Derive a dynamic TS to multiple virtual IPs
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup child_cfg child_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef CHILD_CFG_H_
24 #define CHILD_CFG_H_
25
26 typedef enum action_t action_t;
27 typedef struct child_cfg_t child_cfg_t;
28
29 #include <library.h>
30 #include <selectors/traffic_selector.h>
31 #include <config/proposal.h>
32 #include <kernel/kernel_ipsec.h>
33
34 /**
35 * Action to take when connection is loaded, DPD is detected or
36 * connection gets closed by peer.
37 */
38 enum action_t {
39 /** No action */
40 ACTION_NONE,
41 /** Route config to establish or reestablish on demand */
42 ACTION_ROUTE,
43 /** Start or restart config immediately */
44 ACTION_RESTART,
45 };
46
47 /**
48 * enum names for action_t.
49 */
50 extern enum_name_t *action_names;
51
52 /**
53 * A child_cfg_t defines the config template for a CHILD_SA.
54 *
55 * After creation, proposals and traffic selectors may be added to the config.
56 * A child_cfg object is referenced multiple times, and is not thread save.
57 * Reading from the object is save, adding things is not allowed while other
58 * threads may access the object.
59 * A reference counter handles the number of references hold to this config.
60 *
61 * @see peer_cfg_t to get an overview over the configurations.
62 */
63 struct child_cfg_t {
64
65 /**
66 * Get the name of the child_cfg.
67 *
68 * @return child_cfg's name
69 */
70 char *(*get_name) (child_cfg_t *this);
71
72 /**
73 * Add a proposal to the list.
74 *
75 * The proposals are stored by priority, first added
76 * is the most preferred.
77 * After add, proposal is owned by child_cfg.
78 *
79 * @param proposal proposal to add
80 */
81 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
82
83 /**
84 * Get the list of proposals for the CHILD_SA.
85 *
86 * Resulting list and all of its proposals must be freed after use.
87 *
88 * @param strip_dh TRUE strip out diffie hellman groups
89 * @return list of proposals
90 */
91 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
92
93 /**
94 * Select a proposal from a supplied list.
95 *
96 * Returned propsal is newly created and must be destroyed after usage.
97 *
98 * @param proposals list from which proposals are selected
99 * @param strip_dh TRUE strip out diffie hellman groups
100 * @param private accept algorithms from a private range
101 * @return selected proposal, or NULL if nothing matches
102 */
103 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
104 bool strip_dh, bool private);
105
106 /**
107 * Add a traffic selector to the config.
108 *
109 * Use the "local" parameter to add it for the local or the remote side.
110 * After add, traffic selector is owned by child_cfg.
111 *
112 * @param local TRUE for local side, FALSE for remote
113 * @param ts traffic_selector to add
114 */
115 void (*add_traffic_selector)(child_cfg_t *this, bool local,
116 traffic_selector_t *ts);
117
118 /**
119 * Get a list of traffic selectors to use for the CHILD_SA.
120 *
121 * The config contains two set of traffic selectors, one for the local
122 * side, one for the remote side.
123 * If a list with traffic selectors is supplied, these are used to narrow
124 * down the traffic selector list to the greatest common divisor.
125 * Some traffic selector may be "dymamic", meaning they are narrowed down
126 * to a specific address (host-to-host or virtual-IP setups). Use
127 * the "host" parameter to narrow such traffic selectors to that address.
128 * Resulted list and its traffic selectors must be destroyed after use.
129 *
130 * @param local TRUE for TS on local side, FALSE for remote
131 * @param supplied list with TS to select from, or NULL
132 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
133 * @return list containing the traffic selectors
134 */
135 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
136 linked_list_t *supplied,
137 linked_list_t *hosts);
138 /**
139 * Get the updown script to run for the CHILD_SA.
140 *
141 * @return path to updown script
142 */
143 char* (*get_updown)(child_cfg_t *this);
144
145 /**
146 * Should we allow access to the local host (gateway)?
147 *
148 * @return value of hostaccess flag
149 */
150 bool (*get_hostaccess) (child_cfg_t *this);
151
152 /**
153 * Get the lifetime configuration of a CHILD_SA.
154 *
155 * The rekey limits automatically contain a jitter to avoid simultaneous
156 * rekeying. These values will change with each call to this function.
157 *
158 * @return lifetime_cfg_t (has to be freed)
159 */
160 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
161
162 /**
163 * Get the mode to use for the CHILD_SA.
