GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/ipsecctl/ipsecctl.c Lines: 0 360 0.0 %
Date: 2017-11-13 Branches: 0 247 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: ipsecctl.c,v 1.82 2017/04/19 15:59:38 bluhm Exp $	*/
2
/*
3
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
4
 *
5
 * Permission to use, copy, modify, and distribute this software for any
6
 * purpose with or without fee is hereby granted, provided that the above
7
 * copyright notice and this permission notice appear in all copies.
8
 *
9
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
 */
17
18
#include <sys/socket.h>
19
#include <sys/sysctl.h>
20
#include <sys/queue.h>
21
#include <sys/stat.h>
22
#include <net/pfkeyv2.h>
23
#include <net/route.h>
24
#include <netinet/in.h>
25
#include <netinet/ip_ipsp.h>
26
#include <arpa/inet.h>
27
28
#include <err.h>
29
#include <errno.h>
30
#include <fcntl.h>
31
#include <netdb.h>
32
#include <stdio.h>
33
#include <stdlib.h>
34
#include <string.h>
35
#include <unistd.h>
36
37
#include "ipsecctl.h"
38
#include "pfkey.h"
39
40
int		 ipsecctl_rules(char *, int);
41
FILE		*ipsecctl_fopen(const char *, const char *);
42
int		 ipsecctl_commit(int, struct ipsecctl *);
43
int		 ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
44
void		 ipsecctl_free_rule(struct ipsec_rule *);
45
void		 ipsecctl_print_addr(struct ipsec_addr_wrap *);
46
void		 ipsecctl_print_proto(u_int8_t);
47
void		 ipsecctl_print_port(u_int16_t, const char *);
48
void		 ipsecctl_print_key(struct ipsec_key *);
49
void		 ipsecctl_print_flow(struct ipsec_rule *, int);
50
void		 ipsecctl_print_sa(struct ipsec_rule *, int);
51
void		 ipsecctl_print_sabundle(struct ipsec_rule *, int);
52
int		 ipsecctl_flush(int);
53
void		 ipsecctl_get_rules(struct ipsecctl *);
54
void		 ipsecctl_print_title(char *);
55
void		 ipsecctl_show_flows(int);
56
void		 ipsecctl_show_sas(int);
57
int		 ipsecctl_monitor(int);
58
void		 usage(void);
59
const char	*ipsecctl_lookup_option(char *, const char **);
60
static int	 unmask(struct ipsec_addr *, sa_family_t);
61
int		 sacompare(const void *, const void *);
62
63
const char	*showopt;
64
char		*isakmpd_fifo = "/var/run/isakmpd.fifo";
65
66
int		 first_title = 1;
67
68
static const char *showopt_list[] = {
69
	"flow", "sa", "all", NULL
70
};
71
72
static const char *direction[] = {"?", "in", "out"};
73
static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
74
    "bypass", "dontacq"};
75
static const char *satype[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"};
76
static const char *tmode[] = {"?", "transport", "tunnel"};
77
static const char *auth[] = {"?", "psk", "rsa"};
78
79
struct sad {
80
	struct sadb_msg	*sad_msg;
81
	u_int32_t	 sad_spi;
82
};
83
84
int
85
sacompare(const void *va, const void *vb)
86
{
87
	const struct sad *a = va, *b = vb;
88
89
	if (a->sad_spi < b->sad_spi)
90
		return (-1);
91
	if (a->sad_spi > b->sad_spi)
92
		return (1);
93
	return (0);
94
}
95
96
int
97
ipsecctl_rules(char *filename, int opts)
