src/libstrongswan/ipsec/ipsec_types.h

   1 /*
   2  * Copyright (C) 2012-2013 Tobias Brunner
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 /**
  17  * @defgroup ipsec_types ipsec_types
  18  * @{ @ingroup ipsec
  19  */
  20
  21 #ifndef IPSEC_TYPES_H_
  22 #define IPSEC_TYPES_H_
  23
  24 typedef enum ipsec_mode_t ipsec_mode_t;
  25 typedef enum policy_dir_t policy_dir_t;
  26 typedef enum policy_type_t policy_type_t;
  27 typedef enum policy_priority_t policy_priority_t;
  28 typedef enum ipcomp_transform_t ipcomp_transform_t;
  29 typedef enum hw_offload_t hw_offload_t;
  30 typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
  31 typedef struct lifetime_cfg_t lifetime_cfg_t;
  32 typedef struct mark_t mark_t;
  33
  34 #include <library.h>
  35
  36 /**
  37  * Mode of an IPsec SA.
  38  */
  39 enum ipsec_mode_t {
  40         /** not using any encapsulation */
  41         MODE_NONE = 0,
  42         /** transport mode, no inner address */
  43         MODE_TRANSPORT = 1,
  44         /** tunnel mode, inner and outer addresses */
  45         MODE_TUNNEL,
  46         /** BEET mode, tunnel mode but fixed, bound inner addresses */
  47         MODE_BEET,
  48         /** passthrough policy for traffic without an IPsec SA */
  49         MODE_PASS,
  50         /** drop policy discarding traffic */
  51         MODE_DROP
  52 };
  53
  54 /**
  55  * enum names for ipsec_mode_t.
  56  */
  57 extern enum_name_t *ipsec_mode_names;
  58
  59 /**
  60  * Direction of a policy. These are equal to those
  61  * defined in xfrm.h, but we want to stay implementation
  62  * neutral here.
  63  */
  64 enum policy_dir_t {
  65         /** Policy for inbound traffic */
  66         POLICY_IN = 0,
  67         /** Policy for outbound traffic */
  68         POLICY_OUT = 1,
  69         /** Policy for forwarded traffic */
  70         POLICY_FWD = 2,
  71 };
  72
  73 /**
  74  * enum names for policy_dir_t.
  75  */
  76 extern enum_name_t *policy_dir_names;
  77
  78 /**
  79  * Type of a policy.
  80  */
  81 enum policy_type_t {
  82         /** Normal IPsec policy */
  83         POLICY_IPSEC = 1,
  84         /** Passthrough policy (traffic is ignored by IPsec) */
  85         POLICY_PASS,
  86         /** Drop policy (traffic is discarded) */
  87         POLICY_DROP,
  88 };
  89
  90 /**
  91  * High-level priority of a policy.
  92  */
  93 enum policy_priority_t {
  94         /** Priority for passthrough policies */
  95         POLICY_PRIORITY_PASS,
  96         /** Priority for regular IPsec policies */
  97         POLICY_PRIORITY_DEFAULT,
  98         /** Priority for trap policies */
  99         POLICY_PRIORITY_ROUTED,
 100         /** Priority for fallback drop policies */
 101         POLICY_PRIORITY_FALLBACK,
 102 };
 103
 104 /**
 105  * IPComp transform IDs, as in RFC 4306
 106  */
 107 enum ipcomp_transform_t {
 108         IPCOMP_NONE = 0,
 109         IPCOMP_OUI = 1,
 110         IPCOMP_DEFLATE = 2,
 111         IPCOMP_LZS = 3,
 112         IPCOMP_LZJH = 4,
 113 };
 114
 115 /**
 116  * enum strings for ipcomp_transform_t.
 117  */
 118 extern enum_name_t *ipcomp_transform_names;
 119
 120 /**
 121  * HW offload mode options
 122  */
 123 enum hw_offload_t {
 124         HW_OFFLOAD_NO = 0,
 125         HW_OFFLOAD_YES = 1,
 126         HW_OFFLOAD_AUTO = 2,
 127 };
 128
 129 /**
 130  * enum names for hw_offload_t.
 131  */
 132 extern enum_name_t *hw_offload_names;
 133
 134 /**
 135  * This struct contains details about IPsec SA(s) tied to a policy.
 136  */
 137 struct ipsec_sa_cfg_t {
 138         /** mode of SA (tunnel, transport) */
 139         ipsec_mode_t mode;
 140         /** unique ID */
 141         uint32_t reqid;
 142         /** number of policies of the same kind (in/out/fwd) attached to SA */
 143         uint32_t policy_count;
 144         /** details about ESP/AH */
 145         struct {
 146                 /** TRUE if this protocol is used */
 147                 bool use;
 148                 /** SPI for ESP/AH */
 149                 uint32_t spi;
 150         } esp, ah;
 151         /** details about IPComp */
 152         struct {
 153                 /** the IPComp transform used */
 154                 uint16_t transform;
 155                 /** CPI for IPComp */
 156                 uint16_t cpi;
 157         } ipcomp;
 158 };
 159
 160 /**
 161  * Compare two ipsec_sa_cfg_t objects for equality.
 162  *
 163  * @param a                     first object
 164  * @param b                     second object
 165  * @return                      TRUE if both objects are equal
 166  */
 167 bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b);
 168
 169 /**
 170  * A lifetime_cfg_t defines the lifetime limits of an SA.
 171  *
 172  * Set any of these values to 0 to ignore.
 173  */
 174 struct lifetime_cfg_t {
 175         struct {
 176                 /** Limit before the SA gets invalid. */
 177                 uint64_t        life;
 178                 /** Limit before the SA gets rekeyed. */
 179                 uint64_t        rekey;
 180                 /** The range of a random value subtracted from rekey. */
 181                 uint64_t        jitter;
 182         } time, bytes, packets;
 183 };
 184
 185 /**
 186  * A mark_t defines an optional mark in an IPsec SA.
 187  */
 188 struct mark_t {
 189         /** Mark value */
 190         uint32_t value;
 191         /** Mark mask */
 192         uint32_t mask;
 193 };
 194
 195 /**
 196  * Special mark value that uses a unique mark for each CHILD_SA (and direction)
 197  */
 198 #define MARK_UNIQUE (0xFFFFFFFF)
 199 #define MARK_UNIQUE_DIR (0xFFFFFFFE)
 200 #define MARK_IS_UNIQUE(m) ((m) == MARK_UNIQUE || (m) == MARK_UNIQUE_DIR)
 201
 202 /**
 203  * Try to parse a mark_t from the given string of the form mark[/mask].
 204  *
 205  * @param value         string to parse
 206  * @param mark          mark to fill
 207  * @return                      TRUE if parsing was successful
 208  */
 209 bool mark_from_string(const char *value, mark_t *mark);
 210
 211 #endif /** IPSEC_TYPES_H_ @}*/