Dr Andrew Scott
G7VAV
Senior Lecturer
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
School of Computing
and Communications
D35 InfoLab21
Lancaster University
Lancaster, LA1 4WA
United Kingdom
| June 2025 | ||||||
| Mo | Tu | We | Th | Fr | Sa | Su |
| 26 | 27 | 28 | 29 | 30 | 31 | 1 |
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | 1 | 2 | 3 | 4 | 5 | 6 |
xfrm.h
001: #ifndef _LINUX_XFRM_H 002: #define _LINUX_XFRM_H 003: 004: #include <linux/types.h> 005: 006: /* All of the structures in this file may not change size as they are 007: * passed into the kernel from userspace via netlink sockets. 008: */ 009: 010: /* Structure to encapsulate addresses. I do not want to use 011: * "standard" structure. My apologies. 012: */ 013: typedef union { 014: __be32 a4; 015: __be32 a6[4]; 016: } xfrm_address_t; 017: 018: /* Ident of a specific xfrm_state. It is used on input to lookup 019: * the state by (spi,daddr,ah/esp) or to store information about 020: * spi, protocol and tunnel address on output. 021: */ 022: struct xfrm_id { 023: xfrm_address_t daddr; 024: __be32 spi; 025: __u8 proto; 026: }; 027: 028: struct xfrm_sec_ctx { 029: __u8 ctx_doi; 030: __u8 ctx_alg; 031: __u16 ctx_len; 032: __u32 ctx_sid; 033: char ctx_str[0]; 034: }; 035: 036: /* Security Context Domains of Interpretation */ 037: #define XFRM_SC_DOI_RESERVED 0 038: #define XFRM_SC_DOI_LSM 1 039: 040: /* Security Context Algorithms */ 041: #define XFRM_SC_ALG_RESERVED 0 042: #define XFRM_SC_ALG_SELINUX 1 043: 044: /* Selector, used as selector both on policy rules (SPD) and SAs. */ 045: 046: struct xfrm_selector { 047: xfrm_address_t daddr; 048: xfrm_address_t saddr; 049: __be16 dport; 050: __be16 dport_mask; 051: __be16 sport; 052: __be16 sport_mask; 053: __u16 family; 054: __u8 prefixlen_d; 055: __u8 prefixlen_s; 056: __u8 proto; 057: int ifindex; 058: __kernel_uid32_t user; 059: }; 060: 061: #define XFRM_INF (~(__u64)0) 062: 063: struct xfrm_lifetime_cfg { 064: __u64 soft_byte_limit; 065: __u64 hard_byte_limit; 066: __u64 soft_packet_limit; 067: __u64 hard_packet_limit; 068: __u64 soft_add_expires_seconds; 069: __u64 hard_add_expires_seconds; 070: __u64 soft_use_expires_seconds; 071: __u64 hard_use_expires_seconds; 072: }; 073: 074: struct xfrm_lifetime_cur { 075: __u64 bytes; 076: __u64 packets; 077: __u64 add_time; 078: __u64 use_time; 079: }; 080: 081: struct xfrm_replay_state { 082: __u32 oseq; 083: __u32 seq; 084: __u32 bitmap; 085: }; 086: 087: struct xfrm_replay_state_esn { 088: unsigned int bmp_len; 089: __u32 oseq; 090: __u32 seq; 091: __u32 oseq_hi; 092: __u32 seq_hi; 093: __u32 replay_window; 094: __u32 bmp[0]; 095: }; 096: 097: struct xfrm_algo { 098: char alg_name[64]; 099: unsigned int alg_key_len; /* in bits */ 100: char alg_key[0]; 101: }; 102: 103: struct xfrm_algo_auth { 104: char alg_name[64]; 105: unsigned int alg_key_len; /* in bits */ 106: unsigned int alg_trunc_len; /* in bits */ 107: char alg_key[0]; 108: }; 109: 110: struct xfrm_algo_aead { 111: char alg_name[64]; 112: unsigned int alg_key_len; /* in bits */ 113: unsigned int alg_icv_len; /* in bits */ 114: char alg_key[0]; 115: }; 116: 117: struct xfrm_stats { 118: __u32 replay_window; 119: __u32 replay; 120: __u32 integrity_failed; 121: }; 122: 123: enum { 124: XFRM_POLICY_TYPE_MAIN = 0, 125: XFRM_POLICY_TYPE_SUB = 1, 126: XFRM_POLICY_TYPE_MAX = 2, 127: XFRM_POLICY_TYPE_ANY = 255 128: }; 129: 130: