Implemented IPsec policies restricted to given network interface
1 /*
2 * Copyright (C) 2016 Andreas Steffen
3 * Copyright (C) 2006-2016 Tobias Brunner
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005-2006 Martin Willi
6 * Copyright (C) 2005 Jan Hutter
7 * HSR Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 /**
21 * @defgroup kernel_ipsec kernel_ipsec
22 * @{ @ingroup kernel
23 */
24
25 #ifndef KERNEL_IPSEC_H_
26 #define KERNEL_IPSEC_H_
27
/* Forward typedefs for every type defined in this header. They are declared
 * before the #includes below, presumably so that headers pulled in there
 * (e.g. kernel/kernel_interface.h) can already name these types — confirm. */
typedef struct kernel_ipsec_t kernel_ipsec_t;
typedef struct kernel_ipsec_sa_id_t kernel_ipsec_sa_id_t;
typedef struct kernel_ipsec_add_sa_t kernel_ipsec_add_sa_t;
typedef struct kernel_ipsec_update_sa_t kernel_ipsec_update_sa_t;
typedef struct kernel_ipsec_query_sa_t kernel_ipsec_query_sa_t;
typedef struct kernel_ipsec_del_sa_t kernel_ipsec_del_sa_t;
typedef struct kernel_ipsec_policy_id_t kernel_ipsec_policy_id_t;
typedef struct kernel_ipsec_manage_policy_t kernel_ipsec_manage_policy_t;
typedef struct kernel_ipsec_query_policy_t kernel_ipsec_query_policy_t;
37
38 #include <networking/host.h>
39 #include <ipsec/ipsec_types.h>
40 #include <selectors/traffic_selector.h>
41 #include <plugins/plugin.h>
42 #include <kernel/kernel_interface.h>
43
/**
 * Data required to identify an SA in the kernel.
 *
 * Passed as the "id" argument of add_sa(), update_sa(), query_sa() and
 * del_sa() on kernel_ipsec_t.
 */
struct kernel_ipsec_sa_id_t {
	/** Source address */
	host_t *src;
	/** Destination address */
	host_t *dst;
	/** Security Parameter Index (SPI) of the SA */
	uint32_t spi;
	/** Protocol (ESP/AH) */
	uint8_t proto;
	/** Optional mark */
	mark_t mark;
};
59
/**
 * Data required to add an SA to the kernel.
 *
 * Passed as the "data" argument of add_sa() on kernel_ipsec_t, together with
 * a kernel_ipsec_sa_id_t identifying the SA.
 */
struct kernel_ipsec_add_sa_t {
	/** Reqid */
	uint32_t reqid;
	/** Mode (tunnel, transport...) */
	ipsec_mode_t mode;
	/** List of source traffic selectors */
	linked_list_t *src_ts;
	/** List of destination traffic selectors */
	linked_list_t *dst_ts;
	/** Network interface restricting policy.
	 *  NOTE(review): ownership/lifetime of the string and whether NULL means
	 *  "no restriction" are not defined here — confirm against the backends. */
	char *interface;
	/** Lifetime configuration */
	lifetime_cfg_t *lifetime;
	/** Encryption algorithm */
	uint16_t enc_alg;
	/** Encryption key material */
	chunk_t enc_key;
	/** Integrity protection algorithm */
	uint16_t int_alg;
	/** Integrity protection key material */
	chunk_t int_key;
	/** Anti-replay window size */
	uint32_t replay_window;
	/** Traffic Flow Confidentiality padding */
	uint32_t tfc;
	/** IPComp transform */
	uint16_t ipcomp;
	/** CPI for IPComp */
	uint16_t cpi;
	/** TRUE to enable UDP encapsulation for NAT traversal */
	bool encap;
	/** TRUE to use Extended Sequence Numbers */
	bool esn;
	/** TRUE if initiator of the exchange creating the SA */
	bool initiator;
	/** TRUE if this is an inbound SA */
	bool inbound;
