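/* $OpenBSD: ipsecctl.h,v 1.10 2005/07/09 21:05:02 hshoexer Exp $ */
/*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _IPSECCTL_H_
#define _IPSECCTL_H_

/*
 * Types and macros this header relies on.  Pulling them in here makes the
 * header self-contained instead of depending on the include order of the
 * .c file that uses it.
 */
#include <sys/types.h>		/* u_int8_t, u_int16_t, u_int32_t, size_t */
#include <sys/queue.h>		/* TAILQ_ENTRY, TAILQ_HEAD */
#include <sys/socket.h>		/* sa_family_t */
#include <netinet/in.h>		/* struct in_addr */
#include <stdio.h>		/* FILE */

/*
 * Option bits collected by the command-line front end (see the opts member
 * of struct ipsecctl).  Each is a distinct bit so they can be OR'ed
 * together; 0x0008 is intentionally left unassigned.
 */
#define IPSECCTL_OPT_DISABLE	0x0001
#define IPSECCTL_OPT_ENABLE	0x0002
#define IPSECCTL_OPT_NOACTION	0x0004
#define IPSECCTL_OPT_VERBOSE	0x0010
#define IPSECCTL_OPT_VERBOSE2	0x0020
#define IPSECCTL_OPT_SHOW	0x0040
#define IPSECCTL_OPT_SHOWALL	0x0080
#define IPSECCTL_OPT_FLUSH	0x0100
#define IPSECCTL_OPT_DELETE	0x0200

/*
 * Enumerations describing a rule.  The first member of every enum is an
 * "unknown" sentinel and is therefore zero, so a zero-filled rule is
 * recognisable as not yet fully specified.
 */

/* What kind of rule this is: a flow (SPD entry) or an SA. */
enum {
	RULE_UNKNOWN, RULE_FLOW, RULE_SA
};

/* Traffic direction a rule applies to. */
enum {
	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
};

/* IPsec protocol. */
enum {
	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP
};

/* Peer authentication method. */
enum {
	AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
};

/* How the srcid/dstid strings in struct ipsec_auth are to be interpreted. */
enum {
	ID_UNKNOWN, ID_PREFIX, ID_FQDN, ID_UFQDN
};

/* Flow type (what the kernel should do with matching traffic). */
enum {
	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
	TYPE_BYPASS, TYPE_DONTACQ
};

/*
 * An address, optionally with a netmask.
 *
 * Only an IPv4 address and mask can be stored: there is no v6 member even
 * though an address family is carried in af.  The mask is accessible both
 * as a struct in_addr and as a raw 32-bit word via the v4mask union.
 * netaddress is non-zero when the entry denotes a network rather than a
 * single host (presumably; the setter is not in this header).
 */
struct ipsec_addr {
	struct in_addr	v4;
	union {
		struct in_addr	mask;
		u_int32_t	mask32;
	} v4mask;
	int		netaddress;
	sa_family_t	af;
};

/*
 * Authentication parameters of a rule.  srcid/dstid are heap strings whose
 * ownership is not visible here; idtype is expected to hold an ID_* value
 * and type an AUTH_* value (inferred from the enum names above).
 */
struct ipsec_auth {
	char		*srcid;
	char		*dstid;
	u_int8_t	 idtype;
	u_int16_t	 type;
};

/*
 * Raw key material: len bytes at data.
 *
 * NOTE(review): this is secret material.  Whoever frees an ipsec_key should
 * clear data with explicit_bzero() before free() so the key does not linger
 * in freed heap memory; the freeing code is not in this header, so verify
 * it there.
 */
struct ipsec_key {
	size_t		 len;
	u_int8_t	*data;
};

/*
 * Complete state of one rule.
 *
 * type is expected to be a RULE_* value and flowtype a TYPE_* value;
 * proto a PROTO_* value and direction one of the DIRECTION enum.  src, dst,
 * peer and key are pointers whose ownership is not established by this
 * header.  spi is the SPI of an SA rule; nr is the rule's ordinal number.
 * entries links the rule into a struct ipsec_rule_queue.
 */
struct ipsec_rule {
	u_int8_t	 type;

	struct ipsec_addr *src;
	struct ipsec_addr *dst;
	struct ipsec_addr *peer;
	struct ipsec_auth  auth;
	struct ipsec_key  *key;

	u_int8_t	 proto;
	u_int8_t	 direction;
	u_int8_t	 flowtype;
	u_int32_t	 spi;
	u_int32_t	 nr;

	TAILQ_ENTRY(ipsec_rule) entries;
};

TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);

/*
 * Global state of one ipsecctl invocation: the running rule counter, the
 * IPSECCTL_OPT_* bits in effect and the list of parsed rules.
 */
struct ipsecctl {
	u_int32_t		rule_nr;
	int			opts;
	struct ipsec_rule_queue	rule_queue;
};

/*
 * Parse rules from fin into ipsec.  Return value convention is not visible
 * here; presumably 0 on success and non-zero on error.
 */
int	 parse_rules(FILE *fin, struct ipsecctl *ipsec);

/* Append r to ipsec's rule queue; same return convention as parse_rules. */
int	 ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r);

/* Fetch the rules currently installed in the kernel into ipsec. */
void	 ipsecctl_get_rules(struct ipsecctl *ipsec);

#endif /* _IPSECCTL_H_ */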