Support for dumping the SADB.

6 files changed, 457 insertions, 26 deletions

diff --git a/sbin/ipsecctl/Makefile b/sbin/ipsecctl/Makefile
index f9df063b4de..170f6246dec 100644
--- a/sbin/ipsecctl/Makefile
+++ b/sbin/ipsecctl/Makefile
@@ -1,9 +1,9 @@
-#	$OpenBSD: Makefile,v 1.2 2005/04/04 22:22:55 hshoexer Exp $
+#	$OpenBSD: Makefile,v 1.3 2005/05/27 05:19:55 hshoexer Exp $
 
 PROG=	ipsecctl
 MAN=	ipsecctl.8 ipsec.conf.5
 
-SRCS=	ipsecctl.c pfkey.c parse.y
+SRCS=	ipsecctl.c pfkey.c pfkdump.c parse.y
 
 CFLAGS+= -Wall -I${.CURDIR}
 CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes
diff --git a/sbin/ipsecctl/ipsecctl.8 b/sbin/ipsecctl/ipsecctl.8
index d3e48599a93..da82fd4b47b 100644
--- a/sbin/ipsecctl/ipsecctl.8
+++ b/sbin/ipsecctl/ipsecctl.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipsecctl.8,v 1.7 2005/05/23 20:25:54 kjell Exp $
+.\"	$OpenBSD: ipsecctl.8,v 1.8 2005/05/27 05:19:55 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 .\"
@@ -22,8 +22,9 @@
 .Nd control flows for IPsec
 .Sh SYNOPSIS
 .Nm ipsecctl
-.Op Fl Fnsv
+.Op Fl Fnv
 .Op Fl f Ar file
+.Op Fl s Ar modifier
 .Sh DESCRIPTION
 The
 .Nm
@@ -46,8 +47,19 @@ Load the rules contained in
 .Ar file .
 .It Fl n
 Do not actually load rules, just parse them.
-.It Fl s
+.It Fl s Ar modifier
+Show the kernels databases specified by
+.Ar modifier
+(may be abbreviated):
+.Pp
+.Bl -tag -width xxxxxxxxxxxxx -compact
+.It Fl s Cm flow
 Show the ruleset loaded into the SPD.
+.It Fl s Cm sa
+Show the active SADB entries.
+.It Fl s Cm all
+Show all of the above.
+.El
 .It Fl v
 Produce more verbose output.
 A second use of
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index dd8bb185bd4..beb040f3f1c 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsecctl.c,v 1.7 2005/05/25 17:10:26 hshoexer Exp $	*/
+/*	$OpenBSD: ipsecctl.c,v 1.8 2005/05/27 05:19:55 hshoexer Exp $	*/
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -46,10 +46,20 @@ void		 ipsecctl_print_addr(struct ipsec_addr *);
 void		 ipsecctl_print_rule(struct ipsec_rule *, int);
 int		 ipsecctl_flush(int);
 void		 ipsecctl_get_rules(struct ipsecctl *);
-void		 ipsecctl_show(int);
+void		 ipsecctl_print_title(char *);
+void		 ipsecctl_show_flows(int);
+void		 ipsecctl_show_sas(int);
 void		 usage(void);
+const char	*ipsecctl_lookup_option(char *, const char **);
 
 const char	*infile;	/* Used by parse.y */
+const char	*showopt;
+
+int		 first_title = 1;
+
+static const char *showopt_list[] = {
+	"flow", "sa", "all", NULL
+};
 
 int
 ipsecctl_rules(char *filename, int opts)
@@ -140,7 +150,7 @@ ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r)
 
 	if ((ipsec->opts & IPSECCTL_OPT_VERBOSE) && !(ipsec->opts &
 	    IPSECCTL_OPT_SHOW))
-		ipsecctl_print_rule(r, ipsec->opts & IPSECCTL_OPT_VERBOSE2);
+		ipsecctl_print_rule(r, ipsec->opts);
 
 	return (0);
 }
@@ -170,13 +180,13 @@ ipsecctl_print_addr(struct ipsec_addr *ipa)
 }
 
 void
-ipsecctl_print_rule(struct ipsec_rule *r, int verbose)
+ipsecctl_print_rule(struct ipsec_rule *r, int opts)
 {
 	static const char *direction[] = {"?", "in", "out"};
 	static const char *proto[] = {"?", "esp", "ah"};
 	static const char *auth[] = {"?", "psk", "rsa"};
 
