xref: /illumos-gate/usr/src/uts/common/net/pfpolicy.h (revision bbf215553c7233fbab8a0afdf1fac74c44781867)
1  /*
2   * CDDL HEADER START
3   *
4   * The contents of this file are subject to the terms of the
5   * Common Development and Distribution License (the "License").
6   * You may not use this file except in compliance with the License.
7   *
8   * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9   * or http://www.opensolaris.org/os/licensing.
10   * See the License for the specific language governing permissions
11   * and limitations under the License.
12   *
13   * When distributing Covered Code, include this CDDL HEADER in each
14   * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15   * If applicable, add the following below this CDDL HEADER, with the
16   * fields enclosed by brackets "[]" replaced with your own identifying
17   * information: Portions Copyright [yyyy] [name of copyright owner]
18   *
19   * CDDL HEADER END
20   */
21  /*
22   * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23   * Use is subject to license terms.
24   */
25  
26  #ifndef	_NET_PFPOLICY_H
27  #define	_NET_PFPOLICY_H
28  
29  /*
30   * Definitions and structures for PF_POLICY version 1.
31   *
32   * This local protocol provides an interface allowing utilities to
33   * manage a system's IPsec System Policy Database; see RFC2401 for a
34   * conceptual overview of the SPD.
35   * The basic encoding is modelled on PF_KEY version 2; see pfkeyv2.h
36   * and RFC2367 for more information.
37   */
38  
39  #ifdef	__cplusplus
40  extern "C" {
41  #endif
42  
43  #define	PF_POLICY_V1		1
44  #define	PF_POLICY_REVISION	200304L
45  
46  /*
47   * Base PF_POLICY message header.  Each request/response starts with
48   * one of these, followed by some number of extensions.  Each
49   * extension type appears at most once in a message.  spd_msg_len
50   * contains the total length of the message including header.
51   */
52  typedef struct spd_msg
53  {
54  	uint8_t spd_msg_version;	/* PF_POLICY_V1 */
55  	uint8_t spd_msg_type;		/* ADD, DELETE, QUERY, ... */
56  	uint8_t spd_msg_errno;		/* Unix errno space; mbz on request */
57  	uint8_t spd_msg_spdid;		/* which policy db instance */
58  	uint16_t spd_msg_len;		/* in 64-bit words */
59  	uint16_t spd_msg_diagnostic;	/* additional error reason */
60  	/* Union is for guaranteeing 64-bit alignment. */
61  	union {
62  		struct {
63  			uint32_t spd_msg_useq;		/* set by sender */
64  			uint32_t spd_msg_upid;		/* set by sender */
65  		} spd_msg_actual;
66  		uint64_t spd_msg_alignment;
67  	} spd_msg_u;
68  #define	spd_msg_seq spd_msg_u.spd_msg_actual.spd_msg_useq
69  #define	spd_msg_pid spd_msg_u.spd_msg_actual.spd_msg_upid
70  } spd_msg_t;
71  
72  /*
73   * Command numbers, found in spd_msg_type.
74   */
75  #define	SPD_RESERVED				0
76  #define	SPD_MIN					1
77  #define	SPD_FLUSH				1
78  #define	SPD_ADDRULE				2
79  #define	SPD_DELETERULE				3
80  #define	SPD_FLIP				4
81  #define	SPD_LOOKUP				5
82  #define	SPD_DUMP				6
83  #define	SPD_CLONE				7
84  #define	SPD_ALGLIST				8
85  #define	SPD_DUMPALGS				9
86  #define	SPD_UPDATEALGS				10
87  #define	SPD_MAX					10
88  
89  /*
90   * Well-known policy db instances, found in spd_msg_spdid
91   */
92  #define	SPD_ACTIVE		0	/* The currently active instance */
93  #define	SPD_STANDBY		1 	/* "on deck" standby SPD */
94  
95  /*
96   * The spd_msg_t is followed by extensions, which start with the
97   * following header; each extension structure includes the length and
98   * type fields internally as an overlay to simplify parsing and
99   * construction.
