implemented PASS and DROP shunt policies
/*
 * Copyright (C) 2006-2010 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup kernel_ipsec kernel_ipsec
 * @{ @ingroup hkernel
 */

#ifndef KERNEL_IPSEC_H_
#define KERNEL_IPSEC_H_

/* Forward typedefs for the enums and structs defined further down in this
 * header, so the names can be used in the interface declarations below. */
typedef enum ipsec_mode_t ipsec_mode_t;
typedef enum policy_dir_t policy_dir_t;
typedef enum policy_type_t policy_type_t;
typedef enum ipcomp_transform_t ipcomp_transform_t;
typedef struct kernel_ipsec_t kernel_ipsec_t;
typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
typedef struct lifetime_cfg_t lifetime_cfg_t;
typedef struct mark_t mark_t;

/* NOTE(review): status_t, chunk_t, enum_name_t, bool and the u_int*_t types
 * used below are not declared by the three includes listed here; they are
 * presumably provided by a common library header pulled in by every user of
 * this file — confirm before including this header standalone. */
#include <utils/host.h>
#include <crypto/prf_plus.h>
#include <selectors/traffic_selector.h>

/**
 * Mode of an IPsec SA.
 *
 * MODE_TRANSPORT, MODE_TUNNEL and MODE_BEET describe how an SA encapsulates
 * traffic. MODE_PASS and MODE_DROP do not describe an SA: they name the
 * "shunt" policies that let traffic bypass IPsec, or discard it, without any
 * SA being involved (compare policy_type_t below).
 *
 * Values are written out explicitly; they start at 1, so 0 is never a valid
 * mode.
 */
enum ipsec_mode_t {
	/** transport mode, no inner address */
	MODE_TRANSPORT = 1,
	/** tunnel mode, inner and outer addresses */
	MODE_TUNNEL = 2,
	/** BEET mode, tunnel mode but fixed, bound inner addresses */
	MODE_BEET = 3,
	/** passthrough policy for traffic without an IPsec SA */
	MODE_PASS = 4,
	/** drop policy discarding traffic */
	MODE_DROP = 5,
};

/**
 * enum names for ipsec_mode_t.
 *
 * Name table for the ipsec_mode_t enumerators above (an enum_name_t, which
 * is declared elsewhere); defined in the corresponding .c file.
 */
extern enum_name_t *ipsec_mode_names;

/**
 * Direction of a policy. These are equal to those
 * defined in xfrm.h, but we want to stay implementation
 * neutral here.
 *
 * The numeric values are given explicitly because they are meant to match
 * the xfrm.h constants. NOTE(review): that equality is only stated here, not
 * checked at compile time — confirm against the kernel headers if these
 * values are ever passed to the kernel directly.
 */
enum policy_dir_t {
	/** Policy for inbound traffic */
	POLICY_IN = 0,
	/** Policy for outbound traffic */
	POLICY_OUT = 1,
	/** Policy for forwarded traffic */
	POLICY_FWD = 2,
};

/**
 * enum names for policy_dir_t.
 *
 * Name table for the policy_dir_t enumerators above (an enum_name_t, which
 * is declared elsewhere); defined in the corresponding .c file.
 */
extern enum_name_t *policy_dir_names;

/**
 * Type of a policy.
 *
 * Selects what happens to traffic matching a policy installed with
 * add_policy(): POLICY_IPSEC hands it to the SA(s) tied to the policy,
 * POLICY_PASS leaves it untouched by IPsec and POLICY_DROP discards it.
 * The latter two are the "shunt" policy types.
 *
 * Values are written out explicitly; they start at 1, so 0 is never a valid
 * type.
 */
enum policy_type_t {
	/** Normal IPsec policy */
	POLICY_IPSEC = 1,
	/** Passthrough policy (traffic is ignored by IPsec) */
	POLICY_PASS = 2,
	/** Drop policy (traffic is discarded) */
	POLICY_DROP = 3,
};

/**
 * IPComp transform IDs, as in RFC 4306
 *
 * The non-zero values are the IPComp Transform IDs of the IKEv2 IPCOMP_SUPPORTED
 * notification. IPCOMP_NONE (0) is not an RFC transform; it is the value used
 * where no IPComp transform is in use (see the ipcomp parameter of add_sa()).
 */
enum ipcomp_transform_t {
	/** no IPComp */
	IPCOMP_NONE = 0,
	/** vendor-specific (OUI) transform */
	IPCOMP_OUI = 1,
	/** DEFLATE compression */
	IPCOMP_DEFLATE = 2,
	/** LZS compression */
	IPCOMP_LZS = 3,
	/** LZJH compression */
	IPCOMP_LZJH = 4,
};

