kernel: Add option to control DS field behavior
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2016 Andreas Steffen
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
27 typedef enum action_t action_t;
28 typedef enum child_cfg_option_t child_cfg_option_t;
29 typedef struct child_cfg_t child_cfg_t;
30 typedef struct child_cfg_create_t child_cfg_create_t;
31
32 #include <library.h>
33 #include <selectors/traffic_selector.h>
34 #include <crypto/proposal/proposal.h>
35 #include <kernel/kernel_ipsec.h>
36
37 /**
38 * Action to take when connection is loaded, DPD is detected or
39 * connection gets closed by peer.
40 */
41 enum action_t {
42 /** No action */
43 ACTION_NONE,
44 /** Route config to establish or reestablish on demand */
45 ACTION_ROUTE,
46 /** Start or restart config immediately */
47 ACTION_RESTART,
48 };
49
50 /**
51 * enum names for action_t.
52 */
53 extern enum_name_t *action_names;
54
55 /**
56 * A child_cfg_t defines the config template for a CHILD_SA.
57 *
58 * After creation, proposals and traffic selectors may be added to the config.
59 * A child_cfg object is referenced multiple times, and is not thread save.
60 * Reading from the object is save, adding things is not allowed while other
61 * threads may access the object.
62 * A reference counter handles the number of references hold to this config.
63 *
64 * @see peer_cfg_t to get an overview over the configurations.
65 */
66 struct child_cfg_t {
67
68 /**
69 * Get the name of the child_cfg.
70 *
71 * @return child_cfg's name
72 */
73 char *(*get_name) (child_cfg_t *this);
74
75 /**
76 * Add a proposal to the list.
77 *
78 * The proposals are stored by priority, first added
79 * is the most preferred. It is safe to add NULL as proposal, which has no
80 * effect. After add, proposal is owned by child_cfg.
81 *
82 * @param proposal proposal to add, or NULL
83 */
84 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
85
86 /**
87 * Get the list of proposals for the CHILD_SA.
88 *
89 * Resulting list and all of its proposals must be freed after use.
90 *
91 * @param strip_dh TRUE strip out diffie hellman groups
92 * @return list of proposals
93 */
94 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
95
96 /**
97 * Select a proposal from a supplied list.
98 *
99 * Returned propsal is newly created and must be destroyed after usage.
100 *
101 * @param proposals list from which proposals are selected
102 * @param strip_dh TRUE strip out diffie hellman groups
103 * @param private accept algorithms from a private range
104 * @param prefer_self whether to prefer configured or supplied proposals
105 * @return selected proposal, or NULL if nothing matches
106 */
107 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
108 bool strip_dh, bool private,
109 bool prefer_self);
110
111 /**
112 * Add a traffic selector to the config.
113 *
114 * Use the "local" parameter to add it for the local or the remote side.
115 * After add, traffic selector is owned by child_cfg.
116 *
117 * @param local TRUE for local side, FALSE for remote
118 * @param ts traffic_selector to add
119 */
120 void (*add_traffic_selector)(child_cfg_t *this, bool local,
121 traffic_selector_t *ts);
122
123 /**
124 * Get a list of traffic selectors to use for the CHILD_SA.
125 *
126 * The config contains two set of traffic selectors, one for the local
127 * side, one for the remote side.
128 * If a list with traffic selectors is supplied, these are used to narrow
129 * down the traffic selector list to the greatest common divisor.
130 * Some traffic selector may be "dymamic", meaning they are narrowed down
131 * to a specific address (host-to-host or virtual-IP setups). Use
132 * the "host" parameter to narrow such traffic selectors to that address.
133 * Resulted list and its traffic selectors must be destroyed after use.
134 *
135 * @param local TRUE for TS on local side, FALSE for remote
136 * @param supplied list with TS to select from, or NULL
137 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
138 * @param log FALSE to avoid logging details about the selection
139 * @return list containing the traffic selectors
140 */
141 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
142 linked_list_t *supplied,
143 linked_list_t *hosts, bool log);
144
145 /**
146 * Get the updown script to run for the CHILD_SA.
147 *
148 * @return path to updown script
149 */
150 char* (*get_updown)(child_cfg_t *this);
151
152 /**
153 * Get the lifetime configuration of a CHILD_SA.
154 *
155 * The rekey limits automatically contain a jitter to avoid simultaneous
156 * rekeying. These values will change with each call to this function.
157 *
158 * @param jitter subtract jitter value to randomize lifetimes
159 * @return lifetime_cfg_t (has to be freed)
160 */
161 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
162
163 /**
164 * Get the mode to use for the CHILD_SA.
165 *
166 * The mode is either tunnel, transport or BEET. The peer must agree
167 * on the method, fallback is tunnel mode.
168 *
169 * @return ipsec mode
170 */
171 ipsec_mode_t (*get_mode) (child_cfg_t *this);
172
173 /**
174 * Action to take to start CHILD_SA.
175 *
176 * @return start action
177 */
178 action_t (*get_start_action) (child_cfg_t *this);
179
180 /**
181 * Action to take on DPD.
182 *
183 * @return DPD action
184 */
185 action_t (*get_dpd_action) (child_cfg_t *this);
186
187 /**
188 * Get the HW offload mode to use for the CHILD_SA.
189 *
190 * @return hw offload mode
191 */
192 hw_offload_t (*get_hw_offload) (child_cfg_t *this);
193
194 /**
195 * Get the copy mode for the DS header field to use for the CHILD_SA.
