[apple/xnu.git] / bsd / netinet6 / ipsec.h

/*	$FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $	*/
/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * IPsec controller part.
 */

#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
#include <sys/appleapiopts.h>

#include <net/pfkeyv2.h>
#ifdef KERNEL_PRIVATE
#include <netkey/keydb.h>

/*
 * Security Policy Index
 * Ensure that both address families in the "src" and "dst" are same.
 * When the value of the ul_proto is ICMPv6, the port field in "src"
 * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
 */
struct secpolicyindex {
	u_int8_t dir;			/* direction of packet flow, see blow */
	struct sockaddr_storage src;	/* IP src address for SP */
	struct sockaddr_storage dst;	/* IP dst address for SP */
	u_int8_t prefs;			/* prefix length in bits for src */
	u_int8_t prefd;			/* prefix length in bits for dst */
	u_int16_t ul_proto;		/* upper layer Protocol */
#ifdef notyet
	uid_t uids;
	uid_t uidd;
	gid_t gids;
	gid_t gidd;
#endif
};

/* Security Policy Data Base */
struct secpolicy {
	LIST_ENTRY(secpolicy) chain;

	int refcnt;			/* reference count */
	struct secpolicyindex spidx;	/* selector */
	u_int32_t id;			/* It's unique number on the system. */
	u_int state;			/* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD	0
#define IPSEC_SPSTATE_ALIVE	1

	u_int policy;		/* DISCARD, NONE or IPSEC, see keyv2.h */
	struct ipsecrequest *req;
				/* pointer to the ipsec request tree, */
				/* if policy == IPSEC else this value == NULL.*/

	/*
	 * lifetime handler.
	 * the policy can be used without limitiation if both lifetime and
	 * validtime are zero.
	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	 */
	long created;		/* time created the policy */
	long lastused;		/* updated every when kernel sends a packet */
	long lifetime;		/* duration of the lifetime of this policy */
	long validtime;		/* duration this policy is valid without use */
};

/* Request for IPsec */
struct ipsecrequest {
	struct ipsecrequest *next;
				/* pointer to next structure */
				/* If NULL, it means the end of chain. */
	struct secasindex saidx;/* hint for search proper SA */
				/* if __ss_len == 0 then no address specified.*/
	u_int level;		/* IPsec level defined below. */

	struct secasvar *sav;	/* place holder of SA for use */
	struct secpolicy *sp;	/* back pointer to SP */
};

/* security policy in PCB */
struct inpcbpolicy {
	struct secpolicy *sp_in;
	struct secpolicy *sp_out;
	int priv;			/* privileged socket ? */
};

/* SP acquiring list table. */
struct secspacq {
	LIST_ENTRY(secspacq) chain;

	struct secpolicyindex spidx;

	long created;		/* for lifetime */
	int count;		/* for lifetime */
	/* XXX: here is mbuf place holder to be sent ? */
};
#endif /* KERNEL_PRIVATE */

/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY		0
#define IPSEC_ULPROTO_ANY	255
#define IPSEC_PROTO_ANY		255

/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  It's only use in SAD */
#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */
#define	IPSEC_MODE_TRANSPORT	1
#define	IPSEC_MODE_TUNNEL	2

/*
 * Direction of security policy.
 * NOTE: Since INVALID is used just as flag.
 * The other are used for loop counter too.
 */
#define IPSEC_DIR_ANY		0
#define IPSEC_DIR_INBOUND	1
#define IPSEC_DIR_OUTBOUND	2
#define IPSEC_DIR_MAX		3
#define IPSEC_DIR_INVALID	4

/* Policy level */
/*
 * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
 * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
 * DISCARD and NONE are allowed for system default.
 */
#define IPSEC_POLICY_DISCARD	0	/* discarding packet */
#define IPSEC_POLICY_NONE	1	/* through IPsec engine */
#define IPSEC_POLICY_IPSEC	2	/* do IPsec */
#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */

/* Security protocol level */
#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */
#define	IPSEC_LEVEL_USE		1	/* use SA if present. */
#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */
#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */

