libipsec and IPsec related apps. (and some KAME related man pages)

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

12 files changed, 3441 insertions, 0 deletions

diff --git a/lib/libipsec/Makefile b/lib/libipsec/Makefile
new file mode 100644
index 0000000..963e96d
--- /dev/null
+++ b/lib/libipsec/Makefile
@@ -0,0 +1,50 @@
+# Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of the project nor the names of its contributors
+#    may be used to endorse or promote products derived from this software
+#    without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# $FreeBSD$
+
+LIB=	ipsec
+CFLAGS+=-I${.OBJDIR}
+CFLAGS+=-DIPSEC_DEBUG -DIPSEC -DINET6
+
+.PATH:	${.CURDIR}/../../sys/netkey
+SRCS=	pfkey.c pfkey_dump.c
+SRCS+=	ipsec_strerror.c policy_parse.y policy_token.l
+SRCS+=	ipsec_dump_policy.c ipsec_get_policylen.c
+SRCS+=	key_debug.c
+LDADD+=	-ll -ly
+CLEANFILES+=	y.tab.c y.tab.h
+YFLAGS+=-d -p __libyy
+LFLAGS+=-P__libyy
+
+MAN3=	ipsec_set_policy.3 ipsec_strerror.3
+MLINKS+=ipsec_set_policy.3 ipsec_get_policylen.3 \
+	ipsec_set_policy.3 ipsec_dump_policy.3
+
+SRCS+= y.tab.h
+y.tab.h:	policy_parse.y
+
+.include <bsd.lib.mk>
diff --git a/lib/libipsec/ipsec_dump_policy.c b/lib/libipsec/ipsec_dump_policy.c
new file mode 100644
index 0000000..a9ef2f5
--- /dev/null
+++ b/lib/libipsec/ipsec_dump_policy.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netkey/key_var.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <arpa/inet.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+
+static const char *ipsp_dir_strs[] = {
+	"any", "in", "out",
+};
+
+static const char *ipsp_policy_strs[] = {
+	"discard", "none", "ipsec", "entrust", "bypass",
+};
+
+static int set_addresses __P((char *buf, caddr_t ptr));
+
+/*
+ * policy is sadb_x_policy buffer.
+ * Must call free() later.
+ * When delimiter == NULL, alternatively ' '(space) is applied.
+ */
+char *
+ipsec_dump_policy(policy, delimiter)
+	caddr_t policy;
+	char *delimiter;
+{
+	struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
+	struct sadb_x_ipsecrequest *xisr;
+	int xtlen, buflen;
+	char *buf;
+	int error;
+
+	/* sanity check */
+	if (policy == NULL)
+		return NULL;
+	if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
+		ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+		return NULL;
+	}
+
+	/* set delimiter */
+	if (delimiter == NULL)
+		delimiter = " ";
+
+	switch (xpl->sadb_x_policy_dir) {
+	case IPSEC_DIR_ANY:
+	case IPSEC_DIR_INBOUND:
+	case IPSEC_DIR_OUTBOUND:
+		break;
+	default:
+		ipsec_errcode = EIPSEC_INVAL_DIR;
+		return NULL;
+	}
+
+	switch (xpl->sadb_x_policy_type) {
+	case IPSEC_POLICY_DISCARD:
+	case IPSEC_POLICY_NONE:
+	case IPSEC_POLICY_IPSEC:
+	case IPSEC_POLICY_BYPASS:
+	case IPSEC_POLICY_ENTRUST:
+		break;
+	default:
+		ipsec_errcode = EIPSEC_INVAL_POLICY;
+		return NULL;
+	}
+
+	buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
+		+ 1	/* space */
+		+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
+		+ 1;	/* NUL */
+
+	if ((buf = malloc(buflen)) == NULL) {
+		ipsec_errcode = EIPSEC_NO_BUFS;
+		return NULL;
+	}
+	strcpy(buf, ipsp_dir_strs[xpl->sadb_x_policy_dir]);
+	strcat(buf, " ");
+	strcat(buf, ipsp_policy_strs[xpl->sadb_x_policy_type]);
+
+	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
+		ipsec_errcode = EIPSEC_NO_ERROR;
+		return buf;
+	}
+
+	xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
+	xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
+
+	/* count length of buffer for use */
+	/* XXX non-seriously */
+	while (xtlen > 0) {
+		buflen += 20;
+		if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL)
+			buflen += 50;
+		xtlen -= xisr->sadb_x_ipsecrequest_len;
