child-cfg: Add property for interface ID
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2019 Tobias Brunner
3 * Copyright (C) 2016 Andreas Steffen
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
27 typedef enum action_t action_t;
28 typedef enum child_cfg_option_t child_cfg_option_t;
29 typedef struct child_cfg_t child_cfg_t;
30 typedef struct child_cfg_create_t child_cfg_create_t;
31
32 #include <library.h>
33 #include <selectors/traffic_selector.h>
34 #include <crypto/proposal/proposal.h>
35 #include <kernel/kernel_ipsec.h>
36
37 /**
38 * Action to take when connection is loaded, DPD is detected or
39 * connection gets closed by peer.
40 */
41 enum action_t {
42 /** No action */
43 ACTION_NONE,
44 /** Route config to establish or reestablish on demand */
45 ACTION_ROUTE,
46 /** Start or restart config immediately */
47 ACTION_RESTART,
48 };
49
50 /**
51 * enum names for action_t.
52 */
53 extern enum_name_t *action_names;
54
55 /**
56 * A child_cfg_t defines the config template for a CHILD_SA.
57 *
58 * After creation, proposals and traffic selectors may be added to the config.
59 * A child_cfg object is referenced multiple times, and is not thread save.
60 * Reading from the object is save, adding things is not allowed while other
61 * threads may access the object.
62 * A reference counter handles the number of references hold to this config.
63 *
64 * @see peer_cfg_t to get an overview over the configurations.
65 */
66 struct child_cfg_t {
67
68 /**
69 * Get the name of the child_cfg.
70 *
71 * @return child_cfg's name
72 */
73 char *(*get_name) (child_cfg_t *this);
74
75 /**
76 * Add a proposal to the list.
77 *
78 * The proposals are stored by priority, first added
79 * is the most preferred. It is safe to add NULL as proposal, which has no
80 * effect. After add, proposal is owned by child_cfg.
81 *
82 * @param proposal proposal to add, or NULL
83 */
84 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
85
86 /**
87 * Get the list of proposals for the CHILD_SA.
88 *
89 * Resulting list and all of its proposals must be freed after use.
90 *
91 * @param strip_dh TRUE strip out diffie hellman groups
92 * @return list of proposals
93 */
94 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
95
96 /**
97 * Select a proposal from a supplied list.
98 *
99 * Returned propsal is newly created and must be destroyed after usage.
100 *
101 * @param proposals list from which proposals are selected
102 * @param strip_dh TRUE strip out diffie hellman groups
103 * @param private accept algorithms from a private range
104 * @param prefer_self whether to prefer configured or supplied proposals
105 * @return selected proposal, or NULL if nothing matches
106 */
107 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
108 bool strip_dh, bool private,
109 bool prefer_self);
110
111 /**
112 * Add a traffic selector to the config.
113 *
114 * Use the "local" parameter to add it for the local or the remote side.
115 * After add, traffic selector is owned by child_cfg.
116 *
117 * @param local TRUE for local side, FALSE for remote
118 * @param ts traffic_selector to add
119 */
120 void (*add_traffic_selector)(child_cfg_t *this, bool local,
121 traffic_selector_t *ts);
122
123 /**
124 * Get a list of traffic selectors to use for the CHILD_SA.
125 *
126 * The config contains two set of traffic selectors, one for the local
127 * side, one for the remote side.
128 * If a list with traffic selectors is supplied, these are used to narrow
129 * down the traffic selector list to the greatest common divisor.
130 * Some traffic selector may be "dymamic", meaning they are narrowed down
131 * to a specific address (host-to-host or virtual-IP setups). Use
132 * the "host" parameter to narrow such traffic selectors to that address.
133 * Resulted list and its traffic selectors must be destroyed after use.
134 *
135 * @param local TRUE for TS on local side, FALSE for remote
136 * @param supplied list with TS to select from, or NULL
137 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
138 * @param log FALSE to avoid logging details about the selection
139 * @return list containing the traffic selectors
140 */
141 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
142 linked_list_t *supplied,
143 linked_list_t *hosts, bool log);
144
145 /**
146 * Get the updown script to run for the CHILD_SA.
