Edit

IABSD.fr/src/sbin/ipsecctl/pfkey.c

Branch :

  • Show log

    Commit

  • Author : tobhe
    Date : 2023-10-09 15:32:14
    Hash : 202aab43
    Message : Add pledge("stdio") before parsing pfkey messages. This applies to ipsecctl -m and ipsecctl -s. Refactor ipsecctl_show_*() to setup all sysctls first before dropping privileges and finally parsing and printing IPsec SAs and flows. feedback and ok mbuhl@ ok deraadt@

  • sbin/ipsecctl/pfkey.c
  • /*	$OpenBSD: pfkey.c,v 1.64 2023/10/09 15:32:14 tobhe Exp $	*/
    /*
     * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
     * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
     * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
     *
     * Permission to use, copy, modify, and distribute this software for any
     * purpose with or without fee is hereby granted, provided that the above
     * copyright notice and this permission notice appear in all copies.
     *
     * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     */
    
    #include <sys/types.h>
    #include <sys/queue.h>
    #include <sys/uio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip_ipsp.h>
    #include <net/pfkeyv2.h>
    
    #include <err.h>
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <poll.h>
    #include <unistd.h>
    
    #include "ipsecctl.h"
    #include "pfkey.h"
    
    #define ROUNDUP(x) (((x) + (PFKEYV2_CHUNK - 1)) & ~(PFKEYV2_CHUNK - 1))
    #define IOV_CNT 20
    
    static int	fd;
    static u_int32_t sadb_msg_seq = 1;
    
    static int	pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, u_int8_t,
    		    struct ipsec_addr_wrap *, u_int16_t,
    		    struct ipsec_addr_wrap *, u_int16_t,
    		    struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
    		    struct ipsec_auth *, u_int8_t);
    static int	pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
    		    struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
    		    u_int8_t, u_int16_t,
    		    struct ipsec_transforms *, struct ipsec_key *,
    		    struct ipsec_key *, u_int8_t);
    static int	pfkey_sabundle(int, u_int8_t, u_int8_t, u_int8_t,
    		    struct ipsec_addr_wrap *, u_int32_t,
    		    struct ipsec_addr_wrap *, u_int32_t);
    static int	pfkey_reply(int, u_int8_t **, ssize_t *);
    int		pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
    int		pfkey_ipsec_flush(void);
    int		pfkey_ipsec_establish(int, struct ipsec_rule *);
    int		pfkey_init(void);
    
    static int
    pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
        u_int8_t proto, struct ipsec_addr_wrap *src, u_int16_t sport,
        struct ipsec_addr_wrap *dst, u_int16_t dport,
        struct ipsec_addr_wrap *local, struct ipsec_addr_wrap *peer,
        struct ipsec_auth *auth, u_int8_t flowtype)
    {
    	struct sadb_msg		 smsg;
    	struct sadb_address	 sa_src, sa_dst, sa_local, sa_peer, sa_smask,
    				 sa_dmask;
    	struct sadb_protocol	 sa_flowtype, sa_protocol;
    	struct sadb_ident	*sa_srcid, *sa_dstid;
    	struct sockaddr_storage	 ssrc, sdst, slocal, speer, smask, dmask;
    	struct iovec		 iov[IOV_CNT];
    	ssize_t			 n;
    	int			 iov_cnt, len, ret = 0;
    
    	sa_srcid = sa_dstid = NULL;
    
    	bzero(&ssrc, sizeof(ssrc));
    	bzero(&smask, sizeof(smask));
    	ssrc.ss_family = smask.ss_family = src->af;
    	switch (src->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
    		ssrc.ss_len = sizeof(struct sockaddr_in);
    		((struct sockaddr_in *)&smask)->sin_addr = src->mask.v4;
    		if (sport) {
    			((struct sockaddr_in *)&ssrc)->sin_port = sport;
    			((struct sockaddr_in *)&smask)->sin_port = 0xffff;
    		}
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6;
    		ssrc.ss_len = sizeof(struct sockaddr_in6);
    		((struct sockaddr_in6 *)&smask)->sin6_addr = src->mask.v6;
    		if (sport) {
    			((struct sockaddr_in6 *)&ssrc)->sin6_port = sport;
    			((struct sockaddr_in6 *)&smask)->sin6_port = 0xffff;
    		}
    		break;
    	default:
    		warnx("unsupported address family %d", src->af);
    		return -1;
    	}
    	smask.ss_len = ssrc.ss_len;
    
    	bzero(&sdst, sizeof(sdst));
    	bzero(&dmask, sizeof(dmask));
    	sdst.ss_family = dmask.ss_family = dst->af;
    	switch (dst->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
    		sdst.ss_len = sizeof(struct sockaddr_in);
    		((struct sockaddr_in *)&dmask)->sin_addr = dst->mask.v4;
    		if (dport) {
    			((struct sockaddr_in *)&sdst)->sin_port = dport;
    			((struct sockaddr_in *)&dmask)->sin_port = 0xffff;
    		}
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
    		sdst.ss_len = sizeof(struct sockaddr_in6);
    		((struct sockaddr_in6 *)&dmask)->sin6_addr = dst->mask.v6;
    		if (dport) {
    			((struct sockaddr_in6 *)&sdst)->sin6_port = dport;
    			((struct sockaddr_in6 *)&dmask)->sin6_port = 0xffff;
    		}
    		break;
    	default:
    		warnx("unsupported address family %d", dst->af);
    		return -1;
    	}
    	dmask.ss_len = sdst.ss_len;
    
    	bzero(&slocal, sizeof(slocal));
    	if (local) {
    		slocal.ss_family = local->af;
    		switch (local->af) {
    		case AF_INET:
    			((struct sockaddr_in *)&slocal)->sin_addr =
    			    local->address.v4;
    			slocal.ss_len = sizeof(struct sockaddr_in);
    			break;
    		case AF_INET6:
    			((struct sockaddr_in6 *)&slocal)->sin6_addr =
    			    local->address.v6;
    			slocal.ss_len = sizeof(struct sockaddr_in6);
    			break;
    		default:
    			warnx("unsupported address family %d", local->af);
    			return -1;
    		}
    	}
    