100   */
101  typedef struct spd_ext
102  {
103  	/* Union is for guaranteeing 64-bit alignment. */
104  	union {
105  		struct {
106  			uint16_t spd_ext_ulen;		/* in 64-bit words */
107  			uint16_t spd_ext_utype;		/* 0 is reserved */
108  		} spd_ext_actual;
109  		uint64_t spd_ext_alignment;
110  	} spd_ext_u;
111  #define	spd_ext_len spd_ext_u.spd_ext_actual.spd_ext_ulen
112  #define	spd_ext_type spd_ext_u.spd_ext_actual.spd_ext_utype
113  } spd_ext_t;
114  
115  /*
116   * Extension numbers, found in spd_ext_type.
117   */
118  
119  #define	SPD_EXT_LCLPORT				1
120  #define	SPD_EXT_REMPORT				2
121  #define	SPD_EXT_PROTO				3
122  #define	SPD_EXT_LCLADDR				4
123  #define	SPD_EXT_REMADDR				5
124  
125  #define	SPD_EXT_ACTION				6
126  #define	SPD_EXT_RULE				7
127  #define	SPD_EXT_RULESET				8
128  #define	SPD_EXT_ICMP_TYPECODE  			9
129  
130  #define	SPD_EXT_TUN_NAME			10
131  
132  #define	SPD_EXT_MAX				10
133  
134  /*
135   * base policy rule (attributes which every rule has)
136   *
137   * spd_rule_index MBZ on a SPD_ADD, and is assigned by the kernel.
138   * subsequent deletes can operate either by specifying selectors or by
139   * specifying a non-zero rule index.
140   */
141  struct spd_rule
142  {
143  	uint16_t spd_rule_len;
144  	uint16_t spd_rule_type;		/* SPD_EXT_RULE */
145  	uint32_t spd_rule_priority;
146  	uint32_t spd_rule_flags;	/* INBOUND, OUTBOUND, ... */
147  	uint32_t spd_rule_unused;
148  	uint64_t spd_rule_index;	/* unique rule identifier. */
149  };
150  
151  /*
152   * Flags for spd_rule.spd_rule_flags
153   */
154  #define	SPD_RULE_FLAG_INBOUND		0x0001
155  #define	SPD_RULE_FLAG_OUTBOUND		0x0002
156  /* Only applies to tunnel policy heads. */
157  #define	SPD_RULE_FLAG_TUNNEL		0x0004
158  
159  /*
160   * Address selectors.   Different from PF_KEY because we want a
161   * more precise format for wildcards on ports/protocol.
162   */
163  typedef struct spd_address {
164  	/* Union is for guaranteeing 64-bit alignment. */
165  	union {
166  		struct {
167  			uint16_t spd_address_ulen;
168  			uint16_t spd_address_uexttype;	/* SRC, DST */
169  			uint8_t spd_address_uaf;	/* address family. */
170  			uint8_t spd_address_uprefixlen;	/* Prefix len (bits). */
171  			uint16_t spd_address_ureserved2; /* Padding */
172  		} spd_address_actual;
173  		uint64_t spd_address_alignment;
174  	} spd_address_u;
175  	/*
176  	 * .. followed by 4 bytes of IPv4 or 16 bytes of IPv6 address,
177  	 * padded up to next uint64_t
178  	 */
179  #define	spd_address_len	\
180  	spd_address_u.spd_address_actual.spd_address_ulen
181  #define	spd_address_exttype \
182  	spd_address_u.spd_address_actual.spd_address_uexttype
183  #define	spd_address_af \
184  	spd_address_u.spd_address_actual.spd_address_uaf
185  #define	spd_address_prefixlen \
186  	spd_address_u.spd_address_actual.spd_address_uprefixlen
187  #define	spd_address_reserved2 \
188  	spd_address_u.spd_address_actual.spd_address_ureserved2
189  } spd_address_t;
190  
191  /*
192   * Protocol selector
193   */
194  struct spd_proto
195  {
196  	/* Union is for guaranteeing 64-bit alignment. */
197  	union {
198  		struct {
199  			uint16_t spd_proto_ulen;
200  			uint16_t spd_proto_uexttype;		/* PROTO */
201  			uint8_t spd_proto_unumber;		/* IPPROTO_* */
202  			uint8_t	spd_proto_ureserved1;		 /* pad */
203  			uint16_t spd_proto_ureserved2;		 /* pad */
204  		} spd_proto_actual;
205  		uint64_t spd_proto_alignment;
206  	} spd_proto_u;
207  #define	spd_proto_len spd_proto_u.spd_proto_actual.spd_proto_ulen
208  #define	spd_proto_exttype spd_proto_u.spd_proto_actual.spd_proto_uexttype
209  #define	spd_proto_number spd_proto_u.spd_proto_actual.spd_proto_unumber
210  #define	spd_proto_reserved1 spd_proto_u.spd_proto_actual.spd_proto_ureserved1
211  #define	spd_proto_reserved2 spd_proto_u.spd_proto_actual.spd_proto_ureserved2
212  };
213  
214  /*
215   * Port selector.  We only support minport==maxport at present.