147 *
148 * @return path to updown script
149 */
150 char* (*get_updown)(child_cfg_t *this);
151
152 /**
153 * Get the lifetime configuration of a CHILD_SA.
154 *
155 * The rekey limits automatically contain a jitter to avoid simultaneous
156 * rekeying. These values will change with each call to this function.
157 *
158 * @param jitter subtract jitter value to randomize lifetimes
159 * @return lifetime_cfg_t (has to be freed)
160 */
161 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
162
163 /**
164 * Get the mode to use for the CHILD_SA.
165 *
166 * The mode is either tunnel, transport or BEET. The peer must agree
167 * on the method, fallback is tunnel mode.
168 *
169 * @return ipsec mode
170 */
171 ipsec_mode_t (*get_mode) (child_cfg_t *this);
172
173 /**
174 * Action to take to start CHILD_SA.
175 *
176 * @return start action
177 */
178 action_t (*get_start_action) (child_cfg_t *this);
179
180 /**
181 * Action to take on DPD.
182 *
183 * @return DPD action
184 */
185 action_t (*get_dpd_action) (child_cfg_t *this);
186
187 /**
188 * Get the HW offload mode to use for the CHILD_SA.
189 *
190 * @return hw offload mode
191 */
192 hw_offload_t (*get_hw_offload) (child_cfg_t *this);
193
194 /**
195 * Get the copy mode for the DS header field to use for the CHILD_SA.
196 *
197 * @return IP header copy mode
198 */
199 dscp_copy_t (*get_copy_dscp) (child_cfg_t *this);
200
201 /**
202 * Action to take if CHILD_SA gets closed.
203 *
204 * @return close action
205 */
206 action_t (*get_close_action) (child_cfg_t *this);
207
208 /**
209 * Get the DH group to use for CHILD_SA setup.
210 *
211 * @return dh group to use
212 */
213 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
214
215 /**
216 * Get the inactivity timeout value.
217 *
218 * @return inactivity timeout in s
219 */
220 uint32_t (*get_inactivity)(child_cfg_t *this);
221
222 /**
223 * Specific reqid to use for CHILD_SA.
224 *
225 * @return reqid
226 */
227 uint32_t (*get_reqid)(child_cfg_t *this);
228
229 /**
230 * Optional interface ID to set on policies/SAs.
231 *
232 * @param inbound TRUE for inbound, FALSE for outbound
233 * @return interface ID
234 */
235 uint32_t (*get_if_id)(child_cfg_t *this, bool inbound);
236
237 /**
238 * Optional mark to set on policies/SAs.
239 *
240 * @param inbound TRUE for inbound, FALSE for outbound
241 * @return mark
242 */
243 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
244
245 /**
246 * Optional mark the SAs should apply after processing packets.
247 *
248 * @param inbound TRUE for inbound, FALSE for outbound
249 * @return mark
250 */
251 mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);
252
253 /**
254 * Get the TFC padding value to use for CHILD_SA.
255 *
256 * @return TFC padding, 0 to disable, -1 for MTU
257 */
258 uint32_t (*get_tfc)(child_cfg_t *this);
259
260 /**
261 * Get optional manually-set IPsec policy priority
262 *
263 * @return manually-set IPsec policy priority (automatic if 0)
264 */
265 uint32_t (*get_manual_prio)(child_cfg_t *this);
266
267 /**
268 * Get optional network interface restricting IPsec policy
269 *
270 * @return network interface)
271 */
272 char* (*get_interface)(child_cfg_t *this);
273
274 /**
275 * Get anti-replay window size
276 *
277 * @return anti-replay window size
278 */
279 uint32_t (*get_replay_window)(child_cfg_t *this);
280
281 /**
282 * Set anti-replay window size
283 *
284 * @param window anti-replay window size
285 */
286 void (*set_replay_window)(child_cfg_t *this, uint32_t window);
287
288 /**
289 * Check if an option flag is set.
