xref: /illumos-gate/usr/src/uts/common/net/pfpolicy.h (revision 16f0fd39d0c84c014919d701f87f5fc48be58d31)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_NET_PFPOLICY_H
27 #define	_NET_PFPOLICY_H
28 
29 /*
30  * Definitions and structures for PF_POLICY version 1.
31  *
32  * This local protocol provides an interface allowing utilities to
33  * manage a system's IPsec System Policy Database; see RFC2401 for a
34  * conceptual overview of the SPD.
35  * The basic encoding is modelled on PF_KEY version 2; see pfkeyv2.h
36  * and RFC2367 for more information.
37  */
38 
39 #ifdef	__cplusplus
40 extern "C" {
41 #endif
42 
43 #define	PF_POLICY_V1		1
44 #define	PF_POLICY_REVISION	200304L
45 
46 /*
47  * Base PF_POLICY message header.  Each request/response starts with
48  * one of these, followed by some number of extensions.  Each
49  * extension type appears at most once in a message.  spd_msg_len
50  * contains the total length of the message including header.
51  */
52 typedef struct spd_msg
53 {
54 	uint8_t spd_msg_version;	/* PF_POLICY_V1 */
55 	uint8_t spd_msg_type;		/* ADD, DELETE, QUERY, ... */
56 	uint8_t spd_msg_errno;		/* Unix errno space; mbz on request */
57 	uint8_t spd_msg_spdid;		/* which policy db instance */
58 	uint16_t spd_msg_len;		/* in 64-bit words */
59 	uint16_t spd_msg_diagnostic;	/* additional error reason */
60 	/* Union is for guaranteeing 64-bit alignment. */
61 	union {
62 		struct {
63 			uint32_t spd_msg_useq;		/* set by sender */
64 			uint32_t spd_msg_upid;		/* set by sender */
65 		} spd_msg_actual;
66 		uint64_t spd_msg_alignment;
67 	} spd_msg_u;
68 #define	spd_msg_seq spd_msg_u.spd_msg_actual.spd_msg_useq
69 #define	spd_msg_pid spd_msg_u.spd_msg_actual.spd_msg_upid
70 } spd_msg_t;
71 
72 /*
73  * Command numbers, found in spd_msg_type.
74  */
75 #define	SPD_RESERVED				0
76 #define	SPD_MIN					1
77 #define	SPD_FLUSH				1
78 #define	SPD_ADDRULE				2
79 #define	SPD_DELETERULE				3
80 #define	SPD_FLIP				4
81 #define	SPD_LOOKUP				5
82 #define	SPD_DUMP				6
83 #define	SPD_CLONE				7
84 #define	SPD_ALGLIST				8
85 #define	SPD_DUMPALGS				9
86 #define	SPD_UPDATEALGS				10
87 #define	SPD_MAX					10
88 
89 /*
90  * Well-known policy db instances, found in spd_msg_spdid
91  */
92 #define	SPD_ACTIVE		0	/* The currently active instance */
93 #define	SPD_STANDBY		1 	/* "on deck" standby SPD */
94 
95 /*
96  * The spd_msg_t is followed by extensions, which start with the
97  * following header; each extension structure includes the length and
98  * type fields internally as an overlay to simplify parsing and
99  * construction.
100  */
101 typedef struct spd_ext
102 {
103 	/* Union is for guaranteeing 64-bit alignment. */
104 	union {
105 		struct {
106 			uint16_t spd_ext_ulen;		/* in 64-bit words */
107 			uint16_t spd_ext_utype;		/* 0 is reserved */
108 		} spd_ext_actual;
109 		uint64_t spd_ext_alignment;
110 	} spd_ext_u;
111 #define	spd_ext_len spd_ext_u.spd_ext_actual.spd_ext_ulen
112 #define	spd_ext_type spd_ext_u.spd_ext_actual.spd_ext_utype
113 } spd_ext_t;
114 
115 /*
116  * Extension numbers, found in spd_ext_type.
