xfrm.h (12433B)
1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2#ifndef _LINUX_XFRM_H 3#define _LINUX_XFRM_H 4 5#include <linux/in6.h> 6#include <linux/types.h> 7 8/* All of the structures in this file may not change size as they are 9 * passed into the kernel from userspace via netlink sockets. 10 */ 11 12/* Structure to encapsulate addresses. I do not want to use 13 * "standard" structure. My apologies. 14 */ 15typedef union { 16 __be32 a4; 17 __be32 a6[4]; 18 struct in6_addr in6; 19} xfrm_address_t; 20 21/* Ident of a specific xfrm_state. It is used on input to lookup 22 * the state by (spi,daddr,ah/esp) or to store information about 23 * spi, protocol and tunnel address on output. 24 */ 25struct xfrm_id { 26 xfrm_address_t daddr; 27 __be32 spi; 28 __u8 proto; 29}; 30 31struct xfrm_sec_ctx { 32 __u8 ctx_doi; 33 __u8 ctx_alg; 34 __u16 ctx_len; 35 __u32 ctx_sid; 36 char ctx_str[0]; 37}; 38 39/* Security Context Domains of Interpretation */ 40#define XFRM_SC_DOI_RESERVED 0 41#define XFRM_SC_DOI_LSM 1 42 43/* Security Context Algorithms */ 44#define XFRM_SC_ALG_RESERVED 0 45#define XFRM_SC_ALG_SELINUX 1 46 47/* Selector, used as selector both on policy rules (SPD) and SAs. */ 48 49struct xfrm_selector { 50 xfrm_address_t daddr; 51 xfrm_address_t saddr; 52 __be16 dport; 53 __be16 dport_mask; 54 __be16 sport; 55 __be16 sport_mask; 56 __u16 family; 57 __u8 prefixlen_d; 58 __u8 prefixlen_s; 59 __u8 proto; 60 int ifindex; 61 __kernel_uid32_t user; 62}; 63 64#define XFRM_INF (~(__u64)0) 65 66struct xfrm_lifetime_cfg { 67 __u64 soft_byte_limit; 68 __u64 hard_byte_limit; 69 __u64 soft_packet_limit; 70 __u64 hard_packet_limit; 71 __u64 soft_add_expires_seconds; 72 __u64 hard_add_expires_seconds; 73 __u64 soft_use_expires_seconds; 74 __u64 hard_use_expires_seconds; 75}; 76 77struct xfrm_lifetime_cur { 78 __u64 bytes; 79 __u64 packets; 80 __u64 add_time; 81 __u64 use_time; 82}; 83 84struct xfrm_replay_state { 85 __u32 oseq; 86 __u32 seq; 87 __u32 bitmap; 88}; 89 90#define XFRMA_REPLAY_ESN_MAX 4096 91 92struct xfrm_replay_state_esn { 93 unsigned int bmp_len; 94 __u32 oseq; 95 __u32 seq; 96 __u32 oseq_hi; 97 __u32 seq_hi; 98 __u32 replay_window; 99 __u32 bmp[0]; 100}; 101 102struct xfrm_algo { 103 char alg_name[64]; 104 unsigned int alg_key_len; /* in bits */ 105 char alg_key[0]; 106}; 107 108struct xfrm_algo_auth { 109 char alg_name[64]; 110 unsigned int alg_key_len; /* in bits */ 111 unsigned int alg_trunc_len; /* in bits */ 112 char alg_key[0]; 113}; 114 115struct xfrm_algo_aead { 116 char alg_name[64]; 117 unsigned int alg_key_len; /* in bits */ 118 unsigned int alg_icv_len; /* in bits */ 119 char alg_key[0]; 120}; 121 122struct xfrm_stats { 123 __u32 replay_window; 124 __u32 replay; 125 __u32 integrity_failed; 126}; 127 128enum { 129 XFRM_POLICY_TYPE_MAIN = 0, 130 XFRM_POLICY_TYPE_SUB = 1, 131 XFRM_POLICY_TYPE_MAX = 2, 132 XFRM_POLICY_TYPE_ANY = 255 133}; 134 135enum { 136 XFRM_POLICY_IN = 0, 137 XFRM_POLICY_OUT = 1, 138 XFRM_POLICY_FWD = 2, 139 XFRM_POLICY_MASK = 3, 140 XFRM_POLICY_MAX = 3 141}; 142 143enum { 144 XFRM_SHARE_ANY, /* No limitations */ 145 XFRM_SHARE_SESSION, /* For this session only */ 146 XFRM_SHARE_USER, /* For this user only */ 147 XFRM_SHARE_UNIQUE /* Use once */ 148}; 149 150#define XFRM_MODE_TRANSPORT 0 151#define XFRM_MODE_TUNNEL 1 152#define XFRM_MODE_ROUTEOPTIMIZATION 2 153#define XFRM_MODE_IN_TRIGGER 3 154#define XFRM_MODE_BEET 4 155#define XFRM_MODE_MAX 5 156 157/* Netlink configuration messages. */ 158enum { 159 XFRM_MSG_BASE = 0x10, 160 161 