	/** TRUE if an SPI has already been allocated for this SA (see get_spi()) */
	bool update;
};
103
/**
 * Data required to update the hosts of an SA in the kernel.
 *
 * Passed as the "data" argument of update_sa() on kernel_ipsec_t; the SA
 * itself is selected by the accompanying kernel_ipsec_sa_id_t.
 */
struct kernel_ipsec_update_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
	/** New source address */
	host_t *new_src;
	/** New destination address */
	host_t *new_dst;
	/** TRUE if UDP encapsulation is currently enabled */
	bool encap;
	/** TRUE to enable UDP encapsulation after the update */
	bool new_encap;
};
119
/**
 * Data required to query an SA in the kernel.
 *
 * Passed as the "data" argument of query_sa() on kernel_ipsec_t.
 */
struct kernel_ipsec_query_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
};
126
/**
 * Data required to delete an SA in the kernel.
 *
 * Passed as the "data" argument of del_sa() on kernel_ipsec_t.
 */
struct kernel_ipsec_del_sa_t {
	/** CPI in case IPComp is used */
	uint16_t cpi;
};
134
/**
 * Data identifying a policy in the kernel.
 *
 * Passed as the "id" argument of add_policy(), query_policy() and
 * del_policy() on kernel_ipsec_t.
 */
struct kernel_ipsec_policy_id_t {
	/** Direction of traffic */
	policy_dir_t dir;
	/** Source traffic selector */
	traffic_selector_t *src_ts;
	/** Destination traffic selector */
	traffic_selector_t *dst_ts;
	/** Optional mark */
	mark_t mark;
	/** Network interface restricting policy.
	 *  NOTE(review): part of the policy identity, so the same selectors on a
	 *  different interface presumably denote a distinct policy — confirm. */
	char *interface;
};
150
/**
 * Data required to add/delete a policy to/from the kernel.
 *
 * Passed as the "data" argument of add_policy() and del_policy() on
 * kernel_ipsec_t.
 */
struct kernel_ipsec_manage_policy_t {
	/** Type of policy */
	policy_type_t type;
	/** Priority class */
	policy_priority_t prio;
	/** Manually-set priority (automatic if set to 0) */
	uint32_t manual_prio;
	/** Source address of the SA(s) tied to this policy */
	host_t *src;
	/** Destination address of the SA(s) tied to this policy */
	host_t *dst;
	/** Details about the SA(s) tied to this policy */
	ipsec_sa_cfg_t *sa;
};
168
/**
 * Data required to query a policy in the kernel.
 *
 * Passed as the "data" argument of query_policy() on kernel_ipsec_t.
 * Currently carries no members.
 *
 * NOTE(review): an empty struct is a GNU C extension, not standard C11.
 */
struct kernel_ipsec_query_policy_t {
};
174
/**
 * Interface to the ipsec subsystem of the kernel.
 *
 * The kernel ipsec interface handles the communication with the kernel
 * for SA and policy management. It allows setup of these, and provides
 * further the handling of kernel events.
 * Policy information is cached in the interface. This is necessary to do
 * reference counting. The Linux kernel does not allow the same policy
 * to be installed twice, but we need this as CHILD_SAs exist multiple times
 * when rekeying. That's why we do reference counting of policies.
 *
 * Unless documented otherwise, operations return SUCCESS when the request
 * completed; see update_sa() for the NOT_SUPPORTED case.
 */
struct kernel_ipsec_t {

