/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _NET_PFPOLICY_H
#define _NET_PFPOLICY_H

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * PF_POLICY version 1: wire definitions for the local protocol that
 * management utilities use to read and modify a system's IPsec
 * Security Policy Database (SPD; RFC 2401 gives the conceptual model).
 *
 * The framing copies PF_KEY version 2 (pfkeyv2.h, RFC 2367): a fixed
 * message header followed by a chain of self-describing extensions.
 * Every length in this protocol is counted in 64-bit words, and every
 * structure below is padded so that it starts and ends on a 64-bit
 * boundary -- the "alignment" union member in each struct exists only
 * to force that.
 *
 * Reviewer note: these structures describe bytes received from a
 * peer over a socket, so a parser should treat spd_msg_len and every
 * spd_ext_len as untrusted and check them against the bytes actually
 * received before following them; SPD_DIAGNOSTIC_BAD_EXTLEN below is
 * presumably the reply code for that failure.
 */

#ifdef __cplusplus
extern "C" {
#endif

#define PF_POLICY_V1		1
#define PF_POLICY_REVISION	200304L

/*
 * Message header.  Every request and every reply begins with one of
 * these; zero or more extensions follow, each extension type at most
 * once per message.  spd_msg_len covers the header plus all extensions.
 *
 *   spd_msg_version     always PF_POLICY_V1
 *   spd_msg_type        one of the SPD_* command numbers
 *   spd_msg_errno       Unix errno; must be zero in a request
 *   spd_msg_spdid       which SPD instance (SPD_ACTIVE / SPD_STANDBY)
 *   spd_msg_len         total length in 64-bit words (so the largest
 *                       message is 65535 words)
 *   spd_msg_diagnostic  SPD_DIAGNOSTIC_* refining spd_msg_errno
 *   spd_msg_seq/pid     filled in by the sender; replies echo them
 */
typedef struct spd_msg {
	uint8_t		spd_msg_version;
	uint8_t		spd_msg_type;
	uint8_t		spd_msg_errno;
	uint8_t		spd_msg_spdid;
	uint16_t	spd_msg_len;
	uint16_t	spd_msg_diagnostic;
	union {
		struct {
			uint32_t	spd_msg_useq;
			uint32_t	spd_msg_upid;
		} spd_msg_actual;
		uint64_t	spd_msg_alignment;	/* forces 64-bit alignment */
	} spd_msg_u;
} spd_msg_t;

/* Convenience accessors for the sequence and pid fields. */
#define spd_msg_seq	spd_msg_u.spd_msg_actual.spd_msg_useq
#define spd_msg_pid	spd_msg_u.spd_msg_actual.spd_msg_upid

/*
 * Command numbers carried in spd_msg_type.  SPD_MIN and SPD_MAX bound
 * the valid range; SPD_RESERVED is never a legal command.
 */
#define SPD_RESERVED	0
#define SPD_MIN		1
#define SPD_FLUSH	1
#define SPD_ADDRULE	2
#define SPD_DELETERULE	3
#define SPD_FLIP	4
#define SPD_LOOKUP	5
#define SPD_DUMP	6
#define SPD_CLONE	7
#define SPD_ALGLIST	8
#define SPD_DUMPALGS	9
#define SPD_UPDATEALGS	10
#define SPD_MAX		10

/* Well-known SPD instances carried in spd_msg_spdid. */
#define SPD_ACTIVE	0	/* the instance currently enforcing policy */
#define SPD_STANDBY	1	/* the "on deck" instance, swapped in by SPD_FLIP */

/*
 * Generic extension header.  Each concrete extension struct below
 * repeats these two fields at offset 0 (length in 64-bit words, then
 * type), so a parser can walk the chain with spd_ext_t and only then
 * cast to the specific type.
 */
typedef struct spd_ext {
	union {
		struct {
			uint16_t	spd_ext_ulen;	/* in 64-bit words */
			uint16_t	spd_ext_utype;	/* SPD_EXT_*; 0 is reserved */
		} spd_ext_actual;
		uint64_t	spd_ext_alignment;
	} spd_ext_u;
} spd_ext_t;

#define spd_ext_len	spd_ext_u.spd_ext_actual.spd_ext_ulen
#define spd_ext_type	spd_ext_u.spd_ext_actual.spd_ext_utype

