From: Martin Willi <martin@strongswan.org>
Date: Thu, 19 Apr 2007 08:59:36 +0000 (-0000)
Subject: added most problematic linux headers to distribution
X-Git-Tag: 4.1.2~54
X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=04a7b6d86840b888587d22d981bed5dded6865d6

added most problematic linux headers to distribution
  other/real linux header may be selected using --with-linux-headers=dir
---

diff --git a/configure.in b/configure.in
index c437fb3..3748756 100644
--- a/configure.in
+++ b/configure.in
@@ -86,6 +86,13 @@ AC_ARG_WITH(
     [AC_DEFINE_UNQUOTED(SIM_READER_LIB, "$withval")]
 )
 
+AC_ARG_WITH(
+    [linux-headers],
+    AS_HELP_STRING([--with-linux-headers=dir],[use the linux header files in dir instead of the supplied ones in "src/include"]),
+    [AC_SUBST(linuxdir, "$withval")], [AC_SUBST(linuxdir, "../include")]
+)
+AC_SUBST(LINUX_HEADERS)
+
 AC_ARG_ENABLE(
     [http],
     AS_HELP_STRING([--enable-http],[enable OCSP and fetching of Certificates and CRLs over HTTP (default is NO). Requires libcurl.]),
@@ -222,6 +229,7 @@ dnl ==============================
 AC_OUTPUT(
 	Makefile
 	src/Makefile
+	src/include/Makefile
 	src/libstrongswan/Makefile
 	src/libcrypto/Makefile
 	src/libfreeswan/Makefile
diff --git a/src/Makefile.am b/src/Makefile.am
index a3f90f3..204a211 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1 +1 @@
-SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright 
+SUBDIRS = include libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright 
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 64ebb35..2dad491 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -101,7 +101,8 @@ sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
 sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/task.c sa/tasks/task.h
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
 AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"
 charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp -lpthread -lm -ldl
 
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
new file mode 100644
index 0000000..62d423e
--- /dev/null
+++ b/src/include/Makefile.am
@@ -0,0 +1 @@
+EXTRA_DIST = linux/ipsec.h linux/pfkeyv2.h linux/xfrm.h
diff --git a/src/include/linux/ipsec.h b/src/include/linux/ipsec.h
new file mode 100644
index 0000000..d3c5276
--- /dev/null
+++ b/src/include/linux/ipsec.h
@@ -0,0 +1,46 @@
+#ifndef _LINUX_IPSEC_H
+#define _LINUX_IPSEC_H
+
+/* The definitions, required to talk to KAME racoon IKE. */
+
+#include <linux/pfkeyv2.h>
+
+#define IPSEC_PORT_ANY		0
+#define IPSEC_ULPROTO_ANY	255
+#define IPSEC_PROTO_ANY		255
+
+enum {
+	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */
+	IPSEC_MODE_TRANSPORT	= 1,
+	IPSEC_MODE_TUNNEL	= 2
+};
+
+enum {
+	IPSEC_DIR_ANY		= 0,
+	IPSEC_DIR_INBOUND	= 1,
+	IPSEC_DIR_OUTBOUND	= 2,
+	IPSEC_DIR_FWD		= 3,	/* It is our own */
+	IPSEC_DIR_MAX		= 4,
+	IPSEC_DIR_INVALID	= 5
+};
+
+enum {
+	IPSEC_POLICY_DISCARD	= 0,
+	IPSEC_POLICY_NONE	= 1,
+	IPSEC_POLICY_IPSEC	= 2,
+	IPSEC_POLICY_ENTRUST	= 3,
+	IPSEC_POLICY_BYPASS	= 4
+};
+
+enum {
+	IPSEC_LEVEL_DEFAULT	= 0,
+	IPSEC_LEVEL_USE		= 1,
+	IPSEC_LEVEL_REQUIRE	= 2,
+	IPSEC_LEVEL_UNIQUE	= 3
+};
+
+#define IPSEC_MANUAL_REQID_MAX	0x3fff
+
+#define IPSEC_REPLAYWSIZE  32
+
+#endif	/* _LINUX_IPSEC_H */
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
new file mode 100644
index 0000000..d5dd471
--- /dev/null
+++ b/src/include/linux/pfkeyv2.h
@@ -0,0 +1,348 @@
+/* PF_KEY user interface, this is defined by rfc2367 so
+ * do not make arbitrary modifications or else this header
+ * file will not be compliant.
