K 10
svn:author
V 2
ae
K 8
svn:date
V 27
2016-12-22T13:38:50.770016Z
K 7
svn:log
V 1821
Add netipsec/ipsec_support.h header file.

This is supposed to be the only file, that provides IPsec interface to the kernel. It is assumed, that each kernel consumer that needs IPsec support will include only "opt_ipsec.h" and ipsec_support.h.

IPsec support will be declared as set of methods, specific for IPv4 and IPv6. These methods are invoked by the kernel using macros. Depending on the defined kernel options, macros will be expanded into different code. E.g. if we have defined IPSEC option, macros will directly call defined for given address family method. If defined only IPSEC_SUPPORT option, macros will call special kmod wrappers. Wrappers are needed to protect access to methods, that might be unloaded. The presence of specific IPsec module determined by IPSEC_ENABLED() and TCPMD5_ENABLED() macros.

IPsec support provided by following methods:
o IPSEC_INPUT() - handles inbound packets for AH/ESP/IPCOMP protocols. For protocols with PR_LASTHDR flag in pr_flags it does inbound policy check.
o IPSEC_OUTPUT() - checks outbound packets against security policy and perform IPsec transform if needed.
o IPSEC_CHECK_POLICY() - for inbound packets with PCB layer (TCP,UDP,RAW) do check against inbound security policy.
o IPSEC_PCBCTL() - for given address family handle socket option requests.
o IPSEC_CAPS() - check for specific IPSec capability.
o IPSEC_HDRSIZE() - get approximate size that IPsec will consume after transform.

TCP-MD5 methods:
o TCPMD5_INPUT() - verify MD5 signature for inbound TCP segment.
o TCPMD5_OUTPUT() - calculate MD5 signature for outbound TCP segment.
o TCPMD5_PCBCTL() - handle TCP_MD5SIG socket option.

UDP encapsulation methods (needed for NAT-T):
o UDPENCAP_INPUT() - check and decapsulate inbound packet.
o UDPENCAP_PCBCTL() - handle UDP_ENCAP socket option.
END