1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * CDDL HEADER START
3*7c478bd9Sstevel@tonic-gate  *
4*7c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*7c478bd9Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*7c478bd9Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*7c478bd9Sstevel@tonic-gate  * with the License.
8*7c478bd9Sstevel@tonic-gate  *
9*7c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*7c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*7c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*7c478bd9Sstevel@tonic-gate  * and limitations under the License.
13*7c478bd9Sstevel@tonic-gate  *
14*7c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*7c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*7c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*7c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*7c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*7c478bd9Sstevel@tonic-gate  *
20*7c478bd9Sstevel@tonic-gate  * CDDL HEADER END
21*7c478bd9Sstevel@tonic-gate  */
22*7c478bd9Sstevel@tonic-gate /*
23*7c478bd9Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
25*7c478bd9Sstevel@tonic-gate  */
26*7c478bd9Sstevel@tonic-gate 
27*7c478bd9Sstevel@tonic-gate #ifndef	_NET_PFPOLICY_H
28*7c478bd9Sstevel@tonic-gate #define	_NET_PFPOLICY_H
29*7c478bd9Sstevel@tonic-gate 
30*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
31*7c478bd9Sstevel@tonic-gate 
32*7c478bd9Sstevel@tonic-gate /*
33*7c478bd9Sstevel@tonic-gate  * Definitions and structures for PF_POLICY version 1.
34*7c478bd9Sstevel@tonic-gate  *
35*7c478bd9Sstevel@tonic-gate  * This local protocol provides an interface allowing utilities to
36*7c478bd9Sstevel@tonic-gate  * manage a system's IPsec System Policy Database; see RFC2401 for a
37*7c478bd9Sstevel@tonic-gate  * conceptual overview of the SPD.
38*7c478bd9Sstevel@tonic-gate  * The basic encoding is modelled on PF_KEY version 2; see pfkeyv2.h
39*7c478bd9Sstevel@tonic-gate  * and RFC2367 for more information.
40*7c478bd9Sstevel@tonic-gate  */
41*7c478bd9Sstevel@tonic-gate 
42*7c478bd9Sstevel@tonic-gate #ifdef	__cplusplus
43*7c478bd9Sstevel@tonic-gate extern "C" {
44*7c478bd9Sstevel@tonic-gate #endif
45*7c478bd9Sstevel@tonic-gate 
/* Protocol version carried in spd_msg_version; the only value this header defines. */
#define	PF_POLICY_V1		1
/* Interface revision (presumably YYYYMM of the last change -- not stated here). */
#define	PF_POLICY_REVISION	200304L
48*7c478bd9Sstevel@tonic-gate 
49*7c478bd9Sstevel@tonic-gate /*
50*7c478bd9Sstevel@tonic-gate  * Base PF_POLICY message header.  Each request/response starts with
51*7c478bd9Sstevel@tonic-gate  * one of these, followed by some number of extensions.  Each
52*7c478bd9Sstevel@tonic-gate  * extension type appears at most once in a message.  spd_msg_len
53*7c478bd9Sstevel@tonic-gate  * contains the total length of the message including header.
54*7c478bd9Sstevel@tonic-gate  */
/*
 * Fixed 16-byte message header.  All lengths in this protocol are counted
 * in 64-bit words (see SPD_64TO8 / SPD_8TO64 at the bottom of the file).
 */
typedef struct spd_msg
{
	uint8_t spd_msg_version;	/* PF_POLICY_V1 */
	uint8_t spd_msg_type;		/* SPD_ADDRULE, SPD_DELETERULE, ... (SPD_MIN..SPD_MAX below) */
	uint8_t spd_msg_errno;		/* Unix errno space; mbz on request */
	uint8_t spd_msg_spdid;		/* which policy db instance: SPD_ACTIVE or SPD_STANDBY */
	uint16_t spd_msg_len;		/* in 64-bit words; whole message incl. this header */
					/* NOTE(review): a consumer should compare SPD_64TO8(len) */
					/* against the bytes actually received before walking extensions */
	uint16_t spd_msg_diagnostic;	/* additional error reason; SPD_DIAGNOSTIC_* below */
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint32_t spd_msg_useq;		/* set by sender; SPD_DUMP replies echo it */
			uint32_t spd_msg_upid;		/* set by sender; SPD_DUMP replies echo it */
		} spd_msg_actual;
		uint64_t spd_msg_alignment;
	} spd_msg_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_msg_seq spd_msg_u.spd_msg_actual.spd_msg_useq
#define	spd_msg_pid spd_msg_u.spd_msg_actual.spd_msg_upid
} spd_msg_t;
74*7c478bd9Sstevel@tonic-gate 
75*7c478bd9Sstevel@tonic-gate /*
76*7c478bd9Sstevel@tonic-gate  * Command numbers, found in spd_msg_type.