#define IPSEC_MANUAL_REQID_MAX	0x3fff
				/*
				 * if security policy level == unique, this id
				 * indicate to a relative SA for use, else is
				 * zero.
				 * 1 - 0x3fff are reserved for manual keying.
				 * 0 are reserved for above reason.  Others is
				 * for kernel use.
				 * Note that this id doesn't identify SA
				 * by only itself.
				 */
#define IPSEC_REPLAYWSIZE  32

/* statistics for ipsec processing */
struct ipsecstat {
	u_quad_t in_success;  /* succeeded inbound process */
	u_quad_t in_polvio;
			/* security policy violation for inbound process */
	u_quad_t in_nosa;     /* inbound SA is unavailable */
	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */
	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t in_badspi;   /* failed getting a SPI */
	u_quad_t in_ahreplay; /* AH replay check failed */
	u_quad_t in_espreplay; /* ESP replay check failed */
	u_quad_t in_ahauthsucc; /* AH authentication success */
	u_quad_t in_ahauthfail; /* AH authentication failure */
	u_quad_t in_espauthsucc; /* ESP authentication success */
	u_quad_t in_espauthfail; /* ESP authentication failure */
	u_quad_t in_esphist[256];
	u_quad_t in_ahhist[256];
	u_quad_t in_comphist[256];
	u_quad_t out_success; /* succeeded outbound process */
	u_quad_t out_polvio;
			/* security policy violation for outbound process */
	u_quad_t out_nosa;    /* outbound SA is unavailable */
	u_quad_t out_inval;   /* outbound process failed due to EINVAL */
	u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */
	u_quad_t out_noroute; /* there is no route */
	u_quad_t out_esphist[256];
	u_quad_t out_ahhist[256];
	u_quad_t out_comphist[256];
};

#ifdef KERNEL_PRIVATE
/*
 * Definitions for IPsec & Key sysctl operations.
 */
/*
 * Names for IPsec & Key sysctl objects
 */
#define IPSECCTL_STATS			1	/* stats */
#define IPSECCTL_DEF_POLICY		2
#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */
#if 0	/* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE	7
#endif
#define	IPSECCTL_AH_CLEARTOS		8
#define	IPSECCTL_AH_OFFSETMASK		9
#define	IPSECCTL_DFBIT			10
#define	IPSECCTL_ECN			11
#define	IPSECCTL_DEBUG			12
#define	IPSECCTL_ESP_RANDPAD		13
#define IPSECCTL_MAXID			14

#define IPSECCTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ "ah_cleartos", CTLTYPE_INT }, \
	{ "ah_offsetmask", CTLTYPE_INT }, \
	{ "dfbit", CTLTYPE_INT }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#define IPSEC6CTL_NAMES { \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "def_policy", CTLTYPE_INT }, \
	{ "esp_trans_deflev", CTLTYPE_INT }, \
	{ "esp_net_deflev", CTLTYPE_INT }, \
	{ "ah_trans_deflev", CTLTYPE_INT }, \
	{ "ah_net_deflev", CTLTYPE_INT }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ 0, 0 }, \
	{ "ecn", CTLTYPE_INT }, \
	{ "debug", CTLTYPE_INT }, \
	{ "esp_randpad", CTLTYPE_INT }, \
}

#ifdef KERNEL
struct ipsec_output_state {
	struct mbuf *m;
	struct route *ro;
	struct sockaddr *dst;
};

struct ipsec_history {
	int ih_proto;
	u_int32_t ih_spi;
};

extern int ipsec_debug;

extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;

