1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2#ifndef _LINUX_XFRM_H
3#define _LINUX_XFRM_H
4
5#include <linux/in6.h>
6#include <linux/types.h>
7
8/* All of the structures in this file may not change size as they are
9 * passed into the kernel from userspace via netlink sockets.
10 */
11
12/* Structure to encapsulate addresses. I do not want to use
13 * "standard" structure. My apologies.
14 */
15typedef union {
16 __be32 a4;
17 __be32 a6[4];
18 struct in6_addr in6;
19} xfrm_address_t;
20
21/* Ident of a specific xfrm_state. It is used on input to lookup
22 * the state by (spi,daddr,ah/esp) or to store information about
23 * spi, protocol and tunnel address on output.
24 */
25struct xfrm_id {
26 xfrm_address_t daddr;
27 __be32 spi;
28 __u8 proto;
29};
30
31struct xfrm_sec_ctx {
32 __u8 ctx_doi;
33 __u8 ctx_alg;
34 __u16 ctx_len;
35 __u32 ctx_sid;
36 char ctx_str[];
37};
38
39/* Security Context Domains of Interpretation */
40#define XFRM_SC_DOI_RESERVED 0
41#define XFRM_SC_DOI_LSM 1
42
43/* Security Context Algorithms */
44#define XFRM_SC_ALG_RESERVED 0
45#define XFRM_SC_ALG_SELINUX 1
46
47/* Selector, used as selector both on policy rules (SPD) and SAs. */
48
49struct xfrm_selector {
50 xfrm_address_t daddr;
51 xfrm_address_t saddr;
52 __be16 dport;
53 __be16 dport_mask;
54 __be16 sport;
55 __be16 sport_mask;
56 __u16 family;
57 __u8 prefixlen_d;
58 __u8 prefixlen_s;
59 __u8 proto;
60 int ifindex;
61 __kernel_uid32_t user;
62};
63
64#define XFRM_INF (~(__u64)0)
65
66struct xfrm_lifetime_cfg {
67 __u64 soft_byte_limit;
68 __u64 hard_byte_limit;
69 __u64 soft_packet_limit;
70 __u64 hard_packet_limit;
71 __u64 soft_add_expires_seconds;
72 __u64 hard_add_expires_seconds;
73 __u64 soft_use_expires_seconds;
74 __u64 hard_use_expires_seconds;
75};
76
77struct xfrm_lifetime_cur {
78 __u64 bytes;
79 __u64 packets;
80 __u64 add_time;
81 __u64 use_time;
82};
83
84struct xfrm_replay_state {
85 __u32 oseq;
86 __u32 seq;
87 __u32 bitmap;
88};
89
90#define XFRMA_REPLAY_ESN_MAX 4096
91
92struct xfrm_replay_state_esn {
93 unsigned int bmp_len;
94 __u32 oseq;
95 __u32 seq;
96 __u32 oseq_hi;
97 __u32 seq_hi;
98 __u32 replay_window;
99 __u32 bmp[];
100};
101
102struct xfrm_algo {
103 char alg_name[64];
104 unsigned int alg_key_len; /* in bits */
105 char alg_key[];
106};
107
108struct xfrm_algo_auth {
109 char alg_name[64];
110 unsigned int alg_key_len; /* in bits */
111 unsigned int alg_trunc_len; /* in bits */
112 char alg_key[];
113};
114
115struct xfrm_algo_aead {
116 char alg_name[64];
117 unsigned int alg_key_len; /* in bits */
118 unsigned int alg_icv_len; /* in bits */
119 char alg_key[];
120};
121
122struct xfrm_stats {
123 __u32 replay_window;
124 __u32 replay;
125 __u32 integrity_failed;
126};
127
128enum {
129 XFRM_POLICY_TYPE_MAIN = 0,
130 XFRM_POLICY_TYPE_SUB = 1,
131 XFRM_POLICY_TYPE_MAX = 2,
132 XFRM_POLICY_TYPE_ANY = 255
133};
134
135enum {
136 XFRM_POLICY_IN = 0,
137 XFRM_POLICY_OUT = 1,
138 XFRM_POLICY_FWD = 2,
139 XFRM_POLICY_MASK = 3,
140 XFRM_POLICY_MAX = 3
141};
142
143enum {
144 XFRM_SHARE_ANY, /* No limitations */
145 XFRM_SHARE_SESSION, /* For this session only */
146 XFRM_SHARE_USER, /* For this user only */
147 XFRM_SHARE_UNIQUE /* Use once */
148};
149
150#define XFRM_MODE_TRANSPORT 0
151#define XFRM_MODE_TUNNEL 1
152#define XFRM_MODE_ROUTEOPTIMIZATION 2
153#define XFRM_MODE_IN_TRIGGER 3
154#define XFRM_MODE_BEET 4
155#define XFRM_MODE_MAX 5
156
157/* Netlink configuration messages. */
158enum {
159 XFRM_MSG_BASE = 0x10,
160
161 XFRM_MSG_NEWSA = 0x10,