enum { 131: XFRM_POLICY_IN = 0, 132: XFRM_POLICY_OUT = 1, 133: XFRM_POLICY_FWD = 2, 134: XFRM_POLICY_MASK = 3, 135: XFRM_POLICY_MAX = 3 136: }; 137: 138: enum { 139: XFRM_SHARE_ANY, /* No limitations */ 140: XFRM_SHARE_SESSION, /* For this session only */ 141: XFRM_SHARE_USER, /* For this user only */ 142: XFRM_SHARE_UNIQUE /* Use once */ 143: }; 144: 145: #define XFRM_MODE_TRANSPORT 0 146: #define XFRM_MODE_TUNNEL 1 147: #define XFRM_MODE_ROUTEOPTIMIZATION 2 148: #define XFRM_MODE_IN_TRIGGER 3 149: #define XFRM_MODE_BEET 4 150: #define XFRM_MODE_MAX 5 151: 152: /* Netlink configuration messages. */ 153: enum { 154: XFRM_MSG_BASE = 0x10, 155: 156: XFRM_MSG_NEWSA = 0x10, 157: #define XFRM_MSG_NEWSA XFRM_MSG_NEWSA 158: XFRM_MSG_DELSA, 159: #define XFRM_MSG_DELSA XFRM_MSG_DELSA 160: XFRM_MSG_GETSA, 161: #define XFRM_MSG_GETSA XFRM_MSG_GETSA 162: 163: XFRM_MSG_NEWPOLICY, 164: #define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY 165: XFRM_MSG_DELPOLICY, 166: #define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY 167: XFRM_MSG_GETPOLICY, 168: #define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY 169: 170: XFRM_MSG_ALLOCSPI, 171: #define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI 172: XFRM_MSG_ACQUIRE, 173: #define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE 174: XFRM_MSG_EXPIRE, 175: #define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE 176: 177: XFRM_MSG_UPDPOLICY, 178: #define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY 179: XFRM_MSG_UPDSA, 180: #define XFRM_MSG_UPDSA XFRM_MSG_UPDSA 181: 182: XFRM_MSG_POLEXPIRE, 183: #define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE 184: 185: XFRM_MSG_FLUSHSA, 186: #define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA 187: XFRM_MSG_FLUSHPOLICY, 188: #define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY 189: 190: XFRM_MSG_NEWAE, 191: #define XFRM_MSG_NEWAE XFRM_MSG_NEWAE 192: XFRM_MSG_GETAE, 193: #define XFRM_MSG_GETAE XFRM_MSG_GETAE 194: 195: XFRM_MSG_REPORT, 196: #define XFRM_MSG_REPORT XFRM_MSG_REPORT 197: 198: XFRM_MSG_MIGRATE, 199: #define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE 200: 201: XFRM_MSG_NEWSADINFO, 202: #define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO 203: XFRM_MSG_GETSADINFO, 204: #define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO 205: 206: XFRM_MSG_NEWSPDINFO, 207: #define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO 208: XFRM_MSG_GETSPDINFO, 209: #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO 210: 211: XFRM_MSG_MAPPING, 212: #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING 213: __XFRM_MSG_MAX 214: }; 215: #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) 216: 217: #define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE) 218: 219: /* 220: * Generic LSM security context for comunicating to user space 221: * NOTE: Same format as sadb_x_sec_ctx 222: */ 223: struct xfrm_user_sec_ctx { 224: __u16 len; 225: __u16 exttype; 226: __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */ 227: __u8 ctx_doi; 228: __u16 ctx_len; 229: }; 230: 231: struct xfrm_user_tmpl { 232: struct xfrm_id id; 233: __u16 family; 234: xfrm_address_t saddr; 235: __u32 reqid; 236: __u8 mode; 237: __u8 share; 238: __u8 optional; 239: __u32 aalgos; 240: __u32 ealgos; 241: __u32 calgos; 242: }; 243: 244: struct xfrm_encap_tmpl { 245: __u16 encap_type; 246: __be16 encap_sport; 