117  */
118 
119 #define	SPD_EXT_LCLPORT				1
120 #define	SPD_EXT_REMPORT				2
121 #define	SPD_EXT_PROTO				3
122 #define	SPD_EXT_LCLADDR				4
123 #define	SPD_EXT_REMADDR				5
124 
125 #define	SPD_EXT_ACTION				6
126 #define	SPD_EXT_RULE				7
127 #define	SPD_EXT_RULESET				8
128 #define	SPD_EXT_ICMP_TYPECODE  			9
129 
130 #define	SPD_EXT_TUN_NAME			10
131 
132 #define	SPD_EXT_MAX				10
133 
134 /*
135  * base policy rule (attributes which every rule has)
136  *
137  * spd_rule_index MBZ on a SPD_ADD, and is assigned by the kernel.
138  * subsequent deletes can operate either by specifying selectors or by
139  * specifying a non-zero rule index.
140  */
141 struct spd_rule
142 {
143 	uint16_t spd_rule_len;
144 	uint16_t spd_rule_type;		/* SPD_EXT_RULE */
145 	uint32_t spd_rule_priority;
146 	uint32_t spd_rule_flags;	/* INBOUND, OUTBOUND, ... */
147 	uint32_t spd_rule_unused;
148 	uint64_t spd_rule_index;	/* unique rule identifier. */
149 };
150 
151 /*
152  * Flags for spd_rule.spd_rule_flags
153  */
154 #define	SPD_RULE_FLAG_INBOUND		0x0001
155 #define	SPD_RULE_FLAG_OUTBOUND		0x0002
156 /* Only applies to tunnel policy heads. */
157 #define	SPD_RULE_FLAG_TUNNEL		0x0004
158 
159 /*
160  * Address selectors.   Different from PF_KEY because we want a
161  * more precise format for wildcards on ports/protocol.
162  */
163 typedef struct spd_address {
164 	/* Union is for guaranteeing 64-bit alignment. */
165 	union {
166 		struct {
167 			uint16_t spd_address_ulen;
168 			uint16_t spd_address_uexttype;	/* SRC, DST */
169 			uint8_t spd_address_uaf;	/* address family. */
170 			uint8_t spd_address_uprefixlen;	/* Prefix len (bits). */
171 			uint16_t spd_address_ureserved2; /* Padding */
172 		} spd_address_actual;
173 		uint64_t spd_address_alignment;
174 	} spd_address_u;
175 	/*
176 	 * .. followed by 4 bytes of IPv4 or 16 bytes of IPv6 address,
177 	 * padded up to next uint64_t
178 	 */
179 #define	spd_address_len	\
180 	spd_address_u.spd_address_actual.spd_address_ulen
181 #define	spd_address_exttype \
182 	spd_address_u.spd_address_actual.spd_address_uexttype
183 #define	spd_address_af \
184 	spd_address_u.spd_address_actual.spd_address_uaf
185 #define	spd_address_prefixlen \
186 	spd_address_u.spd_address_actual.spd_address_uprefixlen
187 #define	spd_address_reserved2 \
188 	spd_address_u.spd_address_actual.spd_address_ureserved2
189 } spd_address_t;
190 
191 /*
192  * Protocol selector
193  */
194 struct spd_proto
195 {
196 	/* Union is for guaranteeing 64-bit alignment. */
197 	union {
198 		struct {
199 			uint16_t spd_proto_ulen;
200 			uint16_t spd_proto_uexttype;		/* PROTO */
201 			uint8_t spd_proto_unumber;		/* IPPROTO_* */
202 			uint8_t	spd_proto_ureserved1;		 /* pad */
203 			uint16_t spd_proto_ureserved2;		 /* pad */
204 		} spd_proto_actual;
205 		uint64_t spd_proto_alignment;
206 	} spd_proto_u;
207 #define	spd_proto_len spd_proto_u.spd_proto_actual.spd_proto_ulen
208 #define	spd_proto_exttype spd_proto_u.spd_proto_actual.spd_proto_uexttype
209 #define	spd_proto_number spd_proto_u.spd_proto_actual.spd_proto_unumber
210 #define	spd_proto_reserved1 spd_proto_u.spd_proto_actual.spd_proto_ureserved1
211 #define	spd_proto_reserved2 spd_proto_u.spd_proto_actual.spd_proto_ureserved2
212 };
213 
214 /*
215  * Port selector.  We only support minport==maxport at present.
