
【内核IPSec代码分析1】术语与结构体


术语

1. xfrm

xfrm应该是transform的缩写,表示对ip报文的转换,即封装和解封装,加密和解密等。

2. bundle

bundle英文翻译为捆,把多个东西打成一个包等,在代码中多次出现这个词,如create_bundle, xfrm_bundle_lookup等,这里的意思应该指对普通IP 报文进行IPSec封装,可以理解为安全路由封装,或封包。

结构体

1. 策略xfrm_policy

策略包含了匹配报文的规则,由selector指定,包括了源地址,目的地址,协议等,还包含了IKE的配置,由xfrm_vec[]指定,xfrm_vec的元素个数由xfrm_nr指定。

/*
 * IPsec policy (an SPD entry).
 *
 * 'selector' holds the packet-matching rule (addresses, protocol, ...);
 * 'xfrm_vec' holds the transform templates the policy requires, and
 * 'xfrm_nr' says how many of its XFRM_MAX_DEPTH slots are in use.
 * NOTE(review): xfrm_vec is a fixed-size array, so whatever fills it from
 * a user-supplied policy must bound-check the entry count against
 * XFRM_MAX_DEPTH before copying — the struct itself enforces nothing.
 */
struct xfrm_policy {
	possible_net_t		xp_net;		/* owning net namespace handle (name-based; confirm) */
	struct hlist_node	bydst;		/* hash-list linkage, presumably keyed by destination */
	struct hlist_node	byidx;		/* hash-list linkage, presumably keyed by index */

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	atomic_t		refcnt;		/* reference count */
	struct timer_list	timer;		/* timer; presumably tied to lft expiry — confirm */

	struct flow_cache_object flo;		/* flow cache object embedded in the policy */
	atomic_t		genid;		/* generation id (name-based) */
	u32			priority;	/* policy priority; ordering semantics not shown here */
	u32			index;		/* policy index (name-based) */
	struct xfrm_mark	mark;		/* mark used as an extra match key (name-based) */
	struct xfrm_selector	selector;	/* packet match rule, see struct xfrm_selector */
	struct xfrm_lifetime_cfg lft;		/* lifetime limits as configured */
	struct xfrm_lifetime_cur curlft;	/* lifetime counters as currently used */
	struct xfrm_policy_walk_entry walk;	/* linkage for policy walks/dumps (name-based) */
	struct xfrm_policy_queue polq;		/* packet queue attached to this policy (name-based) */
	u8			type;		/* policy type */
	u8			action;		/* what to do on a match (allow/block etc.; confirm values) */
	u8			flags;
	u8			xfrm_nr;	/* number of valid entries in xfrm_vec */
	u16			family;		/* address family */
	struct xfrm_sec_ctx	*security;	/* security context (label); presumably NULL when none attached */
	struct xfrm_tmpl	xfrm_vec[XFRM_MAX_DEPTH];	/* transform templates, xfrm_nr of them valid */
};


2. 选择器xfrm_selector

用于与流信息进行比较,是否选择使用此策略。

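/*
 * Selector, used as selector both on policy rules (SPD) and SAs.
 *
 * Compared against the flow information of a packet to decide whether a
 * policy (or an SA) applies to it.  The struct carries only match data;
 * the comparison itself is done by the lookup code.
 */
struct xfrm_selector {
	xfrm_address_t		daddr;		/* destination address */
	xfrm_address_t		saddr;		/* source address */
	__be16			dport;		/* destination port, big-endian (__be16) */
	__be16			dport_mask;	/* presumably masks the packet's dport before comparing — confirm */
	__be16			sport;		/* source port, big-endian (__be16) */
	__be16			sport_mask;	/* presumably masks the packet's sport before comparing — confirm */
	__u16			family;		/* address family of daddr/saddr */
	__u8			prefixlen_d;	/* prefix length applied to daddr (name-based) */
	__u8			prefixlen_s;	/* prefix length applied to saddr (name-based) */
	__u8			proto;		/* transport protocol number (name-based) */
	int			ifindex;	/* interface index (name-based) */
	__kernel_uid32_t	user;		/* uid associated with the selector (name-based) */
};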


3. IKE配置模板xfrm_tmpl

此模板保存在policy中,当报文匹配上此策略的selector时,会使用此策略的IKE配置模板和SA状态进行匹配,找到策略对应SA状态,这样才可以使用此SA状态的安全通道对报文进行加密和封装。

/*
 * Transform template, stored in struct xfrm_policy::xfrm_vec.
 *
 * Once a packet matches a policy's selector, each template of that policy
 * is matched against the SA states (struct xfrm_state) to find the SA that
 * satisfies it; that SA's security channel is then used to protect the
 * packet.  A template marked 'optional' may be skipped when no SA matches.
 */
struct xfrm_tmpl {
	/* id in template is interpreted as:
	 * daddr - destination of tunnel, may be zero for transport mode.
	 * spi   - zero to acquire spi. Not zero if spi is static, then
	 *     daddr must be fixed too.
	 * proto - AH/ESP/IPCOMP
	 */
	struct xfrm_id		id;

	/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t		saddr;

	/* Address family of the encapsulating header (name-based; confirm). */
	unsigned short		encap_family;

	/* Request id; presumably used to pair this template with specific SAs — confirm. */
	u32			reqid;

	/* Mode: transport, tunnel etc. */
	u8			mode;

	/* Sharing mode: unique, this session only, this user only etc. */
	u8			share;

	/* May skip this transformation if no SA is found */
	u8			optional;

	/* Skip aalgos/ealgos/calgos checks.
	 * NOTE(review): when set, the three allow-lists below are not
	 * enforced, so any algorithm may be accepted for this template —
	 * treat it as a deliberate widening when reviewing policies. */
	u8			allalgs;

	/* Bit mask of algos allowed for acquisition */
	u32			aalgos;		/* authentication algorithms (name-based) */
	u32			ealgos;		/* encryption algorithms (name-based) */
	u32			calgos;		/* compression algorithms (name-based) */
};


4. IPSec SA状态xfrm_state

SA状态保存了两个安全联盟端点协商出的安全通道的信息,这个是IKE协商第二阶段生成的IPSec SA,包括封装协议,加密算法,认证算法。它还包含了struct xfrm_id id和struct xfrm_selector sel,用于与策略的struct xfrm_tmpl和struct xfrm_selector进行匹配。

/* Full description of state of transformer.
 *
 * One IPsec SA: the security channel negotiated between two endpoints,
 * including the encapsulation protocol and the authentication/encryption
 * algorithms.  'id' and 'sel' are what a policy's struct xfrm_tmpl and
 * struct xfrm_selector are matched against when looking up the SA for a
 * packet.  Replay-detection state lives in 'replay'/'replay_esn' and the
 * window size in 'props.replay_window'.
 */
struct xfrm_state {
	possible_net_t		xs_net;		/* owning net namespace handle (name-based; confirm) */
	union {
		struct hlist_node	gclist;	/* linkage on the garbage-collection list (name-based) */
		struct hlist_node	bydst;	/* hash-list linkage, presumably keyed by destination */
	};					/* the two linkages are never needed at once — shares storage */
	struct hlist_node	bysrc;		/* hash-list linkage, presumably keyed by source */
	struct hlist_node	byspi;		/* hash-list linkage, presumably keyed by SPI */

	atomic_t		refcnt;		/* reference count */
	spinlock_t		lock;		/* protects this state; exact coverage not shown here */

	struct xfrm_id		id;		/* SA identity (daddr/spi/proto), matched against xfrm_tmpl.id */
	struct xfrm_selector	sel;		/* selector, matched against the policy selector */
	struct xfrm_mark	mark;		/* mark used as an extra match key (name-based) */
	u32			tfcpad;		/* traffic-flow-confidentiality padding (name-based; confirm) */

	u32			genid;		/* generation id (name-based) */

	/* Key manager bits */
	struct xfrm_state_walk	km;

	/* Parameters of this state. */
	struct {
		u32	reqid;			/* request id, paired with xfrm_tmpl.reqid (presumably) */
		u8	mode;			/* transport, tunnel etc. */
		u8	replay_window;		/* replay-detection window size; 0 presumably disables — confirm */
		u8	aalgo, ealgo, calgo;	/* auth / encryption / compression algorithm ids (name-based) */
		u8	flags;
		u16	family;			/* address family */
		xfrm_address_t	saddr;		/* source address of the SA */
		int	header_len;		/* bytes added in front of the payload (name-based) */
		int	trailer_len;		/* bytes added after the payload (name-based) */
		u32	extra_flags;
	} props;

	struct xfrm_lifetime_cfg lft;		/* lifetime limits as configured */

	/* Data for transformer */
	struct xfrm_algo_auth	*aalg;		/* authentication algorithm + key */
	struct xfrm_algo	*ealg;		/* encryption algorithm + key (name-based) */
	struct xfrm_algo	*calg;		/* compression algorithm (name-based) */
	struct xfrm_algo_aead	*aead;		/* AEAD algorithm + key, used instead of aalg/ealg (presumably) */
	const char		*geniv;		/* IV generator name (name-based; confirm) */

	/* Data for encapsulator */
	struct xfrm_encap_tmpl	*encap;

	/* Data for care-of address */
	xfrm_address_t	*coaddr;

	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state	*tunnel;

	/* If a tunnel, number of users + 1 */
	atomic_t		tunnel_users;

	/* State for replay detection */
	struct xfrm_replay_state replay;
	struct xfrm_replay_state_esn *replay_esn;	/* ESN variant; presumably extended sequence numbers — confirm */

	/* Replay detection state at the time we sent the last notification */
	struct xfrm_replay_state preplay;
	struct xfrm_replay_state_esn *preplay_esn;

	/* The functions for replay detection. */
	struct xfrm_replay	*repl;

	/* internal flag that only holds state for delayed aevent at the
	 * moment
	 */
	u32			xflags;

	/* Replay detection notification settings */
	u32			replay_maxage;
	u32			replay_maxdiff;

	/* Replay detection notification timer */
	struct timer_list	rtimer;

	/* Statistics */
	struct xfrm_stats	stats;

	struct xfrm_lifetime_cur curlft;	/* lifetime counters as currently used */
	struct tasklet_hrtimer	mtimer;		/* high-resolution timer (name-based; purpose not shown here) */

	/* used to fix curlft->add_time when changing date */
	long		saved_tmo;

	/* Last used time */
	unsigned long		lastused;

	/* Reference to data common to all the instances of this
	 * transformer. */
	const struct xfrm_type	*type;
	struct xfrm_mode	*inner_mode;
	struct xfrm_mode	*inner_mode_iaf;	/* inner mode for the other address family (name-based; confirm) */
	struct xfrm_mode	*outer_mode;

	/* Security context */
	struct xfrm_sec_ctx	*security;	/* security label; presumably NULL when none attached */

	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;
};