#define ipseclog(x)	do { if (ipsec_debug) log x; } while (0)

extern struct secpolicy *ipsec4_getpolicybysock(struct mbuf *, u_int,
						struct socket *, int *);
extern struct secpolicy *ipsec4_getpolicybyaddr(struct mbuf *, u_int, int,
						int *);

struct inpcb;
extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *);
extern u_int ipsec_get_reqlevel(struct ipsecrequest *);

extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	caddr_t request, size_t len, int priv);
extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	size_t len, struct mbuf **mp);
extern int ipsec4_delete_pcbpolicy(struct inpcb *);
extern int ipsec4_in_reject_so(struct mbuf *, struct socket *);
extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);

struct secas;
struct tcpcb;
extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
extern int ipsec_updatereplay(u_int32_t, struct secasvar *);

extern size_t ipsec4_hdrsiz(struct mbuf *, u_int, struct inpcb *);
extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);

struct ip;
extern const char *ipsec4_logpacketstr(struct ip *, u_int32_t);
extern const char *ipsec_logsastr(struct secasvar *);

extern void ipsec_dumpmbuf(struct mbuf *);

extern int ipsec4_output(struct ipsec_output_state *, struct secpolicy *, int);
extern int ipsec4_tunnel_validate(struct mbuf *, int, u_int, struct secasvar *);
extern struct mbuf *ipsec_copypkt(struct mbuf *);
extern void ipsec_delaux(struct mbuf *);
extern int ipsec_setsocket(struct mbuf *, struct socket *);
extern struct socket *ipsec_getsocket(struct mbuf *);
extern int ipsec_addhist(struct mbuf *, int, u_int32_t); 
extern struct ipsec_history *ipsec_gethist(struct mbuf *, int *);
extern void ipsec_clearhist(struct mbuf *);
#endif KERNEL
#endif KERNEL_PRIVATE

#ifndef KERNEL
extern caddr_t ipsec_set_policy(char *, int);
extern int ipsec_get_policylen(caddr_t);
extern char *ipsec_dump_policy(caddr_t, char *);

