fxr.watson.org: NETBSD3 sys/netinet6/ipsec.h

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.h

Version: - FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10

1 /* $NetBSD: ipsec.h,v 1.42.14.2 2005/09/03 06:56:04 snj Exp $ */ 2 /* $KAME: ipsec.h,v 1.51 2001/08/05 04:52:58 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * IPsec controller part. 35 */ 36 37 #ifndef _NETINET6_IPSEC_H_ 38 #define _NETINET6_IPSEC_H_ 39 40 #if defined(_KERNEL_OPT) 41 #include "opt_inet.h" 42 #endif 43 44 #include <net/pfkeyv2.h> 45 #include <netkey/keydb.h> 46 47 #ifdef _KERNEL 48 49 /* 50 * Security Policy Index 51 * NOTE: Ensure to be same address family and upper layer protocol. 52 * NOTE: ul_proto, port number, uid, gid: 53 * ANY: reserved for waldcard. 54 * 0 to (~0 - 1): is one of the number of each value. 55 */ 56 struct secpolicyindex { 57 struct sockaddr_storage src; /* IP src address for SP */ 58 struct sockaddr_storage dst; /* IP dst address for SP */ 59 u_int8_t prefs; /* prefix length in bits for src */ 60 u_int8_t prefd; /* prefix length in bits for dst */ 61 u_int16_t ul_proto; /* upper layer Protocol */ 62 #ifdef notyet 63 uid_t uids; 64 uid_t uidd; 65 gid_t gids; 66 gid_t gidd; 67 #endif 68 }; 69 70 /* Security Policy Data Base */ 71 struct secpolicy { 72 TAILQ_ENTRY(secpolicy) tailq; /* all SPD entries, both pcb/table */ 73 LIST_ENTRY(secpolicy) chain; /* SPD entries on table */ 74 75 u_int8_t dir; /* direction of packet flow */ 76 int readonly; /* write prohibited */ 77 int persist; /* will never be removed */ 78 int refcnt; /* reference count */ 79 struct secpolicyindex *spidx; /* selector - NULL if not valid */ 80 u_int16_t tag; /* PF tag */ 81 u_int32_t id; /* it identifies a policy in the SPD. */ 82 #define IPSEC_MANUAL_POLICYID_MAX 0x3fff 83 /* 84 * 1 - 0x3fff are reserved for user operation. 85 * 0 are reserved. Others are for kernel use. 86 */ 87 struct socket *so; /* backpointer to per-socket policy */ 88 u_int state; /* 0: dead, others: alive */ 89 #define IPSEC_SPSTATE_DEAD 0 90 #define IPSEC_SPSTATE_ALIVE 1 91 92 int policy; /* DISCARD, NONE or IPSEC, see below */ 93 struct ipsecrequest *req; 94 /* pointer to the ipsec request tree, */ 95 /* if policy == IPSEC else this value == NULL.*/ 96 97 /* 98 * lifetime handler. 99 * the policy can be used without limitiation if both lifetime and 100 * validtime are zero. 101 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime. 102 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime. 103 */ 104 long created; /* time created the policy */ 105 long lastused; /* updated every when kernel sends a packet */ 106 long lifetime; /* duration of the lifetime of this policy */ 107 long validtime; /* duration this policy is valid without use */ 108 }; 109 110 /* Request for IPsec */ 111 struct ipsecrequest { 112 struct ipsecrequest *next; 113 /* pointer to next structure */ 114 /* If NULL, it means the end of chain. */ 115 struct secasindex saidx;/* hint for search proper SA */ 116 /* if __ss_len == 0 then no address specified.*/ 117 u_int level; /* IPsec level defined below. */ 118 119 struct secasvar *sav; /* place holder of SA for use */ 120 struct secpolicy *sp; /* back pointer to SP */ 121 }; 122 123 /* security policy in PCB */ 124 struct inpcbpolicy { 125 struct secpolicy *sp_in; 126 struct secpolicy *sp_out; 127 int priv; /* privileged socket ? */ 128 129 /* cached policy */ 130 struct { 131 struct secpolicy *cachesp; 132 struct secpolicyindex cacheidx; 133 int cachehint; /* processing requirement hint: */ 134 #define IPSEC_PCBHINT_MAYBE 0 /* IPsec processing maybe required */ 135 #define IPSEC_PCBHINT_YES 