xref: /titanic_41/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipsecconf.c (revision c54c769d4c1cde75dd28975fb0090a8f944651a6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <stdio.h>
29 #include <sys/types.h>
30 #include <sys/stat.h>
31 #include <strings.h>
32 #include <stropts.h>
33 #include <fcntl.h>
34 #include <stdlib.h>
35 #include <unistd.h>
36 #include <string.h>
37 #include <ctype.h>
38 #include <arpa/inet.h>
39 #include <locale.h>
40 #include <syslog.h>
41 #include <pwd.h>
42 #include <sys/param.h>
43 #include <sys/sysmacros.h>	/* MIN, MAX */
44 #include <sys/sockio.h>
45 #include <net/pfkeyv2.h>
46 #include <net/pfpolicy.h>
47 #include <inet/ipsec_impl.h>
48 #include <signal.h>
49 #include <errno.h>
50 #include <netdb.h>
51 #include <sys/socket.h>
52 #include <sys/systeminfo.h>
53 #include <nss_dbdefs.h>					/* NSS_BUFLEN_HOSTS */
54 #include <netinet/in.h>
55 #include <assert.h>
56 #include <inet/ip.h>
57 #include <ipsec_util.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/ip_icmp.h>
60 #include <netinet/icmp6.h>
61 
62 /*
63  * Globals
64  */
65 int lfd;
66 char *my_fmri;
67 FILE *debugfile = stderr;
68 
69 #define	USAGE() if (!smf_managed) usage()
70 /*
71  * Buffer length to read in pattern/properties.
72  */
73 #define	MAXLEN			1024
74 
75 /* Max length of tunnel interface string identifier */
76 #define	TUNNAMEMAXLEN		LIFNAMSIZ
77 
78 /*
79  * Used by parse_one and parse/parse_action to communicate
80  * the errors. -1 is failure, which is not defined here.
81  */
82 enum parse_errors {PARSE_SUCCESS, PARSE_EOF};
83 
84 /*
85  * For spdsock_get_ext() diagnostics.
86  */
87 #define	SPDSOCK_DIAG_BUF_LEN	128
88 static char spdsock_diag_buf[SPDSOCK_DIAG_BUF_LEN];
89 
90 /*
91  * Define CURL here so that while you are reading
92  * this code, it does not affect "vi" in pattern
93  * matching.
94  */
95 #define	CURL_BEGIN		'{'
96 #define	CURL_END		'}'
97 #define	MAXARGS			20
98 #define	NOERROR			0
99 
100 /*
101  * IPSEC_CONF_ADD should start with 1, so that when multiple commands
102  * are given, we can fail the request.
103  */
104 
105 enum ipsec_cmds {IPSEC_CONF_ADD = 1, IPSEC_CONF_DEL, IPSEC_CONF_VIEW,
106     IPSEC_CONF_FLUSH, IPSEC_CONF_LIST, IPSEC_CONF_SUB};
107 
108 static const char policy_conf_file[] = "/var/run/ipsecpolicy.conf";
109 static const char lock_file[] = "/var/run/ipsecconf.lock";
110 static const char index_tag[] = "#INDEX";
111 
112 #define	POLICY_CONF_FILE	policy_conf_file
113 #define	LOCK_FILE		lock_file
114 #define	INDEX_TAG		index_tag
115 
116 /*
117  * Valid algorithm length.
118  */
119 #define	VALID_ALG_LEN		40
120 
121 /* Types of Error messages */
122 typedef enum error_type {BAD_ERROR, DUP_ERROR, REQ_ERROR} error_type_t;
123 
124 /* Error message human readable conversions */
125 static char *sys_error_message(int);
126 static void error_message(error_type_t, int, int);
127 static int get_pf_pol_socket(void);
128 
129 static int cmd;
130 static char *filename;
131 static char lo_buf[MAXLEN];			/* Leftover buffer */
132 
133 /*
134  * The new SPD_EXT_TUN_NAME extension has a tunnel name in it.  Use the empty
135  * string ("", stored in the char value "all_polheads") for all policy heads
136  * (global and all tunnels).  Set interface_name to NULL for global-only, or
137  * specify a name of an IP-in-IP tunnel.
138  */
139 static char *interface_name;
140 static char all_polheads;	/* So we can easily get "". */
141 
142 /* Error reporting stuff */
143 #define	CBUF_LEN		4096		/* Maximum size of the cmd */
144 /*
145  * Following are used for reporting errors with arguments.
146  * We store the line numbers of each argument as we parse them,
147  * so that the error reporting is more specific. We can have only
148  * MAXARGS -1 for pattern and properties and one for action.
149  */
150 #define	ARG_BUF_LEN		((2 * (MAXARGS - 1)) + 1)
151 static int arg_indices[ARG_BUF_LEN];
152 static int argindex;
153 static int linecount;
154 static char cbuf[CBUF_LEN];				/* Command buffer */
155 static int cbuf_offset;
156 
157 
158 #define	BYPASS_POLICY_BOOST		0x00800000
159 #define	ESP_POLICY_BOOST		0x00400000
160 #define	AH_POLICY_BOOST			0x00200000
161 #define	INITIAL_BASE_PRIORITY		0x000fffff
162 
163 /*
164  * the number used to order the
165  * rules starts at a certain base and
166  * goes down.  i.e. rules earlier in
167  * the file are checked first
168  */
169 static uint32_t priority = INITIAL_BASE_PRIORITY;
170 
171 #define	AH_AUTH		0
172 #define	ESP_ENCR	1
173 #define	ESP_AUTH	2
174 
175 
176 /*
177  * for deleting adds on error
178  */
179 
180 typedef struct d_list_s
181 {
182 	struct d_list_s *next;
183 	int index;
184 } d_list_t;
185 
186 static d_list_t *d_list = NULL;
187 static d_list_t *d_tail = NULL;
188 
189 
190 /*
191  * Used for multi-homed source/dest hosts.
192  */
193 static struct hostent *shp, *dhp;
194 static unsigned int splen, dplen;
195 static char tunif[TUNNAMEMAXLEN];
196 static boolean_t has_saprefix, has_daprefix;
197 static uint32_t seq_cnt = 0;
198 
199 /* lexxed out action and related properties */
200 typedef struct ap_s
201 {
202 	char *act;
203 	char *prop[MAXARGS + 1];
204 } ap_t;
205 
206 
207 /* one lexxed out rule */
208 typedef struct act_prop_s {
209 	char *pattern[MAXARGS+1];
210 	ap_t ap[MAXARGS + 1];
211 } act_prop_t;
212 
213 typedef struct
214 {
215 	uint8_t	 alg_id;
216 	uint32_t alg_minbits;
217 	uint32_t alg_maxbits;
218 } algreq_t;
219 
220 /* structure to hold all information for one act_prop_t */
221 typedef struct ips_act_props_s {
222 	struct ips_act_props_s	*iap_next;
223 	struct ips_conf_s		*iap_head;
224 
225 /*
226  * IPsec action types (in SPD_ATTR_TYPE attribute)
227  * SPD_ACTTYPE_DROP	0x0001
228  * SPD_ACTTYPE_PASS	0x0002
229  * SPD_ACTTYPE_IPSEC	0x0003
230  */
231 	uint16_t	iap_action;
232 	uint16_t	iap_act_tok;
233 
234 /*
235  * Action ATTR flags (in SPD_ATTR_FLAGS attribute)
236  *	SPD_APPLY_AH		0x0001
237  *	SPD_APPLY_ESP		0x0002
238  *	SPD_APPLY_SE		0x0004  * self-encapsulation *
239  *	SPD_APPLY_COMP		0x0008	* compression; NYI *
240  *	SPD_APPLY_UNIQUE	0x0010	* unique per-flow SA *
241  *	SPD_APPLY_BYPASS	0x0020	* bypass policy *
242  */
243 	uint16_t	iap_attr;
244 	uint16_t	iap_attr_tok[5];
245 
246 	algreq_t	iap_aauth;
247 	algreq_t	iap_eencr;
248 	algreq_t	iap_eauth;
249 
250 	uint32_t iap_life_soft_time;
251 	uint32_t iap_life_hard_time;
252 	uint32_t iap_life_soft_bytes;
253 	uint32_t iap_life_hard_bytes;
254 
255 } ips_act_props_t;
256 
257 #define	V4_PART_OF_V6(v6)	v6._S6_un._S6_u32[3]
258 
259 typedef struct ips_conf_s {
260 	/* selector */
261 	uint16_t patt_tok[8];
262 	uint8_t has_saddr;
263 	uint8_t has_daddr;
264 	uint8_t has_smask;
265 	uint8_t has_dmask;
266 	uint8_t has_type;
267 	uint8_t has_code;
268 	uint8_t has_negotiate;
269 	uint8_t has_tunnel;
270 	uint16_t swap;
271 
272 	struct in6_addr	ips_src_addr_v6;
273 	struct in6_addr	ips_src_mask_v6;
274 	struct in6_addr	ips_dst_addr_v6;
275 	struct in6_addr	ips_dst_mask_v6;
276 	uint8_t 		ips_src_mask_len;
277 	uint8_t 		ips_dst_mask_len;
278 	in_port_t		ips_src_port_min;
279 	in_port_t		ips_src_port_max;
280 	in_port_t		ips_dst_port_min;
281 	in_port_t		ips_dst_port_max;
282 	uint8_t			ips_icmp_type;
283 	uint8_t			ips_icmp_type_end;
284 	uint8_t			ips_icmp_code;
285 	uint8_t			ips_icmp_code_end;
286 	uint8_t			ips_ulp_prot;
287 	uint8_t			ips_ipsec_prot;
288 	uint8_t			ips_isv4;
289 	/*
290 	 * SPD_RULE_FLAG_INBOUND		0x0001
291 	 * SPD_RULE_FLAG_OUTBOUND		0x0002
292 	 */
293 	uint8_t			ips_dir;
294 	/*
295 	 * Keep track of tunnel separately due to explosion of ways to set
296 	 * inbound/outbound.
297 	 */
298 	boolean_t		ips_tunnel;
299 	uint64_t		ips_policy_index;
300 	uint32_t		ips_act_cnt;
301 	ips_act_props_t	*ips_acts;
302 } ips_conf_t;
303 
304 #define	ips_src_addr	V4_PART_OF_V6(ips_src_addr_v6)
305 #define	ips_dst_addr	V4_PART_OF_V6(ips_dst_addr_v6)
306 
307 static int ipsecconf_nflag;		/* Used only with -l option */
308 static int ipsecconf_qflag;		/* Used only with -a|-r option */
309 
310 typedef struct str_val {
311 	const char *string;
312 	int value;
313 } str_val_t;
314 
315 typedef struct str_tval {
316 	const char *string;
317 	int tok_val;
318 	int value;
319 } str_tval_t;
320 
321 static int	parse_int(const char *);
322 static int	parse_index(const char *, char *);
323 static int	attach_tunname(spd_if_t *);
324 static void	usage(void);
325 static int	ipsec_conf_del(int, boolean_t);
326 static int	ipsec_conf_add(boolean_t, boolean_t);
327 static int	ipsec_conf_sub(void);
328 static int	ipsec_conf_flush(int);
329 static int	ipsec_conf_view(void);
330 static int	ipsec_conf_list(void);
331 static int	lock(void);
332 static int	unlock(int);
333 static int	parse_one(FILE *, act_prop_t *);
334 static void	reconfigure();
335 static void	in_prefixlentomask(unsigned int, uchar_t *);
336 static int	in_getprefixlen(char *);
337 static int	parse_address(int, char *);
338 #ifdef DEBUG_HEAVY
339 static void	pfpol_msg_dump(spd_msg_t *msg, char *);
340 #endif /* DEBUG_HEAVY */
341 static void	print_pfpol_msg(spd_msg_t *);
342 static int	pfp_delete_rule(uint64_t);
343 static void	ipsec_conf_admin(uint8_t);
344 static void	print_bit_range(int, int);
345 static void	nuke_adds();
346 
347 #ifdef DEBUG
348 static void	dump_conf(ips_conf_t *);
349 #endif
350 
351 typedef struct
352 {
353 	uint32_t	id;
354 	uint32_t	minkeybits;
355 	uint32_t	maxkeybits;
356 	uint32_t	defkeybits;
357 	uint32_t	incr;
358 } alginfo_t;
359 
360 static int ipsec_nalgs[3];
361 static alginfo_t known_algs[3][256];
362 
363 #define	IPS_SRC_MASK SPD_EXT_LCLADDR + 100
364 #define	IPS_DST_MASK SPD_EXT_REMADDR + 100
365 
366 /*
367  * if inbound, src=remote, dst=local
368  * if outbound, src=local, dst=remote
369  */
370 
371 #define	TOK_saddr	1
372 #define	TOK_daddr	2
373 #define	TOK_sport	3
374 #define	TOK_dport	4
375 #define	TOK_smask	5
376 #define	TOK_dmask	6
377 #define	TOK_ulp	7
378 #define	TOK_local	8
379 #define	TOK_lport	9
380 #define	TOK_remote	10
381 #define	TOK_rport	11
382 #define	TOK_dir 	12
383 #define	TOK_type	13
384 #define	TOK_code	14
385 #define	TOK_negotiate	15
386 #define	TOK_tunnel	16
387 
388 #define	IPS_SA SPD_ATTR_END
389 #define	IPS_DIR SPD_ATTR_EMPTY
390 #define	IPS_NEG SPD_ATTR_NOP
391 
392 
393 static str_tval_t pattern_table[] = {
394 	{"saddr", 		TOK_saddr,		SPD_EXT_LCLADDR},
395 	{"src",			TOK_saddr,		SPD_EXT_LCLADDR},
396 	{"srcaddr",		TOK_saddr,		SPD_EXT_LCLADDR},
397 	{"daddr", 		TOK_daddr,		SPD_EXT_REMADDR},
398 	{"dst",			TOK_daddr,		SPD_EXT_REMADDR},
399 	{"dstaddr",		TOK_daddr,		SPD_EXT_REMADDR},
400 	{"sport", 		TOK_sport,		SPD_EXT_LCLPORT},
401 	{"dport", 		TOK_dport,		SPD_EXT_REMPORT},
402 	{"smask", 		TOK_smask,		IPS_SRC_MASK},
403 	{"dmask", 		TOK_dmask,		IPS_DST_MASK},
404 	{"ulp", 		TOK_ulp,		SPD_EXT_PROTO},
405 	{"proto", 		TOK_ulp,		SPD_EXT_PROTO},
406 	{"local",		TOK_local,		SPD_EXT_LCLADDR},
407 	{"laddr",		TOK_local,		SPD_EXT_LCLADDR},
408 	{"lport",		TOK_lport,		SPD_EXT_LCLPORT},
409 	{"remote",		TOK_remote,		SPD_EXT_REMADDR},
410 	{"raddr",		TOK_remote,		SPD_EXT_REMADDR},
411 	{"rport",		TOK_rport,		SPD_EXT_REMPORT},
412 	{"dir",			TOK_dir,		IPS_DIR},
413 	{"type",		TOK_type,		SPD_EXT_ICMP_TYPECODE},
414 	{"code",		TOK_code,		SPD_EXT_ICMP_TYPECODE},
415 	{"negotiate",		TOK_negotiate,		IPS_NEG},
416 	{"tunnel",		TOK_tunnel,		SPD_EXT_TUN_NAME},
417 	{NULL, 			0,				0},
418 };
419 
420 #define	TOK_apply	1
421 #define	TOK_permit	2
422 #define	TOK_ipsec	3
423 #define	TOK_bypass	4
424 #define	TOK_drop	5
425 #define	TOK_or		6
426 
427 static str_tval_t action_table[] = {
428 	{"apply", 		TOK_apply,		SPD_ACTTYPE_IPSEC},
429 	{"permit", 		TOK_permit,		SPD_ACTTYPE_IPSEC},
430 	{"ipsec", 		TOK_ipsec,		SPD_ACTTYPE_IPSEC},
431 	{"bypass", 		TOK_bypass,		SPD_ACTTYPE_PASS},
432 	{"pass", 		TOK_bypass,		SPD_ACTTYPE_PASS},
433 	{"drop", 		TOK_drop,		SPD_ACTTYPE_DROP},
434 	{"or",			TOK_or,			0},
435 	{NULL, 			0,				0},
436 };
437 
438 static str_val_t property_table[] = {
439 	{"auth_algs", 		SPD_ATTR_AH_AUTH},
440 	{"encr_algs", 		SPD_ATTR_ESP_ENCR},
441 	{"encr_auth_algs",	SPD_ATTR_ESP_AUTH},
442 	{"sa",				IPS_SA},
443 	{"dir",				IPS_DIR},
444 	{NULL,				0},
445 };
446 
447 static str_val_t icmp_type_table[] = {
448 	{"unreach",	ICMP_UNREACH},
449 	{"echo",	ICMP_ECHO},
450 	{"echorep",	ICMP_ECHOREPLY},
451 	{"squench",	ICMP_SOURCEQUENCH},
452 	{"redir",	ICMP_REDIRECT},
453 	{"timex",	ICMP_TIMXCEED},
454 	{"paramprob",	ICMP_PARAMPROB},
455 	{"timest",	ICMP_TSTAMP},
456 	{"timestrep",	ICMP_TSTAMPREPLY},
457 	{"inforeq",	ICMP_IREQ},
458 	{"inforep",	ICMP_IREQREPLY},
459 	{"maskreq",	ICMP_MASKREQ},
460 	{"maskrep",	ICMP_MASKREPLY},
461 	{"unreach6",	ICMP6_DST_UNREACH},
462 	{"pkttoobig6",	ICMP6_PACKET_TOO_BIG},
463 	{"timex6",	ICMP6_TIME_EXCEEDED},
464 	{"paramprob6",	ICMP6_PARAM_PROB},
465 	{"echo6", 	ICMP6_ECHO_REQUEST},
466 	{"echorep6",	ICMP6_ECHO_REPLY},
467 	{"router-sol6",	ND_ROUTER_SOLICIT},
468 	{"router-ad6",	ND_ROUTER_ADVERT},
469 	{"neigh-sol6",	ND_NEIGHBOR_SOLICIT},
470 	{"neigh-ad6",	ND_NEIGHBOR_ADVERT},
471 	{"redir6",	ND_REDIRECT},
472 	{NULL,		0},
473 };
474 
475 static str_val_t icmp_code_table[] = {
476 	{"net-unr",		ICMP_UNREACH_NET},
477 	{"host-unr",		ICMP_UNREACH_HOST},
478 	{"proto-unr",		ICMP_UNREACH_PROTOCOL},
479 	{"port-unr",		ICMP_UNREACH_PORT},
480 	{"needfrag",		ICMP_UNREACH_NEEDFRAG},
481 	{"srcfail",		ICMP_UNREACH_SRCFAIL},
482 	{"net-unk",		ICMP_UNREACH_NET_UNKNOWN},
483 	{"host-unk",		ICMP_UNREACH_HOST_UNKNOWN},
484 	{"isolate",		ICMP_UNREACH_ISOLATED},
485 	{"net-prohib",		ICMP_UNREACH_NET_PROHIB},
486 	{"host-prohib",		ICMP_UNREACH_HOST_PROHIB},
487 	{"net-tos",		ICMP_UNREACH_TOSNET},
488 	{"host-tos",		ICMP_UNREACH_TOSHOST},
489 	{"filter-prohib",	ICMP_UNREACH_FILTER_PROHIB},
490 	{"host-preced",		ICMP_UNREACH_HOST_PRECEDENCE},
491 	{"cutoff-preced",	ICMP_UNREACH_PRECEDENCE_CUTOFF},
492 	{"no-route6",		ICMP6_DST_UNREACH_NOROUTE},
493 	{"adm-prohib6",		ICMP6_DST_UNREACH_ADMIN},
494 	{"addr-unr6",		ICMP6_DST_UNREACH_ADDR},
495 	{"port-unr6",		ICMP6_DST_UNREACH_NOPORT},
496 	{"hop-limex6",		ICMP6_TIME_EXCEED_TRANSIT},
497 	{"frag-re-timex6",	ICMP6_TIME_EXCEED_REASSEMBLY},
498 	{"err-head6",		ICMP6_PARAMPROB_HEADER},
499 	{"unrec-head6",		ICMP6_PARAMPROB_NEXTHEADER},
500 	{"unreq-opt6",		ICMP6_PARAMPROB_OPTION},
501 	{NULL,			0},
502 };
503 
504 static sigset_t set, oset;
505 
506 
507 static boolean_t
508 add_index(int index)
509 {
510 	d_list_t *temp = malloc(sizeof (d_list_t));
511 
512 	if (temp == NULL) {
513 		warn("malloc");
514 		return (B_TRUE);
515 	}
516 
517 	temp->index = index;
518 	temp->next = NULL;
519 
520 	if (d_tail == NULL) {
521 		d_list = d_tail = temp;
522 		return (B_FALSE);
523 	}
524 
525 	d_tail->next = temp;
526 	d_tail = temp;
527 
528 	return (B_FALSE);
529 }
530 
531 static int
532 block_all_signals()
533 {
534 	if (sigfillset(&set) == -1) {
535 		warn("sigfillset");
536 		return (-1);
537 	}
538 	if (sigprocmask(SIG_SETMASK, &set, &oset) == -1) {
539 		warn("sigprocmask");
540 		return (-1);
541 	}
542 	return (0);
543 }
544 
545 static int
546 restore_all_signals()
547 {
548 	if (sigprocmask(SIG_SETMASK, &oset, NULL) == -1) {
549 		warn("sigprocmask");
550 		return (-1);
551 	}
552 	return (0);
553 }
554 
555 /* allocate an ips_act_props_t and link it in correctly */
556 static ips_act_props_t *
557 alloc_iap(ips_conf_t *parent)
558 {
559 	ips_act_props_t *ret;
560 	ips_act_props_t *next = parent->ips_acts;
561 	ips_act_props_t *current = NULL;
562 
563 	ret = (ips_act_props_t *)calloc(sizeof (ips_act_props_t), 1);
564 
565 	if (ret == NULL)
566 		return (NULL);
567 
568 	ret->iap_head = parent;
569 
570 	while (next != NULL) {
571 		current = next;
572 		next = next->iap_next;
573 	}
574 
575 	if (current != NULL)
576 		current->iap_next = ret;
577 	else
578 		parent->ips_acts = ret;
579 
580 	parent->ips_act_cnt++;
581 
582 	return (ret);
583 }
584 
585 /*
586  * This function exit()s if it fails.
587  */
588 static void
589 fetch_algorithms()
590 {
591 	struct spd_msg msg;
592 	struct spd_ext_actions *actp;
593 	struct spd_attribute *attr, *endattr;
594 	spd_ext_t *exts[SPD_EXT_MAX+1];
595 	uint64_t reply_buf[256];
596 	int sfd;
597 	int cnt, retval;
598 	uint64_t *start, *end;
599 	alginfo_t alg = {0, 0, 0, 0, 0};
600 	uint_t algtype;
601 	static boolean_t has_run = B_FALSE;
602 
603 	if (has_run)
604 		return;
605 	else
606 		has_run = B_TRUE;
607 
608 	sfd = get_pf_pol_socket();
609 	if (sfd < 0) {
610 		err(-1, gettext("unable to open policy socket"));
611 	}
612 
613 	(void) memset(&msg, 0, sizeof (msg));
614 	msg.spd_msg_version = PF_POLICY_V1;
615 	msg.spd_msg_type = SPD_ALGLIST;
616 	msg.spd_msg_len = SPD_8TO64(sizeof (msg));
617 
618 	cnt = write(sfd, &msg, sizeof (msg));
619 	if (cnt != sizeof (msg)) {
620 		if (cnt < 0) {
621 			err(-1, gettext("alglist failed: write"));
622 		} else {
623 			errx(-1, gettext("alglist failed: short write"));
624 		}
625 	}
626 
627 	cnt = read(sfd, reply_buf, sizeof (reply_buf));
628 
629 	retval = spdsock_get_ext(exts, (spd_msg_t *)reply_buf, SPD_8TO64(cnt),
630 	    spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN);
631 
632 	if (retval == KGE_LEN && exts[0]->spd_ext_len == 0) {
633 		/*
634 		 * No algorithms are defined in the kernel, which caused
635 		 * the extension length to be zero, and spdsock_get_ext()
636 		 * to fail with a KGE_LEN error. This is not an error
637 		 * condition, so we return nicely.
