X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/52b7d2ce06d68d0a9160d16f6e7c08c21c149d0d..e627a751fc4d26304657fc20440abb72632b1e6e:/ipsec-tools/Common/pfkey_dump.c diff --git a/ipsec-tools/Common/pfkey_dump.c b/ipsec-tools/Common/pfkey_dump.c index 5c8cd26..2833544 100644 --- a/ipsec-tools/Common/pfkey_dump.c +++ b/ipsec-tools/Common/pfkey_dump.c @@ -42,11 +42,7 @@ # include #endif -#ifdef __APPLE__ -#include -#else #include -#endif #include #include @@ -109,14 +105,14 @@ do { \ printf("%u ", (num)); \ } while (/*CONSTCOND*/0) -static char *str_ipaddr __P((struct sockaddr *)); -static char *str_ipport __P((struct sockaddr *)); -static char *str_prefport __P((u_int, u_int, u_int, u_int)); -static void str_upperspec __P((u_int, u_int, u_int)); -static char *str_time __P((time_t)); -static void str_lifetime_byte __P((struct sadb_lifetime *, char *)); -static void pfkey_sadump1(struct sadb_msg *, int); -static void pfkey_spdump1(struct sadb_msg *, int); +static char *str_ipaddr (struct sockaddr *); +static char *str_ipport (struct sockaddr *); +static char *str_prefport (u_int, u_int, u_int, u_int); +static void str_upperspec (u_int, u_int, u_int); +static char *str_time (time_t); +static void str_lifetime_byte (struct sadb_lifetime *, char *); +static void pfkey_sadump1 (struct sadb_msg *, int); +static void pfkey_spdump1 (struct sadb_msg *, int); struct val2str { int val; @@ -255,6 +251,7 @@ pfkey_sadump1(m, withports) int use_natt = 0; #endif + struct sadb_x_ipsecif *m_ipif = NULL; struct sockaddr *sa; /* check pfkey message. */ @@ -293,6 +290,7 @@ pfkey_sadump1(m, withports) if (natt_type && natt_type->sadb_x_nat_t_type_type) use_natt = 1; #endif + m_ipif = (void *)mhp[SADB_X_EXT_IPSECIF]; /* source address */ if (m_saddr == NULL) { printf("no ADDRESS_SRC extension.\n"); @@ -391,11 +389,27 @@ pfkey_sadump1(m, withports) m_sa->sadb_sa_replay, m_sa->sadb_sa_flags); +#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH + printf("flags2=0x%08x ", + m_sa2->sadb_x_sa2_flags); +#endif + /* state */ printf("state="); GETMSGSTR(str_state, m_sa->sadb_sa_state); printf("\n"); + if (m_ipif) { + printf("\t"); + if (m_ipif->sadb_x_ipsecif_internal_if[0]) + printf("internal_if: %s ", m_ipif->sadb_x_ipsecif_internal_if); + if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) + printf("outgoing_if: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); + if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) + printf("ipsec_if: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); + printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); + } + /* lifetime */ if (m_lftc != NULL) { time_t tmp_time = time(0); @@ -462,22 +476,52 @@ pfkey_spdump_withports(m) pfkey_spdump1(m, 1); } +static void +pfkey_dump_single_address (struct sadb_address *addr) +{ + u_int16_t port = 0; + char pbuf[NI_MAXSERV]; + struct sockaddr *sa; + sa = (void *)(addr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + port = 0; /*XXX*/ + else + port = atoi(pbuf); + printf("%s%s", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)addr->sadb_address_prefixlen, + (u_int)port, + (u_int)addr->sadb_address_proto)); + break; + default: + printf("unknown-af"); + break; + } + +} + static void