77*7c478bd9Sstevel@tonic-gate  */
#define	SPD_RESERVED				0	/* never a valid command */
#define	SPD_MIN					1	/* lowest valid spd_msg_type */
#define	SPD_FLUSH				1
#define	SPD_ADDRULE				2
#define	SPD_DELETERULE				3
#define	SPD_FLIP				4
#define	SPD_LOOKUP				5
#define	SPD_DUMP				6	/* multi-record reply; see "SPD_DUMP protocol" below */
#define	SPD_CLONE				7
#define	SPD_ALGLIST				8
#define	SPD_DUMPALGS				9
#define	SPD_UPDATEALGS				10
#define	SPD_MAX					10	/* highest valid spd_msg_type; bump when adding a command */
91*7c478bd9Sstevel@tonic-gate 
92*7c478bd9Sstevel@tonic-gate /*
93*7c478bd9Sstevel@tonic-gate  * Well-known policy db instances, found in spd_msg_spdid
94*7c478bd9Sstevel@tonic-gate  */
#define	SPD_ACTIVE		0	/* The currently active instance */
#define	SPD_STANDBY		1 	/* "on deck" standby SPD */
/* Any other spd_msg_spdid value has no meaning here (cf. SPD_DIAGNOSTIC_BAD_SPDID). */
97*7c478bd9Sstevel@tonic-gate 
98*7c478bd9Sstevel@tonic-gate /*
99*7c478bd9Sstevel@tonic-gate  * The spd_msg_t is followed by extensions, which start with the
100*7c478bd9Sstevel@tonic-gate  * following header; each extension structure includes the length and
101*7c478bd9Sstevel@tonic-gate  * type fields internally as an overlay to simplify parsing and
102*7c478bd9Sstevel@tonic-gate  * construction.
103*7c478bd9Sstevel@tonic-gate  */
/*
 * Generic 8-byte extension header.  Every concrete extension below
 * begins with the same (len, type) pair so a parser can walk a message
 * using only this struct.
 */
typedef struct spd_ext
{
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_ext_ulen;		/* in 64-bit words, incl. this header */
							/* NOTE(review): a value of 0 would not advance */
							/* a parser -- reject it (cf. SPD_DIAGNOSTIC_BAD_EXTLEN) */
			uint16_t spd_ext_utype;		/* SPD_EXT_* below; 0 is reserved */
		} spd_ext_actual;
		uint64_t spd_ext_alignment;
	} spd_ext_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_ext_len spd_ext_u.spd_ext_actual.spd_ext_ulen
#define	spd_ext_type spd_ext_u.spd_ext_actual.spd_ext_utype
} spd_ext_t;
117*7c478bd9Sstevel@tonic-gate 
118*7c478bd9Sstevel@tonic-gate /*
119*7c478bd9Sstevel@tonic-gate  * Extension numbers, found in spd_ext_type.
120*7c478bd9Sstevel@tonic-gate  */
121*7c478bd9Sstevel@tonic-gate 
/* Selector extensions (each may appear at most once per message). */
#define	SPD_EXT_LCLPORT				1	/* struct spd_portrange */
#define	SPD_EXT_REMPORT				2	/* struct spd_portrange */
#define	SPD_EXT_PROTO				3	/* struct spd_proto */
#define	SPD_EXT_LCLADDR				4	/* spd_address_t */
#define	SPD_EXT_REMADDR				5	/* spd_address_t */

/* Rule / action / dump framing extensions. */
#define	SPD_EXT_ACTION				6	/* struct spd_ext_actions */
#define	SPD_EXT_RULE				7	/* struct spd_rule */
#define	SPD_EXT_RULESET				8	/* spd_ruleset_ext_t */
#define	SPD_EXT_ICMP_TYPECODE  	9	/* struct spd_typecode */

#define	SPD_EXT_MAX				9	/* highest known type; bump when adding one */
134*7c478bd9Sstevel@tonic-gate 
135*7c478bd9Sstevel@tonic-gate /*
136*7c478bd9Sstevel@tonic-gate  * base policy rule (attributes which every rule has)
137*7c478bd9Sstevel@tonic-gate  *
 * spd_rule_index MBZ on a SPD_ADDRULE, and is assigned by the kernel.