/* Extension numbers carried in spd_ext_type. */
#define SPD_EXT_LCLPORT		1
#define SPD_EXT_REMPORT		2
#define SPD_EXT_PROTO		3
#define SPD_EXT_LCLADDR		4
#define SPD_EXT_REMADDR		5
#define SPD_EXT_ACTION		6
#define SPD_EXT_RULE		7
#define SPD_EXT_RULESET		8
#define SPD_EXT_ICMP_TYPECODE	9
#define SPD_EXT_MAX		9

/*
 * Rule extension: the attributes every rule carries.
 *
 * spd_rule_index must be zero on SPD_ADDRULE; the kernel assigns it.
 * A later SPD_DELETERULE may identify the rule either by repeating its
 * selectors or by giving the non-zero index.  This struct has no
 * alignment union because its fields already total 24 bytes.
 */
struct spd_rule {
	uint16_t	spd_rule_len;
	uint16_t	spd_rule_type;		/* SPD_EXT_RULE */
	uint32_t	spd_rule_priority;
	uint32_t	spd_rule_flags;		/* SPD_RULE_FLAG_* */
	uint32_t	spd_rule_unused;
	uint64_t	spd_rule_index;		/* unique rule identifier */
};

/* Bits for spd_rule.spd_rule_flags. */
#define SPD_RULE_FLAG_INBOUND	0x0001
#define SPD_RULE_FLAG_OUTBOUND	0x0002

/*
 * Address selector (SPD_EXT_LCLADDR / SPD_EXT_REMADDR).  This differs
 * from the PF_KEY address extension so that port/protocol wildcards
 * can be expressed precisely by their own extensions.
 *
 * The 8-byte header is followed by the address itself -- 4 bytes for
 * IPv4 or 16 for IPv6 -- padded to the next 64-bit boundary, so the
 * whole extension is 2 or 3 words respectively.  A parser should
 * check spd_address_len against the family it reads from
 * spd_address_af rather than trusting either alone.
 */
typedef struct spd_address {
	union {
		struct {
			uint16_t	spd_address_ulen;
			uint16_t	spd_address_uexttype;	/* LCLADDR, REMADDR */
			uint8_t		spd_address_uaf;	/* address family */
			uint8_t		spd_address_uprefixlen;	/* prefix length, bits */
			uint16_t	spd_address_ureserved2;	/* padding */
		} spd_address_actual;
		uint64_t	spd_address_alignment;
	} spd_address_u;
} spd_address_t;

#define spd_address_len		spd_address_u.spd_address_actual.spd_address_ulen
#define spd_address_exttype	spd_address_u.spd_address_actual.spd_address_uexttype
#define spd_address_af		spd_address_u.spd_address_actual.spd_address_uaf
#define spd_address_prefixlen	spd_address_u.spd_address_actual.spd_address_uprefixlen
#define spd_address_reserved2	spd_address_u.spd_address_actual.spd_address_ureserved2

/* Protocol selector (SPD_EXT_PROTO); one 64-bit word. */
struct spd_proto {
	union {
		struct {
			uint16_t	spd_proto_ulen;
			uint16_t	spd_proto_uexttype;	/* SPD_EXT_PROTO */
			uint8_t		spd_proto_unumber;	/* IPPROTO_* */
			uint8_t		spd_proto_ureserved1;	/* padding */
			uint16_t	spd_proto_ureserved2;	/* padding */
		} spd_proto_actual;
		uint64_t	spd_proto_alignment;
	} spd_proto_u;
};

#define spd_proto_len		spd_proto_u.spd_proto_actual.spd_proto_ulen
#define spd_proto_exttype	spd_proto_u.spd_proto_actual.spd_proto_uexttype
#define spd_proto_number	spd_proto_u.spd_proto_actual.spd_proto_unumber
#define spd_proto_reserved1	spd_proto_u.spd_proto_actual.spd_proto_ureserved1
#define spd_proto_reserved2	spd_proto_u.spd_proto_actual.spd_proto_ureserved2

/*
 * Port selector (SPD_EXT_LCLPORT / SPD_EXT_REMPORT); one 64-bit word.
 * Only minport == maxport is supported at present, so a consumer
 * should reject a range until that changes.
 */
struct spd_portrange {
	union {
		struct {
			uint16_t	spd_ports_ulen;
			uint16_t	spd_ports_uexttype;	/* LCLPORT, REMPORT */
			uint16_t	spd_ports_uminport;
			uint16_t	spd_ports_umaxport;
		} spd_ports_actual;
		uint64_t	spd_ports_alignment;
	} spd_ports_u;
};