-	if (verbose)
+	if (opts & IPSECCTL_OPT_VERBOSE2)
 		printf("@%d ", r->nr);
 
 	printf("flow %s %s", proto[r->proto], direction[r->direction]);
@@ -187,14 +197,14 @@ ipsecctl_print_rule(struct ipsec_rule *r, int verbose)
 	printf(" peer ");
 	ipsecctl_print_addr(r->peer);
 
-	if (r->auth.srcid)
-		printf(" srcid %s", r->auth.srcid);
-	if (r->auth.dstid)
-		printf(" dstid %s", r->auth.dstid);
-
-	if (r->auth.type > 0)
-		printf(" %s", auth[r->auth.type]);
-
+	if (opts & IPSECCTL_OPT_VERBOSE) {
+		if (r->auth.srcid)
+			printf("\n\tsrcid %s", r->auth.srcid);
+		if (r->auth.dstid)
+			printf("\n\tdstid %s", r->auth.dstid);
+		if (r->auth.type > 0)
+			printf(" %s", auth[r->auth.type]);
+	}
 	printf("\n");
 }
 
@@ -318,7 +328,16 @@ ipsecctl_get_rules(struct ipsecctl *ipsec)
 }
 
 void
-ipsecctl_show(int opts)
+ipsecctl_print_title(char *title)
+{
+	if (!first_title)
+		printf("\n");
+	first_title = 0;
+	printf("%s\n", title);
+}
+
+void
+ipsecctl_show_flows(int opts)
 {
 	struct ipsecctl ipsec;
 	struct ipsec_rule *rp;
@@ -329,10 +348,19 @@ ipsecctl_show(int opts)
 
 	ipsecctl_get_rules(&ipsec);
 
+	if (opts & IPSECCTL_OPT_SHOWALL)
+		ipsecctl_print_title("FLOWS:");
+
+	if (TAILQ_FIRST(&ipsec.rule_queue) == 0) {
+		if (opts & IPSECCTL_OPT_SHOWALL)
+			printf("No flows\n");
+		return;
+	}
+		
 	while ((rp = TAILQ_FIRST(&ipsec.rule_queue))) {
 		TAILQ_REMOVE(&ipsec.rule_queue, rp, entries);
 
-		ipsecctl_print_rule(rp, ipsec.opts & IPSECCTL_OPT_VERBOSE2);
+		ipsecctl_print_rule(rp, ipsec.opts);
 
 		free(rp->src);
 		free(rp->dst);
@@ -347,15 +375,65 @@ ipsecctl_show(int opts)
 	return;
 }
 
+void
+ipsecctl_show_sas(int opts)
+{
+	struct sadb_msg *msg;
+	int		 mib[5];
+	size_t		 need = 0;
+	char		*buf, *lim, *next;
+
+	mib[0] = CTL_NET;
+	mib[1] = PF_KEY;
+	mib[2] = PF_KEY_V2;
+	mib[3] = NET_KEY_SADB_DUMP;
+	mib[4] = SADB_SATYPE_UNSPEC;
+
+	if (opts & IPSECCTL_OPT_SHOWALL)
+		ipsecctl_print_title("SADB:");
+
+	/* When the SADB is empty we get ENOENT, no need to err(). */
+	if (sysctl(mib, 5, NULL, &need, NULL, 0) == -1 && errno != ENOENT)
+		err(1, "sysctl");
+	if (need == 0) {
+		if (opts & IPSECCTL_OPT_SHOWALL)
+			printf("No entries\n");
+		return;
+	}
+	if ((buf = malloc(need)) == NULL)
+		err(1, "malloc");
+	if (sysctl(mib, 5, buf, &need, NULL, 0) == -1)
+		err(1, "sysctl");
+	lim = buf + need;
+	for (next = buf; next < lim;
+	    next += msg->sadb_msg_len * PFKEYV2_CHUNK) {
+		msg = (struct sadb_msg *)next;
+		if (msg->sadb_msg_len == 0)
+			break;
+		pfkey_print_sa(msg, opts);
+	}
+}
+
 __dead void
 usage(void)
 {
 	extern char	*__progname;
 