162#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
163 XFRM_MSG_DELSA,
164#define XFRM_MSG_DELSA XFRM_MSG_DELSA
165 XFRM_MSG_GETSA,
166#define XFRM_MSG_GETSA XFRM_MSG_GETSA
167
168 XFRM_MSG_NEWPOLICY,
169#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
170 XFRM_MSG_DELPOLICY,
171#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
172 XFRM_MSG_GETPOLICY,
173#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
174
175 XFRM_MSG_ALLOCSPI,
176#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
177 XFRM_MSG_ACQUIRE,
178#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
179 XFRM_MSG_EXPIRE,
180#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
181
182 XFRM_MSG_UPDPOLICY,
183#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
184 XFRM_MSG_UPDSA,
185#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
186
187 XFRM_MSG_POLEXPIRE,
188#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
189
190 XFRM_MSG_FLUSHSA,
191#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
192 XFRM_MSG_FLUSHPOLICY,
193#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
194
195 XFRM_MSG_NEWAE,
196#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
197 XFRM_MSG_GETAE,
198#define XFRM_MSG_GETAE XFRM_MSG_GETAE
199
200 XFRM_MSG_REPORT,
201#define XFRM_MSG_REPORT XFRM_MSG_REPORT
202
203 XFRM_MSG_MIGRATE,
204#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE
205
206 XFRM_MSG_NEWSADINFO,
207#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
208 XFRM_MSG_GETSADINFO,
209#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
210
211 XFRM_MSG_NEWSPDINFO,
212#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
213 XFRM_MSG_GETSPDINFO,
214#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
215
216 XFRM_MSG_MAPPING,
217#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
218
219 XFRM_MSG_SETDEFAULT,
220#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
221 XFRM_MSG_GETDEFAULT,
222#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
223 __XFRM_MSG_MAX
224};
225#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
226
227#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
228
229/*
230 * Generic LSM security context for comunicating to user space
231 * NOTE: Same format as sadb_x_sec_ctx
232 */
233struct xfrm_user_sec_ctx {
234 __u16 len;
235 __u16 exttype;
236 __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
237 __u8 ctx_doi;
238 __u16 ctx_len;
239};
240
241struct xfrm_user_tmpl {
242 struct xfrm_id id;
243 __u16 family;
244 xfrm_address_t saddr;
245 __u32 reqid;
246 __u8 mode;
247 __u8 share;
248 __u8 optional;
249 __u32 aalgos;
250 __u32 ealgos;
251 __u32 calgos;
252};
253
254struct xfrm_encap_tmpl {
255 __u16 encap_type;
256 __be16 encap_sport;
257 __be16 encap_dport;
258 xfrm_address_t encap_oa;
259};
260
261/* AEVENT flags */
262enum xfrm_ae_ftype_t {
263 XFRM_AE_UNSPEC,
264 XFRM_AE_RTHR=1, /* replay threshold*/
265 XFRM_AE_RVAL=2, /* replay value */
266 XFRM_AE_LVAL=4, /* lifetime value */
267 XFRM_AE_ETHR=8, /* expiry timer threshold */
268 XFRM_AE_CR=16, /* Event cause is replay update */
269 XFRM_AE_CE=32, /* Event cause is timer expiry */
270 XFRM_AE_CU=64, /* Event cause is policy update */
271 __XFRM_AE_MAX
272
273#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
274};
275
276struct xfrm_userpolicy_type {
277 __u8 type;
278 __u16 reserved1;
279 __u8 reserved2;
280};
281
282/* Netlink message attributes. */
283enum xfrm_attr_type_t {
284 XFRMA_UNSPEC,
285 XFRMA_ALG_AUTH, /* struct xfrm_algo */
286 XFRMA_ALG_CRYPT, /* struct xfrm_algo */