216  */
217 struct spd_portrange
218 {
219 	/* Union is for guaranteeing 64-bit alignment. */
220 	union {
221 		struct {
222 			uint16_t spd_ports_ulen;
223 			uint16_t spd_ports_uexttype;	/* LCLPORT, REMPORT */
224 			uint16_t spd_ports_uminport;	/* min port */
225 			uint16_t spd_ports_umaxport;	/* max port */
226 		} spd_ports_actual;
227 		uint64_t spd_ports_alignment;
228 	} spd_ports_u;
229 #define	spd_ports_len spd_ports_u.spd_ports_actual.spd_ports_ulen
230 #define	spd_ports_exttype spd_ports_u.spd_ports_actual.spd_ports_uexttype
231 #define	spd_ports_minport spd_ports_u.spd_ports_actual.spd_ports_uminport
232 #define	spd_ports_maxport spd_ports_u.spd_ports_actual.spd_ports_umaxport
233 };
234 
235 /*
236  * ICMP type selector.
237  */
238 struct spd_typecode
239 {
240 	/* Union is for guaranteeing 64-bit alignment. */
241 	union {
242 		struct {
243 			uint16_t spd_typecode_ulen;
244 			uint16_t spd_typecode_uexttype;	/* ICMP_TYPECODE */
245 			uint8_t  spd_typecode_utype;
246 			uint8_t  spd_typecode_utype_end;
247 			uint8_t  spd_typecode_ucode;
248 			uint8_t  spd_typecode_ucode_end;
249 		} spd_typecode_actual;
250 		uint64_t spd_typecode_alignment;
251 	} spd_typecode_u;
252 #define	spd_typecode_len	\
253     spd_typecode_u.spd_typecode_actual.spd_typecode_ulen
254 #define	spd_typecode_exttype	\
255     spd_typecode_u.spd_typecode_actual.spd_typecode_uexttype
256 #define	spd_typecode_type	\
257     spd_typecode_u.spd_typecode_actual.spd_typecode_utype
258 #define	spd_typecode_type_end	\
259     spd_typecode_u.spd_typecode_actual.spd_typecode_utype_end
260 #define	spd_typecode_code	\
261     spd_typecode_u.spd_typecode_actual.spd_typecode_ucode
262 #define	spd_typecode_code_end	\
263     spd_typecode_u.spd_typecode_actual.spd_typecode_ucode_end
264 };
265 
266 
267 /*
268  * Actions, specifying what happens to packets which match selectors.
269  * This extension is followed by some number of spd_attribute tag-value pairs
270  * which encode one or more alternative policies; see below for
271  * the encoding used.
272  */
273 struct spd_ext_actions
274 {
275 	/* Union is for guaranteeing 64-bit alignment. */
276 	union {
277 		struct {
278 			uint16_t spd_actions_ulen;
279 			uint16_t spd_actions_uexttype;	/* ACTION */
280 			uint16_t spd_actions_ucount;	/* # of alternatives */
281 			uint16_t spd_actions_ureserved;
282 		} spd_actions_actual;
283 		uint64_t spd_actions_alignment;
284 	} spd_actions_u;
285 #define	spd_actions_len \
286 	spd_actions_u.spd_actions_actual.spd_actions_ulen
287 #define	spd_actions_exttype \
288 	spd_actions_u.spd_actions_actual.spd_actions_uexttype
289 #define	spd_actions_count \
290 	spd_actions_u.spd_actions_actual.spd_actions_ucount
291 #define	spd_actions_reserved \
292 	spd_actions_u.spd_actions_actual.spd_actions_ureserved
293 };
294 
295 /*
296  * Extensible encoding for requested SA attributes.
297  * To allow additional attributes to be added, we use a simple-to-interpret
298  * (tag, value) encoding to fill in attributes in a list of alternatives.
299  *
300  * We fill in alternatives one at a time, starting with most-preferred,
301  * proceeding to least-preferred.
302  *
303  * Conceptually, we are filling in attributes of a "template", and
304  * then copying that template value into the list of alternatives when
305  * we see a SPD_ATTR_END or SPD_ATTR_NEXT.
306  *
307  * The template is not changed by SPD_ATTR_NEXT, so that attributes common to
308  * all alternatives need only be mentioned once.
