4 * @brief Interface of policy_t.
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 typedef enum dpd_action_t dpd_action_t
;
28 typedef struct policy_t policy_t
;
31 #include <utils/identification.h>
32 #include <config/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <sa/authenticators/authenticator.h>
35 #include <sa/authenticators/eap/eap_method.h>
39 * @brief Actions to take when a peer does not respond (dead peer detected).
41 * These values are the same as in pluto/starter, so do not modify them!
48 /** remove CHILD_SA without replacement */
50 /** route the CHILD_SA to resetup when needed */
52 /** restart CHILD_SA in a new IKE_SA, immediately */
57 * enum names for dpd_action_t.
59 extern enum_name_t
*dpd_action_names
;
62 * @brief Mode of an IPsec SA.
64 * These are equal to those defined in XFRM, so don't change.
69 /** transport mode, no inner address */
71 /** tunnel mode, inner and outer addresses */
73 /** BEET mode, tunnel mode but fixed, bound inner addresses */
78 * enum names for mode_t.
80 extern enum_name_t
*mode_names
;
83 * @brief A policy_t defines the policies to apply to CHILD_SAs.
85 * The given two IDs identify a policy. These rules define how
86 * child SAs may be set up and which traffic may be IPsec'ed.
96 * @brief Get the name of the policy.
98 * Returned object is not getting cloned.
100 * @param this calling object
101 * @return policy's name
103 char *(*get_name
) (policy_t
*this);
108 * Returned object is not getting cloned.
110 * @param this calling object
113 identification_t
*(*get_my_id
) (policy_t
*this);
116 * @brief Get peer id.
118 * Returned object is not getting cloned.
120 * @param this calling object
123 identification_t
*(*get_other_id
) (policy_t
*this);
128 * Returned object is not getting cloned.
130 * @param this calling object
133 identification_t
*(*get_my_ca
) (policy_t
*this);
136 * @brief Get peer ca.
138 * Returned object is not getting cloned.
140 * @param this calling object
143 identification_t
*(*get_other_ca
) (policy_t
*this);
146 * @brief Get the authentication method to use.
148 * @param this calling object
149 * @return authentication method
151 auth_method_t (*get_auth_method
) (policy_t
*this);
154 * @brief Get the EAP type to use for peer authentication.
156 * @param this calling object
157 * @return authentication method
159 eap_type_t (*get_eap_type
) (policy_t
*this);
162 * @brief Get configured traffic selectors for our site.
164 * Returns a list with all traffic selectors for the local
165 * site. List and items must be destroyed after usage.
167 * @param this calling object
168 * @return list with traffic selectors
170 linked_list_t
*(*get_my_traffic_selectors
) (policy_t
*this, host_t
*me
);
173 * @brief Get configured traffic selectors for others site.
175 * Returns a list with all traffic selectors for the remote
176 * site. List and items must be destroyed after usage.
178 * @param this calling object
179 * @return list with traffic selectors
181 linked_list_t
*(*get_other_traffic_selectors
) (policy_t
*this, host_t
* other
);
184 * @brief Select traffic selectors from a supplied list for local site.
186 * Resulted list and traffic selectors must be destroyed after usage.
187 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
188 * addresses we don't know in previous, an address may be supplied to
189 * replace these 0.0.0.0 addresses on-the-fly.
191 * @param this calling object
192 * @param supplied linked list with traffic selectors
193 * @param me host address used by us
194 * @return list containing the selected traffic selectors
196 linked_list_t
*(*select_my_traffic_selectors
) (policy_t
*this,
197 linked_list_t
*supplied
,
201 * @brief Select traffic selectors from a supplied list for remote site.
203 * Resulted list and traffic selectors must be destroyed after usage.
204 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
205 * addresses we don't know in previous, an address may be supplied to
206 * replace these 0.0.0.0 addresses on-the-fly.
208 * @param this calling object
209 * @param supplied linked list with traffic selectors
210 * @return list containing the selected traffic selectors
212 linked_list_t
*(*select_other_traffic_selectors
) (policy_t
*this,
213 linked_list_t
*supplied
,
217 * @brief Get the list of internally stored proposals.
219 * policy_t does store proposals for AH/ESP, IKE proposals are in
221 * Resulting list and all of its proposals must be freed after usage.
223 * @param this calling object
224 * @return lists with proposals
226 linked_list_t
*(*get_proposals
) (policy_t
*this);
229 * @brief Select a proposal from a supplied list.
231 * Returned propsal is newly created and must be destroyed after usage.
233 * @param this calling object
234 * @param proposals list from from wich proposals are selected
235 * @return selected proposal, or NULL if nothing matches
237 proposal_t
*(*select_proposal
) (policy_t
*this, linked_list_t
*proposals
);
240 * @brief Add a traffic selector to the list for local site.
242 * After add, traffic selector is owned by policy.
244 * @param this calling object
245 * @param traffic_selector traffic_selector to add
247 void (*add_my_traffic_selector
) (policy_t
*this, traffic_selector_t
*traffic_selector
);
250 * @brief Add a traffic selector to the list for remote site.