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+				+ xisr->sadb_x_ipsecrequest_len);
+	}
+
+	/* validity check */
+	if (xtlen < 0) {
+		ipsec_errcode = EIPSEC_INVAL_SADBMSG;
+		free(buf);
+		return NULL;
+	}
+
+	if ((buf = realloc(buf, buflen)) == NULL) {
+		ipsec_errcode = EIPSEC_NO_BUFS;
+		return NULL;
+	}
+
+	xtlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
+	xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
+
+	while (xtlen > 0) {
+		strcat(buf, delimiter);
+
+		switch (xisr->sadb_x_ipsecrequest_proto) {
+		case IPPROTO_ESP:
+			strcat(buf, "esp");
+			break;
+		case IPPROTO_AH:
+			strcat(buf, "ah");
+			break;
+		case IPPROTO_IPCOMP:
+			strcat(buf, "ipcomp");
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_PROTO;
+			free(buf);
+			return NULL;
+		}
+
+		strcat(buf, "/");
+
+		switch (xisr->sadb_x_ipsecrequest_mode) {
+		case IPSEC_MODE_ANY:
+			strcat(buf, "any");
+			break;
+		case IPSEC_MODE_TRANSPORT:
+			strcat(buf, "transport");
+			break;
+		case IPSEC_MODE_TUNNEL:
+			strcat(buf, "tunnel");
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_MODE;
+			free(buf);
+			return NULL;
+		}
+
+		strcat(buf, "/");
+
+		if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
+			error = set_addresses(buf, (caddr_t)(xisr + 1));
+			if (error) {
+				ipsec_errcode = EIPSEC_INVAL_MODE;
+				free(buf);
+				return NULL;
+			}
+		}
+
+		switch (xisr->sadb_x_ipsecrequest_level) {
+		case IPSEC_LEVEL_DEFAULT:
+			strcat(buf, "/default");
+			break;
+		case IPSEC_LEVEL_USE:
+			strcat(buf, "/use");
+			break;
+		case IPSEC_LEVEL_REQUIRE:
+			strcat(buf, "/require");
+			break;
+		case IPSEC_LEVEL_UNIQUE:
+			strcat(buf, "/unique");
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_LEVEL;
+			free(buf);
+			return NULL;
+		}
+
+		xtlen -= xisr->sadb_x_ipsecrequest_len;
+		xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+				+ xisr->sadb_x_ipsecrequest_len);
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return buf;
+}
+
+static int
+set_addresses(buf, ptr)
+	char *buf;
+	caddr_t ptr;
+{
+	char tmp[100]; /* XXX */
+	struct sockaddr *saddr = (struct sockaddr *)ptr;
+
+	getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
+		NULL, 0, NI_NUMERICHOST);
+
+	strcat(buf, tmp);
+
+	strcat(buf, "-");
+
+	saddr = (struct sockaddr *)((caddr_t)saddr + saddr->sa_len);
+	getnameinfo(saddr, saddr->sa_len, tmp, sizeof(tmp),
+		NULL, 0, NI_NUMERICHOST);
+
+	strcat(buf, tmp);
+
+	return 0;
+}
diff --git a/lib/libipsec/ipsec_get_policylen.c b/lib/libipsec/ipsec_get_policylen.c
new file mode 100644
index 0000000..a8a3e5d
--- /dev/null
+++ b/lib/libipsec/ipsec_get_policylen.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <net/pfkeyv2.h>
+
+#include "ipsec_strerror.h"
+
+int
+ipsec_get_policylen(policy)
+	caddr_t policy;
+{
+	return policy ? PFKEY_EXTLEN(policy) : -1;
+}
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
new file mode 100644
index 0000000..559d5fa
--- /dev/null
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -0,0 +1,253 @@
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
+.\"     $FreeBSD$
+.\"
+.Dd May 5, 1998
+.Dt IPSEC_SET_POLICY 3
+.Os KAME
+.\"
+.Sh NAME
+.Nm ipsec_set_policy ,
+.Nm ipsec_get_policylen ,
+.Nm ipsec_dump_policy
+.Nd manipulate IPsec policy specification structure from readable string
+.\"
+.Sh SYNOPSIS
+.Fd #include <netinet6/ipsec.h>
+.Ft "char *"
+.Fn ipsec_set_policy "char *policy" "int len"
+.Ft int
+.Fn ipsec_get_policylen "char *buf"
+.Ft "char *"
+.Fn ipsec_dump_policy "char *buf" "char *delim"
+.\"
+.Sh DESCRIPTION
+.Fn ipsec_set_policy
+generates IPsec policy specification structure, namely
+.Li struct sadb_x_policy
+and/or
+.Li struct sadb_x_ipsecrequest
+from human-readable policy specification.
