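/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _LINUX_XFRM_H
#define _LINUX_XFRM_H

#include <linux/in6.h>
#include <linux/types.h>

/* All of the structures in this file may not change size as they are
 * passed into the kernel from userspace via netlink sockets.
 *
 * Because they cross that boundary, every length, count, index and
 * prefix field below is supplied by the sender.
 * NOTE(review): consumers should check each such field against the
 * enclosing netlink attribute length (and against the documented
 * maximum, where one exists) before using it.
 *
 * Several structs contain a narrow field followed by a wider-aligned
 * one, or end in a lone narrow field (e.g. struct xfrm_id ends in a
 * single __u8; struct xfrm_userpolicy_type has a __u8 followed by a
 * __u16), so compilers on common ABIs insert padding.
 * NOTE(review): zero-initialise these structs before filling and
 * sending them so the padding does not carry stale memory across the
 * boundary.
 */

/* Structure to encapsulate addresses. I do not want to use
 * "standard" structure. My apologies.
 *
 * 16 bytes wide: one IPv4 address (a4) overlaid on one IPv6 address
 * (a6 / in6).  The union carries no discriminator of its own;
 * presumably the family field of the containing structure selects
 * the valid member -- confirm against the consumer.
 */
typedef union {
	__be32		a4;
	__be32		a6[4];
	struct in6_addr	in6;
} xfrm_address_t;

/* Ident of a specific xfrm_state. It is used on input to lookup
 * the state by (spi,daddr,ah/esp) or to store information about
 * spi, protocol and tunnel address on output.
 */
struct xfrm_id {
	xfrm_address_t	daddr;
	__be32		spi;
	__u8		proto;
};

/* Security context header followed by a variable-length string.
 * ctx_str is a trailing zero-length array; presumably ctx_len gives
 * its length in bytes -- TODO confirm.
 */
struct xfrm_sec_ctx {
	__u8	ctx_doi;
	__u8	ctx_alg;
	__u16	ctx_len;
	__u32	ctx_sid;
	char	ctx_str[0];
};

/* Security Context Domains of Interpretation */
#define XFRM_SC_DOI_RESERVED 0
#define XFRM_SC_DOI_LSM 1

/* Security Context Algorithms */
#define XFRM_SC_ALG_RESERVED 0
#define XFRM_SC_ALG_SELINUX 1

/* Selector, used as selector both on policy rules (SPD) and SAs. */

/* NOTE(review): prefixlen_d / prefixlen_s are plain __u8 values and
 * can hold numbers larger than the address width of either family;
 * confirm the consumer range-checks them per family.
 */
struct xfrm_selector {
	xfrm_address_t	daddr;
	xfrm_address_t	saddr;
	__be16	dport;
	__be16	dport_mask;
	__be16	sport;
	__be16	sport_mask;
	__u16	family;
	__u8	prefixlen_d;
	__u8	prefixlen_s;
	__u8	proto;
	int	ifindex;
	__kernel_uid32_t	user;
};

/* All-ones 64-bit value; presumably the "no limit" marker for the
 * fields of struct xfrm_lifetime_cfg -- confirm.
 */
#define XFRM_INF (~(__u64)0)

/* Configured soft/hard limits, by bytes, packets and seconds. */
struct xfrm_lifetime_cfg {
	__u64	soft_byte_limit;
	__u64	hard_byte_limit;
	__u64	soft_packet_limit;
	__u64	hard_packet_limit;
	__u64	soft_add_expires_seconds;
	__u64	hard_add_expires_seconds;
	__u64	soft_use_expires_seconds;
	__u64	hard_use_expires_seconds;
};

/* Current counters matching struct xfrm_lifetime_cfg. */
struct xfrm_lifetime_cur {
	__u64	bytes;
	__u64	packets;
	__u64	add_time;
	__u64	use_time;
};

/* Replay state with a fixed 32-bit bitmap. */
struct xfrm_replay_state {
	__u32	oseq;
	__u32	seq;
	__u32	bitmap;
};

#define XFRMA_REPLAY_ESN_MAX	4096

/* Replay state with a variable-length bitmap (trailing bmp[]).
 * NOTE(review): bmp_len is sender-supplied and sizes the trailing
 * array; presumably XFRMA_REPLAY_ESN_MAX bounds it -- confirm the
 * unit of both values and that the consumer checks bmp_len against
 * the attribute length before touching bmp[].
 */
struct xfrm_replay_state_esn {
	unsigned int	bmp_len;
	__u32		oseq;
	__u32		seq;
	__u32		oseq_hi;
	__u32		seq_hi;
	__u32		replay_window;
	__u32		bmp[0];
};

/* Algorithm descriptors.  Each has a fixed 64-byte alg_name followed
 * by key material in a trailing zero-length array.
 *
 * NOTE(review): the type does not guarantee that alg_name is
 * NUL-terminated; bound any string read to sizeof(alg_name).
 * alg_key_len is expressed in bits, so a byte count has to be derived
 * (rounded up) and checked against the attribute payload before
 * alg_key is read.  alg_key holds key material; buffers that carry it
 * should be cleared after use.
 */
struct xfrm_algo {
	char		alg_name[64];
	unsigned int	alg_key_len;    /* in bits */
	char		alg_key[0];
};

struct xfrm_algo_auth {
	char		alg_name[64];
	unsigned int	alg_key_len;    /* in bits */
	unsigned int	alg_trunc_len;  /* in bits */
	char		alg_key[0];
};

struct xfrm_algo_aead {
	char		alg_name[64];
	unsigned int	alg_key_len;	/* in bits */
	unsigned int	alg_icv_len;	/* in bits */
	char		alg_key[0];
};

struct xfrm_stats {
	__u32	replay_window;
	__u32	replay;
	__u32	integrity_failed;
};

/* Policy types; values are fixed. */
enum {
	XFRM_POLICY_TYPE_MAIN	= 0,
	XFRM_POLICY_TYPE_SUB	= 1,
	XFRM_POLICY_TYPE_MAX	= 2,
	XFRM_POLICY_TYPE_ANY	= 255
};

/* Policy directions.  XFRM_POLICY_MASK and XFRM_POLICY_MAX both
 * evaluate to 3.
 * NOTE(review): the dir fields further down are plain __u8 values
 * set by the sender; confirm the consumer range-checks them against
 * XFRM_POLICY_MAX before use.
 */
enum {
	XFRM_POLICY_IN	= 0,
	XFRM_POLICY_OUT	= 1,
	XFRM_POLICY_FWD	= 2,
	XFRM_POLICY_MASK = 3,
	XFRM_POLICY_MAX	= 3
};

enum {
	XFRM_SHARE_ANY,		/* No limitations */
	XFRM_SHARE_SESSION,	/* For this session only */
	XFRM_SHARE_USER,	/* For this user only */
	XFRM_SHARE_UNIQUE	/* Use once */
};

#define XFRM_MODE_TRANSPORT 0
#define XFRM_MODE_TUNNEL 1
#define XFRM_MODE_ROUTEOPTIMIZATION 2
#define XFRM_MODE_IN_TRIGGER 3
#define XFRM_MODE_BEET 4
#define XFRM_MODE_MAX 5

/* Netlink configuration messages.
 *
 * Numbering starts at XFRM_MSG_BASE (0x10) and is sequential.  Each
 * enumerator is also defined as a macro expanding to itself, so
 * userspace can test for a message type with #ifdef.
 */
enum {
	XFRM_MSG_BASE = 0x10,

	XFRM_MSG_NEWSA = 0x10,
#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
	XFRM_MSG_DELSA,
#define XFRM_MSG_DELSA XFRM_MSG_DELSA
	XFRM_MSG_GETSA,
#define XFRM_MSG_GETSA XFRM_MSG_GETSA

	XFRM_MSG_NEWPOLICY,
#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
	XFRM_MSG_DELPOLICY,
#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
	XFRM_MSG_GETPOLICY,
#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY

	XFRM_MSG_ALLOCSPI,
#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
	XFRM_MSG_ACQUIRE,
#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
	XFRM_MSG_EXPIRE,
#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE

	XFRM_MSG_UPDPOLICY,
#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
	XFRM_MSG_UPDSA,
#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA

	XFRM_MSG_POLEXPIRE,
#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE

	XFRM_MSG_FLUSHSA,
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
	XFRM_MSG_FLUSHPOLICY,
#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY

	XFRM_MSG_NEWAE,
#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
	XFRM_MSG_GETAE,
#define XFRM_MSG_GETAE XFRM_MSG_GETAE

	XFRM_MSG_REPORT,
#define XFRM_MSG_REPORT XFRM_MSG_REPORT

	XFRM_MSG_MIGRATE,
#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE

	XFRM_MSG_NEWSADINFO,
#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
	XFRM_MSG_GETSADINFO,
#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO

	XFRM_MSG_NEWSPDINFO,
#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
	XFRM_MSG_GETSPDINFO,
#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO

	XFRM_MSG_MAPPING,
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
	__XFRM_MSG_MAX
};
/* Highest valid message type (the enumerator before __XFRM_MSG_MAX). */
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)

/* Number of message types, counted from XFRM_MSG_BASE. */
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)

/*
 * Generic LSM security context for communicating to user space
 * NOTE: Same format as sadb_x_sec_ctx
 */
struct xfrm_user_sec_ctx {
	__u16	len;
	__u16	exttype;
	__u8	ctx_alg;  /* LSMs: e.g., selinux == 1 */
	__u8	ctx_doi;
	__u16	ctx_len;
};

struct xfrm_user_tmpl {
	struct xfrm_id	id;
	__u16		family;
	xfrm_address_t	saddr;
	__u32		reqid;
	__u8		mode;
	__u8		share;
	__u8		optional;
	__u32		aalgos;
	__u32		ealgos;
	__u32		calgos;
};

struct xfrm_encap_tmpl {
	__u16		encap_type;
	__be16		encap_sport;
	__be16		encap_dport;
	xfrm_address_t	encap_oa;
};

/* AEVENT flags.
 *
 * The named values are single bits.  __XFRM_AE_MAX follows the value
 * 64 and is therefore 65, so XFRM_AE_MAX evaluates to 64: it is the
 * highest flag value, not a mask of all flags.
 */
enum xfrm_ae_ftype_t {
	XFRM_AE_UNSPEC,
	XFRM_AE_RTHR=1,	/* replay threshold*/
	XFRM_AE_RVAL=2, /* replay value */
	XFRM_AE_LVAL=4, /* lifetime value */
	XFRM_AE_ETHR=8, /* expiry timer threshold */
	XFRM_AE_CR=16, /* Event cause is replay update */
	XFRM_AE_CE=32, /* Event cause is timer expiry */
	XFRM_AE_CU=64, /* Event cause is policy update */
	__XFRM_AE_MAX

#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};

struct xfrm_userpolicy_type {
	__u8		type;
	__u16		reserved1;
	__u8		reserved2;
};

/* Netlink message attributes.
 *
 * The trailing comment on each attribute names the payload type.
 * NOTE(review): XFRMA_LASTUSED is annotated "unsigned long", whose
 * width differs between 32-bit and 64-bit userspace; confirm the
 * width actually used on the wire before parsing it.
 */
enum xfrm_attr_type_t {
	XFRMA_UNSPEC,
	XFRMA_ALG_AUTH,		/* struct xfrm_algo */
	XFRMA_ALG_CRYPT,	/* struct xfrm_algo */
	XFRMA_ALG_COMP,		/* struct xfrm_algo */
	XFRMA_ENCAP,		/* struct xfrm_algo + struct xfrm_encap_tmpl */
	XFRMA_TMPL,		/* 1 or more struct xfrm_user_tmpl */
	XFRMA_SA,		/* struct xfrm_usersa_info  */
	XFRMA_POLICY,		/* struct xfrm_userpolicy_info */
	XFRMA_SEC_CTX,		/* struct xfrm_sec_ctx */
	XFRMA_LTIME_VAL,
	XFRMA_REPLAY_VAL,
	XFRMA_REPLAY_THRESH,
	XFRMA_ETIMER_THRESH,
	XFRMA_SRCADDR,		/* xfrm_address_t */
	XFRMA_COADDR,		/* xfrm_address_t */
	XFRMA_LASTUSED,		/* unsigned long  */
	XFRMA_POLICY_TYPE,	/* struct xfrm_userpolicy_type */
	XFRMA_MIGRATE,
	XFRMA_ALG_AEAD,		/* struct xfrm_algo_aead */
	XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
	XFRMA_ALG_AUTH_TRUNC,	/* struct xfrm_algo_auth */
	XFRMA_MARK,		/* struct xfrm_mark */
	XFRMA_TFCPAD,		/* __u32 */
	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_state_esn */
	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
	XFRMA_PROTO,		/* __u8 */
	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
	XFRMA_PAD,
	XFRMA_OFFLOAD_DEV,	/* struct xfrm_user_offload */
	XFRMA_SET_MARK,		/* __u32 */
	XFRMA_SET_MARK_MASK,	/* __u32 */
	XFRMA_IF_ID,		/* __u32 */
	__XFRMA_MAX

#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */
#define XFRMA_MAX (__XFRMA_MAX - 1)
};

struct xfrm_mark {
	__u32           v; /* value */
	__u32           m; /* mask */
};

enum xfrm_sadattr_type_t {
	XFRMA_SAD_UNSPEC,
	XFRMA_SAD_CNT,
	XFRMA_SAD_HINFO,
	__XFRMA_SAD_MAX

#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
};

struct xfrmu_sadhinfo {
	__u32 sadhcnt; /* current hash bkts */
	__u32 sadhmcnt; /* max allowed hash bkts */
};

enum xfrm_spdattr_type_t {
	XFRMA_SPD_UNSPEC,
	XFRMA_SPD_INFO,
	XFRMA_SPD_HINFO,
	XFRMA_SPD_IPV4_HTHRESH,
	XFRMA_SPD_IPV6_HTHRESH,
	__XFRMA_SPD_MAX

#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
};

struct xfrmu_spdinfo {
	__u32 incnt;
	__u32 outcnt;
	__u32 fwdcnt;
	__u32 inscnt;
	__u32 outscnt;
	__u32 fwdscnt;
};

struct xfrmu_spdhinfo {
	__u32 spdhcnt;
	__u32 spdhmcnt;
};

struct xfrmu_spdhthresh {
	__u8 lbits;
	__u8 rbits;
};

/* SA description.  The XFRM_STATE_* values below are the bits of the
 * 8-bit flags field; all eight bits (1..128) are assigned.
 */
struct xfrm_usersa_info {
	struct xfrm_selector		sel;
	struct xfrm_id			id;
	xfrm_address_t			saddr;
	struct xfrm_lifetime_cfg	lft;
	struct xfrm_lifetime_cur	curlft;
	struct xfrm_stats		stats;
	__u32				seq;
	__u32				reqid;
	__u16				family;
	__u8				mode;		/* XFRM_MODE_xxx */
	__u8				replay_window;
	__u8				flags;
#define XFRM_STATE_NOECN	1
#define XFRM_STATE_DECAP_DSCP	2
#define XFRM_STATE_NOPMTUDISC	4
#define XFRM_STATE_WILDRECV	8
#define XFRM_STATE_ICMP		16
#define XFRM_STATE_AF_UNSPEC	32
#define XFRM_STATE_ALIGN4	64
#define XFRM_STATE_ESN		128
};

/* Presumably the bits carried in the __u32 XFRMA_SA_EXTRA_FLAGS
 * attribute -- confirm against the consumer.
 */
#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP	1
#define XFRM_SA_XFLAG_OSEQ_MAY_WRAP	2

struct xfrm_usersa_id {
	xfrm_address_t			daddr;
	__be32				spi;
	__u16				family;
	__u8				proto;
};

struct xfrm_aevent_id {
	struct xfrm_usersa_id		sa_id;
	xfrm_address_t			saddr;
	__u32				flags;
	__u32				reqid;
};

/* NOTE(review): min and max are both sender-supplied; confirm the
 * consumer rejects min > max.
 */
struct xfrm_userspi_info {
	struct xfrm_usersa_info		info;
	__u32				min;
	__u32				max;
};

/* Policy description.  XFRM_POLICY_ALLOW / XFRM_POLICY_BLOCK are the
 * values of action; XFRM_POLICY_LOCALOK / XFRM_POLICY_ICMP are bits
 * of flags.
 */
struct xfrm_userpolicy_info {
	struct xfrm_selector		sel;
	struct xfrm_lifetime_cfg	lft;
	struct xfrm_lifetime_cur	curlft;
	__u32				priority;
	__u32				index;
	__u8				dir;
	__u8				action;
#define XFRM_POLICY_ALLOW	0
#define XFRM_POLICY_BLOCK	1
	__u8				flags;
#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
	/* Automatically expand selector to include matching ICMP payloads. */
#define XFRM_POLICY_ICMP	2
	__u8				share;
};

struct xfrm_userpolicy_id {
	struct xfrm_selector		sel;
	__u32				index;
	__u8				dir;
};

struct xfrm_user_acquire {
	struct xfrm_id			id;
	xfrm_address_t			saddr;
	struct xfrm_selector		sel;
	struct xfrm_userpolicy_info	policy;
	__u32				aalgos;
	__u32				ealgos;
	__u32				calgos;
	__u32				seq;
};

struct xfrm_user_expire {
	struct xfrm_usersa_info		state;
	__u8				hard;
};

struct xfrm_user_polexpire {
	struct xfrm_userpolicy_info	pol;
	__u8				hard;
};

struct xfrm_usersa_flush {
	__u8				proto;
};

struct xfrm_user_report {
	__u8				proto;
	struct xfrm_selector		sel;
};

/* Used by MIGRATE to pass addresses IKE should use to perform
 * SA negotiation with the peer */
struct xfrm_user_kmaddress {
	xfrm_address_t                  local;
	xfrm_address_t                  remote;
	__u32				reserved;
	__u16				family;
};

struct xfrm_user_migrate {
	xfrm_address_t			old_daddr;
	xfrm_address_t			old_saddr;
	xfrm_address_t			new_daddr;
	xfrm_address_t			new_saddr;
	__u8				proto;
	__u8				mode;
	__u16				reserved;
	__u32				reqid;
	__u16				old_family;
	__u16				new_family;
};

struct xfrm_user_mapping {
	struct xfrm_usersa_id		id;
	__u32				reqid;
	xfrm_address_t			old_saddr;
	xfrm_address_t			new_saddr;
	__be16				old_sport;
	__be16				new_sport;
};

/* NOTE(review): splen / dplen are plain __u8 values; confirm the
 * consumer bounds them by the address width implied by family.
 */
struct xfrm_address_filter {
	xfrm_address_t			saddr;
	xfrm_address_t			daddr;
	__u16				family;
	__u8				splen;
	__u8				dplen;
};

struct xfrm_user_offload {
	int				ifindex;
	__u8				flags;
};
/* This flag was exposed without any kernel code supporting it.
 * Unfortunately, strongswan has code that sets this flag,
 * which makes it impossible to reuse this bit.
 *
 * So leave it here to make sure that it won't be reused by mistake.
 */
#define XFRM_OFFLOAD_IPV6	1
#define XFRM_OFFLOAD_INBOUND	2

#ifndef __KERNEL__
/* backwards compatibility for userspace */
/* Each value equals 1 << (XFRMNLGRP_x - 1) for the matching group in
 * enum xfrm_nlgroups below.
 */
#define XFRMGRP_ACQUIRE		1
#define XFRMGRP_EXPIRE		2
#define XFRMGRP_SA		4
#define XFRMGRP_POLICY		8
#define XFRMGRP_REPORT		0x20
#endif

/* Netlink multicast group numbers.  As with the message types, each
 * enumerator is also a self-referential macro so it can be probed
 * with #ifdef.
 */
enum xfrm_nlgroups {
	XFRMNLGRP_NONE,
#define XFRMNLGRP_NONE		XFRMNLGRP_NONE
	XFRMNLGRP_ACQUIRE,
#define XFRMNLGRP_ACQUIRE	XFRMNLGRP_ACQUIRE
	XFRMNLGRP_EXPIRE,
#define XFRMNLGRP_EXPIRE	XFRMNLGRP_EXPIRE
	XFRMNLGRP_SA,
#define XFRMNLGRP_SA		XFRMNLGRP_SA
	XFRMNLGRP_POLICY,
#define XFRMNLGRP_POLICY	XFRMNLGRP_POLICY
	XFRMNLGRP_AEVENTS,
#define XFRMNLGRP_AEVENTS	XFRMNLGRP_AEVENTS
	XFRMNLGRP_REPORT,
#define XFRMNLGRP_REPORT	XFRMNLGRP_REPORT
	XFRMNLGRP_MIGRATE,
#define XFRMNLGRP_MIGRATE	XFRMNLGRP_MIGRATE
	XFRMNLGRP_MAPPING,
#define XFRMNLGRP_MAPPING	XFRMNLGRP_MAPPING
	__XFRMNLGRP_MAX
};
#define XFRMNLGRP_MAX	(__XFRMNLGRP_MAX - 1)

#endif /* _LINUX_XFRM_H */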