56ffab59737d03d77fc808ab3740f11805aec6f2
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2016 Andreas Steffen
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
27 typedef enum action_t action_t;
28 typedef enum child_cfg_option_t child_cfg_option_t;
29 typedef struct child_cfg_t child_cfg_t;
30 typedef struct child_cfg_create_t child_cfg_create_t;
31
32 #include <library.h>
33 #include <selectors/traffic_selector.h>
34 #include <config/proposal.h>
35 #include <kernel/kernel_ipsec.h>
36
37 /**
38 * Action to take when connection is loaded, DPD is detected or
39 * connection gets closed by peer.
40 */
41 enum action_t {
42 /** No action */
43 ACTION_NONE,
44 /** Route config to establish or reestablish on demand */
45 ACTION_ROUTE,
46 /** Start or restart config immediately */
47 ACTION_RESTART,
48 };
49
50 /**
51 * enum names for action_t.
52 */
53 extern enum_name_t *action_names;
54
55 /**
56 * A child_cfg_t defines the config template for a CHILD_SA.
57 *
58 * After creation, proposals and traffic selectors may be added to the config.
59 * A child_cfg object is referenced multiple times, and is not thread save.
60 * Reading from the object is save, adding things is not allowed while other
61 * threads may access the object.
62 * A reference counter handles the number of references hold to this config.
63 *
64 * @see peer_cfg_t to get an overview over the configurations.
65 */
66 struct child_cfg_t {
67
68 /**
69 * Get the name of the child_cfg.
70 *
71 * @return child_cfg's name
72 */
73 char *(*get_name) (child_cfg_t *this);
74
75 /**
76 * Add a proposal to the list.
77 *
78 * The proposals are stored by priority, first added
79 * is the most preferred. It is safe to add NULL as proposal, which has no
80 * effect. After add, proposal is owned by child_cfg.
81 *
82 * @param proposal proposal to add, or NULL
83 */
84 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
85
86 /**
87 * Get the list of proposals for the CHILD_SA.
88 *
89 * Resulting list and all of its proposals must be freed after use.
90 *
91 * @param strip_dh TRUE strip out diffie hellman groups
92 * @return list of proposals
93 */
94 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
95
96 /**
97 * Select a proposal from a supplied list.
98 *
99 * Returned propsal is newly created and must be destroyed after usage.
100 *
101 * @param proposals list from which proposals are selected
102 * @param strip_dh TRUE strip out diffie hellman groups
103 * @param private accept algorithms from a private range
104 * @param prefer_self whether to prefer configured or supplied proposals
105 * @return selected proposal, or NULL if nothing matches
106 */
107 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
108 bool strip_dh, bool private,
109 bool prefer_self);
110
111 /**
112 * Add a traffic selector to the config.
113 *
114 * Use the "local" parameter to add it for the local or the remote side.
115 * After add, traffic selector is owned by child_cfg.
116 *
117 * @param local TRUE for local side, FALSE for remote
118 * @param ts traffic_selector to add
119 */
120 void (*add_traffic_selector)(child_cfg_t *this, bool local,
121 traffic_selector_t *ts);
122
123 /**
124 * Get a list of traffic selectors to use for the CHILD_SA.
125 *
126 * The config contains two set of traffic selectors, one for the local
127 * side, one for the remote side.
128 * If a list with traffic selectors is supplied, these are used to narrow
129 * down the traffic selector list to the greatest common divisor.
130 * Some traffic selector may be "dymamic", meaning they are narrowed down
131 * to a specific address (host-to-host or virtual-IP setups). Use
132 * the "host" parameter to narrow such traffic selectors to that address.
133 * Resulted list and its traffic selectors must be destroyed after use.
134 *
135 * @param local TRUE for TS on local side, FALSE for remote
136 * @param supplied list with TS to select from, or NULL
137 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
138 * @return list containing the traffic selectors
139 */
140 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
141 linked_list_t *supplied,
142 linked_list_t *hosts);
143 /**
144 * Get the updown script to run for the CHILD_SA.
145 *
146 * @return path to updown script
147 */
148 char* (*get_updown)(child_cfg_t *this);
149
150 /**
151 * Get the lifetime configuration of a CHILD_SA.
152 *
153 * The rekey limits automatically contain a jitter to avoid simultaneous
154 * rekeying. These values will change with each call to this function.
155 *
156 * @param jitter subtract jitter value to randomize lifetimes
157 * @return lifetime_cfg_t (has to be freed)
158 */
159 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
160
161 /**
162 * Get the mode to use for the CHILD_SA.
163 *
164 * The mode is either tunnel, transport or BEET. The peer must agree
165 * on the method, fallback is tunnel mode.
166 *
167 * @return ipsec mode
168 */
169 ipsec_mode_t (*get_mode) (child_cfg_t *this);
170
171 /**
172 * Action to take to start CHILD_SA.
173 *
174 * @return start action
175 */
176 action_t (*get_start_action) (child_cfg_t *this);
177
178 /**
179 * Action to take on DPD.