+policy specification must be given as C string
+.Fa policy
+and length
+.Fa len
+of
+.Fa policy .
+.Fn ipsec_set_policy
+will return the buffer of IPsec policy specification structure.
+.Pp
+You may want the length of the generated buffer such when calling
+.Xr setsockopt 2 .
+.Fn ipsec_get_policylen
+will return the length.
+.Pp
+.Fn ipsec_dump_policy
+converts IPsec policy structure into readable form.
+Therefore,
+.Fn ipsec_dump_policy
+can be regarded as inverse conversion of
+.Fn ipsec_set_policy .
+.Fa buf
+points to a IPsec policy structure,
+.Li struct sadb_x_policy .
+.Fa delim
+is a delimiter string, which is usually a blank character.
+If you set
+.Fa delim
+to
+.Dv NULL ,
+single whitespace is assumed.
+.Fn ipsec_dump_policy
+returns pointer to dynamically allocated string.
+It is caller's responsibility to reclaim the region, by using
+.Xr free 3 .
+.Pp
+.\"
+.Fa policy
+is formatted as either of the following:
+.Bl -tag  -width "discard"
+.It Ar direction Li entrust
+.Ar direction
+must be
+.Li in
+or
+.Li out .
+.Ar direction
+specifies which direction the policy needs to be applied.
+.Li entrust
+means to consult to SPD defined by
+.Xr setkey 8 .
+.It Ar direction Li bypass
+.Li bypass
+means to be bypassed the IPsec processing.
+.Po
+packet will be transmitted in clear
+.Pc .
+This is for privileged socket.
+.It Xo
+.Ar direction
+.Li ipsec
+.Ar request ...
+.Xc
+.Li ipsec
+means that the matching packets are subject to IPsec processing.
+.Li ipsec
+can be followed by one or more
+.Ar request
+string, which is formatted as below:
+.Bl -tag  -width "discard"
+.It Xo
+.Ar protocol
+.Li /
+.Ar mode
+.Li /
+.Ar src
+.Li -
+.Ar dst
+.Op Ar /level
+.Xc
+.Ar protocol
+is either
+.Li ah ,
+.Li esp
+or
+.Li ipcomp .
+.Pp
+.Ar mode
+is either
+.Li transport
+or
+.Li tunnel .
+.Pp
+.Ar src
+and
+.Ar dst
+specifies IPsec endpoint.
+.Ar src
+always means
+.Dq sending node
+and
+.Ar dst
+always means
+.Dq receiving node .
+Therefore, when
+.Ar direction
+is
+.Li in ,
+.Ar dst
+is this node
+and
+.Ar src
+is the other node
+.Pq peer .
+.Pp
+.Ar level
+must be set to one of the following:
+.Li default , use
+or
+.Li require .
+.Li default
+means that the kernel should consult the system default policy
+defined by
+.Xr sysctl 8 ,
+such as
+.Li net.inet.ipsec.esp_trans_deflev .