638 		 */
639 		return;
640 	} else if (retval != 0) {
641 		if (strlen(spdsock_diag_buf) != 0)
642 			warnx(spdsock_diag_buf);
643 		err(1, gettext("fetch_algorithms failed"));
644 	}
645 
646 	if (!exts[SPD_EXT_ACTION]) {
647 		errx(1, gettext("fetch_algorithms: action missing?!"));
648 	}
649 
650 	actp = (struct spd_ext_actions *)exts[SPD_EXT_ACTION];
651 	start = (uint64_t *)actp;
652 	end = (start + actp->spd_actions_len);
653 	endattr = (struct spd_attribute *)end;
654 	attr = (struct spd_attribute *)&actp[1];
655 
656 	algtype = 0;
657 
658 	while (attr < endattr) {
659 		switch (attr->spd_attr_tag) {
660 		case SPD_ATTR_NOP:
661 		case SPD_ATTR_EMPTY:
662 			break;
663 		case SPD_ATTR_END:
664 			attr = endattr;
665 			/* FALLTHRU */
666 		case SPD_ATTR_NEXT:
667 			known_algs[algtype][ipsec_nalgs[algtype]] = alg;
668 			ipsec_nalgs[algtype]++;
669 			break;
670 
671 		case SPD_ATTR_ENCR_MINBITS:
672 		case SPD_ATTR_AH_MINBITS:
673 		case SPD_ATTR_ESPA_MINBITS:
674 			alg.minkeybits = attr->spd_attr_value;
675 			break;
676 
677 		case SPD_ATTR_ENCR_MAXBITS:
678 		case SPD_ATTR_AH_MAXBITS:
679 		case SPD_ATTR_ESPA_MAXBITS:
680 			alg.maxkeybits = attr->spd_attr_value;
681 			break;
682 
683 		case SPD_ATTR_ENCR_DEFBITS:
684 		case SPD_ATTR_AH_DEFBITS:
685 		case SPD_ATTR_ESPA_DEFBITS:
686 			alg.defkeybits = attr->spd_attr_value;
687 			break;
688 
689 		case SPD_ATTR_ENCR_INCRBITS:
690 		case SPD_ATTR_AH_INCRBITS:
691 		case SPD_ATTR_ESPA_INCRBITS:
692 			alg.incr = attr->spd_attr_value;
693 			break;
694 
695 		case SPD_ATTR_AH_AUTH:
696 		case SPD_ATTR_ESP_AUTH:
697 		case SPD_ATTR_ESP_ENCR:
698 			alg.id = attr->spd_attr_value;
699 			algtype = attr->spd_attr_tag - SPD_ATTR_AH_AUTH;
700 			break;
701 		}
702 		attr++;
703 	}
704 
705 	(void) close(sfd);
706 }
707 
708 /* data dependant transform (act_cnt) */
709 #define	ATTR(ap, tag, value) \
710 do { (ap)->spd_attr_tag = (tag); \
711 	(ap)->spd_attr_value = (value); \
712 	ap++; } while (0)
713 
714 static struct spd_attribute *
715 emit_alg(struct spd_attribute *ap, int type, const algreq_t *ar,
716     int algattr, int minbitattr, int maxbitattr)
717 {
718 	int id = ar->alg_id;
719 	int minbits, i;
720 
721 	if (id != 0) {
722 		/* LINTED E_CONST_COND */
723 		ATTR(ap, algattr, ar->alg_id);
724 
725 		minbits = ar->alg_minbits;
726 		if (minbits == 0) {
727 			for (i = 0; i < ipsec_nalgs[type]; i++) {
728 				if (known_algs[type][i].id == id)
729 					break;
730 			}
731 			if (i < ipsec_nalgs[type])
732 				minbits = known_algs[type][i].defkeybits;
733 		}
734 		if (minbits != 0)
735 			/* LINTED E_CONST_COND */
736 			ATTR(ap, minbitattr, minbits);
737 		if (ar->alg_maxbits != SPD_MAX_MAXBITS)
738 			/* LINTED E_CONST_COND */
739 			ATTR(ap, maxbitattr, ar->alg_maxbits);
740 	}
741 
742 	return (ap);
743 }
744 
745 
746 
747 static struct spd_attribute *
748 ips_act_props_to_action(struct spd_attribute *ap, uint32_t *rule_priorityp,
749     const ips_act_props_t *act_ptr)
750 {
751 	uint32_t rule_priority = *rule_priorityp;
752 
753 	/* LINTED E_CONST_COND */
754 	ATTR(ap, SPD_ATTR_EMPTY, 0);
755 
756 	/* type */
757 	/* LINTED E_CONST_COND */
758 	ATTR(ap, SPD_ATTR_TYPE, act_ptr->iap_action);
759 
760 	if (act_ptr->iap_action == SPD_ACTTYPE_PASS)
761 		rule_priority |= BYPASS_POLICY_BOOST;
762 
763 	/* flags */
764 	if (act_ptr->iap_attr != 0)
765 		/* LINTED E_CONST_COND */
766 		ATTR(ap, SPD_ATTR_FLAGS, act_ptr->iap_attr);
767 
768 	/* esp */
769 	if (act_ptr->iap_attr & SPD_APPLY_ESP) {
770 		rule_priority |= ESP_POLICY_BOOST;
771 
772 		/* encr */
773 		ap = emit_alg(ap, ESP_ENCR, &act_ptr->iap_eencr,
774 		    SPD_ATTR_ESP_ENCR,
775 		    SPD_ATTR_ENCR_MINBITS, SPD_ATTR_ENCR_MAXBITS);
776 
777 		/* auth */
778 		ap = emit_alg(ap, ESP_AUTH, &act_ptr->iap_eauth,
779 		    SPD_ATTR_ESP_AUTH,
780 		    SPD_ATTR_ESPA_MINBITS, SPD_ATTR_ESPA_MAXBITS);
781 	}
782 
783 	/* ah */
784 	if (act_ptr->iap_attr & SPD_APPLY_AH) {
785 		rule_priority |= AH_POLICY_BOOST;
786 		/* auth */
787 		ap = emit_alg(ap, AH_AUTH, &act_ptr->iap_aauth,
788 		    SPD_ATTR_AH_AUTH,
789 		    SPD_ATTR_AH_MINBITS, SPD_ATTR_AH_MAXBITS);
790 	}
791 
792 	/* lifetimes */
793 	if (act_ptr->iap_life_soft_time != 0)
794 		/* LINTED E_CONST_COND */
795 		ATTR(ap, SPD_ATTR_LIFE_SOFT_TIME, act_ptr->iap_life_soft_time);
796 	if (act_ptr->iap_life_hard_time != 0)
797 		/* LINTED E_CONST_COND */
798 		ATTR(ap, SPD_ATTR_LIFE_HARD_TIME, act_ptr->iap_life_hard_time);
799 	if (act_ptr->iap_life_soft_bytes != 0)
800 		/* LINTED E_CONST_COND */
801 		ATTR(ap, SPD_ATTR_LIFE_SOFT_BYTES,
802 		    act_ptr->iap_life_soft_bytes);
803 	if (act_ptr->iap_life_hard_bytes != 0)
804 		/* LINTED E_CONST_COND */
805 		ATTR(ap, SPD_ATTR_LIFE_HARD_BYTES,
806 		    act_ptr->iap_life_hard_bytes);
807 
808 	/* LINTED E_CONST_COND */
809 	ATTR(ap, SPD_ATTR_NEXT, 0);
810 
811 	*rule_priorityp = rule_priority;
812 
813 	return (ap);
814 }
815 
816 static boolean_t
817 alg_rangecheck(uint_t type, uint_t algid, const algreq_t *ar)
818 {
819 	int i;
820 	uint_t minbits = ar->alg_minbits;
821 	uint_t maxbits = ar->alg_maxbits;
822 
823 	for (i = 0; i < ipsec_nalgs[type]; i++) {
824 		if (known_algs[type][i].id == algid)
825 			break;
826 	}
827 
828 	if (i >= ipsec_nalgs[type]) {
829 		/*
830 		 * The kernel (where we populate known_algs from) doesn't
831 		 * return the id's associated with NONE algorithms so we
832 		 * test here if this was the reason the algorithm wasn't
833 		 * found before wrongly failing.
834 		 */
835 		if (((type == ESP_ENCR) && (algid == SADB_EALG_NONE)) ||
836 		    ((type == ESP_AUTH) && (algid == SADB_AALG_NONE)) ||
837 		    ((type == AH_AUTH) && (algid == SADB_AALG_NONE))) {
838 			return (B_TRUE);
839 		} else {
840 			return (B_FALSE); /* not found */
841 		}
842 	}
843 
844 	if ((minbits == 0) && (maxbits == 0))
845 		return (B_TRUE);
846 
847 	minbits = MAX(minbits, known_algs[type][i].minkeybits);
848 	maxbits = MIN(maxbits, known_algs[type][i].maxkeybits);
849 
850 	/* we could also check key increments here.. */
851 	return (minbits <= maxbits); /* non-null intersection */
852 }
853 
854 /*
855  * Inspired by uts/common/inet/spd.c:ipsec_act_wildcard_expand()
856  */
857 
858 static struct spd_attribute *
859 ips_act_wild_props_to_action(struct spd_attribute *ap,
860     uint32_t *rule_priorityp, uint16_t *act_cntp,
861     const ips_act_props_t *act_ptr)
862 {
863 	ips_act_props_t tact = *act_ptr;
864 	boolean_t use_ah, use_esp, use_espa;
865 	boolean_t wild_auth, wild_encr, wild_eauth;
866 	uint_t	auth_alg, auth_idx, auth_min, auth_max;
867 	uint_t	eauth_alg, eauth_idx, eauth_min, eauth_max;
868 	uint_t  encr_alg, encr_idx, encr_min, encr_max;
869 
870 	use_ah = !!(act_ptr->iap_attr & SPD_APPLY_AH);
871 	use_esp = !!(act_ptr->iap_attr & SPD_APPLY_ESP);
872 	use_espa = !!(act_ptr->iap_attr & SPD_APPLY_ESPA);
873 	auth_alg = act_ptr->iap_aauth.alg_id;
874 	eauth_alg = act_ptr->iap_eauth.alg_id;
875 	encr_alg = act_ptr->iap_eencr.alg_id;
876 
877 	wild_auth = use_ah && (auth_alg == SADB_AALG_NONE);
878 	wild_eauth = use_espa && (eauth_alg == SADB_AALG_NONE);
879 	wild_encr = use_esp && (encr_alg == SADB_EALG_NONE);
880 
881 	auth_min = auth_max = auth_alg;
882 	eauth_min = eauth_max = eauth_alg;
883 	encr_min = encr_max = encr_alg;
884 
885 	/*
886 	 * set up for explosion.. for each dimension, expand output
887 	 * size by the explosion factor.
888 	 */
889 	if (wild_auth) {
890 		auth_min = 0;
891 		auth_max = ipsec_nalgs[AH_AUTH] - 1;
892 	}
893 	if (wild_eauth) {
894 		eauth_min = 0;
895 		eauth_max = ipsec_nalgs[ESP_AUTH] - 1;
896 	}
897 	if (wild_encr) {
898 		encr_min = 0;
899 		encr_max = ipsec_nalgs[ESP_ENCR] - 1;
900 	}
901 
902 #define	WHICH_ALG(type, wild, idx) ((wild)?(known_algs[type][idx].id):(idx))
903 
904 	for (encr_idx = encr_min; encr_idx <= encr_max; encr_idx++) {
905 		encr_alg = WHICH_ALG(ESP_ENCR, wild_encr, encr_idx);
906 
907 		if (use_esp &&
908 		    !alg_rangecheck(ESP_ENCR, encr_alg, &act_ptr->iap_eencr))
909 			continue;
910 
911 		for (auth_idx = auth_min; auth_idx <= auth_max; auth_idx++) {
912 			auth_alg = WHICH_ALG(AH_AUTH, wild_auth, auth_idx);
913 
914 			if (use_ah &&
915 			    !alg_rangecheck(AH_AUTH, auth_alg,
916 				&act_ptr->iap_aauth))
917 				continue;
918 
919 
920 			for (eauth_idx = eauth_min; eauth_idx <= eauth_max;
921 			    eauth_idx++) {
922 				eauth_alg = WHICH_ALG(ESP_AUTH, wild_eauth,
923 				    eauth_idx);
924 
925 				if (use_espa &&
926 				    !alg_rangecheck(ESP_AUTH, eauth_alg,
927 				    &act_ptr->iap_eauth))
928 					continue;
929 
930 				tact.iap_eencr.alg_id = encr_alg;
931 				tact.iap_eauth.alg_id = eauth_alg;
932 				tact.iap_aauth.alg_id = auth_alg;
933 
934 				(*act_cntp)++;
935 				ap = ips_act_props_to_action(ap,
936 				    rule_priorityp, &tact);
937 			}
938 		}
939 	}
940 
941 #undef WHICH_ALG
942 
943 	return (ap);
944 }
945 
946 /* huge, but not safe since no length checking is done */
947 #define	MAX_POL_MSG_LEN 16384
948 
949 
950 /*
951  * hand in some ips_conf_t's, get back an
952  * iovec of pfpol messages.
953  * this function converts the internal ips_conf_t into
954  * a form that pf_pol can use.
955  * return 0 on success, 1 on failure
956  */
957 static int
958 ips_conf_to_pfpol_msg(int ipsec_cmd, ips_conf_t *inConf, int num_ips,
959     struct iovec *msg)
960 {
961 	int i;
962 	ips_conf_t *conf;
963 	uint64_t *scratch = NULL;
964 
965 	for (i = 0; i < num_ips; i++) {
966 		uint16_t *msg_len;
967 		uint16_t act_cnt = 0;
968 		uint64_t *next = NULL;
969 		spd_msg_t *spd_msg;
970 		spd_address_t *spd_address;
971 		struct spd_rule *spd_rule;
972 		struct spd_proto *spd_proto;
973 		struct spd_portrange *spd_portrange;
974 		struct spd_ext_actions *spd_ext_actions;
975 		struct spd_attribute *ap;
976 		struct spd_typecode *spd_typecode;
977 		spd_if_t *spd_if;
978 		ips_act_props_t *act_ptr;
979 		uint32_t rule_priority = 0;
980 
981 		scratch = calloc(1, MAX_POL_MSG_LEN);
982 		msg[i].iov_base = (char *)scratch;
983 		if (scratch == NULL) {
984 			warn(gettext("memory"));
985 			return (1);
986 		}
987 		conf = &(inConf[i]);
988 
989 		spd_msg = (spd_msg_t *)scratch;
990 		next = (uint64_t *)&(spd_msg[1]);
991 
992 		msg_len = &(spd_msg->spd_msg_len);
993 
994 		spd_msg->spd_msg_version = PF_POLICY_V1;
995 		spd_msg->spd_msg_pid = getpid();
996 		spd_msg->spd_msg_seq = ++seq_cnt;
997 
998 		switch (ipsec_cmd) {
999 		case SPD_ADDRULE:
1000 			spd_msg->spd_msg_type = SPD_ADDRULE;
1001 			break;
1002 
1003 		default:
1004 			warnx("%s %d", gettext("bad command:"), ipsec_cmd);
1005 			spd_msg->spd_msg_type = SPD_ADDRULE;
1006 			break;
1007 		}
1008 
1009 		/*
1010 		 * SELECTOR
1011 		 */
1012 
1013 		spd_msg->spd_msg_spdid = SPD_STANDBY;
1014 
1015 		/* rule */
1016 		spd_rule = (struct spd_rule *)next;
1017 
1018 		spd_rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule));
1019 		spd_rule->spd_rule_type = SPD_EXT_RULE;
1020 		spd_rule->spd_rule_flags = conf->ips_dir;
1021 		if (conf->ips_tunnel)
1022 			spd_rule->spd_rule_flags |= SPD_RULE_FLAG_TUNNEL;
1023 
1024 		next = (uint64_t *)&(spd_rule[1]);
1025 
1026 		/* proto */
1027 		if (conf->ips_ulp_prot != 0) {
1028 			spd_proto = (struct spd_proto *)next;
1029 			spd_proto->spd_proto_len =
1030 				SPD_8TO64(sizeof (struct spd_proto));
1031 			spd_proto->spd_proto_exttype = SPD_EXT_PROTO;
1032 			spd_proto->spd_proto_number = conf->ips_ulp_prot;
1033 			next = (uint64_t *)&(spd_proto[1]);
1034 		}
1035 
1036 		/* tunnel */
1037 		if (conf->has_tunnel != 0) {
1038 			spd_if = (spd_if_t *)next;
1039 			spd_if->spd_if_len =
1040 			    SPD_8TO64(P2ROUNDUP(strlen(tunif) + 1, 8) +
1041 			    sizeof (spd_if_t));
1042 			spd_if->spd_if_exttype = SPD_EXT_TUN_NAME;
1043 			(void) strlcpy((char *)spd_if->spd_if_name, tunif,
1044 				TUNNAMEMAXLEN);
1045 			next = (uint64_t *)(spd_if) + spd_if->spd_if_len;
1046 		}
1047 
1048 		/* icmp type/code */
1049 		if (conf->ips_ulp_prot == IPPROTO_ICMP ||
1050 		    conf->ips_ulp_prot == IPPROTO_ICMPV6) {
1051 			if (conf->has_type) {
1052 				spd_typecode = (struct spd_typecode *)next;
1053 				spd_typecode->spd_typecode_len =
1054 				    SPD_8TO64(sizeof (struct spd_typecode));
1055 				spd_typecode->spd_typecode_exttype =
1056 				    SPD_EXT_ICMP_TYPECODE;
1057 				spd_typecode->spd_typecode_type =
1058 				    conf->ips_icmp_type;
1059 				spd_typecode->spd_typecode_type_end =
1060 				    conf->ips_icmp_type_end;
1061 				if (conf->has_code) {
1062 					spd_typecode->spd_typecode_code =
1063 					    conf->ips_icmp_code;
1064 					spd_typecode->spd_typecode_code_end =
1065 					    conf->ips_icmp_code_end;
1066 				} else {
1067 					spd_typecode->spd_typecode_code = 255;
1068 					spd_typecode->spd_typecode_code_end
1069 					    = 255;
1070 				}
1071 				next = (uint64_t *)&(spd_typecode[1]);
1072 			}
1073 		}
1074 
1075 		/* src port */
1076 		if (conf->ips_src_port_min != 0 ||
1077 		    conf->ips_src_port_max != 0) {
1078 			spd_portrange = (struct spd_portrange *)next;
1079 			spd_portrange->spd_ports_len =
1080 				SPD_8TO64(sizeof (struct spd_portrange));
1081 			spd_portrange->spd_ports_exttype =
1082 				(conf->swap)?SPD_EXT_REMPORT:SPD_EXT_LCLPORT;
1083 			spd_portrange->spd_ports_minport =
1084 				conf->ips_src_port_min;
1085 			spd_portrange->spd_ports_maxport =
1086 				conf->ips_src_port_max;
1087 			next = (uint64_t *)&(spd_portrange[1]);
1088 		}
1089 		/* dst port */
1090 		if (conf->ips_dst_port_min != 0 ||
1091 		    conf->ips_dst_port_max != 0) {
1092 			spd_portrange = (struct spd_portrange *)next;
1093 			spd_portrange->spd_ports_len =
1094 				SPD_8TO64(sizeof (struct spd_portrange));
1095 			spd_portrange->spd_ports_exttype =
1096 				(conf->swap)?SPD_EXT_LCLPORT:SPD_EXT_REMPORT;
1097 			spd_portrange->spd_ports_minport =
1098 				conf->ips_dst_port_min;
1099 			spd_portrange->spd_ports_maxport =
1100 				conf->ips_dst_port_max;
1101 			next = (uint64_t *)&(spd_portrange[1]);
1102 		}
1103 
1104 		/* saddr */
1105 		if (conf->has_saddr) {
1106 			spd_address = (spd_address_t *)next;
1107 			next = (uint64_t *)(spd_address + 1);
1108 
1109 			spd_address->spd_address_exttype =
1110 				(conf->swap)?SPD_EXT_REMADDR:SPD_EXT_LCLADDR;
1111 			spd_address->spd_address_prefixlen =
1112 				conf->ips_src_mask_len;
1113 
1114 			if (conf->ips_isv4) {
1115 				spd_address->spd_address_af = AF_INET;
1116 				(void) memcpy(next, &(conf->ips_src_addr),
1117 				sizeof (ipaddr_t));
1118 				spd_address->spd_address_len = 2;
1119 				next += SPD_8TO64(sizeof (ipaddr_t) + 4);
1120 				if (!conf->has_smask)
1121 					spd_address->spd_address_prefixlen = 32;
1122 			} else {
1123 				spd_address->spd_address_af = AF_INET6;
1124 				(void) memcpy(next, &(conf->ips_src_addr_v6),
1125 				    sizeof (in6_addr_t));
1126 				spd_address->spd_address_len = 3;
1127 				next += SPD_8TO64(sizeof (in6_addr_t));
1128 				if (!conf->has_smask)
1129 					spd_address->spd_address_prefixlen
1130 						= 128;
1131 			}
1132 		}
1133 
1134 		/* daddr */
1135 		if (conf->has_daddr) {
1136 			spd_address = (spd_address_t *)next;
1137 
1138 			next = (uint64_t *)(spd_address + 1);
1139 
1140 			spd_address->spd_address_exttype =
1141 				(conf->swap)?SPD_EXT_LCLADDR:SPD_EXT_REMADDR;
1142 			spd_address->spd_address_prefixlen =
1143 				conf->ips_dst_mask_len;
1144 
1145 			if (conf->ips_isv4) {
1146 				spd_address->spd_address_af = AF_INET;
1147 				(void) memcpy(next, &conf->ips_dst_addr,
1148 				    sizeof (ipaddr_t));
1149 				spd_address->spd_address_len = 2;
1150 				/* "+ 4" below is for padding. */
1151 				next += SPD_8TO64(sizeof (ipaddr_t) + 4);
1152 				if (!conf->has_dmask)
1153 					spd_address->spd_address_prefixlen = 32;
1154 			} else {
1155 				spd_address->spd_address_af = AF_INET6;
1156 				(void) memcpy(next, &(conf->ips_dst_addr_v6),
1157 				    sizeof (in6_addr_t));
1158 				spd_address->spd_address_len = 3;
1159 				next += SPD_8TO64(sizeof (in6_addr_t));
1160 				if (!conf->has_dmask)
1161 					spd_address->spd_address_prefixlen
1162 						= 128;
1163 			}
1164 		}
1165 
1166 		/* actions */
1167 		spd_ext_actions = (struct spd_ext_actions *)next;
1168 
1169 		spd_ext_actions->spd_actions_exttype = SPD_EXT_ACTION;
1170 
1171 		act_ptr = conf->ips_acts;
1172 		ap = (struct spd_attribute *)(&spd_ext_actions[1]);
1173 
1174 		rule_priority = priority--;
1175 
1176 		for (act_ptr = conf->ips_acts; act_ptr != NULL;
1177 		    act_ptr = act_ptr->iap_next) {
1178 			ap = ips_act_wild_props_to_action(ap, &rule_priority,
1179 			    &act_cnt, act_ptr);
1180 		}
1181 		ap[-1].spd_attr_tag = SPD_ATTR_END;
1182 
1183 		next = (uint64_t *)ap;
1184 
1185 		spd_rule->spd_rule_priority = rule_priority;
1186 
1187 		msg[i].iov_len = (uintptr_t)next - (uintptr_t)msg[i].iov_base;
1188 		*msg_len = (uint16_t)SPD_8TO64(msg[i].iov_len);
1189 		spd_ext_actions->spd_actions_count = act_cnt;
1190 		spd_ext_actions->spd_actions_len =
1191 		    SPD_8TO64((uintptr_t)next - (uintptr_t)spd_ext_actions);
1192 #ifdef DEBUG_HEAVY
1193 		printf("pfpol msg len in uint64_t's = %d\n", *msg_len);
1194 		printf("pfpol test_len in bytes = %d\n", msg[i].iov_len);
1195 		pfpol_msg_dump((spd_msg_t *)scratch,
1196 		    "ips_conf_to_pfpol_msg");
1197 #endif
1198 	}
1199 
1200 #undef ATTR
1201 	return (0);
1202 }
1203 
1204 static int
1205 get_pf_pol_socket(void)
1206 {
1207 	int s = socket(PF_POLICY, SOCK_RAW, PF_POLICY_V1);
1208 	if (s < 0) {
1209 		if (errno == EPERM) {
1210 			EXIT_BADPERM("Insufficient privileges to open "
1211 			    "PF_POLICY socket.");
1212 		} else {
1213 			warn(gettext("(loading pf_policy) socket:"));
1214 		}
1215 	}
1216 
1217 	return (s);
1218 }
1219 
1220 
1221 static int
1222 send_pf_pol_message(int ipsec_cmd, ips_conf_t *conf, int *diag)
1223 {
1224 	int retval;
1225 	int cnt;
1226 	int total_len;
1227 	struct iovec polmsg;
1228 	spd_msg_t *return_buf;
1229 	spd_ext_t *exts[SPD_EXT_MAX+1];
1230 	int fd = get_pf_pol_socket();
1231 
1232 	*diag = 0;
1233 
1234 	if (fd < 0)
1235 		return (EBADF);
1236 
1237 	retval = ips_conf_to_pfpol_msg(ipsec_cmd, conf, 1, &polmsg);
1238 
1239 	if (retval) {
1240 		(void) close(fd);
1241 		return (ENOMEM);
1242 	}
1243 
1244 	total_len = polmsg.iov_len;
1245 
1246 	cnt = writev(fd, &polmsg, 1);
1247 
1248 #ifdef DEBUG_HEAVY
1249 	(void) printf("cnt = %d\n", cnt);
1250 #endif
1251 	if (cnt < 0) {
1252 		warn(gettext("pf_pol write"));
1253 	} else {
1254 		return_buf = (spd_msg_t *)calloc(total_len, 1);
1255 
1256 		if (return_buf == NULL) {
1257 			warn(gettext("memory"));
1258 		} else {
1259 			cnt = read(fd, (void*)return_buf, total_len);
1260 #ifdef	DEBUG_HEAVY
1261 			(void) printf("pf_pol read: cnt = %d(%d)\n", cnt,
1262 			    total_len);
1263 #endif
1264 
1265 			if (cnt > 8 && return_buf->spd_msg_errno) {
1266 				*diag = return_buf->spd_msg_diagnostic;
1267 				if (!ipsecconf_qflag) {
1268 					warnx("%s: %s",
1269 					    gettext("Kernel returned"),
1270 					    sys_error_message(
1271 					    return_buf->spd_msg_errno));
1272 				}
1273 				if (*diag != 0)
1274 					(void) printf(gettext(
1275 					    "\t(spdsock diagnostic: %s)\n"),
1276 					    spdsock_diag(*diag));
1277 #ifdef DEBUG_HEAVY
1278 				pfpol_msg_dump((spd_msg_t *)polmsg.iov_base,
1279 				    "message in");
1280 				pfpol_msg_dump(return_buf,
1281 				    "send_pf_pol_message");
1282 #endif
1283 				retval = return_buf->spd_msg_errno;
1284 				free(return_buf);
1285 				free(polmsg.iov_base);
1286 				(void) close(fd);
1287 				return (retval);
1288 			}
1289 
1290 			retval = spdsock_get_ext(exts, return_buf,
1291 			    return_buf->spd_msg_len, NULL, 0);
1292 			/* ignore retval */
1293 
1294 			if (exts[SPD_EXT_RULE]) {
1295 				conf->ips_policy_index =
1296 				    ((struct spd_rule *)
1297 					exts[SPD_EXT_RULE])->spd_rule_index;
1298 
1299 				if (add_index(conf->ips_policy_index)) {
1300 					free(return_buf);
1301 					free(polmsg.iov_base);
1302 					(void) close(fd);
1303 					return (ENOMEM);
1304 				}
1305 			}
1306 
1307 			free(return_buf);
1308 		}
1309 	}
1310 
1311 	free(polmsg.iov_base);
1312 	(void) close(fd);
1313 
1314 	return (0);
1315 
1316 }
1317 
1318 int
1319 main(int argc, char *argv[])
1320 {
1321 	int ret, flushret;
1322 	int c;
1323 	int index;
1324 	boolean_t smf_managed;
1325 	boolean_t just_check = B_FALSE;
1326 
1327 	char *smf_warning = gettext(
1328 		"\n\tIPsec policy should be managed using smf(5). Modifying\n"
1329 		"\tthe IPsec policy from the command line while the 'policy'\n"
1330 		"\tservice is enabled could result in an inconsistent\n"
1331 		"\tsecurity policy.\n\n");
1332 
1333 	flushret = 0;
1334 
1335 	(void) setlocale(LC_ALL, "");
1336 #if !defined(TEXT_DOMAIN)
1337 #define	TEXT_DOMAIN "SYS_TEST"
1338 #endif
1339 	(void) textdomain(TEXT_DOMAIN);
1340 
1341 	openlog("ipsecconf", LOG_CONS, LOG_AUTH);
1342 
1343 	/*
1344 	 * We don't immediately check for privilege here. This is done by IP
1345 	 * when we open /dev/ip below.