#define spd_ports_len		spd_ports_u.spd_ports_actual.spd_ports_ulen
#define spd_ports_exttype	spd_ports_u.spd_ports_actual.spd_ports_uexttype
#define spd_ports_minport	spd_ports_u.spd_ports_actual.spd_ports_uminport
#define spd_ports_maxport	spd_ports_u.spd_ports_actual.spd_ports_umaxport

/*
 * ICMP type/code selector (SPD_EXT_ICMP_TYPECODE); one 64-bit word.
 * Type and code are each given as an inclusive [start, end] pair.
 */
struct spd_typecode {
	union {
		struct {
			uint16_t	spd_typecode_ulen;
			uint16_t	spd_typecode_uexttype;	/* SPD_EXT_ICMP_TYPECODE */
			uint8_t		spd_typecode_utype;
			uint8_t		spd_typecode_utype_end;
			uint8_t		spd_typecode_ucode;
			uint8_t		spd_typecode_ucode_end;
		} spd_typecode_actual;
		uint64_t	spd_typecode_alignment;
	} spd_typecode_u;
};

#define spd_typecode_len	spd_typecode_u.spd_typecode_actual.spd_typecode_ulen
#define spd_typecode_exttype	spd_typecode_u.spd_typecode_actual.spd_typecode_uexttype
#define spd_typecode_type	spd_typecode_u.spd_typecode_actual.spd_typecode_utype
#define spd_typecode_type_end	spd_typecode_u.spd_typecode_actual.spd_typecode_utype_end
#define spd_typecode_code	spd_typecode_u.spd_typecode_actual.spd_typecode_ucode
#define spd_typecode_code_end	spd_typecode_u.spd_typecode_actual.spd_typecode_ucode_end

/*
 * Action extension (SPD_EXT_ACTION): what happens to packets matching
 * the selectors.  The header word is followed by a run of
 * spd_attribute tag/value pairs encoding one or more alternative
 * policies; the encoding is described with struct spd_attribute.
 * spd_actions_count gives the number of alternatives and should agree
 * with the number of SPD_ATTR_NEXT opcodes plus one
 * (SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT reports a mismatch).
 */
struct spd_ext_actions {
	union {
		struct {
			uint16_t	spd_actions_ulen;
			uint16_t	spd_actions_uexttype;	/* SPD_EXT_ACTION */
			uint16_t	spd_actions_ucount;	/* number of alternatives */
			uint16_t	spd_actions_ureserved;
		} spd_actions_actual;
		uint64_t	spd_actions_alignment;
	} spd_actions_u;
};

#define spd_actions_len		spd_actions_u.spd_actions_actual.spd_actions_ulen
#define spd_actions_exttype	spd_actions_u.spd_actions_actual.spd_actions_uexttype
#define spd_actions_count	spd_actions_u.spd_actions_actual.spd_actions_ucount
#define spd_actions_reserved	spd_actions_u.spd_actions_actual.spd_actions_ureserved

/*
 * Tag/value encoding of requested SA attributes.
 *
 * The pairs are read in order.  Conceptually they fill in a "template"
 * of attributes; the template is copied out as one alternative each
 * time SPD_ATTR_END or SPD_ATTR_NEXT is seen.  Alternatives are listed
 * most-preferred first.  SPD_ATTR_NEXT does not reset the template, so
 * attributes shared by every alternative need only be given once;
 * SPD_ATTR_EMPTY resets it explicitly.  Each pair is one 64-bit word.
 */
struct spd_attribute {
	union {
		struct {
			uint32_t	spd_attr_utag;		/* SPD_ATTR_* */
			uint32_t	spd_attr_uvalue;
		} spd_attribute_actual;
		uint64_t	spd_attribute_alignment;
	} spd_attribute_u;
};

#define spd_attr_tag	spd_attribute_u.spd_attribute_actual.spd_attr_utag
#define spd_attr_value	spd_attribute_u.spd_attribute_actual.spd_attr_uvalue

/* Control opcodes for the attribute stream. */
#define SPD_ATTR_NOP		0x00000000	/* space filler */
#define SPD_ATTR_END		0x00000001	/* end of description */
#define SPD_ATTR_EMPTY		0x00000002	/* reset template to default */
#define SPD_ATTR_NEXT		0x00000003	/* start filling next alternative */

