2 * @(#) FreeSWAN tunable parameters
4 * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
5 * and Michael Richardson <mcr@freeswan.org>
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * RCSID $Id: ipsec_param.h,v 1.2 2004/04/28 08:07:11 as Exp $
22 * This file provides a set of #define's which may be tuned by various
23 * people/configurations. It keeps all compile-time tunables in one place.
25 * This file should be included before all other IPsec kernel-only files.
29 #ifndef _IPSEC_PARAM_H_
/*
 * NOTE(review): the guard macro is only #define'd at the very end of this
 * file (last two lines) rather than directly after this #ifndef, so a
 * nested re-inclusion while the body is still being processed would not be
 * suppressed.  Defining it here is the conventional form.  The name also
 * starts with '_' + uppercase, which C reserves for the implementation.
 */
32 #include "ipsec_kversion.h"
34 /* Set number of ipsecX virtual devices here. */
35 /* This must be < exp(field width of IPSEC_DEV_FORMAT) */
36 /* It must also be reasonable so as not to overload the memory and CPU */
37 /* constraints of the host. */
38 #define IPSEC_NUM_IF 4
39 /* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
40 /* With "ipsec" being 5 characters, that means 10 is the max field width */
41 /* but machine memory and CPU constraints are not likely to tolerate */
42 /* more than 3 digits. The default is one digit. */
43 /* Update: userland scripts get upset if they can't find "ipsec0", so */
44 /* for now, no "0"-padding should be used (which would have been helpful */
45 /* to make text-searches work). */
/* printf-style template for the per-device name; "%d" receives the device
 * index.  Keep the width within the limit described above so the formatted
 * name cannot exceed the interface-name buffer. */
46 #define IPSEC_DEV_FORMAT "ipsec%d"
47 /* For, say, 500 virtual ipsec devices, I would recommend: */
48 /* #define IPSEC_NUM_IF 500 */
49 /* #define IPSEC_DEV_FORMAT "ipsec%03d" */
50 /* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */
52 /* use dynamic ipsecX device allocation */
53 #ifndef CONFIG_IPSEC_DYNDEV
54 #define CONFIG_IPSEC_DYNDEV 1
55 #endif /* CONFIG_IPSEC_DYNDEV */
/* SADB hash modulus: a larger value for "big gate" builds, a small one
 * otherwise.  Both values are prime.  The table it indexes is not visible
 * in this file. */
58 #ifdef CONFIG_IPSEC_BIGGATE
59 # define SADB_HASHMOD 8069
60 #else /* CONFIG_IPSEC_BIGGATE */
61 # define SADB_HASHMOD 257
62 #endif /* CONFIG_IPSEC_BIGGATE */
/* The matching #ifdef __KERNEL__ for this #endif is not present in this
 * listing; the kernel-only section opens somewhere above. */
63 #endif /* __KERNEL__ */
66 * This is for the SA reference table. This number is related to the
67 * maximum number of SAs that KLIPS can concurrently deal with, plus enough
68 * space for keeping expired SAs around.
70 * TABLE_MAX_WIDTH is the number of bits that we will use.
71 * MAIN_TABLE_WIDTH is the number of bits used for the primary index table.
/* 16 index bits -> up to 2^16 SA references; 4 main-table bits -> 16 primary
 * slots.  The closing #endif of each #ifndef below is not shown in this
 * listing. */
74 #ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH
75 # define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
78 #ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
79 # define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
82 #ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES
83 # define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
86 #ifndef IPSEC_SA_REF_CODE
87 # define IPSEC_SA_REF_CODE 1
91 /* This is defined for 2.4, but not 2.2.... */
/* Fallback for kernels lacking ARPHRD_VOID; the guarding #ifndef is not
 * visible here.  0xFFFF is the value later kernels use. */
93 # define ARPHRD_VOID 0xFFFF
97 * Worry about PROC_FS stuff
/* Trailing-parameter and storage-class shims so the same /proc read handlers
 * compile against both procfs APIs (PROC_FS_2325 presumably marks the
 * 2.3.25-era interface -- confirm in ipsec_kversion.h).  The #else between
 * the two halves is not present in this listing. */
99 #if defined(PROC_FS_2325)
101 # define IPSEC_PROC_LAST_ARG ,int *eof,void *data
102 # define IPSEC_PROCFS_DEBUG_NO_STATIC
103 # define IPSEC_PROC_SUBDIRS
106 # define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC
108 # ifndef PROC_NO_DUMMY
109 # define IPSEC_PROC_LAST_ARG , int dummy
111 # define IPSEC_PROC_LAST_ARG
112 # endif /* !PROC_NO_DUMMY */
113 #endif /* PROC_FS_2325 */
115 #if !defined(LINUX_KERNEL_HAS_SNPRINTF)
116 /* GNU CPP specific! */
/*
 * NOTE(review): this fallback drops the `len` argument entirely, so on a
 * kernel without snprintf every call that relies on its bound becomes an
 * unbounded sprintf into the caller's buffer.  Any caller formatting data it
 * does not fully control (peer-supplied or variable-length strings) can then
 * overflow.  Prefer a real bounded implementation, or at least a #warning so
 * builds taking this path are visible.