1346 	 */
1347 
1348 	if (argc == 1) {
1349 		cmd = IPSEC_CONF_VIEW;
1350 		goto done;
1351 	}
1352 	my_fmri = getenv("SMF_FMRI");
1353 	if (my_fmri == NULL)
1354 		smf_managed = B_FALSE;
1355 	else
1356 		smf_managed = B_TRUE;
1357 
1358 	while ((c = getopt(argc, argv, "nlfLFa:qd:r:i:c:")) != EOF) {
1359 		switch (c) {
1360 		case 'F':
1361 			if (interface_name != NULL) {
1362 				USAGE();
1363 				EXIT_FATAL("interface name not required.");
1364 			}
1365 			/* Apply to all policy heads - global and tunnels. */
1366 			interface_name = &all_polheads;
1367 			/* FALLTHRU */
1368 		case 'f':
1369 			/* Only one command at a time */
1370 			if (cmd != 0) {
1371 				USAGE();
1372 				EXIT_FATAL("Multiple commands specified");
1373 			}
1374 			cmd = IPSEC_CONF_FLUSH;
1375 			break;
1376 		case 'L':
1377 			if (interface_name != NULL) {
1378 				USAGE();
1379 				EXIT_FATAL("interface name not required.");
1380 			}
1381 			/* Apply to all policy heads - global and tunnels. */
1382 			interface_name = &all_polheads;
1383 			/* FALLTHRU */
1384 		case 'l':
1385 			/* Only one command at a time */
1386 			if (cmd != 0) {
1387 				USAGE();
1388 				EXIT_FATAL("Multiple commands specified");
1389 			}
1390 			cmd = IPSEC_CONF_LIST;
1391 			break;
1392 		case 'c':
1393 			just_check = B_TRUE;
1394 			ipsecconf_qflag++;
1395 			/* FALLTHRU */
1396 		case 'a':
1397 			/* Only one command at a time, and no interface name */
1398 			if (cmd != 0 || interface_name != NULL) {
1399 				USAGE();
1400 				EXIT_FATAL("Multiple commands or interface "
1401 				    "not required.");
1402 			}
1403 			cmd = IPSEC_CONF_ADD;
1404 			filename = optarg;
1405 			break;
1406 		case 'd':
1407 			/*
1408 			 * Only one command at a time.  Interface name is
1409 			 * optional.
1410 			 */
1411 			if (cmd != 0) {
1412 				USAGE();
1413 				EXIT_FATAL("Multiple commands specified");
1414 			}
1415 			cmd = IPSEC_CONF_DEL;
1416 			index = parse_index(optarg, NULL);
1417 			break;
1418 		case 'n' :
1419 			ipsecconf_nflag++;
1420 			break;
1421 		case 'q' :
1422 			ipsecconf_qflag++;
1423 			break;
1424 		case 'r' :
1425 			/* Only one command at a time, and no interface name */
1426 			if (cmd != 0 || interface_name != NULL) {
1427 				USAGE();
1428 				EXIT_FATAL("Multiple commands or interface "
1429 				    "not required.");
1430 			}
1431 			cmd = IPSEC_CONF_SUB;
1432 			filename = optarg;
1433 			break;
1434 		case 'i':
1435 			if (interface_name != NULL) {
1436 				EXIT_FATAL("Interface name already selected");
1437 			}
1438 			interface_name = optarg;
1439 			/* Check for some cretin using the all-polheads name. */
1440 			if (strlen(optarg) == 0) {
1441 				USAGE();
1442 				EXIT_FATAL("Invalid interface name.");
1443 			}
1444 			break;
1445 		default :
1446 			USAGE();
1447 			EXIT_FATAL("Bad usage.");
1448 		}
1449 	}
1450 
1451 done:
1452 	ret = 0;
1453 	lfd = lock();
1454 
1455 	/*
1456 	 * ADD, FLUSH, DELETE needs to do two operations.
1457 	 *
1458 	 * 1) Update/delete/empty the POLICY_CONF_FILE.
1459 	 * 2) Make an ioctl and tell IP to update its state.
1460 	 *
1461 	 * We already lock()ed so that only one instance of this
1462 	 * program runs. We also need to make sure that the above
1463 	 * operations are atomic i.e we don't want to update the file
1464 	 * and get interrupted before we could tell IP. To make it
1465 	 * atomic we block all the signals and restore them.
1466 	 */
1467 	switch (cmd) {
1468 	case IPSEC_CONF_LIST:
1469 		fetch_algorithms();
1470 		ret = ipsec_conf_list();
1471 		break;
1472 	case IPSEC_CONF_FLUSH:
1473 		if ((ret = block_all_signals()) == -1) {
1474 			break;
1475 		}
1476 		if (!smf_managed && !ipsecconf_qflag)
1477 			(void) fprintf(stdout, "%s", smf_warning);
1478 		ret = ipsec_conf_flush(SPD_ACTIVE);
1479 		(void) restore_all_signals();
1480 		break;
1481 	case IPSEC_CONF_VIEW:
1482 		if (interface_name != NULL) {
1483 			EXIT_FATAL("Cannot view for one interface only.");
1484 		}
1485 		ret = ipsec_conf_view();
1486 		break;
1487 	case IPSEC_CONF_DEL:
1488 		if (index == -1) {
1489 			warnx(gettext("Invalid index"));
1490 			ret = -1;
1491 			break;
1492 		}
1493 		if ((ret = block_all_signals()) == -1) {
1494 			break;
1495 		}
1496 		if (!smf_managed && !ipsecconf_qflag)
1497 			(void) fprintf(stdout, "%s", smf_warning);
1498 		ret = ipsec_conf_del(index, B_FALSE);
1499 		(void) restore_all_signals();
1500 		flushret = ipsec_conf_flush(SPD_STANDBY);
1501 		break;
1502 	case IPSEC_CONF_ADD:
1503 		/*
1504 		 * The IPsec kernel modules should only be loaded
1505 		 * if there is a policy to install, for this
1506 		 * reason ipsec_conf_add() calls fetch_algorithms()
1507 		 * and ipsec_conf_flush() only when appropriate.
1508 		 */
1509 		if ((ret = block_all_signals()) == -1) {
1510 			break;
1511 		}
1512 		if (!smf_managed && !ipsecconf_qflag)
1513 			(void) fprintf(stdout, "%s", smf_warning);
1514 		ret = ipsec_conf_add(just_check, smf_managed);
1515 		(void) restore_all_signals();
1516 		break;
1517 	case IPSEC_CONF_SUB:
1518 		fetch_algorithms();
1519 		if ((ret = block_all_signals()) == -1) {
1520 			break;
1521 		}
1522 		if (!smf_managed && !ipsecconf_qflag)
1523 			(void) fprintf(stdout, "%s", smf_warning);
1524 		ret = ipsec_conf_sub();
1525 		(void) restore_all_signals();
1526 		flushret = ipsec_conf_flush(SPD_STANDBY);
1527 		break;
1528 	default :
1529 		/* If no argument is given but a "-" */
1530 		USAGE();
1531 		EXIT_FATAL("Bad usage.");
1532 	}
1533 
1534 	(void) unlock(lfd);
1535 	if (ret != 0 || flushret != 0)
1536 		ret = 1;
1537 	return (ret);
1538 }
1539 
1540 static void
1541 perm_check(void)
1542 {
1543 	if (errno == EACCES)
1544 		EXIT_BADPERM("Insufficient privilege to run ipsecconf.");
1545 	else
1546 		warn(gettext("Cannot open lock file %s"), LOCK_FILE);
1547 
1548 	EXIT_BADPERM(NULL);
1549 }
1550 
1551 static int
1552 lock()
1553 {
1554 	int fd;
1555 	struct stat sbuf1;
1556 	struct stat sbuf2;
1557 
1558 	/*
1559 	 * Open the file with O_CREAT|O_EXCL. If it exists already, it
1560 	 * will fail. If it already exists, check whether it looks like
1561 	 * the one we created.
1562 	 */
1563 	(void) umask(0077);
1564 	if ((fd = open(LOCK_FILE, O_EXCL|O_CREAT|O_RDWR, S_IRUSR|S_IWUSR))
1565 	    == -1) {
1566 		if (errno != EEXIST) {
1567 			/* Some other problem. Will exit. */
1568 			perm_check();
1569 		}
1570 
1571 		/*
1572 		 * open() returned an EEXIST error. We don't fail yet
1573 		 * as it could be a residual from a previous
1574 		 * execution.
1575 		 * File exists. make sure it is OK. We need to lstat()
1576 		 * as fstat() stats the file pointed to by the symbolic
1577 		 * link.
1578 		 */
1579 		if (lstat(LOCK_FILE, &sbuf1) == -1) {
1580 			EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE);
1581 		}
1582 		/*
1583 		 * Check whether it is a regular file and not a symbolic
1584 		 * link. Its link count should be 1. The owner should be
1585 		 * root and the file should be empty.
1586 		 */
1587 		if (!S_ISREG(sbuf1.st_mode) ||
1588 		    sbuf1.st_nlink != 1 ||
1589 		    sbuf1.st_uid != 0 ||
1590 		    sbuf1.st_size != 0) {
1591 			EXIT_FATAL2("Bad lock file %s", LOCK_FILE);
1592 		}
1593 		if ((fd = open(LOCK_FILE, O_CREAT|O_RDWR,
1594 		    S_IRUSR|S_IWUSR)) == -1) {
1595 			/* Will exit */
1596 			perm_check();
1597 		}
1598 		/*
1599 		 * Check whether we opened the file that we lstat()ed.
1600 		 */
1601 		if (fstat(fd, &sbuf2) == -1) {
1602 			EXIT_FATAL2("Cannot lstat lock file %s", LOCK_FILE);
1603 		}
1604 		if (sbuf1.st_dev != sbuf2.st_dev ||
1605 		    sbuf1.st_ino != sbuf2.st_ino) {
1606 			/* File changed after we did the lstat() above */
1607 			EXIT_FATAL2("Bad lock file %s", LOCK_FILE);
1608 		}
1609 	}
1610 	if (lockf(fd, F_LOCK, 0) == -1) {
1611 		EXIT_FATAL2("Cannot lockf %s", LOCK_FILE);
1612 	}
1613 	return (fd);
1614 }
1615 
1616 static int
1617 unlock(int fd)
1618 {
1619 	if (lockf(fd, F_ULOCK, 0) == -1) {
1620 		warn("lockf");
1621 		return (-1);
1622 	}
1623 	return (0);
1624 }
1625 
1626 /* send in TOK_* */
1627 static void
1628 print_pattern_string(int type)
1629 {
1630 	int j;
1631 
1632 	for (j = 0; pattern_table[j].string != NULL; j++) {
1633 		if (type == pattern_table[j].tok_val) {
1634 			(void) printf("%s ", pattern_table[j].string);
1635 			return;
1636 		}
1637 	}
1638 }
1639 
1640 static void
1641 print_icmp_typecode(uint8_t type, uint8_t type_end, uint8_t code,
1642     uint8_t code_end)
1643 {
1644 	(void) printf("type %d", type);
1645 	if (type_end != type)
1646 		(void) printf("-%d ", type_end);
1647 	else
1648 		(void) printf(" ");
1649 	if (code != 255) {
1650 		(void) printf("code %d", code);
1651 		if (code_end != code)
1652 			(void) printf("-%d ", code_end);
1653 		else
1654 			(void) printf(" ");
1655 	}
1656 }
1657 
1658 
1659 static void
1660 print_spd_flags(uint32_t flags)
1661 {
1662 	flags &= (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND);
1663 
1664 	if (flags == SPD_RULE_FLAG_OUTBOUND)
1665 		(void) printf("dir out ");
1666 	else if (flags == SPD_RULE_FLAG_INBOUND)
1667 		(void) printf("dir in ");
1668 	else if (flags == (SPD_RULE_FLAG_INBOUND|SPD_RULE_FLAG_OUTBOUND))
1669 		(void) printf("dir both ");
1670 }
1671 
1672 static void
1673 print_bit_range(int min, int max)
1674 {
1675 	if (min != 0 || (max != 0 && max != SPD_MAX_MAXBITS)) {
1676 		(void) printf("(");
1677 		if (min != 0)
1678 			(void) printf("%d", min);
1679 		if (min != 0 && max != 0 && min != max) {
1680 			(void) printf("..");
1681 			if (max != 0 && max != SPD_MAX_MAXBITS)
1682 				(void) printf("%d", max);
1683 		}
1684 		(void) printf(")");
1685 	}
1686 }
1687 
1688 static void
1689 print_alg(const char *tag, algreq_t *algreq, int proto_num)
1690 {
1691 	int min = algreq->alg_minbits;
1692 	int max = algreq->alg_maxbits;
1693 	struct ipsecalgent *alg;
1694 
1695 	/*
1696 	 * This function won't be called with alg_id == 0, so we don't
1697 	 * have to worry about ANY vs. NONE here.
1698 	 */
1699 
1700 	(void) printf("%s ", tag);
1701 
1702 	alg = getipsecalgbynum(algreq->alg_id, proto_num, NULL);
1703 	if (alg == NULL) {
1704 		(void) printf("%d", algreq->alg_id);
1705 	} else {
1706 		(void) printf("%s", alg->a_names[0]);
1707 		freeipsecalgent(alg);
1708 	}
1709 
1710 	print_bit_range(min, max);
1711 	(void) printf(" ");
1712 }
1713 
1714 static void
1715 print_ulp(uint8_t proto)
1716 {
1717 	struct protoent *pe;
1718 
1719 	if (proto == 0)
1720 		return;
1721 
1722 	print_pattern_string(TOK_ulp);
1723 	pe = NULL;
1724 	if (!ipsecconf_nflag) {
1725 		pe = getprotobynumber(proto);
1726 	}
1727 	if (pe != NULL)
1728 		(void) printf("%s ", pe->p_name);
1729 	else
1730 		(void) printf("%d ", proto);
1731 }
1732 
1733 /* needs to do ranges */
1734 static void
1735 print_port(uint16_t in_port, int type)
1736 {
1737 	in_port_t port = ntohs(in_port);
1738 	struct servent *sp;
1739 
1740 	if (port == 0)
1741 		return;
1742 
1743 	print_pattern_string(type);
1744 	sp = NULL;
1745 	if (!ipsecconf_nflag)
1746 		sp = getservbyport(port, NULL);
1747 
1748 	if (sp != NULL)
1749 		(void) printf("%s ", sp->s_name);
1750 	else
1751 		(void) printf("%d ", port);
1752 }
1753 
1754 /*
1755  * Print the address, given as "raw" input via the void pointer.
1756  */
1757 static void
1758 print_raw_address(void *input, boolean_t isv4)
1759 {
1760 	char  *cp;
1761 	struct hostent *hp;
1762 	char	domain[MAXHOSTNAMELEN + 1];
1763 	struct in_addr addr;
1764 	struct in6_addr addr6;
1765 	char abuf[INET6_ADDRSTRLEN];
1766 	int error_num;
1767 	struct in6_addr in_addr;
1768 	uchar_t *addr_ptr;
1769 	sa_family_t af;
1770 	int addr_len;
1771 
1772 	if (isv4) {
1773 		af = AF_INET;
1774 		(void) memcpy(&V4_PART_OF_V6(in_addr), input, 4);
1775 		/* we don't print unspecified addresses */
1776 		IN6_V4MAPPED_TO_INADDR(&in_addr, &addr);
1777 		if (addr.s_addr == INADDR_ANY)
1778 			return;
1779 		addr_ptr = (uchar_t *)&addr.s_addr;
1780 		addr_len = IPV4_ADDR_LEN;
1781 	} else {
1782 		(void) memcpy(&addr6, input, 16);
1783 		af = AF_INET6;
1784 		/* we don't print unspecified addresses */
1785 		if (IN6_IS_ADDR_UNSPECIFIED(&addr6))
1786 			return;
1787 		addr_ptr = (uchar_t *)&addr6.s6_addr;
1788 		addr_len = sizeof (struct in6_addr);
1789 	}
1790 
1791 	cp = NULL;
1792 	if (!ipsecconf_nflag) {
1793 		if (sysinfo(SI_HOSTNAME, domain, MAXHOSTNAMELEN) != -1 &&
1794 			(cp = strchr(domain, '.')) != NULL) {
1795 			(void) strlcpy(domain, cp + 1, sizeof (domain));
1796 		} else {
1797 			domain[0] = 0;
1798 		}
1799 		hp = getipnodebyaddr(addr_ptr, addr_len, af, &error_num);
1800 		if (hp) {
1801 			if ((cp = strchr(hp->h_name, '.')) != 0 &&
1802 					strcasecmp(cp + 1, domain) == 0)
1803 				*cp = 0;
1804 			cp = hp->h_name;
1805 		}
1806 	}
1807 
1808 	if (cp) {
1809 		(void) printf("%s", cp);
1810 	} else {
1811 		(void) printf("%s", inet_ntop(af, addr_ptr, abuf,
1812 		    INET6_ADDRSTRLEN));
1813 	}
1814 }
1815 
1816 /*
1817  * Get the next SPD_DUMP message from the PF_POLICY socket.  A single
1818  * read may contain multiple messages.  This function uses static buffers,
1819  * and is therefore non-reentrant, so if you lift it for an MT application,
1820  * be careful.
1821  *
1822  * Return NULL if there's an error.
1823  */
1824 static spd_msg_t *
1825 ipsec_read_dump(int pfd)
1826 {
1827 	static uint64_t buf[SADB_8TO64(CBUF_LEN)];
1828 	static uint64_t *offset;
1829 	static int len;		/* In uint64_t units. */
1830 	spd_msg_t *retval;
1831 
1832 	/* Assume offset and len are initialized to NULL and 0. */
1833 
1834 	if ((offset - len == buf) || (offset == NULL)) {
1835 		/* read a new block from the socket. */
1836 		len = read(pfd, &buf, sizeof (buf));
1837 		if (len == -1) {
1838 			warn(gettext("rule dump: bad read"));
1839 			return (NULL);
1840 		}
1841 		offset = buf;
1842 		len = SADB_8TO64(len);
1843 	} /* Else I still have more messages from a previous read. */
1844 
1845 	retval = (spd_msg_t *)offset;
1846 	offset += retval->spd_msg_len;
1847 	if (offset > buf + len) {
1848 		warnx(gettext("dump read: message corruption,"
1849 		    " %d len exceeds %d boundary."),
1850 		    SADB_64TO8((uintptr_t)(offset - buf)),
1851 		    SADB_64TO8((uintptr_t)(buf + len)));
1852 		return (NULL);
1853 	}
1854 
1855 	return (retval);
1856 }
1857 
1858 /*
1859  * returns 0 on success
1860  * -1 on read error
1861  * >0  on invalid returned message
1862  */
1863 
1864 static int
1865 ipsec_conf_list(void)
1866 {
1867 	int ret;
1868 	int pfd;
1869 	struct spd_msg *msg;
1870 	int cnt;
1871 	spd_msg_t *rmsg;
1872 	spd_ext_t *exts[SPD_EXT_MAX+1];
1873 	/*
1874 	 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
1875 	 * issues.
1876 	 */
1877 	uint64_t buffer[
1878 	    SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1];
1879 
1880 	pfd = get_pf_pol_socket();
1881 
1882 	if (pfd == -1) {
1883 		warnx(gettext("Error getting list of policies from kernel"));
1884 		return (-1);
1885 	}
1886 
1887 	(void) memset(buffer, 0, sizeof (buffer));
1888 	msg = (struct spd_msg *)buffer;
1889 	msg->spd_msg_version = PF_POLICY_V1;
1890 	msg->spd_msg_type = SPD_DUMP;
1891 	msg->spd_msg_len = SPD_8TO64(sizeof (*msg));
1892 
1893 	msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1));
1894 
1895 	cnt = write(pfd, msg, SPD_64TO8(msg->spd_msg_len));
1896 
1897 	if (cnt < 0) {
1898 		warn(gettext("dump: invalid write() return"));
1899 		(void) close(pfd);
1900 		return (-1);
1901 	}
1902 
1903 	rmsg = ipsec_read_dump(pfd);
1904 
1905 	if (rmsg == NULL || rmsg->spd_msg_errno != 0) {
1906 		warnx("%s: %s", gettext("ruleset dump failed"),
1907 		    (rmsg == NULL ?
1908 			gettext("read error") :
1909 			sys_error_message(rmsg->spd_msg_errno)));
1910 		(void) close(pfd);
1911 		return (-1);
1912 	}
1913 
1914 
1915 	for (;;) {
1916 		/* read rule */
1917 		rmsg = ipsec_read_dump(pfd);
1918 
1919 		if (rmsg == NULL) {
1920 			(void) close(pfd);
1921 			return (-1);
1922 		}
1923 
1924 		if (rmsg->spd_msg_errno != 0) {
1925 			warnx("%s: %s", gettext("dump read: bad message"),
1926 			    sys_error_message(rmsg->spd_msg_errno));
1927 			(void) close(pfd);
1928 			return (-1);
1929 		}
1930 
1931 		ret = spdsock_get_ext(exts, rmsg, rmsg->spd_msg_len,
1932 		    spdsock_diag_buf, SPDSOCK_DIAG_BUF_LEN);
1933 		if (ret != 0) {
1934 			if (strlen(spdsock_diag_buf) != 0)
1935 				warnx(spdsock_diag_buf);
1936 			warnx("%s: %s", gettext("dump read: bad message"),
1937 			    sys_error_message(rmsg->spd_msg_errno));
1938 			(void) close(pfd);
1939 			return (ret);
1940 		}
1941 
1942 		/*
1943 		 * End of dump..
1944 		 */
1945 		if (exts[SPD_EXT_RULESET] != NULL)
1946 			break;	/* and return 0. */
1947 
1948 		print_pfpol_msg(rmsg);
1949 	}
1950 
1951 	(void) close(pfd);
1952 	return (0);
1953 }
1954 
1955 static void
1956 print_iap(ips_act_props_t *iap)
1957 {
1958 
1959 	/* action */
1960 	switch (iap->iap_action) {
1961 	case SPD_ACTTYPE_PASS:
1962 		(void) printf("pass ");
1963 		break;
1964 	case SPD_ACTTYPE_DROP:
1965 		(void) printf("drop ");
1966 		break;
1967 	case SPD_ACTTYPE_IPSEC:
1968 		(void) printf("ipsec ");
1969 		break;
1970 	}
1971 
1972 	/* properties */
1973 	(void) printf("%c ", CURL_BEGIN);
1974 	if (iap->iap_action == SPD_ACTTYPE_IPSEC) {
1975 		if (iap->iap_attr & SPD_APPLY_AH &&
1976 		    iap->iap_aauth.alg_id != 0)
1977 			print_alg("auth_algs", &iap->iap_aauth,
1978 			    IPSEC_PROTO_AH);
1979 
1980 		if (iap->iap_attr & SPD_APPLY_ESP) {
1981 			print_alg("encr_algs", &iap->iap_eencr,
1982 			    IPSEC_PROTO_ESP);
1983 			if (iap->iap_eauth.alg_id != 0)
1984 				print_alg("encr_auth_algs", &iap->iap_eauth,
1985 				    IPSEC_PROTO_AH);
1986 		}
1987 		if (iap->iap_attr & SPD_APPLY_UNIQUE)
1988 			(void) printf("sa unique ");
1989 		else
1990 			(void) printf("sa shared ");
1991 	}
1992 	(void) printf("%c ", CURL_END);
1993 }
1994 
1995 
1996 static void
1997 print_pfpol_msg(spd_msg_t *msg)
1998 {
1999 	spd_ext_t *exts[SPD_EXT_MAX+1];
2000 	spd_address_t *spd_address;
2001 	struct spd_rule *spd_rule;
2002 	struct spd_proto *spd_proto;
2003 	struct spd_portrange *spd_portrange;
2004 	struct spd_ext_actions *spd_ext_actions;
2005 	struct spd_typecode *spd_typecode;
2006 	struct spd_attribute *app;
2007 	spd_if_t *spd_if;
2008 	uint32_t rv;
2009 	uint16_t act_count;
2010 
2011 	rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, spdsock_diag_buf,
2012 	    SPDSOCK_DIAG_BUF_LEN);
2013 
2014 	if (rv == KGE_OK && exts[SPD_EXT_RULE] != NULL) {
2015 		spd_if = (spd_if_t *)exts[SPD_EXT_TUN_NAME];
2016 		spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE];
2017 		if (spd_if == NULL) {
2018 			(void) printf("%s %lld\n", INDEX_TAG,
2019 			    spd_rule->spd_rule_index);
2020 		} else {
2021 			(void) printf("%s %s,%lld\n", INDEX_TAG,
2022 			    (char *)spd_if->spd_if_name,
2023 			    spd_rule->spd_rule_index);
2024 		}
2025 	} else {
2026 		if (strlen(spdsock_diag_buf) != 0)
2027 			warnx(spdsock_diag_buf);
2028 		warnx(gettext("print_pfpol_msg: malformed PF_POLICY message."));
2029 		return;
2030 	}
2031 
2032 	(void) printf("%c ", CURL_BEGIN);
2033 
2034 	if (spd_if != NULL) {
2035 		(void) printf("tunnel %s negotiate %s ",
2036 		    (char *)spd_if->spd_if_name,
2037 		    (spd_rule->spd_rule_flags & SPD_RULE_FLAG_TUNNEL) ?
