kernel-netlink: Support extended table IDs for custom routes
[strongswan.git] / src / libcharon / kernel / kernel_interface.h
1 /*
2 * Copyright (C) 2006-2016 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2012 Nanoteq Pty Ltd
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 /**
42 * @defgroup kernel_interface kernel_interface
43 * @{ @ingroup kernel
44 */
45
46 #ifndef KERNEL_INTERFACE_H_
47 #define KERNEL_INTERFACE_H_
48
49 typedef struct kernel_interface_t kernel_interface_t;
50 typedef enum kernel_feature_t kernel_feature_t;
51
52 #include <networking/host.h>
53 #include <crypto/prf_plus.h>
54
55 #include <kernel/kernel_listener.h>
56 #include <kernel/kernel_ipsec.h>
57 #include <kernel/kernel_net.h>
58
59 /**
60 * Default range for SPIs requested from kernels
61 */
62 #define KERNEL_SPI_MIN 0xc0000000
63 #define KERNEL_SPI_MAX 0xcfffffff
64
65 /**
66 * Bitfield of optional features a kernel backend supports.
67 *
68 * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
69 * backend returns a subset of these features.
70 */
71 enum kernel_feature_t {
72 /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */
73 KERNEL_ESP_V3_TFC = (1<<0),
74 /** Networking requires an "exclude" route for IKE/ESP packets */
75 KERNEL_REQUIRE_EXCLUDE_ROUTE = (1<<1),
76 /** IPsec implementation requires UDP encapsulation of ESP packets */
77 KERNEL_REQUIRE_UDP_ENCAPSULATION = (1<<2),
78 /** IPsec backend does not require a policy reinstall on SA updates */
79 KERNEL_NO_POLICY_UPDATES = (1<<3),
80 /** IPsec backend supports installing SPIs on policies */
81 KERNEL_POLICY_SPI = (1<<4),
82 };
83
84 /**
85 * Constructor function for ipsec kernel interface
86 */
87 typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void);
88
89 /**
90 * Constructor function for network kernel interface
91 */
92 typedef kernel_net_t* (*kernel_net_constructor_t)(void);
93
94 /**
95 * Manager and wrapper for different kernel interfaces.
96 *
97 * The kernel interface handles the communication with the kernel
98 * for SA and policy management and interface and IP address management.
99 */
100 struct kernel_interface_t {
101
102 /**
103 * Get the feature set supported by the net and ipsec kernel backends.
104 *
105 * @return ORed feature-set of backends
106 */
107 kernel_feature_t (*get_features)(kernel_interface_t *this);
108
109 /**
110 * Get a SPI from the kernel.
111 *
112 * @param src source address of SA
113 * @param dst destination address of SA
114 * @param protocol protocol for SA (ESP/AH)
115 * @param spi allocated spi
116 * @return SUCCESS if operation completed
117 */
118 status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
119 uint8_t protocol, uint32_t *spi);
120
121 /**
122 * Get a Compression Parameter Index (CPI) from the kernel.
123 *
124 * @param src source address of SA
125 * @param dst destination address of SA
126 * @param cpi allocated cpi
127 * @return SUCCESS if operation completed
128 */
129 status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
130 uint16_t *cpi);
131
132 /**
133 * Allocate or confirm a reqid to use for a given SA pair.
134 *
135 * Each returned reqid by a successful call to alloc_reqid() must be
136 * released using release_reqid().
137 *
138 * The reqid parameter is an in/out parameter. If it points to non-zero,
139 * the reqid is confirmed and registered for use. If it points to zero,
140 * a reqid is allocated for the given selectors, and returned to reqid.
141 *
142 * @param local_ts traffic selectors of local side for SA
143 * @param remote_ts traffic selectors of remote side for SA
144 * @param mark_in inbound mark on SA
145 * @param mark_out outbound mark on SA
146 * @param if_id_in inbound interface ID on SA
147 * @param if_id_out outbound interface ID on SA
148 * @param reqid allocated reqid
149 * @return SUCCESS if reqid allocated
150 */
151 status_t (*alloc_reqid)(kernel_interface_t *this,
152 linked_list_t *local_ts, linked_list_t *remote_ts,
153 mark_t mark_in, mark_t mark_out, uint32_t if_id_in,
154 uint32_t if_id_out, uint32_t *reqid);
155
156 /**
157 * Release a previously allocated reqid.
158 *
159 * @param reqid reqid to release
160 * @param mark_in inbound mark on SA
161 * @param mark_out outbound mark on SA
162 * @param if_id_in inbound interface ID on SA
163 * @param if_id_out outbound interface ID on SA
164 * @return SUCCESS if reqid released
165 */
166 status_t (*release_reqid)(kernel_interface_t *this, uint32_t reqid,
167 mark_t mark_in, mark_t mark_out,
168 uint32_t if_id_in, uint32_t if_id_out);
169
170 /**
171 * Add an SA to the SAD.