252 * After add, traffic selector is owned by policy.
254 * @param this calling object
255 * @param traffic_selector traffic_selector to add
257 void (*add_other_traffic_selector
) (policy_t
*this, traffic_selector_t
*traffic_selector
);
260 * @brief Add a proposal to the list.
262 * The proposals are stored by priority, first added
263 * is the most prefered.
264 * After add, proposal is owned by policy.
266 * @param this calling object
267 * @param proposal proposal to add
269 void (*add_proposal
) (policy_t
*this, proposal_t
*proposal
);
272 * @brief Add certification authorities.
274 * @param this calling object
275 * @param my_ca issuer of my certificate
276 * @param other_ca required issuer of the peer's certificate
278 void (*add_authorities
) (policy_t
*this, identification_t
*my_ca
, identification_t
*other_ca
);
281 * @brief Get updown script
283 * @param this calling object
284 * @return path to updown script
286 char* (*get_updown
) (policy_t
*this);
289 * @brief Get hostaccess flag
291 * @param this calling object
292 * @return value of hostaccess flag
294 bool (*get_hostaccess
) (policy_t
*this);
297 * @brief What should be done with a CHILD_SA, when other peer does not respond.
299 * @param this calling object
302 dpd_action_t (*get_dpd_action
) (policy_t
*this);
305 * @brief Get the lifetime of a policy, before rekeying starts.
307 * A call to this function automatically adds a jitter to
308 * avoid simultanous rekeying.
311 * @return lifetime in seconds
313 u_int32_t (*get_soft_lifetime
) (policy_t
*this);
316 * @brief Get the lifetime of a policy, before SA gets deleted.
319 * @return lifetime in seconds
321 u_int32_t (*get_hard_lifetime
) (policy_t
*this);
324 * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
327 * @return lifetime in seconds
329 mode_t (*get_mode
) (policy_t
*this);
332 * @brief Get a virtual IP for the local or the remote host.
334 * By supplying NULL as IP, an IP for the local host is requested. It
335 * may be %any or specific.
336 * By supplying %any as host, an IP from the pool is selected to be
337 * served to the peer.
338 * If a specified host is supplied, it is checked if this address
339 * is acceptable to serve to the peer. If so, it is returned. Otherwise,
340 * an alternative IP is returned.
341 * In any mode, this call may return NULL indicating virtual IP should
345 * @param suggestion NULL, %any or specific, see description
346 * @return clone of an IP to use, or NULL
348 host_t
* (*get_virtual_ip
) (policy_t
*this, host_t
*suggestion
);
351 * @brief Get a new reference.
353 * Get a new reference to this policy by increasing
354 * it's internal reference counter.
355 * Do not call get_ref or any other function until you
356 * already have a reference. Otherwise the object may get
357 * destroyed while calling get_ref(),
359 * @param this calling object
361 void (*get_ref
) (policy_t
*this);
364 * @brief Destroys the policy object.
366 * Decrements the internal reference counter and
367 * destroys the policy when it reaches zero.
369 * @param this calling object
371 void (*destroy
) (policy_t
*this);
375 * @brief Create a configuration object for IKE_AUTH and later.
377 * name-string gets cloned, ID's not.
378 * Virtual IPs are used if they are != NULL. A %any host means the virtual
379 * IP should be obtained from the other peer.
380 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
381 * same time, a jitter may be specified. Rekeying of an SA starts at
382 * (soft_lifetime - random(0, jitter)). After a successful rekeying,
383 * the hard_lifetime limit counter is reset. You should specify
384 * hard_lifetime > soft_lifetime > jitter.
385 * After a call to create, a reference is obtained (refcount = 1).
387 * @param name name of the policy
388 * @param my_id identification_t for ourselves
389 * @param other_id identification_t for the remote guy
390 * @param my_virtual_ip virtual IP for local host, or NULL
391 * @param other_virtual_ip virtual IP for remote host, or NULL
392 * @param auth_method Authentication method to use for our(!) auth data
393 * @param eap_type EAP type to use for peer authentication
394 * @param hard_lifetime lifetime before deleting an SA
395 * @param soft_lifetime lifetime before rekeying an SA
396 * @param jitter range of randomization time
397 * @param updown updown script to execute on up/down event
398 * @param hostaccess allow access to the host itself (used by the updown script)
399 * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
400 * @param dpd_action what to to with a CHILD_SA when other peer does not respond
401 * @return policy_t object
405 policy_t
*policy_create(char *name
,
406 identification_t
*my_id
, identification_t
*other_id
,
407 host_t
*my_virtual_ip
, host_t
*other_virtual_ip
,
408 auth_method_t auth_method
, eap_type_t eap_type
,
409 u_int32_t hard_lifetime
, u_int32_t soft_lifetime
,
410 u_int32_t jitter
, char *updown
, bool hostaccess
,
411 mode_t mode
, dpd_action_t dpd_action
);
413 #endif /* POLICY_H_ */