98
{
99
	struct ipsecctl		 ipsec;
100
	struct ipsec_rule	*rp;
101
	int			 action, error = 0;
102
103
	bzero(&ipsec, sizeof(ipsec));
104
	ipsec.opts = opts;
105
	TAILQ_INIT(&ipsec.rule_queue);
106
	TAILQ_INIT(&ipsec.bundle_queue);
107
108
	if (parse_rules(filename, &ipsec) < 0) {
109
		warnx("Syntax error in config file: ipsec rules not loaded");
110
		error = 1;
111
	} else {
112
		if (opts & IPSECCTL_OPT_DELETE)
113
			action = ACTION_DELETE;
114
		else
115
			action = ACTION_ADD;
116
117
		if ((opts & IPSECCTL_OPT_NOACTION) == 0)
118
			error = ipsecctl_commit(action, &ipsec);
119
120
	}
121
122
	/* This also frees the rules in ipsec.bundle_queue. */
123
	while ((rp = TAILQ_FIRST(&ipsec.rule_queue))) {
124
		TAILQ_REMOVE(&ipsec.rule_queue, rp, rule_entry);
125
		ipsecctl_free_rule(rp);
126
	}
127
128
	return (error);
129
}
130
131
FILE *
132
ipsecctl_fopen(const char *name, const char *mode)
133
{
134
	struct stat	 st;
135
	FILE		*fp;
136
137
	fp = fopen(name, mode);
138
	if (fp == NULL)
139
		return (NULL);
140
141
	if (fstat(fileno(fp), &st)) {
142
		fclose(fp);
143
		return (NULL);
144
	}
145
	if (S_ISDIR(st.st_mode)) {
146
		fclose(fp);
147
		errno = EISDIR;
148
		return (NULL);
149
	}
150
	return (fp);
151
}
152
153
int
154
ipsecctl_commit(int action, struct ipsecctl *ipsec)
155
{
156
	struct ipsec_rule	*rp;
157
	int			 ret = 0;
158
159
	if (pfkey_init() == -1)
160
		errx(1, "ipsecctl_commit: failed to open PF_KEY socket");
161
162
	TAILQ_FOREACH(rp, &ipsec->rule_queue, rule_entry) {
163
		if (rp->type & RULE_IKE) {
164
			if (ike_ipsec_establish(action, rp, isakmpd_fifo) ==
165
			    -1) {
166
				warnx("failed to %s ike rule %d",
167
				    action == ACTION_DELETE ? "delete" : "add",
168
				    rp->nr);
169
				ret = 2;
170
			}
171
		} else {
172
			if (pfkey_ipsec_establish(action, rp) == -1) {
173
				warnx("failed to %s rule %d",
174
				    action == ACTION_DELETE ? "delete" : "add",
175
				    rp->nr);
176
				ret = 2;
177
			}
178
		}
179
	}
180
181
	return (ret);
182
}
183
184
int
185
ipsecctl_add_rule(struct ipsecctl *ipsec, struct ipsec_rule *r)
186
{
187
	TAILQ_INSERT_TAIL(&ipsec->rule_queue, r, rule_entry);
188
189
	if ((ipsec->opts & IPSECCTL_OPT_VERBOSE) && !(ipsec->opts &
190
	    IPSECCTL_OPT_SHOW))
191
		ipsecctl_print_rule(r, ipsec->opts);
192
193
	return (0);
194
}
195
196
void
197
ipsecctl_free_rule(struct ipsec_rule *rp)
198
{
199
	if (rp->src) {
200
		free(rp->src->name);
201
		free(rp->src);
202
	}
203
	if (rp->dst) {
204
		free(rp->dst->name);
205
		free(rp->dst);
206
	}
207
	if (rp->dst2) {
208
		free(rp->dst2->name);
209
		free(rp->dst2);
210
	}
211
	if (rp->local) {
212
		free(rp->local->name);
213
		free(rp->local);
214
	}
215
	if (rp->peer) {
216
		free(rp->peer->name);
217
		free(rp->peer);
218
	}
219
	if (rp->auth) {
220
		free(rp->auth->srcid);
221
		free(rp->auth->dstid);
222
		free(rp->auth);
223
	}
224
	if (rp->ikeauth) {
225
		free(rp->ikeauth->string);
226
		free(rp->ikeauth);
