]> granicus.if.org Git - libnl/commitdiff
xfrm: add xfrm support
authorSruthi Yellamraju <ysruthi@gmail.com>
Sun, 20 Jul 2014 13:57:33 +0000 (15:57 +0200)
committerThomas Haller <thaller@redhat.com>
Sun, 20 Jul 2014 16:14:46 +0000 (18:14 +0200)
Signed-off-by: Sruthi Yellamraju <ysruthi@gmail.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
20 files changed:
Makefile.am
configure.ac
include/Makefile.am
include/linux/xfrm.h [new file with mode: 0644]
include/netlink-private/netlink.h
include/netlink-private/types.h
include/netlink/xfrm/ae.h [new file with mode: 0644]
include/netlink/xfrm/lifetime.h [new file with mode: 0644]
include/netlink/xfrm/sa.h [new file with mode: 0644]
include/netlink/xfrm/selector.h [new file with mode: 0644]
include/netlink/xfrm/sp.h [new file with mode: 0644]
include/netlink/xfrm/template.h [new file with mode: 0644]
lib/Makefile.am
lib/xfrm/ae.c [new file with mode: 0644]
lib/xfrm/lifetime.c [new file with mode: 0644]
lib/xfrm/sa.c [new file with mode: 0644]
lib/xfrm/selector.c [new file with mode: 0644]
lib/xfrm/sp.c [new file with mode: 0644]
lib/xfrm/template.c [new file with mode: 0644]
libnl-xfrm-3.0.pc.in [new file with mode: 0644]

index bc4266def1849c3bb7431f1002f4eda9a836f9d2..5e464ac0c0144a6a9451f6620daa304776db7ceb 100644 (file)
@@ -7,7 +7,8 @@ SUBDIRS = include lib man python tests
 pkgconfig_DATA = libnl-3.0.pc \
                 libnl-route-3.0.pc \
                 libnl-genl-3.0.pc \
-                libnl-nf-3.0.pc
+                libnl-nf-3.0.pc \
+                libnl-xfrm-3.0.pc
 
 if ENABLE_CLI
 SUBDIRS += src
index c6f064e6a2f8f60567fd723be32125b7c70dca77..7764fed26e48d2f881b5703c7c1771803dbd1662 100644 (file)
@@ -127,6 +127,7 @@ libnl-route-3.0.pc
 libnl-genl-3.0.pc
 libnl-nf-3.0.pc
 libnl-cli-3.0.pc
+libnl-xfrm-3.0.pc
 lib/Makefile
 include/Makefile
 src/Makefile
index 765cf5a9fec05e6ad2079a473febb9d974fba5c0..9833defc26d69a06fd409b4f27d3c80c3feb33e8 100644 (file)
@@ -93,7 +93,13 @@ nobase_libnlinclude_HEADERS = \
        netlink/idiag/meminfo.h \
        netlink/idiag/msg.h \
        netlink/idiag/req.h \
-       netlink/idiag/vegasinfo.h
+       netlink/idiag/vegasinfo.h \
+       netlink/xfrm/ae.h \
+       netlink/xfrm/lifetime.h \
+       netlink/xfrm/sa.h \
+       netlink/xfrm/selector.h \
+       netlink/xfrm/sp.h \
+       netlink/xfrm/template.h
 
 if ENABLE_CLI
 nobase_libnlinclude_HEADERS += \
@@ -141,6 +147,7 @@ noinst_HEADERS = \
        linux/pkt_sched.h \
        linux/rtnetlink.h \
        linux/snmp.h \
+       linux/xfrm.h \
        linux/tc_ematch/tc_em_meta.h \
        netlink-private/genl.h \
        netlink-private/netlink.h \
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
new file mode 100644 (file)
index 0000000..0aa3805
--- /dev/null
@@ -0,0 +1,502 @@
+#ifndef _LINUX_XFRM_H
+#define _LINUX_XFRM_H
+
+#include <linux/types.h>
+
+/* All of the structures in this file may not change size as they are
+ * passed into the kernel from userspace via netlink sockets.
+ */
+
+/* Structure to encapsulate addresses. I do not want to use
+ * "standard" structure. My apologies.
+ */
+typedef union {
+       __be32          a4;
+       __be32          a6[4];
+} xfrm_address_t;
+
+/* Ident of a specific xfrm_state. It is used on input to lookup
+ * the state by (spi,daddr,ah/esp) or to store information about
+ * spi, protocol and tunnel address on output.
+ */
+struct xfrm_id {
+       xfrm_address_t  daddr;
+       __be32          spi;
+       __u8            proto;
+};
+
+struct xfrm_sec_ctx {
+       __u8    ctx_doi;
+       __u8    ctx_alg;
+       __u16   ctx_len;
+       __u32   ctx_sid;
+       char    ctx_str[0];
+};
+
+/* Security Context Domains of Interpretation */
+#define XFRM_SC_DOI_RESERVED 0
+#define XFRM_SC_DOI_LSM 1
+
+/* Security Context Algorithms */
+#define XFRM_SC_ALG_RESERVED 0
+#define XFRM_SC_ALG_SELINUX 1
+
+/* Selector, used as selector both on policy rules (SPD) and SAs. */
+
+struct xfrm_selector {
+       xfrm_address_t  daddr;
+       xfrm_address_t  saddr;
+       __be16  dport;
+       __be16  dport_mask;
+       __be16  sport;
+       __be16  sport_mask;
+       __u16   family;
+       __u8    prefixlen_d;
+       __u8    prefixlen_s;
+       __u8    proto;
+       int     ifindex;
+       __kernel_uid32_t        user;
+};
+
+#define XFRM_INF (~(__u64)0)
+
+struct xfrm_lifetime_cfg {
+       __u64   soft_byte_limit;
+       __u64   hard_byte_limit;
+       __u64   soft_packet_limit;
+       __u64   hard_packet_limit;
+       __u64   soft_add_expires_seconds;
+       __u64   hard_add_expires_seconds;
+       __u64   soft_use_expires_seconds;
+       __u64   hard_use_expires_seconds;
+};
+
+struct xfrm_lifetime_cur {
+       __u64   bytes;
+       __u64   packets;
+       __u64   add_time;
+       __u64   use_time;
+};
+
+struct xfrm_replay_state {
+       __u32   oseq;
+       __u32   seq;
+       __u32   bitmap;
+};
+
+struct xfrm_replay_state_esn {
+       unsigned int    bmp_len;
+       __u32           oseq;
+       __u32           seq;
+       __u32           oseq_hi;
+       __u32           seq_hi;
+       __u32           replay_window;
+       __u32           bmp[0];
+};
+
+struct xfrm_algo {
+       char            alg_name[64];
+       unsigned int    alg_key_len;    /* in bits */
+       char            alg_key[0];
+};
+
+struct xfrm_algo_auth {
+       char            alg_name[64];
+       unsigned int    alg_key_len;    /* in bits */
+       unsigned int    alg_trunc_len;  /* in bits */
+       char            alg_key[0];
+};
+
+struct xfrm_algo_aead {
+       char            alg_name[64];
+       unsigned int    alg_key_len;    /* in bits */
+       unsigned int    alg_icv_len;    /* in bits */
+       char            alg_key[0];
+};
+
+struct xfrm_stats {
+       __u32   replay_window;
+       __u32   replay;
+       __u32   integrity_failed;
+};
+
+enum {
+       XFRM_POLICY_TYPE_MAIN   = 0,
+       XFRM_POLICY_TYPE_SUB    = 1,
+       XFRM_POLICY_TYPE_MAX    = 2,
+       XFRM_POLICY_TYPE_ANY    = 255
+};
+
+enum {
+       XFRM_POLICY_IN  = 0,
+       XFRM_POLICY_OUT = 1,
+       XFRM_POLICY_FWD = 2,
+       XFRM_POLICY_MASK = 3,
+       XFRM_POLICY_MAX = 3
+};
+
+enum {
+       XFRM_SHARE_ANY,         /* No limitations */
+       XFRM_SHARE_SESSION,     /* For this session only */
+       XFRM_SHARE_USER,        /* For this user only */
+       XFRM_SHARE_UNIQUE       /* Use once */
+};
+
+#define XFRM_MODE_TRANSPORT 0
+#define XFRM_MODE_TUNNEL 1
+#define XFRM_MODE_ROUTEOPTIMIZATION 2
+#define XFRM_MODE_IN_TRIGGER 3
+#define XFRM_MODE_BEET 4
+#define XFRM_MODE_MAX 5
+
+/* Netlink configuration messages.  */
+enum {
+       XFRM_MSG_BASE = 0x10,
+
+       XFRM_MSG_NEWSA = 0x10,
+#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
+       XFRM_MSG_DELSA,
+#define XFRM_MSG_DELSA XFRM_MSG_DELSA
+       XFRM_MSG_GETSA,
+#define XFRM_MSG_GETSA XFRM_MSG_GETSA
+
+       XFRM_MSG_NEWPOLICY,
+#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
+       XFRM_MSG_DELPOLICY,
+#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
+       XFRM_MSG_GETPOLICY,
+#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
+
+       XFRM_MSG_ALLOCSPI,
+#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
+       XFRM_MSG_ACQUIRE,
+#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
+       XFRM_MSG_EXPIRE,
+#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
+
+       XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+       XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+
+       XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+       XFRM_MSG_FLUSHSA,
+#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
+       XFRM_MSG_FLUSHPOLICY,
+#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
+
+       XFRM_MSG_NEWAE,
+#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
+       XFRM_MSG_GETAE,
+#define XFRM_MSG_GETAE XFRM_MSG_GETAE
+
+       XFRM_MSG_REPORT,
+#define XFRM_MSG_REPORT XFRM_MSG_REPORT
+
+       XFRM_MSG_MIGRATE,
+#define XFRM_MSG_MIGRATE XFRM_MSG_MIGRATE
+
+       XFRM_MSG_NEWSADINFO,
+#define XFRM_MSG_NEWSADINFO XFRM_MSG_NEWSADINFO
+       XFRM_MSG_GETSADINFO,
+#define XFRM_MSG_GETSADINFO XFRM_MSG_GETSADINFO
+
+       XFRM_MSG_NEWSPDINFO,
+#define XFRM_MSG_NEWSPDINFO XFRM_MSG_NEWSPDINFO
+       XFRM_MSG_GETSPDINFO,
+#define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
+
+       XFRM_MSG_MAPPING,
+#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
+       __XFRM_MSG_MAX
+};
+#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+
+#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+
+/*
+ * Generic LSM security context for comunicating to user space
+ * NOTE: Same format as sadb_x_sec_ctx
+ */
+struct xfrm_user_sec_ctx {
+       __u16                   len;
+       __u16                   exttype;
+       __u8                    ctx_alg;  /* LSMs: e.g., selinux == 1 */
+       __u8                    ctx_doi;
+       __u16                   ctx_len;
+};
+
+struct xfrm_user_tmpl {
+       struct xfrm_id          id;
+       __u16                   family;
+       xfrm_address_t          saddr;
+       __u32                   reqid;
+       __u8                    mode;
+       __u8                    share;
+       __u8                    optional;
+       __u32                   aalgos;
+       __u32                   ealgos;
+       __u32                   calgos;
+};
+
+struct xfrm_encap_tmpl {
+       __u16           encap_type;
+       __be16          encap_sport;
+       __be16          encap_dport;
+       xfrm_address_t  encap_oa;
+};
+
+/* AEVENT flags  */
+enum xfrm_ae_ftype_t {
+       XFRM_AE_UNSPEC,
+       XFRM_AE_RTHR=1, /* replay threshold*/
+       XFRM_AE_RVAL=2, /* replay value */
+       XFRM_AE_LVAL=4, /* lifetime value */
+       XFRM_AE_ETHR=8, /* expiry timer threshold */
+       XFRM_AE_CR=16, /* Event cause is replay update */
+       XFRM_AE_CE=32, /* Event cause is timer expiry */
+       XFRM_AE_CU=64, /* Event cause is policy update */
+       __XFRM_AE_MAX
+
+#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
+};
+
+struct xfrm_userpolicy_type {
+       __u8            type;
+       __u16           reserved1;
+       __u8            reserved2;
+};
+
+/* Netlink message attributes.  */
+enum xfrm_attr_type_t {
+       XFRMA_UNSPEC,
+       XFRMA_ALG_AUTH,         /* struct xfrm_algo */
+       XFRMA_ALG_CRYPT,        /* struct xfrm_algo */
+       XFRMA_ALG_COMP,         /* struct xfrm_algo */
+       XFRMA_ENCAP,            /* struct xfrm_algo + struct xfrm_encap_tmpl */
+       XFRMA_TMPL,             /* 1 or more struct xfrm_user_tmpl */
+       XFRMA_SA,               /* struct xfrm_usersa_info  */
+       XFRMA_POLICY,           /*struct xfrm_userpolicy_info */
+       XFRMA_SEC_CTX,          /* struct xfrm_sec_ctx */
+       XFRMA_LTIME_VAL,
+       XFRMA_REPLAY_VAL,
+       XFRMA_REPLAY_THRESH,
+       XFRMA_ETIMER_THRESH,
+       XFRMA_SRCADDR,          /* xfrm_address_t */
+       XFRMA_COADDR,           /* xfrm_address_t */
+       XFRMA_LASTUSED,         /* unsigned long  */
+       XFRMA_POLICY_TYPE,      /* struct xfrm_userpolicy_type */
+       XFRMA_MIGRATE,
+       XFRMA_ALG_AEAD,         /* struct xfrm_algo_aead */
+       XFRMA_KMADDRESS,        /* struct xfrm_user_kmaddress */
+       XFRMA_ALG_AUTH_TRUNC,   /* struct xfrm_algo_auth */
+       XFRMA_MARK,             /* struct xfrm_mark */
+       XFRMA_TFCPAD,           /* __u32 */
+       XFRMA_REPLAY_ESN_VAL,   /* struct xfrm_replay_esn */
+       __XFRMA_MAX
+
+#define XFRMA_MAX (__XFRMA_MAX - 1)
+};
+
+struct xfrm_mark {
+       __u32           v; /* value */
+       __u32           m; /* mask */
+};
+
+enum xfrm_sadattr_type_t {
+       XFRMA_SAD_UNSPEC,
+       XFRMA_SAD_CNT,
+       XFRMA_SAD_HINFO,
+       __XFRMA_SAD_MAX
+
+#define XFRMA_SAD_MAX (__XFRMA_SAD_MAX - 1)
+};
+
+struct xfrmu_sadhinfo {
+       __u32 sadhcnt; /* current hash bkts */
+       __u32 sadhmcnt; /* max allowed hash bkts */
+};
+
+enum xfrm_spdattr_type_t {
+       XFRMA_SPD_UNSPEC,
+       XFRMA_SPD_INFO,
+       XFRMA_SPD_HINFO,
+       __XFRMA_SPD_MAX
+
+#define XFRMA_SPD_MAX (__XFRMA_SPD_MAX - 1)
+};
+
+struct xfrmu_spdinfo {
+       __u32 incnt;
+       __u32 outcnt;
+       __u32 fwdcnt;
+       __u32 inscnt;
+       __u32 outscnt;
+       __u32 fwdscnt;
+};
+
+struct xfrmu_spdhinfo {
+       __u32 spdhcnt;
+       __u32 spdhmcnt;
+};
+
+struct xfrm_usersa_info {
+       struct xfrm_selector            sel;
+       struct xfrm_id                  id;
+       xfrm_address_t                  saddr;
+       struct xfrm_lifetime_cfg        lft;
+       struct xfrm_lifetime_cur        curlft;
+       struct xfrm_stats               stats;
+       __u32                           seq;
+       __u32                           reqid;
+       __u16                           family;
+       __u8                            mode;           /* XFRM_MODE_xxx */
+       __u8                            replay_window;
+       __u8                            flags;
+#define XFRM_STATE_NOECN       1
+#define XFRM_STATE_DECAP_DSCP  2
+#define XFRM_STATE_NOPMTUDISC  4
+#define XFRM_STATE_WILDRECV    8
+#define XFRM_STATE_ICMP                16
+#define XFRM_STATE_AF_UNSPEC   32
+#define XFRM_STATE_ALIGN4      64
+#define XFRM_STATE_ESN         128
+};
+
+struct xfrm_usersa_id {
+       xfrm_address_t                  daddr;
+       __be32                          spi;
+       __u16                           family;
+       __u8                            proto;
+};
+
+struct xfrm_aevent_id {
+       struct xfrm_usersa_id           sa_id;
+       xfrm_address_t                  saddr;
+       __u32                           flags;
+       __u32                           reqid;
+};
+
+struct xfrm_userspi_info {
+       struct xfrm_usersa_info         info;
+       __u32                           min;
+       __u32                           max;
+};
+
+struct xfrm_userpolicy_info {
+       struct xfrm_selector            sel;
+       struct xfrm_lifetime_cfg        lft;
+       struct xfrm_lifetime_cur        curlft;
+       __u32                           priority;
+       __u32                           index;
+       __u8                            dir;
+       __u8                            action;
+#define XFRM_POLICY_ALLOW      0
+#define XFRM_POLICY_BLOCK      1
+       __u8                            flags;
+#define XFRM_POLICY_LOCALOK    1       /* Allow user to override global policy */
+       /* Automatically expand selector to include matching ICMP payloads. */
+#define XFRM_POLICY_ICMP       2
+       __u8                            share;
+};
+
+struct xfrm_userpolicy_id {
+       struct xfrm_selector            sel;
+       __u32                           index;
+       __u8                            dir;
+};
+
+struct xfrm_user_acquire {
+       struct xfrm_id                  id;
+       xfrm_address_t                  saddr;
+       struct xfrm_selector            sel;
+       struct xfrm_userpolicy_info     policy;
+       __u32                           aalgos;
+       __u32                           ealgos;
+       __u32                           calgos;
+       __u32                           seq;
+};
+
+struct xfrm_user_expire {
+       struct xfrm_usersa_info         state;
+       __u8                            hard;
+};
+
+struct xfrm_user_polexpire {
+       struct xfrm_userpolicy_info     pol;
+       __u8                            hard;
+};
+
+struct xfrm_usersa_flush {
+       __u8                            proto;
+};
+
+struct xfrm_user_report {
+       __u8                            proto;
+       struct xfrm_selector            sel;
+};
+
+/* Used by MIGRATE to pass addresses IKE should use to perform
+ * SA negotiation with the peer */
+struct xfrm_user_kmaddress {
+       xfrm_address_t                  local;
+       xfrm_address_t                  remote;
+       __u32                           reserved;
+       __u16                           family;
+};
+
+struct xfrm_user_migrate {
+       xfrm_address_t                  old_daddr;
+       xfrm_address_t                  old_saddr;
+       xfrm_address_t                  new_daddr;
+       xfrm_address_t                  new_saddr;
+       __u8                            proto;
+       __u8                            mode;
+       __u16                           reserved;
+       __u32                           reqid;
+       __u16                           old_family;
+       __u16                           new_family;
+};
+
+struct xfrm_user_mapping {
+       struct xfrm_usersa_id           id;
+       __u32                           reqid;
+       xfrm_address_t                  old_saddr;
+       xfrm_address_t                  new_saddr;
+       __be16                          old_sport;
+       __be16                          new_sport;
+};
+
+/* backwards compatibility for userspace */
+#define XFRMGRP_ACQUIRE                1
+#define XFRMGRP_EXPIRE         2
+#define XFRMGRP_SA             4
+#define XFRMGRP_POLICY         8
+#define XFRMGRP_REPORT         0x20
+
+enum xfrm_nlgroups {
+       XFRMNLGRP_NONE,
+#define XFRMNLGRP_NONE         XFRMNLGRP_NONE
+       XFRMNLGRP_ACQUIRE,
+#define XFRMNLGRP_ACQUIRE      XFRMNLGRP_ACQUIRE
+       XFRMNLGRP_EXPIRE,
+#define XFRMNLGRP_EXPIRE       XFRMNLGRP_EXPIRE
+       XFRMNLGRP_SA,
+#define XFRMNLGRP_SA           XFRMNLGRP_SA
+       XFRMNLGRP_POLICY,
+#define XFRMNLGRP_POLICY       XFRMNLGRP_POLICY
+       XFRMNLGRP_AEVENTS,
+#define XFRMNLGRP_AEVENTS      XFRMNLGRP_AEVENTS
+       XFRMNLGRP_REPORT,
+#define XFRMNLGRP_REPORT       XFRMNLGRP_REPORT
+       XFRMNLGRP_MIGRATE,
+#define XFRMNLGRP_MIGRATE      XFRMNLGRP_MIGRATE
+       XFRMNLGRP_MAPPING,
+#define XFRMNLGRP_MAPPING      XFRMNLGRP_MAPPING
+       __XFRMNLGRP_MAX
+};
+#define XFRMNLGRP_MAX  (__XFRMNLGRP_MAX - 1)
+
+#endif /* _LINUX_XFRM_H */
index e366d1e90f8985445359f8b7a3292ef740b3a6f5..990b99d8278f26f9fe85f5f40c7d74af78ec8531 100644 (file)
@@ -54,6 +54,7 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/snmp.h>
+#include <linux/xfrm.h>
 
 #ifndef DISABLE_PTHREADS
 #include <pthread.h>
index 3ff4fe1aadf385e2e5753c5581142e2757f27af6..cde85d679a5b49c8a8ad2cad81fdcddef423491e 100644 (file)
@@ -1000,4 +1000,231 @@ struct idiagnl_req {
        uint32_t                idiag_states;
        uint32_t                idiag_dbs;
 };
+
+// XFRM related definitions
+
+/* Selector, used as selector both on policy rules (SPD) and SAs. */
+struct xfrmnl_sel {
+        uint32_t                refcnt;
+        struct nl_addr*         daddr;
+        struct nl_addr*         saddr;
+        uint16_t                dport;
+        uint16_t                dport_mask;
+        uint16_t                sport;
+        uint16_t                sport_mask;
+        uint16_t                family;
+        uint8_t                 prefixlen_d;
+        uint8_t                 prefixlen_s;
+        uint8_t                 proto;
+        int32_t                 ifindex;
+        uint32_t                user;
+};
+
+/* Lifetime configuration, used for both policy rules (SPD) and SAs. */
+struct xfrmnl_ltime_cfg {
+        uint32_t                refcnt;
+        uint64_t                soft_byte_limit;
+        uint64_t                hard_byte_limit;
+        uint64_t                soft_packet_limit;
+        uint64_t                hard_packet_limit;
+        uint64_t                soft_add_expires_seconds;
+        uint64_t                hard_add_expires_seconds;
+        uint64_t                soft_use_expires_seconds;
+        uint64_t                hard_use_expires_seconds;
+};
+
+/* Current lifetime, used for both policy rules (SPD) and SAs. */
+struct xfrmnl_lifetime_cur {
+        uint64_t                bytes;
+        uint64_t                packets;
+        uint64_t                add_time;
+        uint64_t                use_time;
+};
+
+struct xfrmnl_replay_state {
+        uint32_t                oseq;
+        uint32_t                seq;
+        uint32_t                bitmap;
+};
+
+struct xfrmnl_replay_state_esn {
+        uint32_t                bmp_len;
+        uint32_t                oseq;
+        uint32_t                seq;
+        uint32_t                oseq_hi;
+        uint32_t                seq_hi;
+        uint32_t                replay_window;
+        uint32_t                bmp[0];
+};
+
+struct xfrmnl_mark {
+        uint32_t                v; /* value */
+        uint32_t                m; /* mask */
+};
+
+/* XFRM AE related definitions */
+
+struct xfrmnl_sa_id {
+        struct nl_addr*         daddr;
+        uint32_t                spi;
+        uint16_t                family;
+        uint8_t                 proto;
+};
+
+struct xfrmnl_ae {
+        NLHDR_COMMON
+
+        struct xfrmnl_sa_id             sa_id;
+        struct nl_addr*                 saddr;
+        uint32_t                        flags;
+        uint32_t                        reqid;
+        struct xfrmnl_mark              mark;
+        struct xfrmnl_lifetime_cur      lifetime_cur;
+        uint32_t                        replay_maxage;
+        uint32_t                        replay_maxdiff;
+        struct xfrmnl_replay_state      replay_state;
+        struct xfrmnl_replay_state_esn* replay_state_esn;
+};
+
+/* XFRM SA related definitions */
+
+struct xfrmnl_id {
+        struct nl_addr*         daddr;
+        uint32_t                spi;
+        uint8_t                 proto;
+};
+
+struct xfrmnl_stats {
+        uint32_t                replay_window;
+        uint32_t                replay;
+        uint32_t                integrity_failed;
+};
+
+struct xfrmnl_algo_aead {
+        char                    alg_name[64];
+        uint32_t                alg_key_len;    /* in bits */
+        uint32_t                alg_icv_len;    /* in bits */
+        char                    alg_key[0];
+};
+
+struct xfrmnl_algo_auth {
+        char                    alg_name[64];
+        uint32_t                alg_key_len;    /* in bits */
+        uint32_t                alg_trunc_len;  /* in bits */
+        char                    alg_key[0];
+};
+
+struct xfrmnl_algo {
+        char                    alg_name[64];
+        uint32_t                alg_key_len;    /* in bits */
+        char                    alg_key[0];
+};
+
+struct xfrmnl_encap_tmpl {
+        uint16_t                encap_type;
+        uint16_t                encap_sport;
+        uint16_t                encap_dport;
+        struct nl_addr*         encap_oa;
+};
+
+struct xfrmnl_sec_ctx {
+        uint8_t                 ctx_doi;
+        uint8_t                 ctx_alg;
+        uint16_t                ctx_len;
+        uint32_t                ctx_sid;
+        char                    ctx_str[0];
+};
+
+struct xfrmnl_sa {
+        NLHDR_COMMON
+
+        struct xfrmnl_sel*              sel;
+        struct xfrmnl_id                id;
+        struct nl_addr*                 saddr;
+        struct xfrmnl_ltime_cfg*        lft;
+        struct xfrmnl_lifetime_cur      curlft;
+        struct xfrmnl_stats             stats;
+        uint32_t                        seq;
+        uint32_t                        reqid;
+        uint16_t                        family;
+        uint8_t                         mode;           /* XFRM_MODE_xxx */
+        uint8_t                         replay_window;
+        uint8_t                         flags;
+        struct xfrmnl_algo_aead*        aead;
+        struct xfrmnl_algo_auth*        auth;
+        struct xfrmnl_algo*             crypt;
+        struct xfrmnl_algo*             comp;
+        struct xfrmnl_encap_tmpl*       encap;
+        uint32_t                        tfcpad;
+        struct nl_addr*                 coaddr;
+        struct xfrmnl_mark              mark;
+        struct xfrmnl_sec_ctx*          sec_ctx;
+        uint32_t                        replay_maxage;
+        uint32_t                        replay_maxdiff;
+        struct xfrmnl_replay_state      replay_state;
+        struct xfrmnl_replay_state_esn* replay_state_esn;
+        uint8_t                         hard;
+};
+
+struct xfrmnl_usersa_flush {
+        uint8_t                         proto;
+};
+
+
+/* XFRM SP related definitions */
+
+struct xfrmnl_userpolicy_id {
+        struct xfrmnl_sel               sel;
+        uint32_t                        index;
+        uint8_t                         dir;
+};
+
+struct xfrmnl_user_sec_ctx {
+        uint16_t                        len;
+        uint16_t                        exttype;
+        uint8_t                         ctx_alg;
+        uint8_t                         ctx_doi;
+        uint16_t                        ctx_len;
+        char                            ctx[0];
+};
+
+struct xfrmnl_userpolicy_type {
+        uint8_t                         type;
+        uint16_t                        reserved1;
+        uint16_t                        reserved2;
+};
+
+struct xfrmnl_user_tmpl {
+        struct xfrmnl_id                id;
+        uint16_t                        family;
+        struct nl_addr*                 saddr;
+        uint32_t                        reqid;
+        uint8_t                         mode;
+        uint8_t                         share;
+        uint8_t                         optional;
+        uint32_t                        aalgos;
+        uint32_t                        ealgos;
+        uint32_t                        calgos;
+        struct nl_list_head             utmpl_list;
+};
+
+struct xfrmnl_sp {
+        NLHDR_COMMON
+
+        struct xfrmnl_sel*              sel;
+        struct xfrmnl_ltime_cfg*        lft;
+        struct xfrmnl_lifetime_cur      curlft;
+        uint32_t                        priority;
+        uint32_t                        index;
+        uint8_t                         dir;
+        uint8_t                         action;
+        uint8_t                         flags;
+        uint8_t                         share;
+        struct xfrmnl_user_sec_ctx*     sec_ctx;
+        struct xfrmnl_userpolicy_type   uptype;
+        uint32_t                        nr_user_tmpl;
+        struct nl_list_head             usertmpl_list;
+        struct xfrmnl_mark              mark;
+};
+
 #endif
diff --git a/include/netlink/xfrm/ae.h b/include/netlink/xfrm/ae.h
new file mode 100644 (file)
index 0000000..86ccdd0
--- /dev/null
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_AE_H_
+#define NETLINK_XFRM_AE_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_ae;
+
+extern struct xfrmnl_ae*        xfrmnl_ae_alloc(void);
+extern void             xfrmnl_ae_put(struct xfrmnl_ae *);
+
+extern int              xfrmnl_ae_get_kernel(struct nl_sock*, struct nl_addr*, unsigned int, unsigned int,
+                                             unsigned int, unsigned int, struct xfrmnl_ae**);
+extern int              xfrmnl_ae_set(struct nl_sock*, struct xfrmnl_ae*, int);
+
+extern int              xfrmnl_ae_parse(struct nlmsghdr*, struct xfrmnl_ae **);