pfkey_spdump1(m, withports) - struct sadb_msg *m; - int withports; +struct sadb_msg *m; +int withports; { char pbuf[NI_MAXSERV]; caddr_t mhp[SADB_EXT_MAX + 1]; struct sadb_address *m_saddr, *m_daddr; + struct sadb_address *m_saddr_s, *m_saddr_e, *m_daddr_s, *m_daddr_e; #ifdef SADB_X_EXT_TAG struct sadb_x_tag *m_tag; #endif struct sadb_x_policy *m_xpl; struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL; + struct sadb_x_ipsecif *m_ipif = NULL; struct sockaddr *sa; u_int16_t sport = 0, dport = 0; - + /* check pfkey message. */ if (pfkey_align(m, mhp)) { printf("%s\n", ipsec_strerror()); @@ -487,76 +531,88 @@ pfkey_spdump1(m, withports) printf("%s\n", ipsec_strerror()); return; } - + m_saddr = (void *)mhp[SADB_EXT_ADDRESS_SRC]; m_daddr = (void *)mhp[SADB_EXT_ADDRESS_DST]; + m_saddr_s = (void *)mhp[SADB_X_EXT_ADDR_RANGE_SRC_START]; + m_saddr_e = (void *)mhp[SADB_X_EXT_ADDR_RANGE_SRC_END]; + m_daddr_s = (void *)mhp[SADB_X_EXT_ADDR_RANGE_DST_START]; + m_daddr_e = (void *)mhp[SADB_X_EXT_ADDR_RANGE_DST_END]; #ifdef SADB_X_EXT_TAG m_tag = (void *)mhp[SADB_X_EXT_TAG]; #endif m_xpl = (void *)mhp[SADB_X_EXT_POLICY]; m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT]; m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD]; - -#ifdef __linux__ - /* *bsd indicates per-socket policies by omiting src and dst - * extensions. Linux always includes them, but we can catch it - * by checkin for policy id. - */ - if (m_xpl->sadb_x_policy_id % 8 >= 3) { - printf("(per-socket policy) "); - } else -#endif - if (m_saddr && m_daddr) { + m_ipif = (void *)mhp[SADB_X_EXT_IPSECIF]; + + if ((m_saddr || (m_saddr_s && m_saddr_e)) && (m_daddr || (m_daddr_s && m_daddr_e))) { /* source address */ - sa = (void *)(m_saddr + 1); - switch (sa->sa_family) { - case AF_INET: - case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, - 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) - sport = 0; /*XXX*/ - else - sport = atoi(pbuf); - printf("%s%s ", str_ipaddr(sa), - str_prefport((u_int)sa->sa_family, - (u_int)m_saddr->sadb_address_prefixlen, - (u_int)sport, - (u_int)m_saddr->sadb_address_proto)); - break; - default: - printf("unknown-af "); - break; - } - + if (m_saddr_s && m_saddr_e) { + pfkey_dump_single_address(m_saddr_s); + printf("-"); + pfkey_dump_single_address(m_saddr_e); + printf(" "); + } else if (m_saddr) { + sa = (void *)(m_saddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + sport = 0; /*XXX*/ + else + sport = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)m_saddr->sadb_address_prefixlen, + (u_int)sport, + (u_int)m_saddr->sadb_address_proto)); + break; + default: + printf("unknown-af "); + break; + } + } + /* destination address */ - sa = (void *)(m_daddr + 1); - switch (sa->sa_family) { - case AF_INET: - case AF_INET6: - if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, - 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) - dport = 0; /*XXX*/ - else - dport = atoi(pbuf); - printf("%s%s ", str_ipaddr(sa), - str_prefport((u_int)sa->sa_family, - (u_int)m_daddr->sadb_address_prefixlen, - (u_int)dport, - (u_int)m_saddr->sadb_address_proto)); - break; - default: - printf("unknown-af "); - break; - } - + if (m_daddr_s && m_daddr_e) { + pfkey_dump_single_address(m_daddr_s); + printf("-"); + pfkey_dump_single_address(m_daddr_e); + printf(" "); + } else