Imported Upstream version 4.6.4

author: Yves-Alexis Perez <corsac@corsac.net> 2012-06-28 21:16:07 +0200
committer: Yves-Alexis Perez <corsac@corsac.net> 2012-06-28 21:16:07 +0200
commit: b34738ed08c2227300d554b139e2495ca5da97d6 (patch)
tree: 62f33b52820f2e49f0e53c0f8c636312037c8054 /src/libhydra/kernel/kernel_ipsec.h
parent: 0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff)
download: vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.tar.gz
vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.zip
1 files changed, 54 insertions, 6 deletions
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index ef36efd11..ddb63283c 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2011 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -27,6 +27,7 @@
 typedef enum ipsec_mode_t ipsec_mode_t;
 typedef enum policy_dir_t policy_dir_t;
 typedef enum policy_type_t policy_type_t;
+typedef enum policy_priority_t policy_priority_t;
 typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
 typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
@@ -36,6 +37,7 @@ typedef struct mark_t mark_t;
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
 #include <selectors/traffic_selector.h>
+#include <plugins/plugin.h>
 
 /**
  * Mode of an IPsec SA.
@@ -47,6 +49,10 @@ enum ipsec_mode_t {
 	MODE_TUNNEL,
 	/** BEET mode, tunnel mode but fixed, bound inner addresses */
 	MODE_BEET,
+	/** passthrough policy for traffic without an IPsec SA */
+	MODE_PASS,
+	/** drop policy discarding traffic */
+	MODE_DROP
 };
 
 /**
@@ -86,6 +92,18 @@ enum policy_type_t {
 };
 
 /**
+ * High-level priority of a policy.
+ */
+enum policy_priority_t {
+	/** Default priority */
+	POLICY_PRIORITY_DEFAULT,
+	/** Priority for trap policies */
+	POLICY_PRIORITY_ROUTED,
+	/** Priority for fallback drop policies */
+	POLICY_PRIORITY_FALLBACK,
+};
+
+/**
  * IPComp transform IDs, as in RFC 4306
  */
 enum ipcomp_transform_t {
@@ -288,6 +306,13 @@ struct kernel_ipsec_t {
 						mark_t mark);
 
 	/**
+	 * Flush all SAs from the SAD.
+	 *
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*flush_sas) (kernel_ipsec_t *this);
+
+	/**
 	 * Add a policy to the SPD.
 	 *
 	 * A policy is always associated to an SA. Traffic which matches a
@@ -301,7 +326,7 @@ struct kernel_ipsec_t {
 	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
 	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			mark for this policy
-	 * @param routed		TRUE, if this policy is routed in the kernel
+	 * @param priority		priority of this policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*add_policy) (kernel_ipsec_t *this,
@@ -309,7 +334,8 @@ struct kernel_ipsec_t {
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, policy_type_t type,
-							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
+							ipsec_sa_cfg_t *sa, mark_t mark,
+							policy_priority_t priority);
 
 	/**
 	 * Query the use time of a policy.
@@ -342,15 +368,23 @@ struct kernel_ipsec_t {
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param reqid			unique ID of the associated SA
 	 * @param mark			optional mark
-	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
+	 * @param priority		priority of the policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy) (kernel_ipsec_t *this,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, mark_t mark,
-							bool unrouted);
+							policy_dir_t direction, u_int32_t reqid,
+							mark_t mark, policy_priority_t priority);
+
+	/**
+	 * Flush all policies from the SPD.
+	 *
+	 * @return				SUCCESS if operation completed
+	 */
+	status_t (*flush_policies) (kernel_ipsec_t *this);
 
 	/**
 	 * Install a bypass policy for the given socket.
@@ -367,4 +401,18 @@ struct kernel_ipsec_t {
 	void (*destroy) (kernel_ipsec_t *this);
 };
 
+/**
+ * Helper function to (un-)register IPsec kernel interfaces from plugin features.
+ *
+ * This function is a plugin_feature_callback_t and can be used with the
+ * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor.
+ *
+ * @param plugin		plugin registering the kernel interface
+ * @param feature		associated plugin feature
+ * @param reg			TRUE to register, FALSE to unregister
+ * @param data			data passed to callback, an kernel_ipsec_constructor_t
+ */
+bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
+						   bool reg, void *data);
+
 #endif /** KERNEL_IPSEC_H_ @}*/
author	Yves-Alexis Perez <corsac@corsac.net>	2012-06-28 21:16:07 +0200
committer	Yves-Alexis Perez <corsac@corsac.net>	2012-06-28 21:16:07 +0200
commit	b34738ed08c2227300d554b139e2495ca5da97d6 (patch)
tree	62f33b52820f2e49f0e53c0f8c636312037c8054 /src/libhydra/kernel/kernel_ipsec.h
parent	0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff)
download	vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.tar.gz vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.zip