@@ -30,7 +30,7 @@ struct xfrm_sec_ctx {
3030 __u8 ctx_alg ;
3131 __u16 ctx_len ;
3232 __u32 ctx_sid ;
33- char ctx_str [0 ];
33+ char ctx_str [];
3434};
3535
3636/* Security Context Domains of Interpretation */
@@ -93,27 +93,27 @@ struct xfrm_replay_state_esn {
9393 __u32 oseq_hi ;
9494 __u32 seq_hi ;
9595 __u32 replay_window ;
96- __u32 bmp [0 ];
96+ __u32 bmp [];
9797};
9898
9999struct xfrm_algo {
100100 char alg_name [64 ];
101101 unsigned int alg_key_len ; /* in bits */
102- char alg_key [0 ];
102+ char alg_key [];
103103};
104104
105105struct xfrm_algo_auth {
106106 char alg_name [64 ];
107107 unsigned int alg_key_len ; /* in bits */
108108 unsigned int alg_trunc_len ; /* in bits */
109- char alg_key [0 ];
109+ char alg_key [];
110110};
111111
112112struct xfrm_algo_aead {
113113 char alg_name [64 ];
114114 unsigned int alg_key_len ; /* in bits */
115115 unsigned int alg_icv_len ; /* in bits */
116- char alg_key [0 ];
116+ char alg_key [];
117117};
118118
119119struct xfrm_stats {
@@ -137,6 +137,11 @@ enum {
137137 XFRM_POLICY_MAX = 3
138138};
139139
140+ enum xfrm_sa_dir {
141+ XFRM_SA_DIR_IN = 1 ,
142+ XFRM_SA_DIR_OUT = 2
143+ };
144+
140145enum {
141146 XFRM_SHARE_ANY , /* No limitations */
142147 XFRM_SHARE_SESSION , /* For this session only */
@@ -212,6 +217,11 @@ enum {
212217
213218 XFRM_MSG_MAPPING ,
214219#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
220+
221+ XFRM_MSG_SETDEFAULT ,
222+ #define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
223+ XFRM_MSG_GETDEFAULT ,
224+ #define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
215225 __XFRM_MSG_MAX
216226};
217227#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
@@ -288,7 +298,7 @@ enum xfrm_attr_type_t {
288298 XFRMA_ETIMER_THRESH ,
289299 XFRMA_SRCADDR , /* xfrm_address_t */
290300 XFRMA_COADDR , /* xfrm_address_t */
291- XFRMA_LASTUSED , /* __u64 */
301+ XFRMA_LASTUSED , /* __u64 */
292302 XFRMA_POLICY_TYPE , /* struct xfrm_userpolicy_type */
293303 XFRMA_MIGRATE ,
294304 XFRMA_ALG_AEAD , /* struct xfrm_algo_aead */
@@ -301,10 +311,12 @@ enum xfrm_attr_type_t {
301311 XFRMA_PROTO , /* __u8 */
302312 XFRMA_ADDRESS_FILTER , /* struct xfrm_address_filter */
303313 XFRMA_PAD ,
304- XFRMA_OFFLOAD_DEV , /* struct xfrm_state_offload */
314+ XFRMA_OFFLOAD_DEV , /* struct xfrm_user_offload */
305315 XFRMA_SET_MARK , /* __u32 */
306316 XFRMA_SET_MARK_MASK , /* __u32 */
307317 XFRMA_IF_ID , /* __u32 */
318+ XFRMA_MTIMER_THRESH , /* __u32 in seconds for input SA */
319+ XFRMA_SA_DIR , /* __u8 */
308320 __XFRMA_MAX
309321
310322#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */
@@ -384,6 +396,7 @@ struct xfrm_usersa_info {
384396};
385397
386398#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
399+ #define XFRM_SA_XFLAG_OSEQ_MAY_WRAP 2
387400
388401struct xfrm_usersa_id {
389402 xfrm_address_t daddr ;
@@ -501,10 +514,30 @@ struct xfrm_user_offload {
501514 int ifindex ;
502515 __u8 flags ;
503516};
517+ /* This flag was exposed without any kernel code that supports it.
518+ * Unfortunately, strongswan has the code that sets this flag,
519+ * which makes it impossible to reuse this bit.
520+ *
521+ * So leave it here to make sure that it won't be reused by mistake.
522+ */
504523#define XFRM_OFFLOAD_IPV6 1
505524#define XFRM_OFFLOAD_INBOUND 2
525+ /* Two bits above are relevant for state path only, while
526+ * offload is used for both policy and state flows.
527+ *
528+ * In policy offload mode, they are free and can be safely reused.
529+ */
506530#define XFRM_OFFLOAD_PACKET 4
507531
532+ struct xfrm_userpolicy_default {
533+ #define XFRM_USERPOLICY_UNSPEC 0
534+ #define XFRM_USERPOLICY_BLOCK 1
535+ #define XFRM_USERPOLICY_ACCEPT 2
536+ __u8 in ;
537+ __u8 fwd ;
538+ __u8 out ;
539+ };
540+
508541#ifndef __KERNEL__
509542/* backwards compatibility for userspace */
510543#define XFRMGRP_ACQUIRE 1
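Review bot: `struct xfrm_userpolicy_default` in the last hunk (new lines 532-539) arrives without a comment saying which values `in`, `fwd` and `out` accept or what `XFRM_USERPOLICY_UNSPEC` does to a direction, and 0 is what a zero-initialised struct sends. Going by the names, these fields choose between blocking and accepting traffic that matches no policy, so a caller that misreads them changes whether the host fails open or fails closed. I would put a comment above the struct such as `/* in, fwd, out: one XFRM_USERPOLICY_* value per direction; UNSPEC (0) presumably leaves that direction unchanged */`, with the UNSPEC wording checked against the kernel handler, which this page does not show. `XFRM_SA_XFLAG_OSEQ_MAY_WRAP` in the hunk at new line 399 has the same gap: it is added bare, and one line stating when it is acceptable for anti-replay to let the output sequence number wrap would help whoever sets it.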