diff options
Diffstat (limited to 'src/starter/confread.h')
| -rw-r--r-- | src/starter/confread.h | 136 |
1 files changed, 69 insertions, 67 deletions
diff --git a/src/starter/confread.h b/src/starter/confread.h index 9cb919ce5..0690bed4e 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -16,12 +16,14 @@ #ifndef _IPSEC_CONFREAD_H_ #define _IPSEC_CONFREAD_H_ -#ifndef _FREESWAN_H -#include <freeswan.h> -#endif +#include <kernel/kernel_ipsec.h> #include "ipsec-parser.h" -#include "interfaces.h" + +/** to mark seen keywords */ +typedef u_int64_t seen_t; +#define SEEN_NONE 0; +#define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base))) typedef enum { STARTUP_NO, @@ -39,21 +41,59 @@ typedef enum { } starter_state_t; typedef enum { - KEY_EXCHANGE_IKE, - KEY_EXCHANGE_IKEV1, - KEY_EXCHANGE_IKEV2 + /* shared with ike_version_t */ + KEY_EXCHANGE_IKE = 0, + KEY_EXCHANGE_IKEV1 = 1, + KEY_EXCHANGE_IKEV2 = 2, } keyexchange_t; typedef enum { STRICT_NO, STRICT_YES, - STRICT_IFURI + STRICT_IFURI, } strict_t; +typedef enum { + CERT_ALWAYS_SEND, + CERT_SEND_IF_ASKED, + CERT_NEVER_SEND, + CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */ + CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */ +} certpolicy_t; + +typedef enum { + DPD_ACTION_NONE, + DPD_ACTION_CLEAR, + DPD_ACTION_HOLD, + DPD_ACTION_RESTART, + DPD_ACTION_UNKNOW, +} dpd_action_t; + +typedef enum { + /* same as in ike_cfg.h */ + FRAGMENTATION_NO, + FRAGMENTATION_YES, + FRAGMENTATION_FORCE, +} fragmentation_t; + +typedef enum { + /* IPsec options */ + SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */ + SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */ + + /* IKE and other other options */ + SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */ + SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */ + SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */ + SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */ + SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */ + SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */ +} sa_option_t; + typedef struct starter_end starter_end_t; struct starter_end { - lset_t seen; + seen_t seen; char *auth; char *auth2; char *id; @@ -64,29 +104,22 @@ struct starter_end { char *ca; char *ca2; char *groups; + char *groups2; char *cert_policy; - char *iface; char *host; - ip_address addr; u_int ikeport; - ip_address nexthop; char *subnet; - bool has_client; - bool has_client_wildcard; - bool has_port_wildcard; - bool has_natip; - bool has_virt; bool modecfg; certpolicy_t sendcert; bool firewall; bool hostaccess; bool allow_any; - bool dns_failed; char *updown; - u_int16_t port; + u_int16_t from_port; + u_int16_t to_port; u_int8_t protocol; char *sourceip; - int sourceip_mask; + char *dns; }; typedef struct also also_t; @@ -100,7 +133,7 @@ struct also { typedef struct starter_conn starter_conn_t; struct starter_conn { - lset_t seen; + seen_t seen; char *name; also_t *also; kw_list_t *kw; @@ -109,35 +142,36 @@ struct starter_conn { starter_state_t state; keyexchange_t keyexchange; - u_int32_t eap_type; - u_int32_t eap_vendor; char *eap_identity; char *aaa_identity; char *xauth_identity; - lset_t policy; + char *authby; + ipsec_mode_t mode; + bool proxy_mode; + fragmentation_t fragmentation; + u_int ikedscp; + sa_option_t options; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; time_t sa_rekey_margin; - u_int64_t sa_ipsec_life_bytes; - u_int64_t sa_ipsec_margin_bytes; - u_int64_t sa_ipsec_life_packets; - u_int64_t sa_ipsec_margin_packets; + u_int64_t sa_ipsec_life_bytes; + u_int64_t sa_ipsec_margin_bytes; + u_int64_t sa_ipsec_life_packets; + u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; u_int32_t reqid; mark_t mark_in; mark_t mark_out; u_int32_t tfc; - sa_family_t addr_family; - sa_family_t tunnel_addr_family; bool install_policy; + bool aggressive; starter_end_t left, right; unsigned long id; char *esp; char *ike; - char *pfsgroup; time_t dpd_delay; time_t dpd_timeout; @@ -158,7 +192,7 @@ struct starter_conn { typedef struct starter_ca starter_ca_t; struct starter_ca { - lset_t seen; + seen_t seen; char *name; also_t *also; kw_list_t *kw; @@ -167,13 +201,11 @@ struct starter_ca { starter_state_t state; char *cacert; - char *ldaphost; - char *ldapbase; char *crluri; char *crluri2; char *ocspuri; char *ocspuri2; - char *certuribase; + char *certuribase; bool strict; @@ -184,43 +216,14 @@ typedef struct starter_config starter_config_t; struct starter_config { struct { - lset_t seen; - char **interfaces; - char *dumpdir; - bool charonstart; - bool plutostart; - - /* pluto/charon keywords */ - char **plutodebug; + seen_t seen; + bool charonstart; char *charondebug; - char *prepluto; - char *postpluto; - char *plutostderrlog; bool uniqueids; - u_int overridemtu; - time_t crlcheckinterval; bool cachecrls; strict_t strictcrlpolicy; - bool nocrsend; - bool nat_traversal; - time_t keep_alive; - u_int force_keepalive; - char *virtual_private; - char *pkcs11module; - char *pkcs11initargs; - bool pkcs11keepstate; - bool pkcs11proxy; - - /* KLIPS keywords */ - char **klipsdebug; - bool fragicmp; - char *packetdefault; - bool hidetos; } setup; - /* information about the default route */ - defaultroute_t defaultroute; - /* number of encountered parsing errors */ u_int err; u_int non_fatal_err; @@ -245,4 +248,3 @@ extern starter_config_t *confread_load(const char *file); extern void confread_free(starter_config_t *cfg); #endif /* _IPSEC_CONFREAD_H_ */ - |