child-cfg: Add setting that controls whether outbound FWD policies are installed
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2016 Andreas Steffen
3 * Copyright (C) 2008-2016 Tobias Brunner
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
27 typedef enum action_t action_t;
28 typedef struct child_cfg_t child_cfg_t;
29 typedef struct child_cfg_create_t child_cfg_create_t;
30
31 #include <library.h>
32 #include <selectors/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <kernel/kernel_ipsec.h>
35
36 /**
37 * Action to take when connection is loaded, DPD is detected or
38 * connection gets closed by peer.
39 */
40 enum action_t {
41 /** No action */
42 ACTION_NONE,
43 /** Route config to establish or reestablish on demand */
44 ACTION_ROUTE,
45 /** Start or restart config immediately */
46 ACTION_RESTART,
47 };
48
49 /**
50 * enum names for action_t.
51 */
52 extern enum_name_t *action_names;
53
54 /**
55 * A child_cfg_t defines the config template for a CHILD_SA.
56 *
57 * After creation, proposals and traffic selectors may be added to the config.
58 * A child_cfg object is referenced multiple times, and is not thread save.
59 * Reading from the object is save, adding things is not allowed while other
60 * threads may access the object.
61 * A reference counter handles the number of references hold to this config.
62 *
63 * @see peer_cfg_t to get an overview over the configurations.
64 */
65 struct child_cfg_t {
66
67 /**
68 * Get the name of the child_cfg.
69 *
70 * @return child_cfg's name
71 */
72 char *(*get_name) (child_cfg_t *this);
73
74 /**
75 * Add a proposal to the list.
76 *
77 * The proposals are stored by priority, first added
78 * is the most preferred. It is safe to add NULL as proposal, which has no
79 * effect. After add, proposal is owned by child_cfg.
80 *
81 * @param proposal proposal to add, or NULL
82 */
83 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
84
85 /**
86 * Get the list of proposals for the CHILD_SA.
87 *
88 * Resulting list and all of its proposals must be freed after use.
89 *
90 * @param strip_dh TRUE strip out diffie hellman groups
91 * @return list of proposals
92 */
93 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
94
95 /**
96 * Select a proposal from a supplied list.
97 *
98 * Returned propsal is newly created and must be destroyed after usage.
99 *
100 * @param proposals list from which proposals are selected
101 * @param strip_dh TRUE strip out diffie hellman groups
102 * @param private accept algorithms from a private range
103 * @param prefer_self whether to prefer configured or supplied proposals
104 * @return selected proposal, or NULL if nothing matches
105 */
106 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
107 bool strip_dh, bool private,
108 bool prefer_self);
109
110 /**
111 * Add a traffic selector to the config.
112 *
113 * Use the "local" parameter to add it for the local or the remote side.
114 * After add, traffic selector is owned by child_cfg.
115 *
116 * @param local TRUE for local side, FALSE for remote
117 * @param ts traffic_selector to add
118 */
119 void (*add_traffic_selector)(child_cfg_t *this, bool local,
120 traffic_selector_t *ts);
121
122 /**
123 * Get a list of traffic selectors to use for the CHILD_SA.
124 *
125 * The config contains two set of traffic selectors, one for the local
126 * side, one for the remote side.
127 * If a list with traffic selectors is supplied, these are used to narrow
128 * down the traffic selector list to the greatest common divisor.
129 * Some traffic selector may be "dymamic", meaning they are narrowed down
130 * to a specific address (host-to-host or virtual-IP setups). Use
131 * the "host" parameter to narrow such traffic selectors to that address.
132 * Resulted list and its traffic selectors must be destroyed after use.
133 *
134 * @param local TRUE for TS on local side, FALSE for remote
135 * @param supplied list with TS to select from, or NULL
136 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
137 * @return list containing the traffic selectors
138 */
139 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
140 linked_list_t *supplied,
141 linked_list_t *hosts);
142 /**
143 * Get the updown script to run for the CHILD_SA.
144 *
145 * @return path to updown script
146 */
147 char* (*get_updown)(child_cfg_t *this);
148
149 /**
150 * Should we allow access to the local host (gateway)?
151 *
152 * @return value of hostaccess flag
153 */
154 bool (*get_hostaccess) (child_cfg_t *this);
155
156 /**
157 * Get the lifetime configuration of a CHILD_SA.
158 *
159 * The rekey limits automatically contain a jitter to avoid simultaneous
160 * rekeying. These values will change with each call to this function.
161 *
162 * @param jitter subtract jitter value to randomize lifetimes
163 * @return lifetime_cfg_t (has to be freed)
164 */
165 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
166
167 /**
168 * Get the mode to use for the CHILD_SA.
169 *
170 * The mode is either tunnel, transport or BEET. The peer must agree
171 * on the method, fallback is tunnel mode.
172 *
173 * @return ipsec mode
174 */
175 ipsec_mode_t (*get_mode) (child_cfg_t *this);
176
177 /**
178 * Action to take to start CHILD_SA.
179 *
180 * @return start action
181 */
182 action_t (*get_start_action) (child_cfg_t *this);
183
184 /**
185 * Action to take on DPD.
186 *
187 * @return DPD action
188 */
189 action_t (*get_dpd_action) (child_cfg_t *this);
190
191 /**
192 * Action to take if CHILD_SA gets closed.
