xfrm.h source code [linux/include/uapi/linux/xfrm.h]

1	/ SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note /
2	#ifndef _LINUX_XFRM_H
3	#define _LINUX_XFRM_H
4
5	#include <linux/in6.h>
6	#include <linux/types.h>
7	#include <linux/stddef.h>
8
9	/ All of the structures in this file may not change size as they are*
10	* passed into the kernel from userspace via netlink sockets.
11	*/
12
13	/ Structure to encapsulate addresses. I do not want to use*
14	* "standard" structure. My apologies.
15	*/
16	typedef union {
17	__be32 a4;
18	__be32 a6[`4`];
19	struct in6_addr in6;
20	} xfrm_address_t;
21
22	/ Ident of a specific xfrm_state. It is used on input to lookup*
23	* the state by (spi,daddr,ah/esp) or to store information about
24	* spi, protocol and tunnel address on output.
25	*/
26	struct xfrm_id {
27	xfrm_address_t daddr;
28	__be32 spi;
29	__u8 proto;
30	};
31
32	struct xfrm_sec_ctx {
33	__u8 ctx_doi;
34	__u8 ctx_alg;
35	__u16 ctx_len;
36	__u32 ctx_sid;
37	char ctx_str[] __counted_by(ctx_len);
38	};
39
40	/ Security Context Domains of Interpretation /
41	#define XFRM_SC_DOI_RESERVED 0
42	#define XFRM_SC_DOI_LSM 1
43
44	/ Security Context Algorithms /
45	#define XFRM_SC_ALG_RESERVED 0
46	#define XFRM_SC_ALG_SELINUX 1
47
48	/ Selector, used as selector both on policy rules (SPD) and SAs. /
49
50	struct xfrm_selector {
51	xfrm_address_t daddr;
52	xfrm_address_t saddr;
53	__be16 dport;
54	__be16 dport_mask;
55	__be16 sport;
56	__be16 sport_mask;
57	__u16 family;
58	__u8 prefixlen_d;
59	__u8 prefixlen_s;
60	__u8 proto;
61	int ifindex;
62	__kernel_uid32_t user;
63	};
64
65	#define XFRM_INF (~(__u64)0)
66
67	struct xfrm_lifetime_cfg {
68	__u64 soft_byte_limit;
69	__u64 hard_byte_limit;
70	__u64 soft_packet_limit;
71	__u64 hard_packet_limit;
72	__u64 soft_add_expires_seconds;
73	__u64 hard_add_expires_seconds;
74	__u64 soft_use_expires_seconds;
75	__u64 hard_use_expires_seconds;
76	};
77
78	struct xfrm_lifetime_cur {
79	__u64 bytes;
80	__u64 packets;
81	__u64 add_time;
82	__u64 use_time;
83	};
84
85	struct xfrm_replay_state {
86	__u32 oseq;
87	__u32 seq;
88	__u32 bitmap;
89	};
90
91	#define XFRMA_REPLAY_ESN_MAX 4096
92
93	struct xfrm_replay_state_esn {
94	unsigned int bmp_len;
95	__u32 oseq;
96	__u32 seq;
97	__u32 oseq_hi;
98	__u32 seq_hi;
99	__u32 replay_window;
100	__u32 bmp[];
101	};
102
103	struct xfrm_algo {
104	char alg_name[`64`];
105	unsigned int alg_key_len; / in bits /
106	char alg_key[];
107	};
108
109	struct xfrm_algo_auth {
110	char alg_name[`64`];
111	unsigned int alg_key_len; / in bits /
112	unsigned int alg_trunc_len; / in bits /
113	char alg_key[];
114	};
115
116	struct xfrm_algo_aead {
117	char alg_name[`64`];
118	unsigned int alg_key_len; / in bits /
119	unsigned int alg_icv_len; / in bits /
120	char alg_key[];
121	};
122
123	struct xfrm_stats {
124	__u32 replay_window;
125	__u32 replay;
126	__u32 integrity_failed;
127	};
128
129	enum {
