Commit f60dc6b1 authored by David S. Miller's avatar David S. Miller

[IPSEC]: Netlink xfrm configuration interface.

parent 1b84cb26
...@@ -70,6 +70,7 @@ struct in_addr { ...@@ -70,6 +70,7 @@ struct in_addr {
#define IP_MTU 14 #define IP_MTU 14
#define IP_FREEBIND 15 #define IP_FREEBIND 15
#define IP_IPSEC_POLICY 16 #define IP_IPSEC_POLICY 16
#define IP_XFRM_POLICY 17
/* BSD compatibility */ /* BSD compatibility */
#define IP_RECVRETOPTS IP_RETOPTS #define IP_RECVRETOPTS IP_RETOPTS
......
...@@ -91,6 +91,22 @@ struct xfrm_stats { ...@@ -91,6 +91,22 @@ struct xfrm_stats {
__u32 integrity_failed; __u32 integrity_failed;
}; };
enum
{
XFRM_POLICY_IN = 0,
XFRM_POLICY_OUT = 1,
XFRM_POLICY_FWD = 2,
XFRM_POLICY_MAX = 3
};
enum
{
XFRM_SHARE_ANY, /* No limitations */
XFRM_SHARE_SESSION, /* For this session only */
XFRM_SHARE_USER, /* For this user only */
XFRM_SHARE_UNIQUE /* Use once */
};
/* Netlink configuration messages. */ /* Netlink configuration messages. */
#define XFRM_MSG_BASE 0x10 #define XFRM_MSG_BASE 0x10
...@@ -104,8 +120,9 @@ struct xfrm_stats { ...@@ -104,8 +120,9 @@ struct xfrm_stats {
#define XFRM_MSG_ALLOCSPI (RTM_BASE + 6) #define XFRM_MSG_ALLOCSPI (RTM_BASE + 6)
#define XFRM_MSG_ACQUIRE (RTM_BASE + 7) #define XFRM_MSG_ACQUIRE (RTM_BASE + 7)
#define XFRM_MSG_EXPIRE (RTM_BASE + 8)
#define XFRM_MSG_MAX (XFRM_MSG_ACQUIRE+1) #define XFRM_MSG_MAX (XFRM_MSG_EXPIRE+1)
struct xfrm_user_tmpl { struct xfrm_user_tmpl {
struct xfrm_id id; struct xfrm_id id;
...@@ -113,6 +130,7 @@ struct xfrm_user_tmpl { ...@@ -113,6 +130,7 @@ struct xfrm_user_tmpl {
__u16 reqid; __u16 reqid;
__u8 mode; __u8 mode;
__u8 share; __u8 share;
__u8 optional;
__u32 aalgos; __u32 aalgos;
__u32 ealgos; __u32 ealgos;
__u32 calgos; __u32 calgos;
...@@ -135,9 +153,9 @@ struct xfrm_usersa_info { ...@@ -135,9 +153,9 @@ struct xfrm_usersa_info {
struct xfrm_lifetime_cfg lft; struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft; struct xfrm_lifetime_cur curlft;
struct xfrm_stats stats; struct xfrm_stats stats;
__u32 seq;
__u16 family; __u16 family;
__u16 reqid; __u16 reqid;
__u8 sa_type;
__u8 mode; /* 0=transport,1=tunnel */ __u8 mode; /* 0=transport,1=tunnel */
__u8 replay_window; __u8 replay_window;
}; };
...@@ -148,15 +166,26 @@ struct xfrm_usersa_id { ...@@ -148,15 +166,26 @@ struct xfrm_usersa_id {
__u8 proto; __u8 proto;
}; };
struct xfrm_userspi_info {
struct xfrm_usersa_info info;
u32 min;
u32 max;
};
struct xfrm_userpolicy_info { struct xfrm_userpolicy_info {
struct xfrm_selector sel; struct xfrm_selector sel;
struct xfrm_id id;
struct xfrm_lifetime_cfg lft; struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft; struct xfrm_lifetime_cur curlft;
__u32 priority;
__u32 index; __u32 index;
__u16 family; __u16 family;
__u8 dir; __u8 dir;
__u8 action; __u8 action;
#define XFRM_POLICY_ALLOW 0