+See
+.Xr ipsec 4
+regarding the system default.
+.Li use
+means that a relevant SA can be used when available,
+since the kernel may perform IPsec operation against packets when possible.
+In this case, packets can be transmitted in clear
+.Pq when SA is not available ,
+or encrypted
+.Pq when SA is available .
+.Li require
+means that a relevant SA is required,
+since the kernel must perform IPsec operation against packets.
+If the
+.Ar request
+string is kept unambiguous,
+.Ar level
+and slash prior to
+.Ar level
+can be omitted.
+However, it is encouraged to specify them explicitly
+to avoid unintended behaviors.
+If
+.Ar level
+is omitted, it will be interpreted as
+.Li default .
+.El
+.El
+.Pp
+Note that there is a bit difference of specification from
+.Xr setkey 8 .
+In specification by
+.Xr setkey 8 ,
+both entrust and bypass are not used.  Refer to
+.Xr setkey 8
+for detail.
+.Pp
+Here are several examples
+.Pq long lines are wrapped for readability :
+.Bd -literal -offset indent
+in discard
+out ipsec esp/transport/10.1.1.1-10.1.1.2/require
+in ipsec ah/transport/10.1.1.2-10.1.1.1/require
+in ipsec esp/transport/10.1.1.2-10.1.1.1/use
+        ah/tunnel/10.1.1.2-10.1.1.1/require
+in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
+        esp/transport/10.1.1.2-10.1.1.1/use
+.Ed
+.\"
+.Sh RETURN VALUES
+.Fn ipsec_set_policy
+returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
+.Fn ipsec_get_policylen
+returns with positive value
+.Pq meaning the buffer size
+on success, and negative value on errors.
+.Fn ipsec_dump_policy
+returns a pointer to dynamically allocated region on success,
+and
+.Dv NULL
+on errors.
+.\"
+.Sh SEE ALSO
+.Xr ipsec_strerror 3 ,
+.Xr ispec 4
+.Xr setkey 8
+.\"
+.Sh HISTORY
+The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
+.\"
+.\" .Sh BUGS
+.\" (to be written)
diff --git a/lib/libipsec/ipsec_strerror.3 b/lib/libipsec/ipsec_strerror.3
new file mode 100644
index 0000000..58ac2b6
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.3
@@ -0,0 +1,66 @@
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     $Id: ipsec_strerror.3,v 1.2 1999/09/21 03:49:19 itojun Exp $
+.\"     $FreeBSD$
+.\"
+.Dd May 6, 1998
+.Dt IPSEC_STRERROR 3
+.Os KAME
+.\"
+.Sh NAME
+.Nm ipsec_strerror
+.Nd error code for IPsec policy manipulation library
+.\"
+.Sh SYNOPSIS
+.Fd #include <netinet6/ipsec.h>
+.Ft "char *"
+.Fn ipsec_strerror
+.\"
+.Sh DESCRIPTION
+.Pa netinet6/ipsec.h
+declares
+.Pp
+.Dl extern int ipsec_errcode;
+.Pp
+which is used to pass error code from IPsec policy manipulation library
+to user program.
+.Fn ipsec_strerror
+can be used to obtain error message string for the error code.
+.\"
+.Sh RETURN VALUES
+.Fn ipsec_strerror
+always return a pointer to C string.
+The C string must not be overwritten by user programs.
