authorMathieu Sauve-Frankel <msf@cvs.openbsd.org>2006-05-30 21:56:06 +0000
committerMathieu Sauve-Frankel <msf@cvs.openbsd.org>2006-05-30 21:56:06 +0000
commitb0748ad9ff94e4072c7e1bd4f8d5834fc0995338 (patch)
tree936c032b079d2930aabcb0694d317310ce3212fc /sbin/ipsecctl/pfkdump.c
parente0ff564cec2ec6e50eb04f65e3e845efe8feccc8 (diff)
implement monitor mode for ipsecctl. worked on with markus@
ok hshoexer@
Diffstat (limited to 'sbin/ipsecctl/pfkdump.c')
-rw-r--r--sbin/ipsecctl/pfkdump.c307
1 files changed, 301 insertions, 6 deletions
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index ff2cfc26d8d..351ee000fbe 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.10 2005/12/21 01:40:23 millert Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.11 2006/05/30 21:56:05 msf Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -40,6 +40,13 @@
#include "ipsecctl.h"
#include "pfkey.h"
+static void print_proto(struct sadb_ext *, struct sadb_msg *);
+static void print_flow(struct sadb_ext *, struct sadb_msg *);
+static void print_supp(struct sadb_ext *, struct sadb_msg *);
+static void print_prop(struct sadb_ext *, struct sadb_msg *);
+static void print_sens(struct sadb_ext *, struct sadb_msg *);
+static void print_spir(struct sadb_ext *, struct sadb_msg *);
+static void print_policy(struct sadb_ext *, struct sadb_msg *);
static void print_sa(struct sadb_ext *, struct sadb_msg *);
static void print_addr(struct sadb_ext *, struct sadb_msg *);
static void print_key(struct sadb_ext *, struct sadb_msg *);
@@ -54,6 +61,7 @@ static char *lookup_name(struct idname [], u_int8_t);
static void print_ext(struct sadb_ext *, struct sadb_msg *, int);
void pfkey_print_sa(struct sadb_msg *, int);
+void pfkey_print_raw(u_int8_t *, ssize_t);
struct sadb_ext *extensions[SADB_EXT_MAX];
@@ -71,10 +79,27 @@ struct idname ext_types[] = {
{ SADB_EXT_LIFETIME_SOFT, "lifetime_soft", print_life },
{ SADB_EXT_ADDRESS_SRC, "address_src", print_addr},
{ SADB_EXT_ADDRESS_DST, "address_dst", print_addr},
+ { SADB_EXT_ADDRESS_PROXY, "address_proxy", print_addr},
{ SADB_EXT_KEY_AUTH, "key_auth", print_key},
{ SADB_EXT_KEY_ENCRYPT, "key_encrypt", print_key},
{ SADB_EXT_IDENTITY_SRC, "identity_src", print_ident },
{ SADB_EXT_IDENTITY_DST, "identity_dst", print_ident },
+ { SADB_EXT_SENSITIVITY, "sensitivity", print_sens },
+ { SADB_EXT_PROPOSAL, "proposal", print_prop },
+ { SADB_EXT_SUPPORTED_AUTH, "supported_auth", print_supp },
+ { SADB_EXT_SUPPORTED_ENCRYPT, "supported_encrypt", print_supp },
+ { SADB_EXT_SPIRANGE, "spirange", print_spir },
+ { SADB_X_EXT_SRC_MASK, "src_mask", print_addr },
+ { SADB_X_EXT_DST_MASK, "dst_mask", print_addr },
+ { SADB_X_EXT_PROTOCOL, "protocol", print_proto },
+ { SADB_X_EXT_FLOW_TYPE, "flow_type", print_flow },
+ { SADB_X_EXT_SRC_FLOW, "src_flow", print_addr },
+ { SADB_X_EXT_DST_FLOW, "dst_flow", print_addr },
+ { SADB_X_EXT_SA2, "sa2", print_sa },
+ { SADB_X_EXT_DST2, "dst2", print_addr },
+ { SADB_X_EXT_POLICY, "policy", print_policy },
+ { SADB_X_EXT_LOCAL_AUTH, "local_auth", print_auth },
+ { SADB_X_EXT_SUPPORTED_COMP, "supported_comp", print_supp },
{ SADB_X_EXT_REMOTE_AUTH, "remote_auth", print_auth },
{ SADB_X_EXT_LOCAL_CREDENTIALS, "local_cred", print_cred },
{ SADB_X_EXT_REMOTE_CREDENTIALS,"remote_cred", print_cred },
@@ -83,6 +108,25 @@ struct idname ext_types[] = {
{ 0, NULL, NULL }
};
+struct idname msg_types[] = {
+ { SADB_ACQUIRE, "sadb_acquire", NULL },
+ { SADB_ADD, "sadb_add", NULL },
+ { SADB_DELETE, "sadb_delete", NULL },
+ { SADB_DUMP, "sadb_dump", NULL },
+ { SADB_EXPIRE, "sadb_expire", NULL },
+ { SADB_FLUSH, "sadb_flush", NULL },
+ { SADB_GET, "sadb_get", NULL },
+ { SADB_GETSPI, "sadb_getspi", NULL },
+ { SADB_REGISTER, "sadb_register", NULL },
+ { SADB_UPDATE, "sadb_update", NULL },
+ { SADB_X_ADDFLOW, "sadb_addflow", NULL },
+ { SADB_X_ASKPOLICY, "sadb_askpolicy", NULL },
+ { SADB_X_DELFLOW, "sadb_delflow", NULL },
+ { SADB_X_GRPSPIS, "sadb_grpspis", NULL },
+ { SADB_X_PROMISC, "sadb_promisc", NULL },
+ { 0, NULL, NULL },
+};
+
struct idname sa_types[] = {
{ SADB_SATYPE_UNSPEC, "unspec", NULL },
{ SADB_SATYPE_AH, "ah", NULL },
@@ -160,6 +204,24 @@ struct idname identity_types[] = {
{ 0, NULL, NULL }
};
+struct idname flow_types[] = {
+ { SADB_X_FLOW_TYPE_USE, "use", NULL },
+ { SADB_X_FLOW_TYPE_ACQUIRE, "acquire", NULL },
+ { SADB_X_FLOW_TYPE_REQUIRE, "require", NULL },
+ { SADB_X_FLOW_TYPE_BYPASS, "bypass", NULL },
+ { SADB_X_FLOW_TYPE_DENY, "deny", NULL },
+ { SADB_X_FLOW_TYPE_DONTACQ, "dontacq", NULL },
+ { 0, NULL, NULL }
+};
+
+struct idname states[] = {
+ { SADB_SASTATE_LARVAL, "larval", NULL },
+ { SADB_SASTATE_MATURE, "mature", NULL },
+ { SADB_SASTATE_DYING, "dying", NULL },
+ { SADB_SASTATE_DEAD, "dead", NULL },
+ { 0, NULL, NULL }
+};
+
static struct idname *
lookup(struct idname tab[], u_int8_t id)
{
@@ -304,6 +366,143 @@ print_life(struct sadb_ext *ext, struct sadb_msg *msg)
life->sadb_lifetime_usetime);
}
+static void
+print_proto(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_protocol *proto = (struct sadb_protocol *)ext;
+
+ /* overloaded */
+ if (msg->sadb_msg_type == SADB_X_GRPSPIS)
+ printf("satype %s flags %u",
+ lookup_name(sa_types, proto->sadb_protocol_proto),
+ proto->sadb_protocol_flags);
+ else
+ printf("proto %u flags %u",
+ proto->sadb_protocol_proto, proto->sadb_protocol_flags);
+}
+
+/* ARGSUSED1 */
+static void
+print_flow(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_protocol *proto = (struct sadb_protocol *)ext;
+ char *dir = "unknown";
+
+ switch (proto->sadb_protocol_direction) {
+ case IPSP_DIRECTION_IN:
+ dir = "in";
+ break;
+ case IPSP_DIRECTION_OUT:
+ dir = "out";
+ break;
+ }
+ printf("type %s direction %s",
+ lookup_name(flow_types, proto->sadb_protocol_proto), dir);
+}
+
+static char *
+alg_by_ext(u_int8_t ext_type, u_int8_t id)
+{
+ switch (ext_type) {
+ case SADB_EXT_SUPPORTED_ENCRYPT:
+ return lookup_name(enc_types, id);
+ case SADB_EXT_SUPPORTED_AUTH:
+ return lookup_name(auth_types, id);
+ case SADB_X_EXT_SUPPORTED_COMP:
+ return lookup_name(comp_types, id);
+ default:
+ return "unknown";
+ }
+}
+
+static void
+print_alg(struct sadb_alg *alg, u_int8_t ext_type)
+{
+ printf("\t\t%s iv %u min %u max %u\n",
+ alg_by_ext(ext_type, alg->sadb_alg_id), alg->sadb_alg_ivlen,
+ alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
+}
+
+/* ARGSUSED1 */
+static void
+print_supp(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_supported *supported = (struct sadb_supported *)ext;
+ struct sadb_alg *alg;
+
+ printf("\n");
+ for (alg = (struct sadb_alg *)(supported + 1);
+ (size_t)((u_int8_t *)alg - (u_int8_t *)ext) <
+ ext->sadb_ext_len * PFKEYV2_CHUNK;
+ alg++)
+ print_alg(alg, ext->sadb_ext_type);
+}
+
+/* ARGSUSED1 */
+static void
+print_comb(struct sadb_comb *comb, struct sadb_msg *msg)
+{
+ printf("\t\tauth %s min %u max %u\n"
+ "\t\tenc %s min %u max %u\n"
+ "\t\taddtime hard %llu soft %llu\n"
+ "\t\tusetime hard %llu soft %llu\n",
+ lookup_name(auth_types, comb->sadb_comb_auth),
+ comb->sadb_comb_auth_minbits,
+ comb->sadb_comb_auth_maxbits,
+ lookup_name(enc_types, comb->sadb_comb_encrypt),
+ comb->sadb_comb_encrypt_minbits,
+ comb->sadb_comb_encrypt_maxbits,
+ comb->sadb_comb_soft_addtime,
+ comb->sadb_comb_hard_addtime,
+ comb->sadb_comb_soft_usetime,
+ comb->sadb_comb_hard_usetime);
+#if 0
+ comb->sadb_comb_flags,
+ comb->sadb_comb_reserved,
+ comb->sadb_comb_soft_allocations,
+ comb->sadb_comb_hard_allocations,
+ comb->sadb_comb_soft_bytes,
+ comb->sadb_comb_hard_bytes,
+#endif
+}
+
+/* ARGSUSED1 */
+static void
+print_prop(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_prop *prop = (struct sadb_prop *)ext;
+ struct sadb_comb *comb;
+
+ printf("replay %u\n", prop->sadb_prop_replay);
+ for (comb = (struct sadb_comb *)(prop + 1);
+ (size_t)((u_int8_t *)comb - (u_int8_t *)ext) <
+ ext->sadb_ext_len * PFKEYV2_CHUNK;
+ comb++)
+ print_comb(comb, msg);
+}
+
+/* ARGSUSED1 */
+static void
+print_sens(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_sens *sens = (struct sadb_sens *)ext;
+
+ printf("dpd %u sens_level %u integ_level %u\n",
+ sens->sadb_sens_dpd,
+ sens->sadb_sens_sens_level,
+ sens->sadb_sens_integ_level);
+}
+
+/* ARGSUSED1 */
+static void
+print_spir(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_spirange *spirange = (struct sadb_spirange *)ext;
+
+ printf("min 0x%8.8x max 0x%8.8x\n",
+ spirange->sadb_spirange_min, spirange->sadb_spirange_max);
+}
+
/* ARGSUSED1 */
static void
print_ident(struct sadb_ext *ext, struct sadb_msg *msg)
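Review bot: In print_comb the labels and the arguments are crossed: the format reads `"\t\taddtime hard %llu soft %llu\n"` and `"\t\tusetime hard %llu soft %llu\n"`, but the argument list passes `comb->sadb_comb_soft_addtime` before `comb->sadb_comb_hard_addtime` and `comb->sadb_comb_soft_usetime` before `comb->sadb_comb_hard_usetime`, so each value is printed under the other's label; either swap the two argument pairs or change both labels to `soft %llu hard %llu`. The `#if 0` block listing the remaining sadb_comb fields is dead code and should be dropped, or reduced to a one-line comment such as `/* flags, allocations and byte lifetimes are not printed */`. The element walks in print_supp and print_prop advance until the next element's start reaches `ext->sadb_ext_len * PFKEYV2_CHUNK`, which is correct only because the element sizes divide the chunk-padded length; a short comment at each loop, `/* ext_len is in PFKEYV2_CHUNK units and covers whole elements */`, would make that assumption visible.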
@@ -336,6 +535,15 @@ print_cred(struct sadb_ext *ext, struct sadb_msg *msg)
/* ARGSUSED1 */
static void
+print_policy(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_x_policy *x_policy = (struct sadb_x_policy *)ext;
+
+ printf("seq %u\n", x_policy->sadb_x_policy_seq);
+}
+
+/* ARGSUSED1 */
+static void
print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
{
struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *)ext;
@@ -343,24 +551,111 @@ print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port));
}
-void
-pfkey_print_sa(struct sadb_msg *msg, int opts)
+static void
+setup_extensions(struct sadb_msg *msg)
{
struct sadb_ext *ext;
- int i;
bzero(extensions, sizeof(extensions));
-
- printf("%s ", lookup_name(sa_types, msg->sadb_msg_satype));
+ if (msg->sadb_msg_len == 0)
+ return;
for (ext = (struct sadb_ext *)(msg + 1);
(size_t)((u_int8_t *)ext - (u_int8_t *)msg) <
msg->sadb_msg_len * PFKEYV2_CHUNK && ext->sadb_ext_len > 0;
ext = (struct sadb_ext *)((u_int8_t *)ext +
ext->sadb_ext_len * PFKEYV2_CHUNK))
extensions[ext->sadb_ext_type] = ext;
+}
+
+void
+pfkey_print_sa(struct sadb_msg *msg, int opts)
+{
+ int i;
+
+ setup_extensions(msg);
+ printf("%s ", lookup_name(sa_types, msg->sadb_msg_satype));
for (i = 0; i < SADB_EXT_MAX; i++)
if (extensions[i])
print_ext(extensions[i], msg, opts);
fflush(stdout);
}
+
+static void
+monitor_sa(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct sadb_sa *sa = (struct sadb_sa *) ext;
+
+ if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
+ printf("cpi 0x%8.8x comp %s\n",
+ ntohl(sa->sadb_sa_spi),
+ lookup_name(comp_types, sa->sadb_sa_encrypt));
+ else
+ printf("spi 0x%8.8x auth %s enc %s\n",
+ ntohl(sa->sadb_sa_spi),
+ lookup_name(auth_types, sa->sadb_sa_auth),
+ lookup_name(enc_types, sa->sadb_sa_encrypt));
+ printf("\t\tstate %s replay %u flags %u",
+ lookup_name(states, sa->sadb_sa_state),
+ sa->sadb_sa_replay, sa->sadb_sa_flags);
+}
+
+static void
+monitor_ext(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+ struct idname *entry;
+
+ if ((entry = lookup(ext_types, ext->sadb_ext_type)) == NULL) {
+ printf("unknown ext: type %u len %u\n",
+ ext->sadb_ext_type, ext->sadb_ext_len);
+ return;
+ }
+ printf("\t%s: ", entry->name);
+ if (entry->func == print_sa)
+ monitor_sa(ext, msg);
+ else if (entry->func != NULL)
+ (*entry->func)(ext, msg);
+ else
+ printf("type %u len %u",
+ ext->sadb_ext_type, ext->sadb_ext_len);
+ printf("\n");
+}
+
+/* ARGSUSED1 */
+void
+pfkey_monitor_sa(struct sadb_msg *msg, int opts)
+{
+ int i;
+
+ setup_extensions(msg);
+
+ printf("%s: satype %s vers %u len %u seq %u pid %u\n",
+ lookup_name(msg_types, msg->sadb_msg_type),
+ lookup_name(sa_types, msg->sadb_msg_satype),
+ msg->sadb_msg_version, msg->sadb_msg_len,
+ msg->sadb_msg_seq,
+ msg->sadb_msg_pid);
+ if (msg->sadb_msg_errno)
+ printf("\terrno %u: %s\n", msg->sadb_msg_errno,
+ strerror(msg->sadb_msg_errno));
+ for (i = 0; i < SADB_EXT_MAX; i++)
+ if (extensions[i])
+ monitor_ext(extensions[i], msg);
+ fflush(stdout);
+}
+
+void
+pfkey_print_raw(u_int8_t *data, ssize_t len)
+{
+ int i;
+ const u_int8_t *sp = (const u_int8_t *)data;
+
+ printf("RAW PFKEYV2 MESSAGE:\n");
+ for(i = 0; i < len; i++) {
+ if ((i % 8 == 0) && (i != 0))
+ printf("\n");
+ printf("%02x ", *sp);
+ sp++;
+ }
+ printf("\n");
+}
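Review bot: setup_extensions stores each extension at `extensions[ext->sadb_ext_type]` without comparing the type against SADB_EXT_MAX, the bound of the array declared earlier in the file, and the walk never checks that `ext->sadb_ext_len * PFKEYV2_CHUNK` stays within `msg->sadb_msg_len * PFKEYV2_CHUNK`, so an extension whose header straddles the end of the message is still dereferenced on the next iteration. The loop body is moved here from pfkey_print_sa, but pfkey_monitor_sa now presumably feeds it every message the monitoring socket delivers rather than only replies to this process's own requests, which makes an out-of-range type or length more plausible; a defensive version of the walk is below. In pfkey_print_raw the index `i` is an `int` compared against the `ssize_t` parameter; `ssize_t i` matches it, and declaring `data` as `const u_int8_t *` would remove the cast on `sp` (the prototype added earlier in this diff would need the same change).
```c
static void
setup_extensions(struct sadb_msg *msg)
{
	struct sadb_ext *ext;
	size_t len, off;

	/* … unchanged: bzero(extensions) and the sadb_msg_len == 0 return … */
	len = msg->sadb_msg_len * PFKEYV2_CHUNK;
	for (off = sizeof(*msg); off + sizeof(*ext) <= len;
	    off += ext->sadb_ext_len * PFKEYV2_CHUNK) {
		ext = (struct sadb_ext *)((u_int8_t *)msg + off);
		/* stop on a zero length or an extension that runs past msg */
		if (ext->sadb_ext_len == 0 ||
		    off + ext->sadb_ext_len * PFKEYV2_CHUNK > len)
			break;
		/* ext_type is the index into extensions[SADB_EXT_MAX] */
		if (ext->sadb_ext_type >= SADB_EXT_MAX)
			continue;
		extensions[ext->sadb_ext_type] = ext;
	}
}
```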