139*7c478bd9Sstevel@tonic-gate  * subsequent deletes can operate either by specifying selectors or by
140*7c478bd9Sstevel@tonic-gate  * specifying a non-zero rule index.
141*7c478bd9Sstevel@tonic-gate  */
/*
 * Overlays spd_ext_t: the first two fields are the extension length and
 * type.  All members are naturally aligned, so the struct is 24 bytes
 * (3 x 64 bits) with no padding.
 */
struct spd_rule
{
	uint16_t spd_rule_len;		/* in 64-bit words (presumably 3) */
	uint16_t spd_rule_type;		/* SPD_EXT_RULE */
	uint32_t spd_rule_priority;	/* ordering semantics not stated here -- confirm with consumer */
	uint32_t spd_rule_flags;	/* SPD_RULE_FLAG_INBOUND, SPD_RULE_FLAG_OUTBOUND */
	uint32_t spd_rule_unused;	/* pad; keeps spd_rule_index 64-bit aligned */
	uint64_t spd_rule_index;	/* unique rule identifier; MBZ on SPD_ADDRULE, kernel-assigned */
};
151*7c478bd9Sstevel@tonic-gate 
152*7c478bd9Sstevel@tonic-gate /*
153*7c478bd9Sstevel@tonic-gate  * Flags for spd_rule.spd_rule_flags
154*7c478bd9Sstevel@tonic-gate  */
/* Bit mask; both may be set on one rule (see SPD_DIAGNOSTIC_ADD_INCON_FLAGS for the rejection code). */
#define	SPD_RULE_FLAG_INBOUND		0x0001
#define	SPD_RULE_FLAG_OUTBOUND		0x0002
157*7c478bd9Sstevel@tonic-gate 
158*7c478bd9Sstevel@tonic-gate /*
159*7c478bd9Sstevel@tonic-gate  * Address selectors.   Different from PF_KEY because we want a
160*7c478bd9Sstevel@tonic-gate  * more precise format for wildcards on ports/protocol.
161*7c478bd9Sstevel@tonic-gate  */
/*
 * Address selector.  The 8-byte header is followed by the address
 * bytes themselves; spd_address_len therefore covers header plus
 * address, padded to a 64-bit boundary (derived: 2 words for IPv4,
 * 3 words for IPv6).
 */
typedef struct spd_address {
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_address_ulen;	/* in 64-bit words, incl. trailing address */
			uint16_t spd_address_uexttype;	/* SRC, DST: SPD_EXT_LCLADDR / SPD_EXT_REMADDR */
			uint8_t spd_address_uaf;	/* address family. */
			uint8_t spd_address_uprefixlen;	/* Prefix len (bits). */
							/* NOTE(review): a consumer should bound this by the */
							/* address size (32 for 4-byte IPv4, 128 for 16-byte IPv6) */
			uint16_t spd_address_ureserved2; /* Padding */
		} spd_address_actual;
		uint64_t spd_address_alignment;
	} spd_address_u;
	/*
	 * .. followed by 4 bytes of IPv4 or 16 bytes of IPv6 address,
	 * padded up to next uint64_t
	 * NOTE(review): check spd_address_len against the family before
	 * reading the trailing bytes (cf. SPD_DIAGNOSTIC_BAD_ADDR_LEN).
	 */
#define	spd_address_len	\
	spd_address_u.spd_address_actual.spd_address_ulen
#define	spd_address_exttype \
	spd_address_u.spd_address_actual.spd_address_uexttype
#define	spd_address_af \
	spd_address_u.spd_address_actual.spd_address_uaf
#define	spd_address_prefixlen \
	spd_address_u.spd_address_actual.spd_address_uprefixlen
#define	spd_address_reserved2 \
	spd_address_u.spd_address_actual.spd_address_ureserved2
} spd_address_t;
189*7c478bd9Sstevel@tonic-gate 
190*7c478bd9Sstevel@tonic-gate /*
191*7c478bd9Sstevel@tonic-gate  * Protocol selector
192*7c478bd9Sstevel@tonic-gate  */
/*
 * Protocol selector: one 8-byte extension carrying a single IP
 * protocol number.