130	XFRM_POLICY_TYPE_MAIN = `0`,
131	XFRM_POLICY_TYPE_SUB = `1`,
132	XFRM_POLICY_TYPE_MAX = `2`,
133	XFRM_POLICY_TYPE_ANY = `255`
134	};
135
136	enum {
137	XFRM_POLICY_IN = `0`,
138	XFRM_POLICY_OUT = `1`,
139	XFRM_POLICY_FWD = `2`,
140	XFRM_POLICY_MASK = `3`,
141	XFRM_POLICY_MAX = `3`
142	};
143
144	enum {
145	XFRM_SHARE_ANY, / No limitations /
146	XFRM_SHARE_SESSION, / For this session only /
147	XFRM_SHARE_USER, / For this user only /
148	XFRM_SHARE_UNIQUE / Use once /
149	};
150
151	#define XFRM_MODE_TRANSPORT 0
152	#define XFRM_MODE_TUNNEL 1
153	#define XFRM_MODE_ROUTEOPTIMIZATION 2
154	#define XFRM_MODE_IN_TRIGGER 3
155	#define XFRM_MODE_BEET 4
156	#define XFRM_MODE_MAX 5
157
158	/ Netlink configuration messages. /
159	enum {
160	XFRM_MSG_BASE = `0x10`,
161
162	XFRM_MSG_NEWSA = `0x10`,
163	#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
164	XFRM_MSG_DELSA,
165	#define XFRM_MSG_DELSA XFRM_MSG_DELSA
166	XFRM_MSG_GETSA,
167	#define XFRM_MSG_GETSA XFRM_MSG_GETSA
168
169	XFRM_MSG_NEWPOLICY,
170	#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
171	XFRM_MSG_DELPOLICY,
172	#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
173	XFRM_MSG_GETPOLICY,
174	#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
175
176	XFRM_MSG_ALLOCSPI,
177	#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
178	XFRM_MSG_ACQUIRE,
179	#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
180	XFRM_MSG_EXPIRE,
181	#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
182
183	XFRM_MSG_UPDPOLICY,
184	#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
185	XFRM_MSG_UPDSA,
186	#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
187
188	XFRM_MSG_POLEXPIRE,
189	#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
190
191	XFRM_MSG_FLUSHSA,
192	#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
193	XFRM_MSG_FLUSHPOLICY,
194	#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
195
196	XFRM_MSG_NEWAE,
197	#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
198	XFRM_MSG_GETAE,
199	#define XFRM_MSG_GETAE XFRM_MSG_GETAE
200
201	XFRM_MSG_REPORT,
202	#define XFRM_MSG_REPORT XFRM_MSG_REPORT
203
204	XFRM_MSG_MIGRATE,
205	#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE
206
207	XFRM_MSG_NEWSADINFO,
208	#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
209	XFRM_MSG_GETSADINFO,
210	#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
211
212	XFRM_MSG_NEWSPDINFO,
213	#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
214	XFRM_MSG_GETSPDINFO,
215	#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
216
217	XFRM_MSG_MAPPING,
218	#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
219
220	XFRM_MSG_SETDEFAULT,
221	#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
222	XFRM_MSG_GETDEFAULT,
223	#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
224	__XFRM_MSG_MAX
225	};
226	#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
227
