9505e53fd5bc3a8aa2ded9a7dfc27d7af5e13c76
[strongswan.git] / src / charon / config / policies / policy.h
1 /**
2 * @file policy.h
3 *
4 * @brief Interface of policy_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef POLICY_H_
25 #define POLICY_H_
26
27 #include <types.h>
28 #include <utils/identification.h>
29 #include <config/traffic_selector.h>
30 #include <config/proposal.h>
31 #include <encoding/payloads/auth_payload.h>
32
33
34 typedef struct policy_t policy_t;
35
36 /**
37 * @brief A policy_t defines the policies to apply to CHILD_SAs.
38 *
39 * The given two IDs identify a policy. These rules define how
40 * child SAs may be set up and which traffic may be IPsec'ed.
41 *
42 * @b Constructors:
43 * - policy_create()
44 *
45 * @ingroup config
46 */
47 struct policy_t {
48
49 /**
50 * @brief Get the name of the policy.
51 *
52 * Returned object is not getting cloned.
53 *
54 * @param this calling object
55 * @return policy's name
56 */
57 char *(*get_name) (policy_t *this);
58
59 /**
60 * @brief Get own id to use for identification.
61 *
62 * Returned object is not getting cloned.
63 *
64 * @param this calling object
65 * @return own id
66 */
67 identification_t *(*get_my_id) (policy_t *this);
68
69 /**
70 * @brief Get id of communication partner.
71 *
72 * Returned object is not getting cloned.
73 *
74 * @param this calling object
75 * @return other id
76 */
77 identification_t *(*get_other_id) (policy_t *this);
78
79 /**
80 * @brief Get configured traffic selectors for our site.
81 *
82 * Returns a list with all traffic selectors for the local
83 * site. List and items must be destroyed after usage.
84 *
85 * @param this calling object
86 * @return list with traffic selectors
87 */
88 linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
89
90 /**
91 * @brief Get configured traffic selectors for others site.
92 *
93 * Returns a list with all traffic selectors for the remote
94 * site. List and items must be destroyed after usage.
95 *
96 * @param this calling object
97 * @return list with traffic selectors
98 */
99 linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
100
101 /**
102 * @brief Select traffic selectors from a supplied list for local site.
103 *
104 * Resulted list and traffic selectors must be destroyed after usage.
105 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
106 * addresses we don't know in previous, an address may be supplied to
107 * replace these 0.0.0.0 addresses on-the-fly.
108 *
109 * @param this calling object
110 * @param supplied linked list with traffic selectors
111 * @param me host address used by us
112 * @return list containing the selected traffic selectors
113 */
114 linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
115 linked_list_t *supplied,
116 host_t *me);
117
118 /**
119 * @brief Select traffic selectors from a supplied list for remote site.
120 *
121 * Resulted list and traffic selectors must be destroyed after usage.
122 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
123 * addresses we don't know in previous, an address may be supplied to
124 * replace these 0.0.0.0 addresses on-the-fly.
125 *
126 * @param this calling object
127 * @param supplied linked list with traffic selectors
128 * @return list containing the selected traffic selectors
129 */
130 linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
131 linked_list_t *supplied,
132 host_t *other);
133
134 /**
135 * @brief Get the list of internally stored proposals.
136 *
137 * policy_t does store proposals for AH/ESP, IKE proposals are in
138 * the connection_t.
139 * Resulting list and all of its proposals must be freed after usage.
140 *
141 * @param this calling object
142 * @return lists with proposals
143 */
144 linked_list_t *(*get_proposals) (policy_t *this);
145
146 /**
147 * @brief Select a proposal from a supplied list.
148 *
149 * Returned propsal is newly created and must be destroyed after usage.
150 *
151 * @param this calling object
152 * @param proposals list from from wich proposals are selected
153 * @return selected proposal, or NULL if nothing matches
154 */
155 proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
156
157 /**
158 * @brief Add a traffic selector to the list for local site.
159 *
160 * After add, traffic selector is owned by policy.
161 *
162 * @param this calling object
163 * @param traffic_selector traffic_selector to add
164 */
165 void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
166
167 /**
168 * @brief Add a traffic selector to the list for remote site.
169 *
170 * After add, traffic selector is owned by policy.
171 *
172 * @param this calling object
173 * @param traffic_selector traffic_selector to add
174 */
175 void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
176
177 /**
178 * @brief Add a proposal to the list.
179 *
180 * The proposals are stored by priority, first added
181 * is the most prefered.
182 * After add, proposal is owned by policy.
183 *
184 * @param this calling object
185 * @param proposal proposal to add
186 */
187 void (*add_proposal) (policy_t *this, proposal_t *proposal);
188
189 /**
190 * @brief Add certification authorities.
191 *
192 * @param this calling object
193 * @param my_ca issuer of my certificate
194 * @param other_ca required issuer of the peer's certificate
195 */
196 void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
197
198 /**
199 * @brief Get updown script
200 *
201 * @param this calling object
202 * @return path to updown script
203 */
204 char* (*get_updown) (policy_t *this);
205
206 /**
207 * @brief Get the lifetime of a policy, before rekeying starts.
208 *
209 * A call to this function automatically adds a jitter to
210 * avoid simultanous rekeying.
211 *
212 * @param this policy
213 * @return lifetime in seconds
214 */
215 u_int32_t (*get_soft_lifetime) (policy_t *this);
216
217 /**
218 * @brief Get the lifetime of a policy, before SA gets deleted.
219 *
220 * @param this policy
221 * @return lifetime in seconds
222 */
223 u_int32_t (*get_hard_lifetime) (policy_t *this);
224
225 /**
226 * @brief Get a new reference.
227 *
228 * Get a new reference to this policy by increasing
229 * it's internal reference counter.
230 * Do not call get_ref or any other function until you
231 * already have a reference. Otherwise the object may get
232 * destroyed while calling get_ref(),
233 *
234 * @param this calling object
235 */
236 void (*get_ref) (policy_t *this);
237
238 /**
239 * @brief Destroys the policy object.
240 *
241 * Decrements the internal reference counter and
242 * destroys the policy when it reaches zero.
243 *
244 * @param this calling object
245 */
246 void (*destroy) (policy_t *this);
247 };
248
249 /**
250 * @brief Create a configuration object for IKE_AUTH and later.
251 *
252 * name-string gets cloned, ID's not.
253 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
254 * same time, a jitter may be specified. Rekeying of an SA starts at
255 * (soft_lifetime - random(0, jitter)). After a successful rekeying,
256 * the hard_lifetime limit counter is reset. You should specify
257 * hard_lifetime > soft_lifetime > jitter.
258 * After a call to create, a reference is obtained (refcount = 1).
259 *
260 * @param name name of the policy
261 * @param my_id identification_t for ourselves
262 * @param other_id identification_t for the remote guy
263 * @param hard_lifetime lifetime before deleting an SA
264 * @param soft_lifetime lifetime before rekeying an SA
265 * @param jitter range of randomization time
266 * @param updown updown script to execute on up/down event
267 * @param dpd_route should the connection go to routed state if DPD detected?
268 * @return policy_t object
269 *
270 * @ingroup config
271 */
272 policy_t *policy_create(char *name,
273 identification_t *my_id, identification_t *other_id,
274 u_int32_t hard_lifetime, u_int32_t soft_lifetime,
275 u_int32_t jitter, char *updown, bool dpd_route);
276
277 #endif /* POLICY_H_ */