 */
struct spd_proto
{
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_proto_ulen;		/* in 64-bit words (1) */
			uint16_t spd_proto_uexttype;		/* PROTO: SPD_EXT_PROTO */
			uint8_t spd_proto_unumber;		/* IPPROTO_* */
			uint8_t	spd_proto_ureserved1;		 /* pad */
			uint16_t spd_proto_ureserved2;		 /* pad */
		} spd_proto_actual;
		uint64_t spd_proto_alignment;
	} spd_proto_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_proto_len spd_proto_u.spd_proto_actual.spd_proto_ulen
#define	spd_proto_exttype spd_proto_u.spd_proto_actual.spd_proto_uexttype
#define	spd_proto_number spd_proto_u.spd_proto_actual.spd_proto_unumber
#define	spd_proto_reserved1 spd_proto_u.spd_proto_actual.spd_proto_ureserved1
#define	spd_proto_reserved2 spd_proto_u.spd_proto_actual.spd_proto_ureserved2
};
212*7c478bd9Sstevel@tonic-gate 
213*7c478bd9Sstevel@tonic-gate /*
214*7c478bd9Sstevel@tonic-gate  * Port selector.  We only support minport==maxport at present.
215*7c478bd9Sstevel@tonic-gate  */
/*
 * Port selector: one 8-byte extension.  Although min and max are
 * separate fields, only minport == maxport is supported at present.
 */
struct spd_portrange
{
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_ports_ulen;	/* in 64-bit words (1) */
			uint16_t spd_ports_uexttype;	/* LCLPORT, REMPORT */
			uint16_t spd_ports_uminport;	/* min port */
			uint16_t spd_ports_umaxport;	/* max port; must equal minport today */
							/* NOTE(review): byte order of the port values is not */
							/* stated here -- confirm with the kernel consumer */
		} spd_ports_actual;
		uint64_t spd_ports_alignment;
	} spd_ports_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_ports_len spd_ports_u.spd_ports_actual.spd_ports_ulen
#define	spd_ports_exttype spd_ports_u.spd_ports_actual.spd_ports_uexttype
#define	spd_ports_minport spd_ports_u.spd_ports_actual.spd_ports_uminport
#define	spd_ports_maxport spd_ports_u.spd_ports_actual.spd_ports_umaxport
};
233*7c478bd9Sstevel@tonic-gate 
234*7c478bd9Sstevel@tonic-gate /*
235*7c478bd9Sstevel@tonic-gate  * ICMP type selector.
236*7c478bd9Sstevel@tonic-gate  */
/*
 * ICMP type/code selector: one 8-byte extension carrying a type range
 * and a code range (presumably inclusive -- not stated here).
 */
struct spd_typecode
{
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_typecode_ulen;	/* in 64-bit words (1) */
			uint16_t spd_typecode_uexttype;	/* ICMP_TYPECODE: SPD_EXT_ICMP_TYPECODE */
			uint8_t  spd_typecode_utype;	/* first ICMP type */
			uint8_t  spd_typecode_utype_end;	/* last ICMP type */
			uint8_t  spd_typecode_ucode;	/* first ICMP code */
			uint8_t  spd_typecode_ucode_end;	/* last ICMP code */
		} spd_typecode_actual;
		uint64_t spd_typecode_alignment;
	} spd_typecode_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_typecode_len	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_ulen
#define	spd_typecode_exttype	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_uexttype
#define	spd_typecode_type	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_utype
#define	spd_typecode_type_end	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_utype_end
#define	spd_typecode_code	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_ucode
#define	spd_typecode_code_end	\
    spd_typecode_u.spd_typecode_actual.spd_typecode_ucode_end
};
264*7c478bd9Sstevel@tonic-gate 
265*7c478bd9Sstevel@tonic-gate 
266*7c478bd9Sstevel@tonic-gate /*
267*7c478bd9Sstevel@tonic-gate  * Actions, specifying what happens to packets which match selectors.
268*7c478bd9Sstevel@tonic-gate  * This extension is followed by some number of spd_attribute tag-value pairs
269*7c478bd9Sstevel@tonic-gate  * which encode one or more alternative policies; see below for
270*7c478bd9Sstevel@tonic-gate  * the encoding used.
271*7c478bd9Sstevel@tonic-gate  */
/*
 * Action extension header.  spd_actions_len covers this 8-byte header
 * plus the spd_attribute (tag, value) pairs that follow it; the pair
 * list is terminated by SPD_ATTR_END.
