libipsec: check for a policy with the reqid of the SA on decapsulation
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ipsec_policy_mgr ipsec_policy_mgr
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef IPSEC_POLICY_MGR_H_
24 #define IPSEC_POLICY_MGR_H_
25
26 #include "ipsec_policy.h"
27 #include "ip_packet.h"
28
29 #include <library.h>
30 #include <networking/host.h>
31 #include <collections/linked_list.h>
32 #include <ipsec/ipsec_types.h>
33 #include <selectors/traffic_selector.h>
34
/* Opaque handle for the policy manager; the struct body is below. */
typedef struct ipsec_policy_mgr_t ipsec_policy_mgr_t;
36
/**
 * IPsec policy manager
 *
 * The first methods are modeled after those in kernel_ipsec_t.
 *
 * @note Only policies of type POLICY_IPSEC are currently used, also policies
 * with direction POLICY_FWD are ignored. Any packets that do not match an
 * installed policy will be dropped.
 */
struct ipsec_policy_mgr_t {

	/**
	 * Add a policy
	 *
	 * A policy is always associated to an SA. Traffic which matches a
	 * policy is handled by the SA with the same reqid (taken from the
	 * ipsec_sa_cfg_t passed in sa).
	 *
	 * @param src			source address of SA
	 * @param dst			dest address of SA
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD);
	 *						POLICY_FWD is ignored, see note on the struct
	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP); only
	 *						POLICY_IPSEC is currently used, see note on the struct
	 * @param sa			details about the SA(s) tied to this policy
	 * @param mark			mark for this policy
	 * @param priority		priority of this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy)(ipsec_policy_mgr_t *this,
						   host_t *src, host_t *dst, traffic_selector_t *src_ts,
						   traffic_selector_t *dst_ts, policy_dir_t direction,
						   policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
						   policy_priority_t priority);

	/**
	 * Remove a policy
	 *
	 * The policy is identified by its selectors, direction, reqid, mark and
	 * priority; these should be the values used when it was added.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param reqid			unique ID of the associated SA
	 * @param mark			optional mark
	 * @param priority		priority of the policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy)(ipsec_policy_mgr_t *this,
						   traffic_selector_t *src_ts,
						   traffic_selector_t *dst_ts,
						   policy_dir_t direction, u_int32_t reqid, mark_t mark,
						   policy_priority_t priority);

	/**
	 * Flush all policies
	 *
	 * After this call no packet matches an installed policy, so all traffic
	 * is dropped until policies are added again (see note on the struct).
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_policies)(ipsec_policy_mgr_t *this);

	/**
	 * Find the policy that matches the given IP packet best
	 *
	 * For an inbound packet the caller may pass the reqid of the SA that
	 * decapsulated it. Only policies with that reqid, i.e. policies tied to
	 * that SA, are then considered, so a packet decrypted by one SA is not
	 * accepted merely because it matches a policy belonging to a different
	 * SA. A reqid of 0 disables this restriction and matches any policy.
	 *
	 * @param packet		IP packet to match
	 * @param inbound		TRUE for an inbound packet
	 * @param reqid			require a policy with a specific reqid, 0 for any
	 * @return				reference to the policy, or NULL if none found
	 *						(NOTE(review): ownership of the returned reference
	 *						is not stated here; confirm whether the caller has
	 *						to release it)
	 */
	ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
									  ip_packet_t *packet, bool inbound,
									  u_int32_t reqid);

	/**
	 * Destroy an ipsec_policy_mgr_t
	 */
	void (*destroy)(ipsec_policy_mgr_t *this);

};
113
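/**
 * Create an ipsec_policy_mgr instance
 *
 * The returned object is released with its destroy() method.
 *
 * @return				ipsec_policy_mgr
 */
/* (void) makes this a real prototype: an empty parameter list in C11 leaves
 * the arguments unchecked, so a stray argument at a call site would not be
 * diagnosed. */
ipsec_policy_mgr_t *ipsec_policy_mgr_create(void);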
120
121 #endif /** IPSEC_POLICY_MGR_H_ @}*/