180 *
181 * @return DPD action
182 */
183 action_t (*get_dpd_action) (child_cfg_t *this);
184
185 /**
186 * Action to take if CHILD_SA gets closed.
187 *
188 * @return close action
189 */
190 action_t (*get_close_action) (child_cfg_t *this);
191
192 /**
193 * Get the DH group to use for CHILD_SA setup.
194 *
195 * @return dh group to use
196 */
197 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
198
199 /**
200 * Get the inactivity timeout value.
201 *
202 * @return inactivity timeout in s
203 */
204 uint32_t (*get_inactivity)(child_cfg_t *this);
205
206 /**
207 * Specific reqid to use for CHILD_SA.
208 *
209 * @return reqid
210 */
211 uint32_t (*get_reqid)(child_cfg_t *this);
212
213 /**
214 * Optional mark for CHILD_SA.
215 *
216 * @param inbound TRUE for inbound, FALSE for outbound
217 * @return mark
218 */
219 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
220
221 /**
222 * Get the TFC padding value to use for CHILD_SA.
223 *
224 * @return TFC padding, 0 to disable, -1 for MTU
225 */
226 uint32_t (*get_tfc)(child_cfg_t *this);
227
228 /**
229 * Get optional manually-set IPsec policy priority
230 *
231 * @return manually-set IPsec policy priority (automatic if 0)
232 */
233 uint32_t (*get_manual_prio)(child_cfg_t *this);
234
235 /**
236 * Get optional network interface restricting IPsec policy
237 *
238 * @return network interface)
239 */
240 char* (*get_interface)(child_cfg_t *this);
241
242 /**
243 * Get anti-replay window size
244 *
245 * @return anti-replay window size
246 */
247 uint32_t (*get_replay_window)(child_cfg_t *this);
248
249 /**
250 * Set anti-replay window size
251 *
252 * @param window anti-replay window size
253 */
254 void (*set_replay_window)(child_cfg_t *this, uint32_t window);
255
256 /**
257 * Check if an option flag is set.
258 *
259 * @param option option flag to check
260 * @return TRUE if option flag set, FALSE otherwise
261 */
262 bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
263
264 /**
265 * Check if two child_cfg objects are equal.
266 *
267 * @param other candidate to check for equality against this
268 * @return TRUE if equal
269 */
270 bool (*equals)(child_cfg_t *this, child_cfg_t *other);
271
272 /**
273 * Increase the reference count.
274 *
275 * @return reference to this
276 */
277 child_cfg_t* (*get_ref) (child_cfg_t *this);
278
279 /**
280 * Destroys the child_cfg object.
281 *
282 * Decrements the internal reference counter and
283 * destroys the child_cfg when it reaches zero.
284 */
285 void (*destroy) (child_cfg_t *this);
286 };
287
288 /**
289 * Option flags that may be set on a child_cfg_t object
290 */
291 enum child_cfg_option_t {
292
293 /** Use IPsec transport proxy mode */
294 OPT_PROXY_MODE = (1<<0),
295
296 /** Use IPComp, if peer supports it */
297 OPT_IPCOMP = (1<<1),
298
299 /** Allow access to the local host */
300 OPT_HOSTACCESS = (1<<2),
301
302 /** Don't install any IPsec policies */
303 OPT_NO_POLICIES = (1<<3),
304
305 /** Install outbound FWD IPsec policies to bypass drop policies */
306 OPT_FWD_OUT_POLICIES = (1<<4),
307
308 /** Enable hardware offload, if supported by the IPsec backend */
309 OPT_HW_OFFLOAD = (1<<5),
310 };
311
312 /**
313 * Data passed to the constructor of a child_cfg_t object.
314 */
315 struct child_cfg_create_t {
316 /** Options set for CHILD_SA */
317 child_cfg_option_t options;
318 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
319 uint32_t reqid;
320 /** Optional inbound mark */
321 mark_t mark_in;
322 /** Optional outbound mark */
323 mark_t mark_out;
324 /** Mode to propose for CHILD_SA */
325 ipsec_mode_t mode;
326 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
327 uint32_t tfc;
328 /** Optional manually-set IPsec policy priority */
329 uint32_t priority;
330 /** Optional network interface restricting IPsec policy (cloned) */
331 char *interface;
332 /** lifetime_cfg_t for this child_cfg */
333 lifetime_cfg_t lifetime;
334 /** Inactivity timeout in s before closing a CHILD_SA */
335 uint32_t inactivity;
336 /** Start action */
337 action_t start_action;
338 /** DPD action */
339 action_t dpd_action;
340 /** Close action */
341 action_t close_action;
342 /** updown script to execute on up/down event (cloned) */
343 char *updown;
344 };
345
346 /**
347 * Create a configuration template for CHILD_SA setup.
348 *
349 * After a call to create, a reference is obtained (refcount = 1).
350 *
351 * @param name name of the child_cfg (cloned)
352 * @param data data for this child_cfg
353 * @return child_cfg_t object
354 */
355 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
356
357 #endif /** CHILD_CFG_H_ @}*/