1 /*
2 * Copyright (C) 2016 Andreas Steffen
3 * Copyright (C) 2008-2016 Tobias Brunner
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
/* Forward typedefs so the includes below may refer to these types. */
typedef enum action_t action_t;
typedef struct child_cfg_t child_cfg_t;
typedef struct child_cfg_create_t child_cfg_create_t;
30
31 #include <library.h>
32 #include <selectors/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <kernel/kernel_ipsec.h>
35
/**
 * Action to take when a connection is loaded, when DPD detects a dead peer,
 * or when the connection gets closed by the peer.
 */
enum action_t {
	/** No action */
	ACTION_NONE,
	/** Route config to establish or reestablish on demand */
	ACTION_ROUTE,
	/** Start or restart config immediately */
	ACTION_RESTART,
};
48
/**
 * enum names for action_t (for logging and configuration parsing).
 */
extern enum_name_t *action_names;
53
/**
 * A child_cfg_t defines the config template for a CHILD_SA.
 *
 * After creation, proposals and traffic selectors may be added to the config.
 * A child_cfg object is referenced multiple times, and is not thread safe.
 * Reading from the object is safe, adding things is not allowed while other
 * threads may access the object.
 * A reference counter handles the number of references held to this config.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct child_cfg_t {

	/**
	 * Get the name of the child_cfg.
	 *
	 * @return child_cfg's name (presumably owned by the config, do not free;
	 *         confirm in child_cfg.c)
	 */
	char *(*get_name) (child_cfg_t *this);

	/**
	 * Add a proposal to the list.
	 *
	 * The proposals are stored by priority, first added
	 * is the most preferred. It is safe to add NULL as proposal, which has no
	 * effect. After add, proposal is owned by child_cfg.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);

	/**
	 * Get the list of proposals for the CHILD_SA.
	 *
	 * Resulting list and all of its proposals must be freed after use.
	 *
	 * @param strip_dh		TRUE to strip out Diffie-Hellman groups
	 * @return				list of proposals
	 */
	linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);

	/**
	 * Select a proposal from a supplied list.
	 *
	 * Returned proposal is newly created and must be destroyed after usage.
	 *
	 * @param proposals		list from which proposals are selected
	 * @param strip_dh		TRUE to strip out Diffie-Hellman groups
	 * @param private		accept algorithms from a private range (identifiers
	 *						in the private-use range have no standardized
	 *						meaning, so presumably only enable this for peers
	 *						known to share the same assignment)
	 * @return				selected proposal, or NULL if nothing matches
	 */
	proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
								   bool strip_dh, bool private);

	/**
	 * Add a traffic selector to the config.
	 *
	 * Use the "local" parameter to add it for the local or the remote side.
	 * After add, traffic selector is owned by child_cfg.
	 *
	 * @param local			TRUE for local side, FALSE for remote
	 * @param ts			traffic_selector to add
	 */
	void (*add_traffic_selector)(child_cfg_t *this, bool local,
								 traffic_selector_t *ts);

	/**
	 * Get a list of traffic selectors to use for the CHILD_SA.
	 *
	 * The config contains two sets of traffic selectors, one for the local
	 * side, one for the remote side.
	 * If a list with traffic selectors is supplied, these are used to narrow
	 * down the traffic selector list to the greatest common divisor.
	 * Some traffic selectors may be "dynamic", meaning they are narrowed down
	 * to a specific address (host-to-host or virtual-IP setups). Use
	 * the "hosts" parameter to narrow such traffic selectors to that address.
	 * Resulting list and its traffic selectors must be destroyed after use.
	 *
	 * @param local			TRUE for TS on local side, FALSE for remote
	 * @param supplied		list with TS to select from, or NULL
	 * @param hosts			addresses to use for narrowing "dynamic" TS', host_t
	 * @return				list containing the traffic selectors
	 */
	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
											linked_list_t *supplied,
											linked_list_t *hosts);
	/**
	 * Get the updown script to run for the CHILD_SA.
	 *
	 * The script is executed on up/down events, so the path should point to
	 * a file that is not writable by unprivileged users (where and with which
	 * privileges it is executed is not determined by this header).
	 *
	 * @return				path to updown script
	 */
	char* (*get_updown)(child_cfg_t *this);

	/**
	 * Should we allow access to the local host (gateway)?
	 *
	 * @return				value of hostaccess flag
	 */
	bool (*get_hostaccess) (child_cfg_t *this);

	/**
	 * Get the lifetime configuration of a CHILD_SA.
	 *
	 * The rekey limits automatically contain a jitter to avoid simultaneous
	 * rekeying. These values will change with each call to this function.
	 *
	 * @return				lifetime_cfg_t (has to be freed)
	 */
	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);

	/**
	 * Get the mode to use for the CHILD_SA.
	 *
	 * The mode is either tunnel, transport or BEET. The peer must agree
	 * on the method, fallback is tunnel mode.
	 *
	 * @return				ipsec mode
	 */
	ipsec_mode_t (*get_mode) (child_cfg_t *this);

	/**
	 * Action to take to start CHILD_SA.
	 *
	 * @return				start action
	 */
	action_t (*get_start_action) (child_cfg_t *this);

	/**
	 * Action to take on DPD.
	 *
	 * @return				DPD action
	 */
	action_t (*get_dpd_action) (child_cfg_t *this);

	/**
	 * Action to take if CHILD_SA gets closed.
	 *
	 * @return				close action
	 */
	action_t (*get_close_action) (child_cfg_t *this);