216   */
217  struct spd_portrange
218  {
219  	/* Union is for guaranteeing 64-bit alignment. */
220  	union {
221  		struct {
222  			uint16_t spd_ports_ulen;
223  			uint16_t spd_ports_uexttype;	/* LCLPORT, REMPORT */
224  			uint16_t spd_ports_uminport;	/* min port */
225  			uint16_t spd_ports_umaxport;	/* max port */
226  		} spd_ports_actual;
227  		uint64_t spd_ports_alignment;
228  	} spd_ports_u;
229  #define	spd_ports_len spd_ports_u.spd_ports_actual.spd_ports_ulen
230  #define	spd_ports_exttype spd_ports_u.spd_ports_actual.spd_ports_uexttype
231  #define	spd_ports_minport spd_ports_u.spd_ports_actual.spd_ports_uminport
232  #define	spd_ports_maxport spd_ports_u.spd_ports_actual.spd_ports_umaxport
233  };
234  
235  /*
236   * ICMP type selector.
237   */
238  struct spd_typecode
239  {
240  	/* Union is for guaranteeing 64-bit alignment. */
241  	union {
242  		struct {
243  			uint16_t spd_typecode_ulen;
244  			uint16_t spd_typecode_uexttype;	/* ICMP_TYPECODE */
245  			uint8_t  spd_typecode_utype;
246  			uint8_t  spd_typecode_utype_end;
247  			uint8_t  spd_typecode_ucode;
248  			uint8_t  spd_typecode_ucode_end;
249  		} spd_typecode_actual;
250  		uint64_t spd_typecode_alignment;
251  	} spd_typecode_u;
252  #define	spd_typecode_len	\
253      spd_typecode_u.spd_typecode_actual.spd_typecode_ulen
254  #define	spd_typecode_exttype	\
255      spd_typecode_u.spd_typecode_actual.spd_typecode_uexttype
256  #define	spd_typecode_type	\
257      spd_typecode_u.spd_typecode_actual.spd_typecode_utype
258  #define	spd_typecode_type_end	\
259      spd_typecode_u.spd_typecode_actual.spd_typecode_utype_end
260  #define	spd_typecode_code	\
261      spd_typecode_u.spd_typecode_actual.spd_typecode_ucode
262  #define	spd_typecode_code_end	\
263      spd_typecode_u.spd_typecode_actual.spd_typecode_ucode_end
264  };
265  
266  
267  /*
268   * Actions, specifying what happens to packets which match selectors.
269   * This extension is followed by some number of spd_attribute tag-value pairs
270   * which encode one or more alternative policies; see below for
271   * the encoding used.
272   */
273  struct spd_ext_actions
274  {
275  	/* Union is for guaranteeing 64-bit alignment. */
276  	union {
277  		struct {
278  			uint16_t spd_actions_ulen;
279  			uint16_t spd_actions_uexttype;	/* ACTION */
280  			uint16_t spd_actions_ucount;	/* # of alternatives */
281  			uint16_t spd_actions_ureserved;
282  		} spd_actions_actual;
283  		uint64_t spd_actions_alignment;
284  	} spd_actions_u;
285  #define	spd_actions_len \
286  	spd_actions_u.spd_actions_actual.spd_actions_ulen
287  #define	spd_actions_exttype \
288  	spd_actions_u.spd_actions_actual.spd_actions_uexttype
289  #define	spd_actions_count \
290  	spd_actions_u.spd_actions_actual.spd_actions_ucount
291  #define	spd_actions_reserved \
292  	spd_actions_u.spd_actions_actual.spd_actions_ureserved
293  };
294  
295  /*
296   * Extensible encoding for requested SA attributes.
297   * To allow additional attributes to be added, we use a simple-to-interpret
298   * (tag, value) encoding to fill in attributes in a list of alternatives.
299   *
300   * We fill in alternatives one at a time, starting with most-preferred,
301   * proceeding to least-preferred.