2038 		    "tunnel" : "transport");
2039 	}
2040 
2041 	if (exts[SPD_EXT_PROTO] != NULL) {
2042 		spd_proto = (struct spd_proto *)exts[SPD_EXT_PROTO];
2043 		print_ulp(spd_proto->spd_proto_number);
2044 	}
2045 
2046 	if (exts[SPD_EXT_LCLADDR] != NULL) {
2047 		spd_address = (spd_address_t *)exts[SPD_EXT_LCLADDR];
2048 
2049 		(void) printf("laddr ");
2050 		print_raw_address((spd_address + 1),
2051 		    (spd_address->spd_address_len == 2));
2052 		(void) printf("/%d ", spd_address->spd_address_prefixlen);
2053 	}
2054 
2055 	if (exts[SPD_EXT_LCLPORT] != NULL) {
2056 		spd_portrange = (struct spd_portrange *)exts[SPD_EXT_LCLPORT];
2057 		if (spd_portrange->spd_ports_minport != 0) {
2058 			print_port(spd_portrange->spd_ports_minport,
2059 			    TOK_lport);
2060 		}
2061 	}
2062 
2063 
2064 	if (exts[SPD_EXT_REMADDR] != NULL) {
2065 		spd_address = (spd_address_t *)exts[SPD_EXT_REMADDR];
2066 
2067 		(void) printf("raddr ");
2068 		print_raw_address((spd_address + 1),
2069 		    (spd_address->spd_address_len == 2));
2070 		(void) printf("/%d ", spd_address->spd_address_prefixlen);
2071 	}
2072 
2073 	if (exts[SPD_EXT_REMPORT] != NULL) {
2074 		spd_portrange =
2075 			(struct spd_portrange *)exts[SPD_EXT_REMPORT];
2076 		if (spd_portrange->spd_ports_minport != 0) {
2077 			print_port(
2078 				spd_portrange->spd_ports_minport,
2079 				TOK_rport);
2080 		}
2081 	}
2082 
2083 	if (exts[SPD_EXT_ICMP_TYPECODE] != NULL) {
2084 		spd_typecode =
2085 		    (struct spd_typecode *)exts[SPD_EXT_ICMP_TYPECODE];
2086 		print_icmp_typecode(spd_typecode->spd_typecode_type,
2087 		    spd_typecode->spd_typecode_type_end,
2088 		    spd_typecode->spd_typecode_code,
2089 		    spd_typecode->spd_typecode_code_end);
2090 	}
2091 
2092 	if (exts[SPD_EXT_RULE] != NULL) {
2093 		spd_rule = (struct spd_rule *)exts[SPD_EXT_RULE];
2094 		print_spd_flags(spd_rule->spd_rule_flags);
2095 	}
2096 
2097 
2098 	(void) printf("%c ", CURL_END);
2099 
2100 	if (exts[SPD_EXT_ACTION] != NULL) {
2101 		ips_act_props_t iap;
2102 		int or_needed = 0;
2103 
2104 		(void) memset(&iap, 0, sizeof (iap));
2105 		spd_ext_actions =
2106 		    (struct spd_ext_actions *)exts[SPD_EXT_ACTION];
2107 		app = (struct spd_attribute *)(spd_ext_actions + 1);
2108 
2109 		for (act_count = 0;
2110 		    act_count < spd_ext_actions->spd_actions_len -1;
2111 			act_count++) {
2112 
2113 			switch (app->spd_attr_tag) {
2114 
2115 			case SPD_ATTR_NOP:
2116 				break;
2117 
2118 			case SPD_ATTR_END:
2119 				/* print */
2120 				if (or_needed) {
2121 					(void) printf("or ");
2122 				} else {
2123 					or_needed = 1;
2124 				}
2125 				print_iap(&iap);
2126 				break;
2127 
2128 			case SPD_ATTR_EMPTY:
2129 				/* clear */
2130 				(void) memset(&iap, 0, sizeof (iap));
2131 				break;
2132 
2133 			case SPD_ATTR_NEXT:
2134 				/* print */
2135 				if (or_needed) {
2136 					(void) printf("or ");
2137 				} else {
2138 					or_needed = 1;
2139 				}
2140 
2141 				print_iap(&iap);
2142 				break;
2143 
2144 			case SPD_ATTR_TYPE:
2145 				iap.iap_action = app->spd_attr_value;
2146 				break;
2147 
2148 			case SPD_ATTR_FLAGS:
2149 				iap.iap_attr = app->spd_attr_value;
2150 				break;
2151 
2152 			case SPD_ATTR_AH_AUTH:
2153 				iap.iap_aauth.alg_id = app->spd_attr_value;
2154 				break;
2155 
2156 			case SPD_ATTR_ESP_ENCR:
2157 				iap.iap_eencr.alg_id = app->spd_attr_value;
2158 				break;
2159 
2160 			case SPD_ATTR_ESP_AUTH:
2161 				iap.iap_eauth.alg_id = app->spd_attr_value;
2162 				break;
2163 
2164 			case SPD_ATTR_ENCR_MINBITS:
2165 				iap.iap_eencr.alg_minbits = app->spd_attr_value;
2166 				break;
2167 
2168 			case SPD_ATTR_ENCR_MAXBITS:
2169 				iap.iap_eencr.alg_maxbits = app->spd_attr_value;
2170 				break;
2171 
2172 			case SPD_ATTR_AH_MINBITS:
2173 				iap.iap_aauth.alg_minbits = app->spd_attr_value;
2174 				break;
2175 
2176 			case SPD_ATTR_AH_MAXBITS:
2177 				iap.iap_aauth.alg_maxbits = app->spd_attr_value;
2178 				break;
2179 
2180 			case SPD_ATTR_ESPA_MINBITS:
2181 				iap.iap_eauth.alg_minbits = app->spd_attr_value;
2182 				break;
2183 
2184 			case SPD_ATTR_ESPA_MAXBITS:
2185 				iap.iap_eauth.alg_maxbits = app->spd_attr_value;
2186 				break;
2187 
2188 			case SPD_ATTR_LIFE_SOFT_TIME:
2189 			case SPD_ATTR_LIFE_HARD_TIME:
2190 			case SPD_ATTR_LIFE_SOFT_BYTES:
2191 			case SPD_ATTR_LIFE_HARD_BYTES:
2192 			default:
2193 				(void) printf("\tattr %d: %X-%d\n",
2194 				    act_count,
2195 				    app->spd_attr_tag,
2196 				    app->spd_attr_value);
2197 				break;
2198 			}
2199 			app++;
2200 		}
2201 	}
2202 
2203 	(void) printf("\n");
2204 }
2205 
2206 #ifdef DEBUG_HEAVY
2207 static void
2208 pfpol_msg_dump(spd_msg_t *msg, char *tag)
2209 {
2210 	spd_ext_t *exts[SPD_EXT_MAX+1];
2211 	uint32_t i;
2212 	spd_address_t *spd_address;
2213 	struct spd_rule *spd_rule;
2214 	struct spd_proto *spd_proto;
2215 	struct spd_portrange *spd_portrange;
2216 	struct spd_typecode *spd_typecode;
2217 	struct spd_ext_actions *spd_ext_actions;
2218 	struct spd_attribute *app;
2219 	spd_if_t *spd_if;
2220 	char abuf[INET6_ADDRSTRLEN];
2221 	uint32_t rv;
2222 	uint16_t act_count;
2223 
2224 	rv = spdsock_get_ext(exts, msg, msg->spd_msg_len, NULL, 0);
2225 	if (rv != KGE_OK)
2226 		return;
2227 
2228 	(void) printf("===========%s==============\n", tag);
2229 	(void) printf("pfpol_msg_dump %d\n-------------------\n", rv);
2230 
2231 	(void) printf("spd_msg_version:%d\n", msg->spd_msg_version);
2232 	(void) printf("spd_msg_type:%d\n", msg->spd_msg_type);
2233 	(void) printf("spd_msg_errno:%d\n", msg->spd_msg_errno);
2234 	(void) printf("spd_msg_spdid:%d\n", msg->spd_msg_spdid);
2235 	(void) printf("spd_msg_len:%d\n", msg->spd_msg_len);
2236 	(void) printf("spd_msg_diagnostic:%d\n", msg->spd_msg_diagnostic);
2237 	(void) printf("spd_msg_seq:%d\n", msg->spd_msg_seq);
2238 	(void) printf("spd_msg_pid:%d\n", msg->spd_msg_pid);
2239 
2240 	for (i = 1; i <= SPD_EXT_MAX; i++) {
2241 		if (exts[i] == NULL) {
2242 			printf("skipped %d\n", i);
2243 			continue;
2244 		}
2245 
2246 		switch (i) {
2247 		case SPD_EXT_TUN_NAME:
2248 			spd_if = (spd_if_t *)exts[i];
2249 			(void) printf("spd_if = %s\n", spd_if->spd_if_name);
2250 			break;
2251 
2252 		case SPD_EXT_ICMP_TYPECODE:
2253 			spd_typecode = (struct spd_typecode *)exts[i];
2254 			(void) printf("icmp type %d-%d code %d-%d\n",
2255 			    spd_typecode->spd_typecode_type,
2256 			    spd_typecode->spd_typecode_type_end,
2257 			    spd_typecode->spd_typecode_code,
2258 			    spd_typecode->spd_typecode_code_end);
2259 			break;
2260 
2261 		case SPD_EXT_LCLPORT:
2262 			spd_portrange = (struct spd_portrange *)exts[i];
2263 			(void) printf("local ports %d-%d\n",
2264 			    spd_portrange->spd_ports_minport,
2265 			    spd_portrange->spd_ports_maxport);
2266 
2267 			break;
2268 
2269 		case SPD_EXT_REMPORT:
2270 			spd_portrange = (struct spd_portrange *)exts[i];
2271 			(void) printf("remote ports %d-%d\n",
2272 			    spd_portrange->spd_ports_minport,
2273 			    spd_portrange->spd_ports_maxport);
2274 
2275 			break;
2276 
2277 		case SPD_EXT_PROTO:
2278 			spd_proto = (struct spd_proto *)exts[i];
2279 			(void) printf("proto:spd_proto_exttype %d\n",
2280 			    spd_proto->spd_proto_exttype);
2281 			(void) printf("proto:spd_proto_number %d\n",
2282 			    spd_proto->spd_proto_number);
2283 			break;
2284 
2285 		case SPD_EXT_LCLADDR:
2286 		case SPD_EXT_REMADDR:
2287 			spd_address = (spd_address_t *)exts[i];
2288 			if (i == SPD_EXT_LCLADDR)
2289 				(void) printf("local addr ");
2290 			else
2291 				(void) printf("remote addr ");
2292 
2293 
2294 			(void) printf("%s\n",
2295 			    inet_ntop(spd_address->spd_address_af,
2296 				(void *) (spd_address +1), abuf,
2297 				INET6_ADDRSTRLEN));
2298 
2299 			(void) printf("prefixlen: %d\n",
2300 			    spd_address->spd_address_prefixlen);
2301 			break;
2302 
2303 		case SPD_EXT_ACTION:
2304 			spd_ext_actions = (struct spd_ext_actions *)exts[i];
2305 			(void) printf("spd_ext_action\n");
2306 			(void) printf("spd_actions_count %d\n",
2307 			    spd_ext_actions->spd_actions_count);
2308 			app = (struct spd_attribute *)(spd_ext_actions + 1);
2309 
2310 			for (act_count = 0;
2311 			    act_count < spd_ext_actions->spd_actions_len -1;
2312 			    act_count++) {
2313 				(void) printf("\tattr %d: %X-%d\n", act_count,
2314 				    app->spd_attr_tag, app->spd_attr_value);
2315 				app++;
2316 			}
2317 
2318 			break;
2319 
2320 		case SPD_EXT_RULE:
2321 			spd_rule = (struct spd_rule *)exts[i];
2322 			(void) printf("spd_rule_priority: 0x%x\n",
2323 			    spd_rule->spd_rule_priority);
2324 			(void) printf("spd_rule_flags: %d\n",
2325 			    spd_rule->spd_rule_flags);
2326 			break;
2327 
2328 		case SPD_EXT_RULESET:
2329 			(void) printf("spd_ext_ruleset\n");
2330 			break;
2331 		default:
2332 			(void) printf("default\n");
2333 			break;
2334 		}
2335 	}
2336 
2337 	(void) printf("-------------------\n");
2338 	(void) printf("=========================\n");
2339 }
2340 #endif /* DEBUG_HEAVY */
2341 
2342 static int
2343 ipsec_conf_view()
2344 {
2345 	char buf[MAXLEN];
2346 	FILE *fp;
2347 
2348 	fp = fopen(POLICY_CONF_FILE, "r");
2349 	if (fp == NULL) {
2350 		if (errno == ENOENT) {
2351 			/*
2352 			 * The absence of POLICY_CONF_FILE should
2353 			 * not cause the command to exit with a
2354 			 * non-zero status, since this condition
2355 			 * is valid when no policies were previously
2356 			 * defined.
2357 			 */
2358 			return (0);
2359 		}
2360 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2361 		return (-1);
2362 	}
2363 	while (fgets(buf, MAXLEN, fp) != NULL) {
2364 		/* Don't print removed entries */
2365 		if (*buf == ';')
2366 			continue;
2367 		if (strlen(buf) != 0)
2368 			buf[strlen(buf) - 1] = '\0';
2369 		(void) puts(buf);
2370 	}
2371 	return (0);
2372 }
2373 
2374 /*
2375  * Delete nlines from start in the POLICY_CONF_FILE.
2376  */
2377 static int
2378 delete_from_file(int start, int nlines)
2379 {
2380 	FILE *fp;
2381 	char ibuf[MAXLEN];
2382 	int len;
2383 
2384 	if ((fp = fopen(POLICY_CONF_FILE, "r+b")) == NULL) {
2385 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2386 		return (-1);
2387 	}
2388 
2389 	/*
2390 	 * Insert a ";", read the line and discard it. Repeat
2391 	 * this logic nlines - 1 times. For the last line there
2392 	 * is just a newline character. We can't just insert a
2393 	 * single ";" character instead of the newline character
2394 	 * as it would affect the next line. Thus when we comment
2395 	 * the last line we seek one less and insert a ";"
2396 	 * character, which will replace the newline of the
2397 	 * penultimate line with ; and newline of the last line
2398 	 * will become part of the previous line.
2399 	 */
2400 	do {
2401 		/*
2402 		 * It is not enough to seek just once and expect the
2403 		 * subsequent fgets below to take you to the right
2404 		 * offset of the next line. fgets below seems to affect
2405 		 * the offset. Thus we need to seek, replace with ";",
2406 		 * and discard a line using fgets for every line.
2407 		 */
2408 		if (fseek(fp, start, SEEK_SET) == -1) {
2409 			warn("fseek");
2410 			return (-1);
2411 		}
2412 		if (fputc(';', fp) < 0) {
2413 			warn("fputc");
2414 			return (-1);
2415 		}
2416 		/*
2417 		 * Flush the above ";" character before we do the fgets().
2418 		 * Without this, fgets() gets confused with offsets.
2419 		 */
2420 		(void) fflush(fp);
2421 		len = 0;
2422 		while (fgets(ibuf, MAXLEN, fp) != NULL) {
2423 			len += strlen(ibuf);
2424 			if (ibuf[len - 1] == '\n') {
2425 				/*
2426 				 * We have read a complete line.
2427 				 */
2428 				break;
2429 			}
2430 		}
2431 		/*
2432 		 * We read the line after ";" character has been inserted.
2433 		 * Thus len does not count ";". To advance to the next line
2434 		 * increment by 1.
2435 		 */
2436 		start += (len + 1);
2437 		/*
2438 		 * If nlines == 2, we will be commenting out the last
2439 		 * line next, which has only one newline character.
2440 		 * If we blindly replace it with ";", it will  be
2441 		 * read as part of the next line which could have
2442 		 * a INDEX string and thus confusing ipsec_conf_view.
2443 		 * Thus, we seek one less and replace the previous
2444 		 * line's newline character with ";", and the
2445 		 * last line's newline character will become part of
2446 		 * the previous line.
2447 		 */
2448 		if (nlines == 2)
2449 			start--;
2450 	} while (--nlines != 0);
2451 	(void) fclose(fp);
2452 	if (nlines != 0)
2453 		return (-1);
2454 	else
2455 		return (0);
2456 }
2457 
2458 /*
2459  * Delete an entry from the file by inserting a ";" at the
2460  * beginning of the lines to be removed.
2461  */
2462 static int
2463 ipsec_conf_del(int policy_index, boolean_t ignore_spd)
2464 {
2465 	act_prop_t *act_props = malloc(sizeof (act_prop_t));
2466 	char *buf;
2467 	FILE *fp;
2468 	char ibuf[MAXLEN];
2469 	int ibuf_len, index_len, index;
2470 	int ret = 0;
2471 	int offset, prev_offset;
2472 	int nlines;
2473 	char lifname[LIFNAMSIZ];
2474 
2475 	if (act_props == NULL) {
2476 		warn(gettext("memory"));
2477 		return (-1);
2478 	}
2479 
2480 	fp = fopen(POLICY_CONF_FILE, "r");
2481 	if (fp == NULL) {
2482 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
2483 		free(act_props);
2484 		return (-1);
2485 	}
2486 
2487 	index_len = strlen(INDEX_TAG);
2488 	index = 0;
2489 	for (offset = prev_offset = 0; fgets(ibuf, MAXLEN, fp) != NULL;
2490 	    offset += ibuf_len) {
2491 		prev_offset = offset;
2492 		ibuf_len = strlen(ibuf);
2493 
2494 		if (strncmp(ibuf, INDEX_TAG, index_len) != 0) {
2495 			continue;
2496 		}
2497 
2498 		/*
2499 		 * This line contains INDEX_TAG
2500 		 */
2501 		buf = ibuf + index_len;
2502 		buf++;			/* Skip the space */
2503 		index = parse_index(buf, lifname);
2504 		if (index == -1) {
2505 			warnx(gettext("Invalid index in the file"));
2506 			free(act_props);
2507 			return (-1);
2508 		}
2509 		if (index == policy_index &&
2510 		    (interface_name == NULL ||
2511 			strncmp(interface_name, lifname, LIFNAMSIZ) == 0)) {
2512 			if (!ignore_spd) {
2513 				ret = parse_one(fp, act_props);
2514 				if (ret == -1) {
2515 					warnx(gettext("Invalid policy entry "
2516 					    "in the file"));
2517 					free(act_props);
2518 					return (-1);
2519 				}
2520 			}
2521 			/*
2522 			 * nlines is the number of lines we should comment
2523 			 * out. linecount tells us how many lines this command
2524 			 * spans. And we need to remove the line with INDEX
2525 			 * and an extra line we added during ipsec_conf_add.
2526 			 *
2527 			 * NOTE : If somebody added a policy entry which does
2528 			 * not have a newline, ipsec_conf_add() fills in the
2529 			 * newline. Hence, there is always 2 extra lines
2530 			 * to delete.
2531 			 */
2532 			nlines = linecount + 2;
2533 			goto delete;
2534 		}
2535 	}
2536 
2537 	if (!ignore_spd)
2538 		ret = pfp_delete_rule(policy_index);
2539 
2540 	if (ret != 0) {
2541 		warnx(gettext("Deletion incomplete. Please "
2542 		    "flush all the entries and re-configure :"));
2543 		reconfigure();
2544 		free(act_props);
2545 		return (ret);
2546 	}
2547 	free(act_props);
2548 	return (ret);
2549 
2550 delete:
2551 	/* Delete nlines from prev_offset */
2552 	(void) fclose(fp);
2553 	ret = delete_from_file(prev_offset, nlines);
2554 
2555 	if (ret != 0) {
2556 		warnx(gettext("Deletion incomplete. Please "
2557 		    "flush all the entries and re-configure :"));
2558 		reconfigure();
2559 		free(act_props);
2560 		return (ret);
2561 	}
2562 
2563 	if (!ignore_spd)
2564 		ret = pfp_delete_rule(policy_index);
2565 
2566 	if (ret != 0) {
2567 		warnx(gettext("Deletion incomplete. Please "
2568 		    "flush all the entries and re-configure :"));
2569 		reconfigure();
2570 		free(act_props);
2571 		return (ret);
2572 	}
2573 	free(act_props);
2574 	return (0);
2575 }
2576 
2577 static int
2578 pfp_delete_rule(uint64_t index)
2579 {
2580 	struct spd_msg *msg;
2581 	struct spd_rule *rule;
2582 	int sfd;
2583 	int cnt, len, alloclen;
2584 
2585 	sfd = get_pf_pol_socket();
2586 	if (sfd < 0) {
2587 		warn(gettext("unable to open policy socket"));
2588 		return (-1);
2589 	}
2590 
2591 	/*
2592 	 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
2593 	 * issues.
2594 	 */
2595 	alloclen = sizeof (spd_msg_t) + sizeof (struct spd_rule) +
2596 	    sizeof (spd_if_t) + LIFNAMSIZ + 8;
2597 	msg = (spd_msg_t *)malloc(alloclen);
2598 
2599 	if (msg == NULL) {
2600 		warn("malloc");
2601 		return (-1);
2602 	}
2603 
2604 	rule = (struct spd_rule *)(msg + 1);
2605 
2606 	(void) memset(msg, 0, alloclen);
2607 	msg->spd_msg_version = PF_POLICY_V1;
2608 	msg->spd_msg_type = SPD_DELETERULE;
2609 	msg->spd_msg_len = SPD_8TO64(sizeof (spd_msg_t)
2610 	    + sizeof (struct spd_rule));
2611 
2612 	rule->spd_rule_type = SPD_EXT_RULE;
2613 	rule->spd_rule_len = SPD_8TO64(sizeof (struct spd_rule));
2614 	rule->spd_rule_index = index;
2615 
2616 	msg->spd_msg_len += attach_tunname((spd_if_t *)(rule + 1));
2617 
2618 	len = SPD_64TO8(msg->spd_msg_len);
2619 	cnt = write(sfd, msg, len);
2620 
2621 	if (cnt != len) {
2622 		if (cnt < 0) {
2623 			(void) close(sfd);
2624 			free(msg);
2625 			warn(gettext("Delete failed: write"));
2626 			return (-1);
2627 		} else {
2628 			(void) close(sfd);
2629 			free(msg);
2630 			warnx(gettext("Delete failed: short write"));
2631 			return (-1);
2632 		}
2633 	}
2634 
2635 	cnt = read(sfd, msg, len);
2636 	if (cnt != len) {
2637 		if (cnt < 0) {
2638 			(void) close(sfd);
2639 			free(msg);
2640 			warn(gettext("Delete failed: read"));
2641 			return (-1);
2642 		} else {
2643 			(void) close(sfd);
2644 			free(msg);
2645 			warnx(gettext("Delete failed while reading reply"));
2646 			return (-1);
2647 		}
2648 	}
2649 	(void) close(sfd);
2650 	if (msg->spd_msg_errno != 0) {
2651 		free(msg);
2652 		errno = msg->spd_msg_errno;
2653 		warn(gettext("Delete failed: SPD_FLUSH"));
2654 		return (-1);
2655 	}
2656 
2657 	free(msg);
2658 	return (0);
2659 }
2660 
2661 static int
2662 ipsec_conf_flush(int db)
2663 {
2664 	int pfd, cnt, len;
2665 	int sfd;
2666 	struct spd_msg *msg;
2667 	/*
2668 	 * Add an extra 8 bytes of space (+1 uint64_t) to avoid truncation
2669 	 * issues.
2670 	 */
2671 	uint64_t buffer[
2672 	    SPD_8TO64(sizeof (*msg) + sizeof (spd_if_t) + LIFNAMSIZ) + 1];
2673 
2674 	sfd = get_pf_pol_socket();
2675 	if (sfd < 0) {
2676 		warn(gettext("unable to open policy socket"));
2677 		return (-1);
2678 	}
2679 
2680 	(void) memset(buffer, 0, sizeof (buffer));
2681 	msg = (struct spd_msg *)buffer;
2682 	msg->spd_msg_version = PF_POLICY_V1;
2683 	msg->spd_msg_type = SPD_FLUSH;
2684 	msg->spd_msg_len = SPD_8TO64(sizeof (*msg));
2685 	msg->spd_msg_spdid = db;
2686 
2687 	msg->spd_msg_len += attach_tunname((spd_if_t *)(msg + 1));
2688 
2689 	len = SPD_64TO8(msg->spd_msg_len);
2690 	cnt = write(sfd, msg, len);
2691 	if (cnt != len) {
2692 		if (cnt < 0) {
2693 			warn(gettext("Flush failed: write"));
2694 			return (-1);
2695 		} else {
2696 			warnx(gettext("Flush failed: short write"));
2697 			return (-1);
2698 		}
2699 	}
2700 
2701 	cnt = read(sfd, msg, len);
2702 	if (cnt != len) {
2703 		if (cnt < 0) {
2704 			warn(gettext("Flush failed: read"));
2705 			return (-1);
2706 		} else {
2707 			warnx(gettext("Flush failed while reading reply"));
2708 			return (-1);
2709 		}
2710 	}
2711 	(void) close(sfd);
2712 	if (msg->spd_msg_errno != 0) {
2713 		warnx("%s: %s", gettext("Flush failed: SPD_FLUSH"),
2714 		    sys_error_message(msg->spd_msg_errno));
2715 		return (-1);
2716 	}
2717 
2718 	/* Truncate the file */
2719 	if (db == SPD_ACTIVE) {
2720 		if ((pfd = open(POLICY_CONF_FILE, O_TRUNC|O_RDWR)) == -1) {
2721 			if (errno == ENOENT) {
2722 				/*
2723 				 * The absence of POLICY_CONF_FILE should
2724 				 * not cause the command to exit with a
2725 				 * non-zero status, since this condition
2726 				 * is valid when no policies were previously
2727 				 * defined.
