/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _NET_PFPOLICY_H
#define _NET_PFPOLICY_H
/*
* Definitions and structures for PF_POLICY version 1.
*
* This local protocol provides an interface allowing utilities to
* manage a system's IPsec System Policy Database; see RFC2401 for a
* conceptual overview of the SPD.
* The basic encoding is modelled on PF_KEY version 2; see pfkeyv2.h
* and RFC2367 for more information.
*/
#ifdef __cplusplus
extern "C" {
#endif
/*
* one of these, followed by some number of extensions. Each
* extension type appears at most once in a message. spd_msg_len
* contains the total length of the message including header.
*/
typedef struct spd_msg
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} spd_msg_u;
} spd_msg_t;
/*
* Command numbers, found in spd_msg_type.
*/
#define SPD_RESERVED 0
/*
* Well-known policy db instances, found in spd_msg_spdid
*/
/*
* The spd_msg_t is followed by extensions, which start with the
* following header; each extension structure includes the length and
* type fields internally as an overlay to simplify parsing and
* construction.
*/
typedef struct spd_ext
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} spd_ext_u;
} spd_ext_t;
/*
* Extension numbers, found in spd_ext_type.
*/
/*
* base policy rule (attributes which every rule has)
*
* spd_rule_index MBZ on a SPD_ADD, and is assigned by the kernel.
* subsequent deletes can operate either by specifying selectors or by
* specifying a non-zero rule index.
*/
struct spd_rule
{
};
/*
* Flags for spd_rule.spd_rule_flags
*/
/* Only applies to tunnel policy heads. */
/*
* Address selectors. Different from PF_KEY because we want a
*/
typedef struct spd_address {
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
/*
* .. followed by 4 bytes of IPv4 or 16 bytes of IPv6 address,
* padded up to next uint64_t
*/
#define spd_address_len \
#define spd_address_exttype \
#define spd_address_af \
#define spd_address_prefixlen \
#define spd_address_reserved2 \
/*
* Protocol selector
*/
struct spd_proto
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} spd_proto_u;
};
/*
* Port selector. We only support minport==maxport at present.
*/
struct spd_portrange
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
} spd_ports_u;
};
/*
* ICMP type selector.
*/
struct spd_typecode
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define spd_typecode_len \
#define spd_typecode_exttype \
#define spd_typecode_type \
#define spd_typecode_type_end \
#define spd_typecode_code \
#define spd_typecode_code_end \
};
/*
* Actions, specifying what happens to packets which match selectors.
* This extension is followed by some number of spd_attribute tag-value pairs
* which encode one or more alternative policies; see below for
* the encoding used.
*/
struct spd_ext_actions
{
/* Union is for guaranteeing 64-bit alignment. */
union {
struct {
#define spd_actions_len \
#define spd_actions_exttype \
#define spd_actions_count \
#define spd_actions_reserved \
};
/*
* Extensible encoding for requested SA attributes.
* To allow additional attributes to be added, we use a simple-to-interpret
* (tag, value) encoding to fill in attributes in a list of alternatives.
*
* We fill in alternatives one at a time, starting with most-preferred,
* proceeding to least-preferred.
*
* Conceptually, we are filling in attributes of a "template", and
* then copying that template value into the list of alternatives when
* we see a SPD_ATTR_END or SPD_ATTR_NEXT.
*
* The template is not changed by SPD_ATTR_NEXT, so that attributes common to
* all alternatives need only be mentioned once.
*
* spd_actions_count is the maximum number of alternatives present; it
* should be one greater than the number of SPD_ATTR_NEXT opcodes
* present in the sequence.
*/
struct spd_attribute
{
union {
struct {
};
/*
* These flags are used by the kernel algorithm structures and by ipsecalgs(1m).
* ALG_FLAG_KERNELCHECKED is used by ipsecalgs(1m) to tag ipsecalgent_t as
* kernel verified. ALG_FLAG_VALID is only meaningful if set by the kernel.
*/
/*
* An interface extension identifies a network interface.
* It is used for configuring Tunnel Mode policies on a tunnelling
* interface for now.
*/
typedef struct spd_if_s {
union {
struct {
union {
} spd_if_iu;
} spd_if_u;
} spd_if_t;
/*
* Minimum, maximum key lengths in bits.
*/
/*
* IPsec action types (in SPD_ATTR_TYPE attribute)
*/
/*
* Action flags (in SPD_ATTR_FLAGS attribute)
*/
/*
* SW crypto execution modes.
*/
/*
* SPD_DUMP protocol:
*
* We do not want to force an stack to have to read-lock the entire
* SPD for the duration of the dump, but we want management apps to be
* able to get a consistent snapshot of the SPD.
*
* Therefore, we make optimistic locking assumptions.
*
* The response to a SPD_DUMP request consists of multiple spd_msg
* records, all with spd_msg_type == SPD_DUMP and spd_msg_{seq,pid}
* matching the request.
*
* There is one header, then a sequence of policy rule records (one
* rule per record), then a trailer.
*
* The header and trailer both contain a single SPD_EXT_RULESET
* containing a version number and rule count. The dump was "good" if
* header version == trailer version, and the number of rules read by
* the application matches the rule count in the trailer. The rule
* count in the header is unused and should be set to zero.
*
* In between, each rule record contains a set of extensions which, if
* used in an SPD_ADD request, would recreate an equivalent rule.
*
* If rules were added to the SPD during the dump, the dump may be
* truncated or otherwise incomplete; the management application
* should re-try the dump in this case.
*/
/*
* Ruleset extension, used at the start and end of a SPD_DUMP.
*/
typedef struct spd_ruleset_ext
{
/*
* Diagnostic codes. These supplement error messages. Be sure to
* update libipsecutil's spdsock_diag() if you change any of these.
*/
#define SPD_DIAGNOSTIC_NONE 0
/*
* Helper macros.
*/
#ifdef __cplusplus
}
#endif
#endif /* _NET_PFPOLICY_H */