193 *
194 * @return close action
195 */
196 action_t (*get_close_action) (child_cfg_t *this);
197
198 /**
199 * Get the DH group to use for CHILD_SA setup.
200 *
201 * @return dh group to use
202 */
203 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
204
205 /**
206 * Check whether IPComp should be used, if the other peer supports it.
207 *
208 * @return TRUE, if IPComp should be used
209 * FALSE, otherwise
210 */
211 bool (*use_ipcomp)(child_cfg_t *this);
212
213 /**
214 * Get the inactivity timeout value.
215 *
216 * @return inactivity timeout in s
217 */
218 uint32_t (*get_inactivity)(child_cfg_t *this);
219
220 /**
221 * Specific reqid to use for CHILD_SA.
222 *
223 * @return reqid
224 */
225 uint32_t (*get_reqid)(child_cfg_t *this);
226
227 /**
228 * Optional mark for CHILD_SA.
229 *
230 * @param inbound TRUE for inbound, FALSE for outbound
231 * @return mark
232 */
233 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
234
235 /**
236 * Get the TFC padding value to use for CHILD_SA.
237 *
238 * @return TFC padding, 0 to disable, -1 for MTU
239 */
240 uint32_t (*get_tfc)(child_cfg_t *this);
241
242 /**
243 * Get optional manually-set IPsec policy priority
244 *
245 * @return manually-set IPsec policy priority (automatic if 0)
246 */
247 uint32_t (*get_manual_prio)(child_cfg_t *this);
248
249 /**
250 * Get optional network interface restricting IPsec policy
251 *
252 * @return network interface)
253 */
254 char* (*get_interface)(child_cfg_t *this);
255
256 /**
257 * Get anti-replay window size
258 *
259 * @return anti-replay window size
260 */
261 uint32_t (*get_replay_window)(child_cfg_t *this);
262
263 /**
264 * Set anti-replay window size
265 *
266 * @param window anti-replay window size
267 */
268 void (*set_replay_window)(child_cfg_t *this, uint32_t window);
269
270 /**
271 * Check whether IPsec transport SA should be set up in proxy mode.
272 *
273 * @return TRUE, if proxy mode should be used
274 * FALSE, otherwise
275 */
276 bool (*use_proxy_mode)(child_cfg_t *this);
277
278 /**
279 * Check whether IPsec policies should be installed in the kernel.
280 *
281 * @return TRUE, if IPsec kernel policies should be installed
282 * FALSE, otherwise
283 */
284 bool (*install_policy)(child_cfg_t *this);
285
286 /**
287 * Check whether outbound FWD IPsec policies should be installed.
288 *
289 * @return TRUE, if outbound FWD policies should be installed
290 * FALSE, otherwise
291 */
292 bool (*install_fwd_out_policy)(child_cfg_t *this);
293
294 /**
295 * Check if two child_cfg objects are equal.
296 *
297 * @param other candidate to check for equality against this
298 * @return TRUE if equal
299 */
300 bool (*equals)(child_cfg_t *this, child_cfg_t *other);
301
302 /**
303 * Increase the reference count.
304 *
305 * @return reference to this
306 */
307 child_cfg_t* (*get_ref) (child_cfg_t *this);
308
309 /**
310 * Destroys the child_cfg object.
311 *
312 * Decrements the internal reference counter and
313 * destroys the child_cfg when it reaches zero.
314 */
315 void (*destroy) (child_cfg_t *this);
316 };
317
318
319 /**
320 * Data passed to the constructor of a child_cfg_t object.
321 */
322 struct child_cfg_create_t {
323 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
324 uint32_t reqid;
325 /** Optional inbound mark */
326 mark_t mark_in;
327 /** Optional outbound mark */
328 mark_t mark_out;
329 /** Mode to propose for CHILD_SA */
330 ipsec_mode_t mode;
331 /** Use IPsec transport proxy mode */
332 bool proxy_mode;
333 /** Use IPComp, if peer supports it */
334 bool ipcomp;
335 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
336 uint32_t tfc;
337 /** Optional manually-set IPsec policy priority */
338 uint32_t priority;
339 /** Optional network interface restricting IPsec policy (cloned) */
340 char *interface;
341 /** lifetime_cfg_t for this child_cfg */
342 lifetime_cfg_t lifetime;
343 /** Inactivity timeout in s before closing a CHILD_SA */
344 uint32_t inactivity;
345 /** Start action */
346 action_t start_action;
347 /** DPD action */
348 action_t dpd_action;
349 /** Close action */
350 action_t close_action;
351 /** updown script to execute on up/down event (cloned) */
352 char *updown;
353 /** TRUE to allow access to the local host */
354 bool hostaccess;
355 /** Don't install IPsec policies */
356 bool suppress_policies;
357 /** Install outbound FWD IPsec policies to bypass drop policies */
358 bool fwd_out_policies;
359 };
360
361 /**
362 * Create a configuration template for CHILD_SA setup.
363 *
364 * After a call to create, a reference is obtained (refcount = 1).
365 *
366 * @param name name of the child_cfg (cloned)
367 * @param data data for this child_cfg
368 * @return child_cfg_t object
369 */
370 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
371
372 #endif /** CHILD_CFG_H_ @}*/