164 *
165 * The mode is either tunnel, transport or BEET. The peer must agree
166 * on the method, fallback is tunnel mode.
167 *
168 * @return ipsec mode
169 */
170 ipsec_mode_t (*get_mode) (child_cfg_t *this);
171
172 /**
173 * Action to take to start CHILD_SA.
174 *
175 * @return start action
176 */
177 action_t (*get_start_action) (child_cfg_t *this);
178
179 /**
180 * Action to take on DPD.
181 *
182 * @return DPD action
183 */
184 action_t (*get_dpd_action) (child_cfg_t *this);
185
186 /**
187 * Action to take if CHILD_SA gets closed.
188 *
189 * @return close action
190 */
191 action_t (*get_close_action) (child_cfg_t *this);
192
193 /**
194 * Get the DH group to use for CHILD_SA setup.
195 *
196 * @return dh group to use
197 */
198 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
199
200 /**
201 * Check whether IPComp should be used, if the other peer supports it.
202 *
203 * @return TRUE, if IPComp should be used
204 * FALSE, otherwise
205 */
206 bool (*use_ipcomp)(child_cfg_t *this);
207
208 /**
209 * Get the inactivity timeout value.
210 *
211 * @return inactivity timeout in s
212 */
213 u_int32_t (*get_inactivity)(child_cfg_t *this);
214
215 /**
216 * Specific reqid to use for CHILD_SA
217 *
218 * @return reqid
219 */
220 u_int32_t (*get_reqid)(child_cfg_t *this);
221
222 /**
223 * Optional mark for CHILD_SA
224 *
225 * @param inbound TRUE for inbound, FALSE for outbound
226 * @return mark
227 */
228 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
229
230 /**
231 * Get the TFC padding value to use for CHILD_SA.
232 *
233 * @return TFC padding, 0 to disable, -1 for MTU
234 */
235 u_int32_t (*get_tfc)(child_cfg_t *this);
236
237 /**
238 * Sets two options needed for Mobile IPv6 interoperability
239 *
240 * @param proxy_mode use IPsec transport proxy mode (default FALSE)
241 * @param install_policy install IPsec kernel policies (default TRUE)
242 */
243 void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
244 bool install_policy);
245
246 /**
247 * Check whether IPsec transport SA should be set up in proxy mode
248 *
249 * @return TRUE, if proxy mode should be used
250 * FALSE, otherwise
251 */
252 bool (*use_proxy_mode)(child_cfg_t *this);
253
254 /**
255 * Check whether IPsec policies should be installed in the kernel
256 *
257 * @return TRUE, if IPsec kernel policies should be installed
258 * FALSE, otherwise
259 */
260 bool (*install_policy)(child_cfg_t *this);
261
262 /**
263 * Increase the reference count.
264 *
265 * @return reference to this
266 */
267 child_cfg_t* (*get_ref) (child_cfg_t *this);
268
269 /**
270 * Destroys the child_cfg object.
271 *
272 * Decrements the internal reference counter and
273 * destroys the child_cfg when it reaches zero.
274 */
275 void (*destroy) (child_cfg_t *this);
276 };
277
278 /**
279 * Create a configuration template for CHILD_SA setup.
280 *
281 * The "name" string gets cloned.
282 *
283 * The lifetime_cfg_t object gets cloned.
284 * To prevent two peers to start rekeying at the same time, a jitter may be
285 * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
286 *
287 * After a call to create, a reference is obtained (refcount = 1).
288 *
289 * @param name name of the child_cfg
290 * @param lifetime lifetime_cfg_t for this child_cfg
291 * @param updown updown script to execute on up/down event
292 * @param hostaccess TRUE to allow access to the local host
293 * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
294 * @param start_action start action
295 * @param dpd_action DPD action
296 * @param close_action close action
297 * @param ipcomp use IPComp, if peer supports it
298 * @param inactivity inactivity timeout in s before closing a CHILD_SA
299 * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign
300 * @param mark_in optional inbound mark (can be NULL)
301 * @param mark_out optional outbound mark (can be NULL)
302 * @param tfc TFC padding size, 0 to disable, -1 to pad to PMTU
303 * @return child_cfg_t object
304 */
305 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
306 char *updown, bool hostaccess,
307 ipsec_mode_t mode, action_t start_action,
308 action_t dpd_action, action_t close_action,
309 bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
310 mark_t *mark_in, mark_t *mark_out, u_int32_t tfc);
311
312 #endif /** CHILD_CFG_H_ @}*/