-	fprintf(stderr, "usage: %s [-Fnsv] [-f file]\n", __progname);
+	fprintf(stderr, "usage: %s [-Fnv] [-f file] [-s modifier]\n",
+	    __progname);
 	exit(1);
 }
 
+const char *
+ipsecctl_lookup_option(char *cmd, const char **list)
+{
+	if (cmd != NULL && *cmd)
+		for (; *list; list++)
+			if (!strncmp(cmd, *list, strlen(cmd)))
+				return (*list);
+	return (NULL);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -367,7 +445,7 @@ main(int argc, char *argv[])
 	if (argc < 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "f:Fnvs")) != -1) {
+	while ((ch = getopt(argc, argv, "f:Fnvs:")) != -1) {
 		switch (ch) {
 		case 'f':
 			rulesopt = optarg;
@@ -388,6 +466,12 @@ main(int argc, char *argv[])
 			break;
 
 		case 's':
+			showopt = ipsecctl_lookup_option(optarg, showopt_list);
+			if (showopt == NULL) {
+				warnx("Unknown show modifier '%s'", optarg);
+				usage();
+				/* NOTREACHED */
+			}
 			opts |= IPSECCTL_OPT_SHOW;
 			break;
 
@@ -410,8 +494,20 @@ main(int argc, char *argv[])
 		if (ipsecctl_rules(rulesopt, opts))
 			error = 1;
 
-	if (opts & IPSECCTL_OPT_SHOW)
-		ipsecctl_show(opts);
+	if (showopt != NULL) {
+		switch (*showopt) {
+		case 'f':
+			ipsecctl_show_flows(opts);
+			break;
+		case 's':
+			ipsecctl_show_sas(opts);
+			break;
+		case 'a':
+			opts |= IPSECCTL_OPT_SHOWALL;
+			ipsecctl_show_flows(opts);
+			ipsecctl_show_sas(opts);
+		}
+	}
 
 	exit(error);
 }
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 2a7be598c06..a1d831aeb1b 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsecctl.h,v 1.4 2005/05/25 17:10:26 hshoexer Exp $	*/
+/*	$OpenBSD: ipsecctl.h,v 1.5 2005/05/27 05:19:55 hshoexer Exp $	*/
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -24,6 +24,7 @@
 #define IPSECCTL_OPT_VERBOSE		0x0010
 #define IPSECCTL_OPT_VERBOSE2		0x0020
 #define IPSECCTL_OPT_SHOW		0x0040
+#define IPSECCTL_OPT_SHOWALL		0x0080
 #define IPSECCTL_OPT_FLUSH		0x0100
 
