/*
 * NetLabel CIPSO/IPv4 Support
 *
 * This file defines the CIPSO/IPv4 functions for the NetLabel system.  The
 * NetLabel system manages static and dynamic label mappings for network
 * protocols such as CIPSO and RIPSO.
 *
 * Author: Paul Moore <paul.moore@hp.com>
 *
 */

/*
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program;  if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */

#ifndef _NETLABEL_CIPSO_V4
#define _NETLABEL_CIPSO_V4

#include <net/netlabel.h>

/*
 * The following NetLabel payloads are supported by the CIPSO subsystem, all
 * of which are preceded by the nlmsghdr struct.
 *
 * o ACK:
 *   Sent by the kernel in response to an application's message; applications
 *   should never send this message.
 *
 *   +----------------------+-----------------------+
 *   | seq number (32 bits) | return code (32 bits) |
 *   +----------------------+-----------------------+
 *
 *     seq number:  the sequence number of the original message, taken from the
 *                  nlmsghdr structure
 *     return code: return value, based on errno values
 *
 * o ADD:
 *   Sent by an application to add a new DOI mapping table, after completion
 *   of the task the kernel should ACK this message.
 *
 *   +---------------+--------------------+---------------------+
 *   | DOI (32 bits) | map type (32 bits) | tag count (32 bits) | ...
 *   +---------------+--------------------+---------------------+
 *
 *   +-----------------+
 *   | tag #X (8 bits) | ... repeated
 *   +-----------------+
 *
 *   +-------------- ---- --- -- -
 *   | mapping data
 *   +-------------- ---- --- -- -
 *
 *     DOI:          the DOI value
 *     map type:     the mapping table type (defined in the cipso_ipv4.h header
 *                   as CIPSO_V4_MAP_*)
 *     tag count:    the number of tags, must be greater than zero
 *     tag:          the CIPSO tag for the DOI, tags listed first are given
 *                   higher priority when sending packets
 *     mapping data: specific to the map type (see below)
 *
 *   CIPSO_V4_MAP_STD
 *
 *   +------------------+-----------------------+----------------------+
 *   | levels (32 bits) | max l level (32 bits) | max r level (8 bits) | ...
 *   +------------------+-----------------------+----------------------+
 *
 *   +----------------------+---------------------+---------------------+
 *   | categories (32 bits) | max l cat (32 bits) | max r cat (16 bits) | ...
 *   +----------------------+---------------------+---------------------+
 *
 *   +--------------------------+-------------------------+
 *   | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
 *   +--------------------------+-------------------------+
 *
 *   +-----------------------------+-----------------------------+
 *   | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
 *   +-----------------------------+-----------------------------+
 *
 *     levels:         the number of level mappings
 *     max l level:    the highest local level
 *     max r level:    the highest remote/CIPSO level
 *     categories:     the number of category mappings
 *     max l cat:      the highest local category
 *     max r cat:      the highest remote/CIPSO category
 *     local level:    the local part of a level mapping
 *     CIPSO level:    the remote/CIPSO part of a level mapping
 *     local category: the local part of a category mapping
 *     CIPSO category: the remote/CIPSO part of a category mapping
 *
 *   CIPSO_V4_MAP_PASS
 *
 *   No mapping data is needed for this map type.
 *
 * o REMOVE:
 *   Sent by an application to remove a specific DOI mapping table from the
 *   CIPSO V4 system.  The kernel should ACK this message.
 *
 *   +---------------+
 *   | DOI (32 bits) |
 *   +---------------+
 *
 *     DOI:          the DOI value
 *
 * o LIST:
 *   Sent by an application to list the details of a DOI definition.  The
 *   kernel should send an ACK on error or a response as indicated below.  The
 *   application generated message format is shown below.
 *
 *   +---------------+
 *   | DOI (32 bits) |
 *   +---------------+
 *
 *     DOI:          the DOI value
 *
 *   The valid response message format depends on the type of the DOI mapping,
 *   the known formats are shown below.
 *
 *   +--------------------+
 *   | map type (32 bits) | ...
 *   +--------------------+
 *
 *     map type:       the DOI mapping table type (defined in the cipso_ipv4.h
 *                     header as CIPSO_V4_MAP_*)
 *
 *   (map type == CIPSO_V4_MAP_STD)
 *
 *   +----------------+------------------+----------------------+
 *   | tags (32 bits) | levels (32 bits) | categories (32 bits) | ...
 *   +----------------+------------------+----------------------+
 *
 *   +-----------------+
 *   | tag #X (8 bits) | ... repeated
 *   +-----------------+
 *
 *   +--------------------------+-------------------------+
 *   | local level #X (32 bits) | CIPSO level #X (8 bits) | ... repeated
 *   +--------------------------+-------------------------+
 *
 *   +-----------------------------+-----------------------------+
 *   | local category #X (32 bits) | CIPSO category #X (16 bits) | ... repeated
 *   +-----------------------------+-----------------------------+
 *
 *     tags:           the number of CIPSO tag types
 *     levels:         the number of level mappings
 *     categories:     the number of category mappings
 *     tag:            the tag number, tags listed first are given higher
 *                     priority when sending packets
 *     local level:    the local part of a level mapping
 *     CIPSO level:    the remote/CIPSO part of a level mapping
 *     local category: the local part of a category mapping
 *     CIPSO category: the remote/CIPSO part of a category mapping
 *
 *   (map type == CIPSO_V4_MAP_PASS)
 *
 *   +----------------+
 *   | tags (32 bits) | ...
 *   +----------------+
 *
 *   +-----------------+
 *   | tag #X (8 bits) | ... repeated
 *   +-----------------+
 *
 *     tags:           the number of CIPSO tag types
 *     tag:            the tag number, tags listed first are given higher
 *                     priority when sending packets
 *
 * o LISTALL:
 *   This message is sent by an application to list the valid DOIs on the
 *   system.  There is no payload and the kernel should respond with an ACK
 *   or the following message.
 *
 *   +---------------------+------------------+-----------------------+
 *   | DOI count (32 bits) | DOI #X (32 bits) | map type #X (32 bits) |
 *   +---------------------+------------------+-----------------------+
 *
 *   +-----------------------+
 *   | map type #X (32 bits) | ...
 *   +-----------------------+
 *
 *     DOI count:      the number of DOIs
 *     DOI:            the DOI value
 *     map type:       the DOI mapping table type (defined in the cipso_ipv4.h
 *                     header as CIPSO_V4_MAP_*)
 *
 */

