diff options
Diffstat (limited to 'src/libhydra/kernel/kernel_ipsec.h')
-rw-r--r-- | src/libhydra/kernel/kernel_ipsec.h | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index ef36efd11..ddb63283c 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2010 Tobias Brunner + * Copyright (C) 2006-2011 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -27,6 +27,7 @@ typedef enum ipsec_mode_t ipsec_mode_t; typedef enum policy_dir_t policy_dir_t; typedef enum policy_type_t policy_type_t; +typedef enum policy_priority_t policy_priority_t; typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct kernel_ipsec_t kernel_ipsec_t; typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t; @@ -36,6 +37,7 @@ typedef struct mark_t mark_t; #include <utils/host.h> #include <crypto/prf_plus.h> #include <selectors/traffic_selector.h> +#include <plugins/plugin.h> /** * Mode of an IPsec SA. @@ -47,6 +49,10 @@ enum ipsec_mode_t { MODE_TUNNEL, /** BEET mode, tunnel mode but fixed, bound inner addresses */ MODE_BEET, + /** passthrough policy for traffic without an IPsec SA */ + MODE_PASS, + /** drop policy discarding traffic */ + MODE_DROP }; /** @@ -86,6 +92,18 @@ enum policy_type_t { }; /** + * High-level priority of a policy. + */ +enum policy_priority_t { + /** Default priority */ + POLICY_PRIORITY_DEFAULT, + /** Priority for trap policies */ + POLICY_PRIORITY_ROUTED, + /** Priority for fallback drop policies */ + POLICY_PRIORITY_FALLBACK, +}; + +/** * IPComp transform IDs, as in RFC 4306 */ enum ipcomp_transform_t { @@ -288,6 +306,13 @@ struct kernel_ipsec_t { mark_t mark); /** + * Flush all SAs from the SAD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_sas) (kernel_ipsec_t *this); + + /** * Add a policy to the SPD. * * A policy is always associated to an SA. Traffic which matches a @@ -301,7 +326,7 @@ struct kernel_ipsec_t { * @param type type of policy, POLICY_(IPSEC|PASS|DROP) * @param sa details about the SA(s) tied to this policy * @param mark mark for this policy - * @param routed TRUE, if this policy is routed in the kernel + * @param priority priority of this policy * @return SUCCESS if operation completed */ status_t (*add_policy) (kernel_ipsec_t *this, @@ -309,7 +334,8 @@ struct kernel_ipsec_t { traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, policy_type_t type, - ipsec_sa_cfg_t *sa, mark_t mark, bool routed); + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); /** * Query the use time of a policy. @@ -342,15 +368,23 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) + * @param reqid unique ID of the associated SA * @param mark optional mark - * @param unrouted TRUE, if this policy is unrouted from the kernel + * @param priority priority of the policy * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_ipsec_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, mark_t mark, - bool unrouted); + policy_dir_t direction, u_int32_t reqid, + mark_t mark, policy_priority_t priority); + + /** + * Flush all policies from the SPD. + * + * @return SUCCESS if operation completed + */ + status_t (*flush_policies) (kernel_ipsec_t *this); /** * Install a bypass policy for the given socket. @@ -367,4 +401,18 @@ struct kernel_ipsec_t { void (*destroy) (kernel_ipsec_t *this); }; +/** + * Helper function to (un-)register IPsec kernel interfaces from plugin features. + * + * This function is a plugin_feature_callback_t and can be used with the + * PLUGIN_CALLBACK macro to register an IPsec kernel interface constructor. + * + * @param plugin plugin registering the kernel interface + * @param feature associated plugin feature + * @param reg TRUE to register, FALSE to unregister + * @param data data passed to callback, an kernel_ipsec_constructor_t + */ +bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature, + bool reg, void *data); + #endif /** KERNEL_IPSEC_H_ @}*/ |