XFRM_MSG_NEWSA = 0x10, 162#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA 163 XFRM_MSG_DELSA, 164#define XFRM_MSG_DELSA XFRM_MSG_DELSA 165 XFRM_MSG_GETSA, 166#define XFRM_MSG_GETSA XFRM_MSG_GETSA 167 168 XFRM_MSG_NEWPOLICY, 169#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY 170 XFRM_MSG_DELPOLICY, 171#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY 172 XFRM_MSG_GETPOLICY, 173#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY 174 175 XFRM_MSG_ALLOCSPI, 176#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI 177 XFRM_MSG_ACQUIRE, 178#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE 179 XFRM_MSG_EXPIRE, 180#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE 181 182 XFRM_MSG_UPDPOLICY, 183#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY 184 XFRM_MSG_UPDSA, 185#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA 186 187 XFRM_MSG_POLEXPIRE, 188#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE 189 190 XFRM_MSG_FLUSHSA, 191#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA 192 XFRM_MSG_FLUSHPOLICY, 193#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY 194 195 XFRM_MSG_NEWAE, 196#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE 197 XFRM_MSG_GETAE, 198#define XFRM_MSG_GETAE XFRM_MSG_GETAE 199 200 XFRM_MSG_REPORT, 201#define XFRM_MSG_REPORT XFRM_MSG_REPORT 202 203 XFRM_MSG_MIGRATE, 204#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE 205 206 XFRM_MSG_NEWSADINFO, 207#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO 208 XFRM_MSG_GETSADINFO, 209#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO 210 211 XFRM_MSG_NEWSPDINFO, 212#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO 213 XFRM_MSG_GETSPDINFO, 214#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO 215 216 XFRM_MSG_MAPPING, 217#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING 218 219 XFRM_MSG_SETDEFAULT, 220#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT 221 XFRM_MSG_GETDEFAULT, 222#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT 223 __XFRM_MSG_MAX 224}; 225#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) 226 227#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE) 228 229/* 230 * Generic LSM security context for comunicating to user space 231 * NOTE: Same format as sadb_x_sec_ctx 232 */ 233struct xfrm_user_sec_ctx { 234 __u16 len; 235 __u16 exttype; 236 __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */ 237 __u8 ctx_doi; 238 __u16 ctx_len; 239}; 240 241struct xfrm_user_tmpl { 242 struct xfrm_id id; 243 __u16 family; 244 xfrm_address_t saddr; 245 __u32 reqid; 246 __u8 mode; 247 __u8 share; 248 __u8 optional; 249 __u32 aalgos; 250 __u32 ealgos; 251 __u32 calgos; 252}; 253 254struct xfrm_encap_tmpl { 255 __u16 encap_type; 256 __be16 encap_sport; 257 __be16 encap_dport; 258 xfrm_address_t encap_oa; 259}; 260 261/* AEVENT flags */ 262enum xfrm_ae_ftype_t { 263 XFRM_AE_UNSPEC, 264 XFRM_AE_RTHR=1, /* replay threshold*/ 265 XFRM_AE_RVAL=2, /* replay value */ 266 XFRM_AE_LVAL=4, /* lifetime value */ 267 XFRM_AE_ETHR=8, /* expiry timer threshold */ 268 XFRM_AE_CR=16, /* Event cause is replay update */ 269 XFRM_AE_CE=32, /* Event cause is timer expiry */ 270 XFRM_AE_CU=64, /* Event cause is policy update */ 271 __XFRM_AE_MAX 272 273#define XFRM_AE_MAX (__XFRM_AE_MAX - 1) 274}; 275 276struct xfrm_userpolicy_type { 277 __u8 type; 278 __u16 reserved1; 279 __u8 reserved2; 280}; 281 282/* Netlink message attributes. */ 283enum xfrm_attr_type_t { 284 XFRMA_UNSPEC, 285 XFRMA_ALG_AUTH, /* struct xfrm_algo */ 286 