+extern int              xfrmnl_ae_build_get_request(struct nl_addr*, unsigned int, unsigned int,
+                                                    unsigned int, unsigned int, struct nl_msg **);
+
+extern struct nl_addr*  xfrmnl_ae_get_daddr (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_daddr (struct xfrmnl_ae*, struct nl_addr*);
+
+extern int              xfrmnl_ae_get_spi (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_spi (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_family (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_family (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_proto (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_proto (struct xfrmnl_ae*, unsigned int);
+
+extern struct nl_addr*  xfrmnl_ae_get_saddr (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_saddr (struct xfrmnl_ae*, struct nl_addr*);
+
+extern int              xfrmnl_ae_get_flags (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_flags (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_reqid (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_reqid (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_mark (struct xfrmnl_ae*, unsigned int*, unsigned int*);
+extern int              xfrmnl_ae_set_mark (struct xfrmnl_ae*, unsigned int, unsigned int);
+
+extern int              xfrmnl_ae_get_curlifetime (struct xfrmnl_ae*, unsigned long long int*,
+                                                   unsigned long long int*, unsigned long long int*,
+                                                   unsigned long long int*);
+extern int              xfrmnl_ae_set_curlifetime (struct xfrmnl_ae*, unsigned long long int,
+                                                   unsigned long long int, unsigned long long int,
+                                                   unsigned long long int);
+
+extern int              xfrmnl_ae_get_replay_maxage (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_replay_maxage (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_replay_maxdiff (struct xfrmnl_ae*);
+extern int              xfrmnl_ae_set_replay_maxdiff (struct xfrmnl_ae*, unsigned int);
+
+extern int              xfrmnl_ae_get_replay_state (struct xfrmnl_ae*, unsigned int*, unsigned int*, unsigned int*);
+extern int              xfrmnl_ae_set_replay_state (struct xfrmnl_ae*, unsigned int, unsigned int, unsigned int);
+
+extern int              xfrmnl_ae_get_replay_state_esn (struct xfrmnl_ae*, unsigned int*, unsigned int*, unsigned int*,
+                                                        unsigned int*, unsigned int*, unsigned int*, unsigned int*);
+extern int              xfrmnl_ae_set_replay_state_esn (struct xfrmnl_ae*, unsigned int, unsigned int, unsigned int,
+                                                        unsigned int, unsigned int, unsigned int, unsigned int*);
+
+extern char*            xfrmnl_ae_flags2str(int, char *, size_t);
+extern int              xfrmnl_ae_str2flag(const char *);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/netlink/xfrm/lifetime.h b/include/netlink/xfrm/lifetime.h
new file mode 100644 (file)
index 0000000..a5d5955
--- /dev/null
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_LTIME_H_
+#define NETLINK_XFRM_LTIME_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_ltime_cfg;
+
+/* Creation */
+extern struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_alloc(void);
+extern struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg*);
+
+/* Usage Management */
+extern struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_get(struct xfrmnl_ltime_cfg*);
+extern void                     xfrmnl_ltime_cfg_put(struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_shared(struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg*, struct xfrmnl_ltime_cfg*);
+
+/* Access Functions */
+extern unsigned long long       xfrmnl_ltime_cfg_get_soft_bytelimit (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_soft_bytelimit (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_hard_bytelimit (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_hard_bytelimit (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_soft_packetlimit (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_soft_packetlimit (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_hard_packetlimit (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_hard_packetlimit (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_soft_addexpires (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_soft_addexpires (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_hard_addexpires (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_hard_addexpires (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_soft_useexpires (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_soft_useexpires (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+extern unsigned long long       xfrmnl_ltime_cfg_get_hard_useexpires (struct xfrmnl_ltime_cfg*);
+extern int                      xfrmnl_ltime_cfg_set_hard_useexpires (struct xfrmnl_ltime_cfg*, unsigned long long);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/netlink/xfrm/sa.h b/include/netlink/xfrm/sa.h
new file mode 100644 (file)
index 0000000..acc7f4d
--- /dev/null
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_SA_H_
+#define NETLINK_XFRM_SA_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_sa;
+
+extern struct xfrmnl_sa*        xfrmnl_sa_alloc(void);
+extern void                     xfrmnl_sa_put(struct xfrmnl_sa *);
+
+extern int                      xfrmnl_sa_alloc_cache(struct nl_sock *, struct nl_cache **);
+extern struct xfrmnl_sa*        xfrmnl_sa_get(struct nl_cache*, struct nl_addr*, unsigned int, unsigned int);
+
+extern int                      xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result);
+
+extern int                      xfrmnl_sa_build_get_request(struct nl_addr*, unsigned int, unsigned int,
+                                                            unsigned int, unsigned int, struct nl_msg **);
+extern int                      xfrmnl_sa_get_kernel(struct nl_sock*, struct nl_addr*, unsigned int,
+                                                     unsigned int, unsigned int, unsigned int, struct xfrmnl_sa**);
+
+extern int                      xfrmnl_sa_build_add_request(struct xfrmnl_sa*, int, struct nl_msg **);
+extern int                      xfrmnl_sa_add(struct nl_sock*, struct xfrmnl_sa*, int);
+
+extern int                      xfrmnl_sa_build_update_request(struct xfrmnl_sa*, int, struct nl_msg **);
+extern int                      xfrmnl_sa_update(struct nl_sock*, struct xfrmnl_sa*, int);
+
+extern int                      xfrmnl_sa_build_delete_request(struct xfrmnl_sa*, int, struct nl_msg **);
+extern int                      xfrmnl_sa_delete(struct nl_sock*, struct xfrmnl_sa*, int);
+
+extern struct xfrmnl_sel*       xfrmnl_sa_get_sel (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_sel (struct xfrmnl_sa*, struct xfrmnl_sel*);
+
+extern struct nl_addr*          xfrmnl_sa_get_daddr (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_daddr (struct xfrmnl_sa*, struct nl_addr*);
+
+extern int                      xfrmnl_sa_get_spi (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_spi (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_proto (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_proto (struct xfrmnl_sa*, unsigned int);
+
+extern struct nl_addr*          xfrmnl_sa_get_saddr (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_saddr (struct xfrmnl_sa*, struct nl_addr*);
+
+extern struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa*, struct xfrmnl_ltime_cfg*);
+
+extern int                      xfrmnl_sa_get_curlifetime (struct xfrmnl_sa*, unsigned long long int*,
+                                                           unsigned long long int*, unsigned long long int*,
+                                                           unsigned long long int*);
+
+extern int                      xfrmnl_sa_get_stats (struct xfrmnl_sa*, unsigned long long int*,
+                                                     unsigned long long int*, unsigned long long int*);
+
+extern int                      xfrmnl_sa_get_seq (struct xfrmnl_sa*);
+
+extern int                      xfrmnl_sa_get_reqid (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_reqid (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_family (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_family (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_mode (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_mode (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_replay_window (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_replay_window (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_flags (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_flags (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_aead_params (struct xfrmnl_sa*, char*, unsigned int*,
+                                                           unsigned int*, char*);
+extern int                      xfrmnl_sa_set_aead_params (struct xfrmnl_sa*, char*, unsigned int,
+                                                           unsigned int, char*);
+
+extern int                      xfrmnl_sa_get_auth_params (struct xfrmnl_sa*, char*, unsigned int*,
+                                                           unsigned int*, char*);
+extern int                      xfrmnl_sa_set_auth_params (struct xfrmnl_sa*, char*, unsigned int,
+                                                           unsigned int, char*);
+
+extern int                      xfrmnl_sa_get_crypto_params (struct xfrmnl_sa*, char*, unsigned int*, char*);
+extern int                      xfrmnl_sa_set_crypto_params (struct xfrmnl_sa*, char*, unsigned int, char*);
+
+extern int                      xfrmnl_sa_get_comp_params (struct xfrmnl_sa*, char*, unsigned int*, char*);
+extern int                      xfrmnl_sa_set_comp_params (struct xfrmnl_sa*, char*, unsigned int, char*);
+
+extern int                      xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa*, unsigned int*, unsigned int*,
+                                                          unsigned int*, struct nl_addr**);
+extern int                      xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa*, unsigned int, unsigned int,
+                                                          unsigned int, struct nl_addr*);
+
+extern int                      xfrmnl_sa_get_tfcpad (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_tfcpad (struct xfrmnl_sa*, unsigned int);
+
+extern struct nl_addr*          xfrmnl_sa_get_coaddr (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_coaddr (struct xfrmnl_sa*, struct nl_addr*);
+
+extern int                      xfrmnl_sa_get_mark (struct xfrmnl_sa*, unsigned int*, unsigned int*);
+extern int                      xfrmnl_sa_set_mark (struct xfrmnl_sa*, unsigned int, unsigned int);
+
+extern int                      xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa*, unsigned int, unsigned int,
+                                                       unsigned int, unsigned int, char*);
+extern int                      xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa*, unsigned int, unsigned int,
+                                                       unsigned int, unsigned int, char*);
+
+extern int                      xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa*, unsigned int);
+
+extern int                      xfrmnl_sa_get_replay_state (struct xfrmnl_sa*, unsigned int*,
+                                                            unsigned int*, unsigned int*);
+extern int                      xfrmnl_sa_set_replay_state (struct xfrmnl_sa*, unsigned int,
+                                                            unsigned int, unsigned int);
+
+extern int                      xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa*, unsigned int*, unsigned int*,
+                                                                unsigned int*, unsigned int*, unsigned int*,
+                                                                unsigned int*, unsigned int*);
+extern int                      xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa*, unsigned int, unsigned int,
+                                                                unsigned int, unsigned int, unsigned int,
+                                                                unsigned int, unsigned int*);
+
+extern int                      xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa*);
+extern int                      xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa*);
+
+extern char*                    xfrmnl_sa_flags2str(int, char *, size_t);
+extern int                      xfrmnl_sa_str2flag(const char *);
+
+extern char*                    xfrmnl_sa_mode2str(int, char *, size_t);
+extern int                      xfrmnl_sa_str2mode(const char *);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/netlink/xfrm/selector.h b/include/netlink/xfrm/selector.h
new file mode 100644 (file)
index 0000000..2ee6842
--- /dev/null
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_SEL_H_
+#define NETLINK_XFRM_SEL_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_sel;
+
+/* Creation */
+extern struct xfrmnl_sel*       xfrmnl_sel_alloc(void);
+extern struct xfrmnl_sel*       xfrmnl_sel_clone(struct xfrmnl_sel*);
+
+/* Usage Management */
+extern struct xfrmnl_sel*       xfrmnl_sel_get(struct xfrmnl_sel*);
+extern void                     xfrmnl_sel_put(struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_shared(struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_cmp(struct xfrmnl_sel*, struct xfrmnl_sel*);
+extern void                     xfrmnl_sel_dump(struct xfrmnl_sel*, struct nl_dump_params *);
+
+/* Access Functions */
+extern struct nl_addr*          xfrmnl_sel_get_daddr (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_daddr (struct xfrmnl_sel*, struct nl_addr*);
+
+extern struct nl_addr*          xfrmnl_sel_get_saddr (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_saddr (struct xfrmnl_sel*, struct nl_addr*);
+
+extern int                      xfrmnl_sel_get_dport (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_dport (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_dportmask (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_dportmask (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_sport (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_sport (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_sportmask (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_sportmask (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_family (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_family (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_prefixlen_d (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_prefixlen_d (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_prefixlen_s (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_prefixlen_s (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_proto (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_proto (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_ifindex (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_ifindex (struct xfrmnl_sel*, unsigned int);
+
+extern int                      xfrmnl_sel_get_userid (struct xfrmnl_sel*);
+extern int                      xfrmnl_sel_set_userid (struct xfrmnl_sel*, unsigned int);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/netlink/xfrm/sp.h b/include/netlink/xfrm/sp.h
new file mode 100644 (file)
index 0000000..84cbfb2
--- /dev/null
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_SP_H_
+#define NETLINK_XFRM_SP_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <netlink/xfrm/template.h>
+#include <netlink/xfrm/lifetime.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_sp;
+
+extern struct xfrmnl_sp*        xfrmnl_sp_alloc(void);
+extern void                     xfrmnl_sp_put(struct xfrmnl_sp *);
+
+extern int                      xfrmnl_sp_alloc_cache(struct nl_sock *, struct nl_cache **);
+extern struct xfrmnl_sp*        xfrmnl_sp_get(struct nl_cache*, unsigned int, unsigned int);
+
+extern int                      xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result);
+
+extern int                      xfrmnl_sp_build_get_request(unsigned int, unsigned int, unsigned int,
+                                                            unsigned int, struct nl_msg **);
+extern int                      xfrmnl_sp_get_kernel(struct nl_sock*, unsigned int, unsigned int,
+                                                     unsigned int, unsigned int, struct xfrmnl_sp**);
+
+extern int                      xfrmnl_sp_add(struct nl_sock*, struct xfrmnl_sp*, int);
+extern int                      xfrmnl_sp_build_add_request(struct xfrmnl_sp*, int, struct nl_msg **);
+
+extern int                      xfrmnl_sp_update(struct nl_sock*, struct xfrmnl_sp*, int);
+extern int                      xfrmnl_sp_build_update_request(struct xfrmnl_sp*, int, struct nl_msg **);
+
+extern int                      xfrmnl_sp_delete(struct nl_sock*, struct xfrmnl_sp*, int);
+extern int                      xfrmnl_sp_build_delete_request(struct xfrmnl_sp*, int, struct nl_msg **);
+
+extern struct xfrmnl_sel*       xfrmnl_sp_get_sel (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_sel (struct xfrmnl_sp*, struct xfrmnl_sel*);
+
+extern struct xfrmnl_ltime_cfg* xfrmnl_sp_get_lifetime_cfg (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_lifetime_cfg (struct xfrmnl_sp*, struct xfrmnl_ltime_cfg*);
+
+extern int                      xfrmnl_sp_get_curlifetime (struct xfrmnl_sp*, unsigned long long int*,
+                                                           unsigned long long int*, unsigned long long int*,
+                                                           unsigned long long int*);
+
+extern int                      xfrmnl_sp_get_priority (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_priority (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_index (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_index (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_dir (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_dir (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_action (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_action (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_flags (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_flags (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_share (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_share (struct xfrmnl_sp*, unsigned int);
+
+extern int                      xfrmnl_sp_get_sec_ctx (struct xfrmnl_sp*, unsigned int*, unsigned int*,
+                                                       unsigned int*, unsigned int*, unsigned int*, char*);
+extern int                      xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp*, unsigned int, unsigned int,
+                                                       unsigned int, unsigned int, unsigned int, char*);
+
+extern int                      xfrmnl_sp_get_userpolicy_type (struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_set_userpolicy_type (struct xfrmnl_sp*, unsigned int);
+
+extern void                     xfrmnl_sp_add_usertemplate(struct xfrmnl_sp*, struct xfrmnl_user_tmpl*);
+extern void                     xfrmnl_sp_remove_usertemplate(struct xfrmnl_sp*, struct xfrmnl_user_tmpl*);
+extern struct nl_list_head*     xfrmnl_sp_get_usertemplates(struct xfrmnl_sp*);
+extern int                      xfrmnl_sp_get_nusertemplates(struct xfrmnl_sp*);
+extern void                     xfrmnl_sp_foreach_usertemplate(struct xfrmnl_sp*,
+                                                               void (*cb)(struct xfrmnl_user_tmpl*, void *),
+                                                               void *arg);
+extern struct xfrmnl_user_tmpl* xfrmnl_sp_usertemplate_n(struct xfrmnl_sp*, int);
+
+extern int                      xfrmnl_sp_get_mark (struct xfrmnl_sp*, unsigned int*, unsigned int*);
+extern int                      xfrmnl_sp_set_mark (struct xfrmnl_sp*, unsigned int, unsigned int);
+
+extern char*                    xfrmnl_sp_action2str(int, char *, size_t);
+extern int                      xfrmnl_sp_str2action(const char *);
+
+extern char*                    xfrmnl_sp_flags2str(int, char *, size_t);
+extern int                      xfrmnl_sp_str2flag(const char *);
+
+extern char*                    xfrmnl_sp_type2str(int, char *, size_t);
+extern int                      xfrmnl_sp_str2type(const char *);
+
+extern char*                    xfrmnl_sp_dir2str(int, char *, size_t);
+extern int                      xfrmnl_sp_str2dir(const char *);
+
+extern char*                    xfrmnl_sp_share2str(int, char *, size_t);
+extern int                      xfrmnl_sp_str2share(const char *);
+
+extern int                      xfrmnl_sp_index2dir (unsigned int);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/netlink/xfrm/template.h b/include/netlink/xfrm/template.h
new file mode 100644 (file)
index 0000000..da51e7d
--- /dev/null
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+*/
+#ifndef NETLINK_XFRM_TEMPL_H_
+#define NETLINK_XFRM_TEMPL_H_
+
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/addr.h>
+#include <linux/xfrm.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct xfrmnl_user_tmpl;
+
+/* Creation */
+extern struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_alloc(void);
+extern struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_clone(struct xfrmnl_user_tmpl*);
+extern void                     xfrmnl_user_tmpl_free(struct xfrmnl_user_tmpl* utmpl);
+
+/* Utility functions */
+extern int                      xfrmnl_user_tmpl_cmp(struct xfrmnl_user_tmpl*, struct xfrmnl_user_tmpl*);
+extern void                     xfrmnl_user_tmpl_dump(struct xfrmnl_user_tmpl*, struct nl_dump_params*);
+
+/* Access Functions */
+extern struct nl_addr*          xfrmnl_user_tmpl_get_daddr (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_daddr (struct xfrmnl_user_tmpl*, struct nl_addr*);
+
+extern int                      xfrmnl_user_tmpl_get_spi (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_spi (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_proto (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_proto (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_family (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_family (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern struct nl_addr*          xfrmnl_user_tmpl_get_saddr (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_saddr (struct xfrmnl_user_tmpl*, struct nl_addr*);
+
+extern int                      xfrmnl_user_tmpl_get_reqid (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_reqid (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_mode (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_mode (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_share (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_share (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_optional (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_optional (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_aalgos (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_aalgos (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_ealgos (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_ealgos (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern int                      xfrmnl_user_tmpl_get_calgos (struct xfrmnl_user_tmpl*);
+extern int                      xfrmnl_user_tmpl_set_calgos (struct xfrmnl_user_tmpl*, unsigned int);
+
+extern char*                    xfrmnl_user_tmpl_mode2str(int, char *, size_t);
+extern int                      xfrmnl_user_tmpl_str2mode(const char *);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
index 1ae37a934a771e474a56f71f33f7ba498fb8fe1c..4953d21f464c654bbc132b2fc2612e59aa2bc57b 100644 (file)
@@ -14,7 +14,7 @@ AM_LDFLAGS = \
        -Wl,--version-script=$(top_builddir)/libnl.sym
 
 lib_LTLIBRARIES = \
-       libnl-3.la libnl-genl-3.la libnl-route-3.la libnl-nf-3.la libnl-idiag-3.la
+       libnl-3.la libnl-genl-3.la libnl-route-3.la libnl-nf-3.la libnl-idiag-3.la libnl-xfrm-3.la
 
 libnl_3_la_SOURCES = \
        addr.c attr.c cache.c cache_mngr.c cache_mngt.c data.c \
@@ -110,6 +110,15 @@ EXTRA_DIST = \
        route/cls/ematch_grammar.l \
        route/cls/ematch_syntax.y
 
+libnl_xfrm_3_la_LIBADD  = libnl-3.la
+libnl_xfrm_3_la_SOURCES = \
+       xfrm/ae.c \
+       xfrm/lifetime.c \
+       xfrm/sa.c \
+       xfrm/selector.c \
+       xfrm/sp.c \
+       xfrm/template.c
+
 if ENABLE_CLI
 nobase_pkglib_LTLIBRARIES = \
        cli/qdisc/htb.la \
diff --git a/lib/xfrm/ae.c b/lib/xfrm/ae.c
new file mode 100644 (file)
index 0000000..bbc1a1c
--- /dev/null
@@ -0,0 +1,977 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * @ingroup xfrmnl
+ * @defgroup ae Attribute Element
+ * @brief
+ *
+ * The AE interface allows a user to retrieve and update various
+ * Security Association (SA) attributes such as lifetime, replay state etc.
+ *
+ * @par AE Flags
+ * @code
+ * XFRM_AE_UNSPEC
+ * XFRM_AE_RTHR=1
+ * XFRM_AE_RVAL=2
+ * XFRM_AE_LVAL=4
+ * XFRM_AE_ETHR=8
+ * XFRM_AE_CR=16
+ * XFRM_AE_CE=32
+ * XFRM_AE_CU=64
+ * @endcode
+ *
+ * @par AE Identification
+ * An AE is uniquely identified by the attributes listed below, whenever
+ * you refer to an existing AE all of the attributes must be set. There is
+ * no cache support for AE since you can retrieve the AE for any given combination
+ * of attributes mentioned below, but not all at once since they just characterize
+ * an SA.
+ *   - destination address (xfrmnl_ae_set_daddr())
+ *   - SPI (xfrmnl_ae_set_spi)
+ *   - protocol (xfrmnl_ae_set_proto)
+ *   - mark (xfrmnl_ae_set_mark)
+ *
+ * @par Changeable Attributes
+ * \anchor ae_changeable
+ *  - current lifetime (xfrmnl_ae_set_curlifetime())
+ *  - replay properties (xfrmnl_ae_set_replay_maxage(), xfrmnl_ae_set_replay_maxdiff())
+ *  - replay state (xfrmnl_ae_set_replay_state(), xfrmnl_ae_set_replay_state_esn))
+ *
+ * @par Required Caches for Dumping
+ * None
+ *
+ * @par TODO
+ * None
+ *
+ * @par 1) Retrieving AE information for a given SA tuple
+ * @code
+ * // Create a netlink socket and connect it to XFRM subsystem in
+ * the kernel to be able to send/receive info from userspace.
+ * struct nl_sock* sk = nl_socket_alloc ();
+ * nl_connect (sk, NETLINK_XFRM);
+ *
+ * // AEs can then be looked up by the SA tuple, destination address,
+ * SPI, protocol, mark:
+ * struct xfrmnl_ae *ae;
+ * xfrmnl_ae_get_kernel(sk, dst_addr, spi, proto,mark_mask, mark_value, &ae);
+ *
+ * // After successful usage, the object must be freed
+ * xfrmnl_ae_put(ae);
+ * @endcode
+ *
+ * @par 2) Updating AE
+ * @code
+ * // Allocate an empty AE handle to be filled out with the attributes
+ * // of the new AE.
