【内核IPSec代码分析1】术语与结构体


术语

1. xfrm

xfrm应该是transform的缩写,表示对ip报文的转换,即封装和解封装,加密和解密等。

2. bundle

bundle英文翻译为捆,把多个东西打成一个包等,在代码中多次出现这个词,如create_bundle, xfrm_bundle_lookup等,这里的意思应该指对普通IP 报文进行IPSec封装,可以理解为安全路由封装,或封包。

结构体

1. 策略xfrm_policy

策略包含了匹配报文的规则,由selector指定,包括了源地址,目的地址,协议等,还包含了IKE的配置,由xfrm_vec[]指定,xfrm_vec的元素个数由xfrm_nr指定。

/* Security policy (SPD entry). 'selector' decides which traffic the policy
 * applies to; 'xfrm_vec' holds the transform templates used to look up the
 * SA(s) that will protect that traffic. */
struct xfrm_policy {
	possible_net_t		xp_net;
	/* Hash-list linkage, keyed by destination and by index. */
	struct hlist_node	bydst;
	struct hlist_node	byidx;

	/* This lock only affects elements except for entry. */
	rwlock_t		lock;
	atomic_t		refcnt;
	struct timer_list	timer;

	struct flow_cache_object flo;
	atomic_t		genid;
	u32			priority;
	u32			index;
	struct xfrm_mark	mark;
	/* Traffic match rule (addresses, ports, protocol, ...). */
	struct xfrm_selector	selector;
	/* Lifetime configuration and the counters it is checked against. */
	struct xfrm_lifetime_cfg lft;
	struct xfrm_lifetime_cur curlft;
	struct xfrm_policy_walk_entry walk;
	struct xfrm_policy_queue polq;
	u8			type;
	u8			action;
	u8			flags;
	/* Number of entries of xfrm_vec[] that are in use. */
	u8			xfrm_nr;
	u16			family;
	struct xfrm_sec_ctx	*security;
	/* Transform templates; at most XFRM_MAX_DEPTH, xfrm_nr of them valid. */
	struct xfrm_tmpl	xfrm_vec[XFRM_MAX_DEPTH];
};

2. 选择器xfrm_selector

用于与流信息进行比较,是否选择使用此策略。

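/* Selector, used as selector both on policy rules (SPD) and SAs.
 * A packet/flow matches when each field agrees with the selector after the
 * corresponding mask (ports) or prefix length (addresses) is applied.
 * The closing ';' was missing from the listing and is restored here. */
struct xfrm_selector {
	/* Destination and source addresses, compared up to prefixlen_d /
	 * prefixlen_s bits. */
	xfrm_address_t	daddr;
	xfrm_address_t	saddr;
	/* Port values are network byte order; each is ANDed with its mask
	 * before comparison. */
	__be16	dport;
	__be16	dport_mask;
	__be16	sport;
	__be16	sport_mask;
	/* Address family the addresses above belong to. */
	__u16	family;
	__u8	prefixlen_d;
	__u8	prefixlen_s;
	/* Transport protocol (e.g. TCP/UDP) to match. */
	__u8	proto;
	int	ifindex;
	__kernel_uid32_t	user;
};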

3. IKE配置模板xfrm_tmpl

此模板保存在policy中,当报文匹配上此策略的selector时,会使用此策略的IKE配置模板和SA状态进行匹配,找到策略对应SA状态,这样才可以使用此SA状态的安全通道对报文进行加密和封装。

/* Transform template. Stored inside a policy (xfrm_policy.xfrm_vec[]); once
 * a packet matches the policy's selector, the template is compared with the
 * xfrm_state entries to find the SA that will encrypt/encapsulate it. */
struct xfrm_tmpl {
/* id in template is interpreted as:
 * daddr - destination of tunnel, may be zero for transport mode.
 * spi   - zero to acquire spi. Not zero if spi is static, then
 *     daddr must be fixed too.
 * proto - AH/ESP/IPCOMP */
	struct xfrm_id		id;

/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t		saddr;

	unsigned short		encap_family;

	u32			reqid;

/* Mode: transport, tunnel etc. */
	u8			mode;

/* Sharing mode: unique, this session only, this user only etc. */
	u8			share;

/* May skip this transformation if no SA is found */
	u8			optional;

/* Skip aalgos/ealgos/calgos checks. */
	u8			allalgs;

/* Bit mask of algos allowed for acquisition */
	u32			aalgos;
	u32			ealgos;
	u32			calgos;
};

4. IPSec SA状态xfrm_state

SA状态保存了两个安全联盟端点协商出的安全通道的信息,这个是IKE协商第二阶段生成的IPSec SA,包括封装协议,加密算法,认证算法。它还包含了struct xfrm_id id和struct xfrm_selector sel,用于与策略的struct xfrm_tmpl和struct xfrm_selector进行匹配。

/* Full description of state of transformer.
 * One IPsec SA: the negotiated encapsulation protocol, algorithms and keys,
 * plus lifetime and anti-replay bookkeeping. 'id' and 'sel' are what a
 * policy's xfrm_tmpl and xfrm_selector are matched against. */
struct xfrm_state {
	possible_net_t		xs_net;
	union {
		struct hlist_node	gclist;
		struct hlist_node	bydst;
	};
	struct hlist_node	bysrc;
	struct hlist_node	byspi;

	atomic_t		refcnt;
	spinlock_t		lock;

	/* Identity (daddr/spi/proto) and selector used for lookup. */
	struct xfrm_id		id;
	struct xfrm_selector	sel;
	struct xfrm_mark	mark;
	u32			tfcpad;

	u32			genid;

	/* Key manager bits */
	struct xfrm_state_walk	km;

	/* Parameters of this state. */
	struct {
		u32		reqid;
		u8		mode;
		/* Anti-replay window size; see the replay fields below. */
		u8		replay_window;
		u8		aalgo, ealgo, calgo;
		u8		flags;
		u16		family;
		xfrm_address_t	saddr;
		int		header_len;
		int		trailer_len;
		u32		extra_flags;
	} props;

	/* Lifetime limits (byte/packet/time); curlft below holds usage. */
	struct xfrm_lifetime_cfg lft;

	/* Data for transformer */
	/* Authentication (aalg), encryption (ealg), compression (calg) and
	 * combined-mode AEAD (aead) algorithm descriptors. */
	struct xfrm_algo_auth	*aalg;
	struct xfrm_algo	*ealg;
	struct xfrm_algo	*calg;
	struct xfrm_algo_aead	*aead;
	const char		*geniv;

	/* Data for encapsulator */
	struct xfrm_encap_tmpl	*encap;

	/* Data for care-of address */
	xfrm_address_t	*coaddr;

	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state	*tunnel;

	/* If a tunnel, number of users + 1 */
	atomic_t		tunnel_users;

	/* State for replay detection */
	struct xfrm_replay_state replay;
	struct xfrm_replay_state_esn *replay_esn;

	/* Replay detection state at the time we sent the last notification */
	struct xfrm_replay_state preplay;
	struct xfrm_replay_state_esn *preplay_esn;

	/* The functions for replay detection. */
	struct xfrm_replay	*repl;

	/* internal flag that only holds state for delayed aevent at the
	 * moment
	*/
	u32			xflags;

	/* Replay detection notification settings */
	u32			replay_maxage;
	u32			replay_maxdiff;

	/* Replay detection notification timer */
	struct timer_list	rtimer;

	/* Statistics */
	struct xfrm_stats	stats;

	/* Current lifetime counters, compared against lft. */
	struct xfrm_lifetime_cur curlft;
	struct tasklet_hrtimer	mtimer;

	/* used to fix curlft->add_time when changing date */
	long		saved_tmo;

	/* Last used time */
	unsigned long		lastused;

	/* Reference to data common to all the instances of this
	 * transformer. */
	const struct xfrm_type	*type;
	struct xfrm_mode	*inner_mode;
	struct xfrm_mode	*inner_mode_iaf;
	struct xfrm_mode	*outer_mode;

	/* Security context */
	struct xfrm_sec_ctx	*security;

	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;
};