/*
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2012 Giuliano Grassi
* Copyright (C) 2012 Ralf Sager
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ipsec_policy_mgr ipsec_policy_mgr
* @{ @ingroup libipsec
*/
#ifndef IPSEC_POLICY_MGR_H_
#define IPSEC_POLICY_MGR_H_
#include "ipsec_policy.h"
#include "ip_packet.h"
#include <library.h>
#include <networking/host.h>
#include <collections/linked_list.h>
#include <ipsec/ipsec_types.h>
#include <selectors/traffic_selector.h>
/* Forward declaration so the method pointers in the struct below can take
 * the manager itself as their first (this) argument. */
typedef struct ipsec_policy_mgr_t ipsec_policy_mgr_t;
/**
 * IPsec policy manager
 *
 * The first methods are modeled after those in kernel_ipsec_t.
 *
 * @note Only policies of type POLICY_IPSEC are currently used, also policies
 * with direction POLICY_FWD are ignored. Any packets that do not match an
 * installed policy will be dropped, i.e. matching is default-deny: a missing
 * or too narrow policy results in dropped traffic, never in traffic passing
 * unprotected.
 */
struct ipsec_policy_mgr_t {

	/**
	 * Add a policy
	 *
	 * A policy is always associated to an SA. Traffic which matches a
	 * policy is handled by the SA with the same reqid.
	 *
	 * @param src			source address of SA
	 * @param dst			dest address of SA
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
	 * @param sa			details about the SA(s) tied to this policy
	 * @param mark			mark for this policy
	 * @param priority		priority of this policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_policy)(ipsec_policy_mgr_t *this,
						   host_t *src, host_t *dst, traffic_selector_t *src_ts,
						   traffic_selector_t *dst_ts, policy_dir_t direction,
						   policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
						   policy_priority_t priority);

	/**
	 * Remove a policy
	 *
	 * Counterpart of add_policy(); the policy is identified by the
	 * selectors, direction, reqid, mark and priority given here.
	 *
	 * @param src_ts		traffic selector to match traffic source
	 * @param dst_ts		traffic selector to match traffic dest
	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
	 * @param reqid			unique ID of the associated SA
	 * @param mark			optional mark
	 * @param priority		priority of the policy
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_policy)(ipsec_policy_mgr_t *this,
						   traffic_selector_t *src_ts,
						   traffic_selector_t *dst_ts,
						   policy_dir_t direction, u_int32_t reqid, mark_t mark,
						   policy_priority_t priority);

	/**
	 * Flush all policies
	 *
	 * Afterwards no policy is installed, so (see the note on this struct)
	 * every packet is dropped until policies are added again.
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_policies)(ipsec_policy_mgr_t *this);

	/**
	 * Find the policy that matches the given IP packet best
	 *
	 * A NULL result means no installed policy covers the packet; per the
	 * note on this struct such packets are dropped, so callers must not
	 * fall back to handling them in the clear.
	 *
	 * @param packet		IP packet to match
	 * @param inbound		TRUE for an inbound packet
	 * @param reqid			require a policy with a specific reqid, 0 for any
	 * @return				reference to the policy, or NULL if none found
	 *						(NOTE(review): presumably a counted reference the
	 *						caller has to release — confirm against the
	 *						implementation)
	 */
	ipsec_policy_t *(*find_by_packet)(ipsec_policy_mgr_t *this,
									  ip_packet_t *packet, bool inbound,
									  u_int32_t reqid);

	/**
	 * Destroy an ipsec_policy_mgr_t
	 */
	void (*destroy)(ipsec_policy_mgr_t *this);
};
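/**
 * Create an ipsec_policy_mgr instance
 *
 * The returned object is released through its destroy() method.
 *
 * @return				ipsec_policy_mgr
 */
/* (void) rather than (): an empty parameter list in a C declaration leaves
 * the arguments unchecked, so a mistaken call with arguments would compile. */
ipsec_policy_mgr_t *ipsec_policy_mgr_create(void);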
#endif /** IPSEC_POLICY_MGR_H_ @}*/