302   *
303   * Conceptually, we are filling in attributes of a "template", and
304   * then copying that template value into the list of alternatives when
305   * we see a SPD_ATTR_END or SPD_ATTR_NEXT.
306   *
307   * The template is not changed by SPD_ATTR_NEXT, so that attributes common to
308   * all alternatives need only be mentioned once.
309   *
310   * spd_actions_count is the maximum number of alternatives present; it
311   * should be one greater than the number of SPD_ATTR_NEXT opcodes
312   * present in the sequence.
313   */
314  
315  struct spd_attribute
316  {
317  	union {
318  		struct {
319  			uint32_t	spd_attr_utag;
320  			uint32_t	spd_attr_uvalue;
321  		} spd_attribute_actual;
322  		uint64_t spd_attribute_alignment;
323  	} spd_attribute_u;
324  #define	spd_attr_tag spd_attribute_u.spd_attribute_actual.spd_attr_utag
325  #define	spd_attr_value spd_attribute_u.spd_attribute_actual.spd_attr_uvalue
326  };
327  
328  /*
329   * These flags are used by the kernel algorithm structures and by ipsecalgs(8).
330   * ALG_FLAG_KERNELCHECKED is used by ipsecalgs(8) to tag ipsecalgent_t as
331   * kernel verified. ALG_FLAG_VALID is only meaningful if set by the kernel.
332   */
333  #define	ALG_FLAG_VALID		0x01
334  #define	ALG_FLAG_COUNTERMODE	0x02
335  #define	ALG_FLAG_COMBINED	0x04
336  #define	ALG_FLAG_CCM		0x08
337  #define	ALG_FLAG_GCM		0x10
338  #define	ALG_FLAG_KERNELCHECKED	0x80000000
339  
340  #define	SPD_ATTR_NOP	0x00000000	/* space filler */
341  #define	SPD_ATTR_END	0x00000001	/* end of description */
342  #define	SPD_ATTR_EMPTY	0x00000002	/* reset template to default */
343  #define	SPD_ATTR_NEXT	0x00000003	/* start filling next alternative */
344  
345  #define	SPD_ATTR_TYPE			0x00000100
346  #define	SPD_ATTR_FLAGS			0x00000101
347  #define	SPD_ATTR_AH_AUTH		0x00000102
348  #define	SPD_ATTR_ESP_ENCR		0x00000103
349  #define	SPD_ATTR_ESP_AUTH		0x00000104
350  #define	SPD_ATTR_ENCR_MINBITS		0x00000105
351  #define	SPD_ATTR_ENCR_MAXBITS		0x00000106
352  #define	SPD_ATTR_AH_MINBITS		0x00000107
353  #define	SPD_ATTR_AH_MAXBITS		0x00000108
354  #define	SPD_ATTR_LIFE_SOFT_TIME		0x00000109
355  #define	SPD_ATTR_LIFE_HARD_TIME		0x0000010a
356  #define	SPD_ATTR_LIFE_SOFT_BYTES	0x0000010b
357  #define	SPD_ATTR_LIFE_HARD_BYTES	0x0000010c
358  #define	SPD_ATTR_KM_PROTO		0x0000010d
359  #define	SPD_ATTR_KM_COOKIE		0x0000010e
360  #define	SPD_ATTR_REPLAY_DEPTH		0x0000010f
361  #define	SPD_ATTR_ESPA_MINBITS		0x00000110
362  #define	SPD_ATTR_ESPA_MAXBITS		0x00000111
363  #define	SPD_ATTR_ENCR_DEFBITS		0x00000112
364  #define	SPD_ATTR_ENCR_INCRBITS		0x00000113
365  #define	SPD_ATTR_AH_DEFBITS		0x00000114
366  #define	SPD_ATTR_AH_INCRBITS		0x00000115
367  #define	SPD_ATTR_ESPA_DEFBITS		0x00000116
368  #define	SPD_ATTR_ESPA_INCRBITS		0x00000117
369  #define	SPD_ATTR_ALG_ID			0x00000118
370  #define	SPD_ATTR_ALG_PROTO		0x00000119
371  #define	SPD_ATTR_ALG_INCRBITS		0x0000011a
372  #define	SPD_ATTR_ALG_NKEYSIZES		0x0000011b
373  #define	SPD_ATTR_ALG_KEYSIZE		0x0000011c
374  #define	SPD_ATTR_ALG_NBLOCKSIZES	0x0000011d
375  #define	SPD_ATTR_ALG_BLOCKSIZE		0x0000011e
376  #define	SPD_ATTR_ALG_MECHNAME		0x0000011f
377  #define	SPD_ATTR_PROTO_ID		0x00000120
378  #define	SPD_ATTR_PROTO_EXEC_MODE	0x00000121
379  #define	SPD_ATTR_ALG_NPARAMS		0x00000122
380  #define	SPD_ATTR_ALG_PARAMS		0x00000123
381  #define	SPD_ATTR_ALG_FLAGS		0x00000124
382  
383  /*
384   * An interface extension identifies a network interface.
