src/libstrongswan/ipsec/ipsec_types.h

   1 /*
   2  * Copyright (C) 2012-2013 Tobias Brunner
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 /**
  17  * @defgroup ipsec_types ipsec_types
  18  * @{ @ingroup ipsec
  19  */
  20
  21 #ifndef IPSEC_TYPES_H_
  22 #define IPSEC_TYPES_H_
  23
  24 typedef enum ipsec_mode_t ipsec_mode_t;
  25 typedef enum policy_dir_t policy_dir_t;
  26 typedef enum policy_type_t policy_type_t;
  27 typedef enum policy_priority_t policy_priority_t;
  28 typedef enum ipcomp_transform_t ipcomp_transform_t;
  29 typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
  30 typedef struct lifetime_cfg_t lifetime_cfg_t;
  31 typedef struct mark_t mark_t;
  32
  33 #include <library.h>
  34
  35 /**
  36  * Mode of an IPsec SA.
  37  */
  38 enum ipsec_mode_t {
  39         /** not using any encapsulation */
  40         MODE_NONE = 0,
  41         /** transport mode, no inner address */
  42         MODE_TRANSPORT = 1,
  43         /** tunnel mode, inner and outer addresses */
  44         MODE_TUNNEL,
  45         /** BEET mode, tunnel mode but fixed, bound inner addresses */
  46         MODE_BEET,
  47         /** passthrough policy for traffic without an IPsec SA */
  48         MODE_PASS,
  49         /** drop policy discarding traffic */
  50         MODE_DROP
  51 };
  52
  53 /**
  54  * enum names for ipsec_mode_t.
  55  */
  56 extern enum_name_t *ipsec_mode_names;
  57
  58 /**
  59  * Direction of a policy. These are equal to those
  60  * defined in xfrm.h, but we want to stay implementation
  61  * neutral here.
  62  */
  63 enum policy_dir_t {
  64         /** Policy for inbound traffic */
  65         POLICY_IN = 0,
  66         /** Policy for outbound traffic */
  67         POLICY_OUT = 1,
  68         /** Policy for forwarded traffic */
  69         POLICY_FWD = 2,
  70 };
  71
  72 /**
  73  * enum names for policy_dir_t.
  74  */
  75 extern enum_name_t *policy_dir_names;
  76
  77 /**
  78  * Type of a policy.
  79  */
  80 enum policy_type_t {
  81         /** Normal IPsec policy */
  82         POLICY_IPSEC = 1,
  83         /** Passthrough policy (traffic is ignored by IPsec) */
  84         POLICY_PASS,
  85         /** Drop policy (traffic is discarded) */
  86         POLICY_DROP,
  87 };
  88
  89 /**
  90  * High-level priority of a policy.
  91  */
  92 enum policy_priority_t {
  93         /** Priority for passthrough policies */
  94         POLICY_PRIORITY_PASS,
  95         /** Priority for regular IPsec policies */
  96         POLICY_PRIORITY_DEFAULT,
  97         /** Priority for trap policies */
  98         POLICY_PRIORITY_ROUTED,
  99         /** Priority for fallback drop policies */
 100         POLICY_PRIORITY_FALLBACK,
 101 };
 102
 103 /**
 104  * IPComp transform IDs, as in RFC 4306
 105  */
 106 enum ipcomp_transform_t {
 107         IPCOMP_NONE = 0,
 108         IPCOMP_OUI = 1,
 109         IPCOMP_DEFLATE = 2,
 110         IPCOMP_LZS = 3,
 111         IPCOMP_LZJH = 4,
 112 };
 113
 114 /**
 115  * enum strings for ipcomp_transform_t.
 116  */
 117 extern enum_name_t *ipcomp_transform_names;
 118
 119 /**
 120  * This struct contains details about IPsec SA(s) tied to a policy.
 121  */
 122 struct ipsec_sa_cfg_t {
 123         /** mode of SA (tunnel, transport) */
 124         ipsec_mode_t mode;
 125         /** unique ID */
 126         u_int32_t reqid;
 127         /** number of policies of the same kind (in/out/fwd) attached to SA */
 128         u_int32_t policy_count;
 129         /** details about ESP/AH */
 130         struct {
 131                 /** TRUE if this protocol is used */
 132                 bool use;
 133                 /** SPI for ESP/AH */
 134                 u_int32_t spi;
 135         } esp, ah;
 136         /** details about IPComp */
 137         struct {
 138                 /** the IPComp transform used */
 139                 u_int16_t transform;
 140                 /** CPI for IPComp */
 141                 u_int16_t cpi;
 142         } ipcomp;
 143 };
 144
 145 /**
 146  * A lifetime_cfg_t defines the lifetime limits of an SA.
 147  *
 148  * Set any of these values to 0 to ignore.
 149  */
 150 struct lifetime_cfg_t {
 151         struct {
 152                 /** Limit before the SA gets invalid. */
 153                 u_int64_t       life;
 154                 /** Limit before the SA gets rekeyed. */
 155                 u_int64_t       rekey;
 156                 /** The range of a random value subtracted from rekey. */
 157                 u_int64_t       jitter;
 158         } time, bytes, packets;
 159 };
 160
 161 /**
 162  * A mark_t defines an optional mark in an IPsec SA.
 163  */
 164 struct mark_t {
 165         /** Mark value */
 166         u_int32_t value;
 167         /** Mark mask */
 168         u_int32_t mask;
 169 };
 170
 171 /**
 172  * Special mark value that uses a unique mark for each CHILD_SA
 173  */
 174 #define MARK_UNIQUE (0xFFFFFFFF)
 175
 176 /**
 177  * Try to parse a mark_t from the given string of the form mark[/mask].
 178  *
 179  * @param value         string to parse
 180  * @param mark          mark to fill
 181  * @return                      TRUE if parsing was successful
 182  */
 183 bool mark_from_string(const char *value, mark_t *mark);
 184
 185 #endif /** IPSEC_TYPES_H_ @}*/