 */
117 # define snprintf(buf, len, fmt...) sprintf(buf, ##fmt)
118 #endif /* !LINUX_KERNEL_HAS_SNPRINTF */
/* The #ifdef SPINLOCK / #ifdef SPINLOCK_23 lines opening this group are not
 * present in this listing. */
122 # include <linux/spinlock.h> /* *lock* */
123 # else /* SPINLOCK_23 */
124 # include <asm/spinlock.h> /* *lock* */
125 # endif /* SPINLOCK_23 */
126 #endif /* SPINLOCK */
/* Presumably selects correcting DES key parity bits instead of rejecting
 * keys with bad parity -- confirm against the DES key-setup code. */
128 #ifndef KLIPS_FIXES_DES_PARITY
129 # define KLIPS_FIXES_DES_PARITY 1
130 #endif /* !KLIPS_FIXES_DES_PARITY */
132 /* we don't really want to print these unless there are really big problems */
/*
 * NOTE(review): these two toggles control printing of raw cipher and HMAC
 * key material.  They must stay 0 in any build that leaves a developer's
 * machine: with either set to 1, live SA keys end up in the debug output
 * (presumably the kernel log, which is often readable by local users).
 * A build-time check that both are 0 whenever CONFIG_IPSEC_DEBUG is off
 * would be cheap insurance.
 */
133 #ifndef KLIPS_DIVULGE_CYPHER_KEY
134 # define KLIPS_DIVULGE_CYPHER_KEY 0
135 #endif /* !KLIPS_DIVULGE_CYPHER_KEY */
137 #ifndef KLIPS_DIVULGE_HMAC_KEY
138 # define KLIPS_DIVULGE_HMAC_KEY 0
139 #endif /* !KLIPS_DIVULGE_HMAC_KEY */
/* When non-zero, packets carrying IP options are presumably rejected rather
 * than processed -- confirm at the point of use. */
141 #ifndef IPSEC_DISALLOW_IPOPTIONS
142 # define IPSEC_DISALLOW_IPOPTIONS 1
143 #endif /* !IPSEC_DISALLOW_IPOPTIONS */
145 /* extra toggles for regression testing */
146 #ifdef CONFIG_IPSEC_REGRESS
149 * should pfkey_acquire() become 100% lossy?
152 extern int sysctl_ipsec_regress_pfkey_lossage
;
/* 100 reads as "lose every acquire" and 0 as "never", i.e. a percentage;
 * confirm against the consumer.  Off unless the CONFIG_ option asks for it. */
153 #ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
154 # ifdef CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE
155 # define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
156 # else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
157 /* not by default! */
158 # define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
159 # endif /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
160 #endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
162 #endif /* CONFIG_IPSEC_REGRESS */
165 * debugging routines.
167 #ifdef CONFIG_IPSEC_DEBUG
168 extern void ipsec_print_ip(struct iphdr
*ip
);
/*
 * Debug-print helpers.  `flag` gates the call.  In KLIPS_PRINT, `format` is
 * pasted after the KERN_INFO literal, so it must itself be a string literal
 * (which incidentally rules out caller-controlled format strings there).
 * KLIPS_PRINTMORE hands `format` straight to printk, so callers must still
 * pass a literal, never a buffer.  In this branch each macro is an expression
 * yielding an int; in the non-debug branch below they are empty statements
 * that evaluate neither `flag` nor the arguments, so they are only safe in
 * statement position and must not carry side effects in their arguments.
 */
170 #define KLIPS_PRINT(flag, format, args...) \
171 ((flag) ? printk(KERN_INFO format , ## args) : 0)
172 #define KLIPS_PRINTMORE(flag, format, args...) \
173 ((flag) ? printk(format , ## args) : 0)
174 #define KLIPS_IP_PRINT(flag, ip) \
175 ((flag) ? ipsec_print_ip(ip) : 0)
176 #else /* CONFIG_IPSEC_DEBUG */
177 #define KLIPS_PRINT(flag, format, args...) do ; while(0)
178 #define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
179 #define KLIPS_IP_PRINT(flag, ip) do ; while(0)
180 #endif /* CONFIG_IPSEC_DEBUG */
184 * Stupid kernel API differences in APIs. Not only do some
185 * kernels not have ip_select_ident, but some have differing APIs,
186 * and SuSE has one with one parameter, but no way of checking to
187 * see what is really what.
/* The #else/#endif lines separating the four variants below are not present
 * in this listing. */
190 #ifdef SUSE_LINUX_2_4_19_IS_STUPID
191 #define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
194 /* simplest case, nothing */
/* NOTE(review): this variant draws IP IDs from a single global counter, so
 * IDs are sequential across all flows and therefore predictable.  `iph` is
 * also used unparenthesized; `(iph)->id` is the safe form for a macro
 * argument. */
195 #if !defined(IP_SELECT_IDENT)
196 #define KLIPS_IP_SELECT_IDENT(iph, skb) do { iph->id = htons(ip_id_count++); } while(0)
199 /* kernels > 2.3.37-ish */
200 #if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
201 #define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
204 /* kernels > 2.4.2 */
205 #if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
206 #define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
209 #endif /* SUSE_LINUX_2_4_19_IS_STUPID */
212 * make klips fail test:east-espiv-01.
213 * exploit is at testing/attacks/espiv
/* Deliberate impairment for the regression suite named above.  Must remain 0
 * in any shipped build; a build-time check that it is 0 outside
 * CONFIG_IPSEC_REGRESS would make that explicit. */
216 #define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0
219 /* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */
220 #ifndef IP_FRAGMENT_LINEARIZE
221 # define IP_FRAGMENT_LINEARIZE 0
222 #endif /* IP_FRAGMENT_LINEARIZE */
/* Second kernel-only section closes here; its #ifdef __KERNEL__ is likewise
 * not present in this listing. */
223 #endif /* __KERNEL__ */
/* Include guard is set only here, at the bottom (see note at the top). */
225 #define _IPSEC_PARAM_H_
226 #endif /* _IPSEC_PARAM_H_ */