196 *
197 * @return IP header copy mode
198 */
199 dscp_copy_t (*get_copy_dscp) (child_cfg_t *this);
200
201 /**
202 * Action to take if CHILD_SA gets closed.
203 *
204 * @return close action
205 */
206 action_t (*get_close_action) (child_cfg_t *this);
207
208 /**
209 * Get the DH group to use for CHILD_SA setup.
210 *
211 * @return dh group to use
212 */
213 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
214
215 /**
216 * Get the inactivity timeout value.
217 *
218 * @return inactivity timeout in s
219 */
220 uint32_t (*get_inactivity)(child_cfg_t *this);
221
222 /**
223 * Specific reqid to use for CHILD_SA.
224 *
225 * @return reqid
226 */
227 uint32_t (*get_reqid)(child_cfg_t *this);
228
229 /**
230 * Optional mark for CHILD_SA.
231 *
232 * @param inbound TRUE for inbound, FALSE for outbound
233 * @return mark
234 */
235 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
236
237 /**
238 * Get the TFC padding value to use for CHILD_SA.
239 *
240 * @return TFC padding, 0 to disable, -1 for MTU
241 */
242 uint32_t (*get_tfc)(child_cfg_t *this);
243
244 /**
245 * Get optional manually-set IPsec policy priority
246 *
247 * @return manually-set IPsec policy priority (automatic if 0)
248 */
249 uint32_t (*get_manual_prio)(child_cfg_t *this);
250
251 /**
252 * Get optional network interface restricting IPsec policy
253 *
254 * @return network interface)
255 */
256 char* (*get_interface)(child_cfg_t *this);
257
258 /**
259 * Get anti-replay window size
260 *
261 * @return anti-replay window size
262 */
263 uint32_t (*get_replay_window)(child_cfg_t *this);
264
265 /**
266 * Set anti-replay window size
267 *
268 * @param window anti-replay window size
269 */
270 void (*set_replay_window)(child_cfg_t *this, uint32_t window);
271
272 /**
273 * Check if an option flag is set.
274 *
275 * @param option option flag to check
276 * @return TRUE if option flag set, FALSE otherwise
277 */
278 bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
279
280 /**
281 * Check if two child_cfg objects are equal.
282 *
283 * @param other candidate to check for equality against this
284 * @return TRUE if equal
285 */
286 bool (*equals)(child_cfg_t *this, child_cfg_t *other);
287
288 /**
289 * Increase the reference count.
290 *
291 * @return reference to this
292 */
293 child_cfg_t* (*get_ref) (child_cfg_t *this);
294
295 /**
296 * Destroys the child_cfg object.
297 *
298 * Decrements the internal reference counter and
299 * destroys the child_cfg when it reaches zero.
300 */
301 void (*destroy) (child_cfg_t *this);
302 };
303
304 /**
305 * Option flags that may be set on a child_cfg_t object
306 */
307 enum child_cfg_option_t {
308
309 /** Use IPsec transport proxy mode */
310 OPT_PROXY_MODE = (1<<0),
311
312 /** Use IPComp, if peer supports it */
313 OPT_IPCOMP = (1<<1),
314
315 /** Allow access to the local host */
316 OPT_HOSTACCESS = (1<<2),
317
318 /** Don't install any IPsec policies */
319 OPT_NO_POLICIES = (1<<3),
320
321 /** Install outbound FWD IPsec policies to bypass drop policies */
322 OPT_FWD_OUT_POLICIES = (1<<4),
323
324 /** Force 96-bit truncation for SHA-256 */
325 OPT_SHA256_96 = (1<<5),
326
327 /** Set mark on inbound SAs */
328 OPT_MARK_IN_SA = (1<<6),
329
330 /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
331 OPT_NO_COPY_DF = (1<<7),
332
333 /** Disable copying the ECN header field in tunnel mode */
334 OPT_NO_COPY_ECN = (1<<8),
335 };
336
337 /**
338 * Data passed to the constructor of a child_cfg_t object.
339 */
340 struct child_cfg_create_t {
341 /** Options set for CHILD_SA */
342 child_cfg_option_t options;
343 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
344 uint32_t reqid;
345 /** Optional inbound mark */
346 mark_t mark_in;
347 /** Optional outbound mark */
348 mark_t mark_out;
349 /** Mode to propose for CHILD_SA */
350 ipsec_mode_t mode;
351 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
352 uint32_t tfc;
353 /** Optional manually-set IPsec policy priority */
354 uint32_t priority;
355 /** Optional network interface restricting IPsec policy (cloned) */
356 char *interface;
357 /** lifetime_cfg_t for this child_cfg */
358 lifetime_cfg_t lifetime;
359 /** Inactivity timeout in s before closing a CHILD_SA */
360 uint32_t inactivity;
361 /** Start action */
362 action_t start_action;
363 /** DPD action */
364 action_t dpd_action;
365 /** Close action */
366 action_t close_action;
367 /** updown script to execute on up/down event (cloned) */
368 char *updown;
369 /** HW offload mode */
370 hw_offload_t hw_offload;
371 /** How to handle the DS header field in tunnel mode */
372 dscp_copy_t copy_dscp;
373 };
374
375 /**
376 * Create a configuration template for CHILD_SA setup.
377 *
378 * After a call to create, a reference is obtained (refcount = 1).
379 *
380 * @param name name of the child_cfg (cloned)
381 * @param data data for this child_cfg
382 * @return child_cfg_t object
383 */
384 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
385
386 #endif /** CHILD_CFG_H_ @}*/