extern const char *ipsec_strerror(void);
#endif KERNEL

#endif /* _NETINET6_IPSEC_H_ */
Commit	Line	Data
9bccf70c A	1	/* $FreeBSD: src/sys/netinet6/ipsec.h,v 1.4.2.2 2001/07/03 11:01:54 ume Exp $ */
9bccf70c A	2	/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
1c79356b A	3
	4	/*
	5	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	* 3. Neither the name of the project nor the names of its contributors
	17	* may be used to endorse or promote products derived from this software
	18	* without specific prior written permission.
	19	*
	20	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	21	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	24	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	* SUCH DAMAGE.
	31	*/
	32
	33	/*
	34	* IPsec controller part.
	35	*/
	36
	37	#ifndef _NETINET6_IPSEC_H_
	38	#define _NETINET6_IPSEC_H_
9bccf70c	39	#include <sys/appleapiopts.h>
1c79356b A	40
1c79356b A	41	#include <net/pfkeyv2.h>
91447636	42	#ifdef KERNEL_PRIVATE
1c79356b A	43	#include <netkey/keydb.h>
1c79356b A	44
1c79356b A	45	/*
1c79356b A	46	* Security Policy Index
55e303ae A	47	* Ensure that both address families in the "src" and "dst" are same.
	48	* When the value of the ul_proto is ICMPv6, the port field in "src"
	49	* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
1c79356b A	50	*/
	51	struct secpolicyindex {
	52	u_int8_t dir; /* direction of packet flow, see blow */
	53	struct sockaddr_storage src; /* IP src address for SP */
	54	struct sockaddr_storage dst; /* IP dst address for SP */
	55	u_int8_t prefs; /* prefix length in bits for src */
	56	u_int8_t prefd; /* prefix length in bits for dst */
	57	u_int16_t ul_proto; /* upper layer Protocol */
	58	#ifdef notyet
	59	uid_t uids;
	60	uid_t uidd;
	61	gid_t gids;
	62	gid_t gidd;
	63	#endif
	64	};
	65
	66	/* Security Policy Data Base */
	67	struct secpolicy {
	68	LIST_ENTRY(secpolicy) chain;
	69
	70	int refcnt; /* reference count */
	71	struct secpolicyindex spidx; /* selector */
	72	u_int32_t id; /* It's unique number on the system. */
	73	u_int state; /* 0: dead, others: alive */
	74	#define IPSEC_SPSTATE_DEAD 0
	75	#define IPSEC_SPSTATE_ALIVE 1
	76
	77	u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
	78	struct ipsecrequest *req;
	79	/* pointer to the ipsec request tree, */
	80	/* if policy == IPSEC else this value == NULL.*/
9bccf70c A	81
	82	/*
	83	* lifetime handler.
	84	* the policy can be used without limitiation if both lifetime and
	85	* validtime are zero.
	86	* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
	87	* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
	88	*/
	89	long created; /* time created the policy */
	90	long lastused; /* updated every when kernel sends a packet */
	91	long lifetime; /* duration of the lifetime of this policy */
	92	long validtime; /* duration this policy is valid without use */
1c79356b A	93	};
	94
	95	/* Request for IPsec */
	96	struct ipsecrequest {
	97	struct ipsecrequest *next;
	98	/* pointer to next structure */
	99	/* If NULL, it means the end of chain. */
	100	struct secasindex saidx;/* hint for search proper SA */
	101	/* if __ss_len == 0 then no address specified.*/
	102	u_int level; /* IPsec level defined below. */
	103
	104	struct secasvar sav; / place holder of SA for use */
	105	struct secpolicy sp; / back pointer to SP */
	106	};
	107
	108	/* security policy in PCB */
	109	struct inpcbpolicy {
	110	struct secpolicy *sp_in;
	111	struct secpolicy *sp_out;
	112	int priv; /* privileged socket ? */
	113	};
	114
	115	/* SP acquiring list table. */
	116	struct secspacq {
	117	LIST_ENTRY(secspacq) chain;
	118
	119	struct secpolicyindex spidx;
	120
9bccf70c	121	long created; /* for lifetime */
1c79356b A	122	int count; /* for lifetime */
	123	/* XXX: here is mbuf place holder to be sent ? */
	124	};
91447636	125	#endif /* KERNEL_PRIVATE */
1c79356b A	126
	127	/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
	128	#define IPSEC_PORT_ANY 0
	129	#define IPSEC_ULPROTO_ANY 255
	130	#define IPSEC_PROTO_ANY 255
	131
	132	/* mode of security protocol */
	133	/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
