. If an IP is added multiple
297 * times, the IP is refcounted and not removed until del_ip() was called
298 * as many times as add_ip().
373b8a60 299 * The virtual IP is attached to the interface where the iface_ip is found.
c60c7694 300 *
c60c7694 301 * @param virtual_ip virtual ip address to assign
373b8a60 302 * @param iface_ip IP of an interface to attach virtual IP
552cc11b 303 * @return SUCCESS if operation completed
c60c7694
MW		 304 */
305 status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
373b8a60 306 host_t *iface_ip);
7daf5226 307
c60c7694 308 /**
552cc11b 309 * Remove a virtual IP from an interface.
c60c7694
MW		 310 *
311 * The kernel interface uses refcounting, see add_ip().
312 *
c60c7694 313 * @param virtual_ip virtual ip address to assign
552cc11b 314 * @return SUCCESS if operation completed
c60c7694 315 */
17d92e97 316 status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
7daf5226 317
3ebebc5e 318 /**
507f26f6 319 * Add a route.
7daf5226 320 *
507f26f6
TB		 321 * @param dst_net destination net
322 * @param prefixlen destination net prefix length
323 * @param gateway gateway for this route
324 * @param src_ip sourc ip of the route
325 * @param if_name name of the interface the route is bound to
326 * @return SUCCESS if operation completed
327 * ALREADY_DONE if the route already exists
328 */
329 status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
330 host_t *gateway, host_t *src_ip, char *if_name);
7daf5226 331
507f26f6
TB		 332 /**
333 * Delete a route.
7daf5226 334 *
507f26f6
TB		 335 * @param dst_net destination net
336 * @param prefixlen destination net prefix length
337 * @param gateway gateway for this route
338 * @param src_ip sourc ip of the route
339 * @param if_name name of the interface the route is bound to
340 * @return SUCCESS if operation completed
341 */
342 status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
343 host_t *gateway, host_t *src_ip, char *if_name);
7daf5226 344
54f81859
MW		 345 /**
346 * Set up a bypass policy for a given socket.
347 *
348 * @param fd socket file descriptor to setup policy for
349 * @param family protocol family of the socket
350 * @return TRUE of policy set up successfully
351 */
352 bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
353
507f26f6
TB		 354 /**
355 * manager methods
356 */
7daf5226 357
1adaa02b
TB		 358 /**
359 * Tries to find an ip address of a local interface that is included in the
360 * supplied traffic selector.
7daf5226 361 *
1adaa02b
TB		 362 * @param ts traffic selector
363 * @param ip returned ip (has to be destroyed)
364 * @return SUCCESS if address found
365 */
366 status_t (*get_address_by_ts) (kernel_interface_t *this,
367 traffic_selector_t *ts, host_t **ip);
7daf5226 368
507f26f6
TB		 369 /**
370 * Register an ipsec kernel interface constructor on the manager.
371 *
372 * @param create constructor to register
373 */
374 void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
7daf5226 375
507f26f6
TB		 376 /**
377 * Unregister an ipsec kernel interface constructor.
378 *
379 * @param create constructor to unregister
380 */
381 void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
7daf5226 382
507f26f6
TB		 383 /**
384 * Register a network kernel interface constructor on the manager.
385 *
386 * @param create constructor to register
387 */
388 void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
7daf5226 389
507f26f6
TB		 390 /**
391 * Unregister a network kernel interface constructor.
392 *
393 * @param create constructor to unregister
394 */
395 void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
7daf5226 396
507f26f6
TB		 397 /**
398 * Destroys a kernel_interface_manager_t object.
3ebebc5e 399 */
507f26f6 400 void (*destroy) (kernel_interface_t *this);
3ebebc5e
MW		 401};
402
403/**
552cc11b 404 * Creates an object of type kernel_interface_t.
3ebebc5e 405 */
f768bdc3 406kernel_interface_t *kernel_interface_create(void);
3ebebc5e 407
1490ff4d 408#endif /** KERNEL_INTERFACE_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.