author | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
commit | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch) | |
tree | 0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /src/libcharon/plugins/kernel_wfp | |
parent | 518dd33c94e041db0444c7d1f33da363bb8e3faf (diff) | |
download | vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.tar.gz vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.zip |
Imported Upstream version 5.5.0
Diffstat (limited to 'src/libcharon/plugins/kernel_wfp')
-rw-r--r-- | src/libcharon/plugins/kernel_wfp/Makefile.in | 27 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c | 260 |
2 files changed, 149 insertions, 138 deletions
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in index cfe643f26..e002b4f0d 100644 --- a/src/libcharon/plugins/kernel_wfp/Makefile.in +++ b/src/libcharon/plugins/kernel_wfp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -16,7 +16,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -81,8 +91,6 @@ build_triplet = @build@ host_triplet = @host@ noinst_PROGRAMS = ipsecdump$(EXEEXT) subdir = src/libcharon/plugins/kernel_wfp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -96,6 +104,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -211,12 +220,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -266,6 +277,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -300,6 +312,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -411,6 +424,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -479,7 +493,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_wfp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_wfp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -809,6 +822,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES tags tags-am uninstall uninstall-am \ uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index e1c429885..6ad26b72f 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -45,7 +45,7 @@ struct private_kernel_wfp_ipsec_t { /** * Mix value to distribute SPI allocation randomly */ - u_int32_t mixspi; + uint32_t mixspi; /** * IKE bypass filters, as UINT64 filter LUID @@ -103,16 +103,16 @@ struct private_kernel_wfp_ipsec_t { */ typedef struct { /** SPI for this SA */ - u_int32_t spi; + uint32_t spi; /** protocol, IPPROTO_ESP/IPPROTO_AH */ - u_int8_t protocol; + uint8_t protocol; /** hard lifetime of SA */ - u_int32_t lifetime; + uint32_t lifetime; /** destination host address for this SPI */ host_t *dst; struct { /** algorithm */ - u_int16_t alg; + uint16_t alg; /** key */ chunk_t key; } integ, encr; @@ -144,13 +144,13 @@ typedef struct { /** policy destinaiton addresses */ traffic_selector_t *dst; /** WFP allocated LUID for inbound filter ID */ - u_int64_t policy_in; + uint64_t policy_in; /** WFP allocated LUID for outbound filter ID */ - u_int64_t policy_out; + uint64_t policy_out; /** WFP allocated LUID for forward inbound filter ID, tunnel mode only */ - u_int64_t policy_fwd_in; + uint64_t policy_fwd_in; /** WFP allocated LUID for forward outbound filter ID, tunnel mode only */ - u_int64_t policy_fwd_out; + uint64_t policy_fwd_out; /** have installed a route for it? */ bool route; } sp_entry_t; @@ -170,7 +170,7 @@ static void sp_entry_destroy(sp_entry_t *sp) */ typedef struct { /** reqid of entry */ - u_int32_t reqid; + uint32_t reqid; /** outer address on local host */ host_t *local; /** outer address on remote host */ 
@@ -186,17 +186,17 @@ typedef struct { /** UDP encapsulation */ bool encap; /** provider context, for tunnel mode only */ - u_int64_t provider; + uint64_t provider; /** WFP allocated LUID for SA context */ - u_int64_t sa_id; + uint64_t sa_id; /** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */ - u_int64_t ip_ipv4_in; + uint64_t ip_ipv4_in; /** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */ - u_int64_t ip_ipv4_out; + uint64_t ip_ipv4_out; /** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */ - u_int64_t ip_ipv6_in; + uint64_t ip_ipv6_in; /** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */ - u_int64_t ip_ipv6_out; + uint64_t ip_ipv6_out; } entry_t; /** @@ -206,7 +206,7 @@ typedef struct { /** destination net of route */ host_t *dst; /** prefix length of dst */ - u_int8_t mask; + uint8_t mask; /** source address for route */ host_t *src; /** gateway of route, NULL if directly attached */ @@ -348,9 +348,9 @@ static FWPM_FILTER_CONDITION0 *append_condition(FWPM_FILTER_CONDITION0 *conds[], /** * Convert an IPv4 prefix to a host order subnet mask */ -static u_int32_t prefix2mask(u_int8_t prefix) +static uint32_t prefix2mask(uint8_t prefix) { - u_int8_t netmask[4] = {}; + uint8_t netmask[4] = {}; int i; for (i = 0; i < sizeof(netmask); i++) @@ -370,7 +370,7 @@ static u_int32_t prefix2mask(u_int8_t prefix) * Convert a 16-bit range to a WFP condition */ static void range2cond(FWPM_FILTER_CONDITION0 *cond, - u_int16_t from, u_int16_t to) + uint16_t from, uint16_t to) { if (from == to) { @@ -399,11 +399,11 @@ static bool ts2condition(traffic_selector_t *ts, const GUID *target, FWPM_FILTER_CONDITION0 *cond; FWP_BYTE_ARRAY16 *addr; FWP_RANGE0 *range; - u_int16_t from_port, to_port; + uint16_t from_port, to_port; void *from, *to; - u_int8_t proto; + uint8_t proto; host_t *net; - u_int8_t prefix; + uint8_t prefix; from = ts->get_from_address(ts).ptr; to = ts->get_to_address(ts).ptr; 
@@ -496,7 +496,7 @@ static bool ts2condition(traffic_selector_t *ts, const GUID *target, { if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS) { - u_int8_t from_type, to_type, from_code, to_code; + uint8_t from_type, to_type, from_code, to_code; from_type = traffic_selector_icmp_type(from_port); to_type = traffic_selector_icmp_type(to_port); @@ -736,7 +736,7 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp, */ static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this, host_t *local, host_t *remote, GUID *context, - bool inbound, int proto, u_int64_t *filter_id) + bool inbound, int proto, uint64_t *filter_id) { traffic_selector_t *lts, *rts; FWPM_FILTER_CONDITION0 *conds = NULL; @@ -1013,7 +1013,7 @@ static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry, .ipVersion = version, }; struct { - u_int16_t alg; + uint16_t alg; chunk_t key; } integ = {}, encr = {}; DWORD res; @@ -1099,9 +1099,9 @@ static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry, */ static void host2address6(host_t *host, void *out) { - u_int32_t *src, *dst = out; + uint32_t *src, *dst = out; - src = (u_int32_t*)host->get_address(host).ptr; + src = (uint32_t*)host->get_address(host).ptr; dst[0] = untoh32(&src[3]); dst[1] = untoh32(&src[2]); @@ -1273,7 +1273,7 @@ static bool generate_guid(private_kernel_wfp_ipsec_t *this, GUID *guid) { return FALSE; } - ok = rng->get_bytes(rng, sizeof(GUID), (u_int8_t*)guid); + ok = rng->get_bytes(rng, sizeof(GUID), (uint8_t*)guid); rng->destroy(rng); return ok; } @@ -1379,7 +1379,7 @@ static bool install_tunnel_sps(private_kernel_wfp_ipsec_t *this, entry_t *entry) * Reduce refcount, or uninstall a route if all refs gone */ static bool uninstall_route(private_kernel_wfp_ipsec_t *this, - host_t *dst, u_int8_t mask, host_t *src, host_t *gtw) + host_t *dst, uint8_t mask, host_t *src, host_t *gtw) { route_t *route, key = { .dst = dst, 
@@ -1421,7 +1421,7 @@ static bool uninstall_route(private_kernel_wfp_ipsec_t *this, * Install a single route, or refcount if exists */ static bool install_route(private_kernel_wfp_ipsec_t *this, - host_t *dst, u_int8_t mask, host_t *src, host_t *gtw) + host_t *dst, uint8_t mask, host_t *src, host_t *gtw) { route_t *route, key = { .dst = dst, @@ -1476,7 +1476,7 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this, bool add) { host_t *src, *dst, *gtw; - u_int8_t mask; + uint8_t mask; bool done; if (!dst_ts->to_subnet(dst_ts, &dst, &mask)) @@ -1489,7 +1489,7 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this, dst->destroy(dst); return FALSE; } - gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local); + gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local, NULL); if (add) { done = install_route(this, dst, mask, src, gtw); @@ -1578,7 +1578,7 @@ static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry) */ typedef struct { /** reqid this trap is installed for */ - u_int32_t reqid; + uint32_t reqid; /** is this a forward policy trap for tunnel mode? */ bool fwd; /** do we have installed a route for this trap policy? */ @@ -1629,7 +1629,7 @@ static u_int hash_trap(trap_t *trap) static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id, traffic_selector_t *src, traffic_selector_t *dst) { - u_int32_t reqid = 0; + uint32_t reqid = 0; trap_t *trap, key = { .filter_id = filter_id, }; @@ -1654,7 +1654,7 @@ static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id, * Create a single host traffic selector from an FWP address definition */ static traffic_selector_t *addr2ts(FWP_IP_VERSION version, void *data, - u_int8_t protocol, u_int16_t from_port, u_int16_t to_port) + uint8_t protocol, uint16_t from_port, uint16_t to_port) { ts_type_t type; UINT32 ints[4]; 
@@ -1689,9 +1689,9 @@ static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event) { private_kernel_wfp_ipsec_t *this = user; traffic_selector_t *local = NULL, *remote = NULL; - u_int8_t protocol = 0; - u_int16_t from_local = 0, to_local = 65535; - u_int16_t from_remote = 0, to_remote = 65535; + uint8_t protocol = 0; + uint16_t from_local = 0, to_local = 65535; + uint16_t from_remote = 0, to_remote = 65535; if ((event->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET) && (event->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET)) @@ -1861,7 +1861,7 @@ static bool uninstall_trap(private_kernel_wfp_ipsec_t *this, trap_t *trap) * Create and install a new trap entry */ static bool add_trap(private_kernel_wfp_ipsec_t *this, - u_int32_t reqid, bool fwd, host_t *local, host_t *remote, + uint32_t reqid, bool fwd, host_t *local, host_t *remote, traffic_selector_t *src, traffic_selector_t *dst) { trap_t *trap; @@ -1893,7 +1893,7 @@ static bool add_trap(private_kernel_wfp_ipsec_t *this, * Uninstall and remove a new trap entry */ static bool remove_trap(private_kernel_wfp_ipsec_t *this, - u_int32_t reqid, bool fwd, + uint32_t reqid, bool fwd, traffic_selector_t *src, traffic_selector_t *dst) { enumerator_t *enumerator; @@ -1949,10 +1949,10 @@ static bool init_spi(private_kernel_wfp_ipsec_t *this) { return FALSE; } - ok = rng->get_bytes(rng, sizeof(this->nextspi), (u_int8_t*)&this->nextspi); + ok = rng->get_bytes(rng, sizeof(this->nextspi), (uint8_t*)&this->nextspi); if (ok) { - ok = rng->get_bytes(rng, sizeof(this->mixspi), (u_int8_t*)&this->mixspi); + ok = rng->get_bytes(rng, sizeof(this->mixspi), (uint8_t*)&this->mixspi); } rng->destroy(rng); return ok; @@ -1966,7 +1966,7 @@ static u_int permute(u_int x, u_int p) u_int qr; x = x % p; - qr = ((u_int64_t)x * x) % p; + qr = ((uint64_t)x * x) % p; if (x <= p / 2) { return qr; 
@@ -1976,7 +1976,7 @@ static u_int permute(u_int x, u_int p) METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int8_t protocol, u_int32_t *spi) + uint8_t protocol, uint32_t *spi) { /* To avoid sequencial SPIs, we use a one-to-one permuation function on * an incrementing counter, that is a full period PRNG for the range we @@ -1993,7 +1993,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int16_t *cpi) + uint16_t *cpi) { return NOT_SUPPORTED; } @@ -2005,7 +2005,7 @@ typedef struct { /* backref to kernel backend */ private_kernel_wfp_ipsec_t *this; /* SPI of expiring SA */ - u_int32_t spi; + uint32_t spi; /* destination address of expiring SA */ host_t *dst; /* is this a hard expire, or a rekey request? */ @@ -2027,7 +2027,7 @@ static void expire_data_destroy(expire_data_t *data) static job_requeue_t expire_job(expire_data_t *data) { private_kernel_wfp_ipsec_t *this = data->this; - u_int8_t protocol; + uint8_t protocol; entry_t *entry = NULL; sa_entry_t key = { .spi = data->spi, @@ -2074,8 +2074,8 @@ static job_requeue_t expire_job(expire_data_t *data) /** * Schedule an expire event for an SA */ -static void schedule_expire(private_kernel_wfp_ipsec_t *this, u_int32_t spi, - host_t *dst, u_int32_t lifetime, bool hard) +static void schedule_expire(private_kernel_wfp_ipsec_t *this, uint32_t spi, + host_t *dst, uint32_t lifetime, bool hard) { expire_data_t *data; 
@@ -2093,57 +2093,55 @@ static void schedule_expire(private_kernel_wfp_ipsec_t *this, u_int32_t spi, } METHOD(kernel_ipsec_t, add_sa, status_t, - private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window, - bool initiator, bool encap, bool esn, bool inbound, bool update, - linked_list_t *src_ts, linked_list_t *dst_ts) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data) { host_t *local, *remote; entry_t *entry; - if (inbound) + if (data->inbound) { /* comes first, create new entry */ - local = dst->clone(dst); - remote = src->clone(src); + local = id->dst->clone(id->dst); + remote = id->src->clone(id->src); INIT(entry, - .reqid = reqid, + .reqid = data->reqid, .isa = { - .spi = spi, + .spi = id->spi, .dst = local, - .protocol = protocol, - .lifetime = lifetime->time.life, + .protocol = id->proto, + .lifetime = data->lifetime->time.life, .encr = { - .alg = enc_alg, - .key = chunk_clone(enc_key), + .alg = data->enc_alg, + .key = chunk_clone(data->enc_key), }, .integ = { - .alg = int_alg, - .key = chunk_clone(int_key), + .alg = data->int_alg, + .key = chunk_clone(data->int_key), }, }, .sps = array_create(0, 0), .local = local, .remote = remote, - .mode = mode, - .encap = encap, + .mode = data->mode, + .encap = data->encap, ); - if (lifetime->time.life) + if (data->lifetime->time.life) { - schedule_expire(this, spi, local, lifetime->time.life, TRUE); + schedule_expire(this, id->spi, local, + data->lifetime->time.life, TRUE); } - if (lifetime->time.rekey && lifetime->time.rekey != lifetime->time.life) + if (data->lifetime->time.rekey && + data->lifetime->time.rekey != data->lifetime->time.life) { - schedule_expire(this, spi, local, lifetime->time.rekey, FALSE); + 
schedule_expire(this, id->spi, local, + data->lifetime->time.rekey, FALSE); } this->mutex->lock(this->mutex); - this->tsas->put(this->tsas, (void*)(uintptr_t)reqid, entry); + this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry); this->isas->put(this->isas, &entry->isa, entry); this->mutex->unlock(this->mutex); } @@ -2151,29 +2149,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { /* comes after inbound, update entry */ this->mutex->lock(this->mutex); - entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)reqid); + entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)data->reqid); this->mutex->unlock(this->mutex); if (!entry) { DBG1(DBG_KNL, "adding outbound SA failed, no inbound SA found " - "for reqid %u ", reqid); + "for reqid %u ", data->reqid); return NOT_FOUND; } /* TODO: should we check for local/remote, mode etc.? */ entry->osa = (sa_entry_t){ - .spi = spi, + .spi = id->spi, .dst = entry->remote, - .protocol = protocol, - .lifetime = lifetime->time.life, + .protocol = id->proto, + .lifetime = data->lifetime->time.life, .encr = { - .alg = enc_alg, - .key = chunk_clone(enc_key), + .alg = data->enc_alg, + .key = chunk_clone(data->enc_key), }, .integ = { - .alg = int_alg, - .key = chunk_clone(int_key), + .alg = data->int_alg, + .key = chunk_clone(data->int_key), }, }; @@ -2186,14 +2184,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } METHOD(kernel_ipsec_t, update_sa, status_t, - private_kernel_wfp_ipsec_t *this, u_int32_t spi, u_int8_t protocol, - u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap, mark_t mark) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_update_sa_t *data) { entry_t *entry; sa_entry_t key = { - .dst = dst, - .spi = spi, + .dst = id->dst, + .spi = id->spi, }; UINT64 sa_id = 0; IPSEC_SA_CONTEXT1 *ctx; 
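Review bot: In the inbound branch the freshly built entry is stored with `this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry);` and the value put() hands back (the entry it replaced, per hashtable_t) is discarded, so an earlier entry parked under the same reqid — an inbound SA whose outbound counterpart never arrived, or a concurrent install sharing the reqid — is silently dropped together with its cloned `enc_key`/`int_key` chunks. Whether charon can issue two inbound add_sa calls for one reqid before the matching outbound call is not visible here, but the table encodes that assumption and should at least surface a violation. Capture the result, `entry_t *old = this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry);`, and when `old` is non-NULL log it at DBG1 and release it through the plugin's entry destructor instead of leaking it. add_sa continues into the next hunk.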
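Review bot: The outbound branch still pairs the outbound SA with an inbound one by reqid alone, `entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)data->reqid);`, and the `/* TODO: should we check for local/remote, mode etc.? */` survives the refactor even though `id->src`, `id->dst` and `data->mode` are now right there in the argument structs. If two CHILD_SAs sharing a reqid are being installed at the same time (strongSwan reuses reqids for SAs with identical selectors, e.g. during a rekey collision — inferred, not visible in this diff), an outbound SA can be attached to the wrong inbound entry and the WFP SA context ends up carrying one direction's keys under the other's addresses. A cheap guard before `entry->osa` is filled in is `if (!id->src->ip_equals(id->src, entry->local) || !id->dst->ip_equals(id->dst, entry->remote) || data->mode != entry->mode)`, logging the mismatch and returning INVALID_ARG; because the entry has already been pulled out of `tsas`, that failure path must put it back under the mutex or destroy it. The tail of add_sa lies outside this hunk.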
@@ -2233,16 +2230,16 @@ METHOD(kernel_ipsec_t, update_sa, status_t, DBG1(DBG_KNL, "getting WFP SA context for updated failed: 0x%08x", res); return FAILED; } - if (!hosts2traffic(this, new_dst, new_src, &ctx->inboundSa->traffic) || - !hosts2traffic(this, new_dst, new_src, &ctx->outboundSa->traffic)) + if (!hosts2traffic(this, data->new_dst, data->new_src, &ctx->inboundSa->traffic) || + !hosts2traffic(this, data->new_dst, data->new_src, &ctx->outboundSa->traffic)) { FwpmFreeMemory0((void**)&ctx); return FAILED; } - if (new_encap != encap) + if (data->new_encap != data->encap) { - if (new_encap) + if (data->new_encap) { ctx->inboundSa->udpEncapsulation = &ports; ctx->outboundSa->udpEncapsulation = &ports; @@ -2273,8 +2270,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t, entry->local->destroy(entry->local); entry->remote->destroy(entry->remote); - entry->local = new_dst->clone(new_dst); - entry->remote = new_src->clone(new_src); + entry->local = data->new_dst->clone(data->new_dst); + entry->remote = data->new_src->clone(data->new_src); entry->isa.dst = entry->local; entry->osa.dst = entry->remote; @@ -2290,9 +2287,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, } METHOD(kernel_ipsec_t, query_sa, status_t, - private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes, - u_int64_t *packets, time_t *time) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, + time_t *time) { /* It does not seem that WFP provides any means of getting per-SA traffic * statistics. IPsecGetStatistics0/1() provides global stats, and 
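Review bot: The two rewritten `hosts2traffic()` calls, `if (!hosts2traffic(this, data->new_dst, data->new_src, &ctx->inboundSa->traffic) ||` and its `outboundSa` twin, run well past the 80-column limit the rest of this file keeps (every other multi-argument call touched by this change is wrapped). Break each call after `data->new_src,` and place the `&ctx->...->traffic)` argument on a continuation line aligned under the first argument, the way the `schedule_expire()` calls in add_sa are wrapped. Purely cosmetic; the UDP-encapsulation switch below it is unaffected, and update_sa continues outside this hunk.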
@@ -2302,13 +2299,13 @@ METHOD(kernel_ipsec_t, query_sa, status_t, } METHOD(kernel_ipsec_t, del_sa, status_t, - private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id, + kernel_ipsec_del_sa_t *data) { entry_t *entry; sa_entry_t key = { - .dst = dst, - .spi = spi, + .dst = id->dst, + .spi = id->spi, }; this->mutex->lock(this->mutex); @@ -2341,25 +2338,23 @@ METHOD(kernel_ipsec_t, flush_sas, status_t, } METHOD(kernel_ipsec_t, add_policy, status_t, - private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, - policy_priority_t priority) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { status_t status = SUCCESS; entry_t *entry; sp_entry_t *sp; sa_entry_t key = { - .spi = sa->esp.use ? sa->esp.spi : sa->ah.spi, - .dst = dst, + .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi, + .dst = data->dst, }; - if (sa->esp.use && sa->ah.use) + if (data->sa->esp.use && data->sa->ah.use) { return NOT_SUPPORTED; } - switch (type) + switch (data->type) { case POLICY_IPSEC: break; @@ -2368,7 +2363,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, return NOT_SUPPORTED; } - switch (direction) + switch (id->dir) { case POLICY_OUT: break; 
@@ -2380,18 +2375,20 @@ METHOD(kernel_ipsec_t, add_policy, status_t, return NOT_SUPPORTED; } - switch (priority) + switch (data->prio) { case POLICY_PRIORITY_DEFAULT: break; case POLICY_PRIORITY_ROUTED: - if (!add_trap(this, sa->reqid, FALSE, src, dst, src_ts, dst_ts)) + if (!add_trap(this, data->sa->reqid, FALSE, data->src, data->dst, + id->src_ts, id->dst_ts)) { return FAILED; } - if (sa->mode == MODE_TUNNEL) + if (data->sa->mode == MODE_TUNNEL) { - if (!add_trap(this, sa->reqid, TRUE, src, dst, src_ts, dst_ts)) + if (!add_trap(this, data->sa->reqid, TRUE, data->src, data->dst, + id->src_ts, id->dst_ts)) { return FAILED; } @@ -2406,14 +2403,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t, entry = this->osas->get(this->osas, &key); if (entry) { - if (sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0) + if (data->sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0) { INIT(sp, - .src = src_ts->clone(src_ts), - .dst = dst_ts->clone(dst_ts), + .src = id->src_ts->clone(id->src_ts), + .dst = id->dst_ts->clone(id->dst_ts), ); array_insert(entry->sps, -1, sp); - if (array_count(entry->sps) == sa->policy_count) + if (array_count(entry->sps) == data->sa->policy_count) { if (!install(this, entry)) { 
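Review bot: In the `POLICY_PRIORITY_ROUTED` case the tunnel-mode forward trap is installed after the plain one, but when the second `add_trap(this, data->sa->reqid, TRUE, ...)` fails the function returns FAILED with the first trap still registered, leaving an orphaned WFP filter and `trap_t` entry that nothing owns. Whether the caller issues a del_policy after a FAILED add_policy is not visible here; del_policy in this same change only runs on a later explicit policy removal, so the leak persists until then at best. Undo the first step before giving up: `remove_trap(this, data->sa->reqid, FALSE, id->src_ts, id->dst_ts);` immediately ahead of that `return FAILED;`. add_policy continues into the following hunks.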
@@ -2442,25 +2439,24 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } METHOD(kernel_ipsec_t, query_policy, status_t, - private_kernel_wfp_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, - time_t *use_time) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_query_policy_t *data, time_t *use_time) { /* see query_sa() for some notes */ return NOT_SUPPORTED; } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, - traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, - mark_t mark, policy_priority_t priority) + private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id, + kernel_ipsec_manage_policy_t *data) { - if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED) + if (id->dir == POLICY_OUT && data->prio == POLICY_PRIORITY_ROUTED) { - if (remove_trap(this, sa->reqid, FALSE, src_ts, dst_ts)) + if (remove_trap(this, data->sa->reqid, FALSE, id->src_ts, + id->dst_ts)) { - remove_trap(this, sa->reqid, TRUE, src_ts, dst_ts); + remove_trap(this, data->sa->reqid, TRUE, id->src_ts, + id->dst_ts); return SUCCESS; } return NOT_FOUND; @@ -2479,7 +2475,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t, * Add a bypass policy for a specific UDP port */ static bool add_bypass(private_kernel_wfp_ipsec_t *this, - int family, u_int16_t port, bool inbound, UINT64 *luid) + int family, uint16_t port, bool inbound, UINT64 *luid) { FWPM_FILTER_CONDITION0 *cond, *conds = NULL; int count = 0; @@ -2547,7 +2543,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } saddr; int addrlen = sizeof(saddr); UINT64 filter_out, filter_in = 0; - u_int16_t port; + uint16_t port; if (getsockname(fd, &saddr.sa, &addrlen) == SOCKET_ERROR) { 
@@ -2584,7 +2580,7 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, } METHOD(kernel_ipsec_t, enable_udp_decap, bool, - private_kernel_wfp_ipsec_t *this, int fd, int family, u_int16_t port) + private_kernel_wfp_ipsec_t *this, int fd, int family, uint16_t port) { return FALSE; } |