    	bzero(&speer, sizeof(speer));
    	if (peer) {
    		speer.ss_family = peer->af;
    		switch (peer->af) {
    		case AF_INET:
    			((struct sockaddr_in *)&speer)->sin_addr =
    			    peer->address.v4;
    			speer.ss_len = sizeof(struct sockaddr_in);
    			break;
    		case AF_INET6:
    			((struct sockaddr_in6 *)&speer)->sin6_addr =
    			    peer->address.v6;
    			speer.ss_len = sizeof(struct sockaddr_in6);
    			break;
    		default:
    			warnx("unsupported address family %d", peer->af);
    			return -1;
    		}
    	}
    
    	bzero(&smsg, sizeof(smsg));
    	smsg.sadb_msg_version = PF_KEY_V2;
    	smsg.sadb_msg_seq = sadb_msg_seq++;
    	smsg.sadb_msg_pid = getpid();
    	smsg.sadb_msg_len = sizeof(smsg) / 8;
    	smsg.sadb_msg_type = action;
    	smsg.sadb_msg_satype = satype;
    
    	bzero(&sa_flowtype, sizeof(sa_flowtype));
    	sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
    	sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
    	sa_flowtype.sadb_protocol_direction = direction;
    
    	switch (flowtype) {
    	case TYPE_USE:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
    		break;
    	case TYPE_ACQUIRE:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_ACQUIRE;
    		break;
    	case TYPE_REQUIRE:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
    		break;
    	case TYPE_DENY:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DENY;
    		break;
    	case TYPE_BYPASS:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_BYPASS;
    		break;
    	case TYPE_DONTACQ:
    		sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_DONTACQ;
    		break;
    	default:
    		warnx("unsupported flowtype %d", flowtype);
    		return -1;
    	}
    
    	bzero(&sa_protocol, sizeof(sa_protocol));
    	sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
    	sa_protocol.sadb_protocol_len = sizeof(sa_protocol) / 8;
    	sa_protocol.sadb_protocol_direction = 0;
    	sa_protocol.sadb_protocol_proto = proto;
    
    	bzero(&sa_src, sizeof(sa_src));
    	sa_src.sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
    	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
    
    	bzero(&sa_smask, sizeof(sa_smask));
    	sa_smask.sadb_address_exttype = SADB_X_EXT_SRC_MASK;
    	sa_smask.sadb_address_len =
    	    (sizeof(sa_smask) + ROUNDUP(smask.ss_len)) / 8;
    
    	bzero(&sa_dst, sizeof(sa_dst));
    	sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
    	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
    
    	bzero(&sa_dmask, sizeof(sa_dmask));
    	sa_dmask.sadb_address_exttype = SADB_X_EXT_DST_MASK;
    	sa_dmask.sadb_address_len =
    	    (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
    
    	if (local) {
    		bzero(&sa_local, sizeof(sa_local));
    		sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
    		sa_local.sadb_address_len =
    		    (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8;
    	}
    	if (peer) {
    		bzero(&sa_peer, sizeof(sa_peer));
    		sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
    		sa_peer.sadb_address_len =
    		    (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8;
    	}
    
    	if (auth && auth->srcid) {
    		len = ROUNDUP(strlen(auth->srcid) + 1) + sizeof(*sa_srcid);
    
    		sa_srcid = calloc(len, sizeof(u_int8_t));
    		if (sa_srcid == NULL)
    			err(1, "pfkey_flow: calloc");
    
    		sa_srcid->sadb_ident_type = auth->srcid_type;
    		sa_srcid->sadb_ident_len = len / 8;
    		sa_srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
    
    		strlcpy((char *)(sa_srcid + 1), auth->srcid,
    		    ROUNDUP(strlen(auth->srcid) + 1));
    	}
    	if (auth && auth->dstid) {
    		len = ROUNDUP(strlen(auth->dstid) + 1) + sizeof(*sa_dstid);
    
    		sa_dstid = calloc(len, sizeof(u_int8_t));
    		if (sa_dstid == NULL)
    			err(1, "pfkey_flow: calloc");
    
    		sa_dstid->sadb_ident_type = auth->dstid_type;
    		sa_dstid->sadb_ident_len = len / 8;
    		sa_dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
    
    		strlcpy((char *)(sa_dstid + 1), auth->dstid,
    		    ROUNDUP(strlen(auth->dstid) + 1));
    	}
    
    	iov_cnt = 0;
    
    	/* header */
    	iov[iov_cnt].iov_base = &smsg;
    	iov[iov_cnt].iov_len = sizeof(smsg);
    	iov_cnt++;
    
    	/* add flow type */
    	iov[iov_cnt].iov_base = &sa_flowtype;
    	iov[iov_cnt].iov_len = sizeof(sa_flowtype);
    	smsg.sadb_msg_len += sa_flowtype.sadb_protocol_len;
    	iov_cnt++;
    
    	/* local ip */
    	if (local) {
    		iov[iov_cnt].iov_base = &sa_local;
    		iov[iov_cnt].iov_len = sizeof(sa_local);
    		iov_cnt++;
    		iov[iov_cnt].iov_base = &slocal;
    		iov[iov_cnt].iov_len = ROUNDUP(slocal.ss_len);
    		smsg.sadb_msg_len += sa_local.sadb_address_len;
    		iov_cnt++;
    	}
    
