/*
 * Copyright (C) 2012-2013 Tobias Brunner
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup ipsec_types ipsec_types
 * @{ @ingroup ipsec
 */

#ifndef IPSEC_TYPES_H_
#define IPSEC_TYPES_H_

/*
 * Forward typedefs for every enum and struct defined further down in this
 * header. They are placed before the <library.h> include, presumably so that
 * headers pulled in by library.h can already use these type names — confirm
 * against those headers before moving them.
 */
typedef enum ipsec_mode_t ipsec_mode_t;
typedef enum policy_dir_t policy_dir_t;
typedef enum policy_type_t policy_type_t;
typedef enum policy_priority_t policy_priority_t;
typedef enum ipcomp_transform_t ipcomp_transform_t;
typedef enum hw_offload_t hw_offload_t;
typedef enum dscp_copy_t dscp_copy_t;
typedef enum mark_op_t mark_op_t;
typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
typedef struct lifetime_cfg_t lifetime_cfg_t;
typedef struct mark_t mark_t;

/* provides enum_name_t, bool and the fixed-width integer types used below */
#include <library.h>
37
/**
 * Encapsulation mode of an IPsec SA. MODE_PASS and MODE_DROP describe a
 * policy action rather than a real SA.
 */
enum ipsec_mode_t {
	/** no encapsulation at all */
	MODE_NONE = 0,
	/** transport mode: outer addresses only, no inner header */
	MODE_TRANSPORT = 1,
	/** tunnel mode: inner and outer addresses */
	MODE_TUNNEL = 2,
	/** BEET (Bound End-to-End Tunnel): tunnel mode with fixed inner addresses */
	MODE_BEET = 3,
	/** passthrough policy, traffic is not protected by any SA */
	MODE_PASS = 4,
	/** drop policy, traffic is discarded */
	MODE_DROP = 5,
};
55
/**
 * enum names for ipsec_mode_t (MODE_NONE .. MODE_DROP).
 */
extern enum_name_t *ipsec_mode_names;
60
/**
 * Direction of a policy.
 *
 * The numeric values match the policy directions defined in xfrm.h, but the
 * type is kept here to stay independent of any particular kernel interface.
 */
enum policy_dir_t {
	/** inbound traffic */
	POLICY_IN = 0,
	/** outbound traffic */
	POLICY_OUT = 1,
	/** forwarded traffic */
	POLICY_FWD = 2
};
74
/**
 * enum names for policy_dir_t (POLICY_IN, POLICY_OUT, POLICY_FWD).
 */
extern enum_name_t *policy_dir_names;
79
/**
 * Type of a policy.
 *
 * Note that no enumerator has the value 0, so a zero-initialized
 * policy_type_t is not a valid type.
 */
enum policy_type_t {
	/** regular IPsec policy, traffic is protected by an SA */
	POLICY_IPSEC = 1,
	/** passthrough policy, traffic bypasses IPsec */
	POLICY_PASS = 2,
	/** drop policy, traffic is discarded */
	POLICY_DROP = 3
};
91
/**
 * High-level priority class of a policy.
 *
 * The enumerators are listed in the order PASS, DEFAULT, ROUTED, FALLBACK;
 * how these classes map onto concrete kernel priorities is left to the
 * kernel interface implementation.
 */
enum policy_priority_t {
	/** passthrough policies */
	POLICY_PRIORITY_PASS = 0,
	/** regular IPsec policies */
	POLICY_PRIORITY_DEFAULT = 1,
	/** trap (routed) policies */
	POLICY_PRIORITY_ROUTED = 2,
	/** fallback drop policies */
	POLICY_PRIORITY_FALLBACK = 3
};
105
/**
 * IPComp transform IDs, with the numeric values from RFC 4306.
 */
enum ipcomp_transform_t {
	/** no IPComp */
	IPCOMP_NONE = 0,
	/** vendor specific (OUI) transform */
	IPCOMP_OUI = 1,
	/** DEFLATE compression */
	IPCOMP_DEFLATE = 2,
	/** LZS compression */
	IPCOMP_LZS = 3,
	/** LZJH compression */
	IPCOMP_LZJH = 4
};
116
/**
 * enum strings for ipcomp_transform_t (IPCOMP_NONE .. IPCOMP_LZJH).