+ * struct xfrmnl_ae *ae = xfrmnl_ae_alloc();
+ *
+ * // Fill out the attributes of the new AE
+ * xfrmnl_ae_set_daddr(ae, dst_addr);
+ * xfrmnl_ae_set_spi(ae, 0xDEADBEEF);
+ * xfrmnl_ae_set_proto(ae, 50);
+ * xfrmnl_ae_set_mark(ae, 0x0);
+ * xfrmnl_ae_set_saddr(ae, src_addr);
+* xfrmnl_ae_set_curlifetime(ae, 540, 10, 0xAABB1122, 0x0);
+*
+* // Build the netlink message and send it to the kernel, the operation will
+* // block until the operation has been completed. Alternatively, a netlink message
+* // can be built using xfrmnl_ae_build_get_request () API and be sent using
+* // nl_send_auto(). Further the result from the kernel can be parsed using
+* // xfrmnl_ae_parse() API.
+* xfrmnl_ae_set(sk, ae, NLM_F_REPLACE);
+*
+* // Free the memory
+* xfrmnl_ae_put(ae);
+* @endcode
+*
+* @endcode
+* @}
+*/
+
+#include <netlink-private/netlink.h>
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/object.h>
+#include <linux/xfrm.h>
+
+/** @cond SKIP */
+#define XFRM_AE_ATTR_DADDR          0x01
+#define XFRM_AE_ATTR_SPI            0x02
+#define XFRM_AE_ATTR_PROTO          0x04
+#define XFRM_AE_ATTR_SADDR          0x08
+#define XFRM_AE_ATTR_FLAGS          0x10
+#define XFRM_AE_ATTR_REQID          0x20
+#define XFRM_AE_ATTR_MARK           0x40
+#define XFRM_AE_ATTR_LIFETIME       0x80
+#define XFRM_AE_ATTR_REPLAY_MAXAGE  0x100
+#define XFRM_AE_ATTR_REPLAY_MAXDIFF 0x200
+#define XFRM_AE_ATTR_REPLAY_STATE   0x400
+#define XFRM_AE_ATTR_FAMILY         0x800
+
+static struct nl_object_ops xfrm_ae_obj_ops;
+/** @endcond */
+
+
+static void xfrm_ae_free_data(struct nl_object *c)
+{
+        struct xfrmnl_ae* ae =   nl_object_priv (c);
+
+        if (ae == NULL)
+                return;
+
+        nl_addr_put (ae->sa_id.daddr);
+        nl_addr_put (ae->saddr);
+
+        if (ae->replay_state_esn)
+                free (ae->replay_state_esn);
+}
+
+static int xfrm_ae_clone(struct nl_object *_dst, struct nl_object *_src)
+{
+        struct xfrmnl_ae* dst = nl_object_priv(_dst);
+        struct xfrmnl_ae* src = nl_object_priv(_src);
+
+        if (src->sa_id.daddr)
+                if ((dst->sa_id.daddr = nl_addr_clone (src->sa_id.daddr)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->saddr)
+                if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->replay_state_esn)
+        {
+                uint32_t len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * src->replay_state_esn->bmp_len);
+                if ((dst->replay_state_esn = (struct xfrmnl_replay_state_esn*)calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy (dst->replay_state_esn, dst->replay_state_esn, len);
+        }
+
+        return 0;
+}
+
+static int xfrm_ae_compare(struct nl_object *_a, struct nl_object *_b, uint32_t attrs, int flags)
+{
+        struct xfrmnl_ae* a  =   (struct xfrmnl_ae *) _a;
+        struct xfrmnl_ae* b  =   (struct xfrmnl_ae *) _b;
+        int diff = 0, found = 0;
+
+#define XFRM_AE_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_AE_ATTR_##ATTR, a, b, EXPR)
+        diff |= XFRM_AE_DIFF(DADDR, nl_addr_cmp(a->sa_id.daddr, b->sa_id.daddr));
+        diff |= XFRM_AE_DIFF(SPI, a->sa_id.spi != b->sa_id.spi);
+        diff |= XFRM_AE_DIFF(PROTO, a->sa_id.proto != b->sa_id.proto);
+        diff |= XFRM_AE_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
+        diff |= XFRM_AE_DIFF(FLAGS, a->flags != b->flags);
+        diff |= XFRM_AE_DIFF(REQID, a->reqid != b->reqid);
+        diff |= XFRM_AE_DIFF(MARK, (a->mark.v & a->mark.m) != (b->mark.v & b->mark.m));
+        diff |= XFRM_AE_DIFF(REPLAY_MAXAGE, a->replay_maxage != b->replay_maxage);
+        diff |= XFRM_AE_DIFF(REPLAY_MAXDIFF, a->replay_maxdiff != b->replay_maxdiff);
+
+        /* Compare replay states */
+        found = AVAILABLE_MISMATCH (a, b, XFRM_AE_ATTR_REPLAY_STATE);
+        if (found == 0) // attribute exists in both objects
+        {
+                if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
+                     ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
+                        found |= 1;
+
+                if (found == 0) // same replay type. compare actual values
+                {
+                        if (a->replay_state_esn)
+                        {
+                                if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
+                                        diff |= 1;
+                                else
+                                {
+                                        uint32_t len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * a->replay_state_esn->bmp_len);
+                                        diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
+                                }
+                        }
+                        else
+                        {
+                                if ((a->replay_state.oseq != b->replay_state.oseq) ||
+                                    (a->replay_state.seq != b->replay_state.seq) ||
+                                    (a->replay_state.bitmap != b->replay_state.bitmap))
+                                        diff |= 1;
+                        }
+                }
+        }
+#undef XFRM_AE_DIFF
+
+        return diff;
+}
+
+/**
+ * @name XFRM AE Attribute Translations
+ * @{
+ */
+static const struct trans_tbl ae_attrs[] =
+{
+        __ADD(XFRM_AE_ATTR_DADDR, daddr)
+        __ADD(XFRM_AE_ATTR_SPI, spi)
+        __ADD(XFRM_AE_ATTR_PROTO, protocol)
+        __ADD(XFRM_AE_ATTR_SADDR, saddr)
+        __ADD(XFRM_AE_ATTR_FLAGS, flags)
+        __ADD(XFRM_AE_ATTR_REQID, reqid)
+        __ADD(XFRM_AE_ATTR_MARK, mark)
+        __ADD(XFRM_AE_ATTR_LIFETIME, cur_lifetime)
+        __ADD(XFRM_AE_ATTR_REPLAY_MAXAGE, replay_maxage)
+        __ADD(XFRM_AE_ATTR_REPLAY_MAXDIFF, replay_maxdiff)
+        __ADD(XFRM_AE_ATTR_REPLAY_STATE, replay_state)
+};
+
+static char* xfrm_ae_attrs2str (int attrs, char *buf, size_t len)
+{
+        return __flags2str(attrs, buf, len, ae_attrs, ARRAY_SIZE(ae_attrs));
+}
+/** @} */
+
+/**
+ * @name XFRM AE Flags Translations
+ * @{
+ */
+
+static const struct trans_tbl ae_flags[] = {
+        __ADD(XFRM_AE_UNSPEC, unspecified)
+        __ADD(XFRM_AE_RTHR, replay threshold)
+        __ADD(XFRM_AE_RVAL, replay value)
+        __ADD(XFRM_AE_LVAL, lifetime value)
+        __ADD(XFRM_AE_ETHR, expiry time threshold)
+        __ADD(XFRM_AE_CR, replay update event)
+        __ADD(XFRM_AE_CE, timer expiry event)
+        __ADD(XFRM_AE_CU, policy update event)
+};
+
+char* xfrmnl_ae_flags2str(int flags, char *buf, size_t len)
+{
+        return __flags2str (flags, buf, len, ae_flags, ARRAY_SIZE(ae_flags));
+}
+
+int xfrmnl_ae_str2flag(const char *name)
+{
+        return __str2flags(name, ae_flags, ARRAY_SIZE(ae_flags));
+}
+/** @} */
+
+static void xfrm_ae_dump_line(struct nl_object *a, struct nl_dump_params *p)
+{
+        char                dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
+        struct xfrmnl_ae*   ae  =   (struct xfrmnl_ae *) a;
+        char                flags[128], buf[128];
+        time_t              add_time, use_time;
+        struct tm           *add_time_tm, *use_time_tm;
+
+        nl_dump_line(p, "src %s dst %s \n", nl_addr2str(ae->saddr, src, sizeof(src)),
+                        nl_addr2str(ae->sa_id.daddr, dst, sizeof(dst)));
+
+        nl_dump_line(p, "\tproto %s spi 0x%x reqid %u ",
+                        nl_ip_proto2str (ae->sa_id.proto, buf, sizeof (buf)),
+                        ae->sa_id.spi, ae->reqid);
+
+        xfrmnl_ae_flags2str(ae->flags, flags, sizeof (flags));
+        nl_dump_line(p, "flags %s(0x%x) mark mask/value 0x%x/0x%x \n", flags,
+                        ae->flags, ae->mark.m, ae->mark.v);
+
+        nl_dump_line(p, "\tlifetime current: \n");
+        nl_dump_line(p, "\t\tbytes %llu packets %llu \n", ae->lifetime_cur.bytes,
+                        ae->lifetime_cur.packets);
+        if (ae->lifetime_cur.add_time != 0)
+        {
+                add_time = ae->lifetime_cur.add_time;
+                add_time_tm = gmtime (&add_time);
+                strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
+        }
+        else
+        {
+                sprintf (flags, "%s", "-");
+        }
+
+        if (ae->lifetime_cur.use_time != 0)
+        {
+                use_time = ae->lifetime_cur.use_time;
+                use_time_tm = gmtime (&use_time);
+                strftime (buf, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
+        }
+        else
+        {
+                sprintf (buf, "%s", "-");
+        }
+        nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, buf);
+
+        nl_dump_line(p, "\treplay info: \n");
+        nl_dump_line(p, "\t\tmax age %u max diff %u \n", ae->replay_maxage, ae->replay_maxdiff);
+
+        nl_dump_line(p, "\treplay state info: \n");
+        if (ae->replay_state_esn)
+        {
+                nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
+                                ae->replay_state_esn->oseq, ae->replay_state_esn->seq,
+                                ae->replay_state_esn->oseq_hi, ae->replay_state_esn->seq_hi,
+                                ae->replay_state_esn->replay_window);
+        }
+        else
+        {
+                nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", ae->replay_state.oseq,
+                                ae->replay_state.seq, ae->replay_state.bitmap);
+        }
+
+        nl_dump(p, "\n");
+}
+
+static void xfrm_ae_dump_details(struct nl_object *a, struct nl_dump_params *p)
+{
+        xfrm_ae_dump_line(a, p);
+}
+
+static void xfrm_ae_dump_stats(struct nl_object *a, struct nl_dump_params *p)
+{
+        xfrm_ae_dump_details(a, p);
+}
+
+
+static int build_xfrm_ae_message(struct xfrmnl_ae *tmpl, int cmd, int flags,
+                struct nl_msg **result)
+{
+        struct nl_msg*          msg;
+        struct xfrm_aevent_id   ae_id;
+
+        if (!(tmpl->ce_mask & XFRM_AE_ATTR_DADDR) ||
+            !(tmpl->ce_mask & XFRM_AE_ATTR_SPI) ||
+            !(tmpl->ce_mask & XFRM_AE_ATTR_PROTO))
+                return -NLE_MISSING_ATTR;
+
+        memcpy (&ae_id.sa_id.daddr, nl_addr_get_binary_addr (tmpl->sa_id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->sa_id.daddr));
+        ae_id.sa_id.spi    = htonl(tmpl->sa_id.spi);
+        ae_id.sa_id.family = tmpl->sa_id.family;
+        ae_id.sa_id.proto  = tmpl->sa_id.proto;
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_SADDR)
+                memcpy (&ae_id.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_FLAGS)
+                ae_id.flags    = tmpl->flags;
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_REQID)
+                ae_id.reqid    = tmpl->reqid;
+
+        msg = nlmsg_alloc_simple(cmd, flags);
+        if (!msg)
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &ae_id, sizeof(ae_id), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_MARK)
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrmnl_mark), &tmpl->mark);
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_LIFETIME)
+                NLA_PUT (msg, XFRMA_LTIME_VAL, sizeof (struct xfrmnl_lifetime_cur), &tmpl->lifetime_cur);
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_REPLAY_MAXAGE)
+                NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_REPLAY_MAXDIFF)
+                NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
+
+        if (tmpl->ce_mask & XFRM_AE_ATTR_REPLAY_STATE) {
+                if (tmpl->replay_state_esn) {
+                        uint32_t len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
+                        NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
+                }
+                else {
+                        NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrmnl_replay_state), &tmpl->replay_state);
+                }
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+/**
+ * @name XFRM AE Update
+ * @{
+ */
+
+int xfrmnl_ae_set(struct nl_sock* sk, struct xfrmnl_ae* ae, int flags)
+{
+        int err;
+        struct nl_msg *msg;
+
+        if ((err = build_xfrm_ae_message(ae, XFRM_MSG_NEWAE, flags|NLM_F_REPLACE, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/** @} */
+
+/**
+ * @name XFRM AE Object Allocation/Freeage
+ * @{
+ */
+
+struct xfrmnl_ae* xfrmnl_ae_alloc(void)
+{
+        return (struct xfrmnl_ae*) nl_object_alloc(&xfrm_ae_obj_ops);
+}
+
+void xfrmnl_ae_put(struct xfrmnl_ae* ae)
+{
+        nl_object_put((struct nl_object *) ae);
+}
+
+/** @} */
+
+static struct nla_policy xfrm_ae_policy[XFRMA_MAX+1] = {
+        [XFRMA_LTIME_VAL]       = { .minlen = sizeof(struct xfrm_lifetime_cur) },
+        [XFRMA_REPLAY_VAL]  = { .minlen = sizeof(struct xfrm_replay_state) },
+        [XFRMA_REPLAY_THRESH]   = { .type = NLA_U32 },
+        [XFRMA_ETIMER_THRESH]   = { .type = NLA_U32 },
+        [XFRMA_SRCADDR]     = { .minlen = sizeof(xfrm_address_t) },
+        [XFRMA_MARK]        = { .minlen = sizeof(struct xfrm_mark) },
+        [XFRMA_REPLAY_ESN_VAL]  = { .minlen = sizeof(struct xfrm_replay_state_esn) },
+};
+
+int xfrmnl_ae_parse(struct nlmsghdr *n, struct xfrmnl_ae **result)
+{
+        struct xfrmnl_ae*    ae;
+        struct nlattr           *tb[XFRMA_MAX + 1];
+        struct xfrm_aevent_id*  ae_id;
+        int err;
+
+        ae = xfrmnl_ae_alloc();
+        if (!ae) {
+                err = -NLE_NOMEM;
+                goto errout;
+        }
+
+        ae->ce_msgtype = n->nlmsg_type;
+        ae_id = nlmsg_data(n);
+
+        err = nlmsg_parse(n, sizeof(struct xfrm_aevent_id), tb, XFRMA_MAX, xfrm_ae_policy);
+        if (err < 0)
+                goto errout;
+
+        ae->sa_id.daddr = nl_addr_build(ae_id->sa_id.family, &ae_id->sa_id.daddr, sizeof (ae_id->sa_id.daddr));
+        ae->sa_id.family= ae_id->sa_id.family;
+        ae->sa_id.spi   = ntohl(ae_id->sa_id.spi);
+        ae->sa_id.proto = ae_id->sa_id.proto;
+        ae->saddr       = nl_addr_build(ae_id->sa_id.family, &ae_id->saddr, sizeof (ae_id->saddr));
+        ae->reqid       = ae_id->reqid;
+        ae->flags       = ae_id->flags;
+        ae->ce_mask |= (XFRM_AE_ATTR_DADDR | XFRM_AE_ATTR_FAMILY | XFRM_AE_ATTR_SPI |
+                        XFRM_AE_ATTR_PROTO | XFRM_AE_ATTR_SADDR | XFRM_AE_ATTR_REQID |
+                        XFRM_AE_ATTR_FLAGS);
+
+        if (tb[XFRMA_MARK]) {
+                struct xfrm_mark* m =   nla_data(tb[XFRMA_MARK]);
+                ae->mark.m  =   m->m;
+                ae->mark.v  =   m->v;
+                ae->ce_mask |= XFRM_AE_ATTR_MARK;
+        }
+
+        if (tb[XFRMA_LTIME_VAL]) {
+                struct xfrm_lifetime_cur* cur =   nla_data(tb[XFRMA_LTIME_VAL]);
+                ae->lifetime_cur.bytes      =   cur->bytes;
+                ae->lifetime_cur.packets    =   cur->packets;
+                ae->lifetime_cur.add_time   =   cur->add_time;
+                ae->lifetime_cur.use_time   =   cur->use_time;
+                ae->ce_mask |= XFRM_AE_ATTR_LIFETIME;
+        }
+
+        if (tb[XFRM_AE_ETHR]) {
+                ae->replay_maxage       =   *(uint32_t*)nla_data(tb[XFRM_AE_ETHR]);
+                ae->ce_mask |= XFRM_AE_ATTR_REPLAY_MAXAGE;
+        }
+
+        if (tb[XFRM_AE_RTHR]) {
+                ae->replay_maxdiff      =   *(uint32_t*)nla_data(tb[XFRM_AE_RTHR]);
+                ae->ce_mask |= XFRM_AE_ATTR_REPLAY_MAXDIFF;
+        }
+
+        if (tb[XFRMA_REPLAY_ESN_VAL]) {
+                struct xfrm_replay_state_esn* esn =  nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
+                uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +  (sizeof (uint32_t) * esn->bmp_len);
+
+                if ((ae->replay_state_esn = calloc (1, len)) == NULL)
+                        goto errout;
+                ae->replay_state_esn->oseq       =  esn->oseq;
+                ae->replay_state_esn->seq        =  esn->seq;
+                ae->replay_state_esn->oseq_hi    =  esn->oseq_hi;
+                ae->replay_state_esn->seq_hi     =  esn->seq_hi;
+                ae->replay_state_esn->replay_window   =   esn->replay_window;
+                ae->replay_state_esn->bmp_len    =   esn->bmp_len;
+                memcpy (ae->replay_state_esn->bmp, esn->bmp, sizeof (uint32_t) * esn->bmp_len);
+                ae->ce_mask |= XFRM_AE_ATTR_REPLAY_STATE;
+        }
+        else
+        {
+                struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
+                ae->replay_state.oseq       =   replay_state->oseq;
+                ae->replay_state.seq        =   replay_state->seq;
+                ae->replay_state.bitmap     =   replay_state->bitmap;
+                ae->ce_mask |= XFRM_AE_ATTR_REPLAY_STATE;
+
+                ae->replay_state_esn = NULL;
+        }
+
+        *result = ae;
+        return 0;
+
+errout:
+        xfrmnl_ae_put(ae);
+        return err;
+}
+
+static int xfrm_ae_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
+                struct nlmsghdr *n, struct nl_parser_param *pp)
+{
+        struct xfrmnl_ae*    ae;
+        int err;
+
+        if ((err = xfrmnl_ae_parse(n, &ae)) < 0)
+                return err;
+
+        err = pp->pp_cb((struct nl_object *) ae, pp);
+
+        xfrmnl_ae_put(ae);
+        return err;
+}
+
+/**
+ * @name XFRM AE Get
+ * @{
+ */
+
+int xfrmnl_ae_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol,
+                unsigned int mark_mask, unsigned int mark_value, struct nl_msg **result)
+{
+        struct nl_msg *msg;
+        struct xfrm_aevent_id   ae_id;
+        struct xfrmnl_mark   mark;
+
+        if (!daddr || !spi)
+        {
+                fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
+                                __FILE__, __LINE__, __PRETTY_FUNCTION__);
+                assert(0);
+                return -NLE_MISSING_ATTR;
+        }
+
+        memset(&ae_id, 0, sizeof(ae_id));
+        memcpy (&ae_id.sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
+        ae_id.sa_id.spi    = htonl(spi);
+        ae_id.sa_id.family = nl_addr_get_family (daddr);
+        ae_id.sa_id.proto  = protocol;
+
+        if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETAE, 0)))
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &ae_id, sizeof(ae_id), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        mark.m  =   mark_mask;
+        mark.v  =   mark_value;
+        NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrmnl_mark), &mark);
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+int xfrmnl_ae_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol,
+                unsigned int mark_mask, unsigned int mark_value, struct xfrmnl_ae** result)
+{
+        struct nl_msg *msg = NULL;
+        struct nl_object *obj;
+        int err;
+
+        if ((err = xfrmnl_ae_build_get_request(daddr, spi, protocol, mark_mask, mark_value, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto(sock, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        if ((err = nl_pickup(sock, &xfrm_ae_msg_parser, &obj)) < 0)
+                return err;
+
+        /* We have used xfrm_ae_msg_parser(), object is definitely a xfrm ae */
+        *result = (struct xfrmnl_ae *) obj;
+
+        /* If an object has been returned, we also need to wait for the ACK */
+        if (err == 0 && obj)
+                nl_wait_for_ack(sock);
+
+        return 0;
+}
+
+/** @} */
+
+/**
+ * @name Attributes
+ * @{
+ */
+
+static inline int __assign_addr(struct xfrmnl_ae* ae, struct nl_addr **pos,
+                struct nl_addr *new, int flag, int nocheck)
+{
+        if (!nocheck) {
+                if (ae->ce_mask & XFRM_AE_ATTR_FAMILY) {
+                        if (nl_addr_get_family (new) != ae->sa_id.family)
+                                return -NLE_AF_MISMATCH;
+                } else {
+                        ae->sa_id.family = nl_addr_get_family (new);
+                        ae->ce_mask |= XFRM_AE_ATTR_FAMILY;
+                }
+        }
+
+        if (*pos)
+                nl_addr_put(*pos);
+
+        nl_addr_get(new);
+        *pos = new;
+
+        ae->ce_mask |= flag;
+
+        return 0;
+}
+
+
+struct nl_addr* xfrmnl_ae_get_daddr (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_DADDR)
+                return ae->sa_id.daddr;
+        else
+                return NULL;
+}
+
+int xfrmnl_ae_set_daddr (struct xfrmnl_ae* ae, struct nl_addr* addr)
+{
+        return __assign_addr(ae, &ae->sa_id.daddr, addr, XFRM_AE_ATTR_DADDR, 0);
+}
+
+int xfrmnl_ae_get_spi (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_SPI)
+                return ae->sa_id.spi;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_spi (struct xfrmnl_ae* ae, unsigned int spi)
+{
+        ae->sa_id.spi = spi;
+        ae->ce_mask |= XFRM_AE_ATTR_SPI;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_family (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_FAMILY)
+                return ae->sa_id.family;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_family (struct xfrmnl_ae* ae, unsigned int family)
+{
+        ae->sa_id.family = family;
+        ae->ce_mask |= XFRM_AE_ATTR_FAMILY;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_proto (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_PROTO)
+                return ae->sa_id.proto;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_proto (struct xfrmnl_ae* ae, unsigned int protocol)
+{
+        ae->sa_id.proto = protocol;
+        ae->ce_mask |= XFRM_AE_ATTR_PROTO;
+
+        return 0;
+}
+
+struct nl_addr* xfrmnl_ae_get_saddr (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_SADDR)
+                return ae->saddr;
+        else
+                return NULL;
+}
+
+int xfrmnl_ae_set_saddr (struct xfrmnl_ae* ae, struct nl_addr* addr)
+{
+        return  __assign_addr(ae, &ae->saddr, addr, XFRM_AE_ATTR_SADDR, 1);
+}
+
+int xfrmnl_ae_get_flags (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_FLAGS)
+                return ae->flags;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_flags (struct xfrmnl_ae* ae, unsigned int flags)
+{
+        ae->flags = flags;
+        ae->ce_mask |= XFRM_AE_ATTR_FLAGS;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_reqid (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_REQID)
+                return ae->reqid;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_reqid (struct xfrmnl_ae* ae, unsigned int reqid)
+{
+        ae->reqid = reqid;
+        ae->ce_mask |= XFRM_AE_ATTR_REQID;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_mark (struct xfrmnl_ae* ae, unsigned int* mark_mask, unsigned int* mark_value)
+{
+        if (mark_mask == NULL || mark_value == NULL)
+                return -1;
+
+        if (ae->ce_mask & XFRM_AE_ATTR_MARK)
+        {
+                *mark_mask  =   ae->mark.m;
+                *mark_value  =   ae->mark.v;
+
+                return 0;
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_mark (struct xfrmnl_ae* ae, unsigned int value, unsigned int mask)
+{
+        ae->mark.v  = value;
+        ae->mark.m  = mask;
+        ae->ce_mask |= XFRM_AE_ATTR_MARK;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_curlifetime (struct xfrmnl_ae* ae, unsigned long long int* curr_bytes,
+                unsigned long long int* curr_packets, unsigned long long int* curr_add_time,
+                unsigned long long int* curr_use_time)
+{
+        if (curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
+                return -1;
+
+        if (ae->ce_mask & XFRM_AE_ATTR_LIFETIME)
+        {
+                *curr_bytes     =   ae->lifetime_cur.bytes;
+                *curr_packets   =   ae->lifetime_cur.packets;
+                *curr_add_time  =   ae->lifetime_cur.add_time;
+                *curr_use_time  =   ae->lifetime_cur.use_time;
+
+                return 0;
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_curlifetime (struct xfrmnl_ae* ae, unsigned long long int curr_bytes,
+                unsigned long long int curr_packets, unsigned long long int curr_add_time,
+                unsigned long long int curr_use_time)
+{
+        ae->lifetime_cur.bytes = curr_bytes;
+        ae->lifetime_cur.packets = curr_packets;
+        ae->lifetime_cur.add_time = curr_add_time;
+        ae->lifetime_cur.use_time = curr_use_time;
+        ae->ce_mask |= XFRM_AE_ATTR_LIFETIME;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_replay_maxage (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_REPLAY_MAXAGE)
+                return ae->replay_maxage;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_replay_maxage (struct xfrmnl_ae* ae, unsigned int replay_maxage)
+{
+        ae->replay_maxage  = replay_maxage;
+        ae->ce_mask |= XFRM_AE_ATTR_REPLAY_MAXAGE;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_replay_maxdiff (struct xfrmnl_ae* ae)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_REPLAY_MAXDIFF)
+                return ae->replay_maxdiff;
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_replay_maxdiff (struct xfrmnl_ae* ae, unsigned int replay_maxdiff)
+{
+        ae->replay_maxdiff  = replay_maxdiff;
+        ae->ce_mask |= XFRM_AE_ATTR_REPLAY_MAXDIFF;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_replay_state (struct xfrmnl_ae* ae, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_REPLAY_STATE)
+        {
+                if (ae->replay_state_esn == NULL)
+                {
+                        *oseq   =   ae->replay_state.oseq;
+                        *seq    =   ae->replay_state.seq;
+                        *bmp    =   ae->replay_state.bitmap;
+
+                        return 0;
+                }
+                else
+                {
+                        return -1;
+                }
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_replay_state (struct xfrmnl_ae* ae, unsigned int oseq, unsigned int seq, unsigned int bitmap)
+{
+        ae->replay_state.oseq = oseq;
+        ae->replay_state.seq = seq;
+        ae->replay_state.bitmap = bitmap;
+        ae->ce_mask |= XFRM_AE_ATTR_REPLAY_STATE;
+
+        return 0;
+}
+
+int xfrmnl_ae_get_replay_state_esn(struct xfrmnl_ae* ae, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
+                unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
+{
+        if (ae->ce_mask & XFRM_AE_ATTR_REPLAY_STATE)
+        {
+                if (ae->replay_state_esn)
+                {
+                        *oseq   =   ae->replay_state_esn->oseq;
+                        *seq    =   ae->replay_state_esn->seq;
+                        *oseq_hi=   ae->replay_state_esn->oseq_hi;
+                        *seq_hi =   ae->replay_state_esn->seq_hi;
+                        *replay_window  =   ae->replay_state_esn->replay_window;
+                        *bmp_len        =   ae->replay_state_esn->bmp_len; // In number of 32 bit words
+                        memcpy (bmp, ae->replay_state_esn->bmp, ae->replay_state_esn->bmp_len * sizeof (uint32_t));
+
+                        return 0;
+                }
+                else
+                {
+                        return -1;
+                }
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_ae_set_replay_state_esn(struct xfrmnl_ae* ae, unsigned int oseq, unsigned int seq,
+                unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
+                unsigned int bmp_len, unsigned int* bmp)
+{
+        /* Free the old replay ESN state and allocate new one */
+        if (ae->replay_state_esn)
+                free (ae->replay_state_esn);
+
+        if ((ae->replay_state_esn = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + sizeof (uint32_t) * bmp_len)) == NULL)
+                return -1;
+
+        ae->replay_state_esn->oseq = oseq;
+        ae->replay_state_esn->seq = seq;
+        ae->replay_state_esn->oseq_hi = oseq_hi;
+        ae->replay_state_esn->seq_hi = seq_hi;
+        ae->replay_state_esn->replay_window = replay_window;
+        ae->replay_state_esn->bmp_len = bmp_len; // In number of 32 bit words
+        memcpy (ae->replay_state_esn->bmp, bmp, bmp_len * sizeof (uint32_t));
+        ae->ce_mask |= XFRM_AE_ATTR_REPLAY_STATE;
+
+        return 0;
+}
+
+/** @} */
+
+static struct nl_object_ops xfrm_ae_obj_ops = {
+        .oo_name        =   "xfrm/ae",
+        .oo_size    =   sizeof(struct xfrmnl_ae),
+        .oo_free_data   =   xfrm_ae_free_data,
+        .oo_clone   =   xfrm_ae_clone,
+        .oo_dump        =   {
+                [NL_DUMP_LINE]          =   xfrm_ae_dump_line,
+                [NL_DUMP_DETAILS]       =   xfrm_ae_dump_details,
+                [NL_DUMP_STATS]         =   xfrm_ae_dump_stats,
+        },
+        .oo_compare     =   xfrm_ae_compare,
+        .oo_attrs2str   =   xfrm_ae_attrs2str,
+        .oo_id_attrs    =   (XFRM_AE_ATTR_DADDR | XFRM_AE_ATTR_SPI | XFRM_AE_ATTR_PROTO),
+};
diff --git a/lib/xfrm/lifetime.c b/lib/xfrm/lifetime.c
new file mode 100644 (file)
index 0000000..a03f0ea
--- /dev/null
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * @ingroup xfrmnl
+ * @defgroup XFRM Lifetime Configuration Object
+ *
+ * Abstract data type representing XFRM SA lifetime properties
+ *
+ * @{
+ *
+ * Header
+ * ------
+ * ~~~~{.c}
+ * #include <netlink/xfrm/lifetime.h>
+ * ~~~~
+ */
+
+#include <netlink-private/netlink.h>
+
+static void ltime_cfg_destroy(struct xfrmnl_ltime_cfg* ltime)
+{
+        if (!ltime)
+                return;
+
+        if (ltime->refcnt != 1)
+        {
+                fprintf(stderr, "BUG: %s:%d\n", __FILE__, __LINE__);
+                assert(0);
+        }
+
+        free(ltime);
+}
+
+/**
+ * @name Creating Selector
+ * @{
+ */
+
+/**
+ * Allocate new lifetime config object.
