1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ipsec_sa_mgr ipsec_sa_mgr
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef IPSEC_SA_MGR_H_
24 #define IPSEC_SA_MGR_H_
25
26 #include "ipsec_sa.h"
27
28 #include <library.h>
29 #include <ipsec/ipsec_types.h>
30 #include <selectors/traffic_selector.h>
31 #include <networking/host.h>
32
/* Forward typedef so the struct's own function pointers can name it; the
 * struct body itself is defined further down in this header. */
typedef struct ipsec_sa_mgr_t ipsec_sa_mgr_t;
34
35 /**
36 * IPsec SA manager
37 *
38 * The first methods are modeled after those in kernel_ipsec_t.
39 */
struct ipsec_sa_mgr_t {

	/**
	 * Allocate an SPI for an inbound IPsec SA
	 *
	 * @param src			source address of the SA
	 * @param dst			destination address of the SA
	 * @param protocol		protocol of the SA (only ESP supported)
	 * @param reqid			reqid for the SA
	 * @param[out] spi		the allocated SPI
	 * @return				SUCCESS if operation successful
	 */
	status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);

	/**
	 * Add a new SA
	 *
	 * Several parameters are accepted for interface compatibility with
	 * kernel_ipsec_t but are either ignored or limited to one value by this
	 * implementation; see the individual parameter notes below.
	 *
	 * @note enc_key and int_key carry raw key material. Whether the manager
	 * copies the chunks or keeps referencing the caller's memory is not
	 * stated in this header (only src/dst are documented as cloned) -
	 * confirm against the implementation before freeing or wiping them.
	 *
	 * @param src			source address for this SA (gets cloned)
	 * @param dst			destination address for this SA (gets cloned)
	 * @param spi			SPI for this SA
	 * @param protocol		protocol for this SA (only ESP is supported)
	 * @param reqid			reqid for this SA
	 * @param mark			mark for this SA (ignored)
	 * @param tfc			Traffic Flow Confidentiality (not yet supported)
	 * @param lifetime		lifetime for this SA
	 * @param enc_alg		encryption algorithm for this SA
	 * @param enc_key		encryption key for this SA
	 * @param int_alg		integrity protection algorithm
	 * @param int_key		integrity protection key
	 * @param mode			mode for this SA (only tunnel mode is supported)
	 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
	 * @param cpi			CPI for IPcomp (ignored)
	 * @param initiator		TRUE if initiator of the exchange creating this SA
	 * @param encap			enable UDP encapsulation (must be TRUE)
	 * @param esn			Extended Sequence Numbers (currently not supported)
	 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
	 * @param src_ts		source traffic selector
	 * @param dst_ts		destination traffic selector
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
					   u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
					   mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime,
					   u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
					   chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
					   u_int16_t cpi, bool initiator, bool encap, bool esn,
					   bool inbound, traffic_selector_t *src_ts,
					   traffic_selector_t *dst_ts);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * The SA is identified by spi, protocol, cpi and its current src/dst
	 * addresses; the new_* values replace the addresses and encapsulation
	 * state. What happens when no SA matches is not stated here (presumably
	 * a non-SUCCESS status; confirm against the implementation).
	 *
	 * @param spi			SPI of the SA
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
	 * @param src			current source address
	 * @param dst			current destination address
	 * @param new_src		new source address
	 * @param new_dst		new destination address
	 * @param encap			current use of UDP encapsulation
	 * @param new_encap		new use of UDP encapsulation
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*update_sa)(ipsec_sa_mgr_t *this,
						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
						  host_t *src, host_t *dst,
						  host_t *new_src, host_t *new_dst,
						  bool encap, bool new_encap, mark_t mark);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * Usage statistics are what a caller uses to drive volume-based rekeying
	 * and idle detection, so a non-SUCCESS return should be treated as
	 * "unknown" rather than "zero".
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param mark			optional mark for this SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @param[out] packets	number of packets processed by SA
	 * @param[out] time		last (monotonic) time of SA use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
						 u_int32_t spi, u_int8_t protocol, mark_t mark,
						 u_int64_t *bytes, u_int64_t *packets, time_t *time);

	/**
	 * Delete a previously added SA
	 *
	 * @param src			source address of the SA
	 * @param dst			destination address of the SA
	 * @param spi			SPI of the SA
	 * @param protocol		protocol of the SA
	 * @param cpi			CPI for IPcomp
	 * @param mark			optional mark
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
					   u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
					   mark_t mark);

	/**
	 * Flush all SAs
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_sas)(ipsec_sa_mgr_t *this);

	/**
	 * Checkout an installed IPsec SA by SPI and destination address
	 * Can be used to find the correct SA for an inbound packet.
	 *
	 * The matching SA is locked until it is checked in using checkin().
	 * If the matching SA is already checked out, this call blocks until the
	 * SA is checked in.
	 *
	 * Since other threads may be waiting for the checked out SA, it should be
	 * checked in as soon as possible after use.
	 *
	 * NOTE(review): the blocking semantics above imply that a thread which
	 * already holds an SA and checks out the same SA again would block on
	 * itself - confirm against the implementation before nesting checkouts.
	 *
	 * @param spi			SPI (e.g. of an inbound packet)
	 * @param dst			destination address (e.g. of an inbound packet)
	 * @return				the matching IPsec SA, or NULL if none is found
	 */
	ipsec_sa_t *(*checkout_by_spi)(ipsec_sa_mgr_t *this, u_int32_t spi,
								   host_t *dst);

	/**
	 * Checkout an installed IPsec SA by its reqid and inbound/outbound flag.
	 * Can be used to find the correct SA for an outbound packet.
	 *
	 * The matching SA is locked until it is checked in using checkin().
	 * If the matching SA is already checked out, this call blocks until the
	 * SA is checked in.
	 *
	 * Since other threads may be waiting for a checked out SA, it should be
	 * checked in as soon as possible after use.
	 *
	 * @param reqid			reqid of the SA
	 * @param inbound		TRUE for an inbound SA, FALSE for an outbound SA
	 * @return				the matching IPsec SA, or NULL if none is found
	 */
	ipsec_sa_t *(*checkout_by_reqid)(ipsec_sa_mgr_t *this, u_int32_t reqid,
									 bool inbound);

	/**
	 * Checkin an SA after use.
	 *
	 * Releases the lock taken by checkout_by_spi() or checkout_by_reqid();
	 * every successful checkout must be paired with exactly one checkin.
	 *
	 * @param sa			checked out SA
	 */
	void (*checkin)(ipsec_sa_mgr_t *this, ipsec_sa_t *sa);

	/**
	 * Destroy an ipsec_sa_mgr_t
	 */
	void (*destroy)(ipsec_sa_mgr_t *this);

};
199
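/**
 * Create an ipsec_sa_mgr instance
 *
 * The returned object is released through its destroy() method.
 *
 * @return				IPsec SA manager instance
 */
ipsec_sa_mgr_t *ipsec_sa_mgr_create(void);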
206
207 #endif /** IPSEC_SA_MGR_H_ @}*/