385   * It is used for configuring Tunnel Mode policies on a tunnelling
386   * interface for now.
387   */
388  typedef struct spd_if_s {
389  	union {
390  		struct {
391  			uint16_t spd_if_ulen;
392  			uint16_t spd_if_uexttype;
393  			union {
394  				uint8_t spd_if_iuname[4];
395  				uint32_t spd_if_iuindex;
396  			} spd_if_iu;
397  		} spd_if_actual;
398  		uint64_t spd_if_alignment;
399  	} spd_if_u;
400  #define	spd_if_len spd_if_u.spd_if_actual.spd_if_ulen
401  #define	spd_if_exttype spd_if_u.spd_if_actual.spd_if_uexttype
402  #define	spd_if_name spd_if_u.spd_if_actual.spd_if_iu.spd_if_iuname
403  #define	spd_if_index spd_if_u.spd_if_actual.spd_if_iu.spd_if_iuindex
404  } spd_if_t;
405  
406  /*
407   * Minimum, maximum key lengths in bits.
408   */
409  #define	SPD_MIN_MINBITS		0x0000
410  #define	SPD_MAX_MAXBITS		0xffff
411  
412  /*
413   * IPsec action types (in SPD_ATTR_TYPE attribute)
414   */
415  #define	SPD_ACTTYPE_DROP	0x0001
416  #define	SPD_ACTTYPE_PASS	0x0002
417  #define	SPD_ACTTYPE_IPSEC	0x0003
418  
419  /*
420   * Action flags (in SPD_ATTR_FLAGS attribute)
421   */
422  #define	SPD_APPLY_AH		0x0001
423  #define	SPD_APPLY_ESP		0x0002
424  #define	SPD_APPLY_SE		0x0004  /* self-encapsulation */
425  #define	SPD_APPLY_COMP		0x0008	/* compression; NYI */
426  #define	SPD_APPLY_UNIQUE	0x0010	/* unique per-flow SA */
427  #define	SPD_APPLY_BYPASS	0x0020	/* bypass policy */
428  #define	SPD_APPLY_ESPA		0x0040 	/* ESP authentication */
429  
430  /*
431   * SW crypto execution modes.
432   */
433  #define	SPD_ALG_EXEC_MODE_SYNC		1	/* synchronous */
434  #define	SPD_ALG_EXEC_MODE_ASYNC		2	/* asynchronous */
435  
436  /*
437   * SPD_DUMP protocol:
438   *
439   * We do not want to force an stack to have to read-lock the entire
440   * SPD for the duration of the dump, but we want management apps to be
441   * able to get a consistent snapshot of the SPD.
442   *
443   * Therefore, we make optimistic locking assumptions.
444   *
445   * The response to a SPD_DUMP request consists of multiple spd_msg
446   * records, all with spd_msg_type == SPD_DUMP and spd_msg_{seq,pid}
447   * matching the request.
448   *
449   * There is one header, then a sequence of policy rule records (one
450   * rule per record), then a trailer.
451   *
452   * The header and trailer both contain a single SPD_EXT_RULESET
453   * containing a version number and rule count.  The dump was "good" if
454   * header version == trailer version, and the number of rules read by
455   * the application matches the rule count in the trailer.  The rule
456   * count in the header is unused and should be set to zero.
457   *
458   * In between, each rule record contains a set of extensions which, if
459   * used in an SPD_ADD request, would recreate an equivalent rule.
460   *
461   * If rules were added to the SPD during the dump, the dump may be
462   * truncated or otherwise incomplete; the management application
463   * should re-try the dump in this case.
464   */
465  
466  /*
467   * Ruleset extension, used at the start and end of a SPD_DUMP.
