# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# AF_NETLINK/NETLINK_XFRM support.
include <linux/net.h>
include <uapi/linux/netlink.h>
include <uapi/linux/in.h>
include <uapi/linux/xfrm.h>
include <uapi/linux/ipsec.h>
# sock_nl_xfrm is the fd resource for an AF_NETLINK/NETLINK_XFRM socket. It derives
# from sock_netlink, so it is accepted wherever a generic netlink socket is.
# NOTE(review): the kernel is expected to gate xfrm configuration requests on
# CAP_NET_ADMIN; where unprivileged user namespaces are enabled that capability is
# obtainable without root, so this interface is attack surface there — confirm for
# the kernels being fuzzed.
resource sock_nl_xfrm[sock_netlink]
# Identifier types are confined to very small value ranges, presumably so that
# independently generated messages name the same SA/policy objects instead of
# nearly always missing each other. [opt] presumably also permits 0 — TODO confirm.
type xfrm_req_id int32[13567:13575, opt]
type xfrm_policy_index int32[7236528:7236544, opt]
# SPI is encoded big-endian (int32be) and has no [opt] alternative.
type xfrm_spi int32be[1234:1238]
# Creates the raw NETLINK_XFRM socket and yields the sock_nl_xfrm resource.
socket$nl_xfrm(domain const[AF_NETLINK], type const[SOCK_RAW], proto const[NETLINK_XFRM]) sock_nl_xfrm
# Sends one message described by netlink_msg_xfrm on that socket.
sendmsg$nl_xfrm(fd sock_nl_xfrm, msg ptr[in, msghdr_nl_xfrm], f flags[send_flags])
# msghdr whose data is a netlink_msg_xfrm (msghdr_netlink is defined elsewhere).
type msghdr_nl_xfrm msghdr_netlink[netlink_msg_xfrm]
# Template for one xfrm message: netlink type TYPE, fixed header PAYLOAD, and
# xfrm_attrs passed as the third template argument (presumably the trailing
# attribute list; netlink_msg is defined elsewhere — verify there).
type xfrm_msg[TYPE, PAYLOAD] netlink_msg[TYPE, PAYLOAD, xfrm_attrs]
# Union of the xfrm netlink requests the fuzzer can send: one variant per
# XFRM_MSG_* type, each pairing the message type with its fixed-size header.
# All variants share the same attribute union (xfrm_attrs) through xfrm_msg, so
# attributes are not narrowed per message type; unexpected type/attribute
# combinations are generated on purpose-or-by-default and exercise the kernel's
# per-message attribute validation.
# [varlen]: the encoded size follows the chosen variant.
netlink_msg_xfrm [
newsa xfrm_msg[XFRM_MSG_NEWSA, xfrm_usersa_info]
updsa xfrm_msg[XFRM_MSG_UPDSA, xfrm_usersa_info]
delsa xfrm_msg[XFRM_MSG_DELSA, xfrm_usersa_id]
getsa xfrm_msg[XFRM_MSG_GETSA, xfrm_usersa_id]
newpolicy xfrm_msg[XFRM_MSG_NEWPOLICY, xfrm_userpolicy_info]
updpolicy xfrm_msg[XFRM_MSG_UPDPOLICY, xfrm_userpolicy_info]
delpolicy xfrm_msg[XFRM_MSG_DELPOLICY, xfrm_userpolicy_id]
getpolicy xfrm_msg[XFRM_MSG_GETPOLICY, xfrm_userpolicy_id]
migrate xfrm_msg[XFRM_MSG_MIGRATE, xfrm_userpolicy_id]
allocspi xfrm_msg[XFRM_MSG_ALLOCSPI, xfrm_userspi_info]
acquire xfrm_msg[XFRM_MSG_ACQUIRE, xfrm_user_acquire]
expire xfrm_msg[XFRM_MSG_EXPIRE, xfrm_user_expire]
polexpire xfrm_msg[XFRM_MSG_POLEXPIRE, xfrm_user_polexpire]
flushsa xfrm_msg[XFRM_MSG_FLUSHSA, xfrm_usersa_flush]
report xfrm_msg[XFRM_MSG_REPORT, xfrm_user_report]
# FLUSHPOLICY carries no fixed header, only attributes.
flushpolicy xfrm_msg[XFRM_MSG_FLUSHPOLICY, void]
newae xfrm_msg[XFRM_MSG_NEWAE, xfrm_aevent_id]
getae xfrm_msg[XFRM_MSG_GETAE, xfrm_aevent_id]
# GETSADINFO pins its 32-bit header to 0; the two SPDINFO variants leave it
# unconstrained.
getsadinfo xfrm_msg[XFRM_MSG_GETSADINFO, const[0, int32]]
newspdinfo xfrm_msg[XFRM_MSG_NEWSPDINFO, int32]
getspdinfo xfrm_msg[XFRM_MSG_GETSPDINFO, int32]
] [varlen]
# Full description of one security association. Used as the fixed header of
# NEWSA/UPDSA, nested in xfrm_userspi_info and xfrm_user_expire, and as the
# XFRMA_SA attribute payload.
xfrm_usersa_info {
sel xfrm_selector
id xfrm_id
saddr xfrm_address
lft xfrm_lifetime_cfg
# curlft and stats are sender-supplied here and fully unconstrained.
curlft xfrm_lifetime_cur
stats xfrm_stats
seq netlink_seq
reqid xfrm_req_id
# family is chosen independently of the address union variants in sel/id/saddr,
# so family/address mismatches are generated.
family flags[xfrm_family, int16]
mode flags[xfrm_mode, int8]
# Unconstrained 8-bit replay window.
replay_window int8
flags flags[xfrm_state, int8]
}
# Lookup key for an existing SA (DELSA/GETSA header, also nested in
# xfrm_aevent_id): destination address, SPI, family and protocol.
xfrm_usersa_id {
daddr xfrm_address
spi xfrm_spi
family flags[xfrm_family, int16]
proto flags[xfrm_proto, int8]
}
# Lookup key for an existing policy (DELPOLICY/GETPOLICY/MIGRATE header):
# selector, policy index and direction.
xfrm_userpolicy_id {
sel xfrm_selector
index xfrm_policy_index
dir flags[xfrm_policy_dir, int8]
}
# ALLOCSPI header: an SA description plus the requested SPI range.
# min and max are independent, unconstrained int32 values, so min > max and
# out-of-range bounds are generated.
xfrm_userspi_info {
info xfrm_usersa_info
min int32
max int32
}
# ACQUIRE header: SA id, source address, selector and a full policy, followed by
# three unconstrained 32-bit algorithm fields and a sequence number.
xfrm_user_acquire {
id xfrm_id
saddr xfrm_address
sel xfrm_selector
policy xfrm_userpolicy_info
aalgos int32
ealgos int32
calgo int32
seq netlink_seq
}
# EXPIRE header: the SA being expired plus an unconstrained 8-bit "hard" field.
xfrm_user_expire {
state xfrm_usersa_info
hard int8
}
# POLEXPIRE header: the policy being expired plus an unconstrained 8-bit "hard" field.
xfrm_user_polexpire {
pol xfrm_userpolicy_info
hard int8
}
# FLUSHSA header: only the protocol whose SAs are targeted.
xfrm_usersa_flush {
proto flags[xfrm_proto, int8]
}
# REPORT header: protocol and selector.
xfrm_user_report {
proto flags[xfrm_proto, int8]
sel xfrm_selector
}
# NEWAE/GETAE header: identifies an SA (sa_id, saddr, reqid); flags is an
# unconstrained int32.
xfrm_aevent_id {
sa_id xfrm_usersa_id
saddr xfrm_address
flags int32
reqid xfrm_req_id
}
# Union of the XFRMA_* netlink attributes that can accompany an xfrm message.
# It is the attribute type handed to every xfrm_msg instantiation, so any
# attribute can be attached to any message type.
# [varlen]: each attribute is encoded at its own size.
xfrm_attrs [
sa nlattr[XFRMA_SA, xfrm_usersa_info]
policy nlattr[XFRMA_POLICY, xfrm_userpolicy_info]
lastused nlattr[XFRMA_LASTUSED, int64]
# Algorithm attributes: name, key length and key bytes (see xfrm_algo_*).
algo_auth_trunc nlattr[XFRMA_ALG_AUTH_TRUNC, xfrm_algo_auth]
algo_aead nlattr[XFRMA_ALG_AEAD, xfrm_algo_aead]
algo_auth nlattr[XFRMA_ALG_AUTH, xfrm_algo_hash]
algo_crypt nlattr[XFRMA_ALG_CRYPT, xfrm_algo_blkcipher]
algo_comp nlattr[XFRMA_ALG_COMP, xfrm_algo_compress]
srcaddr nlattr[XFRMA_SRCADDR, xfrm_address]
coaddr nlattr[XFRMA_COADDR, xfrm_address]
# Plain 32-bit attributes, all unconstrained.
extra_flags nlattr[XFRMA_SA_EXTRA_FLAGS, int32]
tfcpad nlattr[XFRMA_TFCPAD, int32]
replay_thresh nlattr[XFRMA_REPLAY_THRESH, int32]
etimer_thresh nlattr[XFRMA_ETIMER_THRESH, int32]
output_mark nlattr[XFRMA_OUTPUT_MARK, int32]
encap nlattr[XFRMA_ENCAP, xfrm_encap_tmpl]
offload nlattr[XFRMA_OFFLOAD_DEV, xfrm_user_offload]
sec_ctx nlattr[XFRMA_SEC_CTX, xfrm_user_sec_ctx]
lifetime_val nlattr[XFRMA_LTIME_VAL, xfrm_lifetime_cur]
# Variable-length array of templates in a single attribute.
tmpl nlattr[XFRMA_TMPL, array[xfrm_user_tmpl]]
replay_val nlattr[XFRMA_REPLAY_VAL, xfrm_replay_state]
replay_esn_val nlattr[XFRMA_REPLAY_ESN_VAL, xfrm_replay_state_esn]
policy_type nlattr[XFRMA_POLICY_TYPE, xfrm_userpolicy_type]
# Variable-length array of migrate entries in a single attribute.
migrate nlattr[XFRMA_MIGRATE, array[xfrm_user_migrate]]
user_kmaddress nlattr[XFRMA_KMADDRESS, xfrm_user_kmaddress]
mark nlattr[XFRMA_MARK, xfrm_mark]
proto nlattr[XFRMA_PROTO, flags[xfrm_proto, int8]]
address_filter nlattr[XFRMA_ADDRESS_FILTER, xfrm_address_filter]
ipv4_hthresh nlattr[XFRMA_SPD_IPV4_HTHRESH, xfrmu_spdhthresh4]
ipv6_hthresh nlattr[XFRMA_SPD_IPV6_HTHRESH, xfrmu_spdhthresh6]
] [varlen]
# XFRMA_ENCAP payload: encapsulation type, source/destination ports and an address.
xfrm_encap_tmpl {
# Values come from xfrm_encap_type, a literal set that includes negative numbers.
encap_type flags[xfrm_encap_type, int16]
encap_sport sock_port
encap_dport sock_port
encap_oa xfrm_address
}
# XFRMA_OFFLOAD_DEV payload: target interface (may be absent/0 via [opt]) and
# offload flags.
xfrm_user_offload {
ifindex ifindex[opt]
flags flags[xfrm_offload_flags, int8]
}
xfrm_offload_flags = XFRM_OFFLOAD_IPV6, XFRM_OFFLOAD_INBOUND
# XFRMA_SEC_CTX payload: a small header followed by a variable-length context.
# Two length fields are emitted: len covers the whole structure (len[parent]),
# ctx_len covers only the trailing payload. Both are derived from the generated
# data, so they are consistent unless the fuzzer mutates them.
xfrm_user_sec_ctx {
len len[parent, int16]
# Always the attribute type itself.
exttype const[XFRMA_SEC_CTX, int16]
ctx_alg flags[xfrm_sec_ctx_alg, int8]
# Unconstrained 8-bit DOI.
ctx_doi int8
ctx_len len[payload, int16]
# TODO: what's this? Looks interesting.
# NOTE(review): presumably the security-context label bytes consumed by the LSM
# selected by ctx_alg (only SELinux is listed); described as an unstructured
# byte array of arbitrary length — confirm and consider a structured type.
payload array[int8]
}
xfrm_sec_ctx_alg = XFRM_SC_ALG_SELINUX
# XFRMA_REPLAY_VAL payload: outbound/inbound sequence numbers and a 32-bit bitmap.
xfrm_replay_state {
oseq netlink_seq
seq netlink_seq
bitmap int32
}
# XFRMA_REPLAY_ESN_VAL payload (extended sequence numbers) with a trailing
# variable-length bitmap.
xfrm_replay_state_esn {
# Element count of bmp (len over an array of int32), not a byte count.
bmp_len len[bmp, int32]
oseq netlink_seq
seq netlink_seq
oseq_hi netlink_seq
seq_hi netlink_seq
# Unconstrained and independent of bmp_len, so windows larger than the bitmap
# supplied are generated; the kernel has to reject those when it validates the
# attribute.
replay_window int32
bmp array[int32]
}
# XFRMA_POLICY_TYPE payload: policy type plus two reserved fields that are
# always emitted as 0.
xfrm_userpolicy_type {
type flags[xfrm_policy_types, int8]
reserved1 const[0, int16]
reserved2 const[0, int8]
}
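# One entry of the XFRMA_MIGRATE attribute: the old and new endpoint pair of an
# SA being migrated, followed by protocol, mode, reqid and the two families.
#
# The kernel's struct xfrm_user_migrate (uapi/linux/xfrm.h) carries four
# addresses in this order: old_daddr, old_saddr, new_daddr, new_saddr. The
# previous description listed only old_daddr and new_saddr, which made every
# entry two xfrm_address shorter than the kernel layout and shifted proto, mode,
# reqid and the families onto the wrong offsets, so the migrate path was fuzzed
# with misaligned data.
xfrm_user_migrate {
	old_daddr	xfrm_address
	old_saddr	xfrm_address
	new_daddr	xfrm_address
	new_saddr	xfrm_address
	proto		flags[xfrm_proto, int8]
	mode		flags[xfrm_mode, int8]
	# Reserved field, always emitted as 0.
	reserved	const[0, int16]
	reqid		xfrm_req_id
	# Old and new family are chosen independently of each other and of the
	# address union variants above.
	old_family	flags[xfrm_family, int16]
	new_family	flags[xfrm_family, int16]
}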
# XFRMA_KMADDRESS payload: local/remote addresses, a reserved field fixed to 0,
# and the address family.
xfrm_user_kmaddress {
local xfrm_address
remote xfrm_address
reserved const[0, int32]
family flags[xfrm_family, int16]
}
# XFRMA_MARK payload: value v is taken from a tiny range (presumably so marks
# from separate messages coincide); mask m is unconstrained.
xfrm_mark {
v int32[3475289:3475293]
m int32
}
# XFRMA_ADDRESS_FILTER payload: source/destination addresses, family, and two
# unconstrained 8-bit prefix lengths (values beyond the address width are
# therefore generated).
xfrm_address_filter {
saddr xfrm_address
daddr xfrm_address
family flags[xfrm_family, int16]
splen int8
dplen int8
}
# XFRMA_SPD_IPV4_HTHRESH payload: both thresholds limited to 0..32.
xfrmu_spdhthresh4 {
lbits int8[0:32]
rbits int8[0:32]
}
# XFRMA_SPD_IPV6_HTHRESH payload: both thresholds limited to 0..128.
xfrmu_spdhthresh6 {
lbits int8[0:128]
rbits int8[0:128]
}
# Traffic selector embedded in SA, policy and report structures: addresses,
# ports with masks, family, prefix lengths, protocol, interface and owner uid.
xfrm_selector {
daddr xfrm_address
saddr xfrm_address
dport sock_port
# Port masks are big-endian 16-bit values; [opt] presumably also allows 0.
dport_mask int16be[opt]
sport sock_port
sport_mask int16be[opt]
family flags[xfrm_family, int16]
# Prefix lengths come from xfrm_prefixlens (32 or 128) and are chosen
# independently of family, so e.g. AF_INET with a 128-bit prefix is generated.
prefixlen_d flags[xfrm_prefixlens, int8]
prefixlen_s flags[xfrm_prefixlens, int8]
# ipv6_types is defined in another description file.
proto flags[ipv6_types, int8]
ifindex ifindex[opt]
user uid
}
# Configured lifetime limits: soft/hard pairs for bytes, packets, add-time and
# use-time. All eight fields are unconstrained 64-bit values, so soft > hard and
# extreme limits are generated.
xfrm_lifetime_cfg {
soft_byte_limit int64
hard_byte_limit int64
soft_packet_limit int64
hard_packet_limit int64
soft_add_expires_seconds int64
hard_add_expires_seconds int64
soft_use_expires_seconds int64
hard_use_expires_seconds int64
}
# Current lifetime counters; four unconstrained 64-bit values supplied by the sender.
xfrm_lifetime_cur {
bytes int64
packets int64
add_time int64
use_time int64
}
# SA statistics; three unconstrained 32-bit values supplied by the sender.
xfrm_stats {
replay_window int32
replay int32
integrity_failed int32
}
# Algorithm attribute payloads. Each one is an algorithm name (the alg_*_name
# types are defined in another description file), a key length and the key bytes.
# alg_key_len is computed as the size of alg_key in bits (bitsize), matching the
# generated key; the key itself is an arbitrary-length byte array that is not
# tied to the chosen algorithm, so key sizes invalid for the named algorithm are
# generated.

# XFRMA_ALG_AUTH payload.
xfrm_algo_hash {
alg_name alg_hash_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
# XFRMA_ALG_CRYPT payload.
xfrm_algo_blkcipher {
alg_name alg_blkcipher_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
# XFRMA_ALG_COMP payload.
xfrm_algo_compress {
alg_name alg_compress_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
# XFRMA_ALG_AUTH_TRUNC payload: adds a truncation/ICV length taken from
# xfrm_algo_truncbits.
xfrm_algo_auth {
alg_name alg_hash_name
alg_key_len bitsize[alg_key, int32]
alg_icv_len flags[xfrm_algo_truncbits, int32]
alg_key array[int8]
}
# XFRMA_ALG_AEAD payload: adds an ICV length taken from xfrm_algo_truncbits.
xfrm_algo_aead {
alg_name alg_aead_name
alg_key_len bitsize[alg_key, int32]
alg_icv_len flags[xfrm_algo_truncbits, int32]
alg_key array[int8]
}
# Candidate truncation/ICV lengths; presumably in bits — TODO confirm.
xfrm_algo_truncbits = 0, 64, 96, 128, 160, 192, 256, 384, 512
# SA identity triple: destination address, SPI and protocol.
xfrm_id {
daddr xfrm_address
spi xfrm_spi
proto flags[xfrm_proto, int8]
}
# Address union holding either an IPv4 or an IPv6 address. It is not [varlen],
# so both variants occupy the size of the larger (IPv6) member. The variant is
# picked independently of any family field in the enclosing structure.
xfrm_address [
in ipv4_addr
in6 ipv6_addr
]
# A policy followed by exactly one template.
# NOTE(review): not referenced by any message or attribute in this file;
# presumably consumed by another description file — confirm it is still used.
xfrm_filter {
info xfrm_userpolicy_info
tmpl xfrm_user_tmpl
}
# Full description of one policy. Used as the NEWPOLICY/UPDPOLICY header, nested
# in xfrm_user_acquire, xfrm_user_polexpire and xfrm_filter, and as the
# XFRMA_POLICY attribute payload.
xfrm_userpolicy_info {
sel xfrm_selector
lft xfrm_lifetime_cfg
curlft xfrm_lifetime_cur
# Unconstrained 32-bit priority.
priority int32
index xfrm_policy_index
dir flags[xfrm_policy_dir, int8]
action flags[xfrm_policy_actions, int8]
flags flags[xfrm_policy_flags, int8]
share flags[xfrm_policy_shares, int8]
}
# One element of the XFRMA_TMPL array (also nested in xfrm_filter): the SA
# template a policy refers to.
xfrm_user_tmpl {
id xfrm_id
family flags[xfrm_family, int16]
saddr xfrm_address
reqid xfrm_req_id
mode flags[xfrm_mode, int8]
share flags[xfrm_policy_shares, int8]
# optional and the three algorithm fields are unconstrained.
optional int8
aalgos int32
ealgos int32
calgos int32
}
# Value sets referenced by the flags[...] fields above. Named constants are
# resolved from the kernel headers listed in the include lines of this file.
xfrm_mode = XFRM_MODE_TRANSPORT, XFRM_MODE_TUNNEL, XFRM_MODE_ROUTEOPTIMIZATION, XFRM_MODE_IN_TRIGGER, XFRM_MODE_BEET
xfrm_state = XFRM_STATE_NOECN, XFRM_STATE_DECAP_DSCP, XFRM_STATE_NOPMTUDISC, XFRM_STATE_WILDRECV, XFRM_STATE_ICMP, XFRM_STATE_AF_UNSPEC, XFRM_STATE_ALIGN4, XFRM_STATE_ESN
xfrm_family = AF_INET, AF_INET6
xfrm_proto = IPPROTO_AH, IPPROTO_ESP, IPPROTO_COMP, IPPROTO_DSTOPTS, IPPROTO_ROUTING, IPSEC_PROTO_ANY
xfrm_policy_types = XFRM_POLICY_TYPE_MAIN, XFRM_POLICY_TYPE_SUB
xfrm_policy_actions = XFRM_POLICY_ALLOW, XFRM_POLICY_BLOCK
xfrm_policy_flags = XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP
xfrm_policy_shares = XFRM_SHARE_ANY, XFRM_SHARE_SESSION, XFRM_SHARE_USER, XFRM_SHARE_UNIQUE
xfrm_policy_dir = XFRM_POLICY_IN, XFRM_POLICY_OUT, XFRM_POLICY_FWD
# IPv4 and IPv6 full-length prefixes only; shorter prefixes are not listed.
xfrm_prefixlens = 32, 128
# Literal values rather than named constants, including negatives.
# NOTE(review): presumably meant to cover the valid UDP encapsulation types plus
# out-of-range ones — confirm, and consider naming the valid constants.
xfrm_encap_type = -3, -2, -1, 0, 1, 2, 3