 */
struct spd_ext_actions
{
	/* Union is for guaranteeing 64-bit alignment. */
	union {
		struct {
			uint16_t spd_actions_ulen;	/* in 64-bit words, incl. trailing attributes */
			uint16_t spd_actions_uexttype;	/* ACTION: SPD_EXT_ACTION */
			uint16_t spd_actions_ucount;	/* # of alternatives */
							/* = 1 + number of SPD_ATTR_NEXT in the list; */
							/* a mismatch is presumably ADD_WRONG_ACT_COUNT */
			uint16_t spd_actions_ureserved;
		} spd_actions_actual;
		uint64_t spd_actions_alignment;
	} spd_actions_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_actions_len \
	spd_actions_u.spd_actions_actual.spd_actions_ulen
#define	spd_actions_exttype \
	spd_actions_u.spd_actions_actual.spd_actions_uexttype
#define	spd_actions_count \
	spd_actions_u.spd_actions_actual.spd_actions_ucount
#define	spd_actions_reserved \
	spd_actions_u.spd_actions_actual.spd_actions_ureserved
};
293*7c478bd9Sstevel@tonic-gate 
294*7c478bd9Sstevel@tonic-gate /*
295*7c478bd9Sstevel@tonic-gate  * Extensible encoding for requested SA attributes.
296*7c478bd9Sstevel@tonic-gate  * To allow additional attributes to be added, we use a simple-to-interpret
297*7c478bd9Sstevel@tonic-gate  * (tag, value) encoding to fill in attributes in a list of alternatives.
298*7c478bd9Sstevel@tonic-gate  *
299*7c478bd9Sstevel@tonic-gate  * We fill in alternatives one at a time, starting with most-preferred,
300*7c478bd9Sstevel@tonic-gate  * proceeding to least-preferred.
301*7c478bd9Sstevel@tonic-gate  *
302*7c478bd9Sstevel@tonic-gate  * Conceptually, we are filling in attributes of a "template", and
303*7c478bd9Sstevel@tonic-gate  * then copying that template value into the list of alternatives when
304*7c478bd9Sstevel@tonic-gate  * we see a SPD_ATTR_END or SPD_ATTR_NEXT.
305*7c478bd9Sstevel@tonic-gate  *
306*7c478bd9Sstevel@tonic-gate  * The template is not changed by SPD_ATTR_NEXT, so that attributes common to
307*7c478bd9Sstevel@tonic-gate  * all alternatives need only be mentioned once.
308*7c478bd9Sstevel@tonic-gate  *
309*7c478bd9Sstevel@tonic-gate  * spd_actions_count is the maximum number of alternatives present; it
310*7c478bd9Sstevel@tonic-gate  * should be one greater than the number of SPD_ATTR_NEXT opcodes
311*7c478bd9Sstevel@tonic-gate  * present in the sequence.
312*7c478bd9Sstevel@tonic-gate  */
313*7c478bd9Sstevel@tonic-gate 
/*
 * One (tag, value) pair of the action encoding described above.
 * Exactly 8 bytes, so a run of these stays 64-bit aligned.
 */
struct spd_attribute
{
	union {
		struct {
			uint32_t	spd_attr_utag;		/* SPD_ATTR_* opcode or attribute tag */
			uint32_t	spd_attr_uvalue;	/* meaning depends on the tag */
		} spd_attribute_actual;
		uint64_t spd_attribute_alignment;
	} spd_attribute_u;
/* Convenience accessors so callers need not spell out the union path. */
#define	spd_attr_tag spd_attribute_u.spd_attribute_actual.spd_attr_utag
#define	spd_attr_value spd_attribute_u.spd_attribute_actual.spd_attr_uvalue
};
326*7c478bd9Sstevel@tonic-gate 
/* Control opcodes (spd_attr_value unused). */
#define	SPD_ATTR_NOP	0x00000000	/* space filler */
#define	SPD_ATTR_END	0x00000001	/* end of description; copies template out */
#define	SPD_ATTR_EMPTY	0x00000002	/* reset template to default */
