added support for transport mode and (experimental!) BEET mode
[strongswan.git] / src / charon / config / policies / policy.h
1 /**
2 * @file policy.h
3 *
4 * @brief Interface of policy_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef POLICY_H_
25 #define POLICY_H_
26
27 typedef enum dpd_action_t dpd_action_t;
28 typedef struct policy_t policy_t;
29
30 #include <library.h>
31 #include <utils/identification.h>
32 #include <config/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <sa/authenticators/authenticator.h>
35
36
37 /**
38 * @brief Actions to take when a peer does not respond (dead peer detected).
39 *
40 * These values are the same as in pluto/starter, so do not modify them!
41 *
42 * @ingroup config
43 */
44 enum dpd_action_t {
45 /** DPD disabled */
46 DPD_NONE,
47 /** remove CHILD_SA without replacement */
48 DPD_CLEAR,
49 /** route the CHILD_SA to resetup when needed */
50 DPD_ROUTE,
51 /** restart CHILD_SA in a new IKE_SA, immediately */
52 DPD_RESTART,
53 };
54
55 /**
56 * @brief Mode of an IPsec SA.
57 *
58 * These are equal to those defined in XFRM, so don't change.
59 *
60 * @ingroup config
61 */
62 enum mode_t {
63 /** transport mode, no inner address */
64 MODE_TRANSPORT = 0,
65 /** tunnel mode, inner and outer addresses */
66 MODE_TUNNEL = 1,
67 /** BEET mode, tunnel mode but fixed, bound inner addresses */
68 MODE_BEET = 4,
69 };
70
71 /**
72 * enum names for dpd_action_t.
73 */
74 extern enum_name_t *dpd_action_names;
75
76 /**
77 * @brief A policy_t defines the policies to apply to CHILD_SAs.
78 *
79 * The given two IDs identify a policy. These rules define how
80 * child SAs may be set up and which traffic may be IPsec'ed.
81 *
82 * @b Constructors:
83 * - policy_create()
84 *
85 * @ingroup config
86 */
87 struct policy_t {
88
89 /**
90 * @brief Get the name of the policy.
91 *
92 * Returned object is not getting cloned.
93 *
94 * @param this calling object
95 * @return policy's name
96 */
97 char *(*get_name) (policy_t *this);
98
99 /**
100 * @brief Get own id.
101 *
102 * Returned object is not getting cloned.
103 *
104 * @param this calling object
105 * @return own id
106 */
107 identification_t *(*get_my_id) (policy_t *this);
108
109 /**
110 * @brief Get peer id.
111 *
112 * Returned object is not getting cloned.
113 *
114 * @param this calling object
115 * @return other id
116 */
117 identification_t *(*get_other_id) (policy_t *this);
118
119 /**
120 * @brief Get own ca.
121 *
122 * Returned object is not getting cloned.
123 *
124 * @param this calling object
125 * @return own ca
126 */
127 identification_t *(*get_my_ca) (policy_t *this);
128
129 /**
130 * @brief Get peer ca.
131 *
132 * Returned object is not getting cloned.
133 *
134 * @param this calling object
135 * @return other ca
136 */
137 identification_t *(*get_other_ca) (policy_t *this);
138
139 /**
140 * @brief Get the authentication method to use.
141 *
142 * @param this calling object
143 * @return authentication method
144 */
145 auth_method_t (*get_auth_method) (policy_t *this);
146
147 /**
148 * @brief Get configured traffic selectors for our site.
149 *
150 * Returns a list with all traffic selectors for the local
151 * site. List and items must be destroyed after usage.
152 *
153 * @param this calling object
154 * @return list with traffic selectors
155 */
156 linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
157
158 /**
159 * @brief Get configured traffic selectors for others site.
160 *
161 * Returns a list with all traffic selectors for the remote
162 * site. List and items must be destroyed after usage.
163 *
164 * @param this calling object
165 * @return list with traffic selectors
166 */
167 linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
168
169 /**
170 * @brief Select traffic selectors from a supplied list for local site.
171 *
172 * Resulted list and traffic selectors must be destroyed after usage.
173 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
174 * addresses we don't know in previous, an address may be supplied to
175 * replace these 0.0.0.0 addresses on-the-fly.
176 *
177 * @param this calling object
178 * @param supplied linked list with traffic selectors
179 * @param me host address used by us
180 * @return list containing the selected traffic selectors
181 */
182 linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
183 linked_list_t *supplied,
184 host_t *me);
185
186 /**
187 * @brief Select traffic selectors from a supplied list for remote site.
188 *
189 * Resulted list and traffic selectors must be destroyed after usage.
190 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
191 * addresses we don't know in previous, an address may be supplied to
192 * replace these 0.0.0.0 addresses on-the-fly.
193 *
194 * @param this calling object
195 * @param supplied linked list with traffic selectors
196 * @return list containing the selected traffic selectors
197 */
198 linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
199 linked_list_t *supplied,
200 host_t *other);
201
202 /**
203 * @brief Get the list of internally stored proposals.