/**
 * enum strings for ipcomp_transform_t.
 *
 * Name table for the ipcomp_transform_t enumerators above (an enum_name_t,
 * which is declared elsewhere); defined in the corresponding .c file.
 */
extern enum_name_t *ipcomp_transform_names;

/**
 * This struct contains details about IPsec SA(s) tied to a policy.
 *
 * Passed to add_policy() as the sa argument; it describes the SA(s) that
 * traffic matching a POLICY_IPSEC policy is handled by. The esp and ah
 * members share one layout: a use flag telling whether that protocol is part
 * of the policy's SA(s), plus the SPI of that SA.
 */
struct ipsec_sa_cfg_t {
	/** mode of SA (tunnel, transport or BEET, see ipsec_mode_t) */
	ipsec_mode_t mode;
	/** unique ID; matches the reqid given to add_sa() for the SA(s) */
	u_int32_t reqid;
	/** details about ESP/AH */
	struct {
		/** TRUE if this protocol is used */
		bool use;
		/** SPI for ESP/AH (presumably only meaningful when use is TRUE) */
		u_int32_t spi;
	} esp, ah;
	/** details about IPComp */
	struct {
		/** the IPComp transform used (an ipcomp_transform_t value) */
		u_int16_t transform;
		/** CPI for IPComp */
		u_int16_t cpi;
	} ipcomp;
};

/**
 * A lifetime_cfg_t defines the lifetime limits of an SA.
 *
 * Set any of these values to 0 to ignore.
 *
 * The same three limits exist for elapsed time, transferred bytes and
 * transferred packets (time, bytes, packets). NOTE(review): the unit of the
 * time limits is not stated here — confirm against the implementations.
 */
struct lifetime_cfg_t {
	struct {
		/** Limit before the SA gets invalid. */
		u_int64_t life;
		/** Limit before the SA gets rekeyed. */
		u_int64_t rekey;
		/** The range of a random value subtracted from rekey. */
		u_int64_t jitter;
	} time, bytes, packets;
};

/**
 * A mark_t defines an optional mark in an IPsec SA.
 *
 * A mark is a value/mask pair that is attached to an SA or a policy (see the
 * mark arguments of add_sa() and add_policy()) and is part of what identifies
 * it in later calls such as update_sa(), del_sa() and del_policy().
 */
struct mark_t {
	/** Mark value */
	u_int32_t value;
	/** Mark mask */
	u_int32_t mask;
};

/**
 * Interface to the ipsec subsystem of the kernel.
 *
 * The kernel ipsec interface handles the communication with the kernel
 * for SA and policy management. It allows setup of these, and provides
 * further the handling of kernel events.
 * Policy information is cached in the interface. This is necessary to do
 * reference counting. The Linux kernel does not allow the same policy
 * installed twice, but we need this as CHILD_SAs exist multiple times
 * when rekeying. That's why we do reference counting of policies.
 *
 * Every method takes the interface instance as its first argument (this).
 * Methods returning status_t report SUCCESS when the operation completed;
 * other return codes are only documented where a method states them.
 */
struct kernel_ipsec_t {

	/**
	 * Get a SPI from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param protocol		protocol for SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param spi			allocated spi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);

	/**
	 * Get a Compression Parameter Index (CPI) from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param reqid			unique ID for the corresponding SA
	 * @param cpi			allocated cpi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int32_t reqid, u_int16_t *cpi);