#define	SPD_ATTR_NEXT	0x00000003	/* start filling next alternative; template kept */
331*7c478bd9Sstevel@tonic-gate 
/* Attribute tags: spd_attr_value carries the attribute's value. */
#define	SPD_ATTR_TYPE			0x00000100	/* value: SPD_ACTTYPE_* */
#define	SPD_ATTR_FLAGS			0x00000101	/* value: SPD_APPLY_* bit mask */
#define	SPD_ATTR_AH_AUTH		0x00000102
#define	SPD_ATTR_ESP_ENCR		0x00000103
#define	SPD_ATTR_ESP_AUTH		0x00000104
/* *_MINBITS / *_MAXBITS are key lengths in bits; see SPD_MIN_MINBITS / SPD_MAX_MAXBITS. */
#define	SPD_ATTR_ENCR_MINBITS		0x00000105
#define	SPD_ATTR_ENCR_MAXBITS		0x00000106
#define	SPD_ATTR_AH_MINBITS		0x00000107
#define	SPD_ATTR_AH_MAXBITS		0x00000108
#define	SPD_ATTR_LIFE_SOFT_TIME		0x00000109
#define	SPD_ATTR_LIFE_HARD_TIME		0x0000010a
#define	SPD_ATTR_LIFE_SOFT_BYTES	0x0000010b
#define	SPD_ATTR_LIFE_HARD_BYTES	0x0000010c
#define	SPD_ATTR_KM_PROTO		0x0000010d
#define	SPD_ATTR_KM_COOKIE		0x0000010e
#define	SPD_ATTR_REPLAY_DEPTH		0x0000010f
#define	SPD_ATTR_ESPA_MINBITS		0x00000110
#define	SPD_ATTR_ESPA_MAXBITS		0x00000111
#define	SPD_ATTR_ENCR_DEFBITS		0x00000112
#define	SPD_ATTR_ENCR_INCRBITS		0x00000113
#define	SPD_ATTR_AH_DEFBITS		0x00000114
#define	SPD_ATTR_AH_INCRBITS		0x00000115
#define	SPD_ATTR_ESPA_DEFBITS		0x00000116
#define	SPD_ATTR_ESPA_INCRBITS		0x00000117
/* SPD_ATTR_ALG_* / SPD_ATTR_PROTO_* presumably describe algorithm tables (SPD_ALGLIST / SPD_DUMPALGS / SPD_UPDATEALGS). */
#define	SPD_ATTR_ALG_ID			0x00000118
#define	SPD_ATTR_ALG_PROTO		0x00000119
#define	SPD_ATTR_ALG_INCRBITS		0x0000011a
#define	SPD_ATTR_ALG_NKEYSIZES		0x0000011b
#define	SPD_ATTR_ALG_KEYSIZE		0x0000011c
#define	SPD_ATTR_ALG_NBLOCKSIZES	0x0000011d
#define	SPD_ATTR_ALG_BLOCKSIZE		0x0000011e
#define	SPD_ATTR_ALG_MECHNAME		0x0000011f
#define	SPD_ATTR_PROTO_ID		0x00000120
#define	SPD_ATTR_PROTO_EXEC_MODE	0x00000121	/* value: presumably SPD_ALG_EXEC_MODE_* */
366*7c478bd9Sstevel@tonic-gate 
367*7c478bd9Sstevel@tonic-gate /*
368*7c478bd9Sstevel@tonic-gate  * Minimum, maximum key lengths in bits.
369*7c478bd9Sstevel@tonic-gate  */
/* Bounds for the *_MINBITS / *_MAXBITS attribute values (uint16_t range). */
#define	SPD_MIN_MINBITS		0x0000
#define	SPD_MAX_MAXBITS		0xffff
372*7c478bd9Sstevel@tonic-gate 
373*7c478bd9Sstevel@tonic-gate /*
374*7c478bd9Sstevel@tonic-gate  * IPsec action types (in SPD_ATTR_TYPE attribute)
375*7c478bd9Sstevel@tonic-gate  */
/* Exactly one of these per alternative; 0 is not a valid type. */
#define	SPD_ACTTYPE_DROP	0x0001
#define	SPD_ACTTYPE_PASS	0x0002
#define	SPD_ACTTYPE_IPSEC	0x0003
379*7c478bd9Sstevel@tonic-gate 
380*7c478bd9Sstevel@tonic-gate /*
381*7c478bd9Sstevel@tonic-gate  * Action flags (in SPD_ATTR_FLAGS attribute)
382*7c478bd9Sstevel@tonic-gate  */
/* Bit mask carried in the SPD_ATTR_FLAGS value. */
#define	SPD_APPLY_AH		0x0001
#define	SPD_APPLY_ESP		0x0002
#define	SPD_APPLY_SE		0x0004  /* self-encapsulation */
#define	SPD_APPLY_COMP		0x0008	/* compression; NYI */
#define	SPD_APPLY_UNIQUE	0x0010	/* unique per-flow SA */
#define	SPD_APPLY_BYPASS	0x0020	/* bypass policy */
#define	SPD_APPLY_ESPA		0x0040 	/* ESP authentication */
390*7c478bd9Sstevel@tonic-gate 
391*7c478bd9Sstevel@tonic-gate /*
392*7c478bd9Sstevel@tonic-gate  * SW crypto execution modes.