287 XFRMA_ALG_COMP, /* struct xfrm_algo */
288 XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
289 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
290 XFRMA_SA, /* struct xfrm_usersa_info */
291 XFRMA_POLICY, /*struct xfrm_userpolicy_info */
292 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
293 XFRMA_LTIME_VAL,
294 XFRMA_REPLAY_VAL,
295 XFRMA_REPLAY_THRESH,
296 XFRMA_ETIMER_THRESH,
297 XFRMA_SRCADDR, /* xfrm_address_t */
298 XFRMA_COADDR, /* xfrm_address_t */
299 XFRMA_LASTUSED, /* unsigned long */
300 XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */
301 XFRMA_MIGRATE,
302 XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */
303 XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */
304 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
305 XFRMA_MARK, /* struct xfrm_mark */
306 XFRMA_TFCPAD, /* __u32 */
307 XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_state_esn */
308 XFRMA_SA_EXTRA_FLAGS, /* __u32 */
309 XFRMA_PROTO, /* __u8 */
310 XFRMA_ADDRESS_FILTER, /* struct xfrm_address_filter */
311 XFRMA_PAD,
312 XFRMA_OFFLOAD_DEV, /* struct xfrm_user_offload */
313 XFRMA_SET_MARK, /* __u32 */
314 XFRMA_SET_MARK_MASK, /* __u32 */
315 XFRMA_IF_ID, /* __u32 */
316 XFRMA_MTIMER_THRESH, /* __u32 in seconds for input SA */
317 __XFRMA_MAX
318
319#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */
320#define XFRMA_MAX (__XFRMA_MAX - 1)
321};
322
323struct xfrm_mark {
324 __u32 v; /* value */
325 __u32 m; /* mask */
326};
327
328enum xfrm_sadattr_type_t {
329 XFRMA_SAD_UNSPEC,
330 XFRMA_SAD_CNT,
331 XFRMA_SAD_HINFO,
332 __XFRMA_SAD_MAX
333
334#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
335};
336
337struct xfrmu_sadhinfo {
338 __u32 sadhcnt; /* current hash bkts */
339 __u32 sadhmcnt; /* max allowed hash bkts */
340};
341
342enum xfrm_spdattr_type_t {
343 XFRMA_SPD_UNSPEC,
344 XFRMA_SPD_INFO,
345 XFRMA_SPD_HINFO,
346 XFRMA_SPD_IPV4_HTHRESH,
347 XFRMA_SPD_IPV6_HTHRESH,
348 __XFRMA_SPD_MAX
349
350#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
351};
352
353struct xfrmu_spdinfo {
354 __u32 incnt;
355 __u32 outcnt;
356 __u32 fwdcnt;
357 __u32 inscnt;
358 __u32 outscnt;
359 __u32 fwdscnt;
360};
361
362struct xfrmu_spdhinfo {
363 __u32 spdhcnt;
364 __u32 spdhmcnt;
365};
366
367struct xfrmu_spdhthresh {
368 __u8 lbits;
369 __u8 rbits;
370};
371
372struct xfrm_usersa_info {
373 struct xfrm_selector sel;
374 struct xfrm_id id;
375 xfrm_address_t saddr;
376 struct xfrm_lifetime_cfg lft;
377 struct xfrm_lifetime_cur curlft;
378 struct xfrm_stats stats;
379 __u32 seq;
380 __u32 reqid;
381 __u16 family;
382 __u8 mode; /* XFRM_MODE_xxx */
383 __u8 replay_window;
384 __u8 flags;
385#define XFRM_STATE_NOECN 1
386#define XFRM_STATE_DECAP_DSCP 2
387#define XFRM_STATE_NOPMTUDISC 4
388#define XFRM_STATE_WILDRECV 8
389#define XFRM_STATE_ICMP 16
390#define XFRM_STATE_AF_UNSPEC 32
391#define XFRM_STATE_ALIGN4 64
392#define XFRM_STATE_ESN 128
393};
394
395#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
396#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP 2
397
398struct xfrm_usersa_id {
399 xfrm_address_t daddr;
400 __be32 spi;
401 __u16 family;
402 __u8 proto;
403};
404
405struct xfrm_aevent_id {
406 struct xfrm_usersa_id sa_id;
407 xfrm_address_t saddr;
408 __u32 flags;
409 __u32 reqid;
410};
411
412struct xfrm_userspi_info {
413 struct xfrm_usersa_info info;
414 __u32 min;
415 __u32 max;
416};
417
418struct xfrm_userpolicy_info {
419 struct xfrm_selector sel;
420 struct xfrm_lifetime_cfg lft;
421 struct xfrm_lifetime_cur curlft;