    	/* remote peer */
    	if (peer) {
    		iov[iov_cnt].iov_base = &sa_peer;
    		iov[iov_cnt].iov_len = sizeof(sa_peer);
    		iov_cnt++;
    		iov[iov_cnt].iov_base = &speer;
    		iov[iov_cnt].iov_len = ROUNDUP(speer.ss_len);
    		smsg.sadb_msg_len += sa_peer.sadb_address_len;
    		iov_cnt++;
    	}
    
    	/* src addr */
    	iov[iov_cnt].iov_base = &sa_src;
    	iov[iov_cnt].iov_len = sizeof(sa_src);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &ssrc;
    	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
    	smsg.sadb_msg_len += sa_src.sadb_address_len;
    	iov_cnt++;
    
    	/* src mask */
    	iov[iov_cnt].iov_base = &sa_smask;
    	iov[iov_cnt].iov_len = sizeof(sa_smask);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &smask;
    	iov[iov_cnt].iov_len = ROUNDUP(smask.ss_len);
    	smsg.sadb_msg_len += sa_smask.sadb_address_len;
    	iov_cnt++;
    
    	/* dest addr */
    	iov[iov_cnt].iov_base = &sa_dst;
    	iov[iov_cnt].iov_len = sizeof(sa_dst);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &sdst;
    	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
    	smsg.sadb_msg_len += sa_dst.sadb_address_len;
    	iov_cnt++;
    
    	/* dst mask */
    	iov[iov_cnt].iov_base = &sa_dmask;
    	iov[iov_cnt].iov_len = sizeof(sa_dmask);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &dmask;
    	iov[iov_cnt].iov_len = ROUNDUP(dmask.ss_len);
    	smsg.sadb_msg_len += sa_dmask.sadb_address_len;
    	iov_cnt++;
    
    	/* add protocol */
    	iov[iov_cnt].iov_base = &sa_protocol;
    	iov[iov_cnt].iov_len = sizeof(sa_protocol);
    	smsg.sadb_msg_len += sa_protocol.sadb_protocol_len;
    	iov_cnt++;
    
    	if (sa_srcid) {
    		/* src identity */
    		iov[iov_cnt].iov_base = sa_srcid;
    		iov[iov_cnt].iov_len = sa_srcid->sadb_ident_len * 8;
    		smsg.sadb_msg_len += sa_srcid->sadb_ident_len;
    		iov_cnt++;
    	}
    	if (sa_dstid) {
    		/* dst identity */
    		iov[iov_cnt].iov_base = sa_dstid;
    		iov[iov_cnt].iov_len = sa_dstid->sadb_ident_len * 8;
    		smsg.sadb_msg_len += sa_dstid->sadb_ident_len;
    		iov_cnt++;
    	}
    	len = smsg.sadb_msg_len * 8;
    
    	do {
    		n = writev(sd, iov, iov_cnt);
    	} while (n == -1 && (errno == EAGAIN || errno == EINTR));
    	if (n == -1) {
    		warn("writev failed");
    		ret = -1;
    	}
    
    	free(sa_srcid);
    	free(sa_dstid);
    
    	return ret;
    }
    
    static int
    pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
        struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
        u_int8_t encap, u_int16_t dport,
        struct ipsec_transforms *xfs, struct ipsec_key *authkey,
        struct ipsec_key *enckey, u_int8_t tmode)
    {
    	struct sadb_msg		smsg;
    	struct sadb_sa		sa;
    	struct sadb_address	sa_src, sa_dst;
    	struct sadb_key		sa_authkey, sa_enckey;
    	struct sadb_x_udpencap	udpencap;
    	struct sockaddr_storage	ssrc, sdst;
    	struct iovec		iov[IOV_CNT];
    	ssize_t			n;
    	int			iov_cnt, len, ret = 0;
    
    	bzero(&ssrc, sizeof(ssrc));
    	ssrc.ss_family = src->af;
    	switch (src->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&ssrc)->sin_addr = src->address.v4;
    		ssrc.ss_len = sizeof(struct sockaddr_in);
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&ssrc)->sin6_addr = src->address.v6;
    		ssrc.ss_len = sizeof(struct sockaddr_in6);
    		break;
    	default:
    		warnx("unsupported address family %d", src->af);
    		return -1;
    	}
    
    	bzero(&sdst, sizeof(sdst));
    	sdst.ss_family = dst->af;
    	switch (dst->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
    		sdst.ss_len = sizeof(struct sockaddr_in);
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
    		sdst.ss_len = sizeof(struct sockaddr_in6);
    		break;
    	default:
    		warnx("unsupported address family %d", dst->af);
    		return -1;
    	}
    
    	bzero(&smsg, sizeof(smsg));
    	smsg.sadb_msg_version = PF_KEY_V2;
    	smsg.sadb_msg_seq = sadb_msg_seq++;
    	smsg.sadb_msg_pid = getpid();
    	smsg.sadb_msg_len = sizeof(smsg) / 8;
    	smsg.sadb_msg_type = action;
    	smsg.sadb_msg_satype = satype;
    
    	bzero(&sa, sizeof(sa));
    	sa.sadb_sa_len = sizeof(sa) / 8;
    	sa.sadb_sa_exttype = SADB_EXT_SA;
    	sa.sadb_sa_spi = htonl(spi);
    	sa.sadb_sa_state = SADB_SASTATE_MATURE;
    
    	if (satype != SADB_X_SATYPE_IPIP && tmode == IPSEC_TUNNEL)
    		sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
    