2728 				 */
2729 				return (0);
2730 			}
2731 			warn(gettext("%s cannot be truncated"),
2732 			    POLICY_CONF_FILE);
2733 			return (-1);
2734 		}
2735 		(void) close(pfd);
2736 	}
2737 	return (0);
2738 }
2739 
2740 /*
2741  * function to send SPD_FLIP and SPD_CLONE messages
2742  * Do it for ALL polheads for simplicity's sake.
2743  */
2744 static void
2745 ipsec_conf_admin(uint8_t type)
2746 {
2747 	int cnt;
2748 	int sfd;
2749 	struct spd_msg *msg;
2750 	uint64_t buffer[
2751 	    SPD_8TO64(sizeof (struct spd_msg) + sizeof (spd_if_t))];
2752 	char *save_ifname;
2753 
2754 	sfd = get_pf_pol_socket();
2755 	if (sfd < 0) {
2756 		err(-1, gettext("unable to open policy socket"));
2757 	}
2758 
2759 	(void) memset(buffer, 0, sizeof (buffer));
2760 	msg = (struct spd_msg *)buffer;
2761 	msg->spd_msg_version = PF_POLICY_V1;
2762 	msg->spd_msg_type = type;
2763 	msg->spd_msg_len = SPD_8TO64(sizeof (buffer));
2764 
2765 	save_ifname = interface_name;
2766 	/* Apply to all policy heads - global and tunnels. */
2767 	interface_name = &all_polheads;
2768 	(void) attach_tunname((spd_if_t *)(msg + 1));
2769 	interface_name = save_ifname;
2770 
2771 	cnt = write(sfd, msg, sizeof (buffer));
2772 	if (cnt != sizeof (buffer)) {
2773 		if (cnt < 0) {
2774 			err(-1, gettext("admin failed: write"));
2775 		} else {
2776 			errx(-1, gettext("admin failed: short write"));
2777 		}
2778 	}
2779 
2780 	cnt = read(sfd, msg, sizeof (buffer));
2781 	if (cnt != sizeof (buffer)) {
2782 		if (cnt < 0) {
2783 			err(-1, gettext("admin failed: read"));
2784 		} else {
2785 			errx(-1, gettext("admin failed while reading reply"));
2786 		}
2787 	}
2788 	(void) close(sfd);
2789 	if (msg->spd_msg_errno != 0) {
2790 		errno = msg->spd_msg_errno;
2791 		err(-1, gettext("admin failed"));
2792 	}
2793 }
2794 
2795 static void
2796 reconfigure()
2797 {
2798 	(void) fprintf(stderr, gettext(
2799 		"\tipsecconf -f \n "
2800 		"\tipsecconf -a policy_file\n"));
2801 }
2802 
2803 static void
2804 usage(void)
2805 {
2806 	(void) fprintf(stderr, gettext(
2807 	"Usage:	ipsecconf\n"
2808 	"\tipsecconf -a ([-]|<filename>) [-q]\n"
2809 	"\tipsecconf -c <filename>\n"
2810 	"\tipsecconf -r ([-]|<filename>) [-q]\n"
2811 	"\tipsecconf -d [-i tunnel-interface] <index>\n"
2812 	"\tipsecconf -d <tunnel-interface,index>\n"
2813 	"\tipsecconf -l [-n] [-i tunnel-interface]\n"
2814 	"\tipsecconf -f [-i tunnel-interface]\n"
2815 	"\tipsecconf -L [-n]\n"
2816 	"\tipsecconf -F\n"));
2817 }
2818 
2819 /*
2820  * a type consists of
2821  * "type" <int>{ "-" <int>}
2822  * or
2823  * "type" keyword
2824  *
2825  * a code consists of
2826  * "code" <int>{ "-" <int>}
2827  * or
2828  * "code" keyword
2829  */
2830 
2831 
2832 static int
2833 parse_type_code(const char *str, const str_val_t *table)
2834 {
2835 	char *end1, *end2;
2836 	int res1 = 0, res2 = 0;
2837 	int i;
2838 
2839 	if (isdigit(str[0])) {
2840 		res1 = strtol(str, &end1, 0);
2841 
2842 		if (end1 == str) {
2843 			return (-1);
2844 		}
2845 
2846 		if (res1 > 255 || res1 < 0) {
2847 			return (-1);
2848 		}
2849 
2850 		if (*end1 == '-') {
2851 			end1++;
2852 			res2 = strtol(end1, &end2, 0);
2853 			if (res2 > 255 || res2 < 0) {
2854 				return (-1);
2855 			}
2856 		} else {
2857 			end2 = end1;
2858 		}
2859 
2860 		while (isspace(*end2))
2861 			end2++;
2862 
2863 		if (*end2 != '\0') {
2864 			return (-1);
2865 		}
2866 
2867 		return (res1 + (res2 << 8));
2868 	}
2869 
2870 	for (i = 0; table[i].string; i++) {
2871 		if (strcmp(str, table[i].string) == 0) {
2872 			return (table[i].value);
2873 		}
2874 	}
2875 
2876 	return (-1);
2877 }
2878 
2879 static int
2880 parse_int(const char *str)
2881 {
2882 	char *end;
2883 	int res;
2884 
2885 	res = strtol(str, &end, 0);
2886 	if (end == str)
2887 		return (-1);
2888 	while (isspace(*end))
2889 		end++;
2890 	if (*end != '\0')
2891 		return (-1);
2892 	return (res);
2893 }
2894 
2895 /*
2896  * Parses <interface>,<index>.  Sets iname or the global interface_name (if
2897  * iname == NULL) to <interface> and returns <index>.  Calls exit() if we have
2898  * an interface_name already set.
2899  */
2900 static int
2901 parse_index(const char *str, char *iname)
2902 {
2903 	char *intf, *num, *copy;
2904 	int rc;
2905 
2906 	copy = strdup(str);
2907 	if (copy == NULL) {
2908 		EXIT_FATAL("Out of memory.");
2909 	}
2910 
2911 	intf = strtok(copy, ",");
2912 	/* Just want the rest of the string unmolested, so use "" for arg2. */
2913 	num = strtok(NULL, "");
2914 	if (num == NULL) {
2915 		/* No comma found, just parse it like an int. */
2916 		free(copy);
2917 		return (parse_int(str));
2918 	}
2919 
2920 	if (iname != NULL) {
2921 		(void) strlcpy(iname, intf, LIFNAMSIZ);
2922 	} else {
2923 		if (interface_name != NULL) {
2924 			EXIT_FATAL("Interface name already selected");
2925 		}
2926 
2927 		interface_name = strdup(intf);
2928 		if (interface_name == NULL) {
2929 			EXIT_FATAL("Out of memory.");
2930 		}
2931 	}
2932 
2933 	rc = parse_int(num);
2934 	free(copy);
2935 	return (rc);
2936 }
2937 
2938 /*
2939  * Convert a mask to a prefix length.
2940  * Returns prefix length on success, -1 otherwise.
2941  */
2942 static int
2943 in_getprefixlen(char *mask)
2944 {
2945 	int prefixlen;
2946 	char *end;
2947 
2948 	prefixlen = (int)strtol(mask, &end, 10);
2949 	if (prefixlen < 0) {
2950 		return (-1);
2951 	}
2952 	if (mask == end) {
2953 		return (-1);
2954 	}
2955 	if (*end != '\0') {
2956 		return (-1);
2957 	}
2958 	return (prefixlen);
2959 }
2960 
2961 /*
2962  * Convert a prefix length to a mask.
2963  * Assumes the mask array is zero'ed by the caller.
2964  */
2965 static void
2966 in_prefixlentomask(unsigned int prefixlen, uchar_t *mask)
2967 {
2968 	while (prefixlen > 0) {
2969 		if (prefixlen >= 8) {
2970 			*mask++ = 0xFF;
2971 			prefixlen -= 8;
2972 			continue;
2973 		}
2974 		*mask |= 1 << (8 - prefixlen);
2975 		prefixlen--;
2976 	}
2977 }
2978 
2979 
2980 static int
2981 parse_address(int type, char *addr_str)
2982 {
2983 	char *ptr;
2984 	int prefix_len = 0;
2985 	struct netent *ne = NULL;
2986 	struct hostent *hp = NULL;
2987 	int h_errno;
2988 	struct in_addr netaddr;
2989 	struct in6_addr *netaddr6;
2990 	struct hostent *ne_hent;
2991 	boolean_t	has_mask = B_FALSE;
2992 
2993 	ptr = strchr(addr_str, '/');
2994 	if (ptr != NULL) {
2995 		has_mask = B_TRUE;
2996 		*ptr++ = NULL;
2997 
2998 		prefix_len = in_getprefixlen(ptr);
2999 		if (prefix_len < 0)
3000 			return (-1);
3001 	}
3002 
3003 	/*
3004 	 * getipnodebyname() is thread safe. This allows us to hold on to the
3005 	 * returned hostent structure, which is pointed to by the shp and
3006 	 * dhp globals for the source and destination addresses, respectively.
3007 	 */
3008 	hp = getipnodebyname(addr_str, AF_INET6, AI_DEFAULT | AI_ALL, &h_errno);
3009 	if (hp != NULL) {
3010 		/*
3011 		 * We come here for both a hostname and
3012 		 * any host address /network address.
3013 		 */
3014 		assert(hp->h_addrtype == AF_INET6);
3015 	} else if ((ne = getnetbyname(addr_str)) != NULL) {
3016 		switch (ne->n_addrtype) {
3017 		case AF_INET:
3018 			/*
3019 			 * Allocate a struct hostent and initialize
3020 			 * it with the address corresponding to the
3021 			 * network number previously returned by
3022 			 * getnetbyname(). Freed by do_address_adds()
3023 			 * once the policy is defined.
3024 			 */
3025 			ne_hent = malloc(sizeof (struct hostent));
3026 			if (ne_hent == NULL) {
3027 				warn("malloc");
3028 				return (-1);
3029 			}
3030 			ne_hent->h_addr_list = malloc(2*sizeof (char *));
3031 			if (ne_hent->h_addr_list == NULL) {
3032 				warn("malloc");
3033 				free(ne_hent);
3034 				return (-1);
3035 			}
3036 			netaddr6 = malloc(sizeof (struct in6_addr));
3037 			if (netaddr6 == NULL) {
3038 				warn("malloc");
3039 				free(ne_hent->h_addr_list);
3040 				free(ne_hent);
3041 				return (-1);
3042 			}
3043 			ne_hent->h_addr_list[0] = (char *)netaddr6;
3044 			ne_hent->h_addr_list[1] = NULL;
3045 			netaddr = inet_makeaddr(ne->n_net, INADDR_ANY);
3046 			IN6_INADDR_TO_V4MAPPED(&netaddr, netaddr6);
3047 			hp = ne_hent;
3048 			break;
3049 		default:
3050 			warnx("Address type %d not supported.", ne->n_addrtype);
3051 			return (-1);
3052 		}
3053 	} else {
3054 		return (-1);
3055 	}
3056 
3057 	if (type == IPSEC_CONF_SRC_ADDRESS) {
3058 		shp = hp;
3059 		if (has_mask)
3060 			splen = prefix_len;
3061 		has_saprefix = has_mask;
3062 	} else {
3063 		dhp = hp;
3064 		if (has_mask)
3065 			dplen = prefix_len;
3066 		has_daprefix = has_mask;
3067 	}
3068 
3069 	return (0);
3070 }
3071 
3072 /*
3073  * Add port-only entries.  Make sure to add them in both the V6 and V4 tables!
3074  */
3075 static int
3076 do_port_adds(ips_conf_t *cptr)
3077 {
3078 	int ret, diag;
3079 
3080 	assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6));
3081 	assert(IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_addr_v6));
3082 
3083 #ifdef DEBUG_HEAVY
3084 	(void) dump_conf(cptr);
3085 #endif
3086 
3087 	ret = send_pf_pol_message(SPD_ADDRULE, cptr, &diag);
3088 	if (ret != 0 && !ipsecconf_qflag) {
3089 		warnx(
3090 		    gettext("Could not add IPv4 policy for sport %d, dport %d "
3091 			"- diagnostic %d - %s"),
3092 		    ntohs(cptr->ips_src_port_min),
3093 		    ntohs(cptr->ips_dst_port_min), diag, spdsock_diag(diag));
3094 	}
3095 
3096 	return (ret);
3097 }
3098 
3099 /*
3100  * Nuke a list of policy entries.
3101  * rewrite this to use flipping
3102  * d_list isn't freed because we will be
3103  * exiting the program soon.
3104  */
3105 static void
3106 nuke_adds()
3107 {
3108 	d_list_t *temp = d_list;
3109 	FILE *policy_fp;
3110 
3111 	policy_fp = fopen(POLICY_CONF_FILE, "a");
3112 	if (policy_fp == NULL) {
3113 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
3114 	}
3115 	(void) fprintf(policy_fp, "\n\n");
3116 	(void) fflush(policy_fp);
3117 
3118 	while (temp != NULL) {
3119 		(void) ipsec_conf_del(temp->index, B_TRUE);
3120 		temp = temp->next;
3121 	}
3122 }
3123 
3124 /*
3125  * Set mask info from the specified prefix len. Fail if multihomed.
3126  */
3127 static int
3128 set_mask_info(struct hostent *hp, unsigned int plen, struct in6_addr *mask_v6)
3129 {
3130 	struct in6_addr addr;
3131 	struct in_addr mask_v4;
3132 
3133 	if (hp->h_addr_list[1] != NULL) {
3134 		return (EOPNOTSUPP);
3135 	}
3136 
3137 	if (!IN6_IS_ADDR_UNSPECIFIED(mask_v6)) {
3138 		return (EBUSY);
3139 	}
3140 
3141 	bcopy(hp->h_addr_list[0], &addr, sizeof (struct in6_addr));
3142 	if (IN6_IS_ADDR_V4MAPPED(&addr)) {
3143 		if (plen > IP_ABITS) {
3144 			return (ERANGE);
3145 		}
3146 		(void) memset(&mask_v4, 0, sizeof (mask_v4));
3147 		in_prefixlentomask(plen, (uchar_t *)&mask_v4);
3148 		IN6_INADDR_TO_V4MAPPED(&mask_v4, mask_v6);
3149 	} else {
3150 		if (plen > IPV6_ABITS) {
3151 			return (ERANGE);
3152 		}
3153 		/* mask_v6 is already zero (unspecified), see test above */
3154 		in_prefixlentomask(plen, (uchar_t *)mask_v6);
3155 	}
3156 	return (0);
3157 }
3158 
3159 /*
3160  * Initialize the specified IPv6 address with all f's.
3161  */
3162 static void
3163 init_addr_wildcard(struct in6_addr *addr_v6, boolean_t isv4)
3164 {
3165 	if (isv4) {
3166 		uint32_t addr_v4 = 0xffffffff;
3167 		IN6_INADDR_TO_V4MAPPED((struct in_addr *)&addr_v4, addr_v6);
3168 	} else {
3169 		(void) memset(addr_v6, 0xff, sizeof (struct in6_addr));
3170 	}
3171 }
3172 
3173 /*
3174  * Called at the end to actually add policy.  Handles single and multi-homed
3175  * cases.
3176  */
3177 static int
3178 do_address_adds(ips_conf_t *cptr, int *diag)
3179 {
3180 	int i, j;
3181 	int ret = 0;	/* For ioctl() call. */
3182 	int rc = 0;	/* My own return code. */
3183 	struct in6_addr zeroes = {0, 0, 0, 0};
3184 	char *ptr[2];
3185 	struct hostent hent;
3186 	boolean_t isv4;
3187 	int add_count = 0;
3188 
3189 	/*
3190 	 * dst_hent may not be initialized if a destination
3191 	 * address was not given. It will be initalized with just
3192 	 * one address if a destination address was given. In both
3193 	 * the cases, we initialize here with ipsc_dst_addr and enter
3194 	 * the loop below.
3195 	 */
3196 	if (dhp == NULL) {
3197 		assert(shp != NULL);
3198 		hent.h_addr_list = ptr;
3199 		ptr[0] = (char *)&zeroes.s6_addr;
3200 		ptr[1] = NULL;
3201 		dhp = &hent;
3202 	} else if (shp == NULL) {
3203 		assert(dhp != NULL);
3204 		hent.h_addr_list = ptr;
3205 		ptr[0] = (char *)&zeroes.s6_addr;
3206 		ptr[1] = NULL;
3207 		shp = &hent;
3208 	}
3209 
3210 	/*
3211 	 * Set mask info here.  Bail if multihomed and there's a prefix len.
3212 	 */
3213 	if (has_saprefix) {
3214 		rc = set_mask_info(shp, splen, &cptr->ips_src_mask_v6);
3215 		if (rc != 0)
3216 			goto bail;
3217 		cptr->ips_src_mask_len = splen;
3218 	}
3219 
3220 	if (has_daprefix) {
3221 		rc = set_mask_info(dhp, dplen, &cptr->ips_dst_mask_v6);
3222 		if (rc != 0)
3223 			goto bail;
3224 		cptr->ips_dst_mask_len = dplen;
3225 	}
3226 
3227 	for (i = 0; shp->h_addr_list[i] != NULL; i++) {
3228 		bcopy(shp->h_addr_list[i], &cptr->ips_src_addr_v6,
3229 		    sizeof (struct in6_addr));
3230 		isv4 = cptr->ips_isv4 =
3231 		    IN6_IS_ADDR_V4MAPPED(&cptr->ips_src_addr_v6);
3232 		if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_mask_v6) &&
3233 		    shp != &hent) {
3234 			init_addr_wildcard(&cptr->ips_src_mask_v6, isv4);
3235 		}
3236 
3237 		for (j = 0; dhp->h_addr_list[j] != NULL; j++) {
3238 			bcopy(dhp->h_addr_list[j], &cptr->ips_dst_addr_v6,
3239 			    sizeof (struct in6_addr));
3240 			if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_src_addr_v6)) {
3241 				/*
3242 				 * Src was not specified, so update isv4 flag
3243 				 * for this policy according to the family
3244 				 * of the destination address.
3245 				 */
3246 				isv4 = cptr->ips_isv4 =
3247 				    IN6_IS_ADDR_V4MAPPED(
3248 					    &cptr->ips_dst_addr_v6);
3249 			} else if ((dhp != &hent) && (isv4 !=
3250 			    IN6_IS_ADDR_V4MAPPED(&cptr->ips_dst_addr_v6))) {
3251 				/* v6/v4 mismatch. */
3252 				continue;
3253 			}
3254 			if (IN6_IS_ADDR_UNSPECIFIED(&cptr->ips_dst_mask_v6) &&
3255 			    dhp != &hent) {
3256 				init_addr_wildcard(&cptr->ips_dst_mask_v6,
3257 				    isv4);
3258 			}
3259 
3260 			ret = send_pf_pol_message(SPD_ADDRULE, cptr, diag);
3261 
3262 			if (ret == 0) {
3263 				add_count++;
3264 			} else {
3265 				/* For now, allow duplicate/overlap policies. */
3266 				if (ret != EEXIST) {
3267 					/*
3268 					 * We have an error where we added
3269 					 * some, but had errors with others.
3270 					 * Undo the previous adds, and
3271 					 * bail.
3272 					 */
3273 					rc = ret;
3274 					goto bail;
3275 				}
3276 			}
3277 
3278 			bzero(&cptr->ips_dst_mask_v6,
3279 			    sizeof (struct in6_addr));
3280 		}
3281 
3282 		bzero(&cptr->ips_src_mask_v6, sizeof (struct in6_addr));
3283 	}
3284 
3285 bail:
3286 	if (shp != &hent)
3287 		freehostent(shp);
3288 	shp = NULL;
3289 	if (dhp != &hent)
3290 		freehostent(dhp);
3291 	dhp = NULL;
3292 	splen = 0;
3293 	dplen = 0;
3294 
3295 	if ((add_count == 0) && (rc == 0)) {
3296 		/*
3297 		 * No entries were added. We failed all adds
3298 		 * because the entries already existed, or because
3299 		 * no v4 or v6 src/dst pairs were found. Either way,
3300 		 * we must fail here with an appropriate error
3301 		 * to avoid a corresponding entry from being added
3302 		 * to ipsecpolicy.conf.
3303 		 */
3304 		if ((ret == EEXIST)) {
3305 			/* All adds failed with EEXIST */
3306 			rc = EEXIST;
3307 		} else {
3308 			/* No matching v4 or v6 src/dst pairs */
3309 			rc = ESRCH;
3310 		}
3311 	}
3312 
3313 	return (rc);
3314 }
3315 
3316 static int
3317 parse_mask(int type, char *mask_str, ips_conf_t *cptr)
3318 {
3319 	struct in_addr mask;
3320 	struct in6_addr *mask6;
3321 
3322 	if (type == IPSEC_CONF_SRC_MASK) {
3323 		mask6 = &cptr->ips_src_mask_v6;
3324 	} else {
3325 		mask6 = &cptr->ips_dst_mask_v6;
3326 	}
3327 
3328 	if ((strncasecmp(mask_str, "0x", 2) == 0) &&
3329 	    (strchr(mask_str, '.') == NULL)) {
3330 		/* Is it in the form 0xff000000 ? */
3331 		char *end;
3332 
3333 		mask.s_addr = strtoul(mask_str, &end, 0);
3334 		if (end == mask_str) {
3335 			return (-1);
3336 		}
3337 		if (*end != '\0') {
3338 			return (-1);
3339 		}
3340 		mask.s_addr = htonl(mask.s_addr);
3341 	} else {
3342 		/*
3343 		 * Since inet_addr() returns -1 on error, we have
3344 		 * to convert a broadcast address ourselves.
3345 		 */
3346 		if (strcmp(mask_str, "255.255.255.255") == 0) {
3347 			mask.s_addr = 0xffffffff;
3348 		} else {
3349 			mask.s_addr = inet_addr(mask_str);
3350 			if (mask.s_addr == (unsigned int)-1)
3351 				return (-1);
3352 		}
3353 	}
3354 
3355 	/* Should we check for non-contiguous masks ? */
3356 	if (mask.s_addr == 0)
3357 		return (-1);
3358 	IN6_INADDR_TO_V4MAPPED(&mask, mask6);
3359 
3360 
3361 	if (type == IPSEC_CONF_SRC_MASK) {
3362 		cptr->ips_src_mask_len = in_masktoprefix(mask6->s6_addr,
3363 		    B_TRUE);
3364 	} else {
3365 		cptr->ips_dst_mask_len = in_masktoprefix(mask6->s6_addr,
3366 		    B_TRUE);
3367 	}
3368 
3369 	return (0);
3370 }
3371 
3372 static int
3373 parse_port(int type, char *port_str, ips_conf_t *conf)
3374 {
3375 	struct servent *sent;
3376 	in_port_t port;
3377 	int ret;
3378 
3379 	sent = getservbyname(port_str, NULL);
3380 	if (sent == NULL) {
3381 		ret = parse_int(port_str);
3382 		if (ret < 0 || ret >= 65536) {
3383 			return (-1);
3384 		}
3385 		port = htons((in_port_t)ret);
3386 	} else {
3387 		port = sent->s_port;
3388 	}
3389 	if (type == IPSEC_CONF_SRC_PORT) {
3390 		conf->ips_src_port_min = conf->ips_src_port_max = port;
3391 	} else {
3392 		conf->ips_dst_port_min = conf->ips_dst_port_max = port;
3393 	}
3394 	return (0);
3395 }
3396 
3397 static int
3398 valid_algorithm(int proto_num, const char *str)
3399 {
3400 	const char *tmp;
3401 	int ret;
3402 	struct ipsecalgent *alg;
3403 
3404 	/* Short-circuit "none" */
3405 	if (strncasecmp("none", str, 5) == 0)
3406 		return (-2);
3407 
3408 	alg = getipsecalgbyname(str, proto_num, NULL);
3409 	if (alg != NULL) {
3410 		ret = alg->a_alg_num;
3411 		freeipsecalgent(alg);
3412 		return (ret);
3413 	}
3414 
3415 	/*
3416 	 * Look whether it could be a valid number.
3417 	 * We support numbers also so that users can
3418 	 * load algorithms as they need it. We can't
3419 	 * check for validity of numbers here. It will
3420 	 * be checked when the SA is negotiated/looked up.
3421 	 * parse_int uses strtol(str), which converts 3DES
3422 	 * to a valid number i.e looks only at initial
3423 	 * number part. If we come here we should expect
3424 	 * only a decimal number.
3425 	 */
3426 	tmp = str;
3427 	while (*tmp) {
3428 		if (!isdigit(*tmp))
3429 			return (-1);
3430 		tmp++;
3431 	}
3432 
3433 	ret = parse_int(str);
3434 	if (ret > 0 && ret <= 255)
3435 		return (ret);
3436 	else
3437 		return (-1);
3438 }
3439 
3440 static int
3441 parse_ipsec_alg(char *str, ips_act_props_t *iap, int alg_type)
3442 {
3443 	int alg_value;
3444 	char tstr[VALID_ALG_LEN];
3445 	char *lens = NULL;
3446 	char *l1_str;
3447 	int l1 = 0;
3448 	char *l2_str;
3449 	int l2 = SPD_MAX_MAXBITS;
3450 	algreq_t *ap;
3451 	uint_t a_type;
3452 
3453 	fetch_algorithms();
3454 
3455 	/*
3456 	 * Make sure that we get a null terminated string.
