3 files changed, 103 insertions, 3 deletions

diff --git a/sbin/ifconfig/Makefile b/sbin/ifconfig/Makefile
index a3623d507b77..543392600395 100644
--- a/sbin/ifconfig/Makefile
+++ b/sbin/ifconfig/Makefile
@@ -34,6 +34,7 @@ SRCS+=	ifvlan.c		# SIOC[GS]ETVLAN support
 SRCS+=	ifvxlan.c		# VXLAN support
 SRCS+=	ifgre.c			# GRE keys etc
 SRCS+=	ifgif.c			# GIF reversed header workaround
+SRCS+=	ifipsec.c		# IPsec VTI
 
 SRCS+=	sfp.c			# SFP/SFP+ information
 LIBADD+=	m
diff --git a/sbin/ifconfig/ifipsec.c b/sbin/ifconfig/ifipsec.c
new file mode 100644
index 000000000000..fed5a842235c
--- /dev/null
+++ b/sbin/ifconfig/ifipsec.c
@@ -0,0 +1,101 @@
+/*-
+ * Copyright (c) 2016 Yandex LLC
+ * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/stdint.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <net/ethernet.h>
+#include <net/if.h>
+#include <net/if_ipsec.h>
+#include <net/route.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <errno.h>
+
+#include "ifconfig.h"
+
+static void
+ipsec_status(int s)
+{
+	uint32_t reqid;
+
+	ifr.ifr_data = (caddr_t)&reqid;
+	if (ioctl(s, IPSECGREQID, &ifr) == -1)
+		return;
+	printf("\treqid: %u\n", reqid);
+}
+
+static
+DECL_CMD_FUNC(setreqid, val, arg)
+{
+	char *ep;
+	uint32_t v;
+
+	v = strtoul(val, &ep, 0);
+	if (*ep != '\0') {
+		warn("Invalid reqid value %s", val);
+		return;
+	}
+	ifr.ifr_data = (char *)&v;
+	if (ioctl(s, IPSECSREQID, &ifr) == -1) {
+		warn("ioctl(IPSECSREQID)");
+		return;
+	}
+}
+
+static struct cmd ipsec_cmds[] = {
+	DEF_CMD_ARG("reqid",		setreqid),
+};
+
+static struct afswtch af_ipsec = {
+	.af_name	= "af_ipsec",
+	.af_af		= AF_UNSPEC,
+	.af_other_status = ipsec_status,
+};
+
+static __constructor void
+ipsec_ctor(void)
+{
+	size_t i;
+
+	for (i = 0; i < nitems(ipsec_cmds); i++)
+		cmd_register(&ipsec_cmds[i]);
+	af_register(&af_ipsec);
+#undef N
+}
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 1eab81490ad9..4eff17783642 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 3, 2016
+.Dd February 6, 2017
 .Dt SETKEY 8
 .Os
 .\"
@@ -270,8 +270,6 @@ must be a decimal number, or a hexadecimal number with
 prefix.
 SPI values between 0 and 255 are reserved for future use by IANA
 and they cannot be used.
-TCP-MD5 associations must use 0x1000 and therefore only have per-host
-granularity at this time.
 .\"
 .Pp
 .It Ar extensions