 enum {
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
new file mode 100644
index 00000000000..6c2c1d79c1d
--- /dev/null
+++ b/sbin/ipsecctl/pfkdump.c
@@ -0,0 +1,321 @@
+/*	$OpenBSD: pfkdump.c,v 1.1 2005/05/27 05:19:55 hshoexer Exp $	*/
+
+/*
+ * Copyright (c) 2003 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/errno.h>
+#include <sys/time.h>
+#include <sys/sysctl.h>
+#include <net/pfkeyv2.h>
+#include <netinet/ip_ipsp.h>
+#include <netdb.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <err.h>
+
+#include "ipsecctl.h"
+#include "pfkey.h"
+
+static void	print_sa(struct sadb_ext *, struct sadb_msg *);
+static void	print_addr(struct sadb_ext *, struct sadb_msg *);
+static void	print_key(struct sadb_ext *, struct sadb_msg *);
+static void	print_life(struct sadb_ext *, struct sadb_msg *);
+static void	print_ident(struct sadb_ext *, struct sadb_msg *);
+static void	print_auth(struct sadb_ext *, struct sadb_msg *);
+static void	print_udpenc(struct sadb_ext *, struct sadb_msg *);
+
+static struct idname *lookup(struct idname [], u_int8_t);
+static char    *lookup_name(struct idname [], u_int8_t);
+static void	print_ext(struct sadb_ext *, struct sadb_msg *, int);
+
+void		pfkey_print_sa(struct sadb_msg *, int);
+
+struct idname {
+	u_int8_t id;
+	char *name;
+	void (*func)(struct sadb_ext *, struct sadb_msg *);
+};
+
+struct idname ext_types[] = {
+	{ SADB_EXT_RESERVED,		"reserved",		NULL },
+	{ SADB_EXT_SA,			"sa",			print_sa},
+	{ SADB_EXT_LIFETIME_CURRENT,	"lifetime_cur",		print_life },
+	{ SADB_EXT_LIFETIME_HARD,	"lifetime_hard",	print_life },
+	{ SADB_EXT_LIFETIME_SOFT,	"lifetime_soft",	print_life },
+	{ SADB_EXT_ADDRESS_SRC,		"address_src",		print_addr},
+	{ SADB_EXT_ADDRESS_DST,		"address_dst",		print_addr},
+	{ SADB_EXT_KEY_AUTH,		"key_auth",		print_key},
+	{ SADB_EXT_KEY_ENCRYPT,		"key_encrypt",		print_key},
+	{ SADB_EXT_IDENTITY_SRC,	"identity_src",		print_ident },
+	{ SADB_EXT_IDENTITY_DST,	"identity_dst",		print_ident },
+	{ SADB_X_EXT_REMOTE_AUTH,	"remote_auth",		print_auth },
+	{ SADB_X_EXT_UDPENCAP,		"udpencap",		print_udpenc },
+	{ SADB_X_EXT_LIFETIME_LASTUSE,	"lifetime_lastuse",	print_life },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname sa_types[] = {
+	{ SADB_SATYPE_UNSPEC,		"unspec",		NULL },
+	{ SADB_SATYPE_AH,		"ah",			NULL },
+	{ SADB_SATYPE_ESP,		"esp",			NULL },
+	{ SADB_SATYPE_RSVP,		"rsvp",			NULL },
+	{ SADB_SATYPE_OSPFV2,		"ospfv2",		NULL },
+	{ SADB_SATYPE_RIPV2,		"ripv2",		NULL },
+	{ SADB_SATYPE_MIP,		"mip",			NULL },
+	{ SADB_X_SATYPE_IPIP,		"ipip",			NULL },
+	{ SADB_X_SATYPE_TCPSIGNATURE,	"tcpmd5",		NULL },
+	{ SADB_X_SATYPE_IPCOMP,		"ipcomp",		NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname auth_types[] = {
+	{ SADB_AALG_NONE,		"none",			NULL },
+	{ SADB_X_AALG_DES,		"des",			NULL },
+	{ SADB_AALG_MD5HMAC,		"hmac-md5",		NULL },
+	{ SADB_X_AALG_RIPEMD160HMAC,	"hmac-ripemd160",	NULL },
+	{ SADB_AALG_SHA1HMAC,		"hmac-sha1",		NULL },
+	{ SADB_X_AALG_SHA2_256,		"hmac-sha2-256",	NULL },
+	{ SADB_X_AALG_SHA2_384,		"hmac-sha2-384",	NULL },
+	{ SADB_X_AALG_SHA2_512,		"hmac-sha2-512",	NULL },
+	{ SADB_X_AALG_MD5,		"md5",			NULL },
+	{ SADB_X_AALG_SHA1,		"sha1",			NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname enc_types[] = {