+ * @return Newly allocated lifetime config object or NULL
+ */
+struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_alloc()
+{
+        struct xfrmnl_ltime_cfg* ltime;
+
+        ltime = calloc(1, sizeof(struct xfrmnl_ltime_cfg));
+        if (!ltime)
+                return NULL;
+
+        ltime->refcnt = 1;
+
+        return ltime;
+}
+
+/**
+ * Clone existing lifetime config object.
+ * @arg ltime       Selector object.
+ * @return Newly allocated lifetime config object being a duplicate of the
+ *         specified lifetime config object or NULL if a failure occured.
+ */
+struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg* ltime)
+{
+        struct xfrmnl_ltime_cfg* new;
+
+        new = xfrmnl_ltime_cfg_alloc();
+        if (new)
+                memcpy ((void*)new, (void*)ltime, sizeof (struct xfrmnl_ltime_cfg));
+
+        return new;
+}
+
+/** @} */
+
+/**
+ * @name Managing Usage References
+ * @{
+ */
+
+struct xfrmnl_ltime_cfg* xfrmnl_ltime_cfg_get(struct xfrmnl_ltime_cfg* ltime)
+{
+        ltime->refcnt++;
+
+        return ltime;
+}
+
+void xfrmnl_ltime_cfg_put(struct xfrmnl_ltime_cfg* ltime)
+{
+        if (!ltime)
+                return;
+
+        if (ltime->refcnt == 1)
+                ltime_cfg_destroy(ltime);
+        else
+                ltime->refcnt--;
+}
+
+/**
+ * Check whether an lifetime config object is shared.
+ * @arg addr        Selector object.
+ * @return Non-zero if the lifetime config object is shared, otherwise 0.
+ */
+int xfrmnl_ltime_cfg_shared(struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->refcnt > 1;
+}
+
+/** @} */
+
+/**
+ * @name Miscellaneous
+ * @{
+ */
+
+/**
+ * Compares two lifetime config objects.
+ * @arg a       A lifetime config object.
+ * @arg b       Another lifetime config object.
+ *
+ * @return Non zero if difference is found, 0 otherwise if both
+ * the objects are identical.
+ */
+int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg* a, struct xfrmnl_ltime_cfg* b)
+{
+        /* Check for any differences */
+        if ((a->soft_byte_limit != b->soft_byte_limit) ||
+            (a->soft_packet_limit != b->soft_packet_limit) ||
+            (a->hard_byte_limit != b->hard_byte_limit) ||
+            (a->hard_packet_limit != b->hard_packet_limit) ||
+            (a->soft_add_expires_seconds != b->soft_add_expires_seconds) ||
+            (a->hard_add_expires_seconds != b->hard_add_expires_seconds) ||
+            (a->soft_use_expires_seconds != b->soft_use_expires_seconds) ||
+            (a->hard_use_expires_seconds != b->hard_use_expires_seconds))
+                return 1;
+
+        /* The objects are identical */
+        return 0;
+}
+
+/** @} */
+
+/**
+ * @name Attributes
+ * @{
+ */
+unsigned long long xfrmnl_ltime_cfg_get_soft_bytelimit (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->soft_byte_limit;
+}
+
+int xfrmnl_ltime_cfg_set_soft_bytelimit (struct xfrmnl_ltime_cfg* ltime, unsigned long long soft_byte_limit)
+{
+        ltime->soft_byte_limit = soft_byte_limit;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_hard_bytelimit (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->hard_byte_limit;
+}
+
+int xfrmnl_ltime_cfg_set_hard_bytelimit (struct xfrmnl_ltime_cfg* ltime, unsigned long long hard_byte_limit)
+{
+        ltime->hard_byte_limit = hard_byte_limit;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_soft_packetlimit (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->soft_packet_limit;
+}
+
+int xfrmnl_ltime_cfg_set_soft_packetlimit (struct xfrmnl_ltime_cfg* ltime, unsigned long long soft_packet_limit)
+{
+        ltime->soft_packet_limit = soft_packet_limit;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_hard_packetlimit (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->hard_packet_limit;
+}
+
+int xfrmnl_ltime_cfg_set_hard_packetlimit (struct xfrmnl_ltime_cfg* ltime, unsigned long long hard_packet_limit)
+{
+        ltime->hard_packet_limit = hard_packet_limit;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_soft_addexpires (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->soft_add_expires_seconds;
+}
+
+int xfrmnl_ltime_cfg_set_soft_addexpires (struct xfrmnl_ltime_cfg* ltime, unsigned long long soft_add_expires_seconds)
+{
+        ltime->soft_add_expires_seconds = soft_add_expires_seconds;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_hard_addexpires (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->hard_add_expires_seconds;
+}
+
+int xfrmnl_ltime_cfg_set_hard_addexpires (struct xfrmnl_ltime_cfg* ltime, unsigned long long hard_add_expires_seconds)
+{
+        ltime->hard_add_expires_seconds = hard_add_expires_seconds;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_soft_useexpires (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->soft_use_expires_seconds;
+}
+
+int xfrmnl_ltime_cfg_set_soft_useexpires (struct xfrmnl_ltime_cfg* ltime, unsigned long long soft_use_expires_seconds)
+{
+        ltime->soft_use_expires_seconds = soft_use_expires_seconds;
+
+        return 0;
+}
+
+unsigned long long xfrmnl_ltime_cfg_get_hard_useexpires (struct xfrmnl_ltime_cfg* ltime)
+{
+        return ltime->hard_use_expires_seconds;
+}
+
+int xfrmnl_ltime_cfg_set_hard_useexpires (struct xfrmnl_ltime_cfg* ltime, unsigned long long hard_use_expires_seconds)
+{
+        ltime->hard_use_expires_seconds = hard_use_expires_seconds;
+
+        return 0;
+}
+
+/** @} */
diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c
new file mode 100644 (file)
index 0000000..5f76080
--- /dev/null
@@ -0,0 +1,2075 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * @ingroup xfrmnl
+ * @defgroup sa Security Association
+ * @brief
+ */
+
+#include <netlink-private/netlink.h>
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/object.h>
+#include <netlink/xfrm/selector.h>
+#include <netlink/xfrm/lifetime.h>
+#include <time.h>
+
+/** @cond SKIP */
+#define XFRM_SA_ATTR_SEL            0x01
+#define XFRM_SA_ATTR_DADDR          0x02
+#define XFRM_SA_ATTR_SPI            0x04
+#define XFRM_SA_ATTR_PROTO          0x08
+#define XFRM_SA_ATTR_SADDR          0x10
+#define XFRM_SA_ATTR_LTIME_CFG      0x20
+#define XFRM_SA_ATTR_LTIME_CUR      0x40
+#define XFRM_SA_ATTR_STATS          0x80
+#define XFRM_SA_ATTR_SEQ            0x100
+#define XFRM_SA_ATTR_REQID          0x200
+#define XFRM_SA_ATTR_FAMILY         0x400
+#define XFRM_SA_ATTR_MODE           0x800
+#define XFRM_SA_ATTR_REPLAY_WIN     0x1000
+#define XFRM_SA_ATTR_FLAGS          0x2000
+#define XFRM_SA_ATTR_ALG_AEAD       0x4000
+#define XFRM_SA_ATTR_ALG_AUTH       0x8000
+#define XFRM_SA_ATTR_ALG_CRYPT      0x10000
+#define XFRM_SA_ATTR_ALG_COMP       0x20000
+#define XFRM_SA_ATTR_ENCAP          0x40000
+#define XFRM_SA_ATTR_TFCPAD         0x80000
+#define XFRM_SA_ATTR_COADDR         0x100000
+#define XFRM_SA_ATTR_MARK           0x200000
+#define XFRM_SA_ATTR_SECCTX         0x400000
+#define XFRM_SA_ATTR_REPLAY_MAXAGE  0x800000
+#define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
+#define XFRM_SA_ATTR_REPLAY_STATE   0x2000000
+#define XFRM_SA_ATTR_EXPIRE         0x4000000
+
+static struct nl_cache_ops  xfrmnl_sa_ops;
+static struct nl_object_ops xfrm_sa_obj_ops;
+/** @endcond */
+
+static void xfrm_sa_alloc_data(struct nl_object *c)
+{
+        struct xfrmnl_sa* sa =   nl_object_priv (c);
+
+        if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
+                return;
+
+        if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
+                return;
+}
+
+static void xfrm_sa_free_data(struct nl_object *c)
+{
+        struct xfrmnl_sa* sa =   nl_object_priv (c);
+
+        if (sa == NULL)
+                return;
+
+        xfrmnl_sel_put (sa->sel);
+        xfrmnl_ltime_cfg_put (sa->lft);
+        nl_addr_put (sa->id.daddr);
+        nl_addr_put (sa->saddr);
+
+        if (sa->aead)
+                free (sa->aead);
+        if (sa->auth)
+                free (sa->auth);
+        if (sa->crypt)
+                free (sa->crypt);
+        if (sa->comp)
+                free (sa->comp);
+        if (sa->encap)
+                free (sa->encap);
+        if (sa->coaddr)
+                nl_addr_put (sa->coaddr);
+        if (sa->sec_ctx)
+                free (sa->sec_ctx);
+        if (sa->replay_state_esn)
+                free (sa->replay_state_esn);
+}
+
+static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
+{
+        struct xfrmnl_sa*   dst = nl_object_priv(_dst);
+        struct xfrmnl_sa*   src = nl_object_priv(_src);
+        uint32_t            len = 0;
+
+        if (src->sel)
+                if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->lft)
+                if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->id.daddr)
+                if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->saddr)
+                if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->aead)
+        {
+                len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
+                if ((dst->aead = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->aead, (void *)src->aead, len);
+        }
+
+        if (src->auth)
+        {
+                len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
+                if ((dst->auth = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->auth, (void *)src->auth, len);
+        }
+
+        if (src->crypt)
+        {
+                len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
+                if ((dst->crypt = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->crypt, (void *)src->crypt, len);
+        }
+
+        if (src->comp)
+        {
+                len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
+                if ((dst->comp = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->comp, (void *)src->comp, len);
+        }
+
+        if (src->encap)
+        {
+                len = sizeof (struct xfrmnl_encap_tmpl);
+                if ((dst->encap = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->encap, (void *)src->encap, len);
+        }
+
+        if (src->coaddr)
+                if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->sec_ctx)
+        {
+                len = sizeof (struct xfrmnl_sec_ctx) + src->sec_ctx->ctx_len;
+                if ((dst->sec_ctx = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
+        }
+
+        if (src->replay_state_esn)
+        {
+                len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
+                if ((dst->replay_state_esn = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
+        }
+
+        return 0;
+}
+
+static int xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b, uint32_t attrs, int flags)
+{
+        struct xfrmnl_sa* a  =   (struct xfrmnl_sa *) _a;
+        struct xfrmnl_sa* b  =   (struct xfrmnl_sa *) _b;
+        int diff = 0;
+        int found = 0;
+
+#define XFRM_SA_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SA_ATTR_##ATTR, a, b, EXPR)
+        diff |= XFRM_SA_DIFF(SEL,   xfrmnl_sel_cmp(a->sel, b->sel));
+        diff |= XFRM_SA_DIFF(DADDR, nl_addr_cmp(a->id.daddr, b->id.daddr));
+        diff |= XFRM_SA_DIFF(SPI,   a->id.spi != b->id.spi);
+        diff |= XFRM_SA_DIFF(PROTO, a->id.proto != b->id.proto);
+        diff |= XFRM_SA_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
+        diff |= XFRM_SA_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
+        diff |= XFRM_SA_DIFF(REQID, a->reqid != b->reqid);
+        diff |= XFRM_SA_DIFF(FAMILY,a->family != b->family);
+        diff |= XFRM_SA_DIFF(MODE,a->mode != b->mode);
+        diff |= XFRM_SA_DIFF(REPLAY_WIN,a->replay_window != b->replay_window);
+        diff |= XFRM_SA_DIFF(FLAGS,a->flags != b->flags);
+        diff |= XFRM_SA_DIFF(ALG_AEAD,(strcmp(a->aead->alg_name, b->aead->alg_name) ||
+                                       (a->aead->alg_key_len != b->aead->alg_key_len) ||
+                                       (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
+                                       memcmp(a->aead->alg_key, b->aead->alg_key,
+                                              ((a->aead->alg_key_len + 7)/8))));
+        diff |= XFRM_SA_DIFF(ALG_AUTH,(strcmp(a->auth->alg_name, b->auth->alg_name) ||
+                                       (a->auth->alg_key_len != b->auth->alg_key_len) ||
+                                       (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
+                                       memcmp(a->auth->alg_key, b->auth->alg_key,
+                                              ((a->auth->alg_key_len + 7)/8))));
+        diff |= XFRM_SA_DIFF(ALG_CRYPT,(strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
+                                        (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
+                                        memcmp(a->crypt->alg_key, b->crypt->alg_key,
+                                               ((a->crypt->alg_key_len + 7)/8))));
+        diff |= XFRM_SA_DIFF(ALG_COMP,(strcmp(a->comp->alg_name, b->comp->alg_name) ||
+                                       (a->comp->alg_key_len != b->comp->alg_key_len) ||
+                                       memcmp(a->comp->alg_key, b->comp->alg_key,
+                                             ((a->comp->alg_key_len + 7)/8))));
+        diff |= XFRM_SA_DIFF(ENCAP,((a->encap->encap_type != b->encap->encap_type) ||
+                                    (a->encap->encap_sport != b->encap->encap_sport) ||
+                                    (a->encap->encap_dport != b->encap->encap_dport) ||
+                                    nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
+        diff |= XFRM_SA_DIFF(TFCPAD,a->tfcpad != b->tfcpad);
+        diff |= XFRM_SA_DIFF(COADDR,nl_addr_cmp(a->coaddr, b->coaddr));
+        diff |= XFRM_SA_DIFF(MARK,(a->mark.m != b->mark.m) ||
+                                  (a->mark.v != b->mark.v));
+        diff |= XFRM_SA_DIFF(SECCTX,((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
+                                     (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
+                                     (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
+                                     (a->sec_ctx->ctx_sid != b->sec_ctx->ctx_sid) ||
+                                     strcmp(a->sec_ctx->ctx_str, b->sec_ctx->ctx_str)));
+        diff |= XFRM_SA_DIFF(REPLAY_MAXAGE,a->replay_maxage != b->replay_maxage);
+        diff |= XFRM_SA_DIFF(REPLAY_MAXDIFF,a->replay_maxdiff != b->replay_maxdiff);
+        diff |= XFRM_SA_DIFF(EXPIRE,a->hard != b->hard);
+
+        /* Compare replay states */
+        found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
+        if (found == 0) // attribute exists in both objects
+        {
+                if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
+                    ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
+                        found |= 1;
+
+                if (found == 0) // same replay type. compare actual values
+                {
+                        if (a->replay_state_esn)
+                        {
+                                if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
+                                        diff |= 1;
+                                else
+                                {
+                                        uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
+                                                               (a->replay_state_esn->bmp_len * sizeof (uint32_t));
+                                        diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
+                                }
+                        }
+                        else
+                        {
+                                if ((a->replay_state.oseq != b->replay_state.oseq) ||
+                                    (a->replay_state.seq != b->replay_state.seq) ||
+                                    (a->replay_state.bitmap != b->replay_state.bitmap))
+                                        diff |= 1;
+                        }
+                }
+        }
+#undef XFRM_SA_DIFF
+
+        return diff;
+}
+
+/**
+ * @name XFRM SA Attribute Translations
+ * @{
+ */
+static const struct trans_tbl sa_attrs[] = {
+        __ADD(XFRM_SA_ATTR_SEL, selector)
+        __ADD(XFRM_SA_ATTR_DADDR, daddr)
+        __ADD(XFRM_SA_ATTR_SPI, spi)
+        __ADD(XFRM_SA_ATTR_PROTO, proto)
+        __ADD(XFRM_SA_ATTR_SADDR, saddr)
+        __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg)
+        __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur)
+        __ADD(XFRM_SA_ATTR_STATS, stats)
+        __ADD(XFRM_SA_ATTR_SEQ, seqnum)
+        __ADD(XFRM_SA_ATTR_REQID, reqid)
+        __ADD(XFRM_SA_ATTR_FAMILY, family)
+        __ADD(XFRM_SA_ATTR_MODE, mode)
+        __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window)
+        __ADD(XFRM_SA_ATTR_FLAGS, flags)
+        __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead)
+        __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth)
+        __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto)
+        __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp)
+        __ADD(XFRM_SA_ATTR_ENCAP, encap)
+        __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad)
+        __ADD(XFRM_SA_ATTR_COADDR, coaddr)
+        __ADD(XFRM_SA_ATTR_MARK, mark)
+        __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx)
+        __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage)
+        __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff)
+        __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state)
+        __ADD(XFRM_SA_ATTR_EXPIRE, expire)
+};
+
+static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
+{
+        return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
+}
+/** @} */
+
+/**
+ * @name XFRM SA Flags Translations
+ * @{
+ */
+static const struct trans_tbl sa_flags[] = {
+        __ADD(XFRM_STATE_NOECN, no ecn)
+        __ADD(XFRM_STATE_DECAP_DSCP, decap dscp)
+        __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery)
+        __ADD(XFRM_STATE_WILDRECV, wild receive)
+        __ADD(XFRM_STATE_ICMP, icmp)
+        __ADD(XFRM_STATE_AF_UNSPEC, unspecified)
+        __ADD(XFRM_STATE_ALIGN4, align4)
+        __ADD(XFRM_STATE_ESN, esn)
+};
+
+char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
+{
+        return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
+}
+
+int xfrmnl_sa_str2flag(const char *name)
+{
+        return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
+}
+/** @} */
+
+/**
+ * @name XFRM SA Mode Translations
+ * @{
+ */
+static const struct trans_tbl sa_modes[] = {
+        __ADD(XFRM_MODE_TRANSPORT, transport)
+        __ADD(XFRM_MODE_TUNNEL, tunnel)
+        __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization)
+        __ADD(XFRM_MODE_IN_TRIGGER, in trigger)
+        __ADD(XFRM_MODE_BEET, beet)
+};
+
+char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
+{
+        return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
+}
+
+int xfrmnl_sa_str2mode(const char *name)
+{
+        return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
+}
+/** @} */
+
+
+static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
+{
+        char                dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
+        struct xfrmnl_sa*   sa  =   (struct xfrmnl_sa *) a;
+        char                flags[128], mode[128];
+        time_t              add_time, use_time;
+        struct tm           *add_time_tm, *use_time_tm;
+
+        nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
+                        nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
+                        nl_af2str (sa->family, flags, sizeof (flags)));
+
+        nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
+                        nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
+                        sa->id.spi, sa->reqid);
+
+        xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
+        xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
+        nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
+                        mode, flags, sa->flags, sa->seq, sa->replay_window);
+
+        nl_dump_line(p, "\tlifetime configuration: \n");
+        if (sa->lft->soft_byte_limit == XFRM_INF)
+                sprintf (flags, "INF");
+        else
+                sprintf (flags, "%llu", sa->lft->soft_byte_limit);
+        if (sa->lft->soft_packet_limit == XFRM_INF)
+                sprintf (mode, "INF");
+        else
+                sprintf (mode, "%llu", sa->lft->soft_packet_limit);
+        nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
+        if (sa->lft->hard_byte_limit == XFRM_INF)
+                sprintf (flags, "INF");
+        else
+                sprintf (flags, "%llu", sa->lft->hard_byte_limit);
+        if (sa->lft->hard_packet_limit == XFRM_INF)
+                sprintf (mode, "INF");
+        else
+                sprintf (mode, "%llu", sa->lft->hard_packet_limit);
+        nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags, mode);
+        nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
+                        sa->lft->soft_add_expires_seconds, sa->lft->soft_use_expires_seconds);
+        nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
+                        sa->lft->hard_add_expires_seconds, sa->lft->hard_use_expires_seconds);
+
+        nl_dump_line(p, "\tlifetime current: \n");
+        nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sa->curlft.bytes, sa->curlft.packets);
+        if (sa->curlft.add_time != 0)
+        {
+                add_time = sa->curlft.add_time;
+                add_time_tm = gmtime (&add_time);
+                strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
+        }
+        else
+        {
+                sprintf (flags, "%s", "-");
+        }
+
+        if (sa->curlft.use_time != 0)
+        {
+                use_time = sa->curlft.use_time;
+                use_time_tm = gmtime (&use_time);
+                strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
+        }
+        else
+        {
+                sprintf (mode, "%s", "-");
+        }
+        nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
+
+        if (sa->aead)
+        {
+                nl_dump_line(p, "\tAEAD Algo: \n");
+                nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
+                                sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
+        }
+
+        if (sa->auth)
+        {
+                nl_dump_line(p, "\tAuth Algo: \n");
+                nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
+                                sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
+        }
+
+        if (sa->crypt)
+        {
+                nl_dump_line(p, "\tEncryption Algo: \n");
+                nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
+                                sa->crypt->alg_name, sa->crypt->alg_key_len);
+        }
+
+        if (sa->comp)
+        {
+                nl_dump_line(p, "\tCompression Algo: \n");
+                nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
+                                sa->comp->alg_name, sa->comp->alg_key_len);
+        }
+
+        if (sa->encap)
+        {
+                nl_dump_line(p, "\tEncapsulation template: \n");
+                nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
+                                sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
+                                nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
+        }
+
+        if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
+                nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
+
+        if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
+                nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
+
+        if (sa->ce_mask & XFRM_SA_ATTR_MARK)
+                nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
+
+        if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
+                nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u SID: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
+                                sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx_sid, sa->sec_ctx->ctx_str);
+
+        nl_dump_line(p, "\treplay info: \n");
+        nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
+
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
+        {
+                nl_dump_line(p, "\treplay state info: \n");
+                if (sa->replay_state_esn)
+                {
+                        nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
+                                        sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
+                                        sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
+                                        sa->replay_state_esn->replay_window);
+                }
+                else
+                {
+                        nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
+                                        sa->replay_state.seq, sa->replay_state.bitmap);
+                }
+        }
+
+        nl_dump_line(p, "\tselector info: \n");
+        xfrmnl_sel_dump (sa->sel, p);
+
+        nl_dump_line(p, "\tHard: %d\n", sa->hard);
+
+        nl_dump(p, "\n");
+}
+
+static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
+{
+        struct xfrmnl_sa*   sa  =   (struct xfrmnl_sa*)a;
+
+        nl_dump_line(p, "\tstats: \n");
+        nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
+                        sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
+
+        return;
+}
+
+static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
+{
+        xfrm_sa_dump_line(a, p);
+        xfrm_sa_dump_stats (a, p);
+}
+
+/**
+ * @name XFRM SA Object Allocation/Freeage
+ * @{
+ */
+
+struct xfrmnl_sa* xfrmnl_sa_alloc(void)
+{
+        return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
+}
+
+void xfrmnl_sa_put(struct xfrmnl_sa* sa)
+{
+        nl_object_put((struct nl_object *) sa);
+}
+
+/** @} */
+
+/**
+ * @name SA Cache Managament
+ * @{
+ */
+
+/**
+ * Build a SA cache including all SAs currently configured in the kernel.
