【内核IPSec代码分析1】术语与结构体
术语
1. xfrm
xfrm应该是transform的缩写,表示对ip报文的转换,即封装和解封装,加密和解密等。
2. bundle
bundle英文翻译为捆,把多个东西打成一个包等,在代码中多次出现这个词,如create_bundle, xfrm_bundle_lookup等,这里的意思应该指对普通IP 报文进行IPSec封装,可以理解为安全路由封装,或封包。
结构体
1. 策略xfrm_policy
策略包含了匹配报文的规则,由selector指定,包括了源地址,目的地址,协议等,还包含了IKE的配置,由xfrm_vec[]指定,xfrm_vec的元素个数由xfrm_nr指定。
/* An IPsec security policy (SPD entry). The selector names the traffic the
 * policy applies to; xfrm_vec[] holds the templates that matching traffic
 * must be transformed by, and xfrm_nr says how many of them are in use. */
struct xfrm_policy {
	possible_net_t xp_net;
	/* Hash-list linkage: by destination and by index. */
	struct hlist_node bydst;
	struct hlist_node byidx;
	/* This lock only affects elements except for entry. */
	rwlock_t lock;
	atomic_t refcnt;
	struct timer_list timer;
	struct flow_cache_object flo;
	atomic_t genid;
	u32 priority;
	u32 index;
	struct xfrm_mark mark;
	/* Traffic selector compared against the flow (addresses, ports, proto). */
	struct xfrm_selector selector;
	/* Configured lifetime limits and the current usage counters they bound. */
	struct xfrm_lifetime_cfg lft;
	struct xfrm_lifetime_cur curlft;
	struct xfrm_policy_walk_entry walk;
	struct xfrm_policy_queue polq;
	u8 type;
	u8 action;
	u8 flags;
	/* Number of valid entries in xfrm_vec[]; never more than XFRM_MAX_DEPTH. */
	u8 xfrm_nr;
	u16 family;
	struct xfrm_sec_ctx *security;
	/* Templates describing the SA(s) required for traffic matching the selector. */
	struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
};
2. 选择器xfrm_selector
用于与流信息进行比较,以决定是否选择使用此策略。
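/* Selector, used as selector both on policy rules (SPD) and SAs. */
struct xfrm_selector {
	/* Destination and source address; prefixlen_d / prefixlen_s give the
	 * prefix lengths that apply to them. */
	xfrm_address_t daddr;
	xfrm_address_t saddr;
	/* Ports in network byte order (__be16), each paired with its own mask. */
	__be16 dport;
	__be16 dport_mask;
	__be16 sport;
	__be16 sport_mask;
	__u16 family;
	__u8 prefixlen_d;
	__u8 prefixlen_s;
	/* Transport protocol of the flow. */
	__u8 proto;
	int ifindex;
	__kernel_uid32_t user;
};	/* the original listing dropped the terminating ';' after the struct body */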
3. IKE配置模板xfrm_tmpl
此模板保存在policy中,当报文匹配上此策略的selector时,会使用此策略的IKE配置模板和SA状态进行匹配,找到策略对应SA状态,这样才可以使用此SA状态的安全通道对报文进行加密和封装。
/* SA template stored inside a policy's xfrm_vec[]. When a packet matches the
 * policy's selector, these fields are matched against xfrm_state to find the
 * SA that has to be applied. */
struct xfrm_tmpl {
	/* id in template is interpreted as:
	 * daddr - destination of tunnel, may be zero for transport mode.
	 * spi - zero to acquire spi. Not zero if spi is static, then
	 * daddr must be fixed too.
	 * proto - AH/ESP/IPCOMP */
	struct xfrm_id id;
	/* Source address of tunnel. Ignored, if it is not a tunnel. */
	xfrm_address_t saddr;
	unsigned short encap_family;
	u32 reqid;
	/* Mode: transport, tunnel etc. */
	u8 mode;
	/* Sharing mode: unique, this session only, this user only etc. */
	u8 share;
	/* May skip this transformation if no SA is found */
	u8 optional;
	/* Skip aalgos/ealgos/calgos checks. When set, the algorithm masks below
	 * are not enforced against the SA, so review policies that set it. */
	u8 allalgs;
	/* Bit mask of algos allowed for acquisition */
	u32 aalgos;
	u32 ealgos;
	u32 calgos;
};
4. IPSec SA状态xfrm_state
SA状态保存了两个安全联盟端点协商出的安全通道的信息,这是IKE协商第二阶段生成的IPSec SA,包括封装协议、加密算法、认证算法。它还包含了struct xfrm_id id和struct xfrm_selector sel,用于与策略的struct xfrm_tmpl和struct xfrm_selector进行匹配。
/* Full description of state of transformer. */
/* One IPsec SA: the negotiated transform (protocol, algorithms, keys) plus the
 * anti-replay, lifetime and statistics state needed to apply it to packets.
 * id and sel are what a policy's xfrm_tmpl and xfrm_selector are matched
 * against. */
struct xfrm_state {
	possible_net_t xs_net;
	/* Hash-list linkage; gclist and bydst share storage. */
	union {
		struct hlist_node gclist;
		struct hlist_node bydst;
	};
	struct hlist_node bysrc;
	struct hlist_node byspi;
	atomic_t refcnt;
	spinlock_t lock;
	/* SA identity (matched against the policy template). */
	struct xfrm_id id;
	/* Selector (matched against the policy selector). */
	struct xfrm_selector sel;
	struct xfrm_mark mark;
	u32 tfcpad;
	u32 genid;
	/* Key manager bits */
	struct xfrm_state_walk km;
	/* Parameters of this state. */
	struct {
		u32 reqid;
		u8 mode;
		/* Size of the anti-replay window, see the replay fields below. */
		u8 replay_window;
		/* Authentication, encryption and compression algorithm selectors. */
		u8 aalgo, ealgo, calgo;
		u8 flags;
		u16 family;
		xfrm_address_t saddr;
		int header_len;
		int trailer_len;
		u32 extra_flags;
	} props;
	struct xfrm_lifetime_cfg lft;
	/* Data for transformer */
	struct xfrm_algo_auth *aalg;
	struct xfrm_algo *ealg;
	struct xfrm_algo *calg;
	struct xfrm_algo_aead *aead;
	const char *geniv;
	/* Data for encapsulator */
	struct xfrm_encap_tmpl *encap;
	/* Data for care-of address */
	xfrm_address_t *coaddr;
	/* IPComp needs an IPIP tunnel for handling uncompressed packets */
	struct xfrm_state *tunnel;
	/* If a tunnel, number of users + 1 */
	atomic_t tunnel_users;
	/* State for replay detection */
	struct xfrm_replay_state replay;
	/* *_esn: variant used when extended sequence numbers are in effect
	 * (NOTE(review): inferred from the name, confirm against xfrm_replay). */
	struct xfrm_replay_state_esn *replay_esn;
	/* Replay detection state at the time we sent the last notification */
	struct xfrm_replay_state preplay;
	struct xfrm_replay_state_esn *preplay_esn;
	/* The functions for replay detection. */
	struct xfrm_replay *repl;
	/* internal flag that only holds state for delayed aevent at the
	 * moment */
	u32 xflags;
	/* Replay detection notification settings */
	u32 replay_maxage;
	u32 replay_maxdiff;
	/* Replay detection notification timer */
	struct timer_list rtimer;
	/* Statistics */
	struct xfrm_stats stats;
	struct xfrm_lifetime_cur curlft;
	struct tasklet_hrtimer mtimer;
	/* used to fix curlft->add_time when changing date */
	long saved_tmo;
	/* Last used time */
	unsigned long lastused;
	/* Reference to data common to all the instances of this
	 * transformer. */
	const struct xfrm_type *type;
	struct xfrm_mode *inner_mode;
	struct xfrm_mode *inner_mode_iaf;
	struct xfrm_mode *outer_mode;
	/* Security context */
	struct xfrm_sec_ctx *security;
	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void *data;
};