    	if (xfs && xfs->authxf) {
    		switch (xfs->authxf->id) {
    		case AUTHXF_NONE:
    			break;
    		case AUTHXF_HMAC_MD5:
    			sa.sadb_sa_auth = SADB_AALG_MD5HMAC;
    			break;
    		case AUTHXF_HMAC_RIPEMD160:
    			sa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC;
    			break;
    		case AUTHXF_HMAC_SHA1:
    			sa.sadb_sa_auth = SADB_AALG_SHA1HMAC;
    			break;
    		case AUTHXF_HMAC_SHA2_256:
    			sa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
    			break;
    		case AUTHXF_HMAC_SHA2_384:
    			sa.sadb_sa_auth = SADB_X_AALG_SHA2_384;
    			break;
    		case AUTHXF_HMAC_SHA2_512:
    			sa.sadb_sa_auth = SADB_X_AALG_SHA2_512;
    			break;
    		default:
    			warnx("unsupported authentication algorithm %d",
    			    xfs->authxf->id);
    		}
    	}
    	if (xfs && xfs->encxf) {
    		switch (xfs->encxf->id) {
    		case ENCXF_NONE:
    			break;
    		case ENCXF_3DES_CBC:
    			sa.sadb_sa_encrypt = SADB_EALG_3DESCBC;
    			break;
    		case ENCXF_AES:
    		case ENCXF_AES_128:
    		case ENCXF_AES_192:
    		case ENCXF_AES_256:
    			sa.sadb_sa_encrypt = SADB_X_EALG_AES;
    			break;
    		case ENCXF_AESCTR:
    		case ENCXF_AES_128_CTR:
    		case ENCXF_AES_192_CTR:
    		case ENCXF_AES_256_CTR:
    			sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
    			break;
    		case ENCXF_AES_128_GCM:
    		case ENCXF_AES_192_GCM:
    		case ENCXF_AES_256_GCM:
    			sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
    			break;
    		case ENCXF_AES_128_GMAC:
    		case ENCXF_AES_192_GMAC:
    		case ENCXF_AES_256_GMAC:
    			sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
    			break;
    		case ENCXF_BLOWFISH:
    			sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
    			break;
    		case ENCXF_CAST128:
    			sa.sadb_sa_encrypt = SADB_X_EALG_CAST;
    			break;
    		case ENCXF_NULL:
    			sa.sadb_sa_encrypt = SADB_EALG_NULL;
    			break;
    		default:
    			warnx("unsupported encryption algorithm %d",
    			    xfs->encxf->id);
    		}
    	}
    	if (xfs && xfs->compxf) {
    		switch (xfs->compxf->id) {
    		case COMPXF_DEFLATE:
    			sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
    			break;
    		default:
    			warnx("unsupported compression algorithm %d",
    			    xfs->compxf->id);
    		}
    	}
    
    	bzero(&sa_src, sizeof(sa_src));
    	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
    	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
    
    	bzero(&sa_dst, sizeof(sa_dst));
    	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
    	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
    
    	if (encap) {
    		sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
    		udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
    		udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
    		udpencap.sadb_x_udpencap_port = htons(dport);
    	}
    	if (action == SADB_ADD && !authkey && !enckey && satype !=
    	    SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { /* XXX ENCNULL */
    		warnx("no key specified");
    		return -1;
    	}
    	if (authkey) {
    		bzero(&sa_authkey, sizeof(sa_authkey));
    		sa_authkey.sadb_key_len = (sizeof(sa_authkey) +
    		    ((authkey->len + 7) / 8) * 8) / 8;
    		sa_authkey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
    		sa_authkey.sadb_key_bits = 8 * authkey->len;
    	}
    	if (enckey) {
    		bzero(&sa_enckey, sizeof(sa_enckey));
    		sa_enckey.sadb_key_len = (sizeof(sa_enckey) +
    		    ((enckey->len + 7) / 8) * 8) / 8;
    		sa_enckey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
    		sa_enckey.sadb_key_bits = 8 * enckey->len;
    	}
    
    	iov_cnt = 0;
    
    	/* header */
    	iov[iov_cnt].iov_base = &smsg;
    	iov[iov_cnt].iov_len = sizeof(smsg);
    	iov_cnt++;
    
    	/* sa */
    	iov[iov_cnt].iov_base = &sa;
    	iov[iov_cnt].iov_len = sizeof(sa);
    	smsg.sadb_msg_len += sa.sadb_sa_len;
    	iov_cnt++;
    
    	/* src addr */
    	iov[iov_cnt].iov_base = &sa_src;
    	iov[iov_cnt].iov_len = sizeof(sa_src);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &ssrc;
    	iov[iov_cnt].iov_len = ROUNDUP(ssrc.ss_len);
    	smsg.sadb_msg_len += sa_src.sadb_address_len;
    	iov_cnt++;
    
    	/* dst addr */
    	iov[iov_cnt].iov_base = &sa_dst;
    	iov[iov_cnt].iov_len = sizeof(sa_dst);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &sdst;
    	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
    	smsg.sadb_msg_len += sa_dst.sadb_address_len;
    	iov_cnt++;
    
    	if (encap) {
    		iov[iov_cnt].iov_base = &udpencap;
    		iov[iov_cnt].iov_len = sizeof(udpencap);
    		smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
    		iov_cnt++;
    	}
    	if (authkey) {
    		/* authentication key */
    		iov[iov_cnt].iov_base = &sa_authkey;
    		iov[iov_cnt].iov_len = sizeof(sa_authkey);
    		iov_cnt++;
    		iov[iov_cnt].iov_base = authkey->data;
    		iov[iov_cnt].iov_len = ((authkey->len + 7) / 8) * 8;
    		smsg.sadb_msg_len += sa_authkey.sadb_key_len;
    		iov_cnt++;
    	}
    	if (enckey) {
    		/* encryption key */
    		iov[iov_cnt].iov_base = &sa_enckey;
    		iov[iov_cnt].iov_len = sizeof(sa_enckey);
    		iov_cnt++;
    		iov[iov_cnt].iov_base = enckey->data;
    		iov[iov_cnt].iov_len = ((enckey->len + 7) / 8) * 8;
    		smsg.sadb_msg_len += sa_enckey.sadb_key_len;
    		iov_cnt++;
    	}
    