+ */
+
+#ifndef _LINUX_PFKEY2_H
+#define _LINUX_PFKEY2_H
+
+#include <linux/types.h>
+
+#define PF_KEY_V2		2
+#define PFKEYV2_REVISION	199806L
+
+struct sadb_msg {
+	uint8_t		sadb_msg_version;
+	uint8_t		sadb_msg_type;
+	uint8_t		sadb_msg_errno;
+	uint8_t		sadb_msg_satype;
+	uint16_t	sadb_msg_len;
+	uint16_t	sadb_msg_reserved;
+	uint32_t	sadb_msg_seq;
+	uint32_t	sadb_msg_pid;
+} __attribute__((packed));
+/* sizeof(struct sadb_msg) == 16 */
+
+struct sadb_ext {
+	uint16_t	sadb_ext_len;
+	uint16_t	sadb_ext_type;
+} __attribute__((packed));
+/* sizeof(struct sadb_ext) == 4 */
+
+struct sadb_sa {
+	uint16_t	sadb_sa_len;
+	uint16_t	sadb_sa_exttype;
+	uint32_t	sadb_sa_spi;
+	uint8_t		sadb_sa_replay;
+	uint8_t		sadb_sa_state;
+	uint8_t		sadb_sa_auth;
+	uint8_t		sadb_sa_encrypt;
+	uint32_t	sadb_sa_flags;
+} __attribute__((packed));
+/* sizeof(struct sadb_sa) == 16 */
+
+struct sadb_lifetime {
+	uint16_t	sadb_lifetime_len;
+	uint16_t	sadb_lifetime_exttype;
+	uint32_t	sadb_lifetime_allocations;
+	uint64_t	sadb_lifetime_bytes;
+	uint64_t	sadb_lifetime_addtime;
+	uint64_t	sadb_lifetime_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_lifetime) == 32 */
+
+struct sadb_address {
+	uint16_t	sadb_address_len;
+	uint16_t	sadb_address_exttype;
+	uint8_t		sadb_address_proto;
+	uint8_t		sadb_address_prefixlen;
+	uint16_t	sadb_address_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_address) == 8 */
+
+struct sadb_key {
+	uint16_t	sadb_key_len;
+	uint16_t	sadb_key_exttype;
+	uint16_t	sadb_key_bits;
+	uint16_t	sadb_key_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_key) == 8 */
+
+struct sadb_ident {
+	uint16_t	sadb_ident_len;
+	uint16_t	sadb_ident_exttype;
+	uint16_t	sadb_ident_type;
+	uint16_t	sadb_ident_reserved;
+	uint64_t	sadb_ident_id;
+} __attribute__((packed));
+/* sizeof(struct sadb_ident) == 16 */
+
+struct sadb_sens {
+	uint16_t	sadb_sens_len;
+	uint16_t	sadb_sens_exttype;
+	uint32_t	sadb_sens_dpd;
+	uint8_t		sadb_sens_sens_level;
+	uint8_t		sadb_sens_sens_len;
+	uint8_t		sadb_sens_integ_level;
+	uint8_t		sadb_sens_integ_len;
+	uint32_t	sadb_sens_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_sens) == 16 */
+
+/* followed by:
+	uint64_t	sadb_sens_bitmap[sens_len];
+	uint64_t	sadb_integ_bitmap[integ_len];  */
+
+struct sadb_prop {
+	uint16_t	sadb_prop_len;
+	uint16_t	sadb_prop_exttype;
+	uint8_t		sadb_prop_replay;
+	uint8_t		sadb_prop_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_prop) == 8 */
+
+/* followed by:
+	struct sadb_comb sadb_combs[(sadb_prop_len +
+		sizeof(uint64_t) - sizeof(struct sadb_prop)) /
+		sizeof(struct sadb_comb)]; */
+
+struct sadb_comb {