1 /* IPsec processing is required */ 136 #define IPSEC_PCBHINT_NO 2 /* IPsec processing not required */ 137 u_int cachegen; /* spdgen when cache filled */ 138 } sp_cache[3]; /* XXX 3 == IPSEC_DIR_MAX */ 139 int sp_cacheflags; 140 #define IPSEC_PCBSP_CONNECTED 1 141 }; 142 143 #define IPSEC_PCB_SKIP_IPSEC(inpp, dir) \ 144 ((inpp)->sp_cache[(dir)].cachehint == IPSEC_PCBHINT_NO && \ 145 (inpp)->sp_cache[(dir)].cachegen == ipsec_spdgen) 146 147 /* SP acquiring list table. */ 148 struct secspacq { 149 LIST_ENTRY(secspacq) chain; 150 151 struct secpolicyindex spidx; 152 153 long created; /* for lifetime */ 154 int count; /* for lifetime */ 155 /* XXX: here is mbuf place holder to be sent ? */ 156 }; 157 158 struct ipsecaux { 159 struct socket *so; 160 int hdrs; /* # of ipsec headers */ 161 162 struct secpolicy *sp; 163 struct ipsecrequest *req; 164 }; 165 #endif /* _KERNEL */ 166 167 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */ 168 #define IPSEC_PORT_ANY 0 169 #define IPSEC_ULPROTO_ANY 255 170 #define IPSEC_PROTO_ANY 255 171 172 /* mode of security protocol */ 173 /* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */ 174 #define IPSEC_MODE_ANY 0 /* i.e. wildcard. */ 175 #define IPSEC_MODE_TRANSPORT 1 176 #define IPSEC_MODE_TUNNEL 2 177 178 /* 179 * Direction of security policy. 180 * NOTE: Since INVALID is used just as flag. 181 * The other are used for loop counter too. 182 */ 183 #define IPSEC_DIR_ANY 0 184 #define IPSEC_DIR_INBOUND 1 185 #define IPSEC_DIR_OUTBOUND 2 186 #define IPSEC_DIR_MAX 3 187 #define IPSEC_DIR_INVALID 4 188 189 /* Policy level */ 190 /* 191 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB, 192 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD. 193 * DISCARD and NONE are allowed for system default. 194 */ 195 #define IPSEC_POLICY_DISCARD 0 /* discarding packet */ 196 #define IPSEC_POLICY_NONE 1 /* through IPsec engine */ 197 #define IPSEC_POLICY_IPSEC 2 /* do IPsec */ 198 #define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */ 199 #define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */ 200 201 /* Security protocol level */ 202 #define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */ 203 #define IPSEC_LEVEL_USE 1 /* use SA if present. */ 204 #define IPSEC_LEVEL_REQUIRE 2 /* require SA. */ 205 #define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */ 206 207 #define IPSEC_MANUAL_REQID_MAX 0x3fff 208 /* 209 * if security policy level == unique, this id 210 * indicate to a relative SA for use, else is 211 * zero. 212 * 1 - 0x3fff are reserved for manual keying. 213 * 0 are reserved for above reason. Others is 214 * for kernel use. 215 * Note that this id doesn't identify SA 216 * by only itself. 217 */ 218 #define IPSEC_REPLAYWSIZE 32 219 220 /* statistics for ipsec processing */ 221 struct ipsecstat { 222 u_quad_t in_success; /* succeeded inbound process */ 223 u_quad_t in_polvio; 224 /* security policy violation for inbound process */ 225 u_quad_t in_nosa; /* inbound SA is unavailable */ 226 u_quad_t in_inval; /* inbound processing failed due to EINVAL */ 227 u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */ 228 u_quad_t in_badspi; /* failed getting a SPI */ 229 u_quad_t in_ahreplay; /* AH replay check failed */ 230 u_quad_t in_espreplay; /* ESP replay check failed */ 231 u_quad_t in_ahauthsucc; /* AH authentication success */ 232 u_quad_t in_ahauthfail; /* AH authentication failure */ 233 u_quad_t in_espauthsucc; /* ESP authentication success */ 234 u_quad_t in_espauthfail; /* ESP authentication failure */ 235 u_quad_t in_esphist[256]; 236 u_quad_t in_ahhist[256]; 237 u_quad_t in_comphist[256]; 