Hi,
Now that the kernel provides information about IPsec SA bundles,
print them by default. The group rule appears next to the first
SA rule.
# ipsecctl -ss
esp tunnel from 10.188.100.17 to 10.188.100.70 spi 0x10000841 auth
hmac-sha2-256 enc aes-256
[group esp to 10.188.100.70 spi 0x10000841 with ah to 10.188.100.70 spi
0x10002841]
...
ah tunnel from 10.188.100.17 to 10.188.100.70 spi 0x10002841 auth hmac-sha2-256
ok?
bluhm
Index: sbin/ipsecctl/ipsecctl.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/ipsecctl.c,v
retrieving revision 1.80
diff -u -p -r1.80 ipsecctl.c
--- sbin/ipsecctl/ipsecctl.c 10 Dec 2015 17:27:00 -0000 1.80
+++ sbin/ipsecctl/ipsecctl.c 28 Feb 2017 16:49:01 -0000
@@ -384,9 +384,6 @@ ipsecctl_print_sa(struct ipsec_rule *r,
void
ipsecctl_print_sagroup(struct ipsec_rule *r, int opts)
{
- if (!(opts & IPSECCTL_OPT_VERBOSE2))
- return;
-
printf("[group %s to ", satype[r->proto]);
ipsecctl_print_addr(r->dst);
printf(" spi 0x%08x with %s to ", r->spi, satype[r->proto2]);
Index: sbin/ipsecctl/pfkdump.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/pfkdump.c,v
retrieving revision 1.43
diff -u -p -r1.43 pfkdump.c
--- sbin/ipsecctl/pfkdump.c 28 Feb 2017 16:46:27 -0000 1.43
+++ sbin/ipsecctl/pfkdump.c 28 Feb 2017 16:49:01 -0000
@@ -604,6 +604,31 @@ parse_key(struct sadb_ext *ext, struct i
ikey->len = key->sadb_key_bits / 8;
}
+static void
+parse_satype(struct sadb_ext *ext, u_int8_t *satype)
+{
+ struct sadb_protocol *proto = (struct sadb_protocol *)ext;
+
+ if (proto == NULL)
+ return;
+ switch (proto->sadb_protocol_proto) {
+ case SADB_SATYPE_ESP:
+ *satype = IPSEC_ESP;
+ break;
+ case SADB_SATYPE_AH:
+ *satype = IPSEC_AH;
+ break;
+ case SADB_X_SATYPE_IPCOMP:
+ *satype = IPSEC_IPCOMP;
+ break;
+ case SADB_X_SATYPE_IPIP:
+ *satype = IPSEC_IPIP;
+ break;
+ default:
+ return;
+ }
+}
+
u_int32_t
pfkey_get_spi(struct sadb_msg *msg)
{
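Review bot: parse_satype silently leaves `*satype` untouched both when the extension is absent and when `sadb_protocol_proto` is a value the switch does not map, and nothing in the new function says so; the caller then prints whatever the output variable already held. A one-line header comment would make the contract explicit, e.g. `/* Map an SADB_X_EXT_SATYPE2 extension to an IPSEC_* type; *satype is left unchanged if ext is NULL or the type is unknown. */`. The `default: return;` arm is then just a no-op and could be an empty `default: break;` to read as an intentional pass-through rather than an early exit. Whether setup_extensions has already validated the extension's `sadb_protocol_len` before this cast is not visible in this hunk.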
@@ -622,8 +647,8 @@ pfkey_print_sa(struct sadb_msg *msg, int
struct ipsec_rule r;
struct ipsec_key enckey, authkey;
struct ipsec_transforms xfs;
- struct ipsec_addr_wrap src, dst;
- struct sadb_sa *sa;
+ struct ipsec_addr_wrap src, dst, dst2;
+ struct sadb_sa *sa, *sa2;
setup_extensions(msg);
sa = (struct sadb_sa *)extensions[SADB_EXT_SA];
@@ -786,6 +811,15 @@ pfkey_print_sa(struct sadb_msg *msg, int
bzero(&authkey, sizeof authkey);
extensions[SADB_EXT_KEY_AUTH] = NULL;
extensions[SADB_EXT_KEY_ENCRYPT] = NULL;
+ }
+ if (extensions[SADB_X_EXT_SA2]) {
+ r.type |= RULE_GROUP;
+ sa2 = (struct sadb_sa *)extensions[SADB_X_EXT_SA2];
+ r.spi2 = ntohl(sa2->sadb_sa_spi);
+ parse_addr(extensions[SADB_X_EXT_DST2], &dst2);
+ r.dst2 = &dst2;
+ parse_satype(extensions[SADB_X_EXT_SATYPE2], &r.proto2);
+ r.proto = r.satype;
}
ipsecctl_print_rule(&r, opts);
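Review bot: `dst2` is an uninitialized local (declared in the earlier hunk of this function) and is only filled by `parse_addr(extensions[SADB_X_EXT_DST2], &dst2)`, yet `r.dst2 = &dst2` is assigned unconditionally; if the kernel message carries SA2 without DST2 and parse_addr bails out on a NULL extension the way parse_satype does, ipsecctl_print_sagroup reads uninitialized stack memory. Clearing it first, matching the `bzero(&authkey, sizeof authkey)` style already used in this function, closes that: `bzero(&dst2, sizeof dst2);` before the parse_addr call. The same applies to `r.proto2`, which parse_satype may leave unset; that is only safe if `r` was cleared earlier in pfkey_print_sa, which lies outside this hunk. pfkey_print_sa both starts and ends outside the hunk.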