309  *
310  * spd_actions_count is the maximum number of alternatives present; it
311  * should be one greater than the number of SPD_ATTR_NEXT opcodes
312  * present in the sequence.
313  */
314 
315 struct spd_attribute
316 {
317 	union {
318 		struct {
319 			uint32_t	spd_attr_utag;
320 			uint32_t	spd_attr_uvalue;
321 		} spd_attribute_actual;
322 		uint64_t spd_attribute_alignment;
323 	} spd_attribute_u;
324 #define	spd_attr_tag spd_attribute_u.spd_attribute_actual.spd_attr_utag
325 #define	spd_attr_value spd_attribute_u.spd_attribute_actual.spd_attr_uvalue
326 };
327 
328 /*
329  * These flags are used by the kernel algorithm structures and by ipsecalgs(1m).
330  * ALG_FLAG_KERNELCHECKED is used by ipsecalgs(1m) to tag ipsecalgent_t as
331  * kernel verified. ALG_FLAG_VALID is only meaningful if set by the kernel.
332  */
333 #define	ALG_FLAG_VALID		0x01
334 #define	ALG_FLAG_COUNTERMODE	0x02
335 #define	ALG_FLAG_COMBINED	0x04
336 #define	ALG_FLAG_CCM		0x08
337 #define	ALG_FLAG_GCM		0x10
338 #define	ALG_FLAG_KERNELCHECKED	0x80000000
339 
340 #define	SPD_ATTR_NOP	0x00000000	/* space filler */
341 #define	SPD_ATTR_END	0x00000001	/* end of description */
342 #define	SPD_ATTR_EMPTY	0x00000002	/* reset template to default */
343 #define	SPD_ATTR_NEXT	0x00000003	/* start filling next alternative */
344 
345 #define	SPD_ATTR_TYPE			0x00000100
346 #define	SPD_ATTR_FLAGS			0x00000101
347 #define	SPD_ATTR_AH_AUTH		0x00000102
348 #define	SPD_ATTR_ESP_ENCR		0x00000103
349 #define	SPD_ATTR_ESP_AUTH		0x00000104
350 #define	SPD_ATTR_ENCR_MINBITS		0x00000105
351 #define	SPD_ATTR_ENCR_MAXBITS		0x00000106
352 #define	SPD_ATTR_AH_MINBITS		0x00000107
353 #define	SPD_ATTR_AH_MAXBITS		0x00000108
354 #define	SPD_ATTR_LIFE_SOFT_TIME		0x00000109
355 #define	SPD_ATTR_LIFE_HARD_TIME		0x0000010a
356 #define	SPD_ATTR_LIFE_SOFT_BYTES	0x0000010b
357 #define	SPD_ATTR_LIFE_HARD_BYTES	0x0000010c
358 #define	SPD_ATTR_KM_PROTO		0x0000010d
359 #define	SPD_ATTR_KM_COOKIE		0x0000010e
360 #define	SPD_ATTR_REPLAY_DEPTH		0x0000010f
361 #define	SPD_ATTR_ESPA_MINBITS		0x00000110
362 #define	SPD_ATTR_ESPA_MAXBITS		0x00000111
363 #define	SPD_ATTR_ENCR_DEFBITS		0x00000112
364 #define	SPD_ATTR_ENCR_INCRBITS		0x00000113
365 #define	SPD_ATTR_AH_DEFBITS		0x00000114
366 #define	SPD_ATTR_AH_INCRBITS		0x00000115
367 #define	SPD_ATTR_ESPA_DEFBITS		0x00000116
368 #define	SPD_ATTR_ESPA_INCRBITS		0x00000117
369 #define	SPD_ATTR_ALG_ID			0x00000118
370 #define	SPD_ATTR_ALG_PROTO		0x00000119
371 #define	SPD_ATTR_ALG_INCRBITS		0x0000011a
372 #define	SPD_ATTR_ALG_NKEYSIZES		0x0000011b
373 #define	SPD_ATTR_ALG_KEYSIZE		0x0000011c
374 #define	SPD_ATTR_ALG_NBLOCKSIZES	0x0000011d
375 #define	SPD_ATTR_ALG_BLOCKSIZE		0x0000011e
376 #define	SPD_ATTR_ALG_MECHNAME		0x0000011f
377 #define	SPD_ATTR_PROTO_ID		0x00000120
378 #define	SPD_ATTR_PROTO_EXEC_MODE	0x00000121
379 #define	SPD_ATTR_ALG_NPARAMS		0x00000122
380 #define	SPD_ATTR_ALG_PARAMS		0x00000123
381 #define	SPD_ATTR_ALG_FLAGS		0x00000124
382 
383 /*
384  * An interface extension identifies a network interface.