+	uint8_t		sadb_comb_auth;
+	uint8_t		sadb_comb_encrypt;
+	uint16_t	sadb_comb_flags;
+	uint16_t	sadb_comb_auth_minbits;
+	uint16_t	sadb_comb_auth_maxbits;
+	uint16_t	sadb_comb_encrypt_minbits;
+	uint16_t	sadb_comb_encrypt_maxbits;
+	uint32_t	sadb_comb_reserved;
+	uint32_t	sadb_comb_soft_allocations;
+	uint32_t	sadb_comb_hard_allocations;
+	uint64_t	sadb_comb_soft_bytes;
+	uint64_t	sadb_comb_hard_bytes;
+	uint64_t	sadb_comb_soft_addtime;
+	uint64_t	sadb_comb_hard_addtime;
+	uint64_t	sadb_comb_soft_usetime;
+	uint64_t	sadb_comb_hard_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_comb) == 72 */
+
+struct sadb_supported {
+	uint16_t	sadb_supported_len;
+	uint16_t	sadb_supported_exttype;
+	uint32_t	sadb_supported_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_supported) == 8 */
+
+/* followed by:
+	struct sadb_alg sadb_algs[(sadb_supported_len +
+		sizeof(uint64_t) - sizeof(struct sadb_supported)) /
+		sizeof(struct sadb_alg)]; */
+
+struct sadb_alg {
+	uint8_t		sadb_alg_id;
+	uint8_t		sadb_alg_ivlen;
+	uint16_t	sadb_alg_minbits;
+	uint16_t	sadb_alg_maxbits;
+	uint16_t	sadb_alg_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_alg) == 8 */
+
+struct sadb_spirange {
+	uint16_t	sadb_spirange_len;
+	uint16_t	sadb_spirange_exttype;
+	uint32_t	sadb_spirange_min;
+	uint32_t	sadb_spirange_max;
+	uint32_t	sadb_spirange_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_spirange) == 16 */
+
+struct sadb_x_kmprivate {
+	uint16_t	sadb_x_kmprivate_len;
+	uint16_t	sadb_x_kmprivate_exttype;
+	uint32_t	sadb_x_kmprivate_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_kmprivate) == 8 */
+
+struct sadb_x_sa2 {
+	uint16_t	sadb_x_sa2_len;
+	uint16_t	sadb_x_sa2_exttype;
+	uint8_t		sadb_x_sa2_mode;
+	uint8_t		sadb_x_sa2_reserved1;
+	uint16_t	sadb_x_sa2_reserved2;
+	uint32_t	sadb_x_sa2_sequence;
+	uint32_t	sadb_x_sa2_reqid;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_sa2) == 16 */
+
+struct sadb_x_policy {
+	uint16_t	sadb_x_policy_len;
+	uint16_t	sadb_x_policy_exttype;
+	uint16_t	sadb_x_policy_type;
+	uint8_t		sadb_x_policy_dir;
+	uint8_t		sadb_x_policy_reserved;
+	uint32_t	sadb_x_policy_id;
+	uint32_t	sadb_x_policy_priority;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_policy) == 16 */
+
+struct sadb_x_ipsecrequest {
+	uint16_t	sadb_x_ipsecrequest_len;
+	uint16_t	sadb_x_ipsecrequest_proto;
+	uint8_t		sadb_x_ipsecrequest_mode;
+	uint8_t		sadb_x_ipsecrequest_level;
+	uint16_t	sadb_x_ipsecrequest_reserved1;
+	uint32_t	sadb_x_ipsecrequest_reqid;
+	uint32_t	sadb_x_ipsecrequest_reserved2;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_ipsecrequest) == 16 */
+