	/**
	 * Get the feature set supported by this kernel backend.
	 *
	 * @return				ORed feature-set of backend
	 */
	kernel_feature_t (*get_features)(kernel_ipsec_t *this);

	/**
	 * Get a SPI from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param protocol		protocol for SA (ESP/AH)
	 * @param[out] spi		allocated spi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint8_t protocol, uint32_t *spi);

	/**
	 * Get a Compression Parameter Index (CPI) from the kernel.
	 *
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param[out] cpi		allocated cpi
	 * @return				SUCCESS if operation completed
	 */
	status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
						uint16_t *cpi);

	/**
	 * Add an SA to the SAD.
	 *
	 * This function does install a single SA for a single protocol in one
	 * direction. The key material is carried in data->enc_key and
	 * data->int_key.
	 *
	 * @param id			data identifying this SA
	 * @param data			data for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_add_sa_t *data);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * We cannot directly update the destination address as the kernel
	 * requires the spi, the protocol AND the destination address (and family)
	 * to identify SAs. Therefore if the destination address changed we
	 * create a new SA and delete the old one.
	 *
	 * @param id			data identifying this SA
	 * @param data			updated data for this SA
	 * @return				SUCCESS if operation completed, NOT_SUPPORTED if
	 *						the kernel interface can't update the SA
	 */
	status_t (*update_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						  kernel_ipsec_update_sa_t *data);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to query the SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @param[out] packets	number of packets processed by SA
	 * @param[out] time		last (monotonic) time of SA use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
						 kernel_ipsec_query_sa_t *data, uint64_t *bytes,
						 uint64_t *packets, time_t *time);

	/**
	 * Delete a previously installed SA from the SAD.
	 *
	 * @param id			data identifying this SA
	 * @param data			data to delete the SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa)(kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
					   kernel_ipsec_del_sa_t *data);

	/**
	 * Flush all SAs from the SAD.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_sas)(kernel_ipsec_t *this);

	/**
	 * Add a policy to the SPD.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Query the use time of a policy.
	 *
	 * The use time of a policy is the time the policy was used for the last
	 * time. It is not the system time, but a monotonic timestamp as returned
	 * by time_monotonic.
	 *
	 * @param id			data identifying this policy
	 * @param data			data to query the policy
	 * @param[out] use_time	the monotonic timestamp of this policy's last use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_policy)(kernel_ipsec_t *this,
							 kernel_ipsec_policy_id_t *id,
							 kernel_ipsec_query_policy_t *data,
							 time_t *use_time);

	/**
	 * Remove a policy from the SPD.
	 *
	 * @param id			data identifying this policy
	 * @param data			data for this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy)(kernel_ipsec_t *this,
						   kernel_ipsec_policy_id_t *id,
						   kernel_ipsec_manage_policy_t *data);

	/**
	 * Flush all policies from the SPD.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_policies)(kernel_ipsec_t *this);

	/**
	 * Install a bypass policy for the given socket, i.e. exempt its traffic
	 * from IPsec policy processing.
	 *
	 * @param fd			socket file descriptor to setup policy for
	 * @param family		protocol family of the socket
	 * @return				TRUE if policy set up successfully
	 */
	bool (*bypass_socket)(kernel_ipsec_t *this, int fd, int family);

	/**
	 * Enable decapsulation of ESP-in-UDP packets for the given port/socket.
	 *
	 * @param fd			socket file descriptor
	 * @param family		protocol family of the socket
	 * @param port			the UDP port
	 * @return				TRUE if UDP decapsulation was enabled successfully
	 */
	bool (*enable_udp_decap)(kernel_ipsec_t *this, int fd, int family,
							 uint16_t port);

	/**
	 * Destroy the implementation.
	 */
	void (*destroy)(kernel_ipsec_t *this);
};
349
/**
 * Helper function to (un-)register IPsec kernel interfaces from plugin features.
 *
 * This function is a plugin_feature_callback_t and can be used with the
 * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
 *
 * @param plugin		plugin registering the kernel interface
 * @param feature		associated plugin feature
 * @param reg			TRUE to register, FALSE to unregister
 * @param data			data passed to callback, a kernel_ipsec_constructor_t
 * @return				presumably TRUE on success, per the
 *						plugin_feature_callback_t convention — confirm
 */
bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
						   bool reg, void *data);
363
364 #endif /** KERNEL_IPSEC_H_ @}*/