385  * It is used for configuring Tunnel Mode policies on a tunnelling
386  * interface for now.
387  */
388 typedef struct spd_if_s {
389 	union {
390 		struct {
391 			uint16_t spd_if_ulen;
392 			uint16_t spd_if_uexttype;
393 			union {
394 				uint8_t spd_if_iuname[4];
395 				uint32_t spd_if_iuindex;
396 			} spd_if_iu;
397 		} spd_if_actual;
398 		uint64_t spd_if_alignment;
399 	} spd_if_u;
400 #define	spd_if_len spd_if_u.spd_if_actual.spd_if_ulen
401 #define	spd_if_exttype spd_if_u.spd_if_actual.spd_if_uexttype
402 #define	spd_if_name spd_if_u.spd_if_actual.spd_if_iu.spd_if_iuname
403 #define	spd_if_index spd_if_u.spd_if_actual.spd_if_iu.spd_if_iuindex
404 } spd_if_t;
405 
406 /*
407  * Minimum, maximum key lengths in bits.
408  */
409 #define	SPD_MIN_MINBITS		0x0000
410 #define	SPD_MAX_MAXBITS		0xffff
411 
412 /*
413  * IPsec action types (in SPD_ATTR_TYPE attribute)
414  */
415 #define	SPD_ACTTYPE_DROP	0x0001
416 #define	SPD_ACTTYPE_PASS	0x0002
417 #define	SPD_ACTTYPE_IPSEC	0x0003
418 
419 /*
420  * Action flags (in SPD_ATTR_FLAGS attribute)
421  */
422 #define	SPD_APPLY_AH		0x0001
423 #define	SPD_APPLY_ESP		0x0002
424 #define	SPD_APPLY_SE		0x0004  /* self-encapsulation */
425 #define	SPD_APPLY_COMP		0x0008	/* compression; NYI */
426 #define	SPD_APPLY_UNIQUE	0x0010	/* unique per-flow SA */
427 #define	SPD_APPLY_BYPASS	0x0020	/* bypass policy */
428 #define	SPD_APPLY_ESPA		0x0040 	/* ESP authentication */
429 
430 /*
431  * SW crypto execution modes.
432  */
433 #define	SPD_ALG_EXEC_MODE_SYNC		1	/* synchronous */
434 #define	SPD_ALG_EXEC_MODE_ASYNC		2	/* asynchronous */
435 
436 /*
437  * SPD_DUMP protocol:
438  *
439  * We do not want to force an stack to have to read-lock the entire
440  * SPD for the duration of the dump, but we want management apps to be
441  * able to get a consistent snapshot of the SPD.
442  *
443  * Therefore, we make optimistic locking assumptions.
444  *
445  * The response to a SPD_DUMP request consists of multiple spd_msg
446  * records, all with spd_msg_type == SPD_DUMP and spd_msg_{seq,pid}
447  * matching the request.
448  *
449  * There is one header, then a sequence of policy rule records (one
450  * rule per record), then a trailer.
451  *
452  * The header and trailer both contain a single SPD_EXT_RULESET
453  * containing a version number and rule count.  The dump was "good" if
454  * header version == trailer version, and the number of rules read by
455  * the application matches the rule count in the trailer.  The rule
456  * count in the header is unused and should be set to zero.
457  *
458  * In between, each rule record contains a set of extensions which, if
459  * used in an SPD_ADD request, would recreate an equivalent rule.
460  *
461  * If rules were added to the SPD during the dump, the dump may be
462  * truncated or otherwise incomplete; the management application
463  * should re-try the dump in this case.
464  */
465 
466 /*
467  * Ruleset extension, used at the start and end of a SPD_DUMP.
