【内核IPSec代码分析1】术语与结构体
2015-12-03 16:35
术语
1. xfrm
xfrm 应该是 transform 的缩写,表示对 IP 报文的转换,即封装和解封装、加密和解密等。
2. bundle
bundle 英文翻译为"捆",即把多个东西打成一个包。代码中多次出现这个词,如 create_bundle、xfrm_bundle_lookup 等,这里的意思应该是指对普通 IP 报文进行 IPSec 封装,可以理解为安全路由封装,或封包。
结构体
1. 策略xfrm_policy
策略包含了匹配报文的规则,由 selector 指定,包括源地址、目的地址、协议等;还包含了 IKE 的配置,由 xfrm_vec[] 指定,xfrm_vec 的元素个数由 xfrm_nr 指定。

struct xfrm_policy {
	possible_net_t		xp_net;
	struct hlist_node	bydst;
	struct hlist_node	byidx;

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	atomic_t		refcnt;
	struct timer_list	timer;

	struct flow_cache_object flo;
	atomic_t		genid;
	u32			priority;
	u32			index;
	struct xfrm_mark	mark;
	struct xfrm_selector	selector;
	struct xfrm_lifetime_cfg lft;
	struct xfrm_lifetime_cur curlft;
	struct xfrm_policy_walk_entry walk;
	struct xfrm_policy_queue polq;
	u8			type;
	u8			action;
	u8			flags;
	u8			xfrm_nr;
	u16			family;
	struct xfrm_sec_ctx	*security;
	struct xfrm_tmpl	xfrm_vec[XFRM_MAX_DEPTH];
};
2. 选择器xfrm_selector
用于与流信息进行比较,以决定是否选择使用此策略。

/* Selector, used as selector both on policy rules (SPD) and SAs. */
struct xfrm_selector {
	xfrm_address_t	daddr;
	xfrm_address_t	saddr;
	__be16	dport;
	__be16	dport_mask;
	__be16	sport;
	__be16	sport_mask;
	__u16	family;
	__u8	prefixlen_d;
	__u8	prefixlen_s;
	__u8	proto;
	int	ifindex;
	__kernel_uid32_t	user;
}
3. IKE配置模板xfrm_tmpl
此模板保存在 policy 中。当报文匹配上此策略的 selector 时,会用此策略的 IKE 配置模板与 SA 状态进行匹配,找到策略对应的 SA 状态,这样才可以使用该 SA 状态的安全通道对报文进行加密和封装。

struct xfrm_tmpl {
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi   - zero to acquire spi. Not zero if spi is static, then
 *         daddr must be fixed too.
 * proto - AH/ESP/IPCOMP
 */
	struct xfrm_id		id;

/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t		saddr;

	unsigned short		encap_family;

	u32			reqid;

/* Mode: transport, tunnel etc. */
	u8			mode;

/* Sharing mode: unique, this session only, this user only etc. */
	u8			share;

/* May skip this transfomration if no SA is found */
	u8			optional;

/* Skip aalgos/ealgos/calgos checks. */
	u8			allalgs;

/* Bit mask of algos allowed for acquisition */
	u32			aalgos;
	u32			ealgos;
	u32			calgos;
};
4. IPSec SA状态xfrm_state
SA 状态保存了两个安全联盟端点协商出的安全通道的信息,这是 IKE 协商第二阶段生成的 IPSec SA,包括封装协议、加密算法、认证算法。它还包含了 struct xfrm_id id 和 struct xfrm_selector sel,用于与策略的 struct xfrm_tmpl 和 struct xfrm_selector 进行匹配。

/* Full description of state of transformer. */
struct xfrm_state {
	possible_net_t		xs_net;
	union {
		struct hlist_node	gclist;
		struct hlist_node	bydst;
	};
	struct hlist_node	bysrc;
	struct hlist_node	byspi;

	atomic_t		refcnt;
	spinlock_t		lock;

	struct xfrm_id		id;
	struct xfrm_selector	sel;
	struct xfrm_mark	mark;
	u32			tfcpad;

	u32			genid;

	/* Key manager bits */
	struct xfrm_state_walk	km;

	/* Parameters of this state. */
	struct {
		u32		reqid;
		u8		mode;
		u8		replay_window;
		u8		aalgo, ealgo, calgo;
		u8		flags;
		u16		family;
		xfrm_address_t	saddr;
		int		header_len;
		int		trailer_len;
		u32		extra_flags;
	} props;

	struct xfrm_lifetime_cfg lft;

	/* Data for transformer */
	struct xfrm_algo_auth	*aalg;
	struct xfrm_algo	*ealg;
	struct xfrm_algo	*calg;
	struct xfrm_algo_aead	*aead;
	const char		*geniv;

	/* Data for encapsulator */
	struct xfrm_encap_tmpl	*encap;

	/* Data for care-of address */
	xfrm_address_t	*coaddr;

	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state	*tunnel;

	/* If a tunnel, number of users + 1 */
	atomic_t		tunnel_users;

	/* State for replay detection */
	struct xfrm_replay_state replay;
	struct xfrm_replay_state_esn *replay_esn;

	/* Replay detection state at the time we sent the last notification */
	struct xfrm_replay_state preplay;
	struct xfrm_replay_state_esn *preplay_esn;

	/* The functions for replay detection. */
	struct xfrm_replay	*repl;

	/* internal flag that only holds state for delayed aevent at the
	 * moment
	 */
	u32			xflags;

	/* Replay detection notification settings */
	u32			replay_maxage;
	u32			replay_maxdiff;

	/* Replay detection notification timer */
	struct timer_list	rtimer;

	/* Statistics */
	struct xfrm_stats	stats;

	struct xfrm_lifetime_cur curlft;
	struct tasklet_hrtimer	mtimer;

	/* used to fix curlft->add_time when changing date */
	long		saved_tmo;

	/* Last used time */
	unsigned long		lastused;

	/* Reference to data common to all the instances of this
	 * transformer. */
	const struct xfrm_type	*type;
	struct xfrm_mode	*inner_mode;
	struct xfrm_mode	*inner_mode_iaf;
	struct xfrm_mode	*outer_mode;

	/* Security context */
	struct xfrm_sec_ctx	*security;

	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;
};