[thirdparty/strongswan.git] / src / libcharon / kernel / kernel_ipsec.h

/*
 * Copyright (C) 2016 Andreas Steffen
 * Copyright (C) 2006-2018 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup kernel_ipsec kernel_ipsec
 * @{ @ingroup kernel
 */

#ifndef KERNEL_IPSEC_H_
#define KERNEL_IPSEC_H_

typedef struct kernel_ipsec_t kernel_ipsec_t;
typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;

#include <networking/host.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
#include <selectors/sec_label.h>
#include <plugins/plugin.h>
#include <kernel/kernel_interface.h>

/**
 * Data required to identify an SA in the kernel
 */
struct kernel_ipsec_sa_id_t {
	/** Source address */
	host_t *src;
	/** Destination address */
	host_t *dst;
	/** SPI */
	uint32_t spi;
	/** Protocol (ESP/AH) */
	uint8_t proto;
	/** Optional mark */
	mark_t mark;
	/** Optional interface ID */
	uint32_t if_id;
};

/**
 * Data required to add an SA to the kernel
 */
struct kernel_ipsec_add_sa_t {
	/** Reqid */
	uint32_t reqid;
	/** Mode (tunnel, transport...) */
	ipsec_mode_t mode;
	/** List of source traffic selectors */
	linked_list_t *src_ts;
	/** List of destination traffic selectors */
	linked_list_t *dst_ts;
	/** Network interface restricting policy */
	char *interface;
	/** Lifetime configuration */
	lifetime_cfg_t *lifetime;
	/** Encryption algorithm */
	uint16_t enc_alg;
	/** Encryption key */
	chunk_t enc_key;
	/** Integrity protection algorithm */
	uint16_t int_alg;
	/** Integrity protection key */
	chunk_t int_key;
	/** Anti-replay window size */
	uint32_t replay_window;
	/** Traffic Flow Confidentiality padding */
	uint32_t tfc;
	/** IPComp transform */
	uint16_t ipcomp;
	/** CPI for IPComp */
	uint16_t cpi;
	/** TRUE to enable UDP encapsulation for NAT traversal */
	bool encap;
	/** HW offload mode */
	hw_offload_t hw_offload;
	/** Mark the SA should apply to packets after processing */
	mark_t mark;
	/** Security label to match or apply */
	sec_label_t *label;
	/** TRUE to use Extended Sequence Numbers */
	bool esn;
	/** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
	bool copy_df;
	/** TRUE to copy the ECN header field to/from the outer header */
	bool copy_ecn;
	/** Whether to copy the DSCP header field to/from the outer header */
	dscp_copy_t copy_dscp;
	/** TRUE if initiator of the exchange creating the SA */
	bool initiator;
	/** TRUE if this is an inbound SA */
	bool inbound;
	/** TRUE if an SPI has already been allocated for this SA */
	bool update;
};

/**
 * Data required to update the hosts of an SA in the kernel
 */
struct kernel_ipsec_update_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
	/** New source address */
	host_t *new_src;
	/** New destination address */
	host_t *new_dst;
	/** TRUE if UDP encapsulation is currently enabled */
	bool encap;
	/** TRUE to enable UDP encapsulation */
	bool new_encap;
	/** New reqid, or 0 if unchanged */
	uint32_t new_reqid;
};

/**
 * Data required to query an SA in the kernel
 */
struct kernel_ipsec_query_sa_t {
	uint16_t cpi;
};

/**
 * Data required to delete an SA in the kernel
 */
struct kernel_ipsec_del_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
};

/**
 * Data identifying a policy in the kernel
 */
struct kernel_ipsec_policy_id_t {
	/** Direction of traffic */
	policy_dir_t dir;
	/** Source traffic selector */
	traffic_selector_t *src_ts;
	/** Destination traffic selector */
	traffic_selector_t *dst_ts;
	/** Optional mark */
	mark_t mark;
	/** Optional interface ID */
	uint32_t if_id;
	/** Network interface restricting policy */
	char *interface;
	/** Security label restricting policy */
	sec_label_t *label;
};

