klips2-design-api-trips.txt
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] -J DROP (or PEEK)
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         target DROP (or PEEK)

- allow properly processed packets in
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] --salist SAList
         char[] -J ACCEPT
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> sa match iptables(8) library
  ip6tables(8) -> sa match ip6tables(8) library
    in:  char[] --salist SAList
    out: struct ip_said SA[, ...]
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         struct ip_said SA[, ...]

- allow unprocessed packets from IPSec peer in
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK (remote SG)
         char[] -d DADDR/DMASK (local SG)
         char[] --proto ESP
         char[] --espspi SPI
         char[] -J ACCEPT
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev

- incoming packet is tested on match modules
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- packet arrives via transport layer demux to DECRYPT
  Transport Layer De-mux -> IPSec DECRYPT kernel module
    in:  struct sk_buff *skb

- fetch SAs specified by packet in skb
  IPSec DECRYPT kernel module -> SADB (SAID)
    in:  struct ip_said SA
    out: struct tdb *tdbp

- send skb (packet) back into NF_IP_PRE_ROUTE
  IPSec DECRYPT kernel module -> NetFilter
    in:  struct sk_buff *skb
         struct ip_said SA[,...]

- processed packet is tested on match modules and ACCEPTED
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- expire SA if a limit is reached
  SADB -> KMd (PF_KEYv2 EXPIRE)
    see RFC2367, PF_KEYv2 EXPIRE


Incoming w/existing connection specifying IPSec device

- put in the new SAs in place once the negotiations have succeeded
  KMd -> SADB (PF_KEYv2 ADD/UPDATE)
    see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA

- put in a blocking entry to prevent unprotected packets entering
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] -J DROP (or PEEK)
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         target DROP (or PEEK)

- allow properly processed packets in
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --in-interface IPSECdev
         char[] --seclev seclev
         char[] --salist SAList
           (can we set an --in-interface IPSECdev from this so we can
           just test in-interface?  This may need two entries, including
           a target SETDEV)
         char[] -J ACCEPT
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> sa match iptables(8) library
  ip6tables(8) -> sa match ip6tables(8) library
    in:  char[] --salist SAList
    out: struct ip_said SA[, ...]
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         struct ip_said SA[, ...]

- allow unprocessed packets from IPSec peer in
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK (remote SG)
         char[] -d DADDR/DMASK (local SG)
         char[] --proto ESP
         char[] --espspi SPI
         char[] -J ACCEPT
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev

- incoming packet is tested on match modules
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- packet arrives via transport layer demux to DECRYPT
  Transport Layer De-mux -> IPSec DECRYPT kernel module
    in:  struct sk_buff *skb

- fetch SAs specified by packet in skb
  IPSec DECRYPT kernel module -> SADB (SAID)
    in:  struct ip_said SA
    out: struct tdb *tdbp

- send skb (packet) back into NF_IP_PRE_ROUTE
  IPSec DECRYPT kernel module -> NetFilter
    in:  struct sk_buff *skb
         struct ip_said SA[,...]

- processed packet is tested on match modules and ACCEPTED
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- expire SA if a limit is reached
  SADB -> KMd (PF_KEYv2 EXPIRE)
    see RFC2367, PF_KEYv2 EXPIRE


Incoming no connection

- set target for PEEKing at (or TRAPing) incoming packets with no connection
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] -J PEEK (or TRAP)
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         target PEEK (or TRAP)

- packet comes in and gets tested by match modules
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- packet matches and gets sent to PEEK target
  NetFilter -> PEEK (or TRAP) target NetFilter kernel module
    in:  struct sk_buff *skb
    out: unsigned int = NF_ACCEPT (or NF_STOLEN)

- send up an ACQUIRE
  PEEK (or TRAP) target NetFilter kernel module -> KMds (PF_KEYv2 ACQUIRE)
    see RFC2367, PF_KEYv2 ACQUIRE

- create ACCEPT (or HOLD) target with skb info to prevent KMd overload
  PEEK (or HOLD) target NetFilter kernel module -> NetFilter
    in:  struct sk_buff *skb
    out: boolean

- next packet comes in while KMd is negotiating SAs.
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- put the new SAs in place once the negotiations have succeeded
  KMd -> SADB (PF_KEYv2 ADD/UPDATE)
    see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA

- put in a blocking entry to prevent unprotected packets entering
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] -J DROP (or PEEK)
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         (target PEEK)

- allow properly processed packets in
  KMd -> iptables(8) system(3) call (Policy)
  KMd -> ip6tables(8) system(3) call (Policy)
    in:  char[] -I
         char[] -s SADDR/SMASK
         char[] -d DADDR/DMASK
         char[] --protocol PROTO
         char[] --sport SPORT
         char[] --dport DPORT
         char[] --uid-owner UID
         char[] --seclev seclev
         char[] --salist SAList
         char[] -J ACCEPT
    out: unsigned char exit_code
  iptables(8) -> seclev match iptables(8) library
  ip6tables(8) -> seclev match ip6tables(8) library
    in:  char[] --seclev seclevstr
    out: struct seclev
  iptables(8) -> sa match iptables(8) library
  ip6tables(8) -> sa match ip6tables(8) library
    in:  char[] --salist SAList
    out: struct ip_said SA[, ...]
  iptables(8) -> NetFilter
  ip6tables(8) -> NetFilter
    I/F is already defined in NetFilter.  In addition, it will need
    structures to pass the following:
    in:  struct seclev
         struct ip_said SA[, ...]

- incoming packet is tested on match modules
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- packet arrives via transport layer demux to DECRYPT
  Transport Layer De-mux -> IPSec DECRYPT kernel module
    in:  struct sk_buff *skb

- fetch SAs specified by packet in skb
  IPSec DECRYPT kernel module -> SADB (SAID)
    in:  struct ip_said SA
    out: struct tdb *tdbp

- send skb (packet) back into NF_IP_PRE_ROUTE
  IPSec DECRYPT kernel module -> NetFilter
    in:  struct sk_buff *skb
         struct ip_said SA[,...]

- processed packet is tested on match modules and ACCEPTed
  NetFilter -> seclev match NetFilter kernel module
    in:  struct sk_buff *skb
         struct seclev
    out: boolean
  NetFilter -> sa match NetFilter kernel module
    in:  struct sk_buff *skb
         struct ip_said SA[,...]
    out: boolean

- expire SA if a limit is reached
  SADB -> KMd (PF_KEYv2 EXPIRE)
    see RFC2367, PF_KEYv2 EXPIRE


TODO: api trips:

  Packet w/no route?
    how to get to kmd?
    default route to IPSECdev which calls TRAP?

  Nested tunnels, IKE recursion api trip
    how to know when to stop decapsulating nested tunnels?

  DHR's routing problem
    multi-layer routing environments that both touch and denker need.

  nail down function calls and/or globals for each I/F,
    c-like function syntax

  better api block comments
    interface, function, args, block comment
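The "sa match" pair that recurs in every trip above (iptables(8) library: in `--salist SAList`, out `struct ip_said SA[, ...]`; NetFilter kernel module: in the packet's SAs, out boolean) is only named in the design, not specified. The following is an added example, not KLIPS2 or FreeS/WAN code, that models both halves in user space. It assumes a comma-joined `proto.spi@dst` text form for the SA list, a local `struct ip_said` stand-in with `dst`/`spi`/`proto` fields, and a `struct pkt` standing in for the `struct sk_buff` that carries the SAIDs DECRYPT stripped off; the "every SA the packet came through must be in the rule's list" semantics are my choice, since the design text leaves them open.

```c
/* Added example, not KLIPS2 or FreeS/WAN code: user-space model of the
 * proposed "sa match" pair.  parse_salist() is the iptables(8) library half
 * (in: "--salist SAList", out: struct ip_said SA[]); sa_match() is the
 * NetFilter kernel-module half (in: the packet's SAs, out: boolean).
 * Assumed: "proto.spi@dst" items joined by commas; local stand-in structs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SA_MAX    8
#define PROTO_ESP 50
#define PROTO_AH  51

struct ip_said {             /* local stand-in; the real KLIPS layout differs */
    uint32_t dst;            /* IPv4 address, host byte order */
    uint32_t spi;            /* host byte order */
    uint8_t  proto;
};

struct pkt {                 /* stand-in for struct sk_buff + SA list from DECRYPT */
    struct ip_said said[SA_MAX];
    int nsaid;               /* 0: the packet arrived unprotected */
};

static int parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    int octets = 0;
    for (;;) {
        char *end;
        unsigned long o;
        if (*s < '0' || *s > '9') return -1;   /* strtoul would accept ' ' or '+' */
        o = strtoul(s, &end, 10);
        if (o > 255 || octets == 4) return -1;
        v = (v << 8) | (uint32_t)o;
        octets++;
        if (*end == '\0') break;
        if (*end != '.') return -1;
        s = end + 1;
    }
    if (octets != 4) return -1;
    *out = v;
    return 0;
}

/* One "proto.spi@dst" item; tok is split in place. */
static int parse_said(char *tok, struct ip_said *sa)
{
    char *dot = strchr(tok, '.'), *at = dot ? strchr(dot, '@') : NULL, *end;
    unsigned long spi;
    if (dot == NULL || at == NULL) return -1;
    *dot = '\0';
    *at = '\0';
    if (strcmp(tok, "esp") == 0)     sa->proto = PROTO_ESP;
    else if (strcmp(tok, "ah") == 0) sa->proto = PROTO_AH;
    else return -1;
    spi = strtoul(dot + 1, &end, 16);          /* base 16 accepts an optional 0x */
    if (end == dot + 1 || *end != '\0' || spi > 0xffffffffUL) return -1;
    sa->spi = (uint32_t)spi;
    return parse_ipv4(at + 1, &sa->dst);
}

/* iptables(8) library half: number of SAIDs parsed into out[], or -1 on error. */
int parse_salist(const char *salist, struct ip_said *out, int max)
{
    int n = 0;
    while (*salist != '\0') {
        const char *comma = strchr(salist, ',');
        size_t len = comma ? (size_t)(comma - salist) : strlen(salist);
        char tok[64];
        if (len == 0 || len >= sizeof tok || n >= max) return -1;
        memcpy(tok, salist, len);
        tok[len] = '\0';
        if (parse_said(tok, &out[n]) < 0) return -1;
        n++;
        salist += comma ? len + 1 : len;
    }
    return n;
}

static int said_equal(const struct ip_said *a, const struct ip_said *b)
{
    return a->dst == b->dst && a->spi == b->spi && a->proto == b->proto;
}

/* NetFilter kernel-module half.  Semantics chosen here: an unprotected packet
 * never matches, and every SA the packet came through must be in the rule's
 * list, so a packet that arrived over an unexpected SA does not pick up ACCEPT. */
int sa_match(const struct pkt *p, const struct ip_said *rule, int nrule)
{
    if (p->nsaid <= 0) return 0;
    for (int i = 0; i < p->nsaid; i++) {
        int found = 0;
        for (int j = 0; j < nrule && !found; j++)
            found = said_equal(&p->said[i], &rule[j]);
        if (!found) return 0;
    }
    return 1;
}

/* Parse both sides from text and run the match: 1/0, or -1 if either is malformed. */
int salist_match(const char *rule_text, const char *pkt_text)
{
    struct ip_said rule[SA_MAX];
    struct pkt p;
    int nrule = parse_salist(rule_text, rule, SA_MAX);
    if (nrule < 0) return -1;
    p.nsaid = parse_salist(pkt_text, p.said, SA_MAX);   /* "" gives nsaid == 0 */
    if (p.nsaid < 0) return -1;
    return sa_match(&p, rule, nrule);
}

int main(void)
{
    const char *rule = "esp.0x1002@10.0.0.1,ah.0x1003@10.0.0.1";   /* constructed */
    printf("expected SA:    %d\n", salist_match(rule, "esp.0x1002@10.0.0.1"));
    printf("unexpected SA:  %d\n", salist_match(rule, "esp.0xdead@10.0.0.9"));
    printf("unprotected:    %d\n", salist_match(rule, ""));
    printf("malformed rule: %d\n", salist_match("esp.zz@10.0.0.1", ""));
    return 0;
}
```

The parse half rejects anything it cannot account for rather than matching on a best effort, which is the property you want from code that ends up deciding whether an ACCEPT rule fires; the match half refuses unprotected packets outright so the "allow properly processed packets in" entry cannot be satisfied by a packet that never went through DECRYPT.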
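The "Incoming no connection" trip has the PEEK (or TRAP) target send up a PF_KEYv2 ACQUIRE and then create a HOLD entry "to prevent KMd overload", so that the next packet arriving while KMd is still negotiating does not trigger a second ACQUIRE. The following is an added example, not KLIPS2 code, that models that target and its hold table in user space. It assumes a flow key of (src, dst, proto), a fixed-size hold table, `VERDICT_ACCEPT`/`VERDICT_STOLEN` standing for the NF_ACCEPT/NF_STOLEN choice in the text plus a `VERDICT_HELD` value for packets absorbed during negotiation, and a `flow_sa_installed()` call standing for KMd having finished its ADD/UPDATE and policy changes for that flow.

```c
/* Added example, not KLIPS2 code: user-space model of the PEEK/TRAP target
 * and the HOLD entry it installs so that a burst of packets for one
 * unprotected flow yields a single PF_KEYv2 ACQUIRE while KMd negotiates.
 * Assumed: flow key (src, dst, proto); fixed hold table; acquires_sent
 * counts ACQUIREs that would have gone up to KMd. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_ACCEPT = 0, VERDICT_STOLEN = 1, VERDICT_HELD = 2 };
enum hold_state { HOLD_FREE = 0, HOLD_NEGOTIATING, HOLD_DONE };

struct flow { uint32_t src, dst; uint8_t proto; };

struct hold_entry {
    struct flow key;
    enum hold_state state;
    unsigned held;               /* packets absorbed while waiting for KMd */
};

#define HOLD_MAX 16
static struct hold_entry holds[HOLD_MAX];
static unsigned acquires_sent;

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst && a->proto == b->proto;
}

static struct hold_entry *hold_find(const struct flow *f)
{
    for (int i = 0; i < HOLD_MAX; i++)
        if (holds[i].state != HOLD_FREE && flow_eq(&holds[i].key, f))
            return &holds[i];
    return NULL;
}

static struct hold_entry *hold_alloc(const struct flow *f)
{
    for (int i = 0; i < HOLD_MAX; i++)
        if (holds[i].state == HOLD_FREE) {
            holds[i].key = *f;
            holds[i].held = 0;
            return &holds[i];
        }
    return NULL;
}

/* The PEEK (or TRAP) target.  trap_mode == 0 is PEEK: tell KMd, let the
 * packet through (NF_ACCEPT).  trap_mode != 0 is TRAP: take the first packet
 * (NF_STOLEN) and hold later ones.  Either way KMd sees one ACQUIRE per flow. */
enum verdict peek_or_trap_target(const struct flow *f, int trap_mode)
{
    struct hold_entry *h = hold_find(f);
    if (h == NULL) {
        h = hold_alloc(f);
        if (h == NULL)                /* table full: never flood KMd with ACQUIREs */
            return trap_mode ? VERDICT_HELD : VERDICT_ACCEPT;
        h->state = HOLD_NEGOTIATING;
        acquires_sent++;              /* PF_KEYv2 ACQUIRE up to KMd (RFC 2367) */
        h->held++;
        return trap_mode ? VERDICT_STOLEN : VERDICT_ACCEPT;
    }
    if (h->state == HOLD_DONE)        /* SAs and policy in place: normal path */
        return VERDICT_ACCEPT;
    h->held++;                        /* still negotiating: no second ACQUIRE */
    return trap_mode ? VERDICT_HELD : VERDICT_ACCEPT;
}

/* KMd finished: SAs added and the ACCEPT policy installed for the flow. */
int flow_sa_installed(uint32_t src, uint32_t dst, uint8_t proto)
{
    struct flow f = { src, dst, proto };
    struct hold_entry *h = hold_find(&f);
    if (h == NULL) return -1;
    h->state = HOLD_DONE;
    return 0;
}

/* Scalar wrappers so the model can be driven without building structs. */
int flow_verdict(uint32_t src, uint32_t dst, uint8_t proto, int trap_mode)
{
    struct flow f = { src, dst, proto };
    return (int)peek_or_trap_target(&f, trap_mode);
}

unsigned acquires_total(void) { return acquires_sent; }

unsigned flow_held_count(uint32_t src, uint32_t dst, uint8_t proto)
{
    struct flow f = { src, dst, proto };
    struct hold_entry *h = hold_find(&f);
    return h ? h->held : 0;
}

void hold_reset(void)
{
    memset(holds, 0, sizeof holds);
    acquires_sent = 0;
}

int main(void)
{
    hold_reset();
    for (int i = 0; i < 3; i++)       /* constructed burst on one flow */
        printf("TRAP packet %d: verdict %d\n", i,
               flow_verdict(0x0a000001, 0x0a000002, 6, 1));
    printf("ACQUIREs sent: %u\n", acquires_total());
    flow_sa_installed(0x0a000001, 0x0a000002, 6);
    printf("after SA install: verdict %d\n",
           flow_verdict(0x0a000001, 0x0a000002, 6, 1));
    return 0;
}
```

Two things the model makes visible that the trip list only implies: a full hold table has to fail closed in TRAP mode (held, not a fresh ACQUIRE), otherwise a flood of distinct unprotected flows turns straight into a flood of ACQUIREs at KMd; and once KMd has installed its DROP/ACCEPT entries, packets for that flow should no longer reach the target at all, which is why `HOLD_DONE` entries here simply fall through to ACCEPT.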