XFRMA_ALG_CRYPT, /* struct xfrm_algo */ 287 XFRMA_ALG_COMP, /* struct xfrm_algo */ 288 XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ 289 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ 290 XFRMA_SA, /* struct xfrm_usersa_info */ 291 XFRMA_POLICY, /*struct xfrm_userpolicy_info */ 292 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ 293 XFRMA_LTIME_VAL, 294 XFRMA_REPLAY_VAL, 295 XFRMA_REPLAY_THRESH, 296 XFRMA_ETIMER_THRESH, 297 XFRMA_SRCADDR, /* xfrm_address_t */ 298 XFRMA_COADDR, /* xfrm_address_t */ 299 XFRMA_LASTUSED, /* unsigned long */ 300 XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ 301 XFRMA_MIGRATE, 302 XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ 303 XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ 304 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ 305 XFRMA_MARK, /* struct xfrm_mark */ 306 XFRMA_TFCPAD, /* __u32 */ 307 XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_state_esn */ 308 XFRMA_SA_EXTRA_FLAGS, /* __u32 */ 309 XFRMA_PROTO, /* __u8 */ 310 XFRMA_ADDRESS_FILTER, /* struct xfrm_address_filter */ 311 XFRMA_PAD, 312 XFRMA_OFFLOAD_DEV, /* struct xfrm_user_offload */ 313 XFRMA_SET_MARK, /* __u32 */ 314 XFRMA_SET_MARK_MASK, /* __u32 */ 315 XFRMA_IF_ID, /* __u32 */ 316 XFRMA_MTIMER_THRESH, /* __u32 in seconds for input SA */ 317 __XFRMA_MAX 318 319#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */ 320#define XFRMA_MAX (__XFRMA_MAX - 1) 321}; 322 323struct xfrm_mark { 324 __u32 v; /* value */ 325 __u32 m; /* mask */ 326}; 327 328enum xfrm_sadattr_type_t { 329 XFRMA_SAD_UNSPEC, 330 XFRMA_SAD_CNT, 331 XFRMA_SAD_HINFO, 332 __XFRMA_SAD_MAX 333 334#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1) 335}; 336 337struct xfrmu_sadhinfo { 338 __u32 sadhcnt; /* current hash bkts */ 339 __u32 sadhmcnt; /* max allowed hash bkts */ 340}; 341 342enum xfrm_spdattr_type_t { 343 XFRMA_SPD_UNSPEC, 344 XFRMA_SPD_INFO, 345 XFRMA_SPD_HINFO, 346 XFRMA_SPD_IPV4_HTHRESH, 347 XFRMA_SPD_IPV6_HTHRESH, 348 __XFRMA_SPD_MAX 349 350#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1) 351}; 352 353struct xfrmu_spdinfo { 354 __u32 incnt; 355 __u32 outcnt; 356 __u32 fwdcnt; 357 __u32 inscnt; 358 __u32 outscnt; 359 __u32 fwdscnt; 360}; 361 362struct xfrmu_spdhinfo { 363 __u32 spdhcnt; 364 __u32 spdhmcnt; 365}; 366 367struct xfrmu_spdhthresh { 368 __u8 lbits; 369 __u8 rbits; 370}; 371 372struct xfrm_usersa_info { 373 struct xfrm_selector sel; 374 struct xfrm_id id; 375 xfrm_address_t saddr; 376 struct xfrm_lifetime_cfg lft; 377 struct xfrm_lifetime_cur curlft; 378 struct xfrm_stats stats; 379 __u32 seq; 380 __u32 reqid; 381 __u16 family; 382 __u8 mode; /* XFRM_MODE_xxx */ 383 __u8 replay_window; 384 __u8 flags; 385#define XFRM_STATE_NOECN 1 386#define XFRM_STATE_DECAP_DSCP 2 387#define XFRM_STATE_NOPMTUDISC 4 388#define XFRM_STATE_WILDRECV 8 389#define XFRM_STATE_ICMP 16 390#define XFRM_STATE_AF_UNSPEC 32 391#define XFRM_STATE_ALIGN4 64 392#define XFRM_STATE_ESN 128 393}; 394 395#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1 396#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP 2 397 398struct xfrm_usersa_id { 399 xfrm_address_t daddr; 400 __be32 spi; 401 __u16 family; 402 __u8 proto; 403}; 404 405struct xfrm_aevent_id { 406 struct xfrm_usersa_id sa_id; 407 xfrm_address_t saddr; 408 __u32 flags; 409 __u32 reqid; 410}; 411 412struct xfrm_userspi_info { 413 struct xfrm_usersa_info info; 414 __u32 min; 415 __u32 max; 416}; 417 418struct xfrm_userpolicy_info { 419 struct xfrm_selector sel; 420 struct xfrm_lifetime_cfg