204 *
205 * policy_t does store proposals for AH/ESP, IKE proposals are in
206 * the connection_t.
207 * Resulting list and all of its proposals must be freed after usage.
208 *
209 * @param this calling object
210 * @return lists with proposals
211 */
212 linked_list_t *(*get_proposals) (policy_t *this);
213
214 /**
215 * @brief Select a proposal from a supplied list.
216 *
217 * Returned propsal is newly created and must be destroyed after usage.
218 *
219 * @param this calling object
220 * @param proposals list from from wich proposals are selected
221 * @return selected proposal, or NULL if nothing matches
222 */
223 proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
224
225 /**
226 * @brief Add a traffic selector to the list for local site.
227 *
228 * After add, traffic selector is owned by policy.
229 *
230 * @param this calling object
231 * @param traffic_selector traffic_selector to add
232 */
233 void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
234
235 /**
236 * @brief Add a traffic selector to the list for remote site.
237 *
238 * After add, traffic selector is owned by policy.
239 *
240 * @param this calling object
241 * @param traffic_selector traffic_selector to add
242 */
243 void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
244
245 /**
246 * @brief Add a proposal to the list.
247 *
248 * The proposals are stored by priority, first added
249 * is the most prefered.
250 * After add, proposal is owned by policy.
251 *
252 * @param this calling object
253 * @param proposal proposal to add
254 */
255 void (*add_proposal) (policy_t *this, proposal_t *proposal);
256
257 /**
258 * @brief Add certification authorities.
259 *
260 * @param this calling object
261 * @param my_ca issuer of my certificate
262 * @param other_ca required issuer of the peer's certificate
263 */
264 void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
265
266 /**
267 * @brief Get updown script
268 *
269 * @param this calling object
270 * @return path to updown script
271 */
272 char* (*get_updown) (policy_t *this);
273
274 /**
275 * @brief Get hostaccess flag
276 *
277 * @param this calling object
278 * @return value of hostaccess flag
279 */
280 bool (*get_hostaccess) (policy_t *this);
281
282 /**
283 * @brief What should be done with a CHILD_SA, when other peer does not respond.
284 *
285 * @param this calling object
286 * @return dpd action
287 */
288 dpd_action_t (*get_dpd_action) (policy_t *this);
289
290 /**
291 * @brief Get the lifetime of a policy, before rekeying starts.
292 *
293 * A call to this function automatically adds a jitter to
294 * avoid simultanous rekeying.
295 *
296 * @param this policy
297 * @return lifetime in seconds
298 */
299 u_int32_t (*get_soft_lifetime) (policy_t *this);
300
301 /**
302 * @brief Get the lifetime of a policy, before SA gets deleted.
303 *
304 * @param this policy
305 * @return lifetime in seconds
306 */
307 u_int32_t (*get_hard_lifetime) (policy_t *this);
308
309 /**
310 * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
311 *
312 * @param this policy
313 * @return lifetime in seconds
314 */
315 mode_t (*get_mode) (policy_t *this);
316
317 /**
318 * @brief Get a new reference.
319 *
320 * Get a new reference to this policy by increasing
321 * it's internal reference counter.
322 * Do not call get_ref or any other function until you
323 * already have a reference. Otherwise the object may get
324 * destroyed while calling get_ref(),
325 *
326 * @param this calling object
327 */
328 void (*get_ref) (policy_t *this);
329
330 /**
331 * @brief Destroys the policy object.
332 *
333 * Decrements the internal reference counter and
334 * destroys the policy when it reaches zero.
335 *
336 * @param this calling object
337 */
338 void (*destroy) (policy_t *this);
339 };
340
341 /**
342 * @brief Create a configuration object for IKE_AUTH and later.
343 *
344 * name-string gets cloned, ID's not.
345 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
346 * same time, a jitter may be specified. Rekeying of an SA starts at
347 * (soft_lifetime - random(0, jitter)). After a successful rekeying,
348 * the hard_lifetime limit counter is reset. You should specify
349 * hard_lifetime > soft_lifetime > jitter.
350 * After a call to create, a reference is obtained (refcount = 1).
351 *
352 * @param name name of the policy
353 * @param my_id identification_t for ourselves
354 * @param other_id identification_t for the remote guy
355 * @param auth_method Authentication method to use for our(!) auth data
356 * @param hard_lifetime lifetime before deleting an SA
357 * @param soft_lifetime lifetime before rekeying an SA
358 * @param jitter range of randomization time
359 * @param updown updown script to execute on up/down event
360 * @param hostaccess allow access to the host itself (used by the updown script)
361 * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
362 * @param dpd_action what to to with a CHILD_SA when other peer does not respond
363 * @return policy_t object
364 *
365 * @ingroup config
366 */
367 policy_t *policy_create(char *name,
368 identification_t *my_id, identification_t *other_id,
369 auth_method_t auth_method,
370 u_int32_t hard_lifetime, u_int32_t soft_lifetime,
371 u_int32_t jitter, char *updown, bool hostaccess,
372 mode_t mode, dpd_action_t dpd_action);
373
374 #endif /* POLICY_H_ */