1 /*	$NetBSD: policy.h,v 1.3 2005/11/21 14:20:29 manu Exp $	*/
2 
3 /* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _POLICY_H
35 #define _POLICY_H
36 
37 #include <sys/queue.h>
38 
39 /* refs. ipsec.h */
/*
 * Security Policy Index
 * NOTE: src and dst must be of the same address family and upper layer protocol.
 * NOTE: ul_proto, port number, uid, gid:
 *	ANY: reserved for wildcard.
 *	0 to (~0 - 1): one specific value of that field.
 */
/*
 * Selector of one Security Policy.  Filled in by KEY_SETSECSPIDX() below and
 * taken by cmpspidxstrict() / cmpspidxwild() / getsp() declared at the end
 * of this header.  Only ul_proto acts as an upper-layer selector: the
 * structure carries no port, uid or gid fields.
 */
struct policyindex {
	u_int8_t dir;			/* direction of packet flow (IPSEC_DIR_*, see ipsec.h) */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
					/* NOTE(review): nothing in this header bounds
					 * prefs/prefd to the address width of the
					 * family held in src/dst; callers must
					 * validate them before use. */
	u_int16_t ul_proto;		/* upper layer protocol */
	u_int32_t priority;		/* priority for the policy; set by
					 * KEY_SETSECSPIDX() only when
					 * HAVE_PFKEY_POLICY_PRIORITY is defined,
					 * otherwise left at the zero written by
					 * its bzero() */
};
56 
57 /* Security Policy Data Base */
/*
 * One entry of the Security Policy Database.  See newsp(), inssp(), remsp()
 * and delsp() declared at the end of this header for its life cycle.
 */
struct secpolicy {
	TAILQ_ENTRY(secpolicy) chain;	/* list linkage (sys/queue.h) */

	struct policyindex spidx;	/* selector */
	u_int32_t id;			/* unique number on the system;
					 * the key looked up by getspbyspid() */

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* head of the ipsec request chain (linked via
				 * ipsecrequest.next) when policy == IPSEC,
				 * otherwise NULL. */
};
69 
/* Security Association Index */
/* NOTE: src and dst must be of the same address family */
/*
 * Identifies the SA an ipsecrequest wants; embedded as ipsecrequest.saidx
 * below.
 */
struct secasindex {
	struct sockaddr_storage src;	/* source address for SA */
	struct sockaddr_storage dst;	/* destination address for SA */
	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
	u_int8_t mode;			/* mode of protocol, see ipsec.h */
	u_int32_t reqid;		/* request id that owns this SA; */
					/* see IPSEC_MANUAL_REQID_MAX. */
};
80 
81 /* Request for IPsec */
/*
 * One element of a secpolicy's request chain; created by newipsecreq()
 * declared at the end of this header.
 */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to the next request in the chain; */
				/* NULL marks the end of the chain. */

	struct secasindex saidx;/* hint for finding a proper SA; */
				/* if __ss_len == 0 then no address is specified. */
	u_int level;		/* IPsec level; the level constants are not
				 * defined in this header (see ipsec.h). */

	struct secpolicy *sp;	/* back pointer to the owning SP */
};
93 
/*
 * KEY_SETSECSPIDX(): initialise the struct policyindex pointed to by idx
 * from its parts.
 *
 * Two variants with different arities are defined: with
 * HAVE_PFKEY_POLICY_PRIORITY the macro takes a _priority argument; without
 * it, idx->priority keeps the zero written by bzero().  Callers must use the
 * arity matching their build.
 *
 * The src/dst copies use sysdep_sa_len() of the source sockaddr as the
 * memcpy() length into the sockaddr_storage members.  Nothing here checks
 * that length against sizeof((idx)->src); the macro relies on s and d being
 * well-formed addresses no larger than struct sockaddr_storage.  Because of
 * the leading bzero(), the uncopied tail of src/dst is zero.
 *
 * bzero(), memcpy() and sysdep_sa_len() are not declared by this header;
 * the including file must provide them.
 */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, idx)              \
do {                                                                         \
	bzero((idx), sizeof(struct policyindex));                            \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	(idx)->priority = (_priority);                                        \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#else
/* Same as above, without the _priority argument. */
#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx)              \
do {                                                                         \
	bzero((idx), sizeof(struct policyindex));                            \
	(idx)->dir = (_dir);                                                 \
	(idx)->prefs = (ps);                                                 \
	(idx)->prefd = (pd);                                                 \
	(idx)->ul_proto = (ulp);                                             \
	memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s)));          \
	memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d)));          \
} while (0)
#endif
118 
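/* Opaque here; only referenced by pointer by the API below. */
struct ph2handle;
/* Redundant forward declaration: struct policyindex is fully defined above. */
struct policyindex;

/*
 * SPD access API.  All declarations use the __P() compatibility wrapper and
 * are marked extern for consistency (getspbyspid() previously lacked it,
 * which is equivalent for a function declaration but inconsistent).
 * The one-line summaries follow the function names; confirm the exact
 * matching and ownership rules against the implementing .c file.
 */
extern struct secpolicy *getsp __P((struct policyindex *));	/* find the SP for a selector */
extern struct secpolicy *getsp_r __P((struct policyindex *));	/* getsp() variant; its matching rule is not visible here */
extern struct secpolicy *getspbyspid __P((u_int32_t));		/* find the SP whose secpolicy.id matches */
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));	/* compare two selectors strictly; result convention not visible here */
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));	/* compare two selectors allowing wildcards */
extern struct secpolicy *newsp __P((void));		/* allocate an empty secpolicy */
extern void delsp __P((struct secpolicy *));		/* release a secpolicy */
extern void delsp_bothdir __P((struct policyindex *));	/* presumably deletes the SPs of both directions for a selector */
extern void inssp __P((struct secpolicy *));		/* insert a secpolicy into the database */
extern void remsp __P((struct secpolicy *));		/* remove a secpolicy from the database */
extern void flushsp __P((void));			/* drop every secpolicy */
extern void initsp __P((void));				/* initialise the database */
extern struct ipsecrequest *newipsecreq __P((void));	/* allocate an empty ipsecrequest */

/* Render a selector for logging; the returned string's ownership is not visible here — do not free it without checking. */
extern const char *spidx2str __P((const struct policyindex *));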
136 
137 #endif /* _POLICY_H */