    	len = smsg.sadb_msg_len * 8;
    	if ((n = writev(sd, iov, iov_cnt)) == -1) {
    		warn("writev failed");
    		ret = -1;
    	} else if (n != len) {
    		warnx("short write");
    		ret = -1;
    	}
    
    	return ret;
    }
    
    static int
    pfkey_sabundle(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action,
        struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_addr_wrap *dst2,
        u_int32_t spi2)
    {
    	struct sadb_msg		smsg;
    	struct sadb_sa		sa1, sa2;
    	struct sadb_address	sa_dst, sa_dst2;
    	struct sockaddr_storage	sdst, sdst2;
    	struct sadb_protocol	sa_proto;
    	struct iovec		iov[IOV_CNT];
    	ssize_t			n;
    	int			iov_cnt, len, ret = 0;
    
    	bzero(&sdst, sizeof(sdst));
    	sdst.ss_family = dst->af;
    	switch (dst->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&sdst)->sin_addr = dst->address.v4;
    		sdst.ss_len = sizeof(struct sockaddr_in);
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&sdst)->sin6_addr = dst->address.v6;
    		sdst.ss_len = sizeof(struct sockaddr_in6);
    		break;
    	default:
    		warnx("unsupported address family %d", dst->af);
    		return -1;
    	}
    
    	bzero(&sdst2, sizeof(sdst2));
    	sdst2.ss_family = dst2->af;
    	switch (dst2->af) {
    	case AF_INET:
    		((struct sockaddr_in *)&sdst2)->sin_addr = dst2->address.v4;
    		sdst2.ss_len = sizeof(struct sockaddr_in);
    		break;
    	case AF_INET6:
    		((struct sockaddr_in6 *)&sdst2)->sin6_addr = dst2->address.v6;
    		sdst2.ss_len = sizeof(struct sockaddr_in6);
    		break;
    	default:
    		warnx("unsupported address family %d", dst2->af);
    		return -1;
    	}
    
    	bzero(&smsg, sizeof(smsg));
    	smsg.sadb_msg_version = PF_KEY_V2;
    	smsg.sadb_msg_seq = sadb_msg_seq++;
    	smsg.sadb_msg_pid = getpid();
    	smsg.sadb_msg_len = sizeof(smsg) / 8;
    	smsg.sadb_msg_type = action;
    	smsg.sadb_msg_satype = satype;
    
    	bzero(&sa1, sizeof(sa1));
    	sa1.sadb_sa_len = sizeof(sa1) / 8;
    	sa1.sadb_sa_exttype = SADB_EXT_SA;
    	sa1.sadb_sa_spi = htonl(spi);
    	sa1.sadb_sa_state = SADB_SASTATE_MATURE;
    
    	bzero(&sa2, sizeof(sa2));
    	sa2.sadb_sa_len = sizeof(sa2) / 8;
    	sa2.sadb_sa_exttype = SADB_X_EXT_SA2;
    	sa2.sadb_sa_spi = htonl(spi2);
    	sa2.sadb_sa_state = SADB_SASTATE_MATURE;
    	iov_cnt = 0;
    
    	bzero(&sa_dst, sizeof(sa_dst));
    	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
    	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
    
    	bzero(&sa_dst2, sizeof(sa_dst2));
    	sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2;
    	sa_dst2.sadb_address_len = (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8;
    
    	bzero(&sa_proto, sizeof(sa_proto));
    	sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2;
    	sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8;
    	sa_proto.sadb_protocol_direction = 0;
    	sa_proto.sadb_protocol_proto = satype2;
    
    	/* header */
    	iov[iov_cnt].iov_base = &smsg;
    	iov[iov_cnt].iov_len = sizeof(smsg);
    	iov_cnt++;
    
    	/* sa */
    	iov[iov_cnt].iov_base = &sa1;
    	iov[iov_cnt].iov_len = sizeof(sa1);
    	smsg.sadb_msg_len += sa1.sadb_sa_len;
    	iov_cnt++;
    
    	/* dst addr */
    	iov[iov_cnt].iov_base = &sa_dst;
    	iov[iov_cnt].iov_len = sizeof(sa_dst);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &sdst;
    	iov[iov_cnt].iov_len = ROUNDUP(sdst.ss_len);
    	smsg.sadb_msg_len += sa_dst.sadb_address_len;
    	iov_cnt++;
    
    	/* second sa */
    	iov[iov_cnt].iov_base = &sa2;
    	iov[iov_cnt].iov_len = sizeof(sa2);
    	smsg.sadb_msg_len += sa2.sadb_sa_len;
    	iov_cnt++;
    
    	/* second dst addr */
    	iov[iov_cnt].iov_base = &sa_dst2;
    	iov[iov_cnt].iov_len = sizeof(sa_dst2);
    	iov_cnt++;
    	iov[iov_cnt].iov_base = &sdst2;
    	iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len);
    	smsg.sadb_msg_len += sa_dst2.sadb_address_len;
    	iov_cnt++;
    
    	/* SA type */
    	iov[iov_cnt].iov_base = &sa_proto;
    	iov[iov_cnt].iov_len = sizeof(sa_proto);
    	smsg.sadb_msg_len += sa_proto.sadb_protocol_len;
    	iov_cnt++;
    
    	len = smsg.sadb_msg_len * 8;
    	if ((n = writev(sd, iov, iov_cnt)) == -1) {
    		warn("writev failed");
    		ret = -1;
    	} else if (n != len) {
    		warnx("short write");
    		ret = -1;
    	}
    
    	return (ret);
    }
    
    static int
    pfkey_reply(int sd, u_int8_t **datap, ssize_t *lenp)
    {
    	struct sadb_msg	 hdr;
    	ssize_t		 len;
    	u_int8_t	*data;
    