393*7c478bd9Sstevel@tonic-gate  */
/* Values start at 1, so 0 can mean "unset". */
#define	SPD_ALG_EXEC_MODE_SYNC		1	/* synchronous */
#define	SPD_ALG_EXEC_MODE_ASYNC		2	/* asynchronous */
396*7c478bd9Sstevel@tonic-gate 
397*7c478bd9Sstevel@tonic-gate /*
398*7c478bd9Sstevel@tonic-gate  * SPD_DUMP protocol:
399*7c478bd9Sstevel@tonic-gate  *
 * We do not want to force a stack to have to read-lock the entire
401*7c478bd9Sstevel@tonic-gate  * SPD for the duration of the dump, but we want management apps to be
402*7c478bd9Sstevel@tonic-gate  * able to get a consistent snapshot of the SPD.
403*7c478bd9Sstevel@tonic-gate  *
404*7c478bd9Sstevel@tonic-gate  * Therefore, we make optimistic locking assumptions.
405*7c478bd9Sstevel@tonic-gate  *
406*7c478bd9Sstevel@tonic-gate  * The response to a SPD_DUMP request consists of multiple spd_msg
407*7c478bd9Sstevel@tonic-gate  * records, all with spd_msg_type == SPD_DUMP and spd_msg_{seq,pid}
408*7c478bd9Sstevel@tonic-gate  * matching the request.
409*7c478bd9Sstevel@tonic-gate  *
410*7c478bd9Sstevel@tonic-gate  * There is one header, then a sequence of policy rule records (one
411*7c478bd9Sstevel@tonic-gate  * rule per record), then a trailer.
412*7c478bd9Sstevel@tonic-gate  *
413*7c478bd9Sstevel@tonic-gate  * The header and trailer both contain a single SPD_EXT_RULESET
414*7c478bd9Sstevel@tonic-gate  * containing a version number and rule count.  The dump was "good" if
415*7c478bd9Sstevel@tonic-gate  * header version == trailer version, and the number of rules read by
416*7c478bd9Sstevel@tonic-gate  * the application matches the rule count in the trailer.  The rule
417*7c478bd9Sstevel@tonic-gate  * count in the header is unused and should be set to zero.
418*7c478bd9Sstevel@tonic-gate  *
419*7c478bd9Sstevel@tonic-gate  * In between, each rule record contains a set of extensions which, if
 * used in an SPD_ADDRULE request, would recreate an equivalent rule.
421*7c478bd9Sstevel@tonic-gate  *
422*7c478bd9Sstevel@tonic-gate  * If rules were added to the SPD during the dump, the dump may be
423*7c478bd9Sstevel@tonic-gate  * truncated or otherwise incomplete; the management application
424*7c478bd9Sstevel@tonic-gate  * should re-try the dump in this case.
425*7c478bd9Sstevel@tonic-gate  */
426*7c478bd9Sstevel@tonic-gate 
427*7c478bd9Sstevel@tonic-gate /*
428*7c478bd9Sstevel@tonic-gate  * Ruleset extension, used at the start and end of a SPD_DUMP.
429*7c478bd9Sstevel@tonic-gate  */
/*
 * Overlays spd_ext_t.  A dump is consistent only if the header's and
 * trailer's spd_ruleset_version agree and the number of rule records
 * read equals the trailer's spd_ruleset_count.
 */
typedef struct spd_ruleset_ext
{
	uint16_t spd_ruleset_len;	/* 2 x 64 bits */
	uint16_t spd_ruleset_type;	/* SPD_EXT_RULESET */
	uint32_t spd_ruleset_count;	/* only valid in trailer; zero in header */
	uint64_t spd_ruleset_version;	/* version number; compare header vs trailer */
} spd_ruleset_ext_t;
437*7c478bd9Sstevel@tonic-gate 
438*7c478bd9Sstevel@tonic-gate /*
439*7c478bd9Sstevel@tonic-gate  * Diagnostic codes.  These supplement error messages.  Be sure to
440*7c478bd9Sstevel@tonic-gate  * update libipsecutil's spdsock_diag() if you change any of these.
441*7c478bd9Sstevel@tonic-gate  */
/*
 * Values are dense and positional (0..43).  Append new codes at the end
 * rather than renumbering, since spdsock_diag() and any other consumer
 * may index by value.
