1 /*
2 * @(#) FreeSWAN tunable parameters
3 *
4 * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
5 * and Michael Richardson <mcr@freeswan.org>
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * RCSID $Id: ipsec_param.h,v 1.2 2004/04/28 08:07:11 as Exp $
18 *
19 */
20
21 /*
22 * This file provides a set of #define's which may be tuned by various
23 * people/configurations. It keeps all compile-time tunables in one place.
24 *
25 * This file should be included before all other IPsec kernel-only files.
26 *
27 */
28
29 #ifndef _IPSEC_PARAM_H_
30
31 #ifdef __KERNEL__
32 #include "ipsec_kversion.h"
33
/*
 * Number of ipsecX virtual devices.
 *
 * Must stay below 10^(field width of IPSEC_DEV_FORMAT) so that every device
 * index can be written with that format, and low enough that the host's
 * memory and CPU can carry the devices.
 */
#define IPSEC_NUM_IF 4

/*
 * printf-style template for the device names.
 *
 * The field width must be < IFNAMSIZ - strlen("ipsec") - 1.  With "ipsec"
 * taking 5 characters, 10 is the widest field allowed, although memory and
 * CPU limits are unlikely to tolerate more than 3 digits.  The default is
 * one digit.
 * NOTE(review): the width limit presumably keeps the formatted name and its
 * terminator inside an interface-name buffer; whatever formats a name with
 * this template should still check that bound itself.
 *
 * Update: userland scripts get upset if they cannot find "ipsec0", so for
 * now no "0"-padding is used (padding would have helped text searches).
 *
 * For, say, 500 virtual ipsec devices the recommended pair is:
 *     #define IPSEC_NUM_IF 500
 *     #define IPSEC_DEV_FORMAT "ipsec%03d"
 * Note that the "interfaces=" line in /etc/ipsec.conf would be, um,
 * challenging.
 */
#define IPSEC_DEV_FORMAT "ipsec%d"

/* Dynamic ipsecX device allocation is on unless the build chose otherwise. */
#if !defined(CONFIG_IPSEC_DYNDEV)
# define CONFIG_IPSEC_DYNDEV 1
#endif /* !CONFIG_IPSEC_DYNDEV */

/*
 * SADB_HASHMOD: 8069 for CONFIG_IPSEC_BIGGATE builds, 257 otherwise.
 * NOTE(review): by its name this is the modulus of the SA database hash;
 * confirm at the point of use.
 */
#if !defined(CONFIG_IPSEC_BIGGATE)
# define SADB_HASHMOD 257
#else /* CONFIG_IPSEC_BIGGATE */
# define SADB_HASHMOD 8069
#endif /* !CONFIG_IPSEC_BIGGATE */
63 #endif /* __KERNEL__ */
64
/*
 * Sizing of the SA reference table.  These numbers relate to the maximum
 * number of SAs that KLIPS can deal with concurrently, plus enough space
 * for keeping expired SAs around.
 *
 * The original note speaks of TABLE_MAX_WIDTH (the number of bits that will
 * be used) and MAIN_TABLE_WIDTH (the number of bits used for the primary
 * index table); presumably those are the two *_IDX_WIDTH macros below.
 *
 * Every value is a default only: a build that predefines the macro keeps
 * its own setting.
 */
#if !defined(IPSEC_SA_REF_TABLE_IDX_WIDTH)
# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
#endif /* !IPSEC_SA_REF_TABLE_IDX_WIDTH */

#if !defined(IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
#endif /* !IPSEC_SA_REF_MAINTABLE_IDX_WIDTH */

#if !defined(IPSEC_SA_REF_FREELIST_NUM_ENTRIES)
# define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
#endif /* !IPSEC_SA_REF_FREELIST_NUM_ENTRIES */

#if !defined(IPSEC_SA_REF_CODE)
# define IPSEC_SA_REF_CODE 1
#endif /* !IPSEC_SA_REF_CODE */
89
90 #ifdef __KERNEL__
/* 2.4 kernels define ARPHRD_VOID, 2.2 kernels do not: supply it if missing. */
#if !defined(ARPHRD_VOID)
# define ARPHRD_VOID 0xFFFF
#endif /* !ARPHRD_VOID */
95
/*
 * procfs glue that differs between kernel generations.
 *
 * IPSEC_PROC_LAST_ARG expands to a leading comma followed by trailing
 * parameter declarations (or to nothing at all), so it is meant to close a
 * handler's parameter list.
 */
#ifndef PROC_FS_2325
/* kernel <2.4 */
# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC

# ifdef PROC_NO_DUMMY
#  define IPSEC_PROC_LAST_ARG
# else /* !PROC_NO_DUMMY */
#  define IPSEC_PROC_LAST_ARG , int dummy
# endif /* PROC_NO_DUMMY */
#else /* PROC_FS_2325 */
/* kernel 2.4 */
# define IPSEC_PROC_LAST_ARG ,int *eof,void *data
# define IPSEC_PROCFS_DEBUG_NO_STATIC
# define IPSEC_PROC_SUBDIRS
#endif /* !PROC_FS_2325 */
114
/*
 * Stand-in for kernels that ship no snprintf().
 *
 * The macro throws the length argument away and calls sprintf(), so on those
 * kernels nothing bounds the write: each caller has to size its buffer for
 * the longest output its format can produce, and must not rely on len to
 * truncate.
 *
 * GNU CPP specific: uses named variadic macro arguments.
 */
#ifndef LINUX_KERNEL_HAS_SNPRINTF
# define snprintf(buf, len, args...) sprintf(buf, ##args)
#endif /* !LINUX_KERNEL_HAS_SNPRINTF */
119
120 #ifdef SPINLOCK
121 # ifdef SPINLOCK_23
122 # include <linux/spinlock.h> /* *lock* */
123 # else /* SPINLOCK_23 */
124 # include <asm/spinlock.h> /* *lock* */
125 # endif /* SPINLOCK_23 */
126 #endif /* SPINLOCK */
127
/*
 * On (1) unless the build predefines another value.
 * NOTE(review): by its name this makes KLIPS correct DES key parity itself;
 * confirm at the point of use.
 */
#if !defined(KLIPS_FIXES_DES_PARITY)
# define KLIPS_FIXES_DES_PARITY 1
#endif /* !KLIPS_FIXES_DES_PARITY */
131
/*
 * Both switches default to 0: the keys are not meant to be printed unless
 * there are really big problems.
 * NOTE(review): presumably a nonzero value lets debug output include cipher
 * or HMAC key material, which anyone able to read the kernel log would then
 * see; keep both at 0 outside a lab and treat logs from such a build as
 * secret.  Confirm against the code that tests these macros.
 */
#if !defined(KLIPS_DIVULGE_CYPHER_KEY)
# define KLIPS_DIVULGE_CYPHER_KEY 0
#endif /* !KLIPS_DIVULGE_CYPHER_KEY */

#if !defined(KLIPS_DIVULGE_HMAC_KEY)
# define KLIPS_DIVULGE_HMAC_KEY 0
#endif /* !KLIPS_DIVULGE_HMAC_KEY */
140
/*
 * On (1) unless the build predefines another value.
 * NOTE(review): by its name this refuses packets that carry IP options;
 * confirm at the point of use before turning it off.
 */
#if !defined(IPSEC_DISALLOW_IPOPTIONS)
# define IPSEC_DISALLOW_IPOPTIONS 1
#endif /* !IPSEC_DISALLOW_IPOPTIONS */
144
/*
 * Extra toggles for regression testing, compiled in only when
 * CONFIG_IPSEC_REGRESS is set.
 *
 * KLIPS_PFKEY_ACQUIRE_LOSSAGE answers "should pfkey_acquire() become 100%
 * lossy?": 100 when CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE is set, otherwise 0
 * (not by default!).  A value the build predefined is left alone.
 * These are test aids; a kernel meant for real traffic should be built
 * without CONFIG_IPSEC_REGRESS.
 */
#if defined(CONFIG_IPSEC_REGRESS)

extern int sysctl_ipsec_regress_pfkey_lossage;

# if !defined(KLIPS_PFKEY_ACQUIRE_LOSSAGE)
#  if !defined(CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE)
/* not by default! */
#   define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
#  else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
#   define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
#  endif /* !CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
# endif /* !KLIPS_PFKEY_ACQUIRE_LOSSAGE */

#endif /* CONFIG_IPSEC_REGRESS */
163
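/*
 * Debugging routines.
 *
 * With CONFIG_IPSEC_DEBUG each macro tests flag at run time and prints only
 * when it is nonzero.  Without it the macros expand to an empty statement
 * and evaluate none of their arguments, so arguments must not carry side
 * effects the caller depends on.
 *
 * KLIPS_PRINT pastes KERN_INFO in front of format, which only compiles when
 * format is a string literal.  KLIPS_PRINTMORE hands format to printk()
 * unchanged: keep it a literal there as well, and pass packet- or
 * peer-derived text through "%s", never as the format itself.
 */
#ifdef CONFIG_IPSEC_DEBUG
/*
 * Forward declaration, so the prototype below names the file-scope type even
 * if the header defining struct iphdr has not been included yet.
 */
struct iphdr;
extern void ipsec_print_ip(struct iphdr *ip);

#define KLIPS_PRINT(flag, format, args...) \
	((flag) ? printk(KERN_INFO format , ## args) : 0)
#define KLIPS_PRINTMORE(flag, format, args...) \
	((flag) ? printk(format , ## args) : 0)
/*
 * ipsec_print_ip() returns void, so the other arm is void too; a ?: mixing
 * void and int is accepted by GCC only as an extension.
 */
#define KLIPS_IP_PRINT(flag, ip) \
	((flag) ? ipsec_print_ip(ip) : (void)0)
#else /* CONFIG_IPSEC_DEBUG */
#define KLIPS_PRINT(flag, format, args...) do ; while(0)
#define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
#define KLIPS_IP_PRINT(flag, ip) do ; while(0)
#endif /* CONFIG_IPSEC_DEBUG */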
181
182
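/*
 * Kernel API differences around ip_select_ident().  Not only do some
 * kernels lack it, others disagree on its arguments, and SuSE ships a
 * one-parameter variant with no way of checking which one is present.
 *
 * KLIPS_IP_SELECT_IDENT(iph, skb) sets the IP identification field of iph
 * by whichever route the kernel offers.  Both arguments are parenthesised
 * wherever a member is taken from them, so expressions such as "hdr + 1"
 * expand correctly.
 *
 * The fallback for kernels without ip_select_ident() draws the ID from the
 * ip_id_count counter with a plain post-increment, so consecutive packets
 * get consecutive IDs.  NOTE(review): confirm that callers serialise access
 * to ip_id_count on those kernels.
 */
#if defined(SUSE_LINUX_2_4_19_IS_STUPID)
# define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
#elif !defined(IP_SELECT_IDENT)
/* simplest case, nothing */
# define KLIPS_IP_SELECT_IDENT(iph, skb) \
	do { (iph)->id = htons(ip_id_count++); } while (0)
#elif !defined(IP_SELECT_IDENT_NEW)
/* kernels > 2.3.37-ish */
# define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, (skb)->dst)
#else
/* kernels > 2.4.2 */
# define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, (skb)->dst, NULL)
#endif /* SUSE_LINUX_2_4_19_IS_STUPID */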
210
/*
 * Test-only impairment: a nonzero value makes KLIPS fail regression test
 * east-espiv-01, whose test material lives in testing/attacks/espiv.
 * NOTE(review): judging by the name, a nonzero value deliberately weakens
 * ESP IV handling; it must stay 0 in any build that carries real traffic.
 */
#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0


/* freeswan.h sets IP_FRAGMENT_LINEARIZE for kernels > 2.4.4; default to 0. */
#if !defined(IP_FRAGMENT_LINEARIZE)
# define IP_FRAGMENT_LINEARIZE 0
#endif /* !IP_FRAGMENT_LINEARIZE */
223 #endif /* __KERNEL__ */
224
225 #define _IPSEC_PARAM_H_
226 #endif /* _IPSEC_PARAM_H_ */