    	if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
    		warnx("short read");
    		return -1;
    	}
    	len = hdr.sadb_msg_len * PFKEYV2_CHUNK;
    	if ((data = malloc(len)) == NULL)
    		err(1, "pfkey_reply: malloc");
    	if (read(sd, data, len) != len) {
    		warn("PF_KEY short read");
    		freezero(data, len);
    		return -1;
    	}
    	if (datap) {
    		*datap = data;
    		if (lenp)
    			*lenp = len;
    	} else {
    		freezero(data, len);
    	}
    	if (datap == NULL && hdr.sadb_msg_errno != 0) {
    		errno = hdr.sadb_msg_errno;
    		if (errno != EEXIST) {
    			warn("PF_KEY failed");
    			return -1;
    		}
    	}
    	return 0;
    }
    
    int
    pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
    {
    	struct sadb_ext		*ext;
    	struct sadb_address	*saddr;
    	struct sadb_protocol	*sproto;
    	struct sadb_ident	*sident;
    	struct sockaddr		*sa;
    	struct sockaddr_in	*sa_in;
    	struct sockaddr_in6	*sa_in6;
    	int			 len;
    
    	switch (msg->sadb_msg_satype) {
    	case SADB_SATYPE_ESP:
    		rule->satype = IPSEC_ESP;
    		break;
    	case SADB_SATYPE_AH:
    		rule->satype = IPSEC_AH;
    		break;
    	case SADB_X_SATYPE_IPCOMP:
    		rule->satype = IPSEC_IPCOMP;
    		break;
    	case SADB_X_SATYPE_IPIP:
    		rule->satype = IPSEC_IPIP;
    		break;
    	default:
    		return (1);
    	}
    
    	for (ext = (struct sadb_ext *)(msg + 1);
    	    (size_t)((u_int8_t *)ext - (u_int8_t *)msg) <
    	    msg->sadb_msg_len * PFKEYV2_CHUNK && ext->sadb_ext_len > 0;
    	    ext = (struct sadb_ext *)((u_int8_t *)ext +
    	    ext->sadb_ext_len * PFKEYV2_CHUNK)) {
    		switch (ext->sadb_ext_type) {
    		case SADB_EXT_ADDRESS_SRC:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			rule->local = calloc(1, sizeof(struct ipsec_addr_wrap));
    			if (rule->local == NULL)
    				err(1, "pfkey_parse: calloc");
    
    			rule->local->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
    				    &rule->local->address.v4,
    				    sizeof(struct in_addr));
    				set_ipmask(rule->local, 32);
    				break;
    			case AF_INET6:
    				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
    				    &rule->local->address.v6,
    				    sizeof(struct in6_addr));
    				set_ipmask(rule->local, 128);
    				break;
    			default:
    				return (1);
    			}
    			break;
    
    
    		case SADB_EXT_ADDRESS_DST:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			rule->peer = calloc(1, sizeof(struct ipsec_addr_wrap));
    			if (rule->peer == NULL)
    				err(1, "pfkey_parse: calloc");
    
    			rule->peer->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
    				    &rule->peer->address.v4,
    				    sizeof(struct in_addr));
    				set_ipmask(rule->peer, 32);
    				break;
    			case AF_INET6:
    				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
    				    &rule->peer->address.v6,
    				    sizeof(struct in6_addr));
    				set_ipmask(rule->peer, 128);
    				break;
    			default:
    				return (1);
    			}
    			break;
    
    		case SADB_EXT_IDENTITY_SRC:
    			sident = (struct sadb_ident *)ext;
    			len = (sident->sadb_ident_len * sizeof(uint64_t)) -
    			    sizeof(struct sadb_ident);
    
    			if (rule->auth == NULL) {
    				rule->auth = calloc(1, sizeof(struct
    				    ipsec_auth));
    				if (rule->auth == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->auth->srcid = calloc(1, len);
    			if (rule->auth->srcid == NULL)
    				err(1, "pfkey_parse: calloc");
    
    			strlcpy(rule->auth->srcid, (char *)(sident + 1), len);
    			break;
    
    		case SADB_EXT_IDENTITY_DST:
    			sident = (struct sadb_ident *)ext;
    			len = (sident->sadb_ident_len * sizeof(uint64_t)) -
    			    sizeof(struct sadb_ident);
    
    			if (rule->auth == NULL) {
    				rule->auth = calloc(1, sizeof(struct
    				    ipsec_auth));
    				if (rule->auth == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->auth->dstid = calloc(1, len);
    			if (rule->auth->dstid == NULL)
    				err(1, "pfkey_parse: calloc");
    
    			strlcpy(rule->auth->dstid, (char *)(sident + 1), len);
    			break;
    
    		case SADB_X_EXT_PROTOCOL:
    			sproto = (struct sadb_protocol *)ext;
    			if (sproto->sadb_protocol_direction == 0)
    				rule->proto = sproto->sadb_protocol_proto;
    			break;
    
    		case SADB_X_EXT_FLOW_TYPE:
    			sproto = (struct sadb_protocol *)ext;
    
    			switch (sproto->sadb_protocol_direction) {
    			case IPSP_DIRECTION_IN:
    				rule->direction = IPSEC_IN;
    				break;
    			case IPSP_DIRECTION_OUT:
    				rule->direction = IPSEC_OUT;
    				break;
    			default:
    				return (1);
    			}
    			switch (sproto->sadb_protocol_proto) {
    			case SADB_X_FLOW_TYPE_USE:
    				rule->flowtype = TYPE_USE;
    				break;
    			case SADB_X_FLOW_TYPE_ACQUIRE:
    				rule->flowtype = TYPE_ACQUIRE;
    				break;
    			case SADB_X_FLOW_TYPE_REQUIRE:
    				rule->flowtype = TYPE_REQUIRE;
    				break;
    			case SADB_X_FLOW_TYPE_DENY:
    				rule->flowtype = TYPE_DENY;
    				break;
    			case SADB_X_FLOW_TYPE_BYPASS:
    				rule->flowtype = TYPE_BYPASS;
    				break;
    			case SADB_X_FLOW_TYPE_DONTACQ:
    				rule->flowtype = TYPE_DONTACQ;
    				break;
    			default:
    				rule->flowtype = TYPE_UNKNOWN;
    				break;
    			}
    			break;
    