/* Attribute tags; the value meaning depends on the tag. */
#define SPD_ATTR_TYPE		0x00000100	/* SPD_ACTTYPE_* */
#define SPD_ATTR_FLAGS		0x00000101	/* SPD_APPLY_* bits */
#define SPD_ATTR_AH_AUTH	0x00000102
#define SPD_ATTR_ESP_ENCR	0x00000103
#define SPD_ATTR_ESP_AUTH	0x00000104
#define SPD_ATTR_ENCR_MINBITS	0x00000105
#define SPD_ATTR_ENCR_MAXBITS	0x00000106
#define SPD_ATTR_AH_MINBITS	0x00000107
#define SPD_ATTR_AH_MAXBITS	0x00000108
#define SPD_ATTR_LIFE_SOFT_TIME	0x00000109
#define SPD_ATTR_LIFE_HARD_TIME	0x0000010a
#define SPD_ATTR_LIFE_SOFT_BYTES	0x0000010b
#define SPD_ATTR_LIFE_HARD_BYTES	0x0000010c
#define SPD_ATTR_KM_PROTO	0x0000010d
#define SPD_ATTR_KM_COOKIE	0x0000010e
#define SPD_ATTR_REPLAY_DEPTH	0x0000010f
#define SPD_ATTR_ESPA_MINBITS	0x00000110
#define SPD_ATTR_ESPA_MAXBITS	0x00000111
#define SPD_ATTR_ENCR_DEFBITS	0x00000112
#define SPD_ATTR_ENCR_INCRBITS	0x00000113
#define SPD_ATTR_AH_DEFBITS	0x00000114
#define SPD_ATTR_AH_INCRBITS	0x00000115
#define SPD_ATTR_ESPA_DEFBITS	0x00000116
#define SPD_ATTR_ESPA_INCRBITS	0x00000117
#define SPD_ATTR_ALG_ID		0x00000118
#define SPD_ATTR_ALG_PROTO	0x00000119
#define SPD_ATTR_ALG_INCRBITS	0x0000011a
#define SPD_ATTR_ALG_NKEYSIZES	0x0000011b
#define SPD_ATTR_ALG_KEYSIZE	0x0000011c
#define SPD_ATTR_ALG_NBLOCKSIZES	0x0000011d
#define SPD_ATTR_ALG_BLOCKSIZE	0x0000011e
#define SPD_ATTR_ALG_MECHNAME	0x0000011f
#define SPD_ATTR_PROTO_ID	0x00000120
#define SPD_ATTR_PROTO_EXEC_MODE	0x00000121

/* Bounds for the *_MINBITS / *_MAXBITS key-length attributes. */
#define SPD_MIN_MINBITS		0x0000
#define SPD_MAX_MAXBITS		0xffff

/* Values for SPD_ATTR_TYPE. */
#define SPD_ACTTYPE_DROP	0x0001
#define SPD_ACTTYPE_PASS	0x0002
#define SPD_ACTTYPE_IPSEC	0x0003

/* Bits for SPD_ATTR_FLAGS. */
#define SPD_APPLY_AH		0x0001
#define SPD_APPLY_ESP		0x0002
#define SPD_APPLY_SE		0x0004	/* self-encapsulation */
#define SPD_APPLY_COMP		0x0008	/* compression; not yet implemented */
#define SPD_APPLY_UNIQUE	0x0010	/* unique per-flow SA */
#define SPD_APPLY_BYPASS	0x0020	/* bypass policy */
#define SPD_APPLY_ESPA		0x0040	/* ESP authentication */

/* Values for SPD_ATTR_PROTO_EXEC_MODE: software crypto execution mode. */
#define SPD_ALG_EXEC_MODE_SYNC	1	/* synchronous */
#define SPD_ALG_EXEC_MODE_ASYNC	2	/* asynchronous */

/*
 * SPD_DUMP protocol.
 *
 * The stack should not have to read-lock the whole SPD for the length
 * of a dump, yet a management application wants a consistent
 * snapshot, so the protocol is optimistic: the reply to one SPD_DUMP
 * request is a stream of spd_msg records, all with
 * spd_msg_type == SPD_DUMP and spd_msg_{seq,pid} copied from the
 * request, laid out as
 *
 *   header record   one SPD_EXT_RULESET (count field unused, set to 0)
 *   rule records    one rule per record, holding the extensions that,
 *                   sent in an SPD_ADDRULE request, would recreate it
 *   trailer record  one SPD_EXT_RULESET with version and rule count
 *
 * The snapshot is consistent only if the header and trailer versions
 * match and the application counted exactly as many rule records as
 * the trailer reports.  A dump that overlaps a modification may be
 * truncated or otherwise incomplete, and should then be retried.
 */