468   */
469  typedef struct spd_ruleset_ext
470  {
471  	uint16_t spd_ruleset_len;	/* 2 x 64 bits */
472  	uint16_t spd_ruleset_type;	/* SPD_EXT_RULESET */
473  	uint32_t spd_ruleset_count;	/* only valid in trailer */
474  	uint64_t spd_ruleset_version;	/* version number */
475  } spd_ruleset_ext_t;
476  
477  /*
478   * Diagnostic codes.  These supplement error messages.  Be sure to
479   * update libipsecutil's spdsock_diag() if you change any of these.
480   */
481  #define	SPD_DIAGNOSTIC_NONE			0
482  #define	SPD_DIAGNOSTIC_UNKNOWN_EXT		1
483  #define	SPD_DIAGNOSTIC_BAD_EXTLEN		2
484  #define	SPD_DIAGNOSTIC_NO_RULE_EXT		3
485  #define	SPD_DIAGNOSTIC_BAD_ADDR_LEN		4
486  #define	SPD_DIAGNOSTIC_MIXED_AF			5
487  #define	SPD_DIAGNOSTIC_ADD_NO_MEM		6
488  #define	SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT	7
489  #define	SPD_DIAGNOSTIC_ADD_BAD_TYPE		8
490  #define	SPD_DIAGNOSTIC_ADD_BAD_FLAGS		9
491  #define	SPD_DIAGNOSTIC_ADD_INCON_FLAGS		10
492  #define	SPD_DIAGNOSTIC_MALFORMED_LCLPORT 	11
493  #define	SPD_DIAGNOSTIC_DUPLICATE_LCLPORT	12
494  #define	SPD_DIAGNOSTIC_MALFORMED_REMPORT	13
495  #define	SPD_DIAGNOSTIC_DUPLICATE_REMPORT	14
496  #define	SPD_DIAGNOSTIC_MALFORMED_PROTO		15
497  #define	SPD_DIAGNOSTIC_DUPLICATE_PROTO		16
498  #define	SPD_DIAGNOSTIC_MALFORMED_LCLADDR	17
499  #define	SPD_DIAGNOSTIC_DUPLICATE_LCLADDR	18
500  #define	SPD_DIAGNOSTIC_MALFORMED_REMADDR	19
501  #define	SPD_DIAGNOSTIC_DUPLICATE_REMADDR	20
502  #define	SPD_DIAGNOSTIC_MALFORMED_ACTION		21
503  #define	SPD_DIAGNOSTIC_DUPLICATE_ACTION		22
504  #define	SPD_DIAGNOSTIC_MALFORMED_RULE		23
505  #define	SPD_DIAGNOSTIC_DUPLICATE_RULE		24
506  #define	SPD_DIAGNOSTIC_MALFORMED_RULESET	25
507  #define	SPD_DIAGNOSTIC_DUPLICATE_RULESET	26
508  #define	SPD_DIAGNOSTIC_INVALID_RULE_INDEX	27
509  #define	SPD_DIAGNOSTIC_BAD_SPDID		28
510  #define	SPD_DIAGNOSTIC_BAD_MSG_TYPE		29
511  #define	SPD_DIAGNOSTIC_UNSUPP_AH_ALG		30
512  #define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG	31
513  #define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG	32
514  #define	SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE	33
515  #define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE	34
516  #define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE	35
517  #define	SPD_DIAGNOSTIC_NO_ACTION_EXT		36
518  #define	SPD_DIAGNOSTIC_ALG_ID_RANGE		37
519  #define	SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES	38
520  #define	SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES	39
521  #define	SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN	40
522  #define	SPD_DIAGNOSTIC_ALG_IPSEC_NOT_LOADED	41
523  #define	SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE	42
524  #define	SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE	43
525  #define	SPD_DIAGNOSTIC_NOT_GLOBAL_OP		44
526  #define	SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS	45
527  
528  /*
529   * Helper macros.
530   */
531  #define	SPD_64TO8(x)	((x) << 3)
532  #define	SPD_8TO64(x)	((x) >> 3)
533  #define	SPD_8TO1(x)	((x) << 3)
534  #define	SPD_1TO8(x)	((x) >> 3)
535  
536  #ifdef	__cplusplus
537  }
538  #endif
539  
540  #endif	/* _NET_PFPOLICY_H */
541