228	#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
229
230	/*
231	* Generic LSM security context for comunicating to user space
232	* NOTE: Same format as sadb_x_sec_ctx
233	*/
234	struct xfrm_user_sec_ctx {
235	__u16 len;
236	__u16 exttype;
237	__u8 ctx_alg; / LSMs: e.g., selinux == 1 /
238	__u8 ctx_doi;
239	__u16 ctx_len;
240	};
241
242	struct xfrm_user_tmpl {
243	struct xfrm_id id;
244	__u16 family;
245	xfrm_address_t saddr;
246	__u32 reqid;
247	__u8 mode;
248	__u8 share;
249	__u8 optional;
250	__u32 aalgos;
251	__u32 ealgos;
252	__u32 calgos;
253	};
254
255	struct xfrm_encap_tmpl {
256	__u16 encap_type;
257	__be16 encap_sport;
258	__be16 encap_dport;
259	xfrm_address_t encap_oa;
260	};
261
262	/ AEVENT flags /
263	enum xfrm_ae_ftype_t {
264	XFRM_AE_UNSPEC,
265	XFRM_AE_RTHR=`1`, / replay threshold/
266	XFRM_AE_RVAL=`2`, / replay value /
267	XFRM_AE_LVAL=`4`, / lifetime value /
268	XFRM_AE_ETHR=`8`, / expiry timer threshold /
269	XFRM_AE_CR=`16`, / Event cause is replay update /
270	XFRM_AE_CE=`32`, / Event cause is timer expiry /
271	XFRM_AE_CU=`64`, / Event cause is policy update /
272	__XFRM_AE_MAX
273
274	#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
275	};
276
277	struct xfrm_userpolicy_type {
278	__u8 type;
279	__u16 reserved1;
280	__u8 reserved2;
281	};
282
283	/ Netlink message attributes. /
284	enum xfrm_attr_type_t {
285	XFRMA_UNSPEC,
286	XFRMA_ALG_AUTH, / struct xfrm_algo /
287	XFRMA_ALG_CRYPT, / struct xfrm_algo /
288	XFRMA_ALG_COMP, / struct xfrm_algo /
289	XFRMA_ENCAP, / struct xfrm_algo + struct xfrm_encap_tmpl /
290	XFRMA_TMPL, / 1 or more struct xfrm_user_tmpl /
291	XFRMA_SA, / struct xfrm_usersa_info /
292	XFRMA_POLICY, /struct xfrm_userpolicy_info /
293	XFRMA_SEC_CTX, / struct xfrm_sec_ctx /
294	XFRMA_LTIME_VAL,
295	XFRMA_REPLAY_VAL,
296	XFRMA_REPLAY_THRESH,
297	XFRMA_ETIMER_THRESH,
298	XFRMA_SRCADDR, / xfrm_address_t /
299	XFRMA_COADDR, / xfrm_address_t /
300	XFRMA_LASTUSED, / __u64 /
301	XFRMA_POLICY_TYPE, / struct xfrm_userpolicy_type /
302	XFRMA_MIGRATE,
303	XFRMA_ALG_AEAD, / struct xfrm_algo_aead /
304	XFRMA_KMADDRESS, / struct xfrm_user_kmaddress /
305	XFRMA_ALG_AUTH_TRUNC, / struct xfrm_algo_auth /
306	XFRMA_MARK, / struct xfrm_mark /
307	XFRMA_TFCPAD, / __u32 /
308	XFRMA_REPLAY_ESN_VAL, / struct xfrm_replay_state_esn /
309	XFRMA_SA_EXTRA_FLAGS, / __u32 /
310	XFRMA_PROTO, / __u8 /
311	XFRMA_ADDRESS_FILTER, / struct xfrm_address_filter /
312	XFRMA_PAD,
313	XFRMA_OFFLOAD_DEV, / struct xfrm_user_offload /
314	XFRMA_SET_MARK, / __u32 /
315	XFRMA_SET_MARK_MASK, / __u32 /
316	XFRMA_IF_ID, / __u32 /
317	XFRMA_MTIMER_THRESH, / __u32 in seconds for input SA /
318	__XFRMA_MAX
319
320	#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */
321	#define XFRMA_MAX (__XFRMA_MAX - 1)
322	};
323
324	struct xfrm_mark {
325	__u32 v; / value /
326	__u32 m; / mask /
327	};
328
329	enum xfrm_sadattr_type_t {
330	XFRMA_SAD_UNSPEC,
331	XFRMA_SAD_CNT,