227
	}
228
	free(rp->xfs);
229
	free(rp->p1xfs);
230
	free(rp->p2xfs);
231
	free(rp->p1life);
232
	free(rp->p2life);
233
	if (rp->authkey) {
234
		free(rp->authkey->data);
235
		free(rp->authkey);
236
	}
237
	if (rp->enckey) {
238
		free(rp->enckey->data);
239
		free(rp->enckey);
240
	}
241
	free(rp->p1name);
242
	free(rp->p2name);
243
	free(rp->p2lid);
244
	free(rp->p2nid);
245
	free(rp->p2rid);
246
	free(rp);
247
}
248
249
void
250
ipsecctl_print_addr(struct ipsec_addr_wrap *ipa)
251
{
252
	int		bits;
253
	char		buf[NI_MAXHOST];
254
255
	if (ipa == NULL) {
256
		printf("?");
257
		return;
258
	}
259
	if (inet_ntop(ipa->af, &ipa->address, buf, sizeof(buf)) == NULL)
260
		printf("?");
261
	else
262
		printf("%s", buf);
263
264
	bits = unmask(&ipa->mask, ipa->af);
265
	if (bits != (ipa->af == AF_INET ? 32 : 128))
266
		printf("/%d", bits);
267
}
268
269
void
270
ipsecctl_print_proto(u_int8_t proto)
271
{
272
	struct protoent *p;
273
274
	if ((p = getprotobynumber(proto)) != NULL)
275
		printf("%s", p->p_name);
276
	else
277
		printf("%u", proto);
278
}
279
280
void
281
ipsecctl_print_port(u_int16_t port, const char *proto)
282
{
283
	struct servent *s;
284
285
	if ((s = getservbyport(port, proto)) != NULL)
286
		printf("%s", s->s_name);
287
	else
288
		printf("%u", ntohs(port));
289
}
290
291
void
292
ipsecctl_print_key(struct ipsec_key *key)
293
{
294
	int	i;
295
296
	for (i = 0; i < (int)key->len; i++)
297
		printf("%02x", key->data[i]);
298
}
299
300
void
301
ipsecctl_print_flow(struct ipsec_rule *r, int opts)
302
{
303
	printf("flow %s %s", satype[r->satype], direction[r->direction]);
304
305
	if (r->proto) {
306
		printf(" proto ");
307
		ipsecctl_print_proto(r->proto);
308
	}
309
	printf(" from ");
310
	ipsecctl_print_addr(r->src);
311
	if (r->sport) {
312
		printf(" port ");
313
		ipsecctl_print_port(r->sport,
314
		    r->proto == IPPROTO_TCP ? "tcp" : "udp");
315
	}
316
	printf(" to ");
317
	ipsecctl_print_addr(r->dst);
318
	if (r->dport) {
319
		printf(" port ");
320
		ipsecctl_print_port(r->dport,
321
		    r->proto == IPPROTO_TCP ? "tcp" : "udp");
322
	}
323
	if (r->local) {
324
		printf(" local ");
325
		ipsecctl_print_addr(r->local);
326
	}
327
	if (r->peer) {
328
		printf(" peer ");
329
		ipsecctl_print_addr(r->peer);
330
	}
331
	if (r->auth) {
332
		if (r->auth->srcid)
333
			printf(" srcid %s", r->auth->srcid);
334
		if (r->auth->dstid)
335
			printf(" dstid %s", r->auth->dstid);
336
		if (r->auth->type > 0)
337
			printf(" %s", auth[r->auth->type]);
338
	}
339
	printf(" type %s", flowtype[r->flowtype]);
340
	printf("\n");
341
}
342
343
/* ARGSUSED1 */
344
void
345
ipsecctl_print_sa(struct ipsec_rule *r, int opts)
346
{
347
	printf("%s ", satype[r->satype]);
348
	/* tunnel/transport is only meaningful for esp/ah/ipcomp */
349
	if (r->satype != IPSEC_TCPMD5 && r->satype != IPSEC_IPIP)
350
		printf("%s ", tmode[r->tmode]);
351
	printf("from ");
352
	ipsecctl_print_addr(r->src);
353
	printf(" to ");
354
	ipsecctl_print_addr(r->dst);