/*
 * NetLabel CIPSOv4 commands
 *
 * Command identifiers carried in the NetLabel CIPSOv4 netlink messages whose
 * payloads are documented above.  The numeric values are the user space ABI:
 * new commands are appended before __NLBL_CIPSOV4_C_MAX and existing ones are
 * never renumbered or removed.
 *
 * NOTE(review): the ADD/REMOVE/LIST payloads are supplied by user space, so
 * their counts and lengths (e.g. the "tag count must be greater than zero"
 * rule above) need to be checked by the command handlers before use - confirm
 * against the handler implementations.
 */
enum {
	NLBL_CIPSOV4_C_UNSPEC,	/* 0: reserved, never a valid command */
	NLBL_CIPSOV4_C_ACK,	/* kernel -> application only (ACK payload above) */
	NLBL_CIPSOV4_C_ADD,	/* add a DOI mapping table; ACKed by the kernel */
	NLBL_CIPSOV4_C_REMOVE,	/* remove the mapping table for a DOI; ACKed */
	NLBL_CIPSOV4_C_LIST,	/* list the definition of a single DOI */
	NLBL_CIPSOV4_C_LISTALL,	/* list all DOIs and their map types */
	__NLBL_CIPSOV4_C_MAX,	/* internal upper bound, not a command */
};
/* Highest valid command number (one below the internal bound above) */
#define NLBL_CIPSOV4_C_MAX (__NLBL_CIPSOV4_C_MAX - 1)

/* NetLabel protocol functions */

/**
 * netlbl_cipsov4_genl_init - register the CIPSOv4 NetLabel command handlers
 *
 * Description:
 * Entry point used to hook the NLBL_CIPSOV4_C_* commands into NetLabel.
 * Presumably returns zero on success and a negative errno value on failure,
 * following the usual kernel convention - confirm against the definition.
 *
 */
int netlbl_cipsov4_genl_init(void);

#endif