238 u_quad_t out_success; /* succeeded outbound process */ 239 u_quad_t out_polvio; 240 /* security policy violation for outbound process */ 241 u_quad_t out_nosa; /* outbound SA is unavailable */ 242 u_quad_t out_inval; /* outbound process failed due to EINVAL */ 243 u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */ 244 u_quad_t out_noroute; /* there is no route */ 245 u_quad_t out_esphist[256]; 246 u_quad_t out_ahhist[256]; 247 u_quad_t out_comphist[256]; 248 249 u_quad_t spdcachelookup; 250 u_quad_t spdcachemiss; 251 }; 252 253 /* 254 * Definitions for IPsec & Key sysctl operations. 255 */ 256 /* 257 * Names for IPsec & Key sysctl objects 258 */ 259 #define IPSECCTL_STATS 1 /* stats */ 260 #define IPSECCTL_DEF_POLICY 2 261 #define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */ 262 #define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */ 263 #define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */ 264 #define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */ 265 #if 0 /* obsolete, do not reuse */ 266 #define IPSECCTL_INBOUND_CALL_IKE 7 267 #endif 268 #define IPSECCTL_AH_CLEARTOS 8 269 #define IPSECCTL_AH_OFFSETMASK 9 270 #define IPSECCTL_DFBIT 10 271 #define IPSECCTL_ECN 11 272 #define IPSECCTL_DEBUG 12 273 #define IPSECCTL_MAXID 13 274 275 #define IPSECCTL_NAMES { \ 276 { 0, 0 }, \ 277 { 0, 0 }, \ 278 { "def_policy", CTLTYPE_INT }, \ 279 { "esp_trans_deflev", CTLTYPE_INT }, \ 280 { "esp_net_deflev", CTLTYPE_INT }, \ 281 { "ah_trans_deflev", CTLTYPE_INT }, \ 282 { "ah_net_deflev", CTLTYPE_INT }, \ 283 { 0, 0 }, \ 284 { "ah_cleartos", CTLTYPE_INT }, \ 285 { "ah_offsetmask", CTLTYPE_INT }, \ 286 { "dfbit", CTLTYPE_INT }, \ 287 { "ecn", CTLTYPE_INT }, \ 288 { "debug", CTLTYPE_INT }, \ 289 } 290 291 #define IPSEC6CTL_NAMES { \ 292 { 0, 0 }, \ 293 { 0, 0 }, \ 294 { "def_policy", CTLTYPE_INT }, \ 295 { "esp_trans_deflev", CTLTYPE_INT }, \ 296 { "esp_net_deflev", CTLTYPE_INT }, \ 297 { "ah_trans_deflev", CTLTYPE_INT }, \ 298 { "ah_net_deflev", CTLTYPE_INT }, \ 299 { 0, 0 }, \ 300 { 0, 0 }, \ 301 { 0, 0 }, \ 302 { 0, 0 }, \ 303 { "ecn", CTLTYPE_INT }, \ 304 { "debug", CTLTYPE_INT }, \ 305 } 306 307 #ifdef _KERNEL 308 struct ipsec_output_state { 309 struct mbuf *m; 310 struct route *ro; 311 struct sockaddr *dst; 312 int encap; 313 }; 314 315 struct ipsec_history { 316 int ih_proto; 317 u_int32_t ih_spi; 318 }; 319 320 extern int ipsec_debug; 321 322 #ifdef INET 323 extern struct ipsecstat ipsecstat; 324 extern struct secpolicy *ip4_def_policy; 325 extern int ip4_esp_trans_deflev; 326 extern int ip4_esp_net_deflev; 327 extern int ip4_ah_trans_deflev; 328 extern int ip4_ah_net_deflev; 329 extern int ip4_ah_cleartos; 330 extern int ip4_ah_offsetmask; 331 extern int ip4_ipsec_dfbit; 332 extern int ip4_ipsec_ecn; 333 #endif 334 335 #ifdef INET6 336 extern struct ipsecstat ipsec6stat; 337 extern struct secpolicy *ip6_def_policy; 338 extern int ip6_esp_trans_deflev; 339 extern int ip6_esp_net_deflev; 340 extern int ip6_ah_trans_deflev; 341 extern int ip6_ah_net_deflev; 342 extern int ip6_ipsec_ecn; 343 #endif 344 345 #define ipseclog(x) do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0) 346 347 extern int ipsec_pcbconn __P((struct inpcbpolicy *)); 348 extern int ipsec_pcbdisconn __P((struct inpcbpolicy *)); 349 extern void ipsec_invalpcbcacheall __P((void)); 350 351 extern u_int ipsec_spdgen; 352 353 extern struct secpolicy *ipsec4_getpolicybysock 354 __P((struct mbuf *, u_int, struct socket *, int *)); 355 extern struct secpolicy *ipsec4_getpolicybyaddr 356 __P((struct mbuf *, u_int, int, int *)); 357 358 #ifdef INET6 359 extern struct secpolicy *ipsec6_getpolicybysock 360 __P((struct mbuf *, u_int, struct socket *, int *)); 361 extern struct secpolicy *ipsec6_getpolicybyaddr 362 __P((struct mbuf *, u_int, int, int *)); 363 #endif /* INET6 */ 364 365 struct inpcb; 366 #ifdef INET6 367 struct in6pcb; 368 #endif 369 extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **)); 370 extern int ipsec_copy_pcbpolicy 371 __P((struct inpcbpolicy *, struct inpcbpolicy *)); 372 extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int)); 373 374 extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int)); 375 extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t, 376 struct mbuf **)); 377 extern int ipsec4_delete_pcbpolicy __P((struct inpcb *)); 378 extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *)); 379 extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *)); 380 381 #ifdef INET6 382 extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *)); 383 extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *)); 384 extern int ipsec6_set_policy __P((struct in6pcb *, int, caddr_t, size_t, int)); 385 extern int ipsec6_get_policy __P((struct in6pcb *, caddr_t, size_t, 386 struct mbuf **)); 387 extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *)); 388 #endif /* INET6 */ 389 390 struct secas; 391 struct tcpcb; 392 struct tcp6cb; 393 extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *)); 394 extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *)); 395 396 extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); 397 extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *)); 398 #ifdef INET6 399 extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *)); 400 extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *)); 401 #endif 402 403 struct ip; 404 #ifdef INET6 405 struct ip6_hdr; 406 #endif 407 extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t)); 408 #ifdef INET6 409 extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t)); 410 #endif 411 extern const char *ipsec_logsastr __P((struct secasvar *)); 412 413 extern void ipsec_dumpmbuf __P((struct mbuf *)); 414 415 extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *, 416 int)); 417 #ifdef INET6 418 extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *, 419 struct mbuf *, struct secpolicy *, int, int *)); 420 extern int ipsec6_output_tunnel __P((struct ipsec_output_state *, 421 struct secpolicy *, int)); 422 #endif 423 extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *)); 424 #ifdef INET6 425 extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int, 426 struct secasvar *)); 427 #endif 428 extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); 429 extern void ipsec_delaux __P((struct mbuf *)); 430 extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t)); 431 extern int ipsec_getnhist __P((struct mbuf *)); 432 extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *)); 433 extern void ipsec_clearhist __P((struct mbuf *)); 434 435 extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); 436 extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); 437 438 #endif /* _KERNEL */ 439 440 #ifndef _KERNEL 441 typedef void *ipsec_policy_t; 442 extern ipsec_policy_t ipsec_set_policy __P((const char *, int)); 443 extern int ipsec_get_policylen __P((ipsec_policy_t)); 444 extern char *ipsec_dump_policy __P((ipsec_policy_t, const char *)); 445 446 extern const char *ipsec_strerror __P((void)); 447 #endif /* !_KERNEL */ 448 449 #endif /* _NETINET6_IPSEC_H_ */

Cache object: 0cb894d1dab819580d8ce7e705ac242d

FreeBSD/Linux Kernel Cross Reference sys/netinet6/ipsec.h

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.h