	/**
	 * Add an SA to the SAD.
	 *
	 * add_sa() may update an already allocated SPI (via get_spi).
	 * NOTE(review): the signature below has no "replace" parameter, so how an
	 * SA installed over a previously allocated SPI is told apart from a fresh
	 * one is left to the implementation — confirm.
	 * This function does install a single SA for a single protocol in one
	 * direction.
	 *
	 * enc_key and int_key carry the SA's raw key material. Ownership of these
	 * chunks and their zeroization after installation are not specified by
	 * this header (NOTE(review): confirm against the implementations and the
	 * callers before changing either side).
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param mark			mark for this SA
	 * @param tfc			Traffic Flow Confidentiality padding for this SA
	 * @param lifetime		lifetime_cfg_t for this SA
	 * @param enc_alg		Algorithm to use for encryption (ESP only)
	 * @param enc_key		key to use for encryption
	 * @param int_alg		Algorithm to use for integrity protection
	 * @param int_key		key to use for integrity protection
	 * @param mode			mode of the SA (tunnel, transport, BEET)
	 * @param ipcomp		IPComp transform to use (ipcomp_transform_t)
	 * @param cpi			CPI for IPComp
	 * @param encap			enable UDP encapsulation for NAT traversal
	 * @param esn			TRUE to use Extended Sequence Numbers
	 * @param inbound		TRUE if this is an inbound SA
	 * @param src_ts		traffic selector with BEET source address
	 * @param dst_ts		traffic selector with BEET destination address
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa) (kernel_ipsec_t *this,
						host_t *src, host_t *dst, u_int32_t spi,
						u_int8_t protocol, u_int32_t reqid,
						mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime,
						u_int16_t enc_alg, chunk_t enc_key,
						u_int16_t int_alg, chunk_t int_key,
						ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
						bool encap, bool esn, bool inbound,
						traffic_selector_t *src_ts, traffic_selector_t *dst_ts);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * We cannot directly update the destination address as the kernel
	 * requires the spi, the protocol AND the destination address (and family)
	 * to identify SAs. Therefore if the destination address changed we
	 * create a new SA and delete the old one.
	 *
	 * @param spi			SPI of the SA
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
	 * @param src			current source address
	 * @param dst			current destination address
	 * @param new_src		new source address
	 * @param new_dst		new destination address
	 * @param encap			current use of UDP encapsulation
	 * @param new_encap		new use of UDP encapsulation
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
	 *						the kernel interface can't update the SA
	 */
	status_t (*update_sa)(kernel_ipsec_t *this,
						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
						  host_t *src, host_t *dst,
						  host_t *new_src, host_t *new_dst,
						  bool encap, bool new_encap, mark_t mark);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param mark			optional mark for this SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
						  u_int32_t spi, u_int8_t protocol, mark_t mark,
						  u_int64_t *bytes);

	/**
	 * Delete a previously installed SA from the SAD.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp or 0
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
						mark_t mark);

	/**
	 * Add a policy to the SPD.
	 *
	 * For a POLICY_IPSEC policy, traffic which matches the policy is handled
	 * by the SA(s) described in sa, i.e. the SA with the same reqid.
	 * POLICY_PASS and POLICY_DROP policies (see policy_type_t) let matching
	 * traffic bypass IPsec or discard it instead. NOTE(review): what sa must
	 * contain for those two types is not specified here — confirm against
	 * the implementations.
	 *
	 * @param src			source address of SA
	 * @param dst			dest address of SA
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
	 * @param sa			details about the SA(s) tied to this policy
	 * @param mark			mark for this policy
	 * @param routed		TRUE, if this policy is routed in the kernel
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy) (kernel_ipsec_t *this,
							host_t *src, host_t *dst,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts,
							policy_dir_t direction, policy_type_t type,
							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);

	/**
	 * Query the use time of a policy.
	 *
	 * The use time of a policy is the time the policy was used for the last
	 * time. It is not the system time, but a monotonic timestamp as returned
	 * by time_monotonic.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param mark			optional mark
	 * @param[out] use_time	the monotonic timestamp of this policy's last use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_policy) (kernel_ipsec_t *this,
							  traffic_selector_t *src_ts,
							  traffic_selector_t *dst_ts,
							  policy_dir_t direction, mark_t mark,
							  u_int32_t *use_time);

	/**
	 * Remove a policy from the SPD.
	 *
	 * The kernel interface implements reference counting for policies.
	 * If the same policy is installed multiple times (in the case of rekeying),
	 * the reference counter is increased. del_policy() decreases the ref counter
	 * and removes the policy only when no more references are available.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param mark			optional mark
	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy) (kernel_ipsec_t *this,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts,
							policy_dir_t direction, mark_t mark,
							bool unrouted);

	/**
	 * Install a bypass policy for the given socket.
	 *
	 * Traffic on the socket is presumably exempted from the policies in the
	 * SPD by this (NOTE(review): the exact scope of the exemption is decided
	 * by the implementation — confirm). Unlike the other policy methods it
	 * returns a bool, not a status_t.
	 *
	 * @param fd			socket file descriptor to setup policy for
	 * @param family		protocol family of the socket
	 * @return				TRUE if policy set up successfully
	 */
	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);

	/**
	 * Destroy the implementation.
	 *
	 * Releases the instance; this must not be used afterwards.
	 */
	void (*destroy) (kernel_ipsec_t *this);
};

#endif /** KERNEL_IPSEC_H_ @}*/