+/* This defines the TYPE of Nat Traversal in use.  Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */
+struct sadb_x_nat_t_type {
+	uint16_t	sadb_x_nat_t_type_len;
+	uint16_t	sadb_x_nat_t_type_exttype;
+	uint8_t		sadb_x_nat_t_type_type;
+	uint8_t		sadb_x_nat_t_type_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_type) == 8 */
+
+/* Pass a NAT Traversal port (Source or Dest port) */
+struct sadb_x_nat_t_port {
+	uint16_t	sadb_x_nat_t_port_len;
+	uint16_t	sadb_x_nat_t_port_exttype;
+	uint16_t	sadb_x_nat_t_port_port;
+	uint16_t	sadb_x_nat_t_port_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_port) == 8 */
+
+/* Generic LSM security context */
+struct sadb_x_sec_ctx {
+	uint16_t	sadb_x_sec_len;
+	uint16_t	sadb_x_sec_exttype;
+	uint8_t		sadb_x_ctx_alg;  /* LSMs: e.g., selinux == 1 */
+	uint8_t		sadb_x_ctx_doi;
+	uint16_t	sadb_x_ctx_len;
+} __attribute__((packed));
+/* sizeof(struct sadb_sec_ctx) = 8 */
+
+/* Message types */
+#define SADB_RESERVED		0
+#define SADB_GETSPI		1
+#define SADB_UPDATE		2
+#define SADB_ADD		3
+#define SADB_DELETE		4
+#define SADB_GET		5
+#define SADB_ACQUIRE		6
+#define SADB_REGISTER		7
+#define SADB_EXPIRE		8
+#define SADB_FLUSH		9
+#define SADB_DUMP		10
+#define SADB_X_PROMISC		11
+#define SADB_X_PCHANGE		12
+#define SADB_X_SPDUPDATE	13
+#define SADB_X_SPDADD		14
+#define SADB_X_SPDDELETE	15
+#define SADB_X_SPDGET		16
+#define SADB_X_SPDACQUIRE	17
+#define SADB_X_SPDDUMP		18
+#define SADB_X_SPDFLUSH		19
+#define SADB_X_SPDSETIDX	20
+#define SADB_X_SPDEXPIRE	21
+#define SADB_X_SPDDELETE2	22
+#define SADB_X_NAT_T_NEW_MAPPING	23
+#define SADB_MAX		23
+
+/* Security Association flags */
+#define SADB_SAFLAGS_PFS	1
+#define SADB_SAFLAGS_NOPMTUDISC	0x20000000
+#define SADB_SAFLAGS_DECAP_DSCP	0x40000000
+#define SADB_SAFLAGS_NOECN	0x80000000
+
+/* Security Association states */
+#define SADB_SASTATE_LARVAL	0
+#define SADB_SASTATE_MATURE	1
+#define SADB_SASTATE_DYING	2
+#define SADB_SASTATE_DEAD	3
+#define SADB_SASTATE_MAX	3
+
+/* Security Association types */
+#define SADB_SATYPE_UNSPEC	0
+#define SADB_SATYPE_AH		2
+#define SADB_SATYPE_ESP		3
+#define SADB_SATYPE_RSVP	5
+#define SADB_SATYPE_OSPFV2	6
+#define SADB_SATYPE_RIPV2	7
+#define SADB_SATYPE_MIP		8
+#define SADB_X_SATYPE_IPCOMP	9
+#define SADB_SATYPE_MAX		9
+
+/* Authentication algorithms */
+#define SADB_AALG_NONE			0
+#define SADB_AALG_MD5HMAC		2
+#define SADB_AALG_SHA1HMAC		3
+#define SADB_X_AALG_SHA2_256HMAC	5
+#define SADB_X_AALG_SHA2_384HMAC	6
+#define SADB_X_AALG_SHA2_512HMAC	7
+#define SADB_X_AALG_RIPEMD160HMAC	8
+#define SADB_X_AALG_NULL		251	/* kame */
+#define SADB_AALG_MAX			251
+
+/* Encryption algorithms */