/**
 * Data required to add/delete a policy to/from the kernel
 */
struct kernel_ipsec_manage_policy_t {
	/** Type of policy */
	policy_type_t type;
	/** Priority class */
	policy_priority_t prio;
	/** Manually-set priority (automatic if set to 0) */
	uint32_t manual_prio;
	/** HW offload mode */
	hw_offload_t hw_offload;
	/** Source address of the SA(s) tied to this policy */
	host_t *src;
	/** Destination address of the SA(s) tied to this policy */
	host_t *dst;
	/** Details about the SA(s) tied to this policy */
	ipsec_sa_cfg_t *sa;
};

/**
 * Data required to query a policy in the kernel
 */
struct kernel_ipsec_query_policy_t {
};

/**
 * Interface to the ipsec subsystem of the kernel.
 *
 * The kernel ipsec interface handles the communication with the kernel
 * for SA and policy management. It allows setup of these, and provides
 * further the handling of kernel events.
 * Policy information are cached in the interface. This is necessary to do
 * reference counting. The Linux kernel does not allow the same policy
 * installed twice, but we need this as CHILD_SA exist multiple times
 * when rekeying. That's why we do reference counting of policies.
 */
struct kernel_ipsec_t {

	/**
	 * Get the feature set supported by this kernel backend.
	 *
	 * @return				ORed feature-set of backend
	 */
	kernel_feature_t (*get_features)(kernel_ipsec_t *this);

	/**
	 * Get a SPI from the kernel.
	 *
	 * @param src		source address of SA
	 * @param dst		destination address of SA
	 * @param protocol	protocol for SA (ESP/AH)
	 * @param spi		allocated spi
	 * @return			SUCCESS if operation completed
	 */
	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint8_t protocol, uint32_t *spi);

	/**
	 * Get a Compression Parameter Index (CPI) from the kernel.
	 *
	 * @param src		source address of SA
	 * @param dst		destination address of SA
	 * @param cpi		allocated cpi
	 * @return			SUCCESS if operation completed
	 */
	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint16_t *cpi);

	/**
	 * Add an SA to the SAD.
	 *
	 * This function does install a single SA for a single protocol in one
	 * direction.
	 *
	 * @param id			data identifying this SA
	 * @param data			data for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_add_sa_t *data);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * We cannot directly update the destination address as the kernel
	 * requires the spi, the protocol AND the destination address (and family)
	 * to identify SAs. Therefore if the destination address changed we
	 * create a new SA and delete the old one.
	 *
	 * @param id			data identifying this SA
	 * @param data			updated data for this SA
	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
	 *						the kernel interface can't update the SA
	 */
	status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						  kernel_ipsec_update_sa_t *data);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to query the SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @param[out] packets	number of packets processed by SA
	 * @param[out] time		last (monotonic) time of SA use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						 kernel_ipsec_query_sa_t *data, uint64_t *bytes,
						 uint64_t *packets, time_t *time);

	/**
	 * Delete a previously installed SA from the SAD.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to delete the SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_del_sa_t *data);

	/**
	 * Flush all SAs from the SAD.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_sas)(kernel_ipsec_t *this);

	/**
	 * Add a policy to the SPD.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Query the use time of a policy.
	 *
	 * The use time of a policy is the time the policy was used for the last
	 * time. It is not the system time, but a monotonic timestamp as returned
	 * by time_monotonic.
	 *
	 * @param id			data identifying this policy
	 * @param data			data to query the policy
	 * @param[out] use_time	the monotonic timestamp of this SA's last use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_policy)(kernel_ipsec_t *this,
							 kernel_ipsec_policy_id_t *id,
							 kernel_ipsec_query_policy_t *data,
							 time_t *use_time);

	/**
	 * Remove a policy from the SPD.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Flush all policies from the SPD.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_policies)(kernel_ipsec_t *this);

	/**
	 * Install a bypass policy for the given socket.
	 *
	 * @param fd			socket file descriptor to setup policy for
	 * @param family		protocol family of the socket
	 * @return				TRUE of policy set up successfully
	 */
	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);

	/**
	 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
	 *
	 * @param fd			socket file descriptor
	 * @param family		protocol family of the socket
	 * @param port			the UDP port
	 * @return				TRUE if UDP decapsulation was enabled successfully
	 */
	bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
							 uint16_t port);

	/**
	 * Destroy the implementation.
	 */
	void (*destroy)(kernel_ipsec_t *this);
};