332	XFRMA_SAD_HINFO,
333	__XFRMA_SAD_MAX
334
335	#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
336	};
337
338	struct xfrmu_sadhinfo {
339	__u32 sadhcnt; / current hash bkts /
340	__u32 sadhmcnt; / max allowed hash bkts /
341	};
342
343	enum xfrm_spdattr_type_t {
344	XFRMA_SPD_UNSPEC,
345	XFRMA_SPD_INFO,
346	XFRMA_SPD_HINFO,
347	XFRMA_SPD_IPV4_HTHRESH,
348	XFRMA_SPD_IPV6_HTHRESH,
349	__XFRMA_SPD_MAX
350
351	#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
352	};
353
354	struct xfrmu_spdinfo {
355	__u32 incnt;
356	__u32 outcnt;
357	__u32 fwdcnt;
358	__u32 inscnt;
359	__u32 outscnt;
360	__u32 fwdscnt;
361	};
362
363	struct xfrmu_spdhinfo {
364	__u32 spdhcnt;
365	__u32 spdhmcnt;
366	};
367
368	struct xfrmu_spdhthresh {
369	__u8 lbits;
370	__u8 rbits;
371	};
372
373	struct xfrm_usersa_info {
374	struct xfrm_selector sel;
375	struct xfrm_id id;
376	xfrm_address_t saddr;
377	struct xfrm_lifetime_cfg lft;
378	struct xfrm_lifetime_cur curlft;
379	struct xfrm_stats stats;
380	__u32 seq;
381	__u32 reqid;
382	__u16 family;
383	__u8 mode; / XFRM_MODE_xxx /
384	__u8 replay_window;
385	__u8 flags;
386	#define XFRM_STATE_NOECN 1
387	#define XFRM_STATE_DECAP_DSCP 2
388	#define XFRM_STATE_NOPMTUDISC 4
389	#define XFRM_STATE_WILDRECV 8
390	#define XFRM_STATE_ICMP 16
391	#define XFRM_STATE_AF_UNSPEC 32
392	#define XFRM_STATE_ALIGN4 64
393	#define XFRM_STATE_ESN 128
394	};
395
396	#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
397	#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP 2
398
399	struct xfrm_usersa_id {
400	xfrm_address_t daddr;
401	__be32 spi;
402	__u16 family;
403	__u8 proto;
404	};
405
406	struct xfrm_aevent_id {
407	struct xfrm_usersa_id sa_id;
408	xfrm_address_t saddr;
409	__u32 flags;
410	__u32 reqid;
411	};
412
413	struct xfrm_userspi_info {
414	struct xfrm_usersa_info info;
415	__u32 min;
416	__u32 max;
417	};
418
419	struct xfrm_userpolicy_info {
420	struct xfrm_selector sel;
421	struct xfrm_lifetime_cfg lft;
422	struct xfrm_lifetime_cur curlft;
423	__u32 priority;
424	__u32 index;
425	__u8 dir;
426	__u8 action;
427	#define XFRM_POLICY_ALLOW 0
428	#define XFRM_POLICY_BLOCK 1
429	__u8 flags;
430	#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
431	/ Automatically expand selector to include matching ICMP payloads. /
432	#define XFRM_POLICY_ICMP 2
433	__u8 share;
434	};
435
436	struct xfrm_userpolicy_id {
437	struct xfrm_selector sel;
438	__u32 index;
439	__u8 dir;
440	};
441
442	struct xfrm_user_acquire {
443	struct xfrm_id id;
444	xfrm_address_t saddr;
445	struct xfrm_selector sel;
446	struct xfrm_userpolicy_info policy;
447	__u32 aalgos;
448	__u32 ealgos;
449	__u32 calgos;
450	__u32 seq;
451	};
452
453	struct xfrm_user_expire {
454	struct xfrm_usersa_info state;
455	__u8 hard;
456	};
457
458	struct xfrm_user_polexpire {
459	struct xfrm_userpolicy_info pol;
460	__u8 hard;
461	};
462
463	struct xfrm_usersa_flush {
464	__u8 proto;
465	};