 */
extern enum_name_t *ipcomp_transform_names;
121
/**
 * Hardware offload mode requested for an SA.
 */
enum hw_offload_t {
	/** do not offload */
	HW_OFFLOAD_NO = 0,
	/** offload required */
	HW_OFFLOAD_YES = 1,
	/**
	 * NOTE(review): presumably "offload if the device supports it, otherwise
	 * fall back to software" — confirm in the kernel interface implementation.
	 */
	HW_OFFLOAD_AUTO = 2
};
130
/**
 * enum names for hw_offload_t (HW_OFFLOAD_NO, HW_OFFLOAD_YES, HW_OFFLOAD_AUTO).
 */
extern enum_name_t *hw_offload_names;
135
/**
 * How the DSCP field is copied between the outer and the inner IP header.
 *
 * The default behavior is not to copy from the outer to the inner header,
 * which corresponds to the zero value DSCP_COPY_OUT_ONLY — presumably the
 * reason it is the first enumerator; confirm with the callers.
 */
enum dscp_copy_t {
	/** copy in the outbound direction only (inner to outer) */
	DSCP_COPY_OUT_ONLY = 0,
	/** copy in the inbound direction only (outer to inner) */
	DSCP_COPY_IN_ONLY = 1,
	/** copy in both directions */
	DSCP_COPY_YES = 2,
	/** never copy */
	DSCP_COPY_NO = 3
};
146
/**
 * enum strings for dscp_copy_t (DSCP_COPY_OUT_ONLY .. DSCP_COPY_NO).
 */
extern enum_name_t *dscp_copy_names;
151
/**
 * Details about the IPsec SA(s) tied to a policy.
 *
 * Plain aggregate: callers initialize it directly. On common ABIs the
 * struct contains padding (e.g. after the bool members), so it should be
 * compared with ipsec_sa_cfg_equals() rather than memcmp().
 */
struct ipsec_sa_cfg_t {
	/** mode of the SA (tunnel, transport, ...), see ipsec_mode_t */
	ipsec_mode_t mode;
	/** unique ID shared by the SA and its policies */
	uint32_t reqid;
	/** number of policies of the same kind (in/out/fwd) attached to the SA */
	uint32_t policy_count;
	/** per-protocol details for ESP and AH */
	struct {
		/** TRUE if this protocol is used */
		bool use;
		/** SPI of the ESP/AH SA */
		uint32_t spi;
	} esp, ah;
	/** details about IPComp */
	struct {
		/** the IPComp transform used (an ipcomp_transform_t value) */
		uint16_t transform;
		/** CPI for IPComp */
		uint16_t cpi;
	} ipcomp;
};
177
/**
 * Compare two ipsec_sa_cfg_t objects for equality.
 *
 * NOTE(review): neither parameter is modified by an equality check, so both
 * could be const-qualified; the implementation is not visible here, so the
 * prototype is left as is.
 *
 * @param a first object
 * @param b second object
 * @return TRUE if both objects are equal
 */
bool ipsec_sa_cfg_equals(ipsec_sa_cfg_t *a, ipsec_sa_cfg_t *b);
186
/**
 * A lifetime_cfg_t defines the lifetime limits of an SA.
 *
 * Set any of these values to 0 to ignore that limit. The same triple is kept
 * for each of the three resources (time, bytes, packets); the unit of each
 * field is that of the enclosing member (presumably seconds for "time" —
 * confirm against the callers).
 */
struct lifetime_cfg_t {
	struct {
		/** Limit before the SA gets invalid (hard limit). */
		uint64_t life;
		/** Limit before the SA gets rekeyed (soft limit). */
		uint64_t rekey;
		/** The range of a random value subtracted from rekey. */
		uint64_t jitter;
	} time, bytes, packets;
};
202
/**
 * A mark_t defines an optional mark in an IPsec SA.