/**
 * Helper function to (un-)register IPsec kernel interfaces from plugin features.
 *
 * This function is a plugin_feature_callback_t and can be used with the
 * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
 *
 * @param plugin		plugin registering the kernel interface
 * @param feature		associated plugin feature
 * @param reg			TRUE to register, FALSE to unregister
 * @param data			data passed to callback, an kernel_ipsec_constructor_t
 */
bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
						   bool reg, void *data);

#endif /** KERNEL_IPSEC_H_ @}*/
Commit	Line	Data
507f26f6	1	/*
7f57c4f9	2	* Copyright (C) 2016 Andreas Steffen
9cee688f	3	* Copyright (C) 2006-2018 Tobias Brunner
507f26f6 TB	4	* Copyright (C) 2006 Daniel Roethlisberger
	5	* Copyright (C) 2005-2006 Martin Willi
	6	* Copyright (C) 2005 Jan Hutter
19ef2aec TB	7	*
19ef2aec TB	8	* Copyright (C) secunet Security Networks AG
507f26f6 TB	9	*
	10	* This program is free software; you can redistribute it and/or modify it
	11	* under the terms of the GNU General Public License as published by the
	12	* Free Software Foundation; either version 2 of the License, or (at your
	13	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	14	*
	15	* This program is distributed in the hope that it will be useful, but
	16	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	17	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	18	* for more details.
507f26f6 TB	19	*/
	20
	21	/**
	22	* @defgroup kernel_ipsec kernel_ipsec
8394ea2a	23	* @{ @ingroup kernel
507f26f6 TB	24	*/
	25
	26	#ifndef KERNEL_IPSEC_H_
	27	#define KERNEL_IPSEC_H_
	28
507f26f6	29	typedef struct kernel_ipsec_t kernel_ipsec_t;
89da06ac TB	30	typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
	31	typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
	32	typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
	33	typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
	34	typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
	35	typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
	36	typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
	37	typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;
507f26f6	38
2e7cc07e	39	#include <networking/host.h>
156f7e9b	40	#include <ipsec/ipsec_types.h>
6f449d2e	41	#include <selectors/traffic_selector.h>
bf0542c4	42	#include <selectors/sec_label.h>
29d30991	43	#include <plugins/plugin.h>
76f7d80e	44	#include <kernel/kernel_interface.h>
507f26f6	45
89da06ac TB	46	/**
	47	* Data required to identify an SA in the kernel
	48	*/
	49	struct kernel_ipsec_sa_id_t {
	50	/** Source address */
	51	host_t *src;
	52	/** Destination address */
	53	host_t *dst;
	54	/** SPI */
	55	uint32_t spi;
	56	/** Protocol (ESP/AH) */
	57	uint8_t proto;
	58	/** Optional mark */
	59	mark_t mark;
b32c3ce8 TB	60	/** Optional interface ID */
b32c3ce8 TB	61	uint32_t if_id;
89da06ac TB	62	};
	63
	64	/**
	65	* Data required to add an SA to the kernel
	66	*/
	67	struct kernel_ipsec_add_sa_t {
	68	/** Reqid */
	69	uint32_t reqid;
	70	/** Mode (tunnel, transport...) */
	71	ipsec_mode_t mode;
	72	/** List of source traffic selectors */
	73	linked_list_t *src_ts;
	74	/** List of destination traffic selectors */
	75	linked_list_t *dst_ts;
c26e4330 AS	76	/** Network interface restricting policy */
c26e4330 AS	77	char *interface;
89da06ac TB	78	/** Lifetime configuration */
	79	lifetime_cfg_t *lifetime;
	80	/** Encryption algorithm */
	81	uint16_t enc_alg;
	82	/** Encryption key */
	83	chunk_t enc_key;
	84	/** Integrity protection algorithm */
	85	uint16_t int_alg;
	86	/** Integrity protection key */
	87	chunk_t int_key;
	88	/** Anti-replay window size */
	89	uint32_t replay_window;