247: __be16 encap_dport; 248: xfrm_address_t encap_oa; 249: }; 250: 251: /* AEVENT flags */ 252: enum xfrm_ae_ftype_t { 253: XFRM_AE_UNSPEC, 254: XFRM_AE_RTHR=1, /* replay threshold*/ 255: XFRM_AE_RVAL=2, /* replay value */ 256: XFRM_AE_LVAL=4, /* lifetime value */ 257: XFRM_AE_ETHR=8, /* expiry timer threshold */ 258: XFRM_AE_CR=16, /* Event cause is replay update */ 259: XFRM_AE_CE=32, /* Event cause is timer expiry */ 260: XFRM_AE_CU=64, /* Event cause is policy update */ 261: __XFRM_AE_MAX 262: 263: #define XFRM_AE_MAX (__XFRM_AE_MAX - 1) 264: }; 265: 266: struct xfrm_userpolicy_type { 267: __u8 type; 268: __u16 reserved1; 269: __u8 reserved2; 270: }; 271: 272: /* Netlink message attributes. */ 273: enum xfrm_attr_type_t { 274: XFRMA_UNSPEC, 275: XFRMA_ALG_AUTH, /* struct xfrm_algo */ 276: XFRMA_ALG_CRYPT, /* struct xfrm_algo */ 277: XFRMA_ALG_COMP, /* struct xfrm_algo */ 278: XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ 279: XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ 280: XFRMA_SA, /* struct xfrm_usersa_info */ 281: XFRMA_POLICY, /*struct xfrm_userpolicy_info */ 282: XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ 283: XFRMA_LTIME_VAL, 284: XFRMA_REPLAY_VAL, 285: XFRMA_REPLAY_THRESH, 286: XFRMA_ETIMER_THRESH, 287: XFRMA_SRCADDR, /* xfrm_address_t */ 288: XFRMA_COADDR, /* xfrm_address_t */ 289: XFRMA_LASTUSED, /* unsigned long */ 290: XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ 291: XFRMA_MIGRATE, 292: XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ 293: XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ 294: XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ 295: XFRMA_MARK, /* struct xfrm_mark */ 296: XFRMA_TFCPAD, /* __u32 */ 297: XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */ 298: __XFRMA_MAX 299: 300: #define XFRMA_MAX (__XFRMA_MAX - 1) 301: }; 302: 303: struct xfrm_mark { 304: __u32 v; /* value */ 305: __u32 m; /* mask */ 306: }; 307: 308: enum xfrm_sadattr_type_t { 309: XFRMA_SAD_UNSPEC, 310: XFRMA_SAD_CNT, 311: XFRMA_SAD_HINFO, 312: __XFRMA_SAD_MAX 313: 314: #define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1) 315: }; 316: 317: struct xfrmu_sadhinfo { 318: __u32 sadhcnt; /* current hash bkts */ 319: __u32 sadhmcnt; /* max allowed hash bkts */ 320: }; 321: 322: enum xfrm_spdattr_type_t { 323: XFRMA_SPD_UNSPEC, 324: XFRMA_SPD_INFO, 325: XFRMA_SPD_HINFO, 326: __XFRMA_SPD_MAX 327: 328: #define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1) 329: }; 330: 331: struct xfrmu_spdinfo { 332: __u32 incnt; 333: __u32 outcnt; 334: __u32 fwdcnt; 335: __u32 inscnt; 336: __u32 outscnt; 337: __u32 fwdscnt; 338: }; 339: 340: struct xfrmu_spdhinfo { 341: __u32 spdhcnt; 342: __u32 spdhmcnt; 343: }; 344: 345: struct xfrm_usersa_info { 346: struct xfrm_selector sel; 347: struct xfrm_id id; 348: xfrm_address_t saddr; 349: struct xfrm_lifetime_cfg lft; 350: struct xfrm_lifetime_cur curlft; 351: struct xfrm_stats stats; 352: __u32 seq; 353: __u32 reqid; 354: __u16 family; 355: __u8 mode; /* XFRM_MODE_xxx */ 356: __u8 replay_window; 357: __u8 flags; 358: #define XFRM_STATE_NOECN 1 359: #define XFRM_STATE_DECAP_DSCP 2 360: #define XFRM_STATE_NOPMTUDISC 4 361: #define XFRM_STATE_WILDRECV 8 362: #define XFRM_STATE_ICMP 16 363: #define XFRM_STATE_AF_UNSPEC 32 364: #define XFRM_STATE_ALIGN4 64 365: #define XFRM_STATE_ESN 128 366: }; 367: 368: struct xfrm_usersa_id { 369: xfrm_address_t