468  */
469 typedef struct spd_ruleset_ext
470 {
471 	uint16_t spd_ruleset_len;	/* 2 x 64 bits */
472 	uint16_t spd_ruleset_type;	/* SPD_EXT_RULESET */
473 	uint32_t spd_ruleset_count;	/* only valid in trailer */
474 	uint64_t spd_ruleset_version;	/* version number */
475 } spd_ruleset_ext_t;
476 
477 /*
478  * Diagnostic codes.  These supplement error messages.  Be sure to
479  * update libipsecutil's spdsock_diag() if you change any of these.
480  */
481 #define	SPD_DIAGNOSTIC_NONE			0
482 #define	SPD_DIAGNOSTIC_UNKNOWN_EXT		1
483 #define	SPD_DIAGNOSTIC_BAD_EXTLEN		2
484 #define	SPD_DIAGNOSTIC_NO_RULE_EXT		3
485 #define	SPD_DIAGNOSTIC_BAD_ADDR_LEN		4
486 #define	SPD_DIAGNOSTIC_MIXED_AF			5
487 #define	SPD_DIAGNOSTIC_ADD_NO_MEM		6
488 #define	SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT	7
489 #define	SPD_DIAGNOSTIC_ADD_BAD_TYPE		8
490 #define	SPD_DIAGNOSTIC_ADD_BAD_FLAGS		9
491 #define	SPD_DIAGNOSTIC_ADD_INCON_FLAGS		10
492 #define	SPD_DIAGNOSTIC_MALFORMED_LCLPORT 	11
493 #define	SPD_DIAGNOSTIC_DUPLICATE_LCLPORT	12
494 #define	SPD_DIAGNOSTIC_MALFORMED_REMPORT	13
495 #define	SPD_DIAGNOSTIC_DUPLICATE_REMPORT	14
496 #define	SPD_DIAGNOSTIC_MALFORMED_PROTO		15
497 #define	SPD_DIAGNOSTIC_DUPLICATE_PROTO		16
498 #define	SPD_DIAGNOSTIC_MALFORMED_LCLADDR	17
499 #define	SPD_DIAGNOSTIC_DUPLICATE_LCLADDR	18
500 #define	SPD_DIAGNOSTIC_MALFORMED_REMADDR	19
501 #define	SPD_DIAGNOSTIC_DUPLICATE_REMADDR	20
502 #define	SPD_DIAGNOSTIC_MALFORMED_ACTION		21
503 #define	SPD_DIAGNOSTIC_DUPLICATE_ACTION		22
504 #define	SPD_DIAGNOSTIC_MALFORMED_RULE		23
505 #define	SPD_DIAGNOSTIC_DUPLICATE_RULE		24
506 #define	SPD_DIAGNOSTIC_MALFORMED_RULESET	25
507 #define	SPD_DIAGNOSTIC_DUPLICATE_RULESET	26
508 #define	SPD_DIAGNOSTIC_INVALID_RULE_INDEX	27
509 #define	SPD_DIAGNOSTIC_BAD_SPDID		28
510 #define	SPD_DIAGNOSTIC_BAD_MSG_TYPE		29
511 #define	SPD_DIAGNOSTIC_UNSUPP_AH_ALG		30
512 #define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG	31
513 #define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG	32
514 #define	SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE	33
515 #define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE	34
516 #define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE	35
517 #define	SPD_DIAGNOSTIC_NO_ACTION_EXT		36
518 #define	SPD_DIAGNOSTIC_ALG_ID_RANGE		37
519 #define	SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES	38
520 #define	SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES	39
521 #define	SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN	40
522 #define	SPD_DIAGNOSTIC_ALG_IPSEC_NOT_LOADED	41
523 #define	SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE	42
524 #define	SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE	43
525 #define	SPD_DIAGNOSTIC_NOT_GLOBAL_OP		44
526 #define	SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS	45
527 
528 /*
529  * Helper macros.
530  */
531 #define	SPD_64TO8(x)	((x) << 3)
532 #define	SPD_8TO64(x)	((x) >> 3)
533 #define	SPD_8TO1(x)	((x) << 3)
534 #define	SPD_1TO8(x)	((x) >> 3)
535 
536 #ifdef	__cplusplus
537 }
538 #endif
539 
540 #endif	/* _NET_PFPOLICY_H */
541