Hi, did anyone except itojun ever use the IPsec socket options?
It currently only seems to be used by isakmpd/iked to bypass IPsec for IKE traffic but I could not find any code that is using the other modes like "require". The attached diff is for testing only and is based on an old KAME ping from itojun, see http://goo.gl/7xSAH for details. I expected to see a pfkey acquire message from the kernel but nothing happens - I did not look at the kernel side yet. It seems that the implementation was never finished but I'm wondering if anyone knows the history or details behind it? reyk
Index: ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.88
diff -u -p -r1.88 ping.c
--- ping.c 3 Jul 2010 04:44:51 -0000 1.88
+++ ping.c 18 Apr 2011 10:02:31 -0000
@@ -108,6 +108,7 @@ int options;
 #define F_SO_JUMBO 0x1000
 #define F_AUD_RECV 0x2000
 #define F_AUD_MISS 0x4000
+#define F_ENCRYPT 0x8000
 /* multicast options */
 int moptions;
@@ -201,7 +202,7 @@ main(int argc, char *argv[])
 preload = 0;
 datap = &outpack[8 + sizeof(struct tvi)];
 while ((ch = getopt(argc, argv,
- "DEI:LRS:c:defi:jl:np:qrs:T:t:V:vw:")) != -1)
+ "DEI:LRS:c:defi:jl:np:qrs:T:t:V:vw:X")) != -1)
 switch(ch) {
 case 'c':
 npackets = (unsigned long)strtonum(optarg, 0,
@@ -326,6 +327,9 @@ main(int argc, char *argv[])
 errx(1, "maxwait value is %s: %s",
 errstr, optarg);
 break;
+ case 'X':
+ options |= F_ENCRYPT;
+ break;
 default:
 usage();
 }
@@ -407,6 +411,13 @@ main(int argc, char *argv[])
 options |= F_HDRINCL;
 }
+ if (options & F_ENCRYPT) {
+ int optval = IPSEC_LEVEL_REQUIRE;
+ int level = IP_ESP_TRANS_LEVEL; /* XXX _ESP_NETWORK_LEVEL */
+ (void)setsockopt(s, IPPROTO_IP, level, &optval,
+ sizeof(optval));
+ }
+
 if (options & F_RROUTE && options & F_HDRINCL)
 errx(1, "-R option and -D or -T, or -t to unicast destinations"
 " are incompatible");
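Review bot: The setsockopt() result in the new `if (options & F_ENCRYPT)` block is thrown away with a `(void)` cast, so if the kernel rejects the option (ENOPROTOOPT, or the level constant not being accepted on this socket) the echo request goes out with no IPsec policy at all and nothing tells the user — which is indistinguishable from the "nothing happens" reported in the message. For a mode whose contract is "require", failing to install the policy should be fatal rather than silently degrading to cleartext: `if (setsockopt(s, IPPROTO_IP, level, &optval, sizeof(optval)) == -1)` followed by `err(1, "setsockopt IP_ESP_TRANS_LEVEL");`. Checking the return would also separate "option not accepted" from "option accepted but no acquire is generated", which narrows down where the unfinished part lives. The enclosing main() starts and ends outside this hunk, so whether `s` is still the raw socket here and whether privileges have already been dropped at this point is not visible from the diff.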
@@ -1363,7 +1374,7 @@ void
 usage(void)
 {
 (void)fprintf(stderr,
- "usage: ping [-DdEefLnqRrv] [-c count] [-I ifaddr] [-i wait]\n"
+ "usage: ping [-DdEefLnqRSrvX] [-c count] [-I ifaddr] [-i wait]\n"
 "\t[-l preload] [-p pattern] [-s packetsize] [-T tos] [-t ttl]\n"
 "\t[-V rtable] [-w maxwait] host\n");
 exit(1);
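Review bot: The usage string now lists `S` among the bare flags (`[-DdEefLnqRSrvX]`), but the getopt string in the earlier hunk declares it as `S:`, an option that takes an argument, so the usage text mis-documents it; it belongs with the argument-taking options in the same shape as `[-I ifaddr]`, e.g. `[-S sourceaddr]` (the argument's name is not visible in the diff, so match whatever ping.8 already uses). Adding `S` is also unrelated to the `-X` experiment this diff is about and would be cleaner as its own commit. If `-X` is kept, ping.8 needs a matching entry stating that it requires ESP transport-mode protection via IPSEC_LEVEL_REQUIRE and that the ping fails rather than falling back to cleartext. The closing brace of usage() is outside the hunk.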