+	{ SADB_EALG_NONE,		"none",			NULL },
+	{ SADB_EALG_3DESCBC,		"3des-cbc",		NULL },
+	{ SADB_EALG_DESCBC,		"des-cbc",		NULL },
+	{ SADB_X_EALG_3IDEA,		"idea3",		NULL },
+	{ SADB_X_EALG_AES,		"aes",			NULL },
+	{ SADB_X_EALG_AESCTR,		"aesctr",		NULL },
+	{ SADB_X_EALG_BLF,		"blowfish",		NULL },
+	{ SADB_X_EALG_CAST,		"cast128",		NULL },
+	{ SADB_X_EALG_DES_IV32,		"des-iv32",		NULL },
+	{ SADB_X_EALG_DES_IV64,		"des-iv64",		NULL },
+	{ SADB_X_EALG_IDEA,		"idea",			NULL },
+	{ SADB_EALG_NULL,		"null",			NULL },
+	{ SADB_X_EALG_RC4,		"rc4",			NULL },
+	{ SADB_X_EALG_RC5,		"rc5",			NULL },
+	{ SADB_X_EALG_SKIPJACK,		"skipjack",		NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname comp_types[] = {
+	{ SADB_X_CALG_NONE,		"none",			NULL },
+	{ SADB_X_CALG_OUI,		"oui",			NULL },
+	{ SADB_X_CALG_DEFLATE,		"deflate",		NULL },
+	{ SADB_X_CALG_LZS,		"lzs",			NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname xauth_types[] = {
+	{ SADB_X_AUTHTYPE_NONE,		"none",			NULL },
+	{ SADB_X_AUTHTYPE_PASSPHRASE,	"passphrase",		NULL },
+	{ SADB_X_AUTHTYPE_RSA,		"rsa",			NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname identity_types[] = {
+	{ SADB_IDENTTYPE_RESERVED,	"reserved",		NULL },
+	{ SADB_IDENTTYPE_PREFIX,	"prefix",		NULL },
+	{ SADB_IDENTTYPE_FQDN,		"fqdn",			NULL },
+	{ SADB_IDENTTYPE_USERFQDN,	"ufqdn",		NULL },
+	{ SADB_X_IDENTTYPE_CONNECTION,	"x_connection",		NULL },
+	{ 0,				NULL,			NULL }
+};
+
+struct idname states[] = {
+	{ SADB_SASTATE_LARVAL,		"larval",		NULL },
+	{ SADB_SASTATE_MATURE,		"mature",		NULL },
+	{ SADB_SASTATE_DYING,		"dying",		NULL },
+	{ SADB_SASTATE_DEAD,		"dead",			NULL },
+	{ 0,				NULL,			NULL }
+};
+
+static struct idname *
+lookup(struct idname tab[], u_int8_t id)
+{
+	struct idname *entry;
+
+	for (entry = tab; entry->name; entry++)
+		if (entry->id == id)
+			return (entry);
+	return (NULL);
+}
+
+static char *
+lookup_name(struct idname tab[], u_int8_t id)
+{
+	struct idname *entry;
+
+	entry = lookup(tab, id);
+	return (entry ? entry->name : "unknown");
+}
+
+static void
+print_ext(struct sadb_ext *ext, struct sadb_msg *msg, int opts)
+{
+	struct idname *entry;
+
+	if ((entry = lookup(ext_types, ext->sadb_ext_type)) == NULL) {
+		printf("unknown ext: type %u len %u\n",
+		    ext->sadb_ext_type, ext->sadb_ext_len);
+		return;
+	}
+
+	if (!(opts & IPSECCTL_OPT_VERBOSE) && entry->id != SADB_EXT_SA)
+		return;
+	if (entry->id != SADB_EXT_SA)
+		printf("\t%s: ", entry->name);
+	if (entry->func != NULL)
+		(*entry->func)(ext, msg);
+	else
+		printf("type %u len %u\n",
+		    ext->sadb_ext_type, ext->sadb_ext_len);
+}
+
+static void
+print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_sa *sa = (struct sadb_sa *) ext;
+
+	if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
+		printf("cpi 0x%8.8x comp %s",
+		    ntohl(sa->sadb_sa_spi),
+		    lookup_name(comp_types, sa->sadb_sa_encrypt));
+	else
+		printf("spi 0x%8.8x auth %s enc %s",
+		    ntohl(sa->sadb_sa_spi),
+		    lookup_name(auth_types, sa->sadb_sa_auth),
+		    lookup_name(enc_types, sa->sadb_sa_encrypt));
+	if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
+		printf(" tunnel");
+	printf("\n");
+}
+
+static void