	/**
	 * Get the DH group to use for CHILD_SA setup.
	 *
	 * @return				dh group to use
	 */
	diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);

	/**
	 * Check whether IPComp should be used, if the other peer supports it.
	 *
	 * @return				TRUE, if IPComp should be used
	 *						FALSE, otherwise
	 */
	bool (*use_ipcomp)(child_cfg_t *this);

	/**
	 * Get the inactivity timeout value.
	 *
	 * @return				inactivity timeout in s
	 */
	uint32_t (*get_inactivity)(child_cfg_t *this);

	/**
	 * Specific reqid to use for CHILD_SA.
	 *
	 * @return				reqid
	 */
	uint32_t (*get_reqid)(child_cfg_t *this);

	/**
	 * Optional mark for CHILD_SA.
	 *
	 * @param inbound		TRUE for inbound, FALSE for outbound
	 * @return				mark
	 */
	mark_t (*get_mark)(child_cfg_t *this, bool inbound);

	/**
	 * Get the TFC padding value to use for CHILD_SA.
	 *
	 * @return				TFC padding, 0 to disable, -1 for MTU (the return
	 *						type is unsigned, so -1 is represented as
	 *						0xFFFFFFFF)
	 */
	uint32_t (*get_tfc)(child_cfg_t *this);

	/**
	 * Get optional manually-set IPsec policy priority.
	 *
	 * @return				manually-set IPsec policy priority (automatic if 0)
	 */
	uint32_t (*get_manual_prio)(child_cfg_t *this);

	/**
	 * Get optional network interface restricting IPsec policy.
	 *
	 * The name is passed through to the kernel policy; this header does not
	 * define any validation of it.
	 *
	 * @return				network interface name (presumably NULL if the
	 *						policy is not restricted; confirm in child_cfg.c)
	 */
	char* (*get_interface)(child_cfg_t *this);

	/**
	 * Get anti-replay window size.
	 *
	 * @return				anti-replay window size
	 */
	uint32_t (*get_replay_window)(child_cfg_t *this);

	/**
	 * Set anti-replay window size.
	 *
	 * NOTE(review): this is the only setter on the config; the thread-safety
	 * caveat for adding things (see struct comment) presumably applies here
	 * as well.
	 *
	 * @param window		anti-replay window size
	 */
	void (*set_replay_window)(child_cfg_t *this, uint32_t window);

	/**
	 * Check whether IPsec transport SA should be set up in proxy mode.
	 *
	 * @return				TRUE, if proxy mode should be used
	 *						FALSE, otherwise
	 */
	bool (*use_proxy_mode)(child_cfg_t *this);

	/**
	 * Check whether IPsec policies should be installed in the kernel.
	 *
	 * This is the inverse of the suppress_policies flag passed at creation
	 * (child_cfg_create_t); confirm the mapping in child_cfg.c.
	 *
	 * @return				TRUE, if IPsec kernel policies should be installed
	 *						FALSE, otherwise
	 */
	bool (*install_policy)(child_cfg_t *this);

	/**
	 * Check if two child_cfg objects are equal.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if equal
	 */
	bool (*equals)(child_cfg_t *this, child_cfg_t *other);

	/**
	 * Increase the reference count.
	 *
	 * @return				reference to this
	 */
	child_cfg_t* (*get_ref) (child_cfg_t *this);

	/**
	 * Destroys the child_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the child_cfg when it reaches zero.
	 */
	void (*destroy) (child_cfg_t *this);
};
306
307
/**
 * Data passed to the constructor of a child_cfg_t object.
 *
 * Fields marked "(cloned)" are copied by the constructor; the caller keeps
 * ownership of the strings it passed in.
 */
struct child_cfg_create_t {
	/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
	uint32_t reqid;
	/** Optional inbound mark */
	mark_t mark_in;
	/** Optional outbound mark */
	mark_t mark_out;
	/** Mode to propose for CHILD_SA */
	ipsec_mode_t mode;
	/** Use IPsec transport proxy mode */
	bool proxy_mode;
	/** Use IPComp, if peer supports it */
	bool ipcomp;
	/** TFC padding size, 0 to disable, -1 to pad to PMTU (stored unsigned,
	 *  i.e. -1 becomes 0xFFFFFFFF) */
	uint32_t tfc;
	/** Optional manually-set IPsec policy priority, 0 for automatic */
	uint32_t priority;
	/** Optional network interface restricting IPsec policy (cloned); the
	 *  name is handed to the kernel policy, so it should come from trusted
	 *  configuration */
	char *interface;
	/** lifetime_cfg_t for this child_cfg */
	lifetime_cfg_t lifetime;
	/** Inactivity timeout in s before closing a CHILD_SA */
	uint32_t inactivity;
	/** Start action */
	action_t start_action;
	/** DPD action */
	action_t dpd_action;
	/** Close action */
	action_t close_action;
	/** updown script to execute on up/down event (cloned); as it is executed,
	 *  the path should point to a file not writable by unprivileged users */
	char *updown;
	/** TRUE to allow access to the local host */
	bool hostaccess;
	/** Don't install IPsec policies (see child_cfg_t.install_policy) */
	bool suppress_policies;
};
347
/**
 * Create a configuration template for CHILD_SA setup.
 *
 * After a call to create, a reference is obtained (refcount = 1); release it
 * with destroy().
 *
 * @param name			name of the child_cfg (cloned)
 * @param data			data for this child_cfg (string members are cloned
 *						where marked; the struct itself stays with the caller)
 * @return				child_cfg_t object
 */
child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
358
359 #endif /** CHILD_CFG_H_ @}*/