 */
#define	SPD_DIAGNOSTIC_NONE			0
#define	SPD_DIAGNOSTIC_UNKNOWN_EXT		1
#define	SPD_DIAGNOSTIC_BAD_EXTLEN		2
#define	SPD_DIAGNOSTIC_NO_RULE_EXT		3
#define	SPD_DIAGNOSTIC_BAD_ADDR_LEN		4
#define	SPD_DIAGNOSTIC_MIXED_AF			5
#define	SPD_DIAGNOSTIC_ADD_NO_MEM		6
#define	SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT	7
#define	SPD_DIAGNOSTIC_ADD_BAD_TYPE		8
#define	SPD_DIAGNOSTIC_ADD_BAD_FLAGS		9
#define	SPD_DIAGNOSTIC_ADD_INCON_FLAGS		10
/* MALFORMED_* / DUPLICATE_* pairs follow the SPD_EXT_* order (LCLPORT..RULESET). */
#define	SPD_DIAGNOSTIC_MALFORMED_LCLPORT 	11
#define	SPD_DIAGNOSTIC_DUPLICATE_LCLPORT	12
#define	SPD_DIAGNOSTIC_MALFORMED_REMPORT	13
#define	SPD_DIAGNOSTIC_DUPLICATE_REMPORT	14
#define	SPD_DIAGNOSTIC_MALFORMED_PROTO		15
#define	SPD_DIAGNOSTIC_DUPLICATE_PROTO		16
#define	SPD_DIAGNOSTIC_MALFORMED_LCLADDR	17
#define	SPD_DIAGNOSTIC_DUPLICATE_LCLADDR	18
#define	SPD_DIAGNOSTIC_MALFORMED_REMADDR	19
#define	SPD_DIAGNOSTIC_DUPLICATE_REMADDR	20
#define	SPD_DIAGNOSTIC_MALFORMED_ACTION		21
#define	SPD_DIAGNOSTIC_DUPLICATE_ACTION		22
#define	SPD_DIAGNOSTIC_MALFORMED_RULE		23
#define	SPD_DIAGNOSTIC_DUPLICATE_RULE		24
#define	SPD_DIAGNOSTIC_MALFORMED_RULESET	25
#define	SPD_DIAGNOSTIC_DUPLICATE_RULESET	26
#define	SPD_DIAGNOSTIC_INVALID_RULE_INDEX	27
#define	SPD_DIAGNOSTIC_BAD_SPDID		28
#define	SPD_DIAGNOSTIC_BAD_MSG_TYPE		29
#define	SPD_DIAGNOSTIC_UNSUPP_AH_ALG		30
#define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG	31
#define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG	32
#define	SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE	33
#define	SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE	34
#define	SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE	35
#define	SPD_DIAGNOSTIC_NO_ACTION_EXT		36
#define	SPD_DIAGNOSTIC_ALG_ID_RANGE		37
#define	SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES	38
#define	SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES	39
#define	SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN	40
#define	SPD_DIAGNOSTIC_ALG_IPSEC_NOT_LOADED	41
/* ICMP_TYPECODE was added after the others, hence the out-of-order pair. */
#define	SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE	42
#define	SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE	43
486*7c478bd9Sstevel@tonic-gate 
487*7c478bd9Sstevel@tonic-gate /*
488*7c478bd9Sstevel@tonic-gate  * Helper macros.
489*7c478bd9Sstevel@tonic-gate  */
/*
 * Unit conversions for the length fields.  The right-shift forms
 * truncate, so a byte count that is not a multiple of 8 (or a bit
 * count not a multiple of 8) silently rounds down; validate before
 * converting.  With the uint16_t length fields the argument promotes
 * to int, so 65535 << 3 cannot overflow; do not pass a negative value
 * (left-shifting a negative signed value is undefined).
 */
#define	SPD_64TO8(x)	((x) << 3)	/* 64-bit words -> bytes */
#define	SPD_8TO64(x)	((x) >> 3)	/* bytes -> 64-bit words (truncates) */
#define	SPD_8TO1(x)	((x) << 3)	/* bytes -> bits */
#define	SPD_1TO8(x)	((x) >> 3)	/* bits -> bytes (truncates) */
494*7c478bd9Sstevel@tonic-gate 
495*7c478bd9Sstevel@tonic-gate #ifdef	__cplusplus
496*7c478bd9Sstevel@tonic-gate }
497*7c478bd9Sstevel@tonic-gate #endif
498*7c478bd9Sstevel@tonic-gate 
499*7c478bd9Sstevel@tonic-gate #endif	/* _NET_PFPOLICY_H */