172 *
173 * This function does install a single SA for a single protocol in one
174 * direction.
175 *
176 * @param id data identifying this SA
177 * @param data data for this SA
178 * @return SUCCESS if operation completed
179 */
180 status_t (*add_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
181 kernel_ipsec_add_sa_t *data);
182
183 /**
184 * Update the hosts on an installed SA.
185 *
186 * We cannot directly update the destination address as the kernel
187 * requires the spi, the protocol AND the destination address (and family)
188 * to identify SAs. Therefore if the destination address changed we
189 * create a new SA and delete the old one.
190 *
191 * @param id data identifying this SA
192 * @param data updated data for this SA
193 * @return SUCCESS if operation completed, NOT_SUPPORTED if
194 * the kernel interface can't update the SA
195 */
196 status_t (*update_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
197 kernel_ipsec_update_sa_t *data);
198
199 /**
200 * Query the number of bytes processed by an SA from the SAD.
201 *
202 * @param id data identifying this SA
203 * @param data data to query the SA
204 * @param[out] bytes the number of bytes processed by SA
205 * @param[out] packets number of packets processed by SA
206 * @param[out] time last (monotonic) time of SA use
207 * @return SUCCESS if operation completed
208 */
209 status_t (*query_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
210 kernel_ipsec_query_sa_t *data, uint64_t *bytes,
211 uint64_t *packets, time_t *time);
212
213 /**
214 * Delete a previously installed SA from the SAD.
215 *
216 * @param id data identifying this SA
217 * @param data data to delete the SA
218 * @return SUCCESS if operation completed
219 */
220 status_t (*del_sa)(kernel_interface_t *this, kernel_ipsec_sa_id_t *id,
221 kernel_ipsec_del_sa_t *data);
222
223 /**
224 * Flush all SAs from the SAD.
225 *
226 * @return SUCCESS if operation completed
227 */
228 status_t (*flush_sas)(kernel_interface_t *this);
229
230 /**
231 * Add a policy to the SPD.
232 *
233 * @param id data identifying this policy
234 * @param data data for this policy
235 * @return SUCCESS if operation completed
236 */
237 status_t (*add_policy)(kernel_interface_t *this,
238 kernel_ipsec_policy_id_t *id,
239 kernel_ipsec_manage_policy_t *data);
240
241 /**
242 * Query the use time of a policy.
243 *
244 * The use time of a policy is the time the policy was used
245 * for the last time.
246 *
247 * @param id data identifying this policy
248 * @param data data to query the policy
249 * @param[out] use_time the monotonic timestamp of this SA's last use
250 * @return SUCCESS if operation completed
251 */
252 status_t (*query_policy)(kernel_interface_t *this,
253 kernel_ipsec_policy_id_t *id,
254 kernel_ipsec_query_policy_t *data,
255 time_t *use_time);
256
257 /**
258 * Remove a policy from the SPD.
259 *
260 * @param id data identifying this policy
261 * @param data data for this policy
262 * @return SUCCESS if operation completed
263 */
264 status_t (*del_policy)(kernel_interface_t *this,
265 kernel_ipsec_policy_id_t *id,
266 kernel_ipsec_manage_policy_t *data);
267
268 /**
269 * Flush all policies from the SPD.
270 *
271 * @return SUCCESS if operation completed
272 */
273 status_t (*flush_policies)(kernel_interface_t *this);
274
275 /**
276 * Get our outgoing source address for a destination.
277 *
278 * Does a route lookup to get the source address used to reach dest.
279 * The returned host is allocated and must be destroyed.
280 * An optional src address can be used to check if a route is available
281 * for the given source to dest.
282 *
283 * @param dest target destination address
284 * @param src source address to check, or NULL
285 * @return outgoing source address, NULL if unreachable
286 */
287 host_t* (*get_source_addr)(kernel_interface_t *this,
288 host_t *dest, host_t *src);
289
290 /**
291 * Get the next hop for a destination.
292 *
293 * Does a route lookup to get the next hop used to reach dest.
294 * The returned host is allocated and must be destroyed.
295 * An optional src address can be used to check if a route is available
296 * for the given source to dest.
297 *
298 * @param dest target destination address
299 * @param prefix prefix length if dest is a subnet, -1 for auto
300 * @param src source address to check, or NULL
301 * @param[out] iface allocated name of the interface to reach dest, if
302 * available (optional)
303 * @return next hop address, NULL if unreachable
304 */
305 host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest,
306 int prefix, host_t *src, char **iface);
307
308 /**
309 * Get the interface name of a local address. Interfaces that are down or
310 * ignored by config are not considered.