	90	/** Traffic Flow Confidentiality padding */
	91	uint32_t tfc;
	92	/** IPComp transform */
	93	uint16_t ipcomp;
	94	/** CPI for IPComp */
	95	uint16_t cpi;
	96	/** TRUE to enable UDP encapsulation for NAT traversal */
	97	bool encap;
af1eeda0	98	/** HW offload mode */
8ced1570	99	hw_offload_t hw_offload;
9cee688f TB	100	/** Mark the SA should apply to packets after processing */
9cee688f TB	101	mark_t mark;
bf0542c4 TB	102	/** Security label to match or apply */
bf0542c4 TB	103	sec_label_t *label;
89da06ac TB	104	/** TRUE to use Extended Sequence Numbers */
89da06ac TB	105	bool esn;
dc8b015d TB	106	/** TRUE to copy the DF bit to the outer IPv4 header in tunnel mode */
	107	bool copy_df;
	108	/** TRUE to copy the ECN header field to/from the outer header */
	109	bool copy_ecn;
c993eaf9 TB	110	/** Whether to copy the DSCP header field to/from the outer header */
c993eaf9 TB	111	dscp_copy_t copy_dscp;
89da06ac TB	112	/** TRUE if initiator of the exchange creating the SA */
	113	bool initiator;
	114	/** TRUE if this is an inbound SA */
	115	bool inbound;
	116	/** TRUE if an SPI has already been allocated for this SA */
	117	bool update;
	118	};
	119
	120	/**
	121	* Data required to update the hosts of an SA in the kernel
	122	*/
	123	struct kernel_ipsec_update_sa_t {
	124	/** CPI in case IPComp is used */
	125	uint16_t cpi;
	126	/** New source address */
	127	host_t *new_src;
	128	/** New destination address */
	129	host_t *new_dst;
	130	/** TRUE if UDP encapsulation is currently enabled */
	131	bool encap;
	132	/** TRUE to enable UDP encapsulation */
	133	bool new_encap;
1b3af3e3 TB	134	/** New reqid, or 0 if unchanged */
1b3af3e3 TB	135	uint32_t new_reqid;
89da06ac TB	136	};
	137
	138	/**
	139	* Data required to query an SA in the kernel
	140	*/
	141	struct kernel_ipsec_query_sa_t {
	142	uint16_t cpi;
	143	};
	144
	145	/**
	146	* Data required to delete an SA in the kernel
	147	*/
	148	struct kernel_ipsec_del_sa_t {
	149	/** CPI in case IPComp is used */
	150	uint16_t cpi;
	151	};
	152
	153	/**
	154	* Data identifying a policy in the kernel
	155	*/
	156	struct kernel_ipsec_policy_id_t {
	157	/** Direction of traffic */
	158	policy_dir_t dir;
	159	/** Source traffic selector */
	160	traffic_selector_t *src_ts;
	161	/** Destination traffic selector */
	162	traffic_selector_t *dst_ts;
	163	/** Optional mark */
	164	mark_t mark;
b32c3ce8 TB	165	/** Optional interface ID */
b32c3ce8 TB	166	uint32_t if_id;
c26e4330 AS	167	/** Network interface restricting policy */
c26e4330 AS	168	char *interface;
bf0542c4 TB	169	/** Security label restricting policy */
bf0542c4 TB	170	sec_label_t *label;
89da06ac TB	171	};
	172
	173	/**
	174	* Data required to add/delete a policy to/from the kernel
	175	*/
	176	struct kernel_ipsec_manage_policy_t {
	177	/** Type of policy */
	178	policy_type_t type;
	179	/** Priority class */
	180	policy_priority_t prio;
7f57c4f9 AS	181	/** Manually-set priority (automatic if set to 0) */
7f57c4f9 AS	182	uint32_t manual_prio;
af1eeda0 TB	183	/** HW offload mode */
af1eeda0 TB	184	hw_offload_t hw_offload;
89da06ac TB	185	/** Source address of the SA(s) tied to this policy */
	186	host_t *src;
	187	/** Destination address of the SA(s) tied to this policy */
	188	host_t *dst;
	189	/** Details about the SA(s) tied to this policy */
	190	ipsec_sa_cfg_t *sa;
	191	};
	192
	193	/**
	194	* Data required to query a policy in the kernel
	195	*/
	196	struct kernel_ipsec_query_policy_t {
	197	};
	198
507f26f6 TB	199	/**
507f26f6 TB	200	* Interface to the ipsec subsystem of the kernel.
7daf5226	201	*
507f26f6	202	* The kernel ipsec interface handles the communication with the kernel