+#define SADB_EALG_NONE			0
+#define SADB_EALG_DESCBC		2
+#define SADB_EALG_3DESCBC		3
+#define SADB_X_EALG_CASTCBC		6
+#define SADB_X_EALG_BLOWFISHCBC		7
+#define SADB_EALG_NULL			11
+#define SADB_X_EALG_AESCBC		12
+#define SADB_EALG_MAX                   253 /* last EALG */
+/* private allocations should use 249-255 (RFC2407) */
+#define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+#define SADB_X_EALG_TWOFISHCBC  253     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+
+/* Compression algorithms */
+#define SADB_X_CALG_NONE		0
+#define SADB_X_CALG_OUI			1
+#define SADB_X_CALG_DEFLATE		2
+#define SADB_X_CALG_LZS			3
+#define SADB_X_CALG_LZJH		4
+#define SADB_X_CALG_MAX			4
+
+/* Extension Header values */
+#define SADB_EXT_RESERVED		0
+#define SADB_EXT_SA			1
+#define SADB_EXT_LIFETIME_CURRENT	2
+#define SADB_EXT_LIFETIME_HARD		3
+#define SADB_EXT_LIFETIME_SOFT		4
+#define SADB_EXT_ADDRESS_SRC		5
+#define SADB_EXT_ADDRESS_DST		6
+#define SADB_EXT_ADDRESS_PROXY		7
+#define SADB_EXT_KEY_AUTH		8
+#define SADB_EXT_KEY_ENCRYPT		9
+#define SADB_EXT_IDENTITY_SRC		10
+#define SADB_EXT_IDENTITY_DST		11
+#define SADB_EXT_SENSITIVITY		12
+#define SADB_EXT_PROPOSAL		13
+#define SADB_EXT_SUPPORTED_AUTH		14
+#define SADB_EXT_SUPPORTED_ENCRYPT	15
+#define SADB_EXT_SPIRANGE		16
+#define SADB_X_EXT_KMPRIVATE		17
+#define SADB_X_EXT_POLICY		18
+#define SADB_X_EXT_SA2			19
+/* The next four entries are for setting up NAT Traversal */
+#define SADB_X_EXT_NAT_T_TYPE		20
+#define SADB_X_EXT_NAT_T_SPORT		21
+#define SADB_X_EXT_NAT_T_DPORT		22
+#define SADB_X_EXT_NAT_T_OA		23
+#define SADB_X_EXT_SEC_CTX		24
+#define SADB_EXT_MAX			24
+
+/* Identity Extension values */
+#define SADB_IDENTTYPE_RESERVED	0
+#define SADB_IDENTTYPE_PREFIX	1
+#define SADB_IDENTTYPE_FQDN	2
+#define SADB_IDENTTYPE_USERFQDN	3
+#define SADB_IDENTTYPE_MAX	3
+
+#endif /* !(_LINUX_PFKEY2_H) */
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
new file mode 100644
index 0000000..ea5b042
--- /dev/null
+++ b/src/include/linux/xfrm.h
@@ -0,0 +1,341 @@
+#ifndef _LINUX_XFRM_H
+#define _LINUX_XFRM_H
+
+#include <linux/types.h>
+
+/* All of the structures in this file may not change size as they are
+ * passed into the kernel from userspace via netlink sockets.
+ */
+
+/* Structure to encapsulate addresses. I do not want to use
+ * "standard" structure. My apologies.
+ */
+typedef union
+{
+	__u32		a4;
+	__u32		a6[4];
+} xfrm_address_t;
+
+/* Ident of a specific xfrm_state. It is used on input to lookup
+ * the state by (spi,daddr,ah/esp) or to store information about
+ * spi, protocol and tunnel address on output.