daddr; 370: __be32 spi; 371: __u16 family; 372: __u8 proto; 373: }; 374: 375: struct xfrm_aevent_id { 376: struct xfrm_usersa_id sa_id; 377: xfrm_address_t saddr; 378: __u32 flags; 379: __u32 reqid; 380: }; 381: 382: struct xfrm_userspi_info { 383: struct xfrm_usersa_info info; 384: __u32 min; 385: __u32 max; 386: }; 387: 388: struct xfrm_userpolicy_info { 389: struct xfrm_selector sel; 390: struct xfrm_lifetime_cfg lft; 391: struct xfrm_lifetime_cur curlft; 392: __u32 priority; 393: __u32 index; 394: __u8 dir; 395: __u8 action; 396: #define XFRM_POLICY_ALLOW 0 397: #define XFRM_POLICY_BLOCK 1 398: __u8 flags; 399: #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ 400: /* Automatically expand selector to include matching ICMP payloads. */ 401: #define XFRM_POLICY_ICMP 2 402: __u8 share; 403: }; 404: 405: struct xfrm_userpolicy_id { 406: struct xfrm_selector sel; 407: __u32 index; 408: __u8 dir; 409: }; 410: 411: struct xfrm_user_acquire { 412: struct xfrm_id id; 413: xfrm_address_t saddr; 414: struct xfrm_selector sel; 415: struct xfrm_userpolicy_info policy; 416: __u32 aalgos; 417: __u32 ealgos; 418: __u32 calgos; 419: __u32 seq; 420: }; 421: 422: struct xfrm_user_expire { 423: struct xfrm_usersa_info state; 424: __u8 hard; 425: }; 426: 427: struct xfrm_user_polexpire { 428: struct xfrm_userpolicy_info pol; 429: __u8 hard; 430: }; 431: 432: struct xfrm_usersa_flush { 433: __u8 proto; 434: }; 435: 436: struct xfrm_user_report { 437: __u8 proto; 438: struct xfrm_selector sel; 439: }; 440: 441: /* Used by MIGRATE to pass addresses IKE should use to perform 442: * SA negotiation with the peer */ 443: struct xfrm_user_kmaddress { 444: xfrm_address_t local; 445: xfrm_address_t remote; 446: __u32 reserved; 447: __u16 family; 448: }; 449: 450: struct xfrm_user_migrate { 451: xfrm_address_t old_daddr; 452: xfrm_address_t old_saddr; 453: xfrm_address_t new_daddr; 454: xfrm_address_t new_saddr; 455: __u8 proto; 456: __u8 mode; 457: __u16 reserved; 458: __u32 reqid; 459: __u16 old_family; 460: __u16 new_family; 461: }; 462: 463: struct xfrm_user_mapping { 464: struct xfrm_usersa_id id; 465: __u32 reqid; 466: xfrm_address_t old_saddr; 467: xfrm_address_t new_saddr; 468: __be16 old_sport; 469: __be16 new_sport; 470: }; 471: 472: /* backwards compatibility for userspace */ 473: #define XFRMGRP_ACQUIRE 1 474: #define XFRMGRP_EXPIRE 2 475: #define XFRMGRP_SA 4 476: #define XFRMGRP_POLICY 8 477: #define XFRMGRP_REPORT 0x20 478: 479: enum xfrm_nlgroups { 480: XFRMNLGRP_NONE, 481: #define XFRMNLGRP_NONE XFRMNLGRP_NONE 482: XFRMNLGRP_ACQUIRE, 483: #define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE 484: XFRMNLGRP_EXPIRE, 485: #define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE 486: XFRMNLGRP_SA, 487: #define XFRMNLGRP_SA XFRMNLGRP_SA 488: XFRMNLGRP_POLICY, 489: #define XFRMNLGRP_POLICY XFRMNLGRP_POLICY 490: XFRMNLGRP_AEVENTS, 491: #define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS 492: XFRMNLGRP_REPORT, 493: #define XFRMNLGRP_REPORT XFRMNLGRP_REPORT 494: XFRMNLGRP_MIGRATE, 495: #define XFRMNLGRP_MIGRATE XFRMNLGRP_MIGRATE 496: XFRMNLGRP_MAPPING, 497: #define XFRMNLGRP_MAPPING XFRMNLGRP_MAPPING 498: __XFRMNLGRP_MAX 499: }; 500: #define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1) 501: 502: #endif /* _LINUX_XFRM_H */ 503:
for client
(none)
© Andrew Scott 2006 -
2025,
All Rights Reserved
All Rights Reserved
Andrew Scott