311 *
312 * @param host address to get interface name from
313 * @param name allocated interface name (optional)
314 * @return TRUE if interface found and usable
315 */
316 bool (*get_interface)(kernel_interface_t *this, host_t *host, char **name);
317
318 /**
319 * Creates an enumerator over all local addresses.
320 *
321 * This function blocks an internal cached address list until the
322 * enumerator gets destroyed.
323 * The hosts are read-only, do not modify of free.
324 *
325 * @param which a combination of address types to enumerate
326 * @return enumerator over host_t's
327 */
328 enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
329 kernel_address_type_t which);
330
331 /**
332 * Creates an enumerator over all local subnets.
333 *
334 * Local subnets are subnets the host is directly connected to.
335 *
336 * The enumerator returns the network, subnet mask and interface.
337 *
338 * @return enumerator over host_t*, uint8_t, char*
339 */
340 enumerator_t *(*create_local_subnet_enumerator)(kernel_interface_t *this);
341
342 /**
343 * Add a virtual IP to an interface.
344 *
345 * Virtual IPs are attached to an interface. If an IP is added multiple
346 * times, the IP is refcounted and not removed until del_ip() was called
347 * as many times as add_ip().
348 *
349 * @param virtual_ip virtual ip address to assign
350 * @param prefix prefix length to install IP with, -1 for auto
351 * @param iface interface to install virtual IP on
352 * @return SUCCESS if operation completed
353 */
354 status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, int prefix,
355 char *iface);
356
357 /**
358 * Remove a virtual IP from an interface.
359 *
360 * The kernel interface uses refcounting, see add_ip().
361 *
362 * @param virtual_ip virtual ip address to remove
363 * @param prefix prefix length of the IP to uninstall, -1 for auto
364 * @param wait TRUE to wait untily IP is gone
365 * @return SUCCESS if operation completed
366 */
367 status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
368 int prefix, bool wait);
369
370 /**
371 * Add a route.
372 *
373 * @param dst_net destination net
374 * @param prefixlen destination net prefix length
375 * @param gateway gateway for this route
376 * @param src_ip source ip of the route
377 * @param if_name name of the interface the route is bound to
378 * @return SUCCESS if operation completed
379 * ALREADY_DONE if the route already exists
380 */
381 status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net,
382 uint8_t prefixlen, host_t *gateway, host_t *src_ip,
383 char *if_name);
384
385 /**
386 * Delete a route.
387 *
388 * @param dst_net destination net
389 * @param prefixlen destination net prefix length
390 * @param gateway gateway for this route
391 * @param src_ip source ip of the route
392 * @param if_name name of the interface the route is bound to
393 * @return SUCCESS if operation completed
394 */
395 status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net,
396 uint8_t prefixlen, host_t *gateway, host_t *src_ip,
397 char *if_name);
398
399 /**
400 * Set up a bypass policy for a given socket.
401 *
402 * @param fd socket file descriptor to setup policy for
403 * @param family protocol family of the socket
404 * @return TRUE if policy set up successfully
405 */
406 bool (*bypass_socket)(kernel_interface_t *this, int fd, int family);
407
408 /**
409 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
410 *
411 * @param fd socket file descriptor
412 * @param family protocol family of the socket
413 * @param port the UDP port
414 * @return TRUE if UDP decapsulation was enabled successfully
415 */
416 bool (*enable_udp_decap)(kernel_interface_t *this, int fd, int family,
417 uint16_t port);
418
419
420 /**
421 * manager methods
422 */
423
424 /**
425 * Verifies that the given interface is usable and not excluded by
426 * configuration.
427 *
428 * @param iface interface name
429 * @return TRUE if usable
430 */
431 bool (*is_interface_usable)(kernel_interface_t *this, const char *iface);
432
433 /**
434 * Check if interfaces are excluded by config.
435 *
436 * @return TRUE if no interfaces are exclued by config
437 */
438 bool (*all_interfaces_usable)(kernel_interface_t *this);
439
440 /**
441 * Tries to find an IP address of a local interface that is included in the
442 * supplied traffic selector.
443 *
444 * @param ts traffic selector
445 * @param ip returned IP address (has to be destroyed)
446 * @param vip set to TRUE if returned address is a virtual IP
447 * @return SUCCESS if address found
448 */
449 status_t (*get_address_by_ts)(kernel_interface_t *this,
450 traffic_selector_t *ts, host_t **ip, bool *vip);
451
452 /**
453 * Register an ipsec kernel interface constructor on the manager.
454 *
455 * @param create constructor to register
456 * @return TRUE if the ipsec kernel interface was registered
457 * successfully, FALSE if an interface was already
458 * registered or the registration failed
459 */
460 bool (*add_ipsec_interface)(kernel_interface_t *this,
461 kernel_ipsec_constructor_t create);
462
463 /**
464 * Unregister an ipsec kernel interface constructor.
465 *
466 * @param create constructor to unregister
467 * @return TRUE if the ipsec kernel interface was unregistered
468 * successfully, FALSE otherwise
469 */
470 bool (*remove_ipsec_interface)(kernel_interface_t *this,
471 kernel_ipsec_constructor_t create);
472
473 /**
474 * Register a network kernel interface constructor on the manager.
475 *
476 * @param create constructor to register
477 * @return TRUE if the kernel net interface was registered
478 * successfully, FALSE if an interface was already
479 * registered or the registration failed
480 */
481 bool (*add_net_interface)(kernel_interface_t *this,
482 kernel_net_constructor_t create);
483
484 /**
485 * Unregister a network kernel interface constructor.
486 *
487 * @param create constructor to unregister
488 * @return TRUE if the kernel net interface was unregistered
489 * successfully, FALSE otherwise
490 */
491 bool (*remove_net_interface)(kernel_interface_t *this,
492 kernel_net_constructor_t create);
493
494 /**
495 * Add a listener to the kernel interface.
496 *
497 * @param listener listener to add
498 */
499 void (*add_listener)(kernel_interface_t *this,
500 kernel_listener_t *listener);
501
502 /**
503 * Remove a listener from the kernel interface.
504 *
505 * @param listener listener to remove
506 */
507 void (*remove_listener)(kernel_interface_t *this,
508 kernel_listener_t *listener);
509
510 /**
511 * Raise an acquire event.
512 *
513 * @param reqid reqid of the policy to acquire
514 * @param src_ts source traffic selector
515 * @param dst_ts destination traffic selector
516 */
517 void (*acquire)(kernel_interface_t *this, uint32_t reqid,
518 traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
519
520 /**
521 * Raise an expire event.
522 *
523 * @param protocol protocol of the expired SA
524 * @param spi spi of the expired SA
525 * @param dst destination address of expired SA
526 * @param hard TRUE if it is a hard expire, FALSE otherwise
527 */
528 void (*expire)(kernel_interface_t *this, uint8_t protocol, uint32_t spi,
529 host_t *dst, bool hard);
530
531 /**
532 * Raise a mapping event.
533 *
534 * @param protocol protocol of affected SA
535 * @param spi spi of the SA
536 * @param dst original destination address of SA
537 * @param remote new remote host
538 */
539 void (*mapping)(kernel_interface_t *this, uint8_t protocol, uint32_t spi,
540 host_t *dst, host_t *remote);
541
542 /**
543 * Raise a migrate event.
544 *
545 * @param reqid reqid of the policy
546 * @param src_ts source traffic selector
547 * @param dst_ts destination traffic selector
548 * @param direction direction of the policy (in|out)
549 * @param local local host address to be used in the IKE_SA
550 * @param remote remote host address to be used in the IKE_SA
551 */
552 void (*migrate)(kernel_interface_t *this, uint32_t reqid,
553 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
554 policy_dir_t direction, host_t *local, host_t *remote);
555
556 /**
557 * Raise a roam event.
558 *
559 * @param address TRUE if address list, FALSE if routing changed
560 */
561 void (*roam)(kernel_interface_t *this, bool address);
562
563 /**
564 * Raise a tun event.
565 *
566 * @param tun TUN device
567 * @param created TRUE if created, FALSE if going to be destroyed
568 */
569 void (*tun)(kernel_interface_t *this, tun_device_t *tun, bool created);
570
571 /**
572 * Register a new algorithm with the kernel interface.
573 *
574 * @param alg_id the IKE id of the algorithm
575 * @param type the transform type of the algorithm
576 * @param kernel_id the kernel id of the algorithm
577 * @param kernel_name the kernel name of the algorithm
578 */
579 void (*register_algorithm)(kernel_interface_t *this, uint16_t alg_id,
580 transform_type_t type, uint16_t kernel_id,
581 char *kernel_name);
582
583 /**
584 * Return the kernel-specific id and/or name for an algorithms depending on
585 * the arguments specified.
586 *
587 * @param alg_id the IKE id of the algorithm
588 * @param type the transform type of the algorithm
589 * @param kernel_id the kernel id of the algorithm (optional)
590 * @param kernel_name the kernel name of the algorithm (optional)
591 * @return TRUE if algorithm was found
592 */
593 bool (*lookup_algorithm)(kernel_interface_t *this, uint16_t alg_id,
594 transform_type_t type, uint16_t *kernel_id,
595 char **kernel_name);
596
597 /**
598 * Destroys a kernel_interface_t object.
599 */
600 void (*destroy) (kernel_interface_t *this);
601 };
602
603 /**
604 * Creates an object of type kernel_interface_t.
605 */
606 kernel_interface_t *kernel_interface_create(void);
607
608 #endif /** KERNEL_INTERFACE_H_ @}*/