422 __u32 priority;
423 __u32 index;
424 __u8 dir;
425 __u8 action;
426#define XFRM_POLICY_ALLOW 0
427#define XFRM_POLICY_BLOCK 1
428 __u8 flags;
429#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
430 /* Automatically expand selector to include matching ICMP payloads. */
431#define XFRM_POLICY_ICMP 2
432 __u8 share;
433};
434
435struct xfrm_userpolicy_id {
436 struct xfrm_selector sel;
437 __u32 index;
438 __u8 dir;
439};
440
441struct xfrm_user_acquire {
442 struct xfrm_id id;
443 xfrm_address_t saddr;
444 struct xfrm_selector sel;
445 struct xfrm_userpolicy_info policy;
446 __u32 aalgos;
447 __u32 ealgos;
448 __u32 calgos;
449 __u32 seq;
450};
451
452struct xfrm_user_expire {
453 struct xfrm_usersa_info state;
454 __u8 hard;
455};
456
457struct xfrm_user_polexpire {
458 struct xfrm_userpolicy_info pol;
459 __u8 hard;
460};
461
462struct xfrm_usersa_flush {
463 __u8 proto;
464};
465
466struct xfrm_user_report {
467 __u8 proto;
468 struct xfrm_selector sel;
469};
470
471/* Used by MIGRATE to pass addresses IKE should use to perform
472 * SA negotiation with the peer */
473struct xfrm_user_kmaddress {
474 xfrm_address_t local;
475 xfrm_address_t remote;
476 __u32 reserved;
477 __u16 family;
478};
479
480struct xfrm_user_migrate {
481 xfrm_address_t old_daddr;
482 xfrm_address_t old_saddr;
483 xfrm_address_t new_daddr;
484 xfrm_address_t new_saddr;
485 __u8 proto;
486 __u8 mode;
487 __u16 reserved;
488 __u32 reqid;
489 __u16 old_family;
490 __u16 new_family;
491};
492
493struct xfrm_user_mapping {
494 struct xfrm_usersa_id id;
495 __u32 reqid;
496 xfrm_address_t old_saddr;
497 xfrm_address_t new_saddr;
498 __be16 old_sport;
499 __be16 new_sport;
500};
501
502struct xfrm_address_filter {
503 xfrm_address_t saddr;
504 xfrm_address_t daddr;
505 __u16 family;
506 __u8 splen;
507 __u8 dplen;
508};
509
510struct xfrm_user_offload {
511 int ifindex;
512 __u8 flags;
513};
514/* This flag was exposed without any kernel code that supports it.
515 * Unfortunately, strongswan has the code that sets this flag,
516 * which makes it impossible to reuse this bit.
517 *
518 * So leave it here to make sure that it won't be reused by mistake.
519 */
520#define XFRM_OFFLOAD_IPV6 1
521#define XFRM_OFFLOAD_INBOUND 2
522
523struct xfrm_userpolicy_default {
524#define XFRM_USERPOLICY_UNSPEC 0
525#define XFRM_USERPOLICY_BLOCK 1
526#define XFRM_USERPOLICY_ACCEPT 2
527 __u8 in;
528 __u8 fwd;
529 __u8 out;
530};
531
532#ifndef __KERNEL__
533/* backwards compatibility for userspace */
534#define XFRMGRP_ACQUIRE 1
535#define XFRMGRP_EXPIRE 2
536#define XFRMGRP_SA 4
537#define XFRMGRP_POLICY 8
538#define XFRMGRP_REPORT 0x20
539#endif
540
541enum xfrm_nlgroups {
542 XFRMNLGRP_NONE,
543#define XFRMNLGRP_NONE XFRMNLGRP_NONE
544 XFRMNLGRP_ACQUIRE,
545#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
546 XFRMNLGRP_EXPIRE,
547#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
548 XFRMNLGRP_SA,
549#define XFRMNLGRP_SA XFRMNLGRP_SA
550 XFRMNLGRP_POLICY,
551#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
552 XFRMNLGRP_AEVENTS,
553#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
554 XFRMNLGRP_REPORT,
555#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
556 XFRMNLGRP_MIGRATE,
557#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
558 XFRMNLGRP_MAPPING,
559#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING
560 __XFRMNLGRP_MAX
561};
562#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
563
564#endif /* _LINUX_XFRM_H */
565

source code of linux/include/uapi/linux/xfrm.h