7daf5226	203	* for SA and policy management. It allows setup of these, and provides
507f26f6 TB	204	* further the handling of kernel events.
	205	* Policy information are cached in the interface. This is necessary to do
	206	* reference counting. The Linux kernel does not allow the same policy
	207	* installed twice, but we need this as CHILD_SA exist multiple times
527b3f0c	208	* when rekeying. That's why we do reference counting of policies.
507f26f6 TB	209	*/
507f26f6 TB	210	struct kernel_ipsec_t {
7daf5226	211
76f7d80e MW	212	/**
	213	* Get the feature set supported by this kernel backend.
	214	*
	215	* @return ORed feature-set of backend
	216	*/
	217	kernel_feature_t (get_features)(kernel_ipsec_t this);
	218
507f26f6 TB	219	/**
	220	* Get a SPI from the kernel.
	221	*
507f26f6 TB	222	* @param src source address of SA
	223	* @param dst destination address of SA
	224	* @param protocol protocol for SA (ESP/AH)
507f26f6	225	* @param spi allocated spi
2a1c9e20	226	* @return SUCCESS if operation completed
507f26f6	227	*/
7daf5226	228	status_t (get_spi)(kernel_ipsec_t this, host_t src, host_t dst,
b12c53ce	229	uint8_t protocol, uint32_t *spi);
7daf5226	230
507f26f6 TB	231	/**
507f26f6 TB	232	* Get a Compression Parameter Index (CPI) from the kernel.
7daf5226	233	*
507f26f6 TB	234	* @param src source address of SA
507f26f6 TB	235	* @param dst destination address of SA
507f26f6	236	* @param cpi allocated cpi
2a1c9e20	237	* @return SUCCESS if operation completed
507f26f6	238	*/
7daf5226	239	status_t (get_cpi)(kernel_ipsec_t this, host_t src, host_t dst,
b12c53ce	240	uint16_t *cpi);
7daf5226	241
507f26f6 TB	242	/**
507f26f6 TB	243	* Add an SA to the SAD.
888af963	244	*
d05d85fe MW	245	* This function does install a single SA for a single protocol in one
d05d85fe MW	246	* direction.
888af963	247	*
89da06ac TB	248	* @param id data identifying this SA
89da06ac TB	249	* @param data data for this SA
507f26f6 TB	250	* @return SUCCESS if operation completed
507f26f6 TB	251	*/
89da06ac TB	252	status_t (add_sa)(kernel_ipsec_t this, kernel_ipsec_sa_id_t *id,
89da06ac TB	253	kernel_ipsec_add_sa_t *data);
7daf5226	254
507f26f6 TB	255	/**
	256	* Update the hosts on an installed SA.
	257	*
	258	* We cannot directly update the destination address as the kernel
	259	* requires the spi, the protocol AND the destination address (and family)
	260	* to identify SAs. Therefore if the destination address changed we
	261	* create a new SA and delete the old one.
	262	*
89da06ac TB	263	* @param id data identifying this SA
89da06ac TB	264	* @param data updated data for this SA
ea625fab	265	* @return SUCCESS if operation completed, NOT_SUPPORTED if
89da06ac	266	* the kernel interface can't update the SA
507f26f6	267	*/
89da06ac TB	268	status_t (update_sa)(kernel_ipsec_t this, kernel_ipsec_sa_id_t *id,
89da06ac TB	269	kernel_ipsec_update_sa_t *data);
7daf5226	270
2ad51539 AS	271	/**
2ad51539 AS	272	* Query the number of bytes processed by an SA from the SAD.
7daf5226	273	*
89da06ac TB	274	* @param id data identifying this SA
89da06ac TB	275	* @param data data to query the SA
2ad51539	276	* @param[out] bytes the number of bytes processed by SA
7eeeb1c7	277	* @param[out] packets number of packets processed by SA
c99458e9	278	* @param[out] time last (monotonic) time of SA use
2ad51539 AS	279	* @return SUCCESS if operation completed
2ad51539 AS	280	*/
89da06ac TB	281	status_t (query_sa)(kernel_ipsec_t this, kernel_ipsec_sa_id_t *id,
	282	kernel_ipsec_query_sa_t data, uint64_t bytes,
	283	uint64_t packets, time_t time);
7daf5226	284
507f26f6	285	/**
89da06ac	286	* Delete a previously installed SA from the SAD.
7daf5226	287	*
89da06ac TB	288	* @param id data identifying this SA