	134	#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
	135	#define IPSEC_MODE_TRANSPORT 1
	136	#define IPSEC_MODE_TUNNEL 2
	137
	138	/*
	139	* Direction of security policy.
	140	* NOTE: Since INVALID is used just as flag.
	141	* The other are used for loop counter too.
	142	*/
	143	#define IPSEC_DIR_ANY 0
	144	#define IPSEC_DIR_INBOUND 1
	145	#define IPSEC_DIR_OUTBOUND 2
	146	#define IPSEC_DIR_MAX 3
	147	#define IPSEC_DIR_INVALID 4
	148
	149	/* Policy level */
	150	/*
9bccf70c A	151	* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
	152	* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
	153	* DISCARD and NONE are allowed for system default.
1c79356b A	154	*/
	155	#define IPSEC_POLICY_DISCARD 0 /* discarding packet */
	156	#define IPSEC_POLICY_NONE 1 /* through IPsec engine */
	157	#define IPSEC_POLICY_IPSEC 2 /* do IPsec */
	158	#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
	159	#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
	160
	161	/* Security protocol level */
	162	#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
	163	#define IPSEC_LEVEL_USE 1 /* use SA if present. */
	164	#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
	165	#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
	166
	167	#define IPSEC_MANUAL_REQID_MAX 0x3fff
	168	/*
	169	* if security policy level == unique, this id
	170	* indicate to a relative SA for use, else is
	171	* zero.
	172	* 1 - 0x3fff are reserved for manual keying.
	173	* 0 are reserved for above reason. Others is
	174	* for kernel use.
	175	* Note that this id doesn't identify SA
	176	* by only itself.
	177	*/
	178	#define IPSEC_REPLAYWSIZE 32
	179
	180	/* statistics for ipsec processing */
	181	struct ipsecstat {
	182	u_quad_t in_success; /* succeeded inbound process */
	183	u_quad_t in_polvio;
	184	/* security policy violation for inbound process */
	185	u_quad_t in_nosa; /* inbound SA is unavailable */
	186	u_quad_t in_inval; /* inbound processing failed due to EINVAL */
	187	u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
	188	u_quad_t in_badspi; /* failed getting a SPI */
	189	u_quad_t in_ahreplay; /* AH replay check failed */
	190	u_quad_t in_espreplay; /* ESP replay check failed */
	191	u_quad_t in_ahauthsucc; /* AH authentication success */
	192	u_quad_t in_ahauthfail; /* AH authentication failure */
	193	u_quad_t in_espauthsucc; /* ESP authentication success */
	194	u_quad_t in_espauthfail; /* ESP authentication failure */
	195	u_quad_t in_esphist[256];
	196	u_quad_t in_ahhist[256];
	197	u_quad_t in_comphist[256];
	198	u_quad_t out_success; /* succeeded outbound process */
	199	u_quad_t out_polvio;
	200	/* security policy violation for outbound process */
	201	u_quad_t out_nosa; /* outbound SA is unavailable */
	202	u_quad_t out_inval; /* outbound process failed due to EINVAL */
	203	u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
	204	u_quad_t out_noroute; /* there is no route */
	205	u_quad_t out_esphist[256];
	206	u_quad_t out_ahhist[256];
	207	u_quad_t out_comphist[256];
	208	};
	209
91447636	210	#ifdef KERNEL_PRIVATE
1c79356b A	211	/*
	212	* Definitions for IPsec & Key sysctl operations.
	213	*/
	214	/*
	215	* Names for IPsec & Key sysctl objects
	216	*/
	217	#define IPSECCTL_STATS 1 /* stats */
	218	#define IPSECCTL_DEF_POLICY 2
	219	#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
	220	#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
	221	#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
	222	#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
55e303ae	223	#if 0 /* obsolete, do not reuse */
1c79356b	224	#define IPSECCTL_INBOUND_CALL_IKE 7
9bccf70c	225	#endif
1c79356b A	226	#define IPSECCTL_AH_CLEARTOS 8
	227	#define IPSECCTL_AH_OFFSETMASK 9
	228	#define IPSECCTL_DFBIT 10
	229	#define IPSECCTL_ECN 11
	230	#define IPSECCTL_DEBUG 12
9bccf70c A	231	#define IPSECCTL_ESP_RANDPAD 13
9bccf70c A	232	#define IPSECCTL_MAXID 14
1c79356b A	233
	234	#define IPSECCTL_NAMES { \
	235	{ 0, 0 }, \
	236	{ 0, 0 }, \
	237	{ "def_policy", CTLTYPE_INT }, \
	238	{ "esp_trans_deflev", CTLTYPE_INT }, \
	239	{ "esp_net_deflev", CTLTYPE_INT }, \
	240	{ "ah_trans_deflev", CTLTYPE_INT }, \