+print_addr(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_address *addr = (struct sadb_address *) ext;
+	struct sockaddr *sa;
+	struct sockaddr_in *sin4;
+	struct sockaddr_in6 *sin6;
+	char hbuf[NI_MAXHOST];
+
+	sa = (struct sockaddr *)(addr + 1);
+	if (sa->sa_family == 0)
+		printf("<any>");
+	else if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
+	    NI_NUMERICHOST))
+		printf("<could not get numeric hostname>");
+	else
+		printf("%s", hbuf);
+	switch (sa->sa_family) {
+	case AF_INET:
+		sin4 = (struct sockaddr_in *)sa;
+		if (sin4->sin_port)
+			printf(" port %u", ntohs(sin4->sin_port));
+		break;
+	case AF_INET6:
+		sin6 = (struct sockaddr_in6 *)sa;
+		if (sin6->sin6_port)
+			printf(" port %u", ntohs(sin6->sin6_port));
+		break;
+	}
+	printf("\n");
+}
+
+static void
+print_key(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_key *key = (struct sadb_key *) ext;
+	u_int8_t *data;
+	int i;
+
+	printf("bits %u: ", key->sadb_key_bits);
+	data = (u_int8_t *)(key + 1);
+	for (i = 0; i < key->sadb_key_bits / 8; i++) {
+		printf("%2.2x", data[i]);
+		data[i] = 0x00;		/* clear sensitive data */
+	}
+	printf("\n");
+}
+
+static void
+print_life(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_lifetime *life = (struct sadb_lifetime *) ext;
+
+	printf("alloc %u bytes %llu add %llu first %llu\n",
+	    life->sadb_lifetime_allocations,
+	    life->sadb_lifetime_bytes,
+	    life->sadb_lifetime_addtime,
+	    life->sadb_lifetime_usetime);
+}
+
+static void
+print_ident(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_ident *ident = (struct sadb_ident *) ext;
+
+	printf("type %s id %llu: %s\n",
+	    lookup_name(identity_types, ident->sadb_ident_type),
+	    ident->sadb_ident_id, (char *)(ident + 1));
+}
+
+static void
+print_auth(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_x_cred *x_cred = (struct sadb_x_cred *) ext;
+
+	printf("type %s\n",
+	    lookup_name(xauth_types, x_cred->sadb_x_cred_type));
+}
+
+static void
+print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *) ext;
+
+	printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port));
+}
+
+void
+pfkey_print_sa(struct sadb_msg *msg, int opts)
+{
+	struct sadb_ext *ext;
+
+	printf("%s ", lookup_name(sa_types, msg->sadb_msg_satype));
+	for (ext = (struct sadb_ext *)(msg + 1);
+	    (size_t)((u_int8_t *)ext - (u_int8_t *)msg) <
+	    msg->sadb_msg_len * PFKEYV2_CHUNK && ext->sadb_ext_len > 0;
+	    ext = (struct sadb_ext *)((u_int8_t *)ext +
+	    ext->sadb_ext_len * PFKEYV2_CHUNK))
+		print_ext(ext, msg, opts);
+	fflush(stdout);
+}
diff --git a/sbin/ipsecctl/pfkey.h b/sbin/ipsecctl/pfkey.h
index 94853c9580a..cae6646a5d9 100644
--- a/sbin/ipsecctl/pfkey.h
+++ b/sbin/ipsecctl/pfkey.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkey.h,v 1.1 2005/05/25 17:10:26 hshoexer Exp $	*/
+/*	$OpenBSD: pfkey.h,v 1.2 2005/05/27 05:19:55 hshoexer Exp $	*/
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -21,6 +21,7 @@
 #define PFKEYV2_CHUNK sizeof(u_int64_t)
 
 int	pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
+void	pfkey_print_sa(struct sadb_msg *, int);
 int	pfkey_ipsec_establish(struct ipsec_rule *);
 int	pfkey_ipsec_flush(void);
 int	pfkey_init(void);