authorAndrey V. Elsukov <ae@FreeBSD.org>2017-03-07 00:13:53 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2017-03-07 00:13:53 +0000
commit22986c6740d148cbf4f97936940e561fd2f807aa (patch)
tree4ad589f25f6dba931f67cc83dbc5a1426dab13df /lib/libipsec
parentb440e965da9648c04cceae5371897c50a2673739 (diff)
Introduce the concept of IPsec security policies scope.
Currently three scopes are defined: global, ifnet, and pcb. Generic security policies that an IKE daemon can add via the PF_KEY interface or that an administrator creates with the setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked against inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through an if_ipsec(4) interface. Security policies created by an application using the setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to a specific socket. Currently there is no way to list PCB policies via the setkey(8) utility. Modify setkey(8) and libipsec(3) to be able to distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed. To implement this, PF_KEY's sadb_x_policy structure was modified. The sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. The SADB_SPDDUMP message is extended to support filtering by scope: the sadb_msg_satype field is used to specify a bit mask of requested scopes. For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass the if_ipsec interface's if_index to userland. For GLOBAL policies sadb_x_policy_priority is used only to manage the order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to carry the if_index. 
After this change the output of `setkey -DP` now looks like: # setkey -DPt 0.0.0.0/0[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/87.250.242.144-87.250.242.145/unique:145 spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0 refcnt=1 # setkey -DPg ::/0 ::/0 icmp6 135,0 out none spid=5 seq=1 pid=872 scope=global refcnt=1 No objection from: #network Obtained from: Yandex LLC MFC after: 2 weeks Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9805
Notes
Notes: svn path=/head/; revision=314812
Diffstat (limited to 'lib/libipsec')
-rw-r--r--lib/libipsec/pfkey_dump.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
index 83a003405ca3..5619ac79b137 100644
--- a/lib/libipsec/pfkey_dump.c
+++ b/lib/libipsec/pfkey_dump.c
@@ -35,8 +35,9 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
-#include <netipsec/ipsec.h>
+#include <net/if.h>
#include <net/pfkeyv2.h>
+#include <netipsec/ipsec.h>
#include <netipsec/key_var.h>
#include <netipsec/key_debug.h>
@@ -204,6 +205,13 @@ static struct val2str str_alg_comp[] = {
{ -1, NULL, },
};
+static struct val2str str_sp_scope[] = {
+ { IPSEC_POLICYSCOPE_GLOBAL, "global" },
+ { IPSEC_POLICYSCOPE_IFNET, "ifnet" },
+ { IPSEC_POLICYSCOPE_PCB, "pcb"},
+ { -1, NULL },
+};
+
/*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/
@@ -398,8 +406,7 @@ pfkey_sadump(m)
}
void
-pfkey_spdump(m)
- struct sadb_msg *m;
+pfkey_spdump(struct sadb_msg *m)
{
char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
@@ -507,10 +514,15 @@ pfkey_spdump(m)
}
- printf("\tspid=%ld seq=%ld pid=%ld\n",
+ printf("\tspid=%ld seq=%ld pid=%ld scope=",
(u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
+ GETMSGV2S(str_sp_scope, m_xpl->sadb_x_policy_scope);
+ if (m_xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET &&
+ if_indextoname(m_xpl->sadb_x_policy_ifindex, pbuf) != NULL)
+ printf("ifname=%s", pbuf);
+ printf("\n");
/* XXX TEST */
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
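Review bot: The if_indextoname() call added at the `scope == IPSEC_POLICYSCOPE_IFNET` check writes the interface name into `pbuf`, which is declared earlier in pfkey_spdump as `char pbuf[NI_MAXSERV]` — a buffer sized for a port/service string, not for an interface name, so the code is only memory-safe because NI_MAXSERV happens to be at least IF_NAMESIZE on this platform. A dedicated buffer makes the bound explicit and survives a change to either constant: declare `char ifname[IF_NAMESIZE];` next to `pbuf` and call `if_indextoname(m_xpl->sadb_x_policy_ifindex, ifname)`. Separately, when the lookup fails (for example an ifindex for an interface destroyed between the kernel dump and this call, or one not visible from the caller's context) the policy is printed with no interface information at all; an `else printf("ifindex=%u", (unsigned)m_xpl->sadb_x_policy_ifindex);` branch would keep the raw kernel-supplied value visible to the operator, assuming the field is an integer type. pfkey_spdump's body starts and ends outside this hunk.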