290 *
291 * @param option option flag to check
292 * @return TRUE if option flag set, FALSE otherwise
293 */
294 bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
295
296 /**
297 * Check if two child_cfg objects are equal.
298 *
299 * @param other candidate to check for equality against this
300 * @return TRUE if equal
301 */
302 bool (*equals)(child_cfg_t *this, child_cfg_t *other);
303
304 /**
305 * Increase the reference count.
306 *
307 * @return reference to this
308 */
309 child_cfg_t* (*get_ref) (child_cfg_t *this);
310
311 /**
312 * Destroys the child_cfg object.
313 *
314 * Decrements the internal reference counter and
315 * destroys the child_cfg when it reaches zero.
316 */
317 void (*destroy) (child_cfg_t *this);
318 };
319
320 /**
321 * Option flags that may be set on a child_cfg_t object
322 */
323 enum child_cfg_option_t {
324
325 /** Use IPsec transport proxy mode */
326 OPT_PROXY_MODE = (1<<0),
327
328 /** Use IPComp, if peer supports it */
329 OPT_IPCOMP = (1<<1),
330
331 /** Allow access to the local host */
332 OPT_HOSTACCESS = (1<<2),
333
334 /** Don't install any IPsec policies */
335 OPT_NO_POLICIES = (1<<3),
336
337 /** Install outbound FWD IPsec policies to bypass drop policies */
338 OPT_FWD_OUT_POLICIES = (1<<4),
339
340 /** Force 96-bit truncation for SHA-256 */
341 OPT_SHA256_96 = (1<<5),
342
343 /** Set mark on inbound SAs */
344 OPT_MARK_IN_SA = (1<<6),
345
346 /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
347 OPT_NO_COPY_DF = (1<<7),
348
349 /** Disable copying the ECN header field in tunnel mode */
350 OPT_NO_COPY_ECN = (1<<8),
351 };
352
353 /**
354 * Data passed to the constructor of a child_cfg_t object.
355 */
356 struct child_cfg_create_t {
357 /** Options set for CHILD_SA */
358 child_cfg_option_t options;
359 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
360 uint32_t reqid;
361 /** Optional inbound interface ID */
362 uint32_t if_id_in;
363 /** Optional outbound interface ID */
364 uint32_t if_id_out;
365 /** Optional inbound mark */
366 mark_t mark_in;
367 /** Optional outbound mark */
368 mark_t mark_out;
369 /** Optional inbound mark the SA should apply to traffic */
370 mark_t set_mark_in;
371 /** Optional outbound mark the SA should apply to traffic */
372 mark_t set_mark_out;
373 /** Mode to propose for CHILD_SA */
374 ipsec_mode_t mode;
375 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
376 uint32_t tfc;
377 /** Optional manually-set IPsec policy priority */
378 uint32_t priority;
379 /** Optional network interface restricting IPsec policy (cloned) */
380 char *interface;
381 /** lifetime_cfg_t for this child_cfg */
382 lifetime_cfg_t lifetime;
383 /** Inactivity timeout in s before closing a CHILD_SA */
384 uint32_t inactivity;
385 /** Start action */
386 action_t start_action;
387 /** DPD action */
388 action_t dpd_action;
389 /** Close action */
390 action_t close_action;
391 /** updown script to execute on up/down event (cloned) */
392 char *updown;
393 /** HW offload mode */
394 hw_offload_t hw_offload;
395 /** How to handle the DS header field in tunnel mode */
396 dscp_copy_t copy_dscp;
397 };
398
399 /**
400 * Create a configuration template for CHILD_SA setup.
401 *
402 * After a call to create, a reference is obtained (refcount = 1).
403 *
404 * @param name name of the child_cfg (cloned)
405 * @param data data for this child_cfg
406 * @return child_cfg_t object
407 */
408 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
409
410 #endif /** CHILD_CFG_H_ @}*/