术语
1. xfrm
xfrm应该是transform的缩写,表示对ip报文的转换,即封装和解封装,加密和解密等。
2. bundle
bundle英文翻译为捆,把多个东西打成一个包等,在代码中多次出现这个词,如create_bundle, xfrm_bundle_lookup等,这里的意思应该指对普通IP 报文进行IPSec封装,可以理解为安全路由封装,或封包。
结构体
1. 策略xfrm_policy
策略(SPD 条目)包含了匹配报文的规则,由 selector 指定,包括源/目的地址及前缀长度、端口及掩码、协议、地址族等;匹配后的处置由 action 字段决定,多条重叠策略之间由 priority 排序。策略还通过 xfrm_vec[] 给出匹配流量必须经过的 SA 模板(xfrm_tmpl,包含协议、模式、reqid 和允许的算法掩码),有效元素个数由 xfrm_nr 指定,上限为数组长度 XFRM_MAX_DEPTH。注意:这些模板描述的是内核对 SA 的要求,并不是 IKE 本身的配置;IKE 协商由用户态完成,内核只在找不到匹配 SA 时发出 acquire 请求(参见 xfrm_tmpl 中 spi 字段的注释)。
/*
 * Security policy (SPD entry): a flow selector plus the list of SA templates
 * (xfrm_vec) that traffic matching the selector is required to go through.
 */
struct xfrm_policy {
possible_net_t xp_net;
/* Hash-chain links; names suggest lookup by destination and by index — confirm in xfrm_policy.c */
struct hlist_node bydst;
struct hlist_node byidx;
/* This lock only affects elements except for entry. */
rwlock_t lock;
/* Reference count; the policy is freed when it drops to zero (owner not visible here). */
atomic_t refcnt;
struct timer_list timer;
struct flow_cache_object flo;
atomic_t genid;
/* Ordering among overlapping policies; exact comparison rule lives outside this listing. */
u32 priority;
u32 index;
struct xfrm_mark mark;
/* Flow-matching rule: addresses with prefix lengths, ports with masks, proto, family, ifindex, uid. */
struct xfrm_selector selector;
/* Lifetime limits (cfg) and current usage (cur); presumably drive policy expiry. */
struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft;
struct xfrm_policy_walk_entry walk;
struct xfrm_policy_queue polq;
u8 type;
/* Disposition of matching traffic; the value set (allow/block/transform) is defined elsewhere. */
u8 action;
u8 flags;
/*
 * Number of valid entries in xfrm_vec.
 * NOTE(review): must never exceed XFRM_MAX_DEPTH; any path that fills
 * xfrm_vec from userspace has to enforce that bound before indexing.
 */
u8 xfrm_nr;
u16 family;
/* LSM security context attached to this policy, if any (NULL when unlabeled — verify). */
struct xfrm_sec_ctx *security;
/* SA templates (proto, mode, reqid, allowed algorithms) that matching traffic must satisfy. */
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
};
2. 选择器xfrm_selector
用于与流信息进行比较,决定是否选用此策略:地址按 prefixlen_d/prefixlen_s 做前缀匹配,端口按 dport_mask/sport_mask 做掩码匹配,另外还比较协议、地址族、入接口索引和用户 id。同一个结构也用于 SA(xfrm_state.sel),以便把 SA 限定到特定的流。
/* Selector, used as selector both on policy rules (SPD) and SAs. */
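/*
 * Flow selector shared by policies (SPD) and SAs (xfrm_state.sel).
 * Addresses are matched by prefix length, ports by mask; proto, family,
 * ifindex and user are compared directly.
 *
 * Fix: the original listing was missing the terminating ';' after the
 * closing brace, which makes the declaration a syntax error.
 */
struct xfrm_selector {
/* Destination / source address, compared under prefixlen_d / prefixlen_s. */
xfrm_address_t daddr;
xfrm_address_t saddr;
/* Ports and their match masks (network byte order); a zero mask matches any port. */
__be16 dport;
__be16 dport_mask;
__be16 sport;
__be16 sport_mask;
__u16 family;
__u8 prefixlen_d;
__u8 prefixlen_s;
__u8 proto;
/* Interface index restriction; semantics of 0 defined by the matching code, not here. */
int ifindex;
/* Owning uid restriction — presumably used for per-user policies; confirm against matcher. */
__kernel_uid32_t user;
};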
3. IKE配置模板xfrm_tmpl
此模板保存在 policy 的 xfrm_vec[] 中。当报文匹配上策略的 selector 后,内核用模板中的 id(daddr/spi/proto)、saddr、mode、reqid 以及允许的算法掩码去 SA 数据库中查找满足要求的 xfrm_state;只有找到匹配的 SA,才能用该 SA 的安全通道对报文进行加密和封装。模板不是 IKE 的配置,而是内核对 SA 的约束:spi 为 0 表示需要触发 acquire,由用户态的密钥管理程序(如 IKE 守护进程)去协商并下发 SA;optional 置位时找不到 SA 可跳过该变换。
/*
 * SA template carried in a policy's xfrm_vec: describes the SA a matching
 * packet must be transformed by. The kernel resolves a template against the
 * SA database; a zero spi means "acquire one" (see id comment below).
 */
struct xfrm_tmpl {
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi - zero to acquire spi. Not zero if spi is static, then
 * daddr must be fixed too.
 * proto - AH/ESP/IPCOMP
 */
struct xfrm_id id;
/* Source address of tunnel. Ignored, if it is not a tunnel. */
xfrm_address_t saddr;
/* Address family of the outer (encapsulating) header — name-based, confirm. */
unsigned short encap_family;
/* Request id used to tie this template to the matching SA's props.reqid. */
u32 reqid;
/* Mode: transport, tunnel etc. */
u8 mode;
/* Sharing mode: unique, this session only, this user only etc. */
u8 share;
/* May skip this transfomration if no SA is found */
u8 optional;
/* Skip aalgos/ealgos/calgos checks.
 * NOTE(review): when set, any algorithm is accepted for this template —
 * a weaker-than-intended SA could then satisfy the policy. */
u8 allalgs;
/* Bit mask of algos allowed for acquisition */
u32 aalgos;
u32 ealgos;
u32 calgos;
};
4. IPSec SA状态xfrm_state
SA 状态保存了两个安全联盟端点协商出的安全通道的信息,即 IKE 第二阶段产生的 IPsec SA,包括封装协议、加密算法、认证算法(或 AEAD 算法)。它包含 struct xfrm_id id 和 struct xfrm_selector sel,用于与策略中的 struct xfrm_tmpl 和 struct xfrm_selector 进行匹配。与安全直接相关的还有:防重放状态(replay / replay_esn,窗口大小由 props.replay_window 给出)、生存期配置与计数(lft / curlft,用于到期换钥)、以及可选的 LSM 安全上下文(security)。
/* Full description of state of transformer. */
/*
 * One IPsec SA as installed in the kernel: identity (id/sel), negotiated
 * parameters (props), algorithm handles, anti-replay state, lifetimes and
 * the transform callbacks (type / modes) that apply it to packets.
 */
struct xfrm_state {
possible_net_t xs_net;
/* Hash-chain links; gclist is shared with bydst, so a state is on one or the other. */
union {
struct hlist_node gclist;
struct hlist_node bydst;
};
struct hlist_node bysrc;
struct hlist_node byspi;
atomic_t refcnt;
spinlock_t lock;
/* SA identity (daddr/spi/proto) and the flow selector it is restricted to. */
struct xfrm_id id;
struct xfrm_selector sel;
struct xfrm_mark mark;
u32 tfcpad;
u32 genid;
/* Key manager bits */
struct xfrm_state_walk km;
/* Parameters of this state. */
struct {
u32 reqid;
u8 mode;
/* Anti-replay window size. NOTE(review): u8 here; larger windows presumably go
 * through replay_esn below — confirm which one the replay ops actually use. */
u8 replay_window;
u8 aalgo, ealgo, calgo;
u8 flags;
u16 family;
xfrm_address_t saddr;
int header_len;
int trailer_len;
u32 extra_flags;
} props;
/* Lifetime limits; curlft (below) holds the running counters compared against them. */
struct xfrm_lifetime_cfg lft;
/* Data for transformer */
struct xfrm_algo_auth *aalg;
struct xfrm_algo *ealg;
struct xfrm_algo *calg;
struct xfrm_algo_aead *aead;
/* IV generator name — name-based inference, confirm against xfrm_algo.c */
const char *geniv;
/* Data for encapsulator */
struct xfrm_encap_tmpl *encap;
/* Data for care-of address */
xfrm_address_t *coaddr;
/* IPComp needs an IPIP tunnel for handling uncompressed packets */
struct xfrm_state *tunnel;
/* If a tunnel, number of users + 1 */
atomic_t tunnel_users;
/* State for replay detection */
struct xfrm_replay_state replay;
struct xfrm_replay_state_esn *replay_esn;
/* Replay detection state at the time we sent the last notification */
struct xfrm_replay_state preplay;
struct xfrm_replay_state_esn *preplay_esn;
/* The functions for replay detection. */
struct xfrm_replay *repl;
/* internal flag that only holds state for delayed aevent at the
 * moment
 */
u32 xflags;
/* Replay detection notification settings */
u32 replay_maxage;
u32 replay_maxdiff;
/* Replay detection notification timer */
struct timer_list rtimer;
/* Statistics */
struct xfrm_stats stats;
/* Current lifetime usage (bytes/packets/time), checked against lft. */
struct xfrm_lifetime_cur curlft;
struct tasklet_hrtimer mtimer;
/* used to fix curlft->add_time when changing date */
long saved_tmo;
/* Last used time */
unsigned long lastused;
/* Reference to data common to all the instances of this
 * transformer. */
const struct xfrm_type *type;
/* Inner/outer mode handlers (transport/tunnel etc.); inner_mode_iaf presumably
 * covers the inter-address-family case — confirm in xfrm_state.c */
struct xfrm_mode *inner_mode;
struct xfrm_mode *inner_mode_iaf;
struct xfrm_mode *outer_mode;
/* Security context */
struct xfrm_sec_ctx *security;
/* Private data of this transformer, format is opaque,
 * interpreted by xfrm_type methods. */
void *data;
};