+ * @arg sock        Netlink socket.
+ * @arg result      Pointer to store resulting cache.
+ *
+ * Allocates a new SA cache, initializes it properly and updates it
+ * to include all SAs currently configured in the kernel.
+ *
+ * @return 0 on success or a negative error code.
+ */
+int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
+{
+        return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
+}
+
+/**
+ * Look up a SA by destination address, SPI, protocol
+ * @arg cache       SA cache
+ * @arg daddr       destination address of the SA
+ * @arg spi         SPI
+ * @arg proto       protocol
+ * @return sa handle or NULL if no match was found.
+ */
+struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
+                unsigned int spi, unsigned int proto)
+{
+        struct xfrmnl_sa *sa;
+
+        //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
+        for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
+             sa != NULL;
+             sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
+        {
+                if (sa->id.proto == proto &&
+                    sa->id.spi == spi &&
+                    !nl_addr_cmp(sa->id.daddr, daddr))
+                {
+                        nl_object_get((struct nl_object *) sa);
+                        return sa;
+                }
+
+        }
+
+        return NULL;
+}
+
+
+/** @} */
+
+
+static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
+        [XFRMA_SA]      = { .minlen = sizeof(struct xfrm_usersa_info)},
+        [XFRMA_ALG_AUTH_TRUNC]  = { .minlen = sizeof(struct xfrm_algo_auth)},
+        [XFRMA_ALG_AEAD]    = { .minlen = sizeof(struct xfrm_algo_aead) },
+        [XFRMA_ALG_AUTH]    = { .minlen = sizeof(struct xfrm_algo) },
+        [XFRMA_ALG_CRYPT]   = { .minlen = sizeof(struct xfrm_algo) },
+        [XFRMA_ALG_COMP]    = { .minlen = sizeof(struct xfrm_algo) },
+        [XFRMA_ENCAP]       = { .minlen = sizeof(struct xfrm_encap_tmpl) },
+        [XFRMA_TMPL]        = { .minlen = sizeof(struct xfrm_user_tmpl) },
+        [XFRMA_SEC_CTX]     = { .minlen = sizeof(struct xfrm_sec_ctx) },
+        [XFRMA_LTIME_VAL]   = { .minlen = sizeof(struct xfrm_lifetime_cur) },
+        [XFRMA_REPLAY_VAL]  = { .minlen = sizeof(struct xfrm_replay_state) },
+        [XFRMA_REPLAY_THRESH]   = { .type = NLA_U32 },
+        [XFRMA_ETIMER_THRESH]   = { .type = NLA_U32 },
+        [XFRMA_SRCADDR]     = { .minlen = sizeof(xfrm_address_t) },
+        [XFRMA_COADDR]      = { .minlen = sizeof(xfrm_address_t) },
+        [XFRMA_MARK]        = { .minlen = sizeof(struct xfrm_mark) },
+        [XFRMA_TFCPAD]      = { .type = NLA_U32 },
+        [XFRMA_REPLAY_ESN_VAL]  = { .minlen = sizeof(struct xfrm_replay_state_esn) },
+};
+
+static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
+{
+        struct xfrm_id   sa_id;
+
+        memset ((void *)&sa_id, 0, sizeof (struct xfrm_id));
+        return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP,(void*)&sa_id, sizeof (struct xfrm_id));
+}
+
+int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
+{
+        struct xfrmnl_sa*           sa;
+        struct nlattr               *tb[XFRMA_MAX + 1];
+        struct xfrm_usersa_info*    sa_info;
+        struct xfrm_user_expire*    ue;
+        struct xfrm_usersa_id*      sa_id;
+        int                         len, err;
+        struct nl_addr*             addr;
+
+        sa = xfrmnl_sa_alloc();
+        if (!sa) {
+                err = -NLE_NOMEM;
+                goto errout;
+        }
+
+        sa->ce_msgtype = n->nlmsg_type;
+        if (n->nlmsg_type == XFRM_MSG_EXPIRE)
+        {
+                ue = nlmsg_data(n);
+                sa_info = &ue->state;
+                sa->hard = ue->hard;
+                sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
+        }
+        else if (n->nlmsg_type == XFRM_MSG_DELSA)
+        {
+                sa_id = nlmsg_data(n);
+                sa_info = (struct xfrm_usersa_info*)(nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
+        }
+        else
+        {
+                sa_info = nlmsg_data(n);
+        }
+
+        err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
+        if (err < 0)
+                goto errout;
+
+        if (sa_info->sel.family == AF_INET)
+                addr    = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a4, sizeof (sa_info->sel.daddr.a4));
+        else
+                addr    = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a6, sizeof (sa_info->sel.daddr.a6));
+        nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_d);
+        xfrmnl_sel_set_daddr (sa->sel, addr);
+        xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
+
+        if (sa_info->sel.family == AF_INET)
+                addr    = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a4, sizeof (sa_info->sel.saddr.a4));
+        else
+                addr    = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a6, sizeof (sa_info->sel.saddr.a6));
+        nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_s);
+        xfrmnl_sel_set_saddr (sa->sel, addr);
+        xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
+
+        xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
+        xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
+        xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
+        xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
+        xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
+        xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
+        xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
+        xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
+        sa->ce_mask             |= XFRM_SA_ATTR_SEL;
+
+        if (sa_info->family == AF_INET)
+                sa->id.daddr        = nl_addr_build (sa_info->family, &sa_info->id.daddr.a4, sizeof (sa_info->id.daddr.a4));
+        else
+                sa->id.daddr        = nl_addr_build (sa_info->family, &sa_info->id.daddr.a6, sizeof (sa_info->id.daddr.a6));
+        sa->id.spi              = ntohl(sa_info->id.spi);
+        sa->id.proto            = sa_info->id.proto;
+        sa->ce_mask             |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
+
+        if (sa_info->family == AF_INET)
+                sa->saddr           = nl_addr_build (sa_info->family, &sa_info->saddr.a4, sizeof (sa_info->saddr.a4));
+        else
+                sa->saddr           = nl_addr_build (sa_info->family, &sa_info->saddr.a6, sizeof (sa_info->saddr.a6));
+        sa->ce_mask             |= XFRM_SA_ATTR_SADDR;
+
+        sa->lft->soft_byte_limit    =   sa_info->lft.soft_byte_limit;
+        sa->lft->hard_byte_limit    =   sa_info->lft.hard_byte_limit;
+        sa->lft->soft_packet_limit  =   sa_info->lft.soft_packet_limit;
+        sa->lft->hard_packet_limit  =   sa_info->lft.hard_packet_limit;
+        sa->lft->soft_add_expires_seconds   =   sa_info->lft.soft_add_expires_seconds;
+        sa->lft->hard_add_expires_seconds   =   sa_info->lft.hard_add_expires_seconds;
+        sa->lft->soft_use_expires_seconds   =   sa_info->lft.soft_use_expires_seconds;
+        sa->lft->hard_use_expires_seconds   =   sa_info->lft.hard_use_expires_seconds;
+        sa->ce_mask             |= XFRM_SA_ATTR_LTIME_CFG;
+
+        sa->curlft.bytes        = sa_info->curlft.bytes;
+        sa->curlft.packets      = sa_info->curlft.packets;
+        sa->curlft.add_time     = sa_info->curlft.add_time;
+        sa->curlft.use_time     = sa_info->curlft.use_time;
+        sa->ce_mask             |= XFRM_SA_ATTR_LTIME_CUR;
+
+        sa->stats.replay_window = sa_info->stats.replay_window;
+        sa->stats.replay        = sa_info->stats.replay;
+        sa->stats.integrity_failed = sa_info->stats.integrity_failed;
+        sa->ce_mask             |= XFRM_SA_ATTR_STATS;
+
+        sa->seq                 = sa_info->seq;
+        sa->reqid               = sa_info->reqid;
+        sa->family              = sa_info->family;
+        sa->mode                = sa_info->mode;
+        sa->replay_window       = sa_info->replay_window;
+        sa->flags               = sa_info->flags;
+        sa->ce_mask             |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
+                        XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
+                        XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
+
+        if (tb[XFRMA_ALG_AEAD]) {
+                struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
+                len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
+                if ((sa->aead = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->aead, (void *)aead, len);
+                sa->ce_mask     |= XFRM_SA_ATTR_ALG_AEAD;
+        }
+
+        if (tb[XFRMA_ALG_AUTH_TRUNC]) {
+                struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
+                len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
+                if ((sa->auth = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->auth, (void *)auth, len);
+                sa->ce_mask     |= XFRM_SA_ATTR_ALG_AUTH;
+        }
+
+        if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
+                struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
+                len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
+                if ((sa->auth = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                strcpy(sa->auth->alg_name, auth->alg_name);
+                memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
+                sa->auth->alg_key_len = auth->alg_key_len;
+                sa->ce_mask     |=  XFRM_SA_ATTR_ALG_AUTH;
+        }
+
+        if (tb[XFRMA_ALG_CRYPT]) {
+                struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
+                len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
+                if ((sa->crypt = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->crypt, (void *)crypt, len);
+                sa->ce_mask     |= XFRM_SA_ATTR_ALG_CRYPT;
+        }
+
+        if (tb[XFRMA_ALG_COMP]) {
+                struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
+                len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
+                if ((sa->comp = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->comp, (void *)comp, len);
+                sa->ce_mask     |= XFRM_SA_ATTR_ALG_COMP;
+        }
+
+        if (tb[XFRMA_ENCAP]) {
+                struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
+                len = sizeof (struct xfrmnl_encap_tmpl);
+                if ((sa->encap = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                sa->encap->encap_type   =   encap->encap_type;
+                sa->encap->encap_sport  =   ntohs(encap->encap_sport);
+                sa->encap->encap_dport  =   ntohs(encap->encap_dport);
+                if (sa_info->family == AF_INET)
+                        sa->encap->encap_oa =   nl_addr_build (sa_info->family, &encap->encap_oa.a4, sizeof (encap->encap_oa.a4));
+                else
+                        sa->encap->encap_oa =   nl_addr_build (sa_info->family, &encap->encap_oa.a6, sizeof (encap->encap_oa.a6));
+                sa->ce_mask     |= XFRM_SA_ATTR_ENCAP;
+        }
+
+        if (tb[XFRMA_TFCPAD]) {
+                sa->tfcpad      =   *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
+                sa->ce_mask     |= XFRM_SA_ATTR_TFCPAD;
+        }
+
+        if (tb[XFRMA_COADDR]) {
+                if (sa_info->family == AF_INET)
+                {
+                        sa->coaddr  = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
+                                        sizeof (uint32_t));
+                }
+                else
+                {
+                        sa->coaddr  = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
+                                        sizeof (uint32_t) * 4);
+                }
+                sa->ce_mask         |= XFRM_SA_ATTR_COADDR;
+        }
+
+        if (tb[XFRMA_MARK]) {
+                struct xfrm_mark* m =   nla_data(tb[XFRMA_MARK]);
+                sa->mark.m  =   m->m;
+                sa->mark.v  =   m->v;
+                sa->ce_mask |= XFRM_SA_ATTR_MARK;
+        }
+
+        if (tb[XFRMA_SEC_CTX]) {
+                struct xfrm_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
+                len = sizeof (struct xfrmnl_sec_ctx) + sec_ctx->ctx_len;
+                if ((sa->sec_ctx = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->sec_ctx, (void *)sec_ctx, len);
+                sa->ce_mask     |= XFRM_SA_ATTR_SECCTX;
+        }
+
+        if (tb[XFRMA_ETIMER_THRESH]) {
+                sa->replay_maxage       =   *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
+                sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
+        }
+
+        if (tb[XFRMA_REPLAY_THRESH]) {
+                sa->replay_maxdiff      =   *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
+                sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
+        }
+
+        if (tb[XFRMA_REPLAY_ESN_VAL]) {
+                struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
+                len =   sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
+                if ((sa->replay_state_esn = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
+                sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
+        }
+        else if (tb[XFRMA_REPLAY_VAL])
+        {
+                struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
+                sa->replay_state.oseq       =   replay_state->oseq;
+                sa->replay_state.seq        =   replay_state->seq;
+                sa->replay_state.bitmap     =   replay_state->bitmap;
+                sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
+                sa->replay_state_esn = NULL;
+        }
+
+        *result = sa;
+        return 0;
+
+errout:
+        xfrmnl_sa_put(sa);
+        return err;
+}
+
+static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
+                change_func_t change_cb, void *data)
+{
+        struct nl_object*       old_sa;
+        struct xfrmnl_sa*       sa = (struct xfrmnl_sa*)obj;
+
+        if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
+        {
+                /* On hard expiry, the SA gets deleted too from the kernel state without any
+                 * further delete event. On Expire message, we are only updating the cache with
+                 * the SA object's new state. In absence of the explicit delete event, the cache will
+                 * be out of sync with the kernel state. To get around this, expiry messages cache
+                 * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
+                 * in Libnl Cache module. */
+
+                /* Do we already have this object in the cache? */
+                old_sa = nl_cache_search(cache, obj);
+                if (old_sa)
+                {
+                        /* Found corresponding SA object in cache. Delete it */
+                        nl_cache_remove (old_sa);
+                }
+
+                /* Handle the expiry event now */
+                if (sa->hard == 0)
+                {
+                        /* Soft expiry event: Save the new object to the
+                         * cache and notify application of the expiry event. */
+                        nl_cache_move (cache, obj);
+
+                        if (old_sa == NULL && change_cb)
+                        {
+                                /* Application CB present, no previous instance of SA object present.
+                                 * Notify application CB as a NEW event */
+                                change_cb (cache, obj, NL_ACT_NEW, data);
+                        }
+                        else if (old_sa)
+                        {
+                                /* Application CB present, a previous instance of SA object present.
+                                 * Notify application CB as a CHANGE1 event */
+                                if (nl_object_diff (old_sa, obj) && change_cb)
+                                        change_cb (cache, obj, NL_ACT_CHANGE, data);
+                                nl_object_put (old_sa);
+                        }
+                }
+                else
+                {
+                        /* Hard expiry event: Delete the object from the
+                         * cache and notify application of the expiry event. */
+                        if (change_cb)
+                                change_cb (cache, obj, NL_ACT_DEL, data);
+                        nl_object_put (old_sa);
+                }
+
+                /* Done handling expire message */
+                return 0;
+        }
+        else
+        {
+                /* All other messages other than Expire, let the standard Libnl cache
+                 * module handle it. */
+                return nl_cache_include (cache, obj, change_cb, data);
+        }
+}
+
+static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
+                struct nlmsghdr *n, struct nl_parser_param *pp)
+{
+        struct xfrmnl_sa*       sa;
+        int                     err;
+
+        if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
+                return err;
+
+        err = pp->pp_cb((struct nl_object *) sa, pp);
+
+        xfrmnl_sa_put(sa);
+        return 0;
+}
+
+/**
+ * @name XFRM SA Get
+ * @{
+ */
+
+int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
+{
+        struct nl_msg               *msg;
+        struct xfrm_usersa_id       sa_id;
+        struct xfrm_mark            mark;
+
+        if (!daddr || !spi)
+        {
+                fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
+                                __FILE__, __LINE__, __PRETTY_FUNCTION__);
+                assert(0);
+                return -NLE_MISSING_ATTR;
+        }
+
+        memset(&sa_id, 0, sizeof(sa_id));
+        memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
+        sa_id.family = nl_addr_get_family (daddr);
+        sa_id.spi    = htonl(spi);
+        sa_id.proto  = protocol;
+
+        if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if ((mark_m & mark_v) != 0)
+        {
+                memset(&mark, 0, sizeof(struct xfrm_mark));
+                mark.m = mark_m;
+                mark.v = mark_v;
+
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
+{
+        struct nl_msg *msg = NULL;
+        struct nl_object *obj;
+        int err;
+
+        if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto(sock, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
+                return err;
+
+        /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
+        *result = (struct xfrmnl_sa *) obj;
+
+        /* If an object has been returned, we also need to wait for the ACK */
+        if (err == 0 && obj)
+                nl_wait_for_ack(sock);
+
+        return 0;
+}
+
+/** @} */
+
+static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
+{
+        struct nl_msg*          msg;
+        struct xfrm_usersa_info sa_info;
+        uint32_t                len;
+        struct nl_addr*         addr;
+
+        if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
+                        !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
+                        !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
+                return -NLE_MISSING_ATTR;
+
+        memset ((void*)&sa_info, 0, sizeof (sa_info));
+        if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
+        {
+                addr = xfrmnl_sel_get_daddr (tmpl->sel);
+                memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
+                addr = xfrmnl_sel_get_saddr (tmpl->sel);
+                memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
+                sa_info.sel.dport       =   htons (xfrmnl_sel_get_dport (tmpl->sel));
+                sa_info.sel.dport_mask  =   htons (xfrmnl_sel_get_dportmask (tmpl->sel));
+                sa_info.sel.sport       =   htons (xfrmnl_sel_get_sport (tmpl->sel));
+                sa_info.sel.sport_mask  =   htons (xfrmnl_sel_get_sportmask (tmpl->sel));
+                sa_info.sel.family      =   xfrmnl_sel_get_family (tmpl->sel);
+                sa_info.sel.prefixlen_d =   xfrmnl_sel_get_prefixlen_d (tmpl->sel);
+                sa_info.sel.prefixlen_s =   xfrmnl_sel_get_prefixlen_s (tmpl->sel);
+                sa_info.sel.proto       =   xfrmnl_sel_get_proto (tmpl->sel);
+                sa_info.sel.ifindex     =   xfrmnl_sel_get_ifindex (tmpl->sel);
+                sa_info.sel.user        =   xfrmnl_sel_get_userid (tmpl->sel);
+        }
+
+        memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
+        sa_info.id.spi    = htonl(tmpl->id.spi);
+        sa_info.id.proto  = tmpl->id.proto;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
+                memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
+        {
+                sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
+                sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
+                sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
+                sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
+                sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
+                sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
+                sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
+                sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
+        }
+
+        //Skip current lifetime: cur lifetime can be updated only via AE
+        //Skip stats: stats cant be updated
+        //Skip seq: seq cant be updated
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
+                sa_info.reqid           = tmpl->reqid;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
+                sa_info.family          = tmpl->family;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
+                sa_info.mode            = tmpl->mode;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
+                sa_info.replay_window   = tmpl->replay_window;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
+                sa_info.flags           = tmpl->flags;
+
+        msg = nlmsg_alloc_simple(cmd, flags);
+        if (!msg)
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
+                len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
+                NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
+                struct xfrm_algo*   auth;
+                struct nlattr *     auth_attr;
+
+                len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
+                auth_attr = nla_reserve(msg, XFRMA_ALG_AUTH, len);
+                if (!auth_attr)
+                        goto nla_put_failure;
+                auth = nla_data (auth_attr);
+                strcpy(auth->alg_name, tmpl->auth->alg_name);
+                memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
+                auth->alg_key_len = tmpl->auth->alg_key_len;
+
+                len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
+                NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
+                len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
+                NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
+                len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
+                NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
+                struct xfrm_encap_tmpl* encap_tmpl;
+                struct nlattr*          encap_attr;
+
+                len = sizeof (struct xfrm_encap_tmpl);
+                encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
+                if (!encap_attr)
+                        goto nla_put_failure;
+                encap_tmpl = nla_data (encap_attr);
+                encap_tmpl->encap_type  =   tmpl->encap->encap_type;
+                encap_tmpl->encap_sport =   htons (tmpl->encap->encap_sport);
+                encap_tmpl->encap_dport =   htons (tmpl->encap->encap_dport);
+                memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
+                NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
+                NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
+                len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
+                NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
+                NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
+                NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
+        }
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
+                if (tmpl->replay_state_esn) {
+                        len =   sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
+                        NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
+                }
+                else {
+                        NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
+                }
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+/**
+ * @name XFRM SA Add
+ * @{
+ */
+
+int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
+}
+
+int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/**
+ * @name XFRM SA Update
+ * @{
+ */
+
+int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
+}
+
+int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/** @} */
+
+static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
+{
+        struct nl_msg*          msg;
+        struct xfrm_usersa_id   sa_id;
+
+        if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
+            !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
+            !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
+                return -NLE_MISSING_ATTR;
+
+        memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
+                sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
