【内核IPSec代码分析1】术语与结构体


术语

1. xfrm

xfrm应该是transform的缩写,表示对ip报文的转换,即封装和解封装,加密和解密等。

2. bundle

bundle英文翻译为捆,把多个东西打成一个包等,在代码中多次出现这个词,如create_bundle, xfrm_bundle_lookup等,这里的意思应该指对普通IP 报文进行IPSec封装,可以理解为安全路由封装,或封包。

结构体

1. 策略xfrm_policy

策略包含了匹配报文的规则,由selector指定,包括了源地址,目的地址,协议等,还包含了IKE的配置,由xfrm_vec[]指定,xfrm_vec的元素个数由xfrm_nr指定。

/*
 * IPsec security policy (an SPD entry).
 *
 * `selector` holds the rule a packet must match (addresses, ports,
 * protocol, ...); `xfrm_vec[]` holds the SA templates (struct xfrm_tmpl)
 * that matched traffic is transformed with, and `xfrm_nr` is the number
 * of valid entries in `xfrm_vec`.
 *
 * NOTE(review): xfrm_nr indexes xfrm_vec[XFRM_MAX_DEPTH], so whatever
 * builds a policy from external input must keep xfrm_nr <= XFRM_MAX_DEPTH
 * before copying templates in — confirm at the construction site, which is
 * not shown here.
 */
struct xfrm_policy {
    possible_net_t      xp_net;
    /* Hash-list links; presumably the by-destination and by-index lookup
     * tables — confirm in the policy hashing code. */
    struct hlist_node   bydst;
    struct hlist_node   byidx;

    /* This lock only affects elements except for entry. */
    rwlock_t        lock;
    atomic_t        refcnt;
    struct timer_list   timer;

    struct flow_cache_object flo;
    atomic_t        genid;
    u32         priority;
    u32         index;
    struct xfrm_mark    mark;
    /* Packet-matching rule; compared against the flow to decide whether
     * this policy applies. */
    struct xfrm_selector    selector;
    /* Configured and current lifetime (hard/soft limits vs. usage so far). */
    struct xfrm_lifetime_cfg lft;
    struct xfrm_lifetime_cur curlft;
    struct xfrm_policy_walk_entry walk;
    struct xfrm_policy_queue polq;
    u8          type;
    u8          action;
    u8          flags;
    /* Number of valid entries in xfrm_vec[]. */
    u8          xfrm_nr;
    u16         family;
    /* Security context (LSM labelling), may be NULL — presumably; confirm. */
    struct xfrm_sec_ctx *security;
    /* SA templates applied, in order, to traffic matching `selector`. */
    struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
};

2. 选择器xfrm_selector

用于与流信息进行比较,以决定是否选择使用此策略。

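/*
 * Selector, used as selector both on policy rules (SPD) and SAs.
 *
 * Describes the traffic a policy or SA applies to: source/destination
 * address (masked by prefixlen_s / prefixlen_d), source/destination port
 * (masked by sport_mask / dport_mask), transport protocol, address family,
 * interface index and owning user. It is compared against the flow
 * information to decide whether the policy or SA is selected.
 */
struct xfrm_selector {
    xfrm_address_t  daddr;
    xfrm_address_t  saddr;
    /* Ports and the masks applied to them before comparison. */
    __be16  dport;
    __be16  dport_mask;
    __be16  sport;
    __be16  sport_mask;
    __u16   family;
    /* Prefix lengths applied to daddr / saddr. */
    __u8    prefixlen_d;
    __u8    prefixlen_s;
    __u8    proto;
    int ifindex;
    __kernel_uid32_t    user;
};  /* the original listing was missing the terminating ';' */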

3. IKE配置模板xfrm_tmpl

此模板保存在policy中。当报文匹配上此策略的selector时,会用此策略的IKE配置模板与SA状态进行匹配,找到策略对应的SA状态,这样才可以使用此SA状态的安全通道对报文进行加密和封装。

/*
 * SA template, stored in a policy's xfrm_vec[].
 *
 * Once a packet matches the policy's selector, each template is matched
 * against the existing SA states (struct xfrm_state) to find the SA whose
 * secure channel will encapsulate/encrypt the packet.
 */
struct xfrm_tmpl {
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi   - zero to acquire spi. Not zero if spi is static, then
 *     daddr must be fixed too.
 * proto - AH/ESP/IPCOMP
 */
    struct xfrm_id      id;

/* Source address of tunnel. Ignored, if it is not a tunnel. */
    xfrm_address_t      saddr;

    unsigned short      encap_family;

/* Request id used to tie this template to the matching SA state
 * (presumably compared with xfrm_state.props.reqid — confirm). */
    u32         reqid;

/* Mode: transport, tunnel etc. */
    u8          mode;

/* Sharing mode: unique, this session only, this user only etc. */
    u8          share;

/* May skip this transformation if no SA is found */
    u8          optional;

/* Skip aalgos/ealgos/calgos checks. */
    u8          allalgs;

/* Bit mask of algos allowed for acquisition */
    u32         aalgos;
    u32         ealgos;
    u32         calgos;
};

4. IPSec SA状态xfrm_state

SA状态保存了两个安全联盟端点协商出的安全通道的信息,即IKE协商第二阶段生成的IPSec SA,包括封装协议、加密算法和认证算法。它还包含了struct xfrm_id id和struct xfrm_selector sel,用于与策略中的struct xfrm_tmpl和struct xfrm_selector进行匹配。

/* Full description of state of transformer.
 *
 * An IPsec SA: the secure channel negotiated between the two endpoints
 * (encapsulation protocol, encryption and authentication algorithms), plus
 * the `id` and `sel` fields that are matched against a policy's xfrm_tmpl
 * and xfrm_selector when looking up the SA for that policy.
 */
struct xfrm_state {
    possible_net_t      xs_net;
    /* An SA is either on the garbage-collection list or in the
     * by-destination hash — presumably never both; confirm. */
    union {
        struct hlist_node   gclist;
        struct hlist_node   bydst;
    };
    struct hlist_node   bysrc;
    struct hlist_node   byspi;

    atomic_t        refcnt;
    /* NOTE(review): presumably guards the mutable fields below (lifetime
     * counters, replay state) — confirm against the users of this lock. */
    spinlock_t      lock;

    /* Identity (daddr/spi/proto) and selector; matched against the
     * policy's xfrm_tmpl.id and xfrm_selector respectively. */
    struct xfrm_id      id;
    struct xfrm_selector    sel;
    struct xfrm_mark    mark;
    u32         tfcpad;

    u32         genid;

    /* Key manager bits */
    struct xfrm_state_walk  km;

    /* Parameters of this state. */
    struct {
        u32     reqid;
        u8      mode;
        /* Anti-replay window size (see `replay` / `replay_esn` below). */
        u8      replay_window;
        /* Authentication / encryption / compression algorithm ids. */
        u8      aalgo, ealgo, calgo;
        u8      flags;
        u16     family;
        xfrm_address_t  saddr;
        int     header_len;
        int     trailer_len;
        u32     extra_flags;
    } props;

    struct xfrm_lifetime_cfg lft;

    /* Data for transformer */
    struct xfrm_algo_auth   *aalg;
    struct xfrm_algo    *ealg;
    struct xfrm_algo    *calg;
    struct xfrm_algo_aead   *aead;
    const char      *geniv;

    /* Data for encapsulator */
    struct xfrm_encap_tmpl  *encap;

    /* Data for care-of address */
    xfrm_address_t  *coaddr;

    /* IPComp needs an IPIP tunnel for handling uncompressed packets */
    struct xfrm_state   *tunnel;

    /* If a tunnel, number of users + 1 */
    atomic_t        tunnel_users;

    /* State for replay detection */
    struct xfrm_replay_state replay;
    struct xfrm_replay_state_esn *replay_esn;

    /* Replay detection state at the time we sent the last notification */
    struct xfrm_replay_state preplay;
    struct xfrm_replay_state_esn *preplay_esn;

    /* The functions for replay detection. */
    struct xfrm_replay  *repl;

    /* internal flag that only holds state for delayed aevent at the
     * moment
    */
    u32         xflags;

    /* Replay detection notification settings */
    u32         replay_maxage;
    u32         replay_maxdiff;

    /* Replay detection notification timer */
    struct timer_list   rtimer;

    /* Statistics */
    struct xfrm_stats   stats;

    struct xfrm_lifetime_cur curlft;
    struct tasklet_hrtimer  mtimer;

    /* used to fix curlft->add_time when changing date */
    long        saved_tmo;

    /* Last used time */
    unsigned long       lastused;

    /* Reference to data common to all the instances of this
     * transformer. */
    const struct xfrm_type  *type;
    struct xfrm_mode    *inner_mode;
    struct xfrm_mode    *inner_mode_iaf;
    struct xfrm_mode    *outer_mode;

    /* Security context */
    struct xfrm_sec_ctx *security;

    /* Private data of this transformer, format is opaque,
     * interpreted by xfrm_type methods. */
    void            *data;
};