+ */
+struct xfrm_id
+{
+	xfrm_address_t	daddr;
+	__u32		spi;
+	__u8		proto;
+};
+
+struct xfrm_sec_ctx {
+	__u8	ctx_doi;
+	__u8	ctx_alg;
+	__u16	ctx_len;
+	__u32	ctx_sid;
+	char	ctx_str[0];
+};
+
+/* Security Context Domains of Interpretation */
+#define XFRM_SC_DOI_RESERVED 0
+#define XFRM_SC_DOI_LSM 1
+
+/* Security Context Algorithms */
+#define XFRM_SC_ALG_RESERVED 0
+#define XFRM_SC_ALG_SELINUX 1
+
+/* Selector, used as selector both on policy rules (SPD) and SAs. */
+
+struct xfrm_selector
+{
+	xfrm_address_t	daddr;
+	xfrm_address_t	saddr;
+	__u16	dport;
+	__u16	dport_mask;
+	__u16	sport;
+	__u16	sport_mask;
+	__u16	family;
+	__u8	prefixlen_d;
+	__u8	prefixlen_s;
+	__u8	proto;
+	int	ifindex;
+	uid_t	user;
+};
+
+#define XFRM_INF (~(__u64)0)
+
+struct xfrm_lifetime_cfg
+{
+	__u64	soft_byte_limit;
+	__u64	hard_byte_limit;
+	__u64	soft_packet_limit;
+	__u64	hard_packet_limit;
+	__u64	soft_add_expires_seconds;
+	__u64	hard_add_expires_seconds;
+	__u64	soft_use_expires_seconds;
+	__u64	hard_use_expires_seconds;
+};
+
+struct xfrm_lifetime_cur
+{
+	__u64	bytes;
+	__u64	packets;
+	__u64	add_time;
+	__u64	use_time;
+};
+
+struct xfrm_replay_state
+{
+	__u32	oseq;
+	__u32	seq;
+	__u32	bitmap;
+};
+
+struct xfrm_algo {
+	char	alg_name[64];
+	int	alg_key_len;    /* in bits */
+	char	alg_key[0];
+};
+
+struct xfrm_stats {
+	__u32	replay_window;
+	__u32	replay;
+	__u32	integrity_failed;
+};
+
+enum
+{
+	XFRM_POLICY_IN	= 0,
+	XFRM_POLICY_OUT	= 1,
+	XFRM_POLICY_FWD	= 2,
+	XFRM_POLICY_MAX	= 3
+};
+
+enum
+{
+	XFRM_SHARE_ANY,		/* No limitations */
+	XFRM_SHARE_SESSION,	/* For this session only */
+	XFRM_SHARE_USER,	/* For this user only */
+	XFRM_SHARE_UNIQUE	/* Use once */
+};
+
+/* Netlink configuration messages.  */
+enum {
+	XFRM_MSG_BASE = 0x10,
+
+	XFRM_MSG_NEWSA = 0x10,
+#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
+	XFRM_MSG_DELSA,
+#define XFRM_MSG_DELSA XFRM_MSG_DELSA
+	XFRM_MSG_GETSA,
+#define XFRM_MSG_GETSA XFRM_MSG_GETSA
+
+	XFRM_MSG_NEWPOLICY,
+#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
+	XFRM_MSG_DELPOLICY,
+#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
+	XFRM_MSG_GETPOLICY,
+#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
+
+	XFRM_MSG_ALLOCSPI,
+#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
+	XFRM_MSG_ACQUIRE,
+#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
+	XFRM_MSG_EXPIRE,
+#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
+
+	XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+	XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+
+	XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+	XFRM_MSG_FLUSHSA,
+#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
+	XFRM_MSG_FLUSHPOLICY,
+#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
+
+	XFRM_MSG_NEWAE,
+#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
+	XFRM_MSG_GETAE,
+#define XFRM_MSG_GETAE XFRM_MSG_GETAE
+	__XFRM_MSG_MAX
+};
+#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+
+#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+
+/*
+ * Generic LSM security context for comunicating to user space
+ * NOTE: Same format as sadb_x_sec_ctx
+ */
+struct xfrm_user_sec_ctx {
+	__u16			len;
+	__u16			exttype;
+	__u8			ctx_alg;  /* LSMs: e.g., selinux == 1 */
+	__u8			ctx_doi;
+	__u16			ctx_len;
+};
+
+struct xfrm_user_tmpl {
+	struct xfrm_id		id;
+	__u16			family;
+	xfrm_address_t		saddr;
+	__u32			reqid;
+	__u8			mode;
+	__u8			share;
+	__u8			optional;
+	__u32			aalgos;
+	__u32			ealgos;
+	__u32			calgos;
