author | 2017-03-02 17:44:32 +0000 | |
---|---|---|
committer | 2017-03-02 17:44:32 +0000 | |
commit | fbd50af56a11314f850094ab77f51ab5b415c827 (patch) | |
tree | efdccd085c3e5be2211d147ed2f0733000577d6f | |
parent | Implement a new routing message RTM_PROPOSAL that communicates (diff) | |
Now that the kernel provides information about IPsec SA bundles,
print them by default.
OK hshoexer@
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 5 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkdump.c | 40 |
2 files changed, 38 insertions, 7 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index a1456d176a6..a2819c58bcb 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.80 2015/12/10 17:27:00 mmcc Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.81 2017/03/02 17:44:32 bluhm Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -384,9 +384,6 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 void
 ipsecctl_print_sagroup(struct ipsec_rule *r, int opts)
 {
- if (!(opts & IPSECCTL_OPT_VERBOSE2))
- return;
-
 printf("[group %s to ", satype[r->proto]);
 ipsecctl_print_addr(r->dst);
 printf(" spi 0x%08x with %s to ", r->spi, satype[r->proto2]);
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index b8dbaf5228a..15e63c10837 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.43 2017/02/28 16:46:27 bluhm Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.44 2017/03/02 17:44:32 bluhm Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -604,6 +604,31 @@ parse_key(struct sadb_ext *ext, struct ipsec_key *ikey)
 ikey->len = key->sadb_key_bits / 8;
 }
+static void
+parse_satype(struct sadb_ext *ext, u_int8_t *satype)
+{
+ struct sadb_protocol *proto = (struct sadb_protocol *)ext;
+
+ if (proto == NULL)
+ return;
+ switch (proto->sadb_protocol_proto) {
+ case SADB_SATYPE_ESP:
+ *satype = IPSEC_ESP;
+ break;
+ case SADB_SATYPE_AH:
+ *satype = IPSEC_AH;
+ break;
+ case SADB_X_SATYPE_IPCOMP:
+ *satype = IPSEC_IPCOMP;
+ break;
+ case SADB_X_SATYPE_IPIP:
+ *satype = IPSEC_IPIP;
+ break;
+ default:
+ return;
+ }
+}
+
 u_int32_t
 pfkey_get_spi(struct sadb_msg *msg)
 {
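Review bot: parse_satype() reads proto->sadb_protocol_proto without checking that the extension is long enough to hold a struct sadb_protocol; whether setup_extensions() already validates each sadb_ext_len against the expected structure size is not visible on this page, and if it does not, a short SADB_X_EXT_SATYPE2 extension would be read past its end. parse_key() in the surrounding context reads sadb_key_bits the same way, so either the length check lives upstream or both functions share the gap; a one-line comment at the cast stating which would settle it for the next reader. The `return` in the default arm is equivalent to `break` here and hides that an unknown satype silently leaves *satype untouched. A header comment such as `/* Map a PF_KEY satype extension to an IPSEC_* value; *satype is left unchanged when ext is NULL or the satype is unknown, so callers must initialise it first. */` would make that contract explicit.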
@@ -622,8 +647,8 @@ pfkey_print_sa(struct sadb_msg *msg, int opts)
 struct ipsec_rule r;
 struct ipsec_key enckey, authkey;
 struct ipsec_transforms xfs;
- struct ipsec_addr_wrap src, dst;
- struct sadb_sa *sa;
+ struct ipsec_addr_wrap src, dst, dst2;
+ struct sadb_sa *sa, *sa2;
 setup_extensions(msg);
 sa = (struct sadb_sa *)extensions[SADB_EXT_SA];
@@ -787,6 +812,15 @@ pfkey_print_sa(struct sadb_msg *msg, int opts)
 extensions[SADB_EXT_KEY_AUTH] = NULL;
 extensions[SADB_EXT_KEY_ENCRYPT] = NULL;
 }
+ if (extensions[SADB_X_EXT_SA2]) {
+ r.type |= RULE_GROUP;
+ sa2 = (struct sadb_sa *)extensions[SADB_X_EXT_SA2];
+ r.spi2 = ntohl(sa2->sadb_sa_spi);
+ parse_addr(extensions[SADB_X_EXT_DST2], &dst2);
+ r.dst2 = &dst2;
+ parse_satype(extensions[SADB_X_EXT_SATYPE2], &r.proto2);
+ r.proto = r.satype;
+ }
 ipsecctl_print_rule(&r, opts);
 if (opts & IPSECCTL_OPT_VERBOSE) { |
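Review bot: The SA2 block assumes SADB_X_EXT_DST2 and SADB_X_EXT_SATYPE2 accompany SADB_X_EXT_SA2; parse_satype() returns on a NULL extension and leaves r.proto2 unset, but whether parse_addr() tolerates a NULL extension, and whether r is zeroed earlier in pfkey_print_sa() (the function starts outside this hunk), is not visible here. If neither holds, a bundle message lacking one of the companion extensions would print an uninitialised r.proto2 or dst2 through ipsecctl_print_sagroup(). Guarding on all three, `if (extensions[SADB_X_EXT_SA2] && extensions[SADB_X_EXT_DST2] && extensions[SADB_X_EXT_SATYPE2]) {`, or initialising r.proto2 before the parse_satype() call, closes that gap. The assignment `r.proto = r.satype;` also deserves a why-comment, e.g. `/* ipsecctl_print_sagroup() indexes satype[] by r.proto */`, since r.satype is set outside the hunk and nothing nearby explains why proto is re-derived here.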