	241	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	242	{ 0, 0 }, \
1c79356b A	243	{ "ah_cleartos", CTLTYPE_INT }, \
	244	{ "ah_offsetmask", CTLTYPE_INT }, \
	245	{ "dfbit", CTLTYPE_INT }, \
	246	{ "ecn", CTLTYPE_INT }, \
	247	{ "debug", CTLTYPE_INT }, \
9bccf70c	248	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	249	}
	250
	251	#define IPSEC6CTL_NAMES { \
	252	{ 0, 0 }, \
	253	{ 0, 0 }, \
	254	{ "def_policy", CTLTYPE_INT }, \
	255	{ "esp_trans_deflev", CTLTYPE_INT }, \
	256	{ "esp_net_deflev", CTLTYPE_INT }, \
	257	{ "ah_trans_deflev", CTLTYPE_INT }, \
	258	{ "ah_net_deflev", CTLTYPE_INT }, \
9bccf70c	259	{ 0, 0 }, \
1c79356b A	260	{ 0, 0 }, \
	261	{ 0, 0 }, \
	262	{ 0, 0 }, \
	263	{ "ecn", CTLTYPE_INT }, \
	264	{ "debug", CTLTYPE_INT }, \
9bccf70c	265	{ "esp_randpad", CTLTYPE_INT }, \
1c79356b A	266	}
1c79356b A	267
9bccf70c	268	#ifdef KERNEL
1c79356b A	269	struct ipsec_output_state {
	270	struct mbuf *m;
	271	struct route *ro;
	272	struct sockaddr *dst;
	273	};
	274
9bccf70c A	275	struct ipsec_history {
	276	int ih_proto;
	277	u_int32_t ih_spi;
	278	};
	279
1c79356b A	280	extern int ipsec_debug;
1c79356b A	281
1c79356b A	282	extern struct ipsecstat ipsecstat;
	283	extern struct secpolicy ip4_def_policy;
	284	extern int ip4_esp_trans_deflev;
	285	extern int ip4_esp_net_deflev;
	286	extern int ip4_ah_trans_deflev;
	287	extern int ip4_ah_net_deflev;
1c79356b A	288	extern int ip4_ah_cleartos;
	289	extern int ip4_ah_offsetmask;
	290	extern int ip4_ipsec_dfbit;
	291	extern int ip4_ipsec_ecn;
9bccf70c	292	extern int ip4_esp_randpad;
1c79356b A	293
	294	#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
	295
91447636 A	296	extern struct secpolicy ipsec4_getpolicybysock(struct mbuf , u_int,
	297	struct socket , int );
	298	extern struct secpolicy ipsec4_getpolicybyaddr(struct mbuf , u_int, int,
	299	int *);
1c79356b	300
1c79356b	301	struct inpcb;
91447636 A	302	extern int ipsec_init_policy(struct socket so, struct inpcbpolicy *);
	303	extern int ipsec_copy_policy(struct inpcbpolicy , struct inpcbpolicy );
	304	extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
	305
	306	extern int ipsec4_set_policy(struct inpcb *inp, int optname,
	307	caddr_t request, size_t len, int priv);
	308	extern int ipsec4_get_policy(struct inpcb *inpcb, caddr_t request,
	309	size_t len, struct mbuf **mp);
	310	extern int ipsec4_delete_pcbpolicy(struct inpcb *);
	311	extern int ipsec4_in_reject_so(struct mbuf , struct socket );
	312	extern int ipsec4_in_reject(struct mbuf , struct inpcb );
1c79356b	313
1c79356b A	314	struct secas;
1c79356b A	315	struct tcpcb;
91447636 A	316	extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
91447636 A	317	extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
1c79356b	318
91447636 A	319	extern size_t ipsec4_hdrsiz(struct mbuf , u_int, struct inpcb );
91447636 A	320	extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
1c79356b A	321
1c79356b A	322	struct ip;
91447636 A	323	extern const char ipsec4_logpacketstr(struct ip , u_int32_t);
	324	extern const char ipsec_logsastr(struct secasvar );
	325
	326	extern void ipsec_dumpmbuf(struct mbuf *);
	327
	328	extern int ipsec4_output(struct ipsec_output_state , struct secpolicy , int);
	329	extern int ipsec4_tunnel_validate(struct mbuf , int, u_int, struct secasvar );
	330	extern struct mbuf ipsec_copypkt(struct mbuf );
	331	extern void ipsec_delaux(struct mbuf *);
	332	extern int ipsec_setsocket(struct mbuf , struct socket );
	333	extern struct socket ipsec_getsocket(struct mbuf );
	334	extern int ipsec_addhist(struct mbuf *, int, u_int32_t);
	335	extern struct ipsec_history ipsec_gethist(struct mbuf , int *);
	336	extern void ipsec_clearhist(struct mbuf *);
	337	#endif KERNEL
	338	#endif KERNEL_PRIVATE
1c79356b A	339
1c79356b A	340	#ifndef KERNEL
91447636 A	341	extern caddr_t ipsec_set_policy(char *, int);
	342	extern int ipsec_get_policylen(caddr_t);
	343	extern char ipsec_dump_policy(caddr_t, char );
1c79356b	344
91447636 A	345	extern const char *ipsec_strerror(void);
91447636 A	346	#endif KERNEL
1c79356b	347
0c530ab8	348	#endif /* _NETINET6_IPSEC_H_ */