if (m_daddr) { + sa = (void *)(m_daddr + 1); + switch (sa->sa_family) { + case AF_INET: + case AF_INET6: + if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL, + 0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0) + dport = 0; /*XXX*/ + else + dport = atoi(pbuf); + printf("%s%s ", str_ipaddr(sa), + str_prefport((u_int)sa->sa_family, + (u_int)m_daddr->sadb_address_prefixlen, + (u_int)dport, + (u_int)m_daddr->sadb_address_proto)); + break; + default: + printf("unknown-af "); + break; + } + } + /* upper layer protocol */ - if (m_saddr->sadb_address_proto != - m_daddr->sadb_address_proto) { - printf("upper layer protocol mismatched.\n"); - return; - } - str_upperspec((u_int)m_saddr->sadb_address_proto, (u_int)sport, - (u_int)dport); + if (m_saddr && m_daddr) { + if (m_saddr->sadb_address_proto != + m_daddr->sadb_address_proto) { + printf("upper layer protocol mismatched.\n"); + return; + } + str_upperspec((u_int)m_saddr->sadb_address_proto, (u_int)sport, + (u_int)dport); + } } #ifdef SADB_X_EXT_TAG else if (m_tag) @@ -564,52 +620,62 @@ pfkey_spdump1(m, withports) #endif else printf("(no selector, probably per-socket policy) "); - + /* policy */ { - char *d_xpl; - - if (m_xpl == NULL) { - printf("no X_POLICY extension.\n"); - return; - } - if (withports) - d_xpl = ipsec_dump_policy_withports(m_xpl, "\n\t"); - else - d_xpl = ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t"); + char *d_xpl; + + if (m_xpl == NULL) { + printf("no X_POLICY extension.\n"); + return; + } + if (withports) + d_xpl = ipsec_dump_policy_withports(m_xpl, "\n\t"); + else + d_xpl = ipsec_dump_policy((ipsec_policy_t)m_xpl, "\n\t"); - if (!d_xpl) - printf("\n\tPolicy:[%s]\n", ipsec_strerror()); - else { - /* dump SPD */ - printf("\n\t%s\n", d_xpl); - free(d_xpl); - } + if (!d_xpl) + printf("\n\tPolicy:[%s]\n", ipsec_strerror()); + else { + /* dump SPD */ + printf("\n\t%s\n", d_xpl); + free(d_xpl); + } } - + /* lifetime */ if (m_lftc) { printf("\tcreated: %s ", - str_time((long)m_lftc->sadb_lifetime_addtime)); + str_time((long)m_lftc->sadb_lifetime_addtime)); printf("lastused: %s\n", - str_time((long)m_lftc->sadb_lifetime_usetime)); + str_time((long)m_lftc->sadb_lifetime_usetime)); } if (m_lfth) { printf("\tlifetime: %lu(s) ", - (u_long)m_lfth->sadb_lifetime_addtime); + (u_long)m_lfth->sadb_lifetime_addtime); printf("validtime: %lu(s)\n", - (u_long)m_lfth->sadb_lifetime_usetime); + (u_long)m_lfth->sadb_lifetime_usetime); + } + + if (m_ipif) { + printf("\t"); + if (m_ipif->sadb_x_ipsecif_internal_if[0]) + printf("internal_if: %s ", m_ipif->sadb_x_ipsecif_internal_if); + if (m_ipif->sadb_x_ipsecif_outgoing_if[0]) + printf("outgoing_if: %s ", m_ipif->sadb_x_ipsecif_outgoing_if); + if (m_ipif->sadb_x_ipsecif_ipsec_if[0]) + printf("ipsec_if: %s ", m_ipif->sadb_x_ipsecif_ipsec_if); + printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled); } - printf("\tspid=%ld seq=%ld pid=%ld\n", - (u_long)m_xpl->sadb_x_policy_id, - (u_long)m->sadb_msg_seq, - (u_long)m->sadb_msg_pid); - + (u_long)m_xpl->sadb_x_policy_id, + (u_long)m->sadb_msg_seq, + (u_long)m->sadb_msg_pid); + /* XXX TEST */ printf("\trefcnt=%u\n", m->sadb_msg_reserved); - + return; }