355
	printf(" spi 0x%08x", r->spi);
356
357
	if (r->satype != IPSEC_TCPMD5) {
358
		if (r->xfs && r->xfs->authxf)
359
			printf(" auth %s", r->xfs->authxf->name);
360
		if (r->xfs && r->xfs->encxf)
361
			printf(" enc %s", r->xfs->encxf->name);
362
		if (r->xfs && r->xfs->compxf)
363
			printf(" comp %s", r->xfs->compxf->name);
364
	}
365
	if (r->authkey && (opts & IPSECCTL_OPT_SHOWKEY)) {
366
		if (r->satype == IPSEC_TCPMD5)
367
			printf(" ");
368
		else
369
			printf(" \\\n\t");
370
		printf("authkey 0x");
371
		ipsecctl_print_key(r->authkey);
372
	}
373
	if (r->enckey && (opts & IPSECCTL_OPT_SHOWKEY)) {
374
		if (r->satype == IPSEC_TCPMD5)
375
			printf(" ");
376
		else
377
			printf(" \\\n\t");
378
		printf("enckey 0x");
379
		ipsecctl_print_key(r->enckey);
380
	}
381
	printf("\n");
382
}
383
384
void
385
ipsecctl_print_sabundle(struct ipsec_rule *r, int opts)
386
{
387
	printf("[bundle %s to ", satype[r->proto]);
388
	ipsecctl_print_addr(r->dst);
389
	printf(" spi 0x%08x with %s to ", r->spi, satype[r->proto2]);
390
	ipsecctl_print_addr(r->dst2);
391
	printf(" spi 0x%08x", r->spi2);
392
393
	printf("]\n");
394
}
395
396
void
397
ipsecctl_print_rule(struct ipsec_rule *r, int opts)
398
{
399
	if (opts & IPSECCTL_OPT_VERBOSE2)
400
		printf("@%d ", r->nr);
401
402
	if (r->type & RULE_FLOW)
403
		ipsecctl_print_flow(r, opts);
404
	if (r->type & RULE_SA)
405
		ipsecctl_print_sa(r, opts);
406
	if (r->type & RULE_IKE)
407
		ike_print_config(r, opts);
408
	if (r->type & RULE_BUNDLE)
409
		ipsecctl_print_sabundle(r, opts);
410
}
411
412
int
413
ipsecctl_flush(int opts)
414
{
415
	if (opts & IPSECCTL_OPT_NOACTION)
416
		return (0);
417
418
	if (pfkey_init() == -1)
419
		errx(1, "ipsecctl_flush: failed to open PF_KEY socket");
420
421
	if (pfkey_ipsec_flush() == -1)
422
		errx(1, "ipsecctl_flush: failed to flush");
423
424
	return (0);
425
}
426
427
void
428
ipsecctl_get_rules(struct ipsecctl *ipsec)
429
{
430
	struct sadb_msg *msg;
431
	struct ipsec_rule *rule;
432
	int		 mib[4];
433
	size_t		 need;
434
	char		*buf, *lim, *next;
435
436
	mib[0] = CTL_NET;
437
	mib[1] = PF_KEY;
438
	mib[2] = PF_KEY_V2;
439
	mib[3] = NET_KEY_SPD_DUMP;
440
441
	if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1)
442
		err(1, "ipsecctl_get_rules: sysctl");
443
	if (need == 0)
444
		return;
445
	if ((buf = malloc(need)) == NULL)
446
		err(1, "ipsecctl_get_rules: malloc");
447
	if (sysctl(mib, 4, buf, &need, NULL, 0) == -1)
448
		err(1, "ipsecctl_get_rules: sysctl");
449
	lim = buf + need;
450
451
	for (next = buf; next < lim; next += msg->sadb_msg_len *
452
	    PFKEYV2_CHUNK) {
453
		msg = (struct sadb_msg *)next;
454
		if (msg->sadb_msg_len == 0)
455
			break;
456
457
		rule = calloc(1, sizeof(struct ipsec_rule));
458
		if (rule == NULL)
459
			err(1, "ipsecctl_get_rules: calloc");
460
		rule->nr = ipsec->rule_nr++;
461
		rule->type |= RULE_FLOW;
462
463
		if (pfkey_parse(msg, rule))
464
			errx(1, "ipsecctl_get_rules: "
465
			    "failed to parse PF_KEY message");
466
467
		ipsecctl_add_rule(ipsec, rule);
468
	}
469
470
	free(buf);
471
}
472
473
void
474
ipsecctl_print_title(char *title)
475
{
476
	if (!first_title)
477
		printf("\n");
478
	first_title = 0;
479
	printf("%s\n", title);
480
}
481
482
void
483
ipsecctl_show_flows(int opts)
484
{
485
	struct ipsecctl ipsec;
486
	struct ipsec_rule *rp;
487
488
	bzero(&ipsec, sizeof(ipsec));
489
	ipsec.opts = opts;
490
	TAILQ_INIT(&ipsec.rule_queue);
491
492
	ipsecctl_get_rules(&ipsec);
493
494
	if (opts & IPSECCTL_OPT_SHOWALL)
495
		ipsecctl_print_title("FLOWS:");
496
497
	if (TAILQ_FIRST(&ipsec.rule_queue) == 0) {
498
		if (opts & IPSECCTL_OPT_SHOWALL)
499
			printf("No flows\n");
500
		return;
501
	}
502
503
	while ((rp = TAILQ_FIRST(&ipsec.rule_queue))) {
504
		TAILQ_REMOVE(&ipsec.rule_queue, rp, rule_entry);
505
506
		ipsecctl_print_rule(rp, ipsec.opts);
507
508
		free(rp->src->name);
509
		free(rp->src);
510
		free(rp->dst->name);
511
		free(rp->dst);
512
		if (rp->local) {
513
			free(rp->local->name);
514
			free(rp->local);
515
		}
516
		if (rp->peer) {
517
			free(rp->peer->name);
518
			free(rp->peer);
519
		}
520
		if (rp->auth) {
521
			free(rp->auth->srcid);
522
			free(rp->auth->dstid);
523
			free(rp->auth);
524
		}
525
		free(rp);
526
	}
527
}
528
529
void
530
ipsecctl_show_sas(int opts)
531
{
532
	struct sadb_msg *msg;
533
	struct sad	*sad;
534
	int		 mib[5], sacount, i;
535
	size_t		 need = 0;
536
	char		*buf, *lim, *next;
537
538
	mib[0] = CTL_NET;
539
	mib[1] = PF_KEY;
540
	mib[2] = PF_KEY_V2;
541
	mib[3] = NET_KEY_SADB_DUMP;
542
	mib[4] = SADB_SATYPE_UNSPEC;
543
544
	if (opts & IPSECCTL_OPT_SHOWALL)
545
		ipsecctl_print_title("SAD:");
546
547
	/* When the SAD is empty we get ENOENT, no need to err(). */
548
	if (sysctl(mib, 5, NULL, &need, NULL, 0) == -1 && errno != ENOENT)
549
		err(1, "ipsecctl_show_sas: sysctl");
550
	if (need == 0) {
551
		if (opts & IPSECCTL_OPT_SHOWALL)
552
			printf("No entries\n");
553
		return;
554
	}
555
	if ((buf = malloc(need)) == NULL)
556
		err(1, "ipsecctl_show_sas: malloc");
557
	if (sysctl(mib, 5, buf, &need, NULL, 0) == -1)
558
		err(1, "ipsecctl_show_sas: sysctl");
559
	sacount = 0;
560
	lim = buf + need;
561
	for (next = buf; next < lim;
562
	    next += msg->sadb_msg_len * PFKEYV2_CHUNK) {
563
		msg = (struct sadb_msg *)next;
564
		if (msg->sadb_msg_len == 0)
565
			break;
566
		sacount++;
567
	}
568
	if ((sad = calloc(sacount, sizeof(*sad))) == NULL)
569
		err(1, "ipsecctl_show_sas: calloc");
570
	i = 0;
571
	for (next = buf; next < lim;
572
	    next += msg->sadb_msg_len * PFKEYV2_CHUNK) {
573
		msg = (struct sadb_msg *)next;
574
		if (msg->sadb_msg_len == 0)
575
			break;
576
		sad[i].sad_spi = pfkey_get_spi(msg);
577
		sad[i].sad_msg = msg;
578
		i++;
579
	}
580
	qsort(sad, sacount, sizeof(*sad), sacompare);
581
	for (i = 0; i < sacount; i++)
582
		pfkey_print_sa(sad[i].sad_msg, opts);
583
	free(sad);
584
	free(buf);
585
}
586
587
int
588
ipsecctl_monitor(int opts)
589
{
590
	return (pfkey_monitor(opts));
591
}
592
593
__dead void
594
usage(void)
595
{
596
	extern char	*__progname;
597
598
	fprintf(stderr, "usage: %s [-dFkmnv] [-D macro=value] [-f file]"
599
	    " [-i fifo] [-s modifier]\n", __progname);
600
	exit(1);
601
}
602
603
const char *
604
ipsecctl_lookup_option(char *cmd, const char **list)
605
{
606
	if (cmd != NULL && *cmd)
607
		for (; *list; list++)
608
			if (!strncmp(cmd, *list, strlen(cmd)))
609
				return (*list);
610
	return (NULL);
611
}
612
613
int
614
main(int argc, char *argv[])
615
{
616
	int		 error = 0;
617
	int		 ch;
618
	int		 opts = 0;
619
	char		*rulesopt = NULL;
620
621
	if (argc < 2)
622
		usage();
623
624
	while ((ch = getopt(argc, argv, "D:df:Fi:kmnvs:")) != -1) {
625
		switch (ch) {
626
		case 'D':
627
			if (cmdline_symset(optarg) < 0)
628
				warnx("could not parse macro definition %s",
629
				    optarg);
630
			break;
631
632
		case 'd':
633
			opts |= IPSECCTL_OPT_DELETE;
634
			break;
635
636
		case 'f':
637
			rulesopt = optarg;
638
			break;
639
640
		case 'F':
641
			opts |= IPSECCTL_OPT_FLUSH;
642
			break;
643
644
		case 'i':
645
			isakmpd_fifo = optarg;
646
			break;
647
648
		case 'k':
649
			opts |= IPSECCTL_OPT_SHOWKEY;
650
			break;
651
652
		case 'm':
653
			opts |= IPSECCTL_OPT_MONITOR;
654
			break;
655
656
		case 'n':
657
			opts |= IPSECCTL_OPT_NOACTION;
658
			break;
659
660
		case 'v':
661
			if (opts & IPSECCTL_OPT_VERBOSE)
662
				opts |= IPSECCTL_OPT_VERBOSE2;
663
			opts |= IPSECCTL_OPT_VERBOSE;
664
			break;
665
666
		case 's':
667
			showopt = ipsecctl_lookup_option(optarg, showopt_list);
668
			if (showopt == NULL) {
669
				warnx("Unknown show modifier '%s'", optarg);
670
				usage();
671
				/* NOTREACHED */
672
			}
673
			opts |= IPSECCTL_OPT_SHOW;
674
			break;
675
676
		default:
677
			usage();
678
			/* NOTREACHED */
679
		}
680
	}
681
682
	if (argc != optind) {
683
		warnx("unknown command line argument: %s ...", argv[optind]);
684
		usage();
685
		/* NOTREACHED */
686
	}
687
	if (opts & IPSECCTL_OPT_FLUSH)
688
		if (ipsecctl_flush(opts))
689
			error = 1;
690
691
	if (rulesopt != NULL)
692
		if (ipsecctl_rules(rulesopt, opts))
693
			error = 1;
694
695
	if (showopt != NULL) {
696
		switch (*showopt) {
697
		case 'f':
698
			ipsecctl_show_flows(opts);
699
			break;
700
		case 's':
701
			ipsecctl_show_sas(opts);
702
			break;
703
		case 'a':
704
			opts |= IPSECCTL_OPT_SHOWALL;
705
			ipsecctl_show_flows(opts);
706
			ipsecctl_show_sas(opts);
707
		}
708
	}
709
710
	if (opts & IPSECCTL_OPT_MONITOR)
711
		if (ipsecctl_monitor(opts))
712
			error = 1;
713
714
	exit(error);
715
}
716
717
/* ARGSUSED1 */
718
static int
719
unmask(struct ipsec_addr *ipa, sa_family_t af)
720
{
721
	int		i = 31, j = 0, b = 0;
722
	u_int32_t	tmp;
723
724
	while (j < 4 && ipa->addr32[j] == 0xffffffff) {
725
		b += 32;
726
		j++;
727
	}
728
	if (j < 4) {
729
		tmp = ntohl(ipa->addr32[j]);
730
		for (i = 31; tmp & (1 << i); --i)
731
			b++;
732
	}
733
	return (b);
734
}