+        sa_id.family = nl_addr_get_family (tmpl->id.daddr);
+        sa_id.spi    = htonl(tmpl->id.spi);
+        sa_id.proto  = tmpl->id.proto;
+
+        msg = nlmsg_alloc_simple(cmd, flags);
+        if (!msg)
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+/**
+ * @name XFRM SA Delete
+ * @{
+ */
+
+int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
+}
+
+int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/** @} */
+
+
+/**
+ * @name Attributes
+ * @{
+ */
+
+struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_SEL)
+                return sa->sel;
+        else
+                return NULL;
+}
+
+int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
+{
+        /* Release any previously held selector object from the SA */
+        if (sa->sel)
+                xfrmnl_sel_put (sa->sel);
+
+        /* Increment ref count on new selector and save it in the SA */
+        xfrmnl_sel_get (sel);
+        sa->sel     =   sel;
+        sa->ce_mask |=  XFRM_SA_ATTR_SEL;
+
+        return 0;
+}
+
+static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
+                struct nl_addr *new, int flag, int nocheck)
+{
+        if (!nocheck)
+        {
+                if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
+                {
+                        if (nl_addr_get_family (new) != sa->family)
+                                return -NLE_AF_MISMATCH;
+                }
+        }
+
+        if (*pos)
+                nl_addr_put(*pos);
+
+        nl_addr_get(new);
+        *pos = new;
+
+        sa->ce_mask |= flag;
+
+        return 0;
+}
+
+
+struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
+                return sa->id.daddr;
+        else
+                return NULL;
+}
+
+int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
+{
+        return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
+}
+
+int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_SPI)
+                return sa->id.spi;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
+{
+        sa->id.spi = spi;
+        sa->ce_mask |= XFRM_SA_ATTR_SPI;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
+                return sa->id.proto;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
+{
+        sa->id.proto = protocol;
+        sa->ce_mask |= XFRM_SA_ATTR_PROTO;
+
+        return 0;
+}
+
+struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
+                return sa->saddr;
+        else
+                return NULL;
+}
+
+int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
+{
+        return  __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
+}
+
+struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
+                return sa->lft;
+        else
+                return NULL;
+}
+
+int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
+{
+        /* Release any previously held lifetime cfg object from the SA */
+        if (sa->lft)
+                xfrmnl_ltime_cfg_put (sa->lft);
+
+        /* Increment ref count on new lifetime object and save it in the SA */
+        xfrmnl_ltime_cfg_get (ltime);
+        sa->lft     =   ltime;
+        sa->ce_mask |=  XFRM_SA_ATTR_LTIME_CFG;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
+                unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
+{
+        if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
+                return -1;
+
+        if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
+        {
+                *curr_bytes     =   sa->curlft.bytes;
+                *curr_packets   =   sa->curlft.packets;
+                *curr_add_time  =   sa->curlft.add_time;
+                *curr_use_time  =   sa->curlft.use_time;
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
+                unsigned long long int* replay, unsigned long long int* integrity_failed)
+{
+        if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
+                return -1;
+
+        if (sa->ce_mask & XFRM_SA_ATTR_STATS)
+        {
+                *replay_window      =   sa->stats.replay_window;
+                *replay             =   sa->stats.replay;
+                *integrity_failed   =   sa->stats.integrity_failed;
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
+                return sa->seq;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REQID)
+                return sa->reqid;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
+{
+        sa->reqid = reqid;
+        sa->ce_mask |= XFRM_SA_ATTR_REQID;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
+                return sa->family;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
+{
+        sa->family = family;
+        sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_MODE)
+                return sa->mode;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
+{
+        sa->mode    =   mode;
+        sa->ce_mask |=  XFRM_SA_ATTR_MODE;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
+                return sa->replay_window;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
+{
+        sa->replay_window   =   replay_window;
+        sa->ce_mask         |=  XFRM_SA_ATTR_REPLAY_WIN;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
+                return sa->flags;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
+{
+        sa->flags = flags;
+        sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
+        {
+                strcpy (alg_name, sa->aead->alg_name);
+                *key_len    =   sa->aead->alg_key_len;
+                *icv_len    =   sa->aead->alg_icv_len;
+                memcpy ((void *)key, (void *)sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int key_len, unsigned int icv_len, char* key)
+{
+        uint32_t    newlen = sizeof (struct xfrmnl_algo_aead) + (sizeof (uint8_t) * ((key_len + 7)/8));
+
+        /* Free up the old key and allocate memory to hold new key */
+        if (sa->aead)
+                free (sa->aead);
+        if ((sa->aead = calloc (1, newlen)) == NULL)
+                return -1;
+
+        /* Save the new info */
+        strcpy (sa->aead->alg_name, alg_name);
+        sa->aead->alg_key_len   = key_len;
+        sa->aead->alg_icv_len   = icv_len;
+        memcpy ((void *)sa->aead->alg_key, (void *)key, newlen);
+
+        sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH)
+        {
+                strcpy (alg_name, sa->auth->alg_name);
+                *key_len    =   sa->auth->alg_key_len;
+                *trunc_len  =   sa->auth->alg_trunc_len;
+                memcpy ((void *)key, (void *)sa->auth->alg_key, ((sa->auth->alg_key_len + 7)/8));
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int key_len, unsigned int trunc_len, char* key)
+{
+        uint32_t    newlen = sizeof (struct xfrmnl_algo_auth) + (sizeof (uint8_t) * ((key_len + 7)/8));
+
+        /* Free up the old auth data and allocate new one */
+        if (sa->auth)
+                free (sa->auth);
+        if ((sa->auth = calloc (1, newlen)) == NULL)
+                return -1;
+
+        /* Save the new info */
+        strcpy (sa->auth->alg_name, alg_name);
+        sa->auth->alg_key_len   = key_len;
+        sa->auth->alg_trunc_len = trunc_len;
+        memcpy ((void *)sa->auth->alg_key, (void *)key, newlen);
+
+        sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
+        {
+                strcpy (alg_name, sa->crypt->alg_name);
+                *key_len    =   sa->crypt->alg_key_len;
+                memcpy ((void *)key, (void *)sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int key_len, char* key)
+{
+        uint32_t    newlen = sizeof (struct xfrmnl_algo) + (sizeof (uint8_t) * ((key_len + 7)/8));
+
+        /* Free up the old crypto and allocate new one */
+        if (sa->crypt)
+                free (sa->crypt);
+        if ((sa->crypt = calloc (1, newlen)) == NULL)
+                return -1;
+
+        /* Save the new info */
+        strcpy (sa->crypt->alg_name, alg_name);
+        sa->crypt->alg_key_len  = key_len;
+        memcpy ((void *)sa->crypt->alg_key, (void *)key, newlen);
+
+        sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
+        {
+                strcpy (alg_name, sa->comp->alg_name);
+                *key_len    =   sa->comp->alg_key_len;
+                memcpy ((void *)key, (void *)sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int key_len, char* key)
+{
+        uint32_t    newlen = sizeof (struct xfrmnl_algo) + (sizeof (uint8_t) * ((key_len + 7)/8));
+
+        /* Free up the old compression algo params and allocate new one */
+        if (sa->comp)
+                free (sa->comp);
+        if ((sa->comp = calloc (1, newlen)) == NULL)
+                return -1;
+
+        /* Save the new info */
+        strcpy (sa->comp->alg_name, alg_name);
+        sa->comp->alg_key_len  = key_len;
+        memcpy ((void *)sa->comp->alg_key, (void *)key, newlen);
+
+        sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
+        {
+                *encap_type     =   sa->encap->encap_type;
+                *encap_sport    =   sa->encap->encap_sport;
+                *encap_dport    =   sa->encap->encap_dport;
+                *encap_oa       =   nl_addr_clone (sa->encap->encap_oa);
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
+{
+        /* Free up the old encap OA */
+        if (sa->encap->encap_oa)
+                nl_addr_put (sa->encap->encap_oa);
+
+        /* Save the new info */
+        sa->encap->encap_type   =   encap_type;
+        sa->encap->encap_sport  =   encap_sport;
+        sa->encap->encap_dport  =   encap_dport;
+        nl_addr_get (encap_oa);
+        sa->encap->encap_oa     =   encap_oa;
+
+        sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
+                return sa->tfcpad;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
+{
+        sa->tfcpad  =   tfcpad;
+        sa->ce_mask |=  XFRM_SA_ATTR_TFCPAD;
+
+        return 0;
+}
+
+struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
+                return sa->coaddr;
+        else
+                return NULL;
+}
+
+int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
+{
+        /* Free up the old coaddr */
+        if (sa->coaddr)
+                nl_addr_put (sa->coaddr);
+
+        /* Save the new info */
+        nl_addr_get (coaddr);
+        sa->coaddr  =   coaddr;
+
+        sa->ce_mask |= XFRM_SA_ATTR_COADDR;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
+{
+        if (mark_mask == NULL || mark_value == NULL)
+                return -1;
+
+        if (sa->ce_mask & XFRM_SA_ATTR_MARK)
+        {
+                *mark_mask  =   sa->mark.m;
+                *mark_value  =   sa->mark.v;
+
+                return 0;
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
+{
+        sa->mark.v  = value;
+        sa->mark.m  = mask;
+        sa->ce_mask |= XFRM_SA_ATTR_MARK;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg, unsigned int* len, unsigned int* sid, char* ctx_str)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
+        {
+                *doi    =   sa->sec_ctx->ctx_doi;
+                *alg    =   sa->sec_ctx->ctx_alg;
+                *len    =   sa->sec_ctx->ctx_len;
+                *sid    =   sa->sec_ctx->ctx_sid;
+                memcpy ((void *)ctx_str, (void *)sa->sec_ctx->ctx_str, sizeof (uint8_t) * sa->sec_ctx->ctx_len);
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len, unsigned int sid, char* ctx_str)
+{
+        /* Free up the old context string and allocate new one */
+        if (sa->sec_ctx)
+                free (sa->sec_ctx);
+        if ((sa->sec_ctx = calloc (1, sizeof (struct xfrmnl_sec_ctx) + (sizeof (uint8_t) * len))) == NULL)
+                return -1;
+
+        /* Save the new info */
+        sa->sec_ctx->ctx_doi    =   doi;
+        sa->sec_ctx->ctx_alg    =   alg;
+        sa->sec_ctx->ctx_len    =   len;
+        sa->sec_ctx->ctx_sid    =   sid;
+        memcpy ((void *)sa->sec_ctx->ctx_str, (void *)ctx_str, sizeof (uint8_t) * len);
+
+        sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
+
+        return 0;
+}
+
+
+int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
+                return sa->replay_maxage;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
+{
+        sa->replay_maxage  = replay_maxage;
+        sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
+                return sa->replay_maxdiff;
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
+{
+        sa->replay_maxdiff  = replay_maxdiff;
+        sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
+        {
+                if (sa->replay_state_esn == NULL)
+                {
+                        *oseq   =   sa->replay_state.oseq;
+                        *seq    =   sa->replay_state.seq;
+                        *bmp    =   sa->replay_state.bitmap;
+
+                        return 0;
+                }
+                else
+                {
+                        return -1;
+                }
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
+{
+        sa->replay_state.oseq = oseq;
+        sa->replay_state.seq = seq;
+        sa->replay_state.bitmap = bitmap;
+        sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
+
+        return 0;
+}
+
+int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
+                unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
+        {
+                if (sa->replay_state_esn)
+                {
+                        *oseq   =   sa->replay_state_esn->oseq;
+                        *seq    =   sa->replay_state_esn->seq;
+                        *oseq_hi=   sa->replay_state_esn->oseq_hi;
+                        *seq_hi =   sa->replay_state_esn->seq_hi;
+                        *replay_window  =   sa->replay_state_esn->replay_window;
+                        *bmp_len        =   sa->replay_state_esn->bmp_len; // In number of 32 bit words
+                        memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
+
+                        return 0;
+                }
+                else
+                {
+                        return -1;
+                }
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
+                unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
+                unsigned int bmp_len, unsigned int* bmp)
+{
+        /* Free the old replay state and allocate space to hold new one */
+        if (sa->replay_state_esn)
+                free (sa->replay_state_esn);
+
+        if ((sa->replay_state_esn = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))) == NULL)
+                return -1;
+        sa->replay_state_esn->oseq = oseq;
+        sa->replay_state_esn->seq = seq;
+        sa->replay_state_esn->oseq_hi = oseq_hi;
+        sa->replay_state_esn->seq_hi = seq_hi;
+        sa->replay_state_esn->replay_window = replay_window;
+        sa->replay_state_esn->bmp_len = bmp_len; // In number of 32 bit words
+        memcpy (sa->replay_state_esn->bmp, bmp, bmp_len * sizeof (uint32_t));
+        sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
+
+        return 0;
+}
+
+
+int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
+                return (sa->hard > 0 ? 1: 0);
+        else
+                return 0;
+}
+
+int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
+{
+        if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
+                return 1;
+        else
+                return 0;
+}
+
+/** @} */
+
+static struct nl_object_ops xfrm_sa_obj_ops = {
+        .oo_name        =       "xfrm/sa",
+        .oo_size        =       sizeof(struct xfrmnl_sa),
+        .oo_constructor =       xfrm_sa_alloc_data,
+        .oo_free_data   =       xfrm_sa_free_data,
+        .oo_clone       =       xfrm_sa_clone,
+        .oo_dump        =       {
+                [NL_DUMP_LINE]          =       xfrm_sa_dump_line,
+                [NL_DUMP_DETAILS]   =       xfrm_sa_dump_details,
+                [NL_DUMP_STATS]         =       xfrm_sa_dump_stats,
+        },
+        .oo_compare     =       xfrm_sa_compare,
+        .oo_attrs2str   =       xfrm_sa_attrs2str,
+        .oo_id_attrs    =       (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
+};
+
+static struct nl_af_group xfrm_sa_groups[] = {
+        { AF_UNSPEC, XFRMNLGRP_SA },
+        { AF_UNSPEC, XFRMNLGRP_EXPIRE },
+        { END_OF_GROUP_LIST },
+};
+
+static struct nl_cache_ops xfrmnl_sa_ops = {
+        .co_name        =       "xfrm/sa",
+        .co_hdrsize     =       sizeof(struct xfrm_usersa_info),
+        .co_msgtypes    =       {
+                { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
+                { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
+                { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
+                { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
+                { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
+                END_OF_MSGTYPES_LIST,
+        },
+        .co_protocol    =       NETLINK_XFRM,
+        .co_groups      =       xfrm_sa_groups,
+        .co_request_update      =       xfrm_sa_request_update,
+        .co_msg_parser      =       xfrm_sa_msg_parser,
+        .co_obj_ops     =       &xfrm_sa_obj_ops,
+        .co_include_event       =       &xfrm_sa_update_cache
+};
+
+/**
+ * @name XFRM SA Cache Managament
+ * @{
+ */
+
+static void __attribute__ ((constructor)) xfrm_sa_init(void)
+{
+        nl_cache_mngt_register(&xfrmnl_sa_ops);
+}
+
+static void __attribute__ ((destructor)) xfrm_sa_exit(void)
+{
+        nl_cache_mngt_unregister(&xfrmnl_sa_ops);
+}
+
+/** @} */
diff --git a/lib/xfrm/selector.c b/lib/xfrm/selector.c
new file mode 100644 (file)
index 0000000..dc74b76
--- /dev/null
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * @ingroup xfrmnl
+ * @defgroup XFRM Address Selector
+ *
+ * Abstract data type representing XFRM SA/SP selector properties
+ *
+ * @{
+ *
+ * Header
+ * ------
+ * ~~~~{.c}
+ * #include <netlink/xfrm/selector.h>
+ * ~~~~
+ */
+
+#include <netlink-private/netlink.h>
+
+static void sel_destroy(struct xfrmnl_sel* sel)
+{
+        if (!sel)
+                return;
+
+        if (sel->refcnt != 1)
+        {
+                fprintf(stderr, "BUG: %s:%d\n", __FILE__, __LINE__);
+                assert(0);
+        }
+
+        nl_addr_put (sel->daddr);
+        nl_addr_put (sel->saddr);
+        free(sel);
+}
+
+/**
+ * @name Creating Selector
+ * @{
+ */
+
+/**
+ * Allocate new selector object.
+ * @return Newly allocated selector object or NULL
+ */
+struct xfrmnl_sel* xfrmnl_sel_alloc()
+{
+        struct xfrmnl_sel* sel;
+
+        sel = calloc(1, sizeof(struct xfrmnl_sel));
+        if (!sel)
+                return NULL;
+
+        sel->refcnt = 1;
+
+        return sel;
+}
+
+/**
+ * Clone existing selector object.
+ * @arg sel     Selector object.
+ * @return Newly allocated selector object being a duplicate of the
+ *         specified selector object or NULL if a failure occured.
+ */
+struct xfrmnl_sel* xfrmnl_sel_clone(struct xfrmnl_sel* sel)
+{
+        struct xfrmnl_sel* new;
+
+        new = xfrmnl_sel_alloc();
+        if (new)
+                memcpy ((void*)new, (void*)sel, sizeof (struct xfrmnl_sel));
+
+        new->daddr = nl_addr_clone(sel->daddr);
+        new->saddr = nl_addr_clone(sel->saddr);
+
+        return new;
+}
+
+/** @} */
+
+/**
+ * @name Managing Usage References
+ * @{
+ */
+
+struct xfrmnl_sel* xfrmnl_sel_get(struct xfrmnl_sel* sel)
+{
+        sel->refcnt++;
+
+        return sel;
+}
+
+void xfrmnl_sel_put(struct xfrmnl_sel* sel)
+{
+        if (!sel)
+                return;
+
+        if (sel->refcnt == 1)
+                sel_destroy(sel);
+        else
+                sel->refcnt--;
+}
+
+/**
+ * Check whether an selector object is shared.
+ * @arg addr        Selector object.
+ * @return Non-zero if the selector object is shared, otherwise 0.
+ */
+int xfrmnl_sel_shared(struct xfrmnl_sel* sel)
+{
+        return sel->refcnt > 1;
+}
+
+/** @} */
+
+/**
+ * @name Miscellaneous
+ * @{
+ */
+
+/**
+ * Compares two selector objects.
+ * @arg a       A selector object.
+ * @arg b       Another selector object.
+ *
+ * @return Non zero if difference is found, 0 otherwise if both
+ * the objects are identical.
+ */
+int xfrmnl_sel_cmp(struct xfrmnl_sel* a, struct xfrmnl_sel* b)
+{
+        /* Check for any differences */
+        if ((nl_addr_cmp_prefix (a->daddr, b->daddr) != 0) ||
+            (nl_addr_cmp_prefix (a->saddr, b->saddr) != 0) ||
+            ((a->sport & a->sport_mask) != (b->sport & b->sport_mask)) ||
+            ((a->dport & a->dport_mask) != (b->dport & b->dport_mask)) ||
+            (a->family != b->family) ||
+            (a->proto && (a->proto != b->proto)) ||
+            (a->ifindex && a->ifindex != b->ifindex) ||
+            (a->user != b->user))
+                return 1;
+
+        /* The objects are identical */
+        return 0;
+}
+
+void xfrmnl_sel_dump(struct xfrmnl_sel* sel, struct nl_dump_params *p)
+{
+        char    dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
+        char    buf [128];
+
+        nl_dump_line(p, "\t\tsrc %s dst %s family: %s\n", nl_addr2str(sel->saddr, src, sizeof(src)),
+                        nl_addr2str (sel->daddr, dst, sizeof (dst)), nl_af2str (sel->family, buf, 128));
+        nl_dump_line (p, "\t\tsrc port/mask: %d/%d dst port/mask: %d/%d\n",
+                        sel->dport, sel->dport_mask, sel->sport, sel->sport_mask);
+        nl_dump_line (p, "\t\tprotocol: %s ifindex: %u user: %u\n",
+                        nl_ip_proto2str (sel->proto, buf, sizeof(buf)), sel->ifindex, sel->user);
+
+        return;
+}
+
+
+/** @} */
+
+/**
+ * @name Attributes
+ * @{
+ */
+struct nl_addr* xfrmnl_sel_get_daddr (struct xfrmnl_sel* sel)
+{
+        return sel->daddr;
+}
+
+int xfrmnl_sel_set_daddr (struct xfrmnl_sel* sel, struct nl_addr* addr)
+{
+        /* Increment reference counter on this to keep this address
+         * object around while selector in use */
+        nl_addr_get(addr);
+
+        sel->daddr = addr;
+
+        return 0;
+}
+
+struct nl_addr* xfrmnl_sel_get_saddr (struct xfrmnl_sel* sel)
+{
+        return sel->saddr;
+}
+
+int xfrmnl_sel_set_saddr (struct xfrmnl_sel* sel, struct nl_addr* addr)
+{
+        /* Increment reference counter on this to keep this address
+         * object around while selector in use */
+        nl_addr_get(addr);
+
+        sel->saddr = addr;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_dport (struct xfrmnl_sel* sel)
+{
+        return sel->dport;
+}
+
+int xfrmnl_sel_set_dport (struct xfrmnl_sel* sel, unsigned int dport)
+{
+        sel->dport = dport;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_dportmask (struct xfrmnl_sel* sel)
+{
+        return sel->dport_mask;
+}
+
+int xfrmnl_sel_set_dportmask (struct xfrmnl_sel* sel, unsigned int dport_mask)
+{
+        sel->dport_mask = dport_mask;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_sport (struct xfrmnl_sel* sel)
+{
+        return sel->sport;
+}
+
+int xfrmnl_sel_set_sport (struct xfrmnl_sel* sel, unsigned int sport)
+{
+        sel->sport = sport;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_sportmask (struct xfrmnl_sel* sel)
+{
+        return sel->sport_mask;
+}
+
+int xfrmnl_sel_set_sportmask (struct xfrmnl_sel* sel, unsigned int sport_mask)
+{
+        sel->sport_mask = sport_mask;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_family(struct xfrmnl_sel *sel)
+{
+        return sel->family;
+}
+
+int xfrmnl_sel_set_family(struct xfrmnl_sel *sel, int family)
+{
+        sel->family = family;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_prefixlen_d (struct xfrmnl_sel* sel)
+{
+        return sel->prefixlen_d;
+}
+
+int xfrmnl_sel_set_prefixlen_d (struct xfrmnl_sel* sel, unsigned int prefixlen)
+{
+        sel->prefixlen_d = prefixlen;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_prefixlen_s (struct xfrmnl_sel* sel)
+{
+        return sel->prefixlen_s;
+}
+
+int xfrmnl_sel_set_prefixlen_s (struct xfrmnl_sel* sel, unsigned int prefixlen)
+{
+        sel->prefixlen_s = prefixlen;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_proto (struct xfrmnl_sel* sel)
+{
+        return sel->proto;
+}
+
+int xfrmnl_sel_set_proto (struct xfrmnl_sel* sel, unsigned int protocol)
+{
+        sel->proto = protocol;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_ifindex (struct xfrmnl_sel* sel)
+{
+        return sel->ifindex;
+}
+
+int xfrmnl_sel_set_ifindex (struct xfrmnl_sel* sel, unsigned int ifindex)
+{
+        sel->ifindex = ifindex;
+
+        return 0;
+}
+
+int xfrmnl_sel_get_userid (struct xfrmnl_sel* sel)
+{
+        return sel->user;
+}
+
+int xfrmnl_sel_set_userid (struct xfrmnl_sel* sel, unsigned int userid)
+{
+        sel->user   = userid;
+        return 0;
+}
+
+
+/** @} */
diff --git a/lib/xfrm/sp.c b/lib/xfrm/sp.c
new file mode 100644 (file)
index 0000000..2ddf716
--- /dev/null
@@ -0,0 +1,1369 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * @ingroup xfrmnl
+ * @defgroup sp Security Policy
+ * @brief
+ */
+
+#include <netlink-private/netlink.h>
+#include <netlink/netlink.h>
+#include <netlink/cache.h>
+#include <netlink/object.h>
+#include <netlink/xfrm/selector.h>
+#include <netlink/xfrm/lifetime.h>
+#include <netlink/xfrm/template.h>
+#include <netlink/xfrm/sp.h>
+
+/** @cond SKIP */
+#define XFRM_SP_ATTR_SEL            0x01
+#define XFRM_SP_ATTR_LTIME_CFG      0x02
+#define XFRM_SP_ATTR_LTIME_CUR      0x04
+#define XFRM_SP_ATTR_PRIO           0x08
+#define XFRM_SP_ATTR_INDEX          0x10
+#define XFRM_SP_ATTR_DIR            0x20
+#define XFRM_SP_ATTR_ACTION         0x40
+#define XFRM_SP_ATTR_FLAGS          0x80
+#define XFRM_SP_ATTR_SHARE          0x100
+#define XFRM_SP_ATTR_POLTYPE        0x200
+#define XFRM_SP_ATTR_SECCTX         0x400
+#define XFRM_SP_ATTR_TMPL           0x800
+#define XFRM_SP_ATTR_MARK           0x1000
+
+static struct nl_cache_ops  xfrmnl_sp_ops;
+static struct nl_object_ops xfrm_sp_obj_ops;
+/** @endcond */
+
+static void xfrm_sp_alloc_data(struct nl_object *c)
+{