3457 	 * For a bad input, we truncate at VALID_ALG_LEN.
3458 	 */
3459 	(void) strlcpy(tstr, str, VALID_ALG_LEN);
3460 	lens = strtok(tstr, "()");
3461 	lens = strtok(NULL, "()");
3462 
3463 	if (lens != NULL) {
3464 		int len1 = 0;
3465 		int len2 = SPD_MAX_MAXBITS;
3466 		int len_all = strlen(lens);
3467 		int dot_start = (lens[0] == '.');
3468 		l1_str = strtok(lens, ".");
3469 		l2_str = strtok(NULL, ".");
3470 		if (l1_str != NULL) {
3471 			l1 = parse_int(l1_str);
3472 			len1 = strlen(l1_str);
3473 			if (len1 < 0)
3474 				return (1);
3475 		}
3476 		if (l2_str != NULL) {
3477 			l2 = parse_int(l2_str);
3478 			len2 = strlen(l2_str);
3479 			if (len2 < 0)
3480 				return (1);
3481 		}
3482 
3483 		if (len_all == len1) {
3484 			/* alg(n) */
3485 			l2 = l1;
3486 		} else if (dot_start) {
3487 			/* alg(..n) */
3488 			l2 = l1;
3489 			l1 = 0;
3490 		} else if ((len_all - 2) == len1) {
3491 			/* alg(n..) */
3492 			l2 = SPD_MAX_MAXBITS;
3493 		} /* else alg(n..m) */
3494 	}
3495 
3496 	if (alg_type == SPD_ATTR_AH_AUTH ||
3497 	    alg_type == SPD_ATTR_ESP_AUTH) {
3498 		alg_value = valid_algorithm(IPSEC_PROTO_AH, tstr);
3499 	} else {
3500 		alg_value = valid_algorithm(IPSEC_PROTO_ESP, tstr);
3501 	}
3502 	if (alg_value < 0) {
3503 		/* Invalid algorithm or "none" */
3504 		return (alg_value);
3505 	}
3506 
3507 	if (alg_type == SPD_ATTR_AH_AUTH) {
3508 		a_type = AH_AUTH;
3509 		iap->iap_attr |= SPD_APPLY_AH;
3510 		ap = &(iap->iap_aauth);
3511 	} else if (alg_type == SPD_ATTR_ESP_AUTH) {
3512 		a_type = ESP_AUTH;
3513 		iap->iap_attr |= SPD_APPLY_ESP|SPD_APPLY_ESPA;
3514 		ap = &(iap->iap_eauth);
3515 	} else {
3516 		a_type = ESP_ENCR;
3517 		iap->iap_attr |= SPD_APPLY_ESP;
3518 		ap = &(iap->iap_eencr);
3519 	}
3520 
3521 	ap->alg_id = alg_value;
3522 	ap->alg_minbits = l1;
3523 	ap->alg_maxbits = l2;
3524 
3525 	if (!alg_rangecheck(a_type, alg_value, ap))
3526 		return (1);
3527 
3528 	return (0);
3529 }
3530 
3531 static char *
3532 sys_error_message(int syserr)
3533 {
3534 	char *mesg;
3535 
3536 	switch (syserr) {
3537 	case EEXIST:
3538 		mesg = gettext("Entry already exists");
3539 		break;
3540 	case ENOENT:
3541 		mesg = gettext("Tunnel not found");
3542 		break;
3543 	case EINVAL:
3544 		mesg = gettext("Invalid entry");
3545 		break;
3546 	default :
3547 		mesg = strerror(syserr);
3548 	}
3549 	return (mesg);
3550 }
3551 
3552 static void
3553 error_message(error_type_t error, int type, int line)
3554 {
3555 	char *mesg;
3556 
3557 	switch (type) {
3558 	case IPSEC_CONF_SRC_ADDRESS:
3559 		mesg = gettext("Source Address");
3560 		break;
3561 	case IPSEC_CONF_DST_ADDRESS:
3562 		mesg = gettext("Destination Address");
3563 		break;
3564 	case IPSEC_CONF_SRC_PORT:
3565 		mesg = gettext("Source Port");
3566 		break;
3567 	case IPSEC_CONF_DST_PORT:
3568 		mesg = gettext("Destination Port");
3569 		break;
3570 	case IPSEC_CONF_SRC_MASK:
3571 		mesg = gettext("Source Mask");
3572 		break;
3573 	case IPSEC_CONF_DST_MASK:
3574 		mesg = gettext("Destination Mask");
3575 		break;
3576 	case IPSEC_CONF_ULP:
3577 		mesg = gettext("Upper Layer Protocol");
3578 		break;
3579 	case IPSEC_CONF_IPSEC_AALGS:
3580 		mesg = gettext("Authentication Algorithm");
3581 		break;
3582 	case IPSEC_CONF_IPSEC_EALGS:
3583 		mesg = gettext("Encryption Algorithm");
3584 		break;
3585 	case IPSEC_CONF_IPSEC_EAALGS:
3586 		mesg = gettext("ESP Authentication Algorithm");
3587 		break;
3588 	case IPSEC_CONF_IPSEC_SA:
3589 		mesg = gettext("SA");
3590 		break;
3591 	case IPSEC_CONF_IPSEC_DIR:
3592 		mesg = gettext("Direction");
3593 		break;
3594 	case IPSEC_CONF_ICMP_TYPE:
3595 		mesg = gettext("ICMP type");
3596 		break;
3597 	case IPSEC_CONF_ICMP_CODE:
3598 		mesg = gettext("ICMP code");
3599 		break;
3600 	case IPSEC_CONF_NEGOTIATE:
3601 		mesg = gettext("Negotiate");
3602 		break;
3603 	case IPSEC_CONF_TUNNEL:
3604 		mesg = gettext("Tunnel");
3605 		break;
3606 	default :
3607 		return;
3608 	}
3609 	/*
3610 	 * If we never read a newline character, we don't want
3611 	 * to print 0.
3612 	 */
3613 	warnx(gettext("%s%s%s %s on line: %d"),
3614 	    (error == BAD_ERROR) ? gettext("Bad") : "",
3615 	    (error == DUP_ERROR) ? gettext("Duplicate") : "",
3616 	    (error == REQ_ERROR) ? gettext("Requires") : "",
3617 	    mesg,
3618 	    (arg_indices[line] == 0) ? 1 : arg_indices[line]);
3619 }
3620 
3621 static int
3622 validate_properties(ips_act_props_t *cptr, boolean_t dir, boolean_t is_alg)
3623 {
3624 	if (cptr->iap_action == SPD_ACTTYPE_PASS ||
3625 		cptr->iap_action == SPD_ACTTYPE_DROP) {
3626 		if (!dir) {
3627 			warnx(gettext("dir string "
3628 			    "not found for bypass policy"));
3629 		}
3630 
3631 		if (is_alg) {
3632 			warnx(gettext("Algorithms found for bypass policy"));
3633 			return (-1);
3634 		}
3635 		return (0);
3636 	}
3637 	if (!is_alg) {
3638 		warnx(gettext("No IPsec algorithms given"));
3639 		return (-1);
3640 	}
3641 	if (cptr->iap_attr == 0) {
3642 		warnx(gettext("No SA attribute"));
3643 		return (-1);
3644 	}
3645 	return (0);
3646 }
3647 
3648 /*
3649  * This function is called only to parse a single rule's worth of
3650  * action strings.  This is called after parsing pattern and before
3651  * parsing properties.  Thus we may have something in the leftover
3652  * buffer while parsing the pattern, which we need to handle here.
3653  */
3654 static int
3655 parse_action(FILE *fp, char **action, char **leftover)
3656 {
3657 	char *cp;
3658 	char ibuf[MAXLEN];
3659 	char *tmp_buf;
3660 	char *buf;
3661 	boolean_t new_stuff;
3662 
3663 	if (*leftover != NULL) {
3664 		buf = *leftover;
3665 		new_stuff = B_FALSE;
3666 		goto scan;
3667 	}
3668 	while (fgets(ibuf, MAXLEN, fp) != NULL) {
3669 		new_stuff = B_TRUE;
3670 		if (ibuf[strlen(ibuf) - 1] == '\n')
3671 			linecount++;
3672 		buf = ibuf;
3673 scan:
3674 		/* Truncate at the beginning of a comment */
3675 		cp = strchr(buf, '#');
3676 		if (cp != NULL)
3677 			*cp = NULL;
3678 
3679 		/* Skip any whitespace */
3680 		while (*buf != NULL && isspace(*buf))
3681 			buf++;
3682 
3683 		/* Empty line */
3684 		if (*buf == NULL)
3685 			continue;
3686 
3687 		/*
3688 		 * Store the command for error reporting
3689 		 * and ipsec_conf_add().
3690 		 */
3691 		if (new_stuff) {
3692 			/*
3693 			 * Check for buffer overflow including the null
3694 			 * terminating character.
3695 			 */
3696 			int len = strlen(ibuf);
3697 			if ((cbuf_offset + len + 1) >= CBUF_LEN)
3698 				return (-1);
3699 			(void) strcpy(cbuf + cbuf_offset, ibuf);
3700 			cbuf_offset += len;
3701 		}
3702 		/*
3703 		 * Start of the non-empty non-space character.
3704 		 */
3705 		tmp_buf = buf++;
3706 
3707 		/* Skip until next whitespace or CURL_BEGIN */
3708 		while (*buf != NULL && !isspace(*buf) &&
3709 		    *buf != CURL_BEGIN)
3710 			buf++;
3711 
3712 
3713 		if (*buf != NULL) {
3714 			if (*buf == CURL_BEGIN) {
3715 				*buf = NULL;
3716 				/* Allocate an extra byte for the null also */
3717 				if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3718 				    NULL) {
3719 					warn("malloc");
3720 					return (ENOMEM);
3721 				}
3722 				(void) strcpy(*action, tmp_buf);
3723 				*buf = CURL_BEGIN;
3724 			} else {
3725 				/* We have hit a space */
3726 				*buf++ = NULL;
3727 				/* Allocate an extra byte for the null also */
3728 				if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3729 				    NULL) {
3730 					warn("malloc");
3731 					return (ENOMEM);
3732 				}
3733 				(void) strcpy(*action, tmp_buf);
3734 			}
3735 			/*
3736 			 * Copy the rest of the line into the
3737 			 * leftover buffer.
3738 			 */
3739 			if (*buf != NULL) {
3740 				(void) strlcpy(lo_buf, buf, sizeof (lo_buf));
3741 				*leftover = lo_buf;
3742 			} else {
3743 				*leftover = NULL;
3744 			}
3745 		} else {
3746 			/* Allocate an extra byte for the null also */
3747 			if ((*action = malloc(strlen(tmp_buf) + 1)) ==
3748 			    NULL) {
3749 				warn("malloc");
3750 				return (ENOMEM);
3751 			}
3752 			(void) strcpy(*action, tmp_buf);
3753 			*leftover = NULL;
3754 		}
3755 		if (argindex >= ARG_BUF_LEN)
3756 			return (-1);
3757 		arg_indices[argindex++] = linecount;
3758 		return (PARSE_SUCCESS);
3759 	}
3760 	/*
3761 	 * Return error, on an empty action field.
3762 	 */
3763 	return (-1);
3764 }
3765 
3766 /*
3767  * This is called to parse pattern or properties that is enclosed
3768  * between CURL_BEGIN and CURL_END.
3769  */
3770 static int
3771 parse_pattern_or_prop(FILE *fp, char *argvec[], char **leftover)
3772 {
3773 	char *cp;
3774 	int i = 0;
3775 	boolean_t curl_begin_seen = B_FALSE;
3776 	char ibuf[MAXLEN];
3777 	char *tmp_buf;
3778 	char *buf;
3779 	boolean_t new_stuff;
3780 
3781 	/*
3782 	 * When parsing properties, leftover buffer could have the
3783 	 * leftovers of the previous fgets().
3784 	 */
3785 	if (*leftover != NULL) {
3786 		buf = *leftover;
3787 		new_stuff = B_FALSE;
3788 		goto scan;
3789 	}
3790 	while (fgets(ibuf, MAXLEN, fp) != NULL) {
3791 		new_stuff = B_TRUE;
3792 #ifdef DEBUG_HEAVY
3793 		(void) printf("%s\n", ibuf);
3794 #endif
3795 		if (ibuf[strlen(ibuf) - 1] == '\n')
3796 			linecount++;
3797 		buf = ibuf;
3798 scan:
3799 		/* Truncate at the beginning of a comment */
3800 		cp = strchr(buf, '#');
3801 		if (cp != NULL)
3802 			*cp = NULL;
3803 
3804 		/* Skip any whitespace */
3805 		while (*buf != NULL && isspace(*buf))
3806 			buf++;
3807 
3808 		/* Empty line */
3809 		if (*buf == NULL)
3810 			continue;
3811 		/*
3812 		 * Store the command for error reporting
3813 		 * and ipsec_conf_add().
3814 		 */
3815 		if (new_stuff) {
3816 			/*
3817 			 * Check for buffer overflow including the null
3818 			 * terminating character.
3819 			 */
3820 			int len = strlen(ibuf);
3821 			if ((cbuf_offset + len + 1) >= CBUF_LEN)
3822 				return (-1);
3823 			(void) strcpy(cbuf + cbuf_offset, ibuf);
3824 			cbuf_offset += len;
3825 		}
3826 		/*
3827 		 * First non-space character should be
3828 		 * a curly bracket.
3829 		 */
3830 		if (!curl_begin_seen) {
3831 			if (*buf != CURL_BEGIN) {
3832 				/*
3833 				 * If we never read a newline character,
3834 				 * we don't want to print 0.
3835 				 */
3836 				warnx(gettext("line %d : line must start "
3837 				    "with \"{\" character"),
3838 				    (linecount == 0) ? 1 : linecount);
3839 				return (-1);
3840 			}
3841 			buf++;
3842 			curl_begin_seen = B_TRUE;
3843 		}
3844 		/*
3845 		 * Arguments are separated by white spaces or
3846 		 * newlines. Scan till you see a CURL_END.
3847 		 */
3848 		while (*buf != NULL) {
3849 			if (*buf == CURL_END) {
3850 ret:
3851 				*buf++ = NULL;
3852 				/*
3853 				 * Copy the rest of the line into the
3854 				 * leftover buffer if any.
3855 				 */
3856 				if (*buf != NULL) {
3857 					(void) strlcpy(lo_buf, buf,
3858 					    sizeof (lo_buf));
3859 					*leftover = lo_buf;
3860 				} else {
3861 					*leftover = NULL;
3862 				}
3863 				return (PARSE_SUCCESS);
3864 			}
3865 			/*
3866 			 * Skip any trailing whitespace until we see a
3867 			 * non white-space character.
3868 			 */
3869 			while (*buf != NULL && isspace(*buf))
3870 				buf++;
3871 
3872 			if (*buf == CURL_END)
3873 				goto ret;
3874 
3875 			/* Scan the next line as this buffer is empty */
3876 			if (*buf == NULL)
3877 				break;
3878 
3879 			if (i >= MAXARGS) {
3880 				warnx(
3881 				    gettext("Number of Arguments exceeded %d"),
3882 				    i);
3883 				return (-1);
3884 			}
3885 			/*
3886 			 * Non-empty, Non-space buffer.
3887 			 */
3888 			tmp_buf = buf++;
3889 			/*
3890 			 * Real scan of the argument takes place here.
3891 			 * Skip past till space or CURL_END.
3892 			 */
3893 			while (*buf != NULL && !isspace(*buf) &&
3894 			    *buf != CURL_END) {
3895 				buf++;
3896 			}
3897 			/*
3898 			 * Either a space or we have hit the CURL_END or
3899 			 * the real end.
3900 			 */
3901 			if (*buf != NULL) {
3902 				if (*buf == CURL_END) {
3903 					*buf++ = NULL;
3904 					if ((argvec[i] = malloc(strlen(tmp_buf)
3905 					    + 1)) == NULL) {
3906 						warn("malloc");
3907 						return (ENOMEM);
3908 					}
3909 					if (strlen(tmp_buf) != 0) {
3910 						(void) strcpy(argvec[i],
3911 						    tmp_buf);
3912 						if (argindex >= ARG_BUF_LEN)
3913 							return (-1);
3914 						arg_indices[argindex++] =
3915 						    linecount;
3916 					}
3917 					/*
3918 					 * Copy the rest of the line into the
3919 					 * leftover buffer.
3920 					 */
3921 					if (*buf != NULL) {
3922 						(void) strlcpy(lo_buf, buf,
3923 						    sizeof (lo_buf));
3924 						*leftover = lo_buf;
3925 					} else {
3926 						*leftover = NULL;
3927 					}
3928 					return (PARSE_SUCCESS);
3929 				} else {
3930 					*buf++ = NULL;
3931 				}
3932 			}
3933 			/*
3934 			 * Copy this argument and scan for the buffer more
3935 			 * if it is non-empty. If it is empty scan for
3936 			 * the next line.
3937 			 */
3938 			if ((argvec[i] = malloc(strlen(tmp_buf) + 1)) ==
3939 			    NULL) {
3940 				warn("malloc");
3941 				return (ENOMEM);
3942 			}
3943 			(void) strcpy(argvec[i++], tmp_buf);
3944 			if (argindex >= ARG_BUF_LEN)
3945 				return (-1);
3946 			arg_indices[argindex++] = linecount;
3947 		}
3948 	}
3949 	/*
3950 	 * If nothing is given in the file, it is okay.
3951 	 * If something is given in the file and it is
3952 	 * not CURL_BEGIN, we would have returned error
3953 	 * above. If curl_begin_seen and we are here,
3954 	 * something is wrong.
3955 	 */
3956 	if (curl_begin_seen)
3957 		return (-1);
3958 	return (PARSE_EOF);		/* Nothing more in the file */
3959 }
3960 
3961 /*
3962  * Parse one command i.e {pattern} action {properties}.
3963  *
3964  * {pattern} ( action {prop} | pass | drop ) (or ...)*
3965  */
3966 static int
3967 parse_one(FILE *fp, act_prop_t *act_props)
3968 {
3969 	char *leftover;
3970 	int ret;
3971 	int i;
3972 	int ap_num = 0;
3973 	enum parse_state {pattern, action, prop } pstate;
3974 
3975 	has_daprefix = has_saprefix = B_FALSE;
3976 
3977 	(void) memset(act_props, 0, sizeof (act_prop_t));
3978 	pstate = pattern;
3979 
3980 	ret = 0;
3981 	leftover = NULL;
3982 	argindex = 0;
3983 	cbuf_offset = 0;
3984 	assert(shp == NULL && dhp == NULL);
3985 
3986 
3987 	for (;;) {
3988 		switch (pstate) {
3989 		case pattern:
3990 		{
3991 #ifdef DEBUG_HEAVY
3992 			(void) printf("pattern\n");
3993 #endif
3994 			ret = parse_pattern_or_prop(fp,
3995 			    act_props->pattern, &leftover);
3996 			if (ret == PARSE_EOF) {
3997 				/* EOF reached */
3998 				return (0);
3999 			}
4000 			if (ret != 0) {
4001 				goto err;
4002 			}
4003 			pstate = action;
4004 			break;
4005 		}
4006 		case action:
4007 		{
4008 #ifdef DEBUG_HEAVY
4009 			(void) printf("action\n");
4010 #endif
4011 			ret = parse_action(fp,
4012 			    &act_props->ap[ap_num].act, &leftover);
4013 			if (ret != 0) {
4014 				goto err;
4015 			}
4016 
4017 			/*
4018 			 * Validate action now itself so that we don't
4019 			 * proceed too much into the bad world.
4020 			 */
4021 			for (i = 0; action_table[i].string; i++) {
4022 				if (strcmp(act_props->ap[ap_num].act,
4023 				    action_table[i].string) == 0)
4024 					break;
4025 			}
4026 
4027 			if (action_table[i].tok_val == TOK_or) {
4028 				/* hit an or, go again */
4029 				break;
4030 			}
4031 
4032 			if (action_table[i].string == NULL) {
4033 				/*
4034 				 * If we never read a newline
4035 				 * character, we don't want
4036 				 * to print 0.
4037 				 */
4038 				warnx(gettext("(parsing one command)"
4039 				    "Invalid action on line %d: %s"),
4040 				    (linecount == 0) ? 1 : linecount,
4041 				    act_props->ap[ap_num].act);
4042 				return (-1);
4043 			}
4044 
4045 			pstate = prop;
4046 			break;
4047 		}
4048 		case prop:
4049 		{
4050 #ifdef DEBUG_HEAVY
4051 			(void) printf("prop\n");
4052 #endif
4053 			ret = parse_pattern_or_prop(fp,
4054 			    act_props->ap[ap_num].prop, &leftover);
4055 			if (ret != 0) {
4056 				goto err;
4057 			}
4058 
4059 			if (leftover != NULL) {
4060 				/* Accomodate spaces at the end */
4061 				while (*leftover != NULL) {
4062 					if (*leftover == 'o') {
4063 						leftover++;
4064 						if (*leftover == 'r') {
4065 							leftover++;
4066 							ap_num++;
4067 							if (ap_num > MAXARGS)
4068 								return (1);
4069 							pstate = action;
4070 							goto again;
4071 						}
4072 
4073 					}
4074 					if (!isspace(*leftover)) {
4075 						ret = -1;
4076 						goto err;
4077 					}
4078 					leftover++;
4079 				}
4080 				return (0);
4081 			}
4082 			ap_num++;
4083 			if (ap_num > MAXARGS)
4084 				return (0);
4085 			pstate = action; /* or */
4086 			break;
4087 		} /* case prop: */
4088 		} /* switch(pstate) */
4089 
4090 again:
4091 		if (ap_num > MAXARGS)
4092 			return (0);
4093 	} /* while(1) */
4094 err:
4095 	if (ret != 0) {
4096 		/*
4097 		 * If we never read a newline character, we don't want
4098 		 * to print 0.
4099 		 */
4100 		warnx(gettext("Error before or at line %d"),
4101 		    (linecount == 0) ? 1 : linecount);
4102 	}
4103 	return (ret);
4104 }
4105 
4106 /*
4107  * convert an act_propts_t to an ips_conf_t
4108  */
4109 
4110 static int
4111 form_ipsec_conf(act_prop_t *act_props, ips_conf_t *cptr)
4112 {
4113 	int i, j, k;
4114 	int tok_count = 0;
4115 	struct protoent *pent;
4116 	boolean_t saddr, daddr, ipsec_aalg, ipsec_ealg, ipsec_eaalg, dir;
4117 	boolean_t old_style, new_style;
4118 	struct in_addr mask;
4119 	int line_no;
4120 	int ret;
4121 	int ap_num = 0;
4122 	int type, code, type_end, code_end;
4123 #ifdef DEBUG_HEAVY
4124 	/*
4125 	 * pattern => act_props->pattern
4126 	 * action => act_props->ap[].act
4127 	 * properties => act_props->ap[].prop
4128 	 */
4129 	(void) printf("\npattern\n------------\n");
4130 	for (i = 0; act_props->pattern[i] != NULL; i++)
4131 		(void) printf("%s\n", act_props->pattern[i]);
4132 	(void) printf("apz\n----------\n");
4133 	for (j = 0; act_props->ap[j].act != NULL; j++) {
4134 
4135 		(void) printf("act%d->%s\n", j, act_props->ap[j].act);
4136 		for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
4137 			(void) printf("%dprop%d->%s\n",
4138 			    j, i, act_props->ap[j].prop[i]);
4139 	}
4140 	(void) printf("------------\n\n");
4141 #endif
4142 
4143 	(void) memset(cptr, 0, sizeof (ips_conf_t));
4144 	saddr = daddr = ipsec_aalg = ipsec_ealg = ipsec_eaalg = dir = B_FALSE;
4145 	old_style = new_style = B_FALSE;
4146 	/*
4147 	 * Get the Pattern. NULL pattern is valid.
4148 	 */
4149 	for (i = 0, line_no = 0; act_props->pattern[i]; i++, line_no++) {
4150 		for (j = 0; pattern_table[j].string; j++) {
4151 			if (strcmp(act_props->pattern[i],
4152 			    pattern_table[j].string) == 0)
4153 				break;
4154 		}
4155 
4156 		if (pattern_table[j].string == NULL) {
4157 			/*
4158 			 * If we never read a newline character, we don't want
4159 			 * to print 0.
4160 			 */
4161 			warnx(gettext("Invalid pattern on line %d: %s"),
4162 			    (arg_indices[line_no] == 0) ? 1 :
4163 			    arg_indices[line_no], act_props->pattern[i]);
4164 			return (-1);
4165 		}
4166 
4167 		cptr->patt_tok[tok_count++] = pattern_table[j].tok_val;
4168 
4169 		switch (pattern_table[j].tok_val) {
4170 
4171 		case TOK_dir:
4172 			i++, line_no++;
4173 			if (act_props->pattern[i] == NULL) {
4174 				error_message(BAD_ERROR,
4175 				    IPSEC_CONF_IPSEC_DIR, line_no);
4176 				return (-1);
4177 			}
4178 
4179 			if (strncmp(act_props->pattern[i], "in", 2) == 0) {
4180 				cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
4181 			} else if (strncmp(
4182 			    act_props->pattern[i], "out", 3) == 0) {
4183 				cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
4184 			} else if (strncmp(
4185 			    act_props->pattern[i], "both", 4) == 0) {
4186 				if (old_style) {
4187 					error_message(BAD_ERROR,
4188 					    IPSEC_CONF_IPSEC_DIR, line_no);
4189 					return (-1);
4190 				}
4191 				new_style = B_TRUE;
4192 				cptr->ips_dir =
4193 				    SPD_RULE_FLAG_OUTBOUND |
4194 				    SPD_RULE_FLAG_INBOUND;
4195 			} else {
4196 				error_message(BAD_ERROR,
4197 				    IPSEC_CONF_IPSEC_DIR, line_no);
4198 				return (-1);
4199 			}
4200 			dir = B_TRUE;
4201 			break;
4202 
4203 		case TOK_local:
4204 			if (old_style) {
4205 				error_message(BAD_ERROR,
4206 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4207 				return (-1);
4208 			}
4209 			new_style = B_TRUE;
4210 
4211 			if (saddr) {
4212 				error_message(DUP_ERROR,
4213 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4214 				return (-1);
4215 			}
4216 			/*
4217 			 * Use this to detect duplicates rather
4218 			 * than 0 like other cases, because 0 for
4219 			 * address means INADDR_ANY.
