blob: 29b264b2551b81e9c552ef38387a6c142a72d13b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
/* Netfilter Driver for IPSec VPN Client
*
* Copyright(c) 2012 Samsung Electronics
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
/*
* linux_params.h
*
* Linux interceptor tunable parameters.
*
*/
#ifndef LINUX_PARAMS_H
#define LINUX_PARAMS_H
/* Netfilter interoperability flag. This flags specifies the extension
selector slot which is used for storing the Linux 'skb->nfmark' firewall
mark. Note that in kernel versions before 2.6.20 the linux kernel
CONFIG_IP_ROUTE_FWMARK must be enabled if you wish to use `skb->nfmark'
in route lookups. This define is not used if
SSH_INTERCEPTOR_NUM_EXTENSION_SELECTORS is 0. */
/* #define SSH_LINUX_FWMARK_EXTENSION_SELECTOR 0 */
/* The upper treshold of queued messages from the engine to the policymanager.
If this treshold is passed, then "unreliable" messages (messages not
necessary for the correct operation of the engine/policymanager), are
discarded. Both existing queued messages or new messages can be
discarded. */
#define SSH_LINUX_MAX_IPM_MESSAGES 2000
/* Disable IPV6 support in the interceptor here, if explicitly desired.
Undefining SSH_LINUX_INTERCEPTOR_IPV6 results into excluding IPv6
specific code in the interceptor. The define does not affect the
size of any common data structures.
Currently it is disabled by default if IPv6 is not available in the
kernel. */
#if defined (WITH_IPV6)
#define SSH_LINUX_INTERCEPTOR_IPV6 1
#ifndef CONFIG_IPV6
#ifndef CONFIG_IPV6_MODULE
#undef SSH_LINUX_INTERCEPTOR_IPV6
#endif /* !CONFIG_IPV6_MODULE */
#endif /* !CONFIG_IPV6 */
#endif /* WITH_IPV6 */
/* Netfilter interoperability flag. If this flag is set, then packets
intercepted at the PRE_ROUTING hook are passed to other netfilter modules
before the packet is given to the engine for processing. */
/* #define SSH_LINUX_NF_PRE_ROUTING_BEFORE_ENGINE 1 */
/* Netfilter interoperability flag. If this flag is set, then packets
sent to host stack are passed to other netfilter modules in the PRE_ROUTING
hook after the packet has been processed in the engine. */
/* #define SSH_LINUX_NF_PRE_ROUTING_AFTER_ENGINE 1 */
/* Netfilter interoperability flag. If this flag is set, then packets
intercepted at the POST_ROUTING hook are passed to other netfilter
modules before the packet is given to the engine for processing. */
/* #define SSH_LINUX_NF_POST_ROUTING_BEFORE_ENGINE 1 */
/* Netfilter interoperability flag. If this flag is set, then packets
sent to network are passed to other netfilter modules in the POST_ROUTING
hook after the packet has been processed in the engine. This flag is usable
only if SSH_IPSEC_IP_ONLY_INTERCEPTOR is defined. */
#ifdef SSH_IPSEC_IP_ONLY_INTERCEPTOR
/* #define SSH_LINUX_NF_POST_ROUTING_AFTER_ENGINE 1 */
#endif /* SSH_IPSEC_IP_ONLY_INTERCEPTOR */
/* Netfilter interoperability flag. If this flags is set, then forwarded
packets are passed to netfilter modules in the FORWARD hook after
the packet has been processed in the engine. This flag is usable
only if SSH_IPSEC_IP_ONLY_INTERCEPTOR defined, and if the engine performs
packet forwarding (that is, SSH_ENGINE_FLAGS does not include
SSH_ENGINE_NO_FORWARDING). */
#ifdef SSH_IPSEC_IP_ONLY_INTERCEPTOR
/* #define SSH_LINUX_NF_FORWARD_AFTER_ENGINE 1 */
#endif /* SSH_IPSEC_IP_ONLY_INTERCEPTOR */
#endif /* LINUX_PARAMS_H */
|