+        struct xfrmnl_sp* sp =   nl_object_priv (c);
+
+        if ((sp->sel = xfrmnl_sel_alloc ()) == NULL)
+                return;
+
+        if ((sp->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
+                return;
+
+        nl_init_list_head(&sp->usertmpl_list);
+
+        return;
+}
+
+static void xfrm_sp_free_data(struct nl_object *c)
+{
+        struct xfrmnl_sp* sp =   nl_object_priv (c);
+        struct xfrmnl_user_tmpl *utmpl, *tmp;
+
+        if (sp == NULL)
+                return;
+
+        xfrmnl_sel_put (sp->sel);
+        xfrmnl_ltime_cfg_put (sp->lft);
+
+        if(sp->sec_ctx)
+        {
+                free (sp->sec_ctx->ctx);
+                free (sp->sec_ctx);
+        }
+
+        nl_list_for_each_entry_safe(utmpl, tmp, &sp->usertmpl_list, utmpl_list) {
+                xfrmnl_sp_remove_usertemplate (sp, utmpl);
+                xfrmnl_user_tmpl_free (utmpl);
+        }
+}
+
+static int xfrm_sp_clone(struct nl_object *_dst, struct nl_object *_src)
+{
+        struct xfrmnl_sp*       dst = nl_object_priv(_dst);
+        struct xfrmnl_sp*       src = nl_object_priv(_src);
+        uint32_t                len = 0;
+        struct xfrmnl_user_tmpl *utmpl, *new;
+
+        if (src->sel)
+                if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
+                        return -NLE_NOMEM;
+
+        if (src->lft)
+                if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
+                        return -NLE_NOMEM;
+
+        if(src->sec_ctx)
+        {
+                len =   sizeof (struct xfrmnl_user_sec_ctx) + src->sec_ctx->ctx_len;
+                if ((dst->sec_ctx = calloc (1, len)) == NULL)
+                        return -NLE_NOMEM;
+                memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
+        }
+
+        nl_init_list_head(&dst->usertmpl_list);
+        nl_list_for_each_entry(utmpl, &src->usertmpl_list, utmpl_list) {
+                new = xfrmnl_user_tmpl_clone (utmpl);
+                if (!new)
+                        return -NLE_NOMEM;
+
+                xfrmnl_sp_add_usertemplate(dst, new);
+        }
+
+        return 0;
+}
+
+static int xfrm_sp_compare(struct nl_object *_a, struct nl_object *_b, uint32_t attrs, int flags)
+{
+        struct xfrmnl_sp* a  =   (struct xfrmnl_sp *) _a;
+        struct xfrmnl_sp* b  =   (struct xfrmnl_sp *) _b;
+        struct xfrmnl_user_tmpl *tmpl_a, *tmpl_b;
+        int diff = 0;
+
+#define XFRM_SP_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SP_ATTR_##ATTR, a, b, EXPR)
+        diff |= XFRM_SP_DIFF(SEL,   xfrmnl_sel_cmp(a->sel, b->sel));
+        diff |= XFRM_SP_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
+        diff |= XFRM_SP_DIFF(PRIO,  a->priority != b->priority);
+        diff |= XFRM_SP_DIFF(INDEX, a->index != b->index);
+        diff |= XFRM_SP_DIFF(DIR,   a->dir != b->dir);
+        diff |= XFRM_SP_DIFF(ACTION,    a->action != b->action);
+        diff |= XFRM_SP_DIFF(FLAGS, a->flags != b->flags);
+        diff |= XFRM_SP_DIFF(SHARE, a->share != b->share);
+        diff |= XFRM_SP_DIFF(SECCTX,((a->sec_ctx->len != b->sec_ctx->len) ||
+                                    (a->sec_ctx->exttype != b->sec_ctx->exttype) ||
+                                    (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
+                                    (a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
+                                    (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
+                                    strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
+        diff |= XFRM_SP_DIFF(POLTYPE,(a->uptype.type != b->uptype.type));
+        diff |= XFRM_SP_DIFF(TMPL,(a->nr_user_tmpl != b->nr_user_tmpl));
+        diff |= XFRM_SP_DIFF(MARK,(a->mark.m != b->mark.m) ||
+                                  (a->mark.v != b->mark.v));
+
+        /* Compare the templates */
+        nl_list_for_each_entry(tmpl_b, &b->usertmpl_list, utmpl_list)
+                nl_list_for_each_entry(tmpl_a, &a->usertmpl_list, utmpl_list)
+                diff |= xfrmnl_user_tmpl_cmp (tmpl_a, tmpl_b);
+#undef XFRM_SP_DIFF
+
+        return diff;
+}
+
+/**
+ * @name XFRM SP Attribute Translations
+ * @{
+ */
+static const struct trans_tbl sp_attrs[] = {
+        __ADD(XFRM_SP_ATTR_SEL, selector)
+        __ADD(XFRM_SP_ATTR_LTIME_CFG, lifetime_cfg)
+        __ADD(XFRM_SP_ATTR_LTIME_CUR, lifetime_cur)
+        __ADD(XFRM_SP_ATTR_PRIO, priority)
+        __ADD(XFRM_SP_ATTR_INDEX, index)
+        __ADD(XFRM_SP_ATTR_DIR, direction)
+        __ADD(XFRM_SP_ATTR_ACTION, action)
+        __ADD(XFRM_SP_ATTR_FLAGS, flags)
+        __ADD(XFRM_SP_ATTR_SHARE, share)
+        __ADD(XFRM_SP_ATTR_POLTYPE, policy_type)
+        __ADD(XFRM_SP_ATTR_SECCTX, security_context)
+        __ADD(XFRM_SP_ATTR_TMPL, user_template)
+        __ADD(XFRM_SP_ATTR_MARK, mark)
+};
+
+static char* xfrm_sp_attrs2str(int attrs, char *buf, size_t len)
+{
+        return __flags2str (attrs, buf, len, sp_attrs, ARRAY_SIZE(sp_attrs));
+}
+/** @} */
+
+/**
+ * @name XFRM SP Action Translations
+ * @{
+ */
+static const struct trans_tbl sa_actions[] = {
+        __ADD(XFRM_POLICY_ALLOW, allow)
+        __ADD(XFRM_POLICY_BLOCK, block)
+};
+
+char* xfrmnl_sp_action2str(int action, char *buf, size_t len)
+{
+        return __type2str (action, buf, len, sa_actions, ARRAY_SIZE(sa_actions));
+}
+
+int xfrmnl_sp_str2action(const char *name)
+{
+        return __str2type (name, sa_actions, ARRAY_SIZE(sa_actions));
+}
+/** @} */
+
+/**
+ * @name XFRM SP Flags Translations
+ * @{
+ */
+static const struct trans_tbl sp_flags[] = {
+        __ADD(XFRM_POLICY_LOCALOK, allow policy override by user)
+        __ADD(XFRM_POLICY_ICMP, auto include ICMP in policy)
+};
+
+char* xfrmnl_sp_flags2str(int flags, char *buf, size_t len)
+{
+        return __flags2str (flags, buf, len, sp_flags, ARRAY_SIZE(sp_flags));
+}
+
+int xfrmnl_sp_str2flag(const char *name)
+{
+        return __str2flags(name, sp_flags, ARRAY_SIZE(sp_flags));
+}
+/** @} */
+
+/**
+ * @name XFRM SP Type Translations
+ * @{
+ */
+static const struct trans_tbl sp_types[] = {
+        __ADD(XFRM_POLICY_TYPE_MAIN, main)
+        __ADD(XFRM_POLICY_TYPE_SUB, sub)
+        __ADD(XFRM_POLICY_TYPE_MAX, max)
+        __ADD(XFRM_POLICY_TYPE_ANY, any)
+};
+
+char* xfrmnl_sp_type2str(int type, char *buf, size_t len)
+{
+        return __type2str(type, buf, len, sp_types, ARRAY_SIZE(sp_types));
+}
+
+int xfrmnl_sp_str2type(const char *name)
+{
+        return __str2type(name, sp_types, ARRAY_SIZE(sp_types));
+}
+/** @} */
+
+/**
+ * @name XFRM SP Direction Translations
+ * @{
+ */
+static const struct trans_tbl sp_dir[] = {
+        __ADD(XFRM_POLICY_IN, in)
+        __ADD(XFRM_POLICY_OUT, out)
+        __ADD(XFRM_POLICY_FWD, fwd)
+        __ADD(XFRM_POLICY_MASK, mask)
+};
+
+char* xfrmnl_sp_dir2str(int dir, char *buf, size_t len)
+{
+        return __type2str (dir, buf, len, sp_dir, ARRAY_SIZE(sp_dir));
+}
+
+int xfrmnl_sp_str2dir(const char *name)
+{
+        return __str2type (name, sp_dir, ARRAY_SIZE(sp_dir));
+}
+
+int xfrmnl_sp_index2dir (unsigned int index)
+{
+        return index & 0x7;
+}
+/** @} */
+
+/**
+ * @name XFRM SP Share Translations
+ * @{
+ */
+static const struct trans_tbl sp_share[] = {
+        __ADD(XFRM_SHARE_ANY, any)
+        __ADD(XFRM_SHARE_SESSION, session)
+        __ADD(XFRM_SHARE_USER, user)
+        __ADD(XFRM_SHARE_UNIQUE, unique)
+};
+
+char* xfrmnl_sp_share2str(int share, char *buf, size_t len)
+{
+        return __type2str (share, buf, len, sp_share, ARRAY_SIZE(sp_share));
+}
+
+int xfrmnl_sp_str2share(const char *name)
+{
+        return __str2type (name, sp_share, ARRAY_SIZE(sp_share));
+}
+/** @} */
+
+static void xfrm_sp_dump_line(struct nl_object *a, struct nl_dump_params *p)
+{
+        struct xfrmnl_sp*   sp  =   (struct xfrmnl_sp *) a;
+        char                dir[32], action[32], share[32], flags[32];
+        char                dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
+        time_t              add_time, use_time;
+        struct tm           *add_time_tm, *use_time_tm;
+
+        nl_addr2str(xfrmnl_sel_get_saddr (sp->sel), src, sizeof(src));
+        nl_addr2str (xfrmnl_sel_get_daddr (sp->sel), dst, sizeof (dst));
+        nl_af2str (xfrmnl_sel_get_family (sp->sel), dir, 32);
+        nl_dump_line(p, "src %s dst %s family: %s\n", src, dst, dir);
+        nl_dump_line (p, "src port/mask: %d/%d dst port/mask: %d/%d\n",
+                        xfrmnl_sel_get_dport (sp->sel), xfrmnl_sel_get_dportmask (sp->sel),
+                        xfrmnl_sel_get_sport (sp->sel), xfrmnl_sel_get_sportmask (sp->sel));
+        nl_dump_line (p, "protocol: %s ifindex: %u uid: %u\n",
+                        nl_ip_proto2str (xfrmnl_sel_get_proto (sp->sel), dir, sizeof(dir)),
+                        xfrmnl_sel_get_ifindex (sp->sel),
+                        xfrmnl_sel_get_userid (sp->sel));
+
+        xfrmnl_sp_dir2str (sp->dir, dir, 32);
+        xfrmnl_sp_action2str (sp->action, action, 32);
+        xfrmnl_sp_share2str (sp->share, share, 32);
+        xfrmnl_sp_flags2str (sp->flags, flags, 32);
+        nl_dump_line(p, "\tdir: %s action: %s index: %u priority: %u share: %s flags: %s(0x%x) \n",
+                        dir, action, sp->index, sp->priority, share, flags, sp->flags);
+
+        nl_dump_line(p, "\tlifetime configuration: \n");
+        if (sp->lft->soft_byte_limit == XFRM_INF)
+                sprintf (dir, "INF");
+        else
+                sprintf (dir, "%llu", sp->lft->soft_byte_limit);
+        if (sp->lft->soft_packet_limit == XFRM_INF)
+                sprintf (action, "INF");
+        else
+                sprintf (action, "%llu", sp->lft->soft_packet_limit);
+        if (sp->lft->hard_byte_limit == XFRM_INF)
+                sprintf (flags, "INF");
+        else
+                sprintf (flags, "%llu", sp->lft->hard_byte_limit);
+        if (sp->lft->hard_packet_limit == XFRM_INF)
+                sprintf (share, "INF");
+        else
+                sprintf (share, "%llu", sp->lft->hard_packet_limit);
+        nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets) \n", dir, action);
+        nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets) \n", flags, share);
+        nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
+                        sp->lft->soft_add_expires_seconds, sp->lft->soft_use_expires_seconds);
+        nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
+                        sp->lft->hard_add_expires_seconds, sp->lft->hard_use_expires_seconds);
+
+        nl_dump_line(p, "\tlifetime current: \n");
+        nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sp->curlft.bytes, sp->curlft.packets);
+
+        if (sp->curlft.add_time != 0)
+        {
+                add_time = sp->curlft.add_time;
+                add_time_tm = gmtime (&add_time);
+                strftime (dst, INET6_ADDRSTRLEN+5, "%Y-%m-%d %H-%M-%S", add_time_tm);
+        }
+        else
+        {
+                sprintf (dst, "%s", "-");
+        }
+
+        if (sp->curlft.use_time != 0)
+        {
+                use_time = sp->curlft.use_time;
+                use_time_tm = gmtime (&use_time);
+                strftime (src, INET6_ADDRSTRLEN+5, "%Y-%m-%d %H-%M-%S", use_time_tm);
+        }
+        else
+        {
+                sprintf (src, "%s", "-");
+        }
+        nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", dst, src);
+
+        if (sp->ce_mask & XFRM_SP_ATTR_SECCTX)
+        {
+                nl_dump_line(p, "\tUser security context: \n");
+                nl_dump_line(p, "\t\tlen: %d exttype: %d Algo: %d DOI: %d ctxlen: %d\n",
+                                sp->sec_ctx->len, sp->sec_ctx->exttype,
+                                sp->sec_ctx->ctx_alg, sp->sec_ctx->ctx_doi, sp->sec_ctx->ctx_len);
+                nl_dump_line (p, "\t\tctx: %s \n", sp->sec_ctx->ctx);
+        }
+
+        xfrmnl_sp_type2str (sp->uptype.type, flags, 32);
+        if (sp->ce_mask & XFRM_SP_ATTR_POLTYPE)
+                nl_dump_line(p, "\tUser policy type: %s\n", flags);
+
+        if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
+        {
+                struct xfrmnl_user_tmpl*    utmpl;
+
+                nl_dump_line(p, "\tUser template: \n");
+
+                nl_list_for_each_entry(utmpl, &sp->usertmpl_list, utmpl_list)
+                        xfrmnl_user_tmpl_dump (utmpl, p);
+        }
+
+        if (sp->ce_mask & XFRM_SP_ATTR_MARK)
+                nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sp->mark.m, sp->mark.v);
+
+        nl_dump(p, "\n");
+}
+
+static void xfrm_sp_dump_details(struct nl_object *a, struct nl_dump_params *p)
+{
+        xfrm_sp_dump_line(a, p);
+}
+
+static void xfrm_sp_dump_stats(struct nl_object *a, struct nl_dump_params *p)
+{
+        xfrm_sp_dump_details(a, p);
+
+        return;
+}
+
+/**
+ * @name XFRM SP Object Allocation/Freeage
+ * @{
+ */
+
+struct xfrmnl_sp* xfrmnl_sp_alloc(void)
+{
+        return (struct xfrmnl_sp*) nl_object_alloc(&xfrm_sp_obj_ops);
+}
+
+void xfrmnl_sp_put(struct xfrmnl_sp* sp)
+{
+        nl_object_put((struct nl_object *) sp);
+}
+
+/** @} */
+
+/**
+ * @name SP Cache Managament
+ * @{
+ */
+
+/**
+ * Build a SP cache including all SPs currently configured in the kernel.
+ * @arg sock        Netlink socket.
+ * @arg result      Pointer to store resulting cache.
+ *
+ * Allocates a new SP cache, initializes it properly and updates it
+ * to include all SPs currently configured in the kernel.
+ *
+ * @return 0 on success or a negative error code.
+ */
+int xfrmnl_sp_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
+{
+        return nl_cache_alloc_and_fill(&xfrmnl_sp_ops, sock, result);
+}
+
+/**
+ * Look up a SP by policy id and direction
+ * @arg cache       SP cache
+ * @arg index       Policy Id
+ * @arg dir         direction
+ * @return sp handle or NULL if no match was found.
+ */
+struct xfrmnl_sp* xfrmnl_sp_get(struct nl_cache* cache, unsigned int index, unsigned int dir)
+{
+        struct xfrmnl_sp *sp;
+
+        //nl_list_for_each_entry(sp, &cache->c_items, ce_list) {
+        for (sp = (struct xfrmnl_sp*)nl_cache_get_first (cache);
+             sp != NULL;
+             sp = (struct xfrmnl_sp*)nl_cache_get_next ((struct nl_object*)sp))
+        {
+                if (sp->index == index && sp->dir == dir)
+                {
+                        nl_object_get((struct nl_object *) sp);
+                        return sp;
+                }
+        }
+
+        return NULL;
+}
+
+
+/** @} */
+
+
+static struct nla_policy xfrm_sp_policy[XFRMA_MAX+1] = {
+        [XFRMA_POLICY]      = { .minlen = sizeof(struct xfrm_userpolicy_info)},
+        [XFRMA_SEC_CTX]     = { .minlen = sizeof(struct xfrm_sec_ctx) },
+        [XFRMA_TMPL]        = { .minlen = sizeof(struct xfrm_user_tmpl) },
+        [XFRMA_POLICY_TYPE] = { .minlen = sizeof(struct xfrm_userpolicy_type)},
+        [XFRMA_MARK]        = { .minlen = sizeof(struct xfrm_mark) },
+};
+
+static int xfrm_sp_request_update(struct nl_cache *c, struct nl_sock *h)
+{
+        struct xfrm_userpolicy_id   sp_id;
+
+        memset ((void *)&sp_id, 0, sizeof (struct xfrm_userpolicy_id));
+        return nl_send_simple (h, XFRM_MSG_GETPOLICY, NLM_F_DUMP,(void*)&sp_id, sizeof (struct xfrm_userpolicy_id));
+}
+
+int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
+{
+        struct xfrmnl_sp                *sp;
+        struct nlattr                   *tb[XFRMA_MAX + 1];
+        struct xfrm_userpolicy_info     *sp_info;
+        struct xfrm_userpolicy_id       *sp_id;
+        int                             len, err;
+        struct nl_addr*                 addr;
+
+        sp = xfrmnl_sp_alloc();
+        if (!sp) {
+                err = -NLE_NOMEM;
+                goto errout;
+        }
+
+        sp->ce_msgtype = n->nlmsg_type;
+        if (n->nlmsg_type == XFRM_MSG_DELPOLICY)
+        {
+                sp_id = nlmsg_data(n);
+                sp_info = (struct xfrm_userpolicy_info*)(nlmsg_data(n) + sizeof (struct xfrm_userpolicy_id) + NLA_HDRLEN);
+        }
+        else
+        {
+                sp_info = nlmsg_data(n);
+        }
+
+        err = nlmsg_parse(n, sizeof(struct xfrm_userpolicy_info), tb, XFRMA_MAX, xfrm_sp_policy);
+        if (err < 0)
+        {
+                printf ("parse error: %d \n", err);
+                goto errout;
+        }
+
+        if (sp_info->sel.family == AF_INET)
+                addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.daddr.a4, sizeof (sp_info->sel.daddr.a4));
+        else
+                addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.daddr.a6, sizeof (sp_info->sel.daddr.a6));
+        nl_addr_set_prefixlen (addr, sp_info->sel.prefixlen_d);
+        xfrmnl_sel_set_daddr (sp->sel, addr);
+        xfrmnl_sel_set_prefixlen_d (sp->sel, sp_info->sel.prefixlen_d);
+
+        if (sp_info->sel.family == AF_INET)
+                addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.saddr.a4, sizeof (sp_info->sel.saddr.a4));
+        else
+                addr    = nl_addr_build (sp_info->sel.family, &sp_info->sel.saddr.a6, sizeof (sp_info->sel.saddr.a6));
+        nl_addr_set_prefixlen (addr, sp_info->sel.prefixlen_s);
+        xfrmnl_sel_set_saddr (sp->sel, addr);
+        xfrmnl_sel_set_prefixlen_s (sp->sel, sp_info->sel.prefixlen_s);
+
+        xfrmnl_sel_set_dport (sp->sel, ntohs (sp_info->sel.dport));
+        xfrmnl_sel_set_dportmask (sp->sel, ntohs (sp_info->sel.dport_mask));
+        xfrmnl_sel_set_sport (sp->sel, ntohs (sp_info->sel.sport));
+        xfrmnl_sel_set_sportmask (sp->sel, ntohs (sp_info->sel.sport_mask));
+        xfrmnl_sel_set_family (sp->sel, sp_info->sel.family);
+        xfrmnl_sel_set_proto (sp->sel, sp_info->sel.proto);
+        xfrmnl_sel_set_ifindex (sp->sel, sp_info->sel.ifindex);
+        xfrmnl_sel_set_userid (sp->sel, sp_info->sel.user);
+        sp->ce_mask             |= XFRM_SP_ATTR_SEL;
+
+        sp->lft->soft_byte_limit    =   sp_info->lft.soft_byte_limit;
+        sp->lft->hard_byte_limit    =   sp_info->lft.hard_byte_limit;
+        sp->lft->soft_packet_limit  =   sp_info->lft.soft_packet_limit;
+        sp->lft->hard_packet_limit  =   sp_info->lft.hard_packet_limit;
+        sp->lft->soft_add_expires_seconds   =   sp_info->lft.soft_add_expires_seconds;
+        sp->lft->hard_add_expires_seconds   =   sp_info->lft.hard_add_expires_seconds;
+        sp->lft->soft_use_expires_seconds   =   sp_info->lft.soft_use_expires_seconds;
+        sp->lft->hard_use_expires_seconds   =   sp_info->lft.hard_use_expires_seconds;
+        sp->ce_mask             |= XFRM_SP_ATTR_LTIME_CFG;
+
+        sp->curlft.bytes        = sp_info->curlft.bytes;
+        sp->curlft.packets      = sp_info->curlft.packets;
+        sp->curlft.add_time     = sp_info->curlft.add_time;
+        sp->curlft.use_time     = sp_info->curlft.use_time;
+        sp->ce_mask             |= XFRM_SP_ATTR_LTIME_CUR;
+
+        sp->priority            = sp_info->priority;
+        sp->index               = sp_info->index;
+        sp->dir                 = sp_info->dir;
+        sp->action              = sp_info->action;
+        sp->flags               = sp_info->flags;
+        sp->share               = sp_info->share;
+        sp->ce_mask             |= (XFRM_SP_ATTR_PRIO | XFRM_SP_ATTR_INDEX |
+                        XFRM_SP_ATTR_DIR | XFRM_SP_ATTR_ACTION |
+                        XFRM_SP_ATTR_FLAGS | XFRM_SP_ATTR_SHARE);
+
+        if (tb[XFRMA_SEC_CTX]) {
+                struct xfrm_user_sec_ctx* ctx = nla_data(tb[XFRMA_SEC_CTX]);
+                len = sizeof (struct xfrmnl_user_sec_ctx) + ctx->ctx_len;
+                if ((sp->sec_ctx = calloc (1, len)) == NULL)
+                {
+                        err = -NLE_NOMEM;
+                        goto errout;
+                }
+                memcpy ((void *)sp->sec_ctx, (void *)ctx, len);
+                sp->ce_mask     |= XFRM_SP_ATTR_SECCTX;
+        }
+
+        if (tb[XFRMA_POLICY_TYPE]) {
+                struct xfrm_userpolicy_type* up = nla_data(tb[XFRMA_POLICY_TYPE]);
+                memcpy ((void *)&sp->uptype, (void *)up, sizeof (struct xfrm_userpolicy_type));
+                sp->ce_mask     |= XFRM_SP_ATTR_POLTYPE;
+        }
+
+        if (tb[XFRMA_TMPL]) {
+                struct xfrm_user_tmpl*      tmpl = nla_data(tb[XFRMA_TMPL]);
+                struct xfrmnl_user_tmpl*    sputmpl;
+                uint32_t                    i;
+                uint32_t                    num_tmpls = nla_len(tb[XFRMA_TMPL]) / sizeof (*tmpl);
+                struct  nl_addr*            addr;
+
+                for (i = 0; (i < num_tmpls) && (tmpl); i ++, tmpl++)
+                {
+                        if ((sputmpl = xfrmnl_user_tmpl_alloc ()) == NULL)
+                        {
+                                err = -NLE_NOMEM;
+                                goto errout;
+                        }
+
+                        if (tmpl->family == AF_INET)
+                                addr = nl_addr_build(tmpl->family, &tmpl->id.daddr.a4, sizeof (tmpl->id.daddr.a4));
+                        else
+                                addr = nl_addr_build(tmpl->family, &tmpl->id.daddr.a6, sizeof (tmpl->id.daddr.a6));
+                        xfrmnl_user_tmpl_set_daddr (sputmpl, addr);
+                        xfrmnl_user_tmpl_set_spi (sputmpl, ntohl(tmpl->id.spi));
+                        xfrmnl_user_tmpl_set_proto (sputmpl, tmpl->id.proto);
+                        xfrmnl_user_tmpl_set_family (sputmpl, tmpl->family);
+
+                        if (tmpl->family == AF_INET)
+                                addr = nl_addr_build(tmpl->family, &tmpl->saddr.a4, sizeof (tmpl->saddr.a4));
+                        else
+                                addr = nl_addr_build(tmpl->family, &tmpl->saddr.a6, sizeof (tmpl->saddr.a6));
+                        xfrmnl_user_tmpl_set_saddr (sputmpl, addr);
+
+                        xfrmnl_user_tmpl_set_reqid (sputmpl, tmpl->reqid);
+                        xfrmnl_user_tmpl_set_mode (sputmpl, tmpl->mode);
+                        xfrmnl_user_tmpl_set_share (sputmpl, tmpl->share);
+                        xfrmnl_user_tmpl_set_optional (sputmpl, tmpl->optional);
+                        xfrmnl_user_tmpl_set_aalgos (sputmpl, tmpl->aalgos);
+                        xfrmnl_user_tmpl_set_ealgos (sputmpl, tmpl->ealgos);
+                        xfrmnl_user_tmpl_set_calgos (sputmpl, tmpl->calgos);
+                        xfrmnl_sp_add_usertemplate (sp, sputmpl);
+
+                        sp->ce_mask     |=  XFRM_SP_ATTR_TMPL;
+                }
+        }
+
+        if (tb[XFRMA_MARK]) {
+                struct xfrm_mark* m =   nla_data(tb[XFRMA_MARK]);
+                sp->mark.m  =   m->m;
+                sp->mark.v  =   m->v;
+                sp->ce_mask |= XFRM_SP_ATTR_MARK;
+        }
+
+        *result = sp;
+        return 0;
+
+errout:
+        xfrmnl_sp_put(sp);
+        return err;
+}
+
+static int xfrm_sp_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
+                struct nlmsghdr *n, struct nl_parser_param *pp)
+{
+        struct xfrmnl_sp*   sp;
+        int                 err;
+
+        if ((err = xfrmnl_sp_parse(n, &sp)) < 0)
+        {
+                printf ("received error: %d \n", err);
+                return err;
+        }
+
+        err = pp->pp_cb((struct nl_object *) sp, pp);
+
+        xfrmnl_sp_put(sp);
+        return err;
+}
+
+/**
+ * @name XFRM SP Get
+ * @{
+ */
+
+int xfrmnl_sp_build_get_request(unsigned int index, unsigned int dir, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
+{
+        struct nl_msg               *msg;
+        struct xfrm_userpolicy_id   spid;
+        struct xfrm_mark            mark;
+
+        memset(&spid, 0, sizeof(spid));
+        spid.index          = index;
+        spid.dir            = dir;
+
+        if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETPOLICY, 0)))
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &spid, sizeof(spid), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if ((mark_m & mark_v) != 0)
+        {
+                memset(&mark, 0, sizeof(struct xfrm_mark));
+                mark.m = mark_m;
+                mark.v = mark_v;
+
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+int xfrmnl_sp_get_kernel(struct nl_sock* sock, unsigned int index, unsigned int dir, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sp** result)
+{
+        struct nl_msg       *msg = NULL;
+        struct nl_object    *obj;
+        int err;
+
+        if ((err = xfrmnl_sp_build_get_request(index, dir, mark_m, mark_v, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto(sock, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        if ((err = nl_pickup(sock, &xfrm_sp_msg_parser, &obj)) < 0)
+                return err;
+
+        /* We have used xfrm_sp_msg_parser(), object is definitely a xfrm ae */
+        *result = (struct xfrmnl_sp *) obj;
+
+        /* If an object has been returned, we also need to wait for the ACK */
+        if (err == 0 && obj)
+                nl_wait_for_ack(sock);
+
+        return 0;
+}
+
+/** @} */
+
+static int build_xfrm_sp_message(struct xfrmnl_sp *tmpl, int cmd, int flags, struct nl_msg **result)
+{
+        struct nl_msg*              msg;
+        struct xfrm_userpolicy_info sp_info;
+        uint32_t                    len;
+        struct nl_addr*             addr;
+
+        if (!(tmpl->ce_mask & XFRM_SP_ATTR_INDEX) ||
+                        !(tmpl->ce_mask & XFRM_SP_ATTR_DIR))
+                return -NLE_MISSING_ATTR;
+
+        memset ((void*)&sp_info, 0, sizeof (sp_info));
+        if (tmpl->ce_mask & XFRM_SP_ATTR_SEL)
+        {
+                addr = xfrmnl_sel_get_daddr (tmpl->sel);
+                memcpy ((void*)&sp_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
+                addr = xfrmnl_sel_get_saddr (tmpl->sel);
+                memcpy ((void*)&sp_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
+                sp_info.sel.dport       =   htons (xfrmnl_sel_get_dport (tmpl->sel));