 *
 * Parsed from the textual form mark[/mask] by mark_from_string(); the special
 * values MARK_UNIQUE, MARK_UNIQUE_DIR and MARK_SAME may appear in value.
 */
struct mark_t {
	/** Mark value */
	uint32_t value;
	/** Mark mask */
	uint32_t mask;
};
212
/**
 * Special mark values.
 *
 * MARK_UNIQUE and MARK_SAME share the same numeric value (0xFFFFFFFF); they
 * are presumably told apart by which mark_op_t values the caller accepts when
 * parsing (see mark_from_string()), so a mark_t value alone does not say
 * which of the two was configured.
 */
/** use a unique mark for each CHILD_SA */
#define MARK_UNIQUE (0xFFFFFFFF)
/** use a unique mark for each CHILD_SA and direction */
#define MARK_UNIQUE_DIR (0xFFFFFFFE)
/** use the same mark as the other direction (value collides with MARK_UNIQUE) */
#define MARK_SAME (0xFFFFFFFF)
/** TRUE if m is one of the two unique-mark placeholders; m is evaluated twice */
#define MARK_IS_UNIQUE(m) ((m) == MARK_UNIQUE || (m) == MARK_UNIQUE_DIR)
220
/**
 * Special mark operations a caller is willing to accept when parsing marks.
 *
 * The values are bit flags and may be OR-ed together.
 */
enum mark_op_t {
	/** accept none of the special operations below */
	MARK_OP_NONE = 0,
	/** accept %unique and %unique-dir */
	MARK_OP_UNIQUE = 1,
	/** accept %same */
	MARK_OP_SAME = 2
};
232
/**
 * Try to parse a mark_t from the given string of the form mark[/mask].
 *
 * The special keywords %unique, %unique-dir and %same are only accepted if
 * the matching mark_op_t flag is set in ops. NOTE(review): what mark holds
 * after a failed parse is not specified here — treat it as undefined unless
 * the implementation documents otherwise.
 *
 * @param value string to parse
 * @param ops operations to accept (OR-ed mark_op_t flags)
 * @param mark mark to fill
 * @return TRUE if parsing was successful
 */
bool mark_from_string(const char *value, mark_op_t ops, mark_t *mark);
242
/**
 * Special interface ID values to allocate a unique ID for each CHILD_SA/dir.
 *
 * These mirror MARK_UNIQUE/MARK_UNIQUE_DIR and use the same numeric values.
 */
/** allocate a unique interface ID per CHILD_SA */
#define IF_ID_UNIQUE (0xFFFFFFFF)
/** allocate a unique interface ID per CHILD_SA and direction */
#define IF_ID_UNIQUE_DIR (0xFFFFFFFE)
/** TRUE if m is one of the two placeholders above; m is evaluated twice */
#define IF_ID_IS_UNIQUE(m) ((m) == IF_ID_UNIQUE || (m) == IF_ID_UNIQUE_DIR)
249
/**
 * Try to parse an interface ID from the given string.
 *
 * NOTE(review): whether the %unique/%unique-dir keywords are accepted here
 * (yielding IF_ID_UNIQUE/IF_ID_UNIQUE_DIR) is not visible from this header —
 * confirm in the implementation.
 *
 * @param value string to parse
 * @param if_id interface ID to fill
 * @return TRUE if parsing was successful
 */
bool if_id_from_string(const char *value, uint32_t *if_id);
258
/**
 * Allocate up to two unique interface IDs depending on the given values.
 *
 * Both pointers are in/out rather than pure outputs: the existing values are
 * inspected to decide whether an ID is allocated (presumably only those equal
 * to IF_ID_UNIQUE or IF_ID_UNIQUE_DIR are replaced — confirm in the
 * implementation).
 *
 * @param[in,out] in inbound interface ID
 * @param[in,out] out outbound interface ID
 */
void allocate_unique_if_ids(uint32_t *in, uint32_t *out);
266
267 #endif /** IPSEC_TYPES_H_ @}*/