lft; 421 struct xfrm_lifetime_cur curlft; 422 __u32 priority; 423 __u32 index; 424 __u8 dir; 425 __u8 action; 426#define XFRM_POLICY_ALLOW 0 427#define XFRM_POLICY_BLOCK 1 428 __u8 flags; 429#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ 430 /* Automatically expand selector to include matching ICMP payloads. */ 431#define XFRM_POLICY_ICMP 2 432 __u8 share; 433}; 434 435struct xfrm_userpolicy_id { 436 struct xfrm_selector sel; 437 __u32 index; 438 __u8 dir; 439}; 440 441struct xfrm_user_acquire { 442 struct xfrm_id id; 443 xfrm_address_t saddr; 444 struct xfrm_selector sel; 445 struct xfrm_userpolicy_info policy; 446 __u32 aalgos; 447 __u32 ealgos; 448 __u32 calgos; 449 __u32 seq; 450}; 451 452struct xfrm_user_expire { 453 struct xfrm_usersa_info state; 454 __u8 hard; 455}; 456 457struct xfrm_user_polexpire { 458 struct xfrm_userpolicy_info pol; 459 __u8 hard; 460}; 461 462struct xfrm_usersa_flush { 463 __u8 proto; 464}; 465 466struct xfrm_user_report { 467 __u8 proto; 468 struct xfrm_selector sel; 469}; 470 471/* Used by MIGRATE to pass addresses IKE should use to perform 472 * SA negotiation with the peer */ 473struct xfrm_user_kmaddress { 474 xfrm_address_t local; 475 xfrm_address_t remote; 476 __u32 reserved; 477 __u16 family; 478}; 479 480struct xfrm_user_migrate { 481 xfrm_address_t old_daddr; 482 xfrm_address_t old_saddr; 483 xfrm_address_t new_daddr; 484 xfrm_address_t new_saddr; 485 __u8 proto; 486 __u8 mode; 487 __u16 reserved; 488 __u32 reqid; 489 __u16 old_family; 490 __u16 new_family; 491}; 492 493struct xfrm_user_mapping { 494 struct xfrm_usersa_id id; 495 __u32 reqid; 496 xfrm_address_t old_saddr; 497 xfrm_address_t new_saddr; 498 __be16 old_sport; 499 __be16 new_sport; 500}; 501 502struct xfrm_address_filter { 503 xfrm_address_t saddr; 504 xfrm_address_t daddr; 505 __u16 family; 506 __u8 splen; 507 __u8 dplen; 508}; 509 510struct xfrm_user_offload { 511 int ifindex; 512 __u8 flags; 513}; 514/* This flag was exposed without any kernel code that supporting it. 515 * Unfortunately, strongswan has the code that uses sets this flag, 516 * which makes impossible to reuse this bit. 517 * 518 * So leave it here to make sure that it won't be reused by mistake. 519 */ 520#define XFRM_OFFLOAD_IPV6 1 521#define XFRM_OFFLOAD_INBOUND 2 522 523struct xfrm_userpolicy_default { 524#define XFRM_USERPOLICY_UNSPEC 0 525#define XFRM_USERPOLICY_BLOCK 1 526#define XFRM_USERPOLICY_ACCEPT 2 527 __u8 in; 528 __u8 fwd; 529 __u8 out; 530}; 531 532#ifndef __KERNEL__ 533/* backwards compatibility for userspace */ 534#define XFRMGRP_ACQUIRE 1 535#define XFRMGRP_EXPIRE 2 536#define XFRMGRP_SA 4 537#define XFRMGRP_POLICY 8 538#define XFRMGRP_REPORT 0x20 539#endif 540 541enum xfrm_nlgroups { 542 XFRMNLGRP_NONE, 543#define XFRMNLGRP_NONE XFRMNLGRP_NONE 544 XFRMNLGRP_ACQUIRE, 545#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE 546 XFRMNLGRP_EXPIRE, 547#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE 548 XFRMNLGRP_SA, 549#define XFRMNLGRP_SA XFRMNLGRP_SA 550 XFRMNLGRP_POLICY, 551#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY 552 XFRMNLGRP_AEVENTS, 553#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS 554 XFRMNLGRP_REPORT, 555#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT 556 XFRMNLGRP_MIGRATE, 557#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE 558 XFRMNLGRP_MAPPING, 559#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING 560 __XFRMNLGRP_MAX 561}; 562#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) 563 564#endif /* _LINUX_XFRM_H */