/* Ruleset extension (SPD_EXT_RULESET) bracketing an SPD_DUMP reply. */
typedef struct spd_ruleset_ext {
	uint16_t	spd_ruleset_len;	/* 2 x 64 bits */
	uint16_t	spd_ruleset_type;	/* SPD_EXT_RULESET */
	uint32_t	spd_ruleset_count;	/* only meaningful in the trailer */
	uint64_t	spd_ruleset_version;	/* version number */
} spd_ruleset_ext_t;

/*
 * Diagnostic codes carried in spd_msg_diagnostic to refine
 * spd_msg_errno.  libipsecutil's spdsock_diag() maps these to text,
 * so it must be updated in step with this list.
 */
#define SPD_DIAGNOSTIC_NONE			0
#define SPD_DIAGNOSTIC_UNKNOWN_EXT		1
#define SPD_DIAGNOSTIC_BAD_EXTLEN		2
#define SPD_DIAGNOSTIC_NO_RULE_EXT		3
#define SPD_DIAGNOSTIC_BAD_ADDR_LEN		4
#define SPD_DIAGNOSTIC_MIXED_AF			5
#define SPD_DIAGNOSTIC_ADD_NO_MEM		6
#define SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT	7
#define SPD_DIAGNOSTIC_ADD_BAD_TYPE		8
#define SPD_DIAGNOSTIC_ADD_BAD_FLAGS		9
#define SPD_DIAGNOSTIC_ADD_INCON_FLAGS		10
#define SPD_DIAGNOSTIC_MALFORMED_LCLPORT	11
#define SPD_DIAGNOSTIC_DUPLICATE_LCLPORT	12
#define SPD_DIAGNOSTIC_MALFORMED_REMPORT	13
#define SPD_DIAGNOSTIC_DUPLICATE_REMPORT	14
#define SPD_DIAGNOSTIC_MALFORMED_PROTO		15
#define SPD_DIAGNOSTIC_DUPLICATE_PROTO		16
#define SPD_DIAGNOSTIC_MALFORMED_LCLADDR	17
#define SPD_DIAGNOSTIC_DUPLICATE_LCLADDR	18
#define SPD_DIAGNOSTIC_MALFORMED_REMADDR	19
#define SPD_DIAGNOSTIC_DUPLICATE_REMADDR	20
#define SPD_DIAGNOSTIC_MALFORMED_ACTION		21
#define SPD_DIAGNOSTIC_DUPLICATE_ACTION		22
#define SPD_DIAGNOSTIC_MALFORMED_RULE		23
#define SPD_DIAGNOSTIC_DUPLICATE_RULE		24
#define SPD_DIAGNOSTIC_MALFORMED_RULESET	25
#define SPD_DIAGNOSTIC_DUPLICATE_RULESET	26
#define SPD_DIAGNOSTIC_INVALID_RULE_INDEX	27
#define SPD_DIAGNOSTIC_BAD_SPDID		28
#define SPD_DIAGNOSTIC_BAD_MSG_TYPE		29
#define SPD_DIAGNOSTIC_UNSUPP_AH_ALG		30
#define SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG	31
#define SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG	32
#define SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE	33
#define SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE	34
#define SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE	35
#define SPD_DIAGNOSTIC_NO_ACTION_EXT		36
#define SPD_DIAGNOSTIC_ALG_ID_RANGE		37
#define SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES	38
#define SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES	39
#define SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN	40
#define SPD_DIAGNOSTIC_ALG_IPSEC_NOT_LOADED	41
#define SPD_DIAGNOSTIC_MALFORMED_ICMP_TYPECODE	42
#define SPD_DIAGNOSTIC_DUPLICATE_ICMP_TYPECODE	43

/*
 * Unit conversions between 64-bit words, bytes and bits.  The
 * argument is evaluated once; a uint16_t length is promoted to int
 * before the shift, so SPD_64TO8 of any spd_*_len value fits in an
 * int.  The right shifts discard any remainder, so SPD_8TO64 of a
 * byte count that is not a multiple of 8 rounds down.
 */
#define SPD_64TO8(x)	((x) << 3)
#define SPD_8TO64(x)	((x) >> 3)
#define SPD_8TO1(x)	((x) << 3)
#define SPD_1TO8(x)	((x) >> 3)

#ifdef __cplusplus
}
#endif

#endif /* _NET_PFPOLICY_H */