    		case SADB_X_EXT_SRC_FLOW:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			if (rule->src == NULL) {
    				rule->src = calloc(1,
    				    sizeof(struct ipsec_addr_wrap));
    				if (rule->src == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->src->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
    				    &rule->src->address.v4,
    				    sizeof(struct in_addr));
    				rule->sport =
    				    ((struct sockaddr_in *)sa)->sin_port;
    				break;
    			case AF_INET6:
    				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
    				    &rule->src->address.v6,
    				    sizeof(struct in6_addr));
    				rule->sport =
    				    ((struct sockaddr_in6 *)sa)->sin6_port;
    				break;
    			default:
    				return (1);
    			}
    			break;
    
    		case SADB_X_EXT_DST_FLOW:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			if (rule->dst == NULL) {
    				rule->dst = calloc(1,
    				    sizeof(struct ipsec_addr_wrap));
    				if (rule->dst == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->dst->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				bcopy(&((struct sockaddr_in *)sa)->sin_addr,
    				    &rule->dst->address.v4,
    				    sizeof(struct in_addr));
    				rule->dport =
    				    ((struct sockaddr_in *)sa)->sin_port;
    				break;
    			case AF_INET6:
    				bcopy(&((struct sockaddr_in6 *)sa)->sin6_addr,
    				    &rule->dst->address.v6,
    				    sizeof(struct in6_addr));
    				rule->dport =
    				    ((struct sockaddr_in6 *)sa)->sin6_port;
    				break;
    			default:
    				return (1);
    			}
    			break;
    
    
    		case SADB_X_EXT_SRC_MASK:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			if (rule->src == NULL) {
    				rule->src = calloc(1,
    				    sizeof(struct ipsec_addr_wrap));
    				if (rule->src == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->src->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				sa_in = (struct sockaddr_in *)sa;
    				bcopy(&sa_in->sin_addr, &rule->src->mask.v4,
    				    sizeof(struct in_addr));
    				break;
    			case AF_INET6:
    				sa_in6 = (struct sockaddr_in6 *)sa;
    				bcopy(&sa_in6->sin6_addr, &rule->src->mask.v6,
    				    sizeof(struct in6_addr));
    				break;
    
    			default:
    				return (1);
    			}
    			break;
    
    		case SADB_X_EXT_DST_MASK:
    			saddr = (struct sadb_address *)ext;
    			sa = (struct sockaddr *)(saddr + 1);
    
    			if (rule->dst == NULL) {
    				rule->dst = calloc(1,
    				    sizeof(struct ipsec_addr_wrap));
    				if (rule->dst == NULL)
    					err(1, "pfkey_parse: calloc");
    			}
    
    			rule->dst->af = sa->sa_family;
    			switch (sa->sa_family) {
    			case AF_INET:
    				sa_in = (struct sockaddr_in *)sa;
    				bcopy(&sa_in->sin_addr, &rule->dst->mask.v4,
    				    sizeof(struct in_addr));
    				break;
    			case AF_INET6:
    				sa_in6 = (struct sockaddr_in6 *)sa;
    				bcopy(&sa_in6->sin6_addr, &rule->dst->mask.v6,
    				    sizeof(struct in6_addr));
    				break;
    			default:
    				return (1);
    			}
    			break;
    
    		default:
    			return (1);
    		}
    	}
    
    	return (0);
    }
    
    int
    pfkey_ipsec_establish(int action, struct ipsec_rule *r)
    {
    	int		ret;
    	u_int8_t	satype, satype2, direction;
    
    	if (r->type == RULE_FLOW) {
    		switch (r->satype) {
    		case IPSEC_ESP:
    			satype = SADB_SATYPE_ESP;
    			break;
    		case IPSEC_AH:
    			satype = SADB_SATYPE_AH;
    			break;
    		case IPSEC_IPCOMP:
    			satype = SADB_X_SATYPE_IPCOMP;
    			break;
    		case IPSEC_IPIP:
    			satype = SADB_X_SATYPE_IPIP;
    			break;
    		default:
    			return -1;
    		}
    
    		switch (r->direction) {
    		case IPSEC_IN:
    			direction = IPSP_DIRECTION_IN;
    			break;
    		case IPSEC_OUT:
    			direction = IPSP_DIRECTION_OUT;
    			break;
    		default:
    			return -1;
    		}
    