4220 			 */
4221 			saddr = B_TRUE;
4222 			cptr->has_saddr = 1;
4223 			/*
4224 			 * Advance to the string containing
4225 			 * the address.
4226 			 */
4227 			i++, line_no++;
4228 			if (act_props->pattern[i] == NULL) {
4229 				error_message(BAD_ERROR,
4230 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4231 				return (-1);
4232 			}
4233 			if (parse_address(IPSEC_CONF_SRC_ADDRESS,
4234 			    act_props->pattern[i]) != 0) {
4235 				error_message(BAD_ERROR,
4236 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4237 				return (-1);
4238 			}
4239 			if (!cptr->has_smask)
4240 				cptr->has_smask = has_saprefix;
4241 
4242 			break;
4243 		case TOK_remote:
4244 			if (old_style) {
4245 				error_message(BAD_ERROR,
4246 				    IPSEC_CONF_DST_ADDRESS, line_no);
4247 				return (-1);
4248 			}
4249 			new_style = B_TRUE;
4250 
4251 			if (daddr) {
4252 				error_message(DUP_ERROR,
4253 				    IPSEC_CONF_DST_ADDRESS, line_no);
4254 				return (-1);
4255 			}
4256 			/*
4257 			 * Use this to detect duplicates rather
4258 			 * than 0 like other cases, because 0 for
4259 			 * address means INADDR_ANY.
4260 			 */
4261 			daddr = B_TRUE;
4262 			cptr->has_daddr = 1;
4263 			/*
4264 			 * Advance to the string containing
4265 			 * the address.
4266 			 */
4267 			i++, line_no++;
4268 			if (act_props->pattern[i] == NULL) {
4269 				error_message(BAD_ERROR,
4270 				    IPSEC_CONF_DST_ADDRESS, line_no);
4271 				return (-1);
4272 			}
4273 			if (parse_address(IPSEC_CONF_DST_ADDRESS,
4274 			    act_props->pattern[i]) != 0) {
4275 				error_message(BAD_ERROR,
4276 				    IPSEC_CONF_DST_ADDRESS, line_no);
4277 				return (-1);
4278 			}
4279 			if (!cptr->has_dmask)
4280 				cptr->has_dmask = has_daprefix;
4281 			break;
4282 
4283 		case TOK_saddr:
4284 			if (new_style) {
4285 				error_message(BAD_ERROR,
4286 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4287 				return (-1);
4288 			}
4289 			old_style = B_TRUE;
4290 
4291 			if (saddr) {
4292 				error_message(DUP_ERROR,
4293 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4294 				return (-1);
4295 			}
4296 			/*
4297 			 * Use this to detect duplicates rather
4298 			 * than 0 like other cases, because 0 for
4299 			 * address means INADDR_ANY.
4300 			 */
4301 			saddr = B_TRUE;
4302 			cptr->has_saddr = 1;
4303 			/*
4304 			 * Advance to the string containing
4305 			 * the address.
4306 			 */
4307 			i++, line_no++;
4308 			if (act_props->pattern[i] == NULL) {
4309 				error_message(BAD_ERROR,
4310 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4311 				return (-1);
4312 			}
4313 
4314 			if (parse_address(IPSEC_CONF_SRC_ADDRESS,
4315 			    act_props->pattern[i]) != 0) {
4316 				error_message(BAD_ERROR,
4317 				    IPSEC_CONF_SRC_ADDRESS, line_no);
4318 				return (-1);
4319 			}
4320 			/* shp or bhp? */
4321 			if (!cptr->has_smask)
4322 				cptr->has_smask = has_saprefix;
4323 			break;
4324 
4325 		case TOK_daddr:
4326 			if (new_style) {
4327 				error_message(BAD_ERROR,
4328 				    IPSEC_CONF_DST_ADDRESS, line_no);
4329 				return (-1);
4330 			}
4331 			old_style = B_TRUE;
4332 
4333 			if (daddr) {
4334 				error_message(DUP_ERROR,
4335 				    IPSEC_CONF_DST_ADDRESS, line_no);
4336 				return (-1);
4337 			}
4338 			/*
4339 			 * Use this to detect duplicates rather
4340 			 * than 0 like other cases, because 0 for
4341 			 * address means INADDR_ANY.
4342 			 */
4343 			daddr = B_TRUE;
4344 			cptr->has_daddr = 1;
4345 			/*
4346 			 * Advance to the string containing
4347 			 * the address.
4348 			 */
4349 			i++, line_no++;
4350 			if (act_props->pattern[i] == NULL) {
4351 				error_message(BAD_ERROR,
4352 				    IPSEC_CONF_DST_ADDRESS, line_no);
4353 				return (-1);
4354 			}
4355 			if (parse_address(IPSEC_CONF_DST_ADDRESS,
4356 			    act_props->pattern[i]) != 0) {
4357 				error_message(BAD_ERROR,
4358 				    IPSEC_CONF_DST_ADDRESS, line_no);
4359 				return (-1);
4360 			}
4361 			if (!cptr->has_dmask)
4362 				cptr->has_dmask = has_daprefix;
4363 			break;
4364 
4365 		case TOK_sport:
4366 			if (new_style) {
4367 				error_message(BAD_ERROR,
4368 				    IPSEC_CONF_SRC_PORT, line_no);
4369 				return (-1);
4370 			}
4371 			old_style = B_TRUE;
4372 
4373 			if (cptr->ips_src_port_min != 0) {
4374 				error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT,
4375 				    line_no);
4376 				return (-1);
4377 			}
4378 			i++, line_no++;
4379 			if (act_props->pattern[i] == NULL) {
4380 				error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4381 				    line_no);
4382 				return (-1);
4383 			}
4384 			ret = parse_port(IPSEC_CONF_SRC_PORT,
4385 			    act_props->pattern[i], cptr);
4386 			if (ret != 0) {
4387 				error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4388 				    line_no);
4389 				return (-1);
4390 			}
4391 			break;
4392 		case TOK_dport:
4393 			if (new_style) {
4394 				error_message(BAD_ERROR,
4395 				    IPSEC_CONF_DST_PORT, line_no);
4396 				return (-1);
4397 			}
4398 			old_style = B_TRUE;
4399 
4400 			if (cptr->ips_dst_port_min != 0) {
4401 				error_message(DUP_ERROR, IPSEC_CONF_DST_PORT,
4402 				    line_no);
4403 				return (-1);
4404 			}
4405 			i++, line_no++;
4406 			if (act_props->pattern[i] == NULL) {
4407 				error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4408 				    line_no);
4409 				return (-1);
4410 			}
4411 			ret = parse_port(IPSEC_CONF_DST_PORT,
4412 			    act_props->pattern[i],
4413 			    cptr);
4414 			if (ret != 0) {
4415 				error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4416 				    line_no);
4417 				return (-1);
4418 			}
4419 			break;
4420 
4421 		case TOK_lport:
4422 			if (old_style) {
4423 				error_message(BAD_ERROR,
4424 				    IPSEC_CONF_SRC_PORT, line_no);
4425 				return (-1);
4426 			}
4427 			new_style = B_TRUE;
4428 
4429 			if (cptr->ips_src_port_min != 0) {
4430 				error_message(DUP_ERROR, IPSEC_CONF_SRC_PORT,
4431 				    line_no);
4432 				return (-1);
4433 			}
4434 			i++, line_no++;
4435 			if (act_props->pattern[i] == NULL) {
4436 				error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4437 				    line_no);
4438 				return (-1);
4439 			}
4440 			ret = parse_port(IPSEC_CONF_SRC_PORT,
4441 			    act_props->pattern[i],
4442 			    cptr);
4443 			if (ret != 0) {
4444 				error_message(BAD_ERROR, IPSEC_CONF_SRC_PORT,
4445 				    line_no);
4446 				return (-1);
4447 			}
4448 			break;
4449 
4450 		case TOK_rport:
4451 			if (old_style) {
4452 				error_message(BAD_ERROR,
4453 				    IPSEC_CONF_DST_PORT, line_no);
4454 				return (-1);
4455 			}
4456 			new_style = B_TRUE;
4457 
4458 			if (cptr->ips_dst_port_min != 0) {
4459 				error_message(DUP_ERROR, IPSEC_CONF_DST_PORT,
4460 				    line_no);
4461 				return (-1);
4462 			}
4463 			i++, line_no++;
4464 			if (act_props->pattern[i] == NULL) {
4465 				error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4466 				    line_no);
4467 				return (-1);
4468 			}
4469 			ret = parse_port(IPSEC_CONF_DST_PORT,
4470 			    act_props->pattern[i],
4471 			    cptr);
4472 			if (ret != 0) {
4473 				error_message(BAD_ERROR, IPSEC_CONF_DST_PORT,
4474 				    line_no);
4475 				return (-1);
4476 			}
4477 			break;
4478 
4479 		case TOK_smask:
4480 			if (new_style) {
4481 				error_message(BAD_ERROR,
4482 				    IPSEC_CONF_SRC_MASK, line_no);
4483 				return (-1);
4484 			}
4485 			old_style = B_TRUE;
4486 			cptr->has_smask = B_TRUE;
4487 
4488 			IN6_V4MAPPED_TO_INADDR(&cptr->ips_src_mask_v6, &mask);
4489 			if (mask.s_addr != 0) {
4490 				error_message(DUP_ERROR, IPSEC_CONF_SRC_MASK,
4491 				    line_no);
4492 				return (-1);
4493 			}
4494 			i++, line_no++;
4495 			if (act_props->pattern[i] == NULL) {
4496 				error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK,
4497 				    line_no);
4498 				return (-1);
4499 			}
4500 			ret = parse_mask(IPSEC_CONF_SRC_MASK,
4501 			    act_props->pattern[i],
4502 			    cptr);
4503 			if (ret != 0) {
4504 				error_message(BAD_ERROR, IPSEC_CONF_SRC_MASK,
4505 				    line_no);
4506 				return (-1);
4507 			}
4508 			break;
4509 		case TOK_dmask:
4510 			if (new_style) {
4511 				error_message(BAD_ERROR,
4512 				    IPSEC_CONF_DST_MASK, line_no);
4513 				return (-1);
4514 			}
4515 			old_style = B_TRUE;
4516 			cptr->has_dmask = B_TRUE;
4517 
4518 			IN6_V4MAPPED_TO_INADDR(&cptr->ips_dst_mask_v6, &mask);
4519 			if (mask.s_addr != 0) {
4520 				error_message(DUP_ERROR, IPSEC_CONF_DST_MASK,
4521 				    line_no);
4522 				return (-1);
4523 			}
4524 			i++, line_no++;
4525 			if (act_props->pattern[i] == NULL) {
4526 				error_message(BAD_ERROR, IPSEC_CONF_DST_MASK,
4527 				    line_no);
4528 				return (-1);
4529 			}
4530 			ret = parse_mask(IPSEC_CONF_DST_MASK,
4531 			    act_props->pattern[i],
4532 			    cptr);
4533 			if (ret != 0) {
4534 				error_message(BAD_ERROR, IPSEC_CONF_DST_MASK,
4535 				    line_no);
4536 				return (-1);
4537 			}
4538 			break;
4539 		case TOK_ulp:
4540 			if (cptr->ips_ulp_prot != 0) {
4541 				error_message(DUP_ERROR,
4542 				    IPSEC_CONF_ULP, line_no);
4543 				return (-1);
4544 			}
4545 			i++, line_no++;
4546 			if (act_props->pattern[i] == NULL) {
4547 				error_message(BAD_ERROR,
4548 				    IPSEC_CONF_ULP, line_no);
4549 				return (-1);
4550 			}
4551 			pent = getprotobyname(act_props->pattern[i]);
4552 			if (pent == NULL) {
4553 				int ulp;
4554 				ulp = parse_int(act_props->pattern[i]);
4555 				if (ulp == -1) {
4556 					error_message(BAD_ERROR,
4557 					    IPSEC_CONF_ULP, line_no);
4558 					return (-1);
4559 				}
4560 				cptr->ips_ulp_prot = ulp;
4561 			} else {
4562 				cptr->ips_ulp_prot = pent->p_proto;
4563 			}
4564 			break;
4565 		case TOK_type:
4566 			if (cptr->has_type) {
4567 				error_message(DUP_ERROR,
4568 				    IPSEC_CONF_ICMP_TYPE, line_no);
4569 				return (-1);
4570 			}
4571 
4572 			i++, line_no++;
4573 			type = parse_type_code(act_props->pattern[i],
4574 			    icmp_type_table);
4575 
4576 			if (type > 65536 || type < 0) {
4577 				error_message(BAD_ERROR,
4578 				    IPSEC_CONF_ICMP_TYPE, line_no);
4579 				return (-1);
4580 			}
4581 
4582 			type_end = type / 256;
4583 			type = type % 256;
4584 
4585 			if (type_end < type)
4586 				type_end = type;
4587 
4588 			cptr->has_type = 1;
4589 			cptr->ips_icmp_type = (uint8_t)type;
4590 			cptr->ips_icmp_type_end = (uint8_t)type_end;
4591 			break;
4592 		case TOK_code:
4593 			if (!cptr->has_type) {
4594 				error_message(BAD_ERROR,
4595 				    IPSEC_CONF_ICMP_CODE, line_no);
4596 				return (-1);
4597 			}
4598 
4599 			if (cptr->has_code) {
4600 				error_message(DUP_ERROR,
4601 				    IPSEC_CONF_ICMP_CODE, line_no);
4602 				return (-1);
4603 			}
4604 
4605 			i++, line_no++;
4606 
4607 			code = parse_type_code(act_props->pattern[i],
4608 			    icmp_code_table);
4609 			if (type > 65536 || type < 0) {
4610 				error_message(BAD_ERROR,
4611 				    IPSEC_CONF_ICMP_CODE, line_no);
4612 				return (-1);
4613 			}
4614 			code_end = code / 256;
4615 			code = code % 256;
4616 
4617 			if (code_end < code)
4618 				code_end = code;
4619 
4620 			cptr->has_code = 1;
4621 			cptr->ips_icmp_code = (uint8_t)code;
4622 			cptr->ips_icmp_code_end = (uint8_t)code_end;
4623 			break;
4624 		case TOK_tunnel:
4625 			if (cptr->has_tunnel == 1) {
4626 				error_message(BAD_ERROR,
4627 				    IPSEC_CONF_TUNNEL, line_no);
4628 				return (-1);
4629 			}
4630 			i++, line_no++;
4631 			if (act_props->pattern[i] == NULL) {
4632 				error_message(BAD_ERROR,
4633 				    IPSEC_CONF_TUNNEL, line_no);
4634 				return (-1);
4635 			}
4636 
4637 			if (strlcpy(tunif, act_props->pattern[i],
4638 			    TUNNAMEMAXLEN) >= TUNNAMEMAXLEN) {
4639 				error_message(BAD_ERROR,
4640 				    IPSEC_CONF_TUNNEL, line_no);
4641 				return (-1);
4642 			}
4643 			cptr->has_tunnel = 1;
4644 			break;
4645 		case TOK_negotiate:
4646 			if (cptr->has_negotiate == 1) {
4647 				error_message(BAD_ERROR,
4648 				    IPSEC_CONF_NEGOTIATE, line_no);
4649 				return (-1);
4650 			}
4651 			i++, line_no++;
4652 			if (act_props->pattern[i] == NULL) {
4653 				error_message(BAD_ERROR,
4654 				    IPSEC_CONF_NEGOTIATE, line_no);
4655 				return (-1);
4656 			}
4657 
4658 			if (strncmp(act_props->pattern[i], "tunnel", 6) == 0) {
4659 				cptr->ips_tunnel = B_TRUE;
4660 			} else if (strncmp(
4661 			    act_props->pattern[i], "transport", 9) != 0) {
4662 				error_message(BAD_ERROR,
4663 				    IPSEC_CONF_NEGOTIATE, line_no);
4664 				return (-1);
4665 			}
4666 			cptr->has_negotiate = 1;
4667 			break;
4668 		}
4669 
4670 	}
4671 
4672 	/* Sanity check that certain tokens occur together */
4673 	if (cptr->has_tunnel + cptr->has_negotiate == 1) {
4674 		if (cptr->has_negotiate == 0) {
4675 			error_message(REQ_ERROR, IPSEC_CONF_NEGOTIATE, line_no);
4676 		} else {
4677 			error_message(REQ_ERROR, IPSEC_CONF_TUNNEL, line_no);
4678 		}
4679 		errx(1, gettext(
4680 		    "tunnel and negotiate tokens must occur together"));
4681 		return (-1);
4682 	}
4683 
4684 	/*
4685 	 * Get the actions.
4686 	 */
4687 
4688 	for (ap_num = 0; act_props->ap[ap_num].act != NULL; ap_num++) {
4689 		ips_act_props_t *iap;
4690 
4691 		if (ap_num > 0) {
4692 			/* or's only with new style */
4693 			if (old_style) {
4694 				(void) printf("%s\n", gettext(
4695 				    "or's only with new style"));
4696 				return (-1);
4697 			}
4698 			new_style = B_TRUE;
4699 		}
4700 
4701 		ipsec_aalg = ipsec_ealg = ipsec_eaalg = B_FALSE;
4702 		tok_count = 0;
4703 
4704 		for (k = 0; action_table[k].string; k++) {
4705 			if (strcmp(act_props->ap[ap_num].act,
4706 			    action_table[k].string) == 0)
4707 				break;
4708 		}
4709 		/*
4710 		 * The following thing should never happen as
4711 		 * we have already tested for its validity in parse.
4712 		 */
4713 		if (action_table[k].string == NULL) {
4714 			warnx(gettext("(form act)Invalid action on line "
4715 			    "%d: %s"), (arg_indices[line_no] == 0) ? 1 :
4716 			    arg_indices[line_no],
4717 			    act_props->ap[ap_num].act);
4718 			warnx("%s", act_props->ap[ap_num].act);
4719 			return (-1);
4720 		}
4721 
4722 		/* we have a good action alloc an iap */
4723 		iap = alloc_iap(cptr);
4724 
4725 		iap->iap_action = action_table[k].value;
4726 		iap->iap_act_tok = action_table[k].tok_val;
4727 
4728 		switch (action_table[k].tok_val) {
4729 		case TOK_apply:
4730 			cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
4731 			break;
4732 		case TOK_permit:
4733 			cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
4734 			break;
4735 		case TOK_ipsec:
4736 			if (old_style) {
4737 				/* Using saddr/daddr with ipsec action. */
4738 				if (!dir) {
4739 					/* No direction specified */
4740 					error_message(REQ_ERROR,
4741 					    IPSEC_CONF_IPSEC_DIR, line_no);
4742 					return (-1);
4743 				}
4744 				if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND)
4745 					/*
4746 					 * Need to swap addresses if
4747 					 * 'dir in' or translation to
4748 					 * laddr/raddr will be incorrect.
4749 					 */
4750 					cptr->swap = 1;
4751 			}
4752 			if (!dir)
4753 				cptr->ips_dir =
4754 				    SPD_RULE_FLAG_INBOUND
4755 				    |SPD_RULE_FLAG_OUTBOUND;
4756 			break;
4757 		case TOK_bypass:
4758 			/* do something? */
4759 			break;
4760 		}
4761 
4762 		line_no++;
4763 		/*
4764 		 * Get the properties. NULL properties is not valid.
4765 		 * Later checks will catch it.
4766 		 */
4767 		for (i = 0; act_props->ap[ap_num].prop[i]; i++, line_no++) {
4768 			for (j = 0; property_table[j].string; j++) {
4769 				if (strcmp(act_props->ap[ap_num].prop[i],
4770 				    property_table[j].string) == 0) {
4771 					break;
4772 				}
4773 			}
4774 			if (property_table[j].string == NULL) {
4775 				warnx(gettext("Invalid properties on line "
4776 				    "%d: %s"),
4777 					(arg_indices[line_no] == 0) ?
4778 				    1 : arg_indices[line_no],
4779 				    act_props->ap[ap_num].prop[i]);
4780 				return (-1);
4781 			}
4782 
4783 			iap->iap_attr_tok[tok_count++]
4784 			    = property_table[j].value;
4785 
4786 			switch (property_table[j].value) {
4787 			case SPD_ATTR_AH_AUTH:
4788 				if (ipsec_aalg) {
4789 					error_message(DUP_ERROR,
4790 					    IPSEC_CONF_IPSEC_AALGS, line_no);
4791 					return (-1);
4792 				}
4793 				i++, line_no++;
4794 				if (act_props->ap[ap_num].prop[i] == NULL) {
4795 					error_message(BAD_ERROR,
4796 					    IPSEC_CONF_IPSEC_AALGS, line_no);
4797 					return (-1);
4798 				}
4799 				ret = parse_ipsec_alg(
4800 				    act_props->ap[ap_num].prop[i],
4801 				    iap, SPD_ATTR_AH_AUTH);
4802 				if (ret == -2) {
4803 					/* "none" - ignore */
4804 					break;
4805 				}
4806 				if (ret != 0) {
4807 					error_message(BAD_ERROR,
4808 					    IPSEC_CONF_IPSEC_AALGS, line_no);
4809 					return (-1);
4810 				}
4811 				ipsec_aalg = B_TRUE;
4812 				break;
4813 			case SPD_ATTR_ESP_ENCR:
4814 				/*
4815 				 * If this option was not given
4816 				 * and encr_auth_algs was given,
4817 				 * we provide null-encryption.  We do the
4818 				 * setting after we parse all the options.
4819 				 */
4820 				if (ipsec_ealg) {
4821 					error_message(DUP_ERROR,
4822 					    IPSEC_CONF_IPSEC_EALGS, line_no);
4823 					return (-1);
4824 				}
4825 				i++, line_no++;
4826 				if (act_props->ap[ap_num].prop[i] == NULL) {
4827 					error_message(BAD_ERROR,
4828 					    IPSEC_CONF_IPSEC_EALGS, line_no);
4829 					return (-1);
4830 				}
4831 				ret = parse_ipsec_alg(
4832 				    act_props->ap[ap_num].prop[i],
4833 				    iap, SPD_ATTR_ESP_ENCR);
4834 				if (ret == -2) {
4835 					/* "none" - ignore */
4836 					break;
4837 				}
4838 				if (ret != 0) {
4839 					error_message(BAD_ERROR,
4840 					    IPSEC_CONF_IPSEC_EALGS, line_no);
4841 					return (-1);
4842 				}
4843 				ipsec_ealg = B_TRUE;
4844 				break;
4845 			case SPD_ATTR_ESP_AUTH:
4846 				/*
4847 				 * If this option was not given and encr_algs
4848 				 * option was given, we still pass a default
4849 				 * value in ipsc_esp_auth_algs. This is to
4850 				 * encourage the use of authentication with
4851 				 * ESP.
4852 				 */
4853 				if (ipsec_eaalg) {
4854 					error_message(DUP_ERROR,
4855 					    IPSEC_CONF_IPSEC_EAALGS, line_no);
4856 					return (-1);
4857 				}
4858 				i++, line_no++;
4859 				if (act_props->ap[ap_num].prop[i] == NULL) {
4860 					error_message(BAD_ERROR,
4861 					    IPSEC_CONF_IPSEC_EAALGS, line_no);
4862 					return (-1);
4863 				}
4864 				ret = parse_ipsec_alg(
4865 				    act_props->ap[ap_num].prop[i],
4866 				    iap, SPD_ATTR_ESP_AUTH);
4867 				if (ret == -2) {
4868 					/* "none" - ignore */
4869 					break;
4870 				}
4871 				if (ret != 0) {
4872 					error_message(BAD_ERROR,
4873 					    IPSEC_CONF_IPSEC_EAALGS, line_no);
4874 					return (-1);
4875 				}
4876 				ipsec_eaalg = B_TRUE;
4877 				break;
4878 			case IPS_SA:
4879 				i++, line_no++;
4880 				if (act_props->ap[ap_num].prop[i] == NULL) {
4881 					error_message(BAD_ERROR,
4882 					    IPSEC_CONF_IPSEC_SA, line_no);
4883 					return (-1);
4884 				}
4885 
4886 				if (strcmp(act_props->ap[ap_num].prop[i],
4887 				    "unique") == 0) {
4888 					iap->iap_attr |= SPD_APPLY_UNIQUE;
4889 				} else if (strcmp(act_props->ap[ap_num].prop[i],
4890 				    "shared") != 0) {
4891 					/* "shared" is default. */
4892 					error_message(BAD_ERROR,
4893 					    IPSEC_CONF_IPSEC_SA, line_no);
4894 					return (-1);
4895 				}
4896 
4897 				break;
4898 			case IPS_DIR:
4899 				if (dir) {
4900 					error_message(DUP_ERROR,
4901 					    IPSEC_CONF_IPSEC_DIR, line_no);
4902 					return (-1);
4903 				}
4904 				if (new_style) {
4905 					error_message(BAD_ERROR,
4906 					    IPSEC_CONF_IPSEC_DIR, line_no);
4907 					return (-1);
4908 				}
4909 				old_style = B_TRUE;
4910 				dir = B_TRUE;
4911 				i++, line_no++;
4912 				if (act_props->ap[ap_num].prop[i] == NULL) {
4913 					error_message(BAD_ERROR,
4914 					    IPSEC_CONF_IPSEC_DIR, line_no);
4915 					return (-1);
4916 				}
4917 				if (strcmp(act_props->ap[ap_num].prop[i],
4918 				    "out") == 0) {
4919 					cptr->ips_dir = SPD_RULE_FLAG_OUTBOUND;
4920 				} else if (strcmp(act_props->ap[ap_num].prop[i],
4921 				    "in") == 0) {
4922 					cptr->ips_dir = SPD_RULE_FLAG_INBOUND;
4923 				} else {
4924 					error_message(BAD_ERROR,
4925 					IPSEC_CONF_IPSEC_DIR, line_no);
4926 					return (-1);
4927 				}
4928 				if ((cptr->ips_dir & SPD_RULE_FLAG_INBOUND) &&
4929 					iap->iap_act_tok == TOK_apply) {
4930 					warnx(gettext("Direction"
4931 					    " in conflict with action"));
4932 					return (-1);
4933 				}
4934 				if ((cptr->ips_dir & SPD_RULE_FLAG_OUTBOUND) &&
4935 					iap->iap_act_tok == TOK_permit) {
4936 					warnx(gettext("Direction"
4937 					    "in conflict with action"));
4938 					return (-1);
4939 				}
4940 
4941 				break;
4942 			}
4943 		}
4944 
4945 		if (!ipsec_ealg && ipsec_eaalg) {
4946 			/*
4947 			 * If the user has specified the auth alg to be used
4948 			 * with encryption and did not provide a encryption
4949 			 * algorithm, provide null encryption.
