/* declarations of routines that interface with the kernel's IPsec mechanism
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "connections.h"
/* Whether the running kernel can actually perform IPCOMP (IP payload
 * compression). Presumably probed when the kernel interface is initialised
 * and consulted before compression is proposed or an IPCOMP SA is installed —
 * confirm against the definition in the kernel interface code.
 */
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
/* Declare eroute things early enough for uses.
*
* Flags are encoded above the low-order byte of verbs.
* "real" eroutes are only outbound. Inbound eroutes don't exist,
* but an addflow with an INBOUND flag allows IPIP tunnels to be
* limited to appropriate source and destination addresses.
*
* An eroute operation word is therefore (verb | (flags << ERO_FLAG_SHIFT)):
* `op & ERO_MASK` recovers the SADB_X_* verb, `op >> ERO_FLAG_SHIFT` the
* SADB_X_SAFLAGS_* flags. The SADB_X_* names are PF_KEY extensions declared
* in headers not visible here.
*/
#define ERO_MASK 0xFF /* low byte of an operation word: the verb */
#define ERO_FLAG_SHIFT 8 /* flags occupy the bits above the verb byte */
#define ERO_DELETE SADB_X_DELFLOW
#define ERO_ADD SADB_X_ADDFLOW
/* ADDFLOW with the REPLACEFLOW flag: presumably overwrites an already
* installed eroute instead of failing because one exists — confirm against
* the kernel-side handling of SADB_X_SAFLAGS_REPLACEFLOW. */
#define ERO_REPLACE (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
/* One protocol layer of an SA bundle as described to the PF_KEY code: which
 * protocol, how it is encapsulated, and which request id it belongs to.
 * NOTE(review): the value domains (IPPROTO_*? ENCAPSULATION_MODE_*?) are not
 * visible in this header — confirm against the code that fills these in.
 */
struct pfkey_proto_info {
int proto; /* protocol of this layer */
int encapsulation; /* encapsulation mode for this layer (tunnel/transport, presumably) */
unsigned reqid; /* request id, presumably the PF_KEY reqid tying the layer's SA to its policy */
};
/* PF_KEY message header (RFC 2367). Forward-declared so this header can name
 * it in pointers without pulling in the PF_KEY headers — presumably; confirm. */
struct sadb_msg;
/* Everything needed to describe one IPsec SA to the kernel.
 *
 * All pointer members point at storage owned elsewhere: nothing in this
 * header shows the struct owning or freeing them — confirm lifetimes with the
 * callers that build it. authkey/enckey hold raw key material whose length is
 * given by the matching *keylen field (they are byte buffers, not C strings);
 * treat them as secrets when logging or copying.
 */
struct kernel_sa {
const ip_address *src; /* SA endpoint addresses */
const ip_address *dst;
const ip_subnet *src_client; /* client subnets the SA carries traffic for (presumably the traffic selectors) */
const ip_subnet *dst_client;
ipsec_spi_t spi; /* Security Parameter Index */
unsigned proto; /* protocol of the SA (AH/ESP/IPCOMP/IPIP per the EM_MAXRELSPIS note below — confirm) */
unsigned satype; /* PF_KEY SA type (SADB_SATYPE_*, presumably) */
unsigned transport_proto; /* upper-layer protocol selector; 0 for "any", presumably — confirm */
unsigned replay_window; /* anti-replay window size */
unsigned reqid; /* request id linking this SA to its policy (see pfkey_proto_info.reqid) */
unsigned authalg; /* authentication algorithm id */
unsigned authkeylen; /* length of authkey in bytes — authkey is NOT NUL-terminated */
char *authkey; /* raw authentication key material (secret) */
unsigned encalg; /* encryption algorithm id */
unsigned enckeylen; /* length of enckey in bytes — enckey is NOT NUL-terminated */
char *enckey; /* raw encryption key material (secret) */
unsigned compalg; /* compression algorithm id (IPCOMP) */
int encapsulation; /* encapsulation mode (tunnel/transport, presumably) */
u_int16_t natt_sport, natt_dport; /* NAT traversal (UDP encapsulation) ports, presumably — confirm */
u_int8_t transid, natt_type; /* transform id and NAT-T encapsulation type, presumably — confirm */
ip_address *natt_oa; /* NAT-T original address, presumably — confirm */
const char *text_said; /* textual SA identifier, presumably for log messages */
};
/* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
* Is there a PF_KEY equivalent?