#define XFRM_POLICY_BLOCK 1
__u8 flags;
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
__u8 share;
}; };
struct xfrm_userpolicy_id { struct xfrm_userpolicy_id {
...@@ -165,4 +194,22 @@ struct xfrm_userpolicy_id { ...@@ -165,4 +194,22 @@ struct xfrm_userpolicy_id {
__u8 dir; __u8 dir;
}; };
struct xfrm_user_acquire {
struct xfrm_id id;
xfrm_address_t saddr;
struct xfrm_userpolicy_info policy;
__u32 aalgos;
__u32 ealgos;
__u32 calgos;
__u32 seq;
};
struct xfrm_user_expire {
struct xfrm_usersa_info state;
__u8 hard;
};
#define XFRMGRP_ACQUIRE 1
#define XFRMGRP_EXPIRE 2
#endif /* _LINUX_XFRM_H */ #endif /* _LINUX_XFRM_H */
...@@ -187,22 +187,6 @@ struct xfrm_tmpl ...@@ -187,22 +187,6 @@ struct xfrm_tmpl
#define XFRM_MAX_DEPTH 3 #define XFRM_MAX_DEPTH 3
enum
{
XFRM_SHARE_ANY, /* No limitations */
XFRM_SHARE_SESSION, /* For this session only */
XFRM_SHARE_USER, /* For this user only */
XFRM_SHARE_UNIQUE /* Use once */
};
enum
{
XFRM_POLICY_IN = 0,
XFRM_POLICY_OUT = 1,
XFRM_POLICY_FWD = 2,
XFRM_POLICY_MAX = 3
};
struct xfrm_policy struct xfrm_policy
{ {
struct xfrm_policy *next; struct xfrm_policy *next;
...@@ -218,10 +202,7 @@ struct xfrm_policy ...@@ -218,10 +202,7 @@ struct xfrm_policy
struct xfrm_lifetime_cur curlft; struct xfrm_lifetime_cur curlft;
struct dst_entry *bundles; struct dst_entry *bundles;
__u8 action; __u8 action;
#define XFRM_POLICY_ALLOW 0
#define XFRM_POLICY_BLOCK 1
__u8 flags; __u8 flags;
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
__u8 dead; __u8 dead;
__u8 xfrm_nr; __u8 xfrm_nr;
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
......
...@@ -362,5 +362,13 @@ config INET_ESP ...@@ -362,5 +362,13 @@ config INET_ESP
If unsure, say Y. If unsure, say Y.
config XFRM_USER
tristate "IP: IPsec user configuration interface"
---help---
Support for IPsec user configuration interface used
by native Linux tools.
If unsure, say Y.
source "net/ipv4/netfilter/Kconfig" source "net/ipv4/netfilter/Kconfig"
...@@ -20,6 +20,7 @@ obj-$(CONFIG_INET_AH) += ah.o ...@@ -20,6 +20,7 @@ obj-$(CONFIG_INET_AH) += ah.o
obj-$(CONFIG_INET_ESP) += esp.o obj-$(CONFIG_INET_ESP) += esp.o
obj-$(CONFIG_IP_PNP) += ipconfig.o obj-$(CONFIG_IP_PNP) += ipconfig.o
obj-$(CONFIG_NETFILTER) += netfilter/ obj-$(CONFIG_NETFILTER) += netfilter/
obj-$(CONFIG_XFRM_USER) += xfrm_user.o
obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o
......
...@@ -626,6 +626,7 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt ...@@ -626,6 +626,7 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
break; break;
case IP_IPSEC_POLICY: case IP_IPSEC_POLICY:
case IP_XFRM_POLICY:
err = xfrm_user_policy(sk, optname, optval, optlen); err = xfrm_user_policy(sk, optname, optval, optlen);
break; break;
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment