4 * Copyright (C)2004 USAGI/WIDE Project
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 * Masahide NAKAMURA @USAGI
32 #include <linux/xfrm.h>
35 #include "ip_common.h"
37 //#define NLMSG_FLUSH_BUF_SIZE (4096-512)
38 #define NLMSG_FLUSH_BUF_SIZE 8192
41 * Receiving buffer defines:
43 * data = struct xfrm_usersa_info
46 * ... (max count of rtattr is XFRM_MAX+1
48 * each rtattr data = struct xfrm_algo(dynamic size) or xfrm_address_t
50 #define NLMSG_BUF_SIZE 4096
51 #define RTA_BUF_SIZE 2048
52 #define XFRM_ALGO_KEY_BUF_SIZE 512
54 static void usage(void) __attribute__((noreturn));
56 static void usage(void)
58 fprintf(stderr, "Usage: ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ]\n");
59 fprintf(stderr, " [ reqid REQID ] [ seq SEQ ] [ replay-window SIZE ] [ flag FLAG-LIST ]\n");
60 fprintf(stderr, " [ encap ENCAP ] [ sel SELECTOR ] [ LIMIT-LIST ]\n");
61 fprintf(stderr, "Usage: ip xfrm state allocspi ID [ mode MODE ] [ reqid REQID ] [ seq SEQ ]\n");
62 fprintf(stderr, " [ min SPI max SPI ]\n");
63 fprintf(stderr, "Usage: ip xfrm state { delete | get } ID\n");
64 fprintf(stderr, "Usage: ip xfrm state { flush | list } [ ID ] [ mode MODE ] [ reqid REQID ]\n");
65 fprintf(stderr, " [ flag FLAG_LIST ]\n");
67 fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
68 //fprintf(stderr, "XFRM_PROTO := [ esp | ah | comp ]\n");
69 fprintf(stderr, "XFRM_PROTO := [ ");
70 fprintf(stderr, "%s | ", strxf_xfrmproto(IPPROTO_ESP));
71 fprintf(stderr, "%s | ", strxf_xfrmproto(IPPROTO_AH));
72 fprintf(stderr, "%s ", strxf_xfrmproto(IPPROTO_COMP));
73 fprintf(stderr, "]\n");
75 //fprintf(stderr, "SPI - security parameter index(default=0)\n");
77 fprintf(stderr, "MODE := [ transport | tunnel ](default=transport)\n");
78 //fprintf(stderr, "REQID - number(default=0)\n");
80 fprintf(stderr, "FLAG-LIST := [ FLAG-LIST ] FLAG\n");
81 fprintf(stderr, "FLAG := [ noecn | decap-dscp ]\n");
83 fprintf(stderr, "ENCAP := ENCAP-TYPE SPORT DPORT OADDR\n");
84 fprintf(stderr, "ENCAP-TYPE := espinudp | espinudp-nonike\n");
86 fprintf(stderr, "ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]\n");
87 fprintf(stderr, "ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY\n");
88 fprintf(stderr, "ALGO_TYPE := [ ");
89 fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_CRYPT));
90 fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_AUTH));
91 fprintf(stderr, "%s ", strxf_algotype(XFRMA_ALG_COMP));
92 fprintf(stderr, "]\n");
94 //fprintf(stderr, "ALGO_NAME - algorithm name\n");
95 //fprintf(stderr, "ALGO_KEY - algorithm key\n");
97 fprintf(stderr, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]\n");
99 fprintf(stderr, "UPSPEC := proto PROTO [ [ sport PORT ] [ dport PORT ] |\n");
100 fprintf(stderr, " [ type NUMBER ] [ code NUMBER ] ]\n");
103 //fprintf(stderr, "DEV - device name(default=none)\n");
104 fprintf(stderr, "LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]\n");
105 fprintf(stderr, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n");
106 fprintf(stderr, " [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] COUNT ]\n");
110 static int xfrm_algo_parse(struct xfrm_algo *alg, enum xfrm_attr_type_t type,
111 char *name, char *key, int max)
114 int slen = strlen(key);
117 /* XXX: verifying both name and key is required! */
118 fprintf(stderr, "warning: ALGONAME/ALGOKEY will send to kernel promiscuously!(verifying them isn't implemented yet)\n");
121 strncpy(alg->alg_name, name, sizeof(alg->alg_name));
123 if (slen > 2 && strncmp(key, "0x", 2) == 0) {
124 /* split two chars "0x" from the top */
130 /* Converting hexadecimal numbered string into real key;
131 * Convert each two chars into one char(value). If number
132 * of the length is odd, add zero on the top for rounding.
135 /* calculate length of the converted values(real key) */
136 len = (plen + 1) / 2;
138 invarg("\"ALGOKEY\" makes buffer overflow\n", key);
140 for (i = - (plen % 2), j = 0; j < len; i += 2, j++) {
144 vbuf[0] = i >= 0 ? p[i] : '0';
148 if (get_u8(&val, vbuf, 16))
149 invarg("\"ALGOKEY\" is invalid", key);
151 alg->alg_key[j] = val;
157 invarg("\"ALGOKEY\" makes buffer overflow\n", key);
159 strncpy(alg->alg_key, key, len);
163 alg->alg_key_len = len * 8;
168 static int xfrm_seq_parse(__u32 *seq, int *argcp, char ***argvp)
171 char **argv = *argvp;
173 if (get_u32(seq, *argv, 0))
174 invarg("\"SEQ\" is invalid", *argv);
184 static int xfrm_state_flag_parse(__u8 *flags, int *argcp, char ***argvp)
187 char **argv = *argvp;
188 int len = strlen(*argv);
190 if (len > 2 && strncmp(*argv, "0x", 2) == 0) {
193 if (get_u8(&val, *argv, 16))
194 invarg("\"FLAG\" is invalid", *argv);
198 if (strcmp(*argv, "noecn") == 0)
199 *flags |= XFRM_STATE_NOECN;
200 else if (strcmp(*argv, "decap-dscp") == 0)
201 *flags |= XFRM_STATE_DECAP_DSCP;
203 PREV_ARG(); /* back track */
213 filter.state_flags_mask = XFRM_FILTER_MASK_FULL;
221 static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
223 struct rtnl_handle rth;
226 struct xfrm_usersa_info xsinfo;
227 char buf[RTA_BUF_SIZE];
234 memset(&req, 0, sizeof(req));
236 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xsinfo));
237 req.n.nlmsg_flags = NLM_F_REQUEST|flags;
238 req.n.nlmsg_type = cmd;
239 req.xsinfo.family = preferred_family;
241 req.xsinfo.lft.soft_byte_limit = XFRM_INF;
242 req.xsinfo.lft.hard_byte_limit = XFRM_INF;
243 req.xsinfo.lft.soft_packet_limit = XFRM_INF;
244 req.xsinfo.lft.hard_packet_limit = XFRM_INF;
247 if (strcmp(*argv, "mode") == 0) {
249 xfrm_mode_parse(&req.xsinfo.mode, &argc, &argv);
250 } else if (strcmp(*argv, "reqid") == 0) {
252 xfrm_reqid_parse(&req.xsinfo.reqid, &argc, &argv);
253 } else if (strcmp(*argv, "seq") == 0) {
255 xfrm_seq_parse(&req.xsinfo.seq, &argc, &argv);
256 } else if (strcmp(*argv, "replay-window") == 0) {
258 if (get_u8(&req.xsinfo.replay_window, *argv, 0))
259 invarg("\"replay-window\" value is invalid", *argv);
260 } else if (strcmp(*argv, "flag") == 0) {
262 xfrm_state_flag_parse(&req.xsinfo.flags, &argc, &argv);
263 } else if (strcmp(*argv, "sel") == 0) {
265 xfrm_selector_parse(&req.xsinfo.sel, &argc, &argv);
266 } else if (strcmp(*argv, "limit") == 0) {
268 xfrm_lifetime_cfg_parse(&req.xsinfo.lft, &argc, &argv);
269 } else if (strcmp(*argv, "encap") == 0) {
270 struct xfrm_encap_tmpl encap;
273 xfrm_encap_type_parse(&encap.encap_type, &argc, &argv);
275 if (get_u16(&encap.encap_sport, *argv, 0))
276 invarg("\"encap\" sport value is invalid", *argv);
277 encap.encap_sport = htons(encap.encap_sport);
279 if (get_u16(&encap.encap_dport, *argv, 0))
280 invarg("\"encap\" dport value is invalid", *argv);
281 encap.encap_dport = htons(encap.encap_dport);
283 get_addr(&oa, *argv, AF_UNSPEC);
284 memcpy(&encap.encap_oa, &oa.data, sizeof(encap.encap_oa));
285 addattr_l(&req.n, sizeof(req.buf), XFRMA_ENCAP,
286 (void *)&encap, sizeof(encap));
288 /* try to assume ALGO */
289 int type = xfrm_algotype_getbyname(*argv);
291 case XFRMA_ALG_CRYPT:
297 struct xfrm_algo alg;
298 char buf[XFRM_ALGO_KEY_BUF_SIZE];
305 case XFRMA_ALG_CRYPT:
307 duparg("ALGOTYPE", *argv);
312 duparg("ALGOTYPE", *argv);
317 duparg("ALGOTYPE", *argv);
322 invarg("\"ALGOTYPE\" is invalid\n", *argv);
335 memset(&alg, 0, sizeof(alg));
337 xfrm_algo_parse((void *)&alg, type, name, key,
339 len = sizeof(struct xfrm_algo) + alg.alg.alg_key_len;
341 addattr_l(&req.n, sizeof(req.buf), type,
346 /* try to assume ID */
348 invarg("unknown", *argv);
352 xfrm_id_parse(&req.xsinfo.saddr, &req.xsinfo.id,
353 &req.xsinfo.family, 0, &argc, &argv);
354 if (preferred_family == AF_UNSPEC)
355 preferred_family = req.xsinfo.family;
362 fprintf(stderr, "Not enough information: \"ID\" is required\n");
366 if (ealgop || aalgop || calgop) {
367 if (req.xsinfo.id.proto != IPPROTO_ESP &&
368 req.xsinfo.id.proto != IPPROTO_AH &&
369 req.xsinfo.id.proto != IPPROTO_COMP) {
370 fprintf(stderr, "\"ALGO\" is invalid with proto=%s\n", strxf_xfrmproto(req.xsinfo.id.proto));
374 if (req.xsinfo.id.proto == IPPROTO_ESP ||
375 req.xsinfo.id.proto == IPPROTO_AH ||
376 req.xsinfo.id.proto == IPPROTO_COMP) {
377 fprintf(stderr, "\"ALGO\" is required with proto=%s\n", strxf_xfrmproto(req.xsinfo.id.proto));
382 if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
385 if (req.xsinfo.family == AF_UNSPEC)
386 req.xsinfo.family = AF_INET;
388 if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
396 static int xfrm_state_allocspi(int argc, char **argv)
398 struct rtnl_handle rth;
401 struct xfrm_userspi_info xspi;
402 char buf[RTA_BUF_SIZE];
407 char res_buf[NLMSG_BUF_SIZE];
408 struct nlmsghdr *res_n = (struct nlmsghdr *)res_buf;
410 memset(res_buf, 0, sizeof(res_buf));
412 memset(&req, 0, sizeof(req));
414 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xspi));
415 req.n.nlmsg_flags = NLM_F_REQUEST;
416 req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
417 req.xspi.info.family = preferred_family;
420 req.xsinfo.lft.soft_byte_limit = XFRM_INF;
421 req.xsinfo.lft.hard_byte_limit = XFRM_INF;
422 req.xsinfo.lft.soft_packet_limit = XFRM_INF;
423 req.xsinfo.lft.hard_packet_limit = XFRM_INF;
427 if (strcmp(*argv, "mode") == 0) {
429 xfrm_mode_parse(&req.xspi.info.mode, &argc, &argv);
430 } else if (strcmp(*argv, "reqid") == 0) {
432 xfrm_reqid_parse(&req.xspi.info.reqid, &argc, &argv);
433 } else if (strcmp(*argv, "seq") == 0) {
435 xfrm_seq_parse(&req.xspi.info.seq, &argc, &argv);
436 } else if (strcmp(*argv, "min") == 0) {
438 duparg("min", *argv);
443 if (get_u32(&req.xspi.min, *argv, 0))
444 invarg("\"min\" value is invalid", *argv);
445 } else if (strcmp(*argv, "max") == 0) {
447 duparg("max", *argv);
452 if (get_u32(&req.xspi.max, *argv, 0))
453 invarg("\"max\" value is invalid", *argv);
455 /* try to assume ID */
457 invarg("unknown", *argv);
461 xfrm_id_parse(&req.xspi.info.saddr, &req.xspi.info.id,
462 &req.xspi.info.family, 0, &argc, &argv);
463 if (req.xspi.info.id.spi) {
464 fprintf(stderr, "\"SPI\" must be zero\n");
467 if (preferred_family == AF_UNSPEC)
468 preferred_family = req.xspi.info.family;
474 fprintf(stderr, "Not enough information: \"ID\" is required\n");
480 fprintf(stderr, "\"max\" is missing\n");
483 if (req.xspi.min > req.xspi.max) {
484 fprintf(stderr, "\"min\" valie is larger than \"max\" one\n");
489 fprintf(stderr, "\"min\" is missing\n");
493 /* XXX: Default value defined in PF_KEY;
494 * See kernel's net/key/af_key.c(pfkey_getspi).
496 req.xspi.min = 0x100;
497 req.xspi.max = 0x0fffffff;
499 /* XXX: IPCOMP spi is 16-bits;
500 * See kernel's net/xfrm/xfrm_user(verify_userspi_info).
502 if (req.xspi.info.id.proto == IPPROTO_COMP)
503 req.xspi.max = 0xffff;
506 if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
509 if (req.xspi.info.family == AF_UNSPEC)
510 req.xspi.info.family = AF_INET;
513 if (rtnl_talk(&rth, &req.n, 0, 0, res_n, NULL, NULL) < 0)
516 if (xfrm_state_print(NULL, res_n, (void*)stdout) < 0) {
517 fprintf(stderr, "An error :-)\n");
526 static int xfrm_state_filter_match(struct xfrm_usersa_info *xsinfo)
531 if (filter.id_src_mask)
532 if (xfrm_addr_match(&xsinfo->saddr, &filter.xsinfo.saddr,
535 if (filter.id_dst_mask)
536 if (xfrm_addr_match(&xsinfo->id.daddr, &filter.xsinfo.id.daddr,
539 if ((xsinfo->id.proto^filter.xsinfo.id.proto)&filter.id_proto_mask)
541 if ((xsinfo->id.spi^filter.xsinfo.id.spi)&filter.id_spi_mask)
543 if ((xsinfo->mode^filter.xsinfo.mode)&filter.mode_mask)
545 if ((xsinfo->reqid^filter.xsinfo.reqid)&filter.reqid_mask)
547 if (filter.state_flags_mask)
548 if ((xsinfo->flags & filter.xsinfo.flags) == 0)
554 int xfrm_state_print(const struct sockaddr_nl *who, struct nlmsghdr *n,
557 FILE *fp = (FILE*)arg;
558 struct xfrm_usersa_info *xsinfo;
559 struct xfrm_user_expire *xexp;
560 int len = n->nlmsg_len;
561 struct rtattr * tb[XFRMA_MAX+1];
564 if (n->nlmsg_type != XFRM_MSG_NEWSA &&
565 n->nlmsg_type != XFRM_MSG_DELSA &&
566 n->nlmsg_type != XFRM_MSG_EXPIRE) {
567 fprintf(stderr, "Not a state: %08x %08x %08x\n",
568 n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags);
572 if (n->nlmsg_type == XFRM_MSG_EXPIRE) {
573 xexp = NLMSG_DATA(n);
574 xsinfo = &xexp->state;
576 len -= NLMSG_LENGTH(sizeof(*xexp));
579 xsinfo = NLMSG_DATA(n);
581 len -= NLMSG_LENGTH(sizeof(*xsinfo));
585 fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
589 if (!xfrm_state_filter_match(xsinfo))
592 if (n->nlmsg_type == XFRM_MSG_EXPIRE)
593 rta = XFRMEXP_RTA(xexp);
595 rta = XFRMS_RTA(xsinfo);
597 parse_rtattr(tb, XFRMA_MAX, rta, len);
599 if (n->nlmsg_type == XFRM_MSG_DELSA)
600 fprintf(fp, "Deleted ");
601 else if (n->nlmsg_type == XFRM_MSG_EXPIRE)
602 fprintf(fp, "Expired ");
604 xfrm_state_info_print(xsinfo, tb, fp, NULL, NULL);
606 if (n->nlmsg_type == XFRM_MSG_EXPIRE) {
608 fprintf(fp, "hard %u", xexp->hard);
609 fprintf(fp, "%s", _SL_);
618 static int xfrm_state_get_or_delete(int argc, char **argv, int delete)
620 struct rtnl_handle rth;
623 struct xfrm_usersa_id xsid;
628 memset(&req, 0, sizeof(req));
630 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xsid));
631 req.n.nlmsg_flags = NLM_F_REQUEST;
632 req.n.nlmsg_type = delete ? XFRM_MSG_DELSA : XFRM_MSG_GETSA;
633 req.xsid.family = preferred_family;
637 * XXX: Source address is not used and ignore it to follow
638 * XXX: a manner of setkey e.g. in the case of deleting/getting
639 * XXX: message of IPsec SA.
641 xfrm_address_t ignore_saddr;
644 invarg("unknown", *argv);
648 memset(&id, 0, sizeof(id));
649 xfrm_id_parse(&ignore_saddr, &id, &req.xsid.family, 0,
652 memcpy(&req.xsid.daddr, &id.daddr, sizeof(req.xsid.daddr));
653 req.xsid.spi = id.spi;
654 req.xsid.proto = id.proto;
659 if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
662 if (req.xsid.family == AF_UNSPEC)
663 req.xsid.family = AF_INET;
666 if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
669 char buf[NLMSG_BUF_SIZE];
670 struct nlmsghdr *res_n = (struct nlmsghdr *)buf;
672 memset(buf, 0, sizeof(buf));
674 if (rtnl_talk(&rth, &req.n, 0, 0, res_n, NULL, NULL) < 0)
677 if (xfrm_state_print(NULL, res_n, (void*)stdout) < 0) {
678 fprintf(stderr, "An error :-)\n");
689 * With an existing state of nlmsg, make new nlmsg for deleting the state
690 * and store it to buffer.
692 static int xfrm_state_keep(const struct sockaddr_nl *who,
696 struct xfrm_buffer *xb = (struct xfrm_buffer *)arg;
697 struct rtnl_handle *rth = xb->rth;
698 struct xfrm_usersa_info *xsinfo = NLMSG_DATA(n);
699 int len = n->nlmsg_len;
700 struct nlmsghdr *new_n;
701 struct xfrm_usersa_id *xsid;
703 if (n->nlmsg_type != XFRM_MSG_NEWSA) {
704 fprintf(stderr, "Not a state: %08x %08x %08x\n",
705 n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags);
709 len -= NLMSG_LENGTH(sizeof(*xsinfo));
711 fprintf(stderr, "BUG: wrong nlmsg len %d\n", len);
715 if (!xfrm_state_filter_match(xsinfo))
718 if (xb->offset > xb->size) {
719 fprintf(stderr, "Flush buffer overflow\n");
723 new_n = (struct nlmsghdr *)(xb->buf + xb->offset);
724 new_n->nlmsg_len = NLMSG_LENGTH(sizeof(*xsid));
725 new_n->nlmsg_flags = NLM_F_REQUEST;
726 new_n->nlmsg_type = XFRM_MSG_DELSA;
727 new_n->nlmsg_seq = ++rth->seq;
729 xsid = NLMSG_DATA(new_n);
730 xsid->family = xsinfo->family;
731 memcpy(&xsid->daddr, &xsinfo->id.daddr, sizeof(xsid->daddr));
732 xsid->spi = xsinfo->id.spi;
733 xsid->proto = xsinfo->id.proto;
735 xb->offset += new_n->nlmsg_len;
741 static int xfrm_state_list_or_flush(int argc, char **argv, int flush)
744 struct rtnl_handle rth;
748 filter.xsinfo.family = preferred_family;
751 if (strcmp(*argv, "mode") == 0) {
753 xfrm_mode_parse(&filter.xsinfo.mode, &argc, &argv);
755 filter.mode_mask = XFRM_FILTER_MASK_FULL;
757 } else if (strcmp(*argv, "reqid") == 0) {
759 xfrm_reqid_parse(&filter.xsinfo.reqid, &argc, &argv);
761 filter.reqid_mask = XFRM_FILTER_MASK_FULL;
763 } else if (strcmp(*argv, "flag") == 0) {
765 xfrm_state_flag_parse(&filter.xsinfo.flags, &argc, &argv);
767 filter.state_flags_mask = XFRM_FILTER_MASK_FULL;
771 invarg("unknown", *argv);
775 xfrm_id_parse(&filter.xsinfo.saddr, &filter.xsinfo.id,
776 &filter.xsinfo.family, 1, &argc, &argv);
777 if (preferred_family == AF_UNSPEC)
778 preferred_family = filter.xsinfo.family;
783 if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
787 struct xfrm_buffer xb;
788 char buf[NLMSG_FLUSH_BUF_SIZE];
792 xb.size = sizeof(buf);
800 fprintf(stderr, "Flush round = %d\n", i);
802 if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETSA) < 0) {
803 perror("Cannot send dump request");
807 if (rtnl_dump_filter(&rth, xfrm_state_keep, &xb, NULL, NULL) < 0) {
808 fprintf(stderr, "Flush terminated\n");
811 if (xb.nlmsg_count == 0) {
813 fprintf(stderr, "Flush completed\n");
817 if (rtnl_send(&rth, xb.buf, xb.offset) < 0) {
818 perror("Failed to send flush request\n");
822 fprintf(stderr, "Flushed nlmsg count = %d\n", xb.nlmsg_count);
829 if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETSA) < 0) {
830 perror("Cannot send dump request");
834 if (rtnl_dump_filter(&rth, xfrm_state_print, stdout, NULL, NULL) < 0) {
835 fprintf(stderr, "Dump terminated\n");
845 static int xfrm_state_flush_all(void)
847 struct rtnl_handle rth;
850 struct xfrm_usersa_flush xsf;
853 memset(&req, 0, sizeof(req));
855 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xsf));
856 req.n.nlmsg_flags = NLM_F_REQUEST;
857 req.n.nlmsg_type = XFRM_MSG_FLUSHSA;
858 req.xsf.proto = IPSEC_PROTO_ANY;
860 if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
864 fprintf(stderr, "Flush all\n");
866 if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
874 int do_xfrm_state(int argc, char **argv)
877 return xfrm_state_list_or_flush(0, NULL, 0);
879 if (matches(*argv, "add") == 0)
880 return xfrm_state_modify(XFRM_MSG_NEWSA, 0,
882 if (matches(*argv, "update") == 0)
883 return xfrm_state_modify(XFRM_MSG_UPDSA, 0,
885 if (matches(*argv, "allocspi") == 0)
886 return xfrm_state_allocspi(argc-1, argv+1);
887 if (matches(*argv, "delete") == 0 || matches(*argv, "del") == 0)
888 return xfrm_state_get_or_delete(argc-1, argv+1, 1);
889 if (matches(*argv, "list") == 0 || matches(*argv, "show") == 0
890 || matches(*argv, "lst") == 0)
891 return xfrm_state_list_or_flush(argc-1, argv+1, 0);
892 if (matches(*argv, "get") == 0)
893 return xfrm_state_get_or_delete(argc-1, argv+1, 0);
894 if (matches(*argv, "flush") == 0) {
896 return xfrm_state_flush_all();
898 return xfrm_state_list_or_flush(argc-1, argv+1, 1);
900 if (matches(*argv, "help") == 0)
902 fprintf(stderr, "Command \"%s\" is unknown, try \"ip xfrm state help\".\n", *argv);