*/
#ifndef EM_MAXRELSPIS
/* Fallback when the netlink header that defines it is not included: room for
 * one SA each of AH, ESP, IPCOMP and IPIP. Keep in step with the kernel's
 * value if that ever changes, since it bounds how many SAs form one group. */
# define EM_MAXRELSPIS 4 /* AH ESP IPCOMP IPIP */
#endif
/* Record an opportunistic-encryption flow between the two subnets (restricted
 * to transport_proto) and initiate negotiation for it. `why` is a
 * human-readable reason string, presumably for logging. What is installed in
 * the kernel to trap the flow is decided by the implementation, not here.
 */
extern void record_and_initiate_opportunistic(const ip_subnet *
, const ip_subnet *
, int transport_proto
, const char *why);
/* Bring the kernel IPsec interface up, and tear it down again at shutdown. */
extern void init_kernel(void);
extern void kernel_finalize(void);
/* Install a trap eroute for c so that matching traffic triggers negotiation.
 * Returns false if the kernel operation failed (presumably — confirm). */
extern bool trap_connection(struct connection *c);
/* Remove the routing and eroutes set up for c. */
extern void unroute_connection(struct connection *c);
/* Take ownership of the kernel hold for the flow src->dst/transport_proto on
 * behalf of connection c and its spd_route sr. A false return means the hold
 * could not be assigned (presumably — confirm). */
extern bool assign_hold(struct connection *c
, struct spd_route *sr
, int transport_proto
, const ip_address *src, const ip_address *dst);
/* The special SPI encoding c's shunt policy. `prospective` selects the policy
 * to apply while negotiation is pending rather than after it has failed —
 * presumably; confirm against the implementation. */
extern ipsec_spi_t shunt_policy_spi(struct connection *c, bool prospective);
struct state; /* forward declaration of tag */
/* Choose an SPI for a new SA of protocol `proto` for spd_route sr, in tunnel
 * or transport mode. `avoid` is a value that must not be returned
 * (presumably one already in use, so kernel SAs cannot collide — confirm). */
extern ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid
, int proto
, struct spd_route *sr
, bool tunnel_mode);
/* Choose a CPI (compression parameter index) for an IPCOMP SA; returned in an
 * ipsec_spi_t, so it is the IPCOMP analogue of get_ipsec_spi. */
extern ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel_mode);
/* Install the SAs of state st into the kernel. install_inbound_ipsec_sa covers
 * only the inbound direction; install_ipsec_sa covers outbound and, when
 * inbound_also is set, inbound as well. False means installation failed
 * (presumably — confirm). */
extern bool install_inbound_ipsec_sa(struct state *st);
extern bool install_ipsec_sa(struct state *st, bool inbound_also);
/* Remove st's SAs from the kernel; inbound_only restricts removal to the
 * inbound half. */
extern void delete_ipsec_sa(struct state *st, bool inbound_only);
/* Set up the route and the eroute for spd_route sr of connection c, carried by
 * state st. False if either step failed (presumably — confirm). */
extern bool route_and_eroute(struct connection *c
, struct spd_route *sr
, struct state *st);
/* Whether st's eroute has been idle for at least idle_max seconds (time_t).
 * idle_time, when non-NULL, presumably receives the measured idle time —
 * confirm the out-parameter contract against the implementation. */
extern bool was_eroute_idle(struct state *st, time_t idle_max
, time_t *idle_time);
/* Query the kernel for st's inbound (or outbound) SA: byte count into *bytes
 * and last use time into *use_time. False if the kernel could not report
 * (presumably — confirm). */
extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
, time_t *use_time);
/* Push updated parameters for st's existing SA to the kernel; what changes are
 * supported is not visible here — confirm. False on failure, presumably. */
extern bool update_ipsec_sa(struct state *st);