    		switch (action) {
    		case ACTION_ADD:
    			ret = pfkey_flow(fd, satype, SADB_X_ADDFLOW, direction,
    			    r->proto, r->src, r->sport, r->dst, r->dport,
    			    r->local, r->peer, r->auth, r->flowtype);
    			break;
    		case ACTION_DELETE:
    			/* No peer for flow deletion. */
    			ret = pfkey_flow(fd, satype, SADB_X_DELFLOW, direction,
    			    r->proto, r->src, r->sport, r->dst, r->dport,
    			    NULL, NULL, NULL, r->flowtype);
    			break;
    		default:
    			return -1;
    		}
    	} else if (r->type == RULE_SA) {
    		switch (r->satype) {
    		case IPSEC_AH:
    			satype = SADB_SATYPE_AH;
    			break;
    		case IPSEC_ESP:
    			satype = SADB_SATYPE_ESP;
    			break;
    		case IPSEC_IPCOMP:
    			satype = SADB_X_SATYPE_IPCOMP;
    			break;
    		case IPSEC_TCPMD5:
    			satype = SADB_X_SATYPE_TCPSIGNATURE;
    			break;
    		case IPSEC_IPIP:
    			satype = SADB_X_SATYPE_IPIP;
    			break;
    		default:
    			return -1;
    		}
    		switch (action) {
    		case ACTION_ADD:
    			ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
    			    r->src, r->dst, r->udpencap, r->udpdport,
    			    r->xfs, r->authkey, r->enckey, r->tmode);
    			break;
    		case ACTION_DELETE:
    			ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,
    			    r->src, r->dst, 0, 0, r->xfs, NULL, NULL, r->tmode);
    			break;
    		default:
    			return -1;
    		}
    	} else if (r->type == RULE_BUNDLE) {
    		switch (r->satype) {
    		case IPSEC_AH:
    			satype = SADB_SATYPE_AH;
    			break;
    		case IPSEC_ESP:
    			satype = SADB_SATYPE_ESP;
    			break;
    		case IPSEC_IPCOMP:
    			satype = SADB_X_SATYPE_IPCOMP;
    			break;
    		case IPSEC_TCPMD5:
    			satype = SADB_X_SATYPE_TCPSIGNATURE;
    			break;
    		case IPSEC_IPIP:
    			satype = SADB_X_SATYPE_IPIP;
    			break;
    		default:
    			return -1;
    		}
    		switch (r->proto2) {
    		case IPSEC_AH:
    			satype2 = SADB_SATYPE_AH;
    			break;
    		case IPSEC_ESP:
    			satype2 = SADB_SATYPE_ESP;
    			break;
    		case IPSEC_IPCOMP:
    			satype2 = SADB_X_SATYPE_IPCOMP;
    			break;
    		case IPSEC_TCPMD5:
    			satype2 = SADB_X_SATYPE_TCPSIGNATURE;
    			break;
    		case IPSEC_IPIP:
    			satype2 = SADB_X_SATYPE_IPIP;
    			break;
    		default:
    			return -1;
    		}
    		switch (action) {
    		case ACTION_ADD:
    			ret = pfkey_sabundle(fd, satype, satype2,
    			    SADB_X_GRPSPIS, r->dst, r->spi, r->dst2, r->spi2);
    			break;
    		case ACTION_DELETE:
    			return 0;
    		default:
    			return -1;
    		}
    	} else
    		return -1;
    
    	if (ret < 0)
    		return -1;
    	if (pfkey_reply(fd, NULL, NULL) < 0)
    		return -1;
    
    	return 0;
    }
    
    int
    pfkey_ipsec_flush(void)
    {
    	struct sadb_msg smsg;
    	struct iovec	iov[IOV_CNT];
    	ssize_t		n;
    	int		iov_cnt, len;
    
    	bzero(&smsg, sizeof(smsg));
    	smsg.sadb_msg_version = PF_KEY_V2;
    	smsg.sadb_msg_seq = sadb_msg_seq++;
    	smsg.sadb_msg_pid = getpid();
    	smsg.sadb_msg_len = sizeof(smsg) / 8;
    	smsg.sadb_msg_type = SADB_FLUSH;
    	smsg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
    
    	iov_cnt = 0;
    
    	iov[iov_cnt].iov_base = &smsg;
    	iov[iov_cnt].iov_len = sizeof(smsg);
    	iov_cnt++;
    
    	len = smsg.sadb_msg_len * 8;
    	if ((n = writev(fd, iov, iov_cnt)) == -1) {
    		warn("writev failed");
    		return -1;
    	}
    	if (n != len) {
    		warnx("short write");
    		return -1;
    	}
    	if (pfkey_reply(fd, NULL, NULL) < 0)
    		return -1;
    
    	return 0;
    }
    
    static int
    pfkey_promisc(void)
    {
    	struct sadb_msg msg;
    
    	memset(&msg, 0, sizeof(msg));
    	msg.sadb_msg_version = PF_KEY_V2;
    	msg.sadb_msg_seq = sadb_msg_seq++;
    	msg.sadb_msg_pid = getpid();
    	msg.sadb_msg_len = sizeof(msg) / PFKEYV2_CHUNK;
    	msg.sadb_msg_type = SADB_X_PROMISC;
    	msg.sadb_msg_satype = 1;	/* enable */
    	if (write(fd, &msg, sizeof(msg)) != sizeof(msg)) {
    		warn("pfkey_promisc: write failed");
    		return -1;
    	}
    	if (pfkey_reply(fd, NULL, NULL) < 0)
    		return -1;
    	return 0;
    }
    
    int
    pfkey_monitor(int opts)
    {
    	struct pollfd pfd[1];
    	struct sadb_msg *msg;
    	u_int8_t *data;
    	ssize_t len;
    	int n;
    
    	if (pfkey_init() < 0)
    		return -1;
    	if (pfkey_promisc() < 0)
    		return -1;
    
    	if (pledge("stdio", NULL) == -1)
    		err(1, "pledge");
    
    	pfd[0].fd = fd;
    	pfd[0].events = POLLIN;
    	for (;;) {
    		if ((n = poll(pfd, 1, -1)) == -1)
    			err(2, "poll");
    		if (n == 0)
    			break;
    		if ((pfd[0].revents & POLLIN) == 0)
    			continue;
    		if (pfkey_reply(fd, &data, &len) < 0)
    			continue;
    		msg = (struct sadb_msg *)data;
    		if (msg->sadb_msg_type == SADB_X_PROMISC) {
    			/* remove extra header from promisc messages */
    			if ((msg->sadb_msg_len * PFKEYV2_CHUNK) >=
    			    2 * sizeof(struct sadb_msg)) {
    				msg++;
    			}
    		}
    		pfkey_monitor_sa(msg, opts);
    		if (opts & IPSECCTL_OPT_VERBOSE)
    			pfkey_print_raw(data, len);
    		freezero(data, len);
    	}
    	close(fd);
    	return 0;
    }
    
    int
    pfkey_init(void)
    {
    	if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1)
    		err(1, "pfkey_init: failed to open PF_KEY socket");
    
    	return 0;
    }