+};
+
+struct xfrm_encap_tmpl {
+	__u16		encap_type;
+	__u16		encap_sport;
+	__u16		encap_dport;
+	xfrm_address_t	encap_oa;
+};
+
+/* AEVENT flags  */
+enum xfrm_ae_ftype_t {
+	XFRM_AE_UNSPEC,
+	XFRM_AE_RTHR=1,	/* replay threshold*/
+	XFRM_AE_RVAL=2, /* replay value */
+	XFRM_AE_LVAL=4, /* lifetime value */
+	XFRM_AE_ETHR=8, /* expiry timer threshold */
+	XFRM_AE_CR=16, /* Event cause is replay update */
+	XFRM_AE_CE=32, /* Event cause is timer expiry */
+	XFRM_AE_CU=64, /* Event cause is policy update */
+	__XFRM_AE_MAX
+
+#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
+};
+
+/* Netlink message attributes.  */
+enum xfrm_attr_type_t {
+	XFRMA_UNSPEC,
+	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
+	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
+	XFRMA_ALG_COMP,		/* struct xfrm_algo */
+	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
+	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
+	XFRMA_SA,
+	XFRMA_POLICY,
+	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
+	XFRMA_LTIME_VAL,
+	XFRMA_REPLAY_VAL,
+	XFRMA_REPLAY_THRESH,
+	XFRMA_ETIMER_THRESH,
+	__XFRMA_MAX
+
+#define XFRMA_MAX (__XFRMA_MAX - 1)
+};
+
+struct xfrm_usersa_info {
+	struct xfrm_selector		sel;
+	struct xfrm_id			id;
+	xfrm_address_t			saddr;
+	struct xfrm_lifetime_cfg	lft;
+	struct xfrm_lifetime_cur	curlft;
+	struct xfrm_stats		stats;
+	__u32				seq;
+	__u32				reqid;
+	__u16				family;
+	__u8				mode; /* 0=transport,1=tunnel */
+	__u8				replay_window;
+	__u8				flags;
+#define XFRM_STATE_NOECN	1
+#define XFRM_STATE_DECAP_DSCP	2
+#define XFRM_STATE_NOPMTUDISC	4
+};
+
+struct xfrm_usersa_id {
+	xfrm_address_t			daddr;
+	__u32				spi;
+	__u16				family;
+	__u8				proto;
+};
+
+struct xfrm_aevent_id {
+	struct xfrm_usersa_id		sa_id;
+	__u32				flags;
+};
+
+struct xfrm_userspi_info {
+	struct xfrm_usersa_info		info;
+	__u32				min;
+	__u32				max;
+};
+
+struct xfrm_userpolicy_info {
+	struct xfrm_selector		sel;
+	struct xfrm_lifetime_cfg	lft;
+	struct xfrm_lifetime_cur	curlft;
+	__u32				priority;
+	__u32				index;
+	__u8				dir;
+	__u8				action;
+#define XFRM_POLICY_ALLOW	0
+#define XFRM_POLICY_BLOCK	1
+	__u8				flags;
+#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
+	__u8				share;
+};
+
+struct xfrm_userpolicy_id {
+	struct xfrm_selector		sel;
+	__u32				index;
+	__u8				dir;
+};
+
+struct xfrm_user_acquire {
+	struct xfrm_id			id;
+	xfrm_address_t			saddr;
+	struct xfrm_selector		sel;
+	struct xfrm_userpolicy_info	policy;
+	__u32				aalgos;
+	__u32				ealgos;
+	__u32				calgos;
+	__u32				seq;
+};
+
+struct xfrm_user_expire {
+	struct xfrm_usersa_info		state;
+	__u8				hard;
+};
+
+struct xfrm_user_polexpire {
+	struct xfrm_userpolicy_info	pol;
+	__u8				hard;
+};
+
+struct xfrm_usersa_flush {
+	__u8				proto;
+};
+
+/* backwards compatibility for userspace */
+#define XFRMGRP_ACQUIRE		1
+#define XFRMGRP_EXPIRE		2
+#define XFRMGRP_SA		4
+#define XFRMGRP_POLICY		8
+
+enum xfrm_nlgroups {
+	XFRMNLGRP_NONE,
+#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
+	XFRMNLGRP_ACQUIRE,
+#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
+	XFRMNLGRP_EXPIRE,
+#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
+	XFRMNLGRP_SA,
+#define XFRMNLGRP_SA		XFRMNLGRP_SA
+	XFRMNLGRP_POLICY,
+#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
+	XFRMNLGRP_AEVENTS,
+#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
+	__XFRMNLGRP_MAX
+};
+#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)
+
+#endif /* _LINUX_XFRM_H */