89da06ac TB	289	* @param data data to delete the SA
507f26f6 TB	290	* @return SUCCESS if operation completed
507f26f6 TB	291	*/
89da06ac TB	292	status_t (del_sa)(kernel_ipsec_t this, kernel_ipsec_sa_id_t *id,
89da06ac TB	293	kernel_ipsec_del_sa_t *data);
7daf5226	294
0b0f466b TB	295	/**
	296	* Flush all SAs from the SAD.
	297	*
	298	* @return SUCCESS if operation completed
	299	*/
89da06ac	300	status_t (flush_sas)(kernel_ipsec_t this);
0b0f466b	301
507f26f6 TB	302	/**
507f26f6 TB	303	* Add a policy to the SPD.
7daf5226	304	*
89da06ac TB	305	* @param id data identifying this policy
89da06ac TB	306	* @param data data for this policy
507f26f6 TB	307	* @return SUCCESS if operation completed
507f26f6 TB	308	*/
89da06ac TB	309	status_t (add_policy)(kernel_ipsec_t this,
	310	kernel_ipsec_policy_id_t *id,
	311	kernel_ipsec_manage_policy_t *data);
7daf5226	312
507f26f6 TB	313	/**
	314	* Query the use time of a policy.
	315	*
6180a558 MW	316	* The use time of a policy is the time the policy was used for the last
	317	* time. It is not the system time, but a monotonic timestamp as returned
	318	* by time_monotonic.
7daf5226	319	*
89da06ac TB	320	* @param id data identifying this policy
89da06ac TB	321	* @param data data to query the policy
6180a558	322	* @param[out] use_time the monotonic timestamp of this SA's last use
507f26f6 TB	323	* @return SUCCESS if operation completed
507f26f6 TB	324	*/
89da06ac TB	325	status_t (query_policy)(kernel_ipsec_t this,
	326	kernel_ipsec_policy_id_t *id,
	327	kernel_ipsec_query_policy_t *data,
	328	time_t *use_time);
7daf5226	329
507f26f6 TB	330	/**
	331	* Remove a policy from the SPD.
	332	*
89da06ac TB	333	* @param id data identifying this policy
89da06ac TB	334	* @param data data for this policy
507f26f6 TB	335	* @return SUCCESS if operation completed
507f26f6 TB	336	*/
89da06ac TB	337	status_t (del_policy)(kernel_ipsec_t this,
	338	kernel_ipsec_policy_id_t *id,
	339	kernel_ipsec_manage_policy_t *data);
7daf5226	340
0b0f466b TB	341	/**
	342	* Flush all policies from the SPD.
	343	*
	344	* @return SUCCESS if operation completed
	345	*/
89da06ac	346	status_t (flush_policies)(kernel_ipsec_t this);
0b0f466b	347
54f81859 MW	348	/**
	349	* Install a bypass policy for the given socket.
	350	*
	351	* @param fd socket file descriptor to setup policy for
	352	* @param family protocol family of the socket
	353	* @return TRUE of policy set up successfully
	354	*/
	355	bool (bypass_socket)(kernel_ipsec_t this, int fd, int family);
	356
e49abced TB	357	/**
	358	* Enable decapsulation of ESP-in-UDP packets for the given port/socket.
	359	*
	360	* @param fd socket file descriptor
	361	* @param family protocol family of the socket
	362	* @param port the UDP port
	363	* @return TRUE if UDP decapsulation was enabled successfully
	364	*/
	365	bool (enable_udp_decap)(kernel_ipsec_t this, int fd, int family,
b12c53ce	366	uint16_t port);
e49abced	367
507f26f6 TB	368	/**
	369	* Destroy the implementation.
	370	*/
89da06ac	371	void (destroy)(kernel_ipsec_t this);
507f26f6 TB	372	};
507f26f6 TB	373
29d30991 MW	374	/**
	375	* Helper function to (un-)register IPsec kernel interfaces from plugin features.
	376	*
	377	* This function is a plugin_feature_callback_t and can be used with the
	378	* PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
	379	*
	380	* @param plugin plugin registering the kernel interface
	381	* @param feature associated plugin feature
	382	* @param reg TRUE to register, FALSE to unregister
	383	* @param data data passed to callback, an kernel_ipsec_constructor_t
	384	*/
	385	bool kernel_ipsec_register(plugin_t plugin, plugin_feature_t feature,
	386	bool reg, void *data);
	387
1490ff4d	388	#endif /** KERNEL_IPSEC_H_ @}*/