+                sp_info.sel.dport_mask  =   htons (xfrmnl_sel_get_dportmask (tmpl->sel));
+                sp_info.sel.sport       =   htons (xfrmnl_sel_get_sport (tmpl->sel));
+                sp_info.sel.sport_mask  =   htons (xfrmnl_sel_get_sportmask (tmpl->sel));
+                sp_info.sel.family      =   xfrmnl_sel_get_family (tmpl->sel);
+                sp_info.sel.prefixlen_d =   xfrmnl_sel_get_prefixlen_d (tmpl->sel);
+                sp_info.sel.prefixlen_s =   xfrmnl_sel_get_prefixlen_s (tmpl->sel);
+                sp_info.sel.proto       =   xfrmnl_sel_get_proto (tmpl->sel);
+                sp_info.sel.ifindex     =   xfrmnl_sel_get_ifindex (tmpl->sel);
+                sp_info.sel.user        =   xfrmnl_sel_get_userid (tmpl->sel);
+        }
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_LTIME_CFG)
+        {
+                sp_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
+                sp_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
+                sp_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
+                sp_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
+                sp_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
+                sp_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
+                sp_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
+                sp_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
+        }
+
+        //Skip current lifetime: cur lifetime can be updated only via AE
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_PRIO)
+                sp_info.priority    = tmpl->priority;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_INDEX)
+                sp_info.index       = tmpl->index;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_DIR)
+                sp_info.dir         = tmpl->dir;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_ACTION)
+                sp_info.action      = tmpl->action;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_FLAGS)
+                sp_info.flags       = tmpl->flags;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_SHARE)
+                sp_info.share       = tmpl->share;
+
+        msg = nlmsg_alloc_simple(cmd, flags);
+        if (!msg)
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &sp_info, sizeof(sp_info), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_SECCTX) {
+                len = (sizeof (struct xfrm_user_sec_ctx)) + tmpl->sec_ctx->ctx_len;
+                NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
+        }
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_POLTYPE) {
+                len = sizeof (struct xfrm_userpolicy_type);
+                NLA_PUT (msg, XFRMA_POLICY_TYPE, len, &tmpl->uptype);
+        }
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_TMPL) {
+                struct nlattr*              tmpls;
+                struct xfrmnl_user_tmpl*    utmpl;
+                struct nl_addr*             addr;
+
+                if (!(tmpls = nla_nest_start(msg, XFRMA_TMPL)))
+                        goto nla_put_failure;
+
+                nl_list_for_each_entry(utmpl, &tmpl->usertmpl_list, utmpl_list) {
+                        struct xfrm_user_tmpl*  tmpl;
+
+                        tmpl = nlmsg_reserve(msg, sizeof(*tmpl), NLMSG_ALIGNTO);
+                        if (!tmpl)
+                                goto nla_put_failure;
+                        addr = xfrmnl_user_tmpl_get_daddr (utmpl);
+                        memcpy ((void *)&tmpl->id.daddr, nl_addr_get_binary_addr (addr),
+                                        nl_addr_get_len (addr));
+                        tmpl->id.spi    =   htonl(xfrmnl_user_tmpl_get_spi (utmpl));
+                        tmpl->id.proto  =   xfrmnl_user_tmpl_get_proto (utmpl);
+                        tmpl->family    =   xfrmnl_user_tmpl_get_family (utmpl);
+                        addr = xfrmnl_user_tmpl_get_saddr (utmpl);
+                        memcpy ((void *)&tmpl->saddr, nl_addr_get_binary_addr (addr),
+                                        nl_addr_get_len (addr));
+                        tmpl->reqid     =   xfrmnl_user_tmpl_get_reqid (utmpl);
+                        tmpl->mode      =   xfrmnl_user_tmpl_get_mode (utmpl);
+                        tmpl->share     =   xfrmnl_user_tmpl_get_share (utmpl);
+                        tmpl->optional  =   xfrmnl_user_tmpl_get_optional (utmpl);
+                        tmpl->aalgos    =   xfrmnl_user_tmpl_get_aalgos (utmpl);
+                        tmpl->ealgos    =   xfrmnl_user_tmpl_get_ealgos (utmpl);
+                        tmpl->calgos    =   xfrmnl_user_tmpl_get_calgos (utmpl);
+                }
+                nla_nest_end(msg, tmpls);
+        }
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_MARK) {
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+/**
+ * @name XFRM SP Add
+ * @{
+ */
+
+int xfrmnl_sp_build_add_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sp_message (tmpl, XFRM_MSG_NEWPOLICY, flags, result);
+}
+
+int xfrmnl_sp_add(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sp_build_add_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/**
+ * @name XFRM SP Update
+ * @{
+ */
+
+int xfrmnl_sp_build_update_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sp_message (tmpl, XFRM_MSG_UPDPOLICY, flags, result);
+}
+
+int xfrmnl_sp_update(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sp_build_update_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/** @} */
+
+static int build_xfrm_sp_delete_message(struct xfrmnl_sp *tmpl, int cmd, int flags, struct nl_msg **result)
+{
+        struct nl_msg*              msg;
+        struct xfrm_userpolicy_id   spid;
+
+        if (!(tmpl->ce_mask & XFRM_SP_ATTR_INDEX) ||
+                        !(tmpl->ce_mask & XFRM_SP_ATTR_DIR))
+                return -NLE_MISSING_ATTR;
+
+        memset(&spid, 0, sizeof(spid));
+        spid.index          = tmpl->index;
+        spid.dir            = tmpl->dir;
+
+        msg = nlmsg_alloc_simple(cmd, flags);
+        if (!msg)
+                return -NLE_NOMEM;
+
+        if (nlmsg_append(msg, &spid, sizeof(spid), NLMSG_ALIGNTO) < 0)
+                goto nla_put_failure;
+
+        if (tmpl->ce_mask & XFRM_SP_ATTR_MARK) {
+                NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
+        }
+
+        *result = msg;
+        return 0;
+
+nla_put_failure:
+        nlmsg_free(msg);
+        return -NLE_MSGSIZE;
+}
+
+/**
+ * @name XFRM SA Delete
+ * @{
+ */
+
+int xfrmnl_sp_build_delete_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
+{
+        return build_xfrm_sp_delete_message (tmpl, XFRM_MSG_DELPOLICY, flags, result);
+}
+
+int xfrmnl_sp_delete(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
+{
+        int             err;
+        struct nl_msg   *msg;
+
+        if ((err = xfrmnl_sp_build_delete_request(tmpl, flags, &msg)) < 0)
+                return err;
+
+        err = nl_send_auto_complete(sk, msg);
+        nlmsg_free(msg);
+        if (err < 0)
+                return err;
+
+        return nl_wait_for_ack(sk);
+}
+
+/** @} */
+
+
+/**
+ * @name Attributes
+ * @{
+ */
+
+struct xfrmnl_sel* xfrmnl_sp_get_sel (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_SEL)
+                return sp->sel;
+        else
+                return NULL;
+}
+
+int xfrmnl_sp_set_sel (struct xfrmnl_sp* sp, struct xfrmnl_sel* sel)
+{
+        /* Release any previously held selector object from the SP */
+        if (sp->sel)
+                xfrmnl_sel_put (sp->sel);
+
+        /* Increment ref count on new selector and save it in the SP */
+        xfrmnl_sel_get (sel);
+        sp->sel     =   sel;
+        sp->ce_mask |=  XFRM_SP_ATTR_SEL;
+
+        return 0;
+}
+
+struct xfrmnl_ltime_cfg* xfrmnl_sp_get_lifetime_cfg (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_LTIME_CFG)
+                return sp->lft;
+        else
+                return NULL;
+}
+
+int xfrmnl_sp_set_lifetime_cfg (struct xfrmnl_sp* sp, struct xfrmnl_ltime_cfg* ltime)
+{
+        /* Release any previously held lifetime cfg object from the SP */
+        if (sp->lft)
+                xfrmnl_ltime_cfg_put (sp->lft);
+
+        /* Increment ref count on new lifetime object and save it in the SP */
+        xfrmnl_ltime_cfg_get (ltime);
+        sp->lft     =   ltime;
+        sp->ce_mask |=  XFRM_SP_ATTR_LTIME_CFG;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_curlifetime (struct xfrmnl_sp* sa, unsigned long long int* curr_bytes,
+                unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
+{
+        if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
+                return -1;
+
+        *curr_bytes     =   sa->curlft.bytes;
+        *curr_packets   =   sa->curlft.packets;
+        *curr_add_time  =   sa->curlft.add_time;
+        *curr_use_time  =   sa->curlft.use_time;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_priority (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_PRIO)
+                return sp->priority;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_priority (struct xfrmnl_sp* sp, unsigned int prio)
+{
+        sp->priority    = prio;
+        sp->ce_mask     |= XFRM_SP_ATTR_PRIO;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_index (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_INDEX)
+                return sp->index;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_index (struct xfrmnl_sp* sp, unsigned int index)
+{
+        sp->index       = index;
+        sp->ce_mask     |= XFRM_SP_ATTR_INDEX;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_dir (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_DIR)
+                return sp->dir;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_dir (struct xfrmnl_sp* sp, unsigned int dir)
+{
+        sp->dir         = dir;
+        sp->ce_mask     |= XFRM_SP_ATTR_DIR;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_action (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_ACTION)
+                return sp->action;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_action (struct xfrmnl_sp* sp, unsigned int action)
+{
+        sp->action      = action;
+        sp->ce_mask     |= XFRM_SP_ATTR_ACTION;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_flags (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_FLAGS)
+                return sp->flags;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_flags (struct xfrmnl_sp* sp, unsigned int flags)
+{
+        sp->flags       = flags;
+        sp->ce_mask     |= XFRM_SP_ATTR_FLAGS;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_share (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_SHARE)
+                return sp->share;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_share (struct xfrmnl_sp* sp, unsigned int share)
+{
+        sp->share       = share;
+        sp->ce_mask     |= XFRM_SP_ATTR_SHARE;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_sec_ctx (struct xfrmnl_sp* sp, unsigned int* len, unsigned int* exttype, unsigned int* alg, unsigned int* doi, unsigned int* ctx_len, char* ctx_str)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_SECCTX)
+        {
+                *len    =   sp->sec_ctx->len;
+                *exttype=   sp->sec_ctx->exttype;
+                *alg    =   sp->sec_ctx->ctx_alg;
+                *doi    =   sp->sec_ctx->ctx_doi;
+                *ctx_len=   sp->sec_ctx->ctx_len;
+                memcpy ((void *)ctx_str, (void *)sp->sec_ctx->ctx, sizeof (uint8_t) * sp->sec_ctx->ctx_len);
+        }
+        else
+                return -1;
+
+        return 0;
+}
+
+int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len, unsigned int exttype, unsigned int alg, unsigned int doi, unsigned int ctx_len, char* ctx_str)
+{
+        /* Free up the old context string and allocate new one */
+        if (sp->sec_ctx)
+                free (sp->sec_ctx);
+        if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + (sizeof (uint8_t) * ctx_len))) == NULL)
+                return -1;
+
+        /* Save the new info */
+        sp->sec_ctx->len        =   len;
+        sp->sec_ctx->exttype    =   exttype;
+        sp->sec_ctx->ctx_alg    =   alg;
+        sp->sec_ctx->ctx_doi    =   doi;
+        sp->sec_ctx->ctx_len    =   len;
+        memcpy ((void *)sp->sec_ctx->ctx, (void *)ctx_str, sizeof (uint8_t) * ctx_len);
+
+        sp->ce_mask |= XFRM_SP_ATTR_SECCTX;
+
+        return 0;
+}
+
+int xfrmnl_sp_get_userpolicy_type (struct xfrmnl_sp* sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_POLTYPE)
+                return sp->uptype.type;
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_userpolicy_type (struct xfrmnl_sp* sp, unsigned int type)
+{
+        sp->uptype.type = type;
+        sp->ce_mask     |= XFRM_SP_ATTR_POLTYPE;
+
+        return 0;
+}
+
+void xfrmnl_sp_add_usertemplate(struct xfrmnl_sp *sp, struct xfrmnl_user_tmpl *utmpl)
+{
+        nl_list_add_tail(&utmpl->utmpl_list, &sp->usertmpl_list);
+        sp->nr_user_tmpl++;
+        sp->ce_mask |= XFRM_SP_ATTR_TMPL;
+}
+
+void xfrmnl_sp_remove_usertemplate(struct xfrmnl_sp *sp, struct xfrmnl_user_tmpl *utmpl)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_TMPL) {
+                sp->nr_user_tmpl--;
+                nl_list_del(&utmpl->utmpl_list);
+        }
+}
+
+struct nl_list_head *xfrmnl_sp_get_usertemplates(struct xfrmnl_sp *sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
+                return &sp->usertmpl_list;
+
+        return NULL;
+}
+
+int xfrmnl_sp_get_nusertemplates(struct xfrmnl_sp *sp)
+{
+        if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
+                return sp->nr_user_tmpl;
+
+        return 0;
+}
+
+void xfrmnl_sp_foreach_usertemplate(struct xfrmnl_sp *r,
+                void (*cb)(struct xfrmnl_user_tmpl *, void *),
+                void *arg)
+{
+        struct xfrmnl_user_tmpl *utmpl;
+
+        if (r->ce_mask & XFRM_SP_ATTR_TMPL) {
+                nl_list_for_each_entry(utmpl, &r->usertmpl_list, utmpl_list) {
+                        cb(utmpl, arg);
+                }
+        }
+}
+
+struct xfrmnl_user_tmpl *xfrmnl_sp_usertemplate_n(struct xfrmnl_sp *r, int n)
+{
+        struct xfrmnl_user_tmpl *utmpl;
+        uint32_t i;
+
+        if (r->ce_mask & XFRM_SP_ATTR_TMPL && r->nr_user_tmpl > n) {
+                i = 0;
+                nl_list_for_each_entry(utmpl, &r->usertmpl_list, utmpl_list) {
+                        if (i == n) return utmpl;
+                        i++;
+                }
+        }
+        return NULL;
+}
+
+int xfrmnl_sp_get_mark (struct xfrmnl_sp* sp, unsigned int* mark_mask, unsigned int* mark_value)
+{
+        if (mark_mask == NULL || mark_value == NULL)
+                return -1;
+
+        if (sp->ce_mask & XFRM_SP_ATTR_MARK)
+        {
+                *mark_mask  =   sp->mark.m;
+                *mark_value  =   sp->mark.v;
+
+                return 0;
+        }
+        else
+                return -1;
+}
+
+int xfrmnl_sp_set_mark (struct xfrmnl_sp* sp, unsigned int value, unsigned int mask)
+{
+        sp->mark.v  = value;
+        sp->mark.m  = mask;
+        sp->ce_mask |= XFRM_SP_ATTR_MARK;
+
+        return 0;
+}
+
+static inline int __assign_addr(struct xfrmnl_sp* sp, struct nl_addr **pos,
+                struct nl_addr *new, int flag)
+{
+        if (*pos)
+                nl_addr_put(*pos);
+
+        nl_addr_get(new);
+        *pos = new;
+
+        sp->ce_mask |= flag;
+
+        return 0;
+}
+
+
+/** @} */
+
+static struct nl_object_ops xfrm_sp_obj_ops = {
+        .oo_name                =       "xfrm/sp",
+        .oo_size        =       sizeof(struct xfrmnl_sp),
+        .oo_constructor         =       xfrm_sp_alloc_data,
+        .oo_free_data           =       xfrm_sp_free_data,
+        .oo_clone       =       xfrm_sp_clone,
+        .oo_dump                =       {
+                [NL_DUMP_LINE]          =   xfrm_sp_dump_line,
+                [NL_DUMP_DETAILS]   =   xfrm_sp_dump_details,
+                [NL_DUMP_STATS]         =   xfrm_sp_dump_stats,
+        },
+        .oo_compare     =       xfrm_sp_compare,
+        .oo_attrs2str           =       xfrm_sp_attrs2str,
+        .oo_id_attrs            =       (XFRM_SP_ATTR_SEL | XFRM_SP_ATTR_INDEX | XFRM_SP_ATTR_DIR),
+};
+
+static struct nl_af_group xfrm_sp_groups[] = {
+        { AF_UNSPEC, XFRMNLGRP_POLICY },
+        { END_OF_GROUP_LIST },
+};
+
+static struct nl_cache_ops xfrmnl_sp_ops = {
+        .co_name        =       "xfrm/sp",
+        .co_hdrsize     =       sizeof(struct xfrm_userpolicy_info),
+        .co_msgtypes            = {
+                { XFRM_MSG_NEWPOLICY, NL_ACT_NEW, "new" },
+                { XFRM_MSG_DELPOLICY, NL_ACT_DEL, "del" },
+                { XFRM_MSG_GETPOLICY, NL_ACT_GET, "get" },
+                { XFRM_MSG_UPDPOLICY, NL_ACT_NEW, "update" },
+                END_OF_MSGTYPES_LIST,
+        },
+        .co_protocol            =       NETLINK_XFRM,
+        .co_groups      =       xfrm_sp_groups,
+        .co_request_update  =       xfrm_sp_request_update,
+        .co_msg_parser      =       xfrm_sp_msg_parser,
+        .co_obj_ops     =       &xfrm_sp_obj_ops,
+};
+
+/**
+ * @name XFRM SA Cache Managament
+ * @{
+ */
+
+static void __attribute__ ((constructor)) xfrm_sp_init(void)
+{
+        nl_cache_mngt_register(&xfrmnl_sp_ops);
+}
+
+static void __attribute__ ((destructor)) xfrm_sp_exit(void)
+{
+        nl_cache_mngt_unregister(&xfrmnl_sp_ops);
+}
+
+/** @} */
diff --git a/lib/xfrm/template.c b/lib/xfrm/template.c
new file mode 100644 (file)
index 0000000..fec621f
--- /dev/null
@@ -0,0 +1,338 @@
+/*
+ * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
+ *
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *
+ *    Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ *    Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the
+ *    distribution.
+ *
+ *    Neither the name of Texas Instruments Incorporated nor the names of
+ *    its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *  LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *  A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *  OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * @ingroup xfrmnl
+ * @defgroup XFRM User Template Object
+ *
+ * Abstract data type representing XFRM SA properties
+ *
+ * @{
+ *
+ * Header
+ * ------
+ * ~~~~{.c}
+ * #include <netlink/xfrm/template.h>
+ * ~~~~
+ */
+
+#include <netlink-private/netlink.h>
+
+void xfrmnl_user_tmpl_free(struct xfrmnl_user_tmpl* utmpl)
+{
+        if (!utmpl)
+                return;
+
+        nl_addr_put (utmpl->id.daddr);
+        nl_addr_put (utmpl->saddr);
+        free(utmpl);
+}
+
+/**
+ * @name Creating User Template Object
+ * @{
+ */
+
+/**
+ * Allocate new user template object.
+ * @return Newly allocated user template object or NULL
+ */
+struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_alloc()
+{
+        struct xfrmnl_user_tmpl* utmpl;
+
+        utmpl = calloc(1, sizeof(struct xfrmnl_user_tmpl));
+        if (!utmpl)
+                return NULL;
+
+        nl_init_list_head(&utmpl->utmpl_list);
+
+        return utmpl;
+}
+
+/**
+ * Clone existing user template object.
+ * @arg utmpl       Selector object.
+ * @return Newly allocated user template object being a duplicate of the
+ *         specified user template object or NULL if a failure occured.
+ */
+struct xfrmnl_user_tmpl* xfrmnl_user_tmpl_clone(struct xfrmnl_user_tmpl* utmpl)
+{
+        struct xfrmnl_user_tmpl* new;
+
+        new = xfrmnl_user_tmpl_alloc();
+        if (new)
+                memcpy ((void*)new, (void*)utmpl, sizeof (struct xfrmnl_user_tmpl));
+
+        new->id.daddr = nl_addr_clone (utmpl->id.daddr);
+        new->saddr    = nl_addr_clone (utmpl->saddr);
+
+        return new;
+}
+
+/** @} */
+
+/**
+ * @name XFRM Template Mode Translations
+ * @{
+ */
+static const struct trans_tbl tmpl_modes[] = {
+        __ADD(XFRM_MODE_TRANSPORT, transport)
+        __ADD(XFRM_MODE_TUNNEL, tunnel)
+        __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization)
+        __ADD(XFRM_MODE_IN_TRIGGER, in trigger)
+        __ADD(XFRM_MODE_BEET, beet)
+};
+
+char* xfrmnl_user_tmpl_mode2str(int mode, char *buf, size_t len)
+{
+        return __type2str (mode, buf, len, tmpl_modes, ARRAY_SIZE(tmpl_modes));
+}
+
+int xfrmnl_user_tmpl_str2mode(const char *name)
+{
+        return __str2type (name, tmpl_modes, ARRAY_SIZE(tmpl_modes));
+}
+/** @} */
+
+/**
+ * @name Miscellaneous
+ * @{
+ */
+
+/**
+ * Compares two user template objects.
+ * @arg a       A user template object.
+ * @arg b       Another user template object.
+ *
+ * @return Non zero if difference is found, 0 otherwise if both
+ * the objects are identical.
+ */
+int xfrmnl_user_tmpl_cmp(struct xfrmnl_user_tmpl* a, struct xfrmnl_user_tmpl* b)
+{
+        /* Check for any differences */
+        if ((nl_addr_cmp_prefix (a->id.daddr, b->id.daddr) != 0) ||
+            (a->id.spi != b->id.spi) ||
+            (a->id.proto && (a->id.proto != b->id.proto)) ||
+            (nl_addr_cmp_prefix (a->saddr, b->saddr) != 0) ||
+            (a->family != b->family) ||
+            (a->reqid != b->reqid) ||
+            (a->mode != b->mode) ||
+            (a->share != b->share) ||
+            (a->aalgos != b->aalgos) ||
+            (a->ealgos != b->ealgos) ||
+            (a->calgos != b->calgos))
+                return 1;
+
+        /* The objects are identical */
+        return 0;
+}
+
+void xfrmnl_user_tmpl_dump(struct xfrmnl_user_tmpl* tmpl, struct nl_dump_params *p)
+{
+        char    dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
+        char    buf [128];
+
+        nl_dump_line(p, "\t\tsrc %s dst %s family: %s \n",
+                        nl_addr2str(tmpl->saddr, src, sizeof(src)),
+                        nl_addr2str (tmpl->id.daddr, dst, sizeof (dst)),
+                        nl_af2str (tmpl->family, buf, 128));
+        nl_dump_line (p, "\t\tprotocol: %s spi: 0x%x reqid: %u mode: %s\n",
+                        nl_ip_proto2str (tmpl->id.proto, buf, sizeof(buf)),
+                        tmpl->id.spi, tmpl->reqid,
+                        xfrmnl_user_tmpl_mode2str (tmpl->mode, buf, 128));
+        nl_dump_line (p, "\t\tAuth Algo: 0x%x Crypto Algo: 0x%x Compr Algo: 0x%x\n",
+                        tmpl->aalgos, tmpl->ealgos, tmpl->calgos);
+
+        return;
+}
+
+/** @} */
+
+/**
+ * @name Attributes
+ * @{
+ */
+struct nl_addr* xfrmnl_user_tmpl_get_daddr (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->id.daddr;
+}
+
+int xfrmnl_user_tmpl_set_daddr (struct xfrmnl_user_tmpl* utmpl, struct nl_addr* addr)
+{
+        /* Increment reference counter on this to keep this address
+         * object around while user template in use */
+        nl_addr_get(addr);
+
+        utmpl->id.daddr = addr;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_spi (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->id.spi;
+}
+
+int xfrmnl_user_tmpl_set_spi (struct xfrmnl_user_tmpl* utmpl, unsigned int spi)
+{
+        utmpl->id.spi = spi;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_proto (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->id.proto;
+}
+
+int xfrmnl_user_tmpl_set_proto (struct xfrmnl_user_tmpl* utmpl, unsigned int protocol)
+{
+        utmpl->id.proto = protocol;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_family(struct xfrmnl_user_tmpl *utmpl)
+{
+        return utmpl->family;
+}
+
+int xfrmnl_user_tmpl_set_family(struct xfrmnl_user_tmpl *utmpl, int family)
+{
+        utmpl->family = family;
+
+        return 0;
+}
+
+struct nl_addr* xfrmnl_user_tmpl_get_saddr (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->saddr;
+}
+
+int xfrmnl_user_tmpl_set_saddr (struct xfrmnl_user_tmpl* utmpl, struct nl_addr* addr)
+{
+        /* Increment reference counter on this to keep this address
+         * object around while user template in use */
+        nl_addr_get(addr);
+
+        utmpl->saddr = addr;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_reqid (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->reqid;
+}
+
+int xfrmnl_user_tmpl_set_reqid (struct xfrmnl_user_tmpl* utmpl, unsigned int reqid)
+{
+        utmpl->reqid = reqid;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_mode (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->mode;
+}
+
+int xfrmnl_user_tmpl_set_mode (struct xfrmnl_user_tmpl* utmpl, unsigned int mode)
+{
+        utmpl->mode = mode;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_share (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->share;
+}
+
+int xfrmnl_user_tmpl_set_share (struct xfrmnl_user_tmpl* utmpl, unsigned int share)
+{
+        utmpl->share = share;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_optional (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->optional;
+}
+
+int xfrmnl_user_tmpl_set_optional (struct xfrmnl_user_tmpl* utmpl, unsigned int optional)
+{
+        utmpl->optional = optional;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_aalgos (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->aalgos;
+}
+
+int xfrmnl_user_tmpl_set_aalgos (struct xfrmnl_user_tmpl* utmpl, unsigned int aalgos)
+{
+        utmpl->aalgos = aalgos;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_ealgos (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->ealgos;
+}
+
+int xfrmnl_user_tmpl_set_ealgos (struct xfrmnl_user_tmpl* utmpl, unsigned int ealgos)
+{
+        utmpl->ealgos = ealgos;
+
+        return 0;
+}
+
+int xfrmnl_user_tmpl_get_calgos (struct xfrmnl_user_tmpl* utmpl)
+{
+        return utmpl->calgos;
+}
+
+int xfrmnl_user_tmpl_set_calgos (struct xfrmnl_user_tmpl* utmpl, unsigned int calgos)
+{
+        utmpl->calgos = calgos;
+
+        return 0;
+}
+
+/** @} */
diff --git a/libnl-xfrm-3.0.pc.in b/libnl-xfrm-3.0.pc.in
new file mode 100644 (file)
index 0000000..48ffb70
--- /dev/null
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libnl-xfrm
+Description: Netlink Routing Family Library
+Version: @PACKAGE_VERSION@
+Requires: libnl-3.0
+Libs: -L${libdir} -lnl-xfrm-@MAJ_VERSION@
+Cflags: -I${includedir}/libnl@MAJ_VERSION@