466
467	struct xfrm_user_report {
468	__u8 proto;
469	struct xfrm_selector sel;
470	};
471
472	/ Used by MIGRATE to pass addresses IKE should use to perform*
473	* SA negotiation with the peer */
474	struct xfrm_user_kmaddress {
475	xfrm_address_t local;
476	xfrm_address_t remote;
477	__u32 reserved;
478	__u16 family;
479	};
480
481	struct xfrm_user_migrate {
482	xfrm_address_t old_daddr;
483	xfrm_address_t old_saddr;
484	xfrm_address_t new_daddr;
485	xfrm_address_t new_saddr;
486	__u8 proto;
487	__u8 mode;
488	__u16 reserved;
489	__u32 reqid;
490	__u16 old_family;
491	__u16 new_family;
492	};
493
494	struct xfrm_user_mapping {
495	struct xfrm_usersa_id id;
496	__u32 reqid;
497	xfrm_address_t old_saddr;
498	xfrm_address_t new_saddr;
499	__be16 old_sport;
500	__be16 new_sport;
501	};
502
503	struct xfrm_address_filter {
504	xfrm_address_t saddr;
505	xfrm_address_t daddr;
506	__u16 family;
507	__u8 splen;
508	__u8 dplen;
509	};
510
511	struct xfrm_user_offload {
512	int ifindex;
513	__u8 flags;
514	};
515	/ This flag was exposed without any kernel code that supports it.*
516	* Unfortunately, strongswan has the code that sets this flag,
517	* which makes it impossible to reuse this bit.
518	*
519	* So leave it here to make sure that it won't be reused by mistake.
520	*/
521	#define XFRM_OFFLOAD_IPV6 1
522	#define XFRM_OFFLOAD_INBOUND 2
523	/ Two bits above are relevant for state path only, while*
524	* offload is used for both policy and state flows.
525	*
526	* In policy offload mode, they are free and can be safely reused.
527	*/
528	#define XFRM_OFFLOAD_PACKET 4
529
530	struct xfrm_userpolicy_default {
531	#define XFRM_USERPOLICY_UNSPEC 0
532	#define XFRM_USERPOLICY_BLOCK 1
533	#define XFRM_USERPOLICY_ACCEPT 2
534	__u8 in;
535	__u8 fwd;
536	__u8 out;
537	};
538
539	#ifndef __KERNEL__
540	/ backwards compatibility for userspace /
541	#define XFRMGRP_ACQUIRE 1
542	#define XFRMGRP_EXPIRE 2
543	#define XFRMGRP_SA 4
544	#define XFRMGRP_POLICY 8
545	#define XFRMGRP_REPORT 0x20
546	#endif
547
548	enum xfrm_nlgroups {
549	XFRMNLGRP_NONE,
550	#define XFRMNLGRP_NONE XFRMNLGRP_NONE
551	XFRMNLGRP_ACQUIRE,
552	#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
553	XFRMNLGRP_EXPIRE,
554	#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
555	XFRMNLGRP_SA,
556	#define XFRMNLGRP_SA XFRMNLGRP_SA
557	XFRMNLGRP_POLICY,
558	#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
559	XFRMNLGRP_AEVENTS,
560	#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
561	XFRMNLGRP_REPORT,
562	#define XFRMNLGRP_REPORT XFRMNLGRP_REPORT
563	XFRMNLGRP_MIGRATE,
564	#define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE
565	XFRMNLGRP_MAPPING,
566	#define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING
567	__XFRMNLGRP_MAX
568	};
569	#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
570
571	#endif /* _LINUX_XFRM_H */
572

source code of linux/include/uapi/linux/xfrm.h