4950 			 */
4951 			iap->iap_eencr.alg_id = SADB_EALG_NULL;
4952 			ipsec_ealg = B_TRUE;
4953 		}
4954 
4955 		/* Set the level of IPSEC protection we want */
4956 		if (ipsec_aalg && (ipsec_ealg || ipsec_eaalg)) {
4957 			iap->iap_attr |= SPD_APPLY_AH|SPD_APPLY_ESP;
4958 		} else if (ipsec_aalg) {
4959 			iap->iap_attr |= SPD_APPLY_AH;
4960 		} else if (ipsec_ealg || ipsec_eaalg) {
4961 			iap->iap_attr |= SPD_APPLY_ESP;
4962 		}
4963 
4964 		/* convert src/dst to local/remote */
4965 		if (!new_style) {
4966 			switch (cptr->ips_acts->iap_act_tok) {
4967 			case TOK_apply:
4968 				/* outbound */
4969 				/* src=local, dst=remote */
4970 				/* this is ok. */
4971 				break;
4972 
4973 			case TOK_permit:
4974 				/* inbound */
4975 				/* src=remote, dst=local */
4976 				/* switch */
4977 				cptr->swap = 1;
4978 				break;
4979 			case TOK_bypass:
4980 			case TOK_drop:
4981 				/* check the direction for what to do */
4982 				if (cptr->ips_dir == SPD_RULE_FLAG_INBOUND)
4983 					cptr->swap = 1;
4984 				break;
4985 			default:
4986 				break;
4987 			}
4988 		}
4989 		/* Validate the properties */
4990 		if (ret = validate_properties(iap, dir,
4991 		    (ipsec_aalg || ipsec_ealg || ipsec_eaalg))) {
4992 			return (ret);
4993 		}
4994 	}
4995 
4996 	return (0);
4997 
4998 }
4999 
5000 static int
5001 print_cmd_buf(FILE *fp, int error)
5002 {
5003 	*(cbuf + cbuf_offset) = '\0';
5004 
5005 	if (fp == stderr) {
5006 		if (error != EEXIST) {
5007 			warnx(gettext("Malformed command (fatal):\n%s"), cbuf);
5008 			return (0);
5009 		}
5010 		if (ipsecconf_qflag) {
5011 			return (0);
5012 		}
5013 		warnx(gettext("Duplicate policy entry (ignored):\n%s"), cbuf);
5014 	} else {
5015 		if (fprintf(fp, "%s", cbuf) == -1) {
5016 			warn("fprintf");
5017 			return (-1);
5018 		}
5019 	}
5020 
5021 	return (0);
5022 }
5023 
5024 #ifdef	DEBUG
5025 
5026 static uchar_t *
5027 addr_ptr(int isv4, struct in6_addr *addr6, struct in_addr *addr4)
5028 {
5029 	if (isv4) {
5030 		IN6_V4MAPPED_TO_INADDR(addr6, addr4);
5031 		return ((uchar_t *)&addr4->s_addr);
5032 	} else {
5033 		return ((uchar_t *)&addr6->s6_addr);
5034 	}
5035 }
5036 
5037 static void
5038 dump_algreq(const char *tag, algreq_t *alg)
5039 {
5040 	(void) printf("%s algid %d, bits %d..%d\n",
5041 	    tag, alg->alg_id, alg->alg_minbits, alg->alg_maxbits);
5042 }
5043 
5044 static void
5045 dump_conf(ips_conf_t *conf)
5046 {
5047 	boolean_t isv4 = conf->ips_isv4;
5048 	struct in_addr addr;
5049 	char buf[INET6_ADDRSTRLEN];
5050 	int af;
5051 	ips_act_props_t *iap = conf->ips_acts;
5052 
5053 	af = isv4 ? AF_INET : AF_INET6;
5054 
5055 	(void) printf("Source Addr is %s\n",
5056 	    inet_ntop(af, addr_ptr(isv4, &conf->ips_src_addr_v6, &addr),
5057 		buf, INET6_ADDRSTRLEN));
5058 
5059 	(void) printf("Dest Addr is %s\n",
5060 	    inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_addr_v6, &addr),
5061 		buf, INET6_ADDRSTRLEN));
5062 
5063 	(void) printf("Source Mask is %s\n",
5064 	    inet_ntop(af, addr_ptr(isv4, &conf->ips_src_mask_v6, &addr),
5065 		buf, INET6_ADDRSTRLEN));
5066 
5067 	(void) printf("Dest Mask is %s\n",
5068 	    inet_ntop(af, addr_ptr(isv4, &conf->ips_dst_mask_v6, &addr),
5069 		buf, INET6_ADDRSTRLEN));
5070 
5071 	(void) printf("Source port %d\n", ntohs(conf->ips_src_port_min));
5072 	(void) printf("Dest port %d\n", ntohs(conf->ips_dst_port_min));
5073 	(void) printf("ULP %d\n", conf->ips_ulp_prot);
5074 
5075 	(void) printf("ICMP type %d-%d code %d-%d", conf->ips_icmp_type,
5076 	    conf->ips_icmp_type_end,
5077 	    conf->ips_icmp_code,
5078 	    conf->ips_icmp_code_end);
5079 
5080 	while (iap != NULL) {
5081 		(void) printf("------------------------------------\n");
5082 		(void) printf("IPsec act is %d\n", iap->iap_action);
5083 		(void) printf("IPsec attr is %d\n", iap->iap_attr);
5084 		dump_algreq("AH authentication", &iap->iap_aauth);
5085 		dump_algreq("ESP authentication", &iap->iap_eauth);
5086 		dump_algreq("ESP encryption", &iap->iap_eencr);
5087 		(void) printf("------------------------------------\n");
5088 		iap = iap->iap_next;
5089 	}
5090 
5091 	(void) fflush(stdout);
5092 }
5093 #endif	/* DEBUG */
5094 
5095 
5096 static int
5097 ipsec_conf_add(boolean_t just_check, boolean_t smf_managed)
5098 {
5099 	act_prop_t *act_props = malloc(sizeof (act_prop_t));
5100 	ips_conf_t conf;
5101 	FILE *fp, *policy_fp;
5102 	int ret, flushret, i, j, diag, num_rules, good_rules;
5103 	char *warning = gettext(
5104 		"\tWARNING : New policy entries that are being added may\n "
5105 		"\taffect the existing connections. Existing connections\n"
5106 		"\tthat are not subjected to policy constraints, may be\n"
5107 		"\tsubjected to policy constraints because of the new\n"
5108 		"\tpolicy. This can disrupt the communication of the\n"
5109 		"\texisting connections.\n\n");
5110 
5111 	boolean_t first_time = B_TRUE;
5112 	num_rules = 0;
5113 	good_rules = 0;
5114 
5115 	if (act_props == NULL) {
5116 		warn(gettext("memory"));
5117 		return (-1);
5118 	}
5119 
5120 	if (strcmp(filename, "-") == 0)
5121 		fp = stdin;
5122 	else
5123 		fp = fopen(filename, "r");
5124 
5125 	/*
5126 	 * Treat the non-existence of a policy file as a special
5127 	 * case when ipsecconf is being managed by smf(5).
5128 	 * The assumption is the administrator has not yet
5129 	 * created a policy file, this should not force the service
5130 	 * into maintenance mode.
5131 	 */
5132 
5133 	if (fp == NULL) {
5134 		if (smf_managed) {
5135 			(void) fprintf(stdout, gettext(
5136 			    "Policy configuration file (%s) does not exist.\n"
5137 			    "IPsec policy not configured.\n"), filename);
5138 			return (0);
5139 		}
5140 		warn(gettext("%s : Policy config file cannot be opened"),
5141 		    filename);
5142 		usage();
5143 		return (-1);
5144 	}
5145 	/*
5146 	 * This will create the file if it does not exist.
5147 	 * Make sure the umask is right.
5148 	 */
5149 	(void) umask(0022);
5150 	policy_fp = fopen(POLICY_CONF_FILE, "a");
5151 	if (policy_fp == NULL) {
5152 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
5153 		return (-1);
5154 	}
5155 
5156 	/*
5157 	 * Pattern, action, and properties are allocated in
5158 	 * parse_pattern_or_prop and in parse_action (called by
5159 	 * parse_one) as we parse arguments.
5160 	 */
5161 	while ((ret = parse_one(fp, act_props)) == 0) {
5162 
5163 		/*
5164 		 * If there is no action and parse returned success,
5165 		 * it means that there is nothing to add.
5166 		 */
5167 
5168 		if (act_props->pattern[0] == NULL &&
5169 		    act_props->ap[0].act == NULL)
5170 				break;
5171 
5172 		num_rules++;
5173 
5174 		ret = form_ipsec_conf(act_props, &conf);
5175 		if (ret != 0) {
5176 			warnx(gettext("form_ipsec_conf error"));
5177 			(void) print_cmd_buf(stderr, NOERROR);
5178 			continue;
5179 		}
5180 
5181 		good_rules++;
5182 
5183 		if (first_time) {
5184 			/*
5185 			 * Time to assume that there are valid policy entries.
5186 			 * If the IPsec kernel modules are not loaded this
5187 			 * will load them now.
5188 			 */
5189 			first_time = B_FALSE;
5190 			fetch_algorithms();
5191 			ipsec_conf_admin(SPD_CLONE);
5192 		}
5193 
5194 		/*
5195 		 * shp, dhp, splen, and dplen are globals set by
5196 		 * form_ipsec_conf() while parsing the addresses.
5197 		 */
5198 		if (shp == NULL && dhp == NULL) {
5199 			switch (do_port_adds(&conf)) {
5200 			case 0:
5201 				/* no error */
5202 				break;
5203 			case EEXIST:
5204 				/* duplicate entries, continue adds */
5205 				(void) print_cmd_buf(stderr, EEXIST);
5206 				goto next;
5207 			default:
5208 				/* other error, bail */
5209 				ret = -1;
5210 				goto bail;
5211 			}
5212 		} else {
5213 			ret = do_address_adds(&conf, &diag);
5214 			switch (ret) {
5215 			case 0:
5216 				/* no error. */
5217 				break;
5218 			case EEXIST:
5219 				(void) print_cmd_buf(stderr, EEXIST);
5220 				goto next;
5221 			case EBUSY:
5222 				warnx(gettext(
5223 					"Can't set mask and /NN prefix."));
5224 				ret = -1;
5225 				break;
5226 			case ENOENT:
5227 				warnx(gettext("Cannot find tunnel "
5228 				    "interface %s."), interface_name);
5229 				ret = -1;
5230 				break;
5231 			case EINVAL:
5232 				/*
5233 				 * PF_POLICY didn't like what we sent.  We
5234 				 * can't check all input up here, but we
5235 				 * do in-kernel.
5236 				 */
5237 				warnx(gettext("PF_POLICY invalid input:\n\t%s"),
5238 				    spdsock_diag(diag));
5239 				break;
5240 			case EOPNOTSUPP:
5241 				warnx(gettext("Can't set /NN"
5242 					" prefix on multi-host name."));
5243 				ret = -1;
5244 				break;
5245 			case ERANGE:
5246 				warnx(gettext("/NN prefix is too big!"));
5247 				ret = -1;
5248 				break;
5249 			case ESRCH:
5250 				warnx(gettext("No matching IPv4 or "
5251 					"IPv6 saddr/daddr pairs"));
5252 				ret = -1;
5253 				break;
5254 			default:
5255 				/* Should never get here. */
5256 				errno = ret;
5257 				warn(gettext("Misc. error"));
5258 				ret = -1;
5259 			}
5260 			if (ret == -1)
5261 				goto bail;
5262 		}
5263 
5264 		/*
5265 		 * Go ahead and add policy entries to config file.
5266 		 * The # should help re-using the ipsecpolicy.conf
5267 		 * for input again as # will be treated as comment.
5268 		 */
5269 		if (fprintf(policy_fp, "%s %lld \n", INDEX_TAG,
5270 		    conf.ips_policy_index) == -1) {
5271 			warn("fprintf");
5272 			warnx(gettext("Addition incomplete, Please "
5273 			    "flush all the entries and re-configure :"));
5274 			reconfigure();
5275 			ret = -1;
5276 			break;
5277 		}
5278 		if (print_cmd_buf(policy_fp, NOERROR) == -1) {
5279 			warnx(gettext("Addition incomplete. Please "
5280 			    "flush all the entries and re-configure :"));
5281 			reconfigure();
5282 			ret = -1;
5283 			break;
5284 		}
5285 		/*
5286 		 * We add one newline by default to separate out the
5287 		 * entries. If the last character is not a newline, we
5288 		 * insert a newline for free. This makes sure that all
5289 		 * entries look consistent in the file.
5290 		 */
5291 		if (*(cbuf + cbuf_offset - 1) == '\n') {
5292 			if (fprintf(policy_fp, "\n") == -1) {
5293 				warn("fprintf");
5294 				warnx(gettext("Addition incomplete. "
5295 				    "Please flush all the entries and "
5296 				    "re-configure :"));
5297 				reconfigure();
5298 				ret = -1;
5299 				break;
5300 			}
5301 		} else {
5302 			if (fprintf(policy_fp, "\n\n") == -1) {
5303 				warn("fprintf");
5304 				warnx(gettext("Addition incomplete. "
5305 				    "Please flush all the entries and "
5306 				    "re-configure :"));
5307 				reconfigure();
5308 				ret = -1;
5309 				break;
5310 			}
5311 		}
5312 next:
5313 		/*
5314 		 * Make sure this gets to the disk before
5315 		 * we parse the next entry.
5316 		 */
5317 		(void) fflush(policy_fp);
5318 		for (i = 0; act_props->pattern[i] != NULL; i++)
5319 			free(act_props->pattern[i]);
5320 		for (j = 0; act_props->ap[j].act != NULL; j++) {
5321 			free(act_props->ap[j].act);
5322 			for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
5323 				free(act_props->ap[j].prop[i]);
5324 		}
5325 	}
5326 bail:
5327 	if (ret == -1) {
5328 		(void) print_cmd_buf(stderr, EINVAL);
5329 		for (i = 0; act_props->pattern[i] != NULL; i++)
5330 			free(act_props->pattern[i]);
5331 		for (j = 0; act_props->ap[j].act != NULL; j++) {
5332 			free(act_props->ap[j].act);
5333 			for (i = 0; act_props->ap[j].prop[i] != NULL; i++)
5334 				free(act_props->ap[j].prop[i]);
5335 		}
5336 	}
5337 #ifdef DEBUG_HEAVY
5338 	(void) printf("ipsec_conf_add: ret val = %d\n", ret);
5339 	(void) fflush(stdout);
5340 #endif
5341 	if (!good_rules) {
5342 		(void) restore_all_signals();
5343 		(void) unlock(lfd);
5344 		EXIT_OK("Policy file does not contain any valid rules.");
5345 	}
5346 	if (smf_managed && !just_check) {
5347 		(void) fprintf(stdout, gettext(
5348 		    "%d policy rules added.\n"), good_rules);
5349 		(void) fflush(stdout);
5350 	}
5351 
5352 	if (num_rules != good_rules) {
5353 		/* This is an error */
5354 		(void) restore_all_signals();
5355 		(void) unlock(lfd);
5356 		EXIT_BADCONFIG2("%d policy rule(s) contained errors.",
5357 		    num_rules - good_rules);
5358 	}
5359 
5360 	/* looks good, flip it in */
5361 	if (ret == 0 && !just_check) {
5362 		if (!ipsecconf_qflag) {
5363 			(void) printf("%s", warning);
5364 		}
5365 		ipsec_conf_admin(SPD_FLIP);
5366 	} else {
5367 		nuke_adds();
5368 		if (just_check) {
5369 			(void) fprintf(stdout, gettext(
5370 			    "IPsec policy was not modified.\n"));
5371 			(void) fflush(stdout);
5372 		}
5373 	}
5374 	flushret = ipsec_conf_flush(SPD_STANDBY);
5375 	if (flushret != 0)
5376 		return (flushret);
5377 	return (ret);
5378 }
5379 
5380 
5381 static int
5382 ipsec_conf_sub()
5383 {
5384 	act_prop_t *act_props = malloc(sizeof (act_prop_t));
5385 	FILE *remove_fp, *policy_fp;
5386 	char rbuf[MAXLEN], pbuf[MAXLEN], /* remove buffer, and policy buffer */
5387 	    *warning = gettext(
5388 		"\tWARNING: Policy entries that are being removed may\n"
5389 		"\taffect the existing connections.  Existing connections\n"
5390 		"\tthat are subjected to policy constraints may no longer\n"
5391 		"\tbe subjected to policy contraints because of its\n"
5392 		"\tremoval.  This can compromise security, and disrupt\n"
5393 		"\tthe communication of the existing connection.\n"
5394 		"\tConnections that are latched will remain unaffected\n"
5395 		"\tuntil they close.\n");
5396 	int ret = 0;
5397 	int index_len, pindex = 0; /* init value in case of pfile error */
5398 
5399 	if (act_props == NULL) {
5400 		warn(gettext("memory"));
5401 		return (-1);
5402 	}
5403 
5404 	/* clone into standby DB */
5405 	(void) ipsec_conf_admin(SPD_CLONE);
5406 
5407 	if (strcmp(filename, "-") == 0)
5408 		remove_fp = stdin;
5409 	else
5410 		remove_fp = fopen(filename, "r");
5411 
5412 	if (remove_fp == NULL) {
5413 		warn(gettext("%s : Input file cannot be opened"), filename);
5414 		usage();
5415 		free(act_props);
5416 		return (-1);
5417 	}
5418 
5419 	/* open policy file so we can locate the correct policy */
5420 	(void) umask(0022);  /* in case it gets created! */
5421 	policy_fp = fopen(POLICY_CONF_FILE, "r+");
5422 	if (policy_fp == NULL) {
5423 		warn(gettext("%s cannot be opened"), POLICY_CONF_FILE);
5424 		(void) fclose(remove_fp);
5425 		free(act_props);
5426 		return (-1);
5427 	}
5428 
5429 	/* don't print the warning if we're in q[uiet] mode */
5430 	if (!ipsecconf_qflag)
5431 		(void) printf("%s", warning);
5432 
5433 	/* this bit is done primarily so we can read what we write */
5434 	index_len = strlen(INDEX_TAG);
5435 
5436 	/*
5437 	 * We want to look for the policy in rbuf in the policy file.
5438 	 * Go through the list of policies to remove, locating each one.
5439 	 */
5440 	while (fgets(rbuf, MAXLEN, remove_fp) != NULL) {
5441 		char *buf;
5442 		int offset, prev_offset, prev_prev_offset, nlines;
5443 		fpos_t ipos;
5444 		int pbuf_len = 0;
5445 		char *tmp;
5446 		/* skip blanks here (so we don't need to do it below)! */
5447 		for (tmp = rbuf; (*tmp != '\0') && isspace(*tmp); tmp++);
5448 		if (*tmp == '\0')
5449 			continue;
5450 
5451 		/* skip the INDEX_TAG lines in the remove buffer */
5452 		if (strncasecmp(rbuf, INDEX_TAG, index_len) == 0)
5453 			continue;
5454 
5455 		/* skip commented lines */
5456 		if (*tmp == '#')
5457 			continue;
5458 
5459 		/*
5460 		 * We start by presuming only good policies are in the pfile,
5461 		 * and so only good policies from the rfile will match them.
5462 		 * ipsec_conf_del ensures this later by calling parse_one() on
5463 		 * pfile before it deletes the entry.
5464 		 */
5465 		for (offset = prev_offset = prev_prev_offset = 0;
5466 		    fgets(pbuf, MAXLEN, policy_fp) != NULL;
5467 		    offset += pbuf_len) {
5468 			prev_offset = offset;
5469 			pbuf_len = strlen(pbuf);
5470 
5471 			/* skip blank lines which seperate policy entries */
5472 			if (pbuf[0] == '\n')
5473 				continue;
5474 
5475 			/* if we found an index, save it */
5476 			if (strncasecmp(pbuf, INDEX_TAG, index_len) == 0) {
5477 				buf = pbuf + index_len;
5478 				buf++;
5479 				if ((pindex = parse_index(buf, NULL)) == -1) {
5480 					/* bad index, we can't continue */
5481 					warnx(gettext(
5482 						"Invalid index in the file"));
5483 					(void) fclose(remove_fp);
5484 					(void) fclose(policy_fp);
5485 					free(act_props);
5486 					return (-1);
5487 				}
5488 
5489 				/* save this position in case it's the one */
5490 				if (fgetpos(policy_fp, &ipos) != 0) {
5491 					(void) fclose(remove_fp);
5492 					(void) fclose(policy_fp);
5493 					free(act_props);
5494 					return (-1);
5495 				}
5496 			}
5497 
5498 			/* Does pbuf contain the remove policy? */
5499 			if (strncasecmp(rbuf, pbuf, pbuf_len) == 0) {
5500 				/* we found the one to remove! */
5501 				if (pindex == 0) {
5502 					warnx(gettext("Didn't find a valid "
5503 					    "index for policy"));
5504 					(void) fclose(remove_fp);
5505 					(void) fclose(policy_fp);
5506 					free(act_props);
5507 					return (-1);
5508 				}
5509 
5510 				/* off it - back up to the last INDEX! */
5511 				if (fsetpos(policy_fp, &ipos) != 0) {
5512 					(void) fclose(remove_fp);
5513 					(void) fclose(policy_fp);
5514 					free(act_props);
5515 					return (-1);
5516 				}
5517 
5518 				/* parse_one sets linecount = #lines to off */
5519 				if (parse_one(policy_fp, act_props) == -1) {
5520 					warnx(gettext("Invalid policy entry "
5521 					    "in the file"));
5522 					(void) fclose(remove_fp);
5523 					(void) fclose(policy_fp);
5524 					free(act_props);
5525 					return (-1);
5526 				}
5527 
5528 				nlines = linecount + 2;
5529 				goto delete;
5530 			}
5531 			/*
5532 			 * When we find a match, we want to pass the offset
5533 			 * of the line that is before it - the INDEX_TAG line.
5534 			 */
5535 			prev_prev_offset = prev_offset;
5536 		}
5537 		/* Didn't find a match - look at the next remove policy */
5538 		continue;
5539 
5540 delete:
5541 		(void) fclose(policy_fp);
5542 
5543 		if (delete_from_file(prev_prev_offset, nlines) != 0) {
5544 			warnx(gettext("delete_from_file failure.  "
5545 			    "Please flush all entries and re-configure :"));
5546 			reconfigure();
5547 			(void) fclose(remove_fp);
5548 			free(act_props);
5549 			return (-1);
5550 		}
5551 
5552 		if (pfp_delete_rule(pindex) != 0) {
5553 			warnx(gettext("Deletion incomplete. Please flush"
5554 			    "all the entries and re-configure :"));
5555 			reconfigure();
5556 			(void) fclose(remove_fp);
5557 			free(act_props);
5558 			return (-1);
5559 		}
5560 
5561 		/* reset the globals */
5562 		linecount = 0;
5563 		pindex = 0;
5564 		/* free(NULL) also works. */
5565 		free(interface_name);
5566 		interface_name = NULL;
5567 
5568 		/* reopen for next pass, automagically starting over. */
5569 		policy_fp = fopen(POLICY_CONF_FILE, "r");
5570 		if (policy_fp == NULL) {
5571 			warn(gettext("%s cannot be re-opened, can't continue"),
5572 			    POLICY_CONF_FILE);
5573 			(void) fclose(remove_fp);
5574 			free(act_props);
5575 			return (-1);
5576 		}
5577 
5578 	} /* read next remove policy */
5579 
5580 	if ((ret = pfp_delete_rule(pindex)) != 0) {
5581 		warnx(gettext("Removal incomplete.  Please flush "
5582 		    "all the entries and re-configure :"));
5583 		reconfigure();
5584 		free(act_props);
5585 		return (ret);
5586 	}
5587 
5588 	/* nothing left to look for */
5589 	(void) fclose(remove_fp);
5590 	free(act_props);
5591 
5592 	return (0);
5593 }
5594 
5595 /*
5596  * Constructs a tunnel interface ID extension.  Returns the length
5597  * of the extension in 64-bit-words.
5598  */
5599 static int
5600 attach_tunname(spd_if_t *tunname)
5601 {
5602 	if (tunname == NULL || interface_name == NULL)
5603 		return (0);
5604 
5605 	tunname->spd_if_exttype = SPD_EXT_TUN_NAME;
5606 	/*
5607 	 * Use "-3" because there's 4 bytes in the message itself, and
5608 	 * we lose one because of the '\0' terminator.
5609 	 */
5610 	tunname->spd_if_len = SPD_8TO64(
5611 	    P2ROUNDUP(sizeof (*tunname) + strlen(interface_name) - 3, 8));
5612 	(void) strlcpy((char *)tunname->spd_if_name, interface_name, LIFNAMSIZ);
5613 	return (tunname->spd_if_len);
5614 }
5615