+.\"
+.\" .Sh SEE ALSO
+.\"
+.Sh HISTORY
+The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
+.\"
+.\" .Sh BUGS
+.\" (to be written)
diff --git a/lib/libipsec/ipsec_strerror.c b/lib/libipsec/ipsec_strerror.c
new file mode 100644
index 0000000..601b1d7
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <string.h>
+#include <netinet6/ipsec.h>
+
+#include "ipsec_strerror.h"
+
+int ipsec_errcode;
+
+static char *ipsec_errlist[] = {
+"Success",					/*EIPSEC_NO_ERROR*/
+"Not supported",				/*EIPSEC_NOT_SUPPORTED*/
+"Invalid argument",				/*EIPSEC_INVAL_ARGUMENT*/
+"Invalid sadb message",				/*EIPSEC_INVAL_SADBMSG*/
+"Invalid version",				/*EIPSEC_INVAL_VERSION*/
+"Invalid security policy",			/*EIPSEC_INVAL_POLICY*/
+"Invalid address specification",		/*EIPSEC_INVAL_ADDRESS*/
+"Invalid ipsec protocol",			/*EIPSEC_INVAL_PROTO*/
+"Invalid ipsec mode",				/*EIPSEC_INVAL_MODE*/
+"Invalid ipsec level",				/*EIPSEC_INVAL_LEVEL*/
+"Invalid SA type",				/*EIPSEC_INVAL_SATYPE*/
+"Invalid message type",				/*EIPSEC_INVAL_MSGTYPE*/
+"Invalid extension type",			/*EIPSEC_INVAL_EXTTYPE*/
+"Invalid algorithm type",			/*EIPSEC_INVAL_ALGS*/
+"Invalid key length",				/*EIPSEC_INVAL_KEYLEN*/
+"Invalid address family",			/*EIPSEC_INVAL_FAMILY*/
+"Invalid prefix length",			/*EIPSEC_INVAL_PREFIXLEN*/
+"Invalid direciton",				/*EIPSEC_INVAL_DIR*/
+"SPI range violation",				/*EIPSEC_INVAL_SPI*/
+"No protocol specified",			/*EIPSEC_NO_PROTO*/
+"No algorithm specified",			/*EIPSEC_NO_ALGS*/
+"No buffers available",				/*EIPSEC_NO_BUFS*/
+"Must get supported algorithms list first",	/*EIPSEC_DO_GET_SUPP_LIST*/
+"Protocol mismatch",				/*EIPSEC_PROTO_MISMATCH*/
+"Family mismatch",				/*EIPSEC_FAMILY_MISMATCH*/
+"Too few arguments",				/*EIPSEC_FEW_ARGUMENTS*/
+NULL,						/*EIPSEC_SYSTEM_ERROR*/
+"Unknown error",				/*EIPSEC_MAX*/
+};
+
+char *ipsec_strerror(void)
+{
+	if (ipsec_errcode < 0 || ipsec_errcode > EIPSEC_MAX)
+		ipsec_errcode = EIPSEC_MAX;
+
+	return ipsec_errlist[ipsec_errcode];
+}
+
+void ipsec_set_strerror(char *str)
+{
+	ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+	ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
+
+	return;
+}
diff --git a/lib/libipsec/ipsec_strerror.h b/lib/libipsec/ipsec_strerror.h
new file mode 100644
index 0000000..752ba75
--- /dev/null
+++ b/lib/libipsec/ipsec_strerror.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+extern int ipsec_errcode;
+extern void ipsec_set_strerror(char *str);
+
+#define	EIPSEC_NO_ERROR		0	/*success*/
+#define	EIPSEC_NOT_SUPPORTED	1	/*not supported*/
+#define	EIPSEC_INVAL_ARGUMENT	2	/*invalid argument*/
+#define	EIPSEC_INVAL_SADBMSG	3	/*invalid sadb message*/
+#define	EIPSEC_INVAL_VERSION	4	/*invalid version*/
+#define	EIPSEC_INVAL_POLICY	5	/*invalid security policy*/
+#define	EIPSEC_INVAL_ADDRESS	6	/*invalid address specification*/
+#define	EIPSEC_INVAL_PROTO	7	/*invalid ipsec protocol*/
+#define	EIPSEC_INVAL_MODE	8	/*Invalid ipsec mode*/
+#define	EIPSEC_INVAL_LEVEL	9	/*invalid ipsec level*/
+#define	EIPSEC_INVAL_SATYPE	10	/*invalid SA type*/
+#define	EIPSEC_INVAL_MSGTYPE	11	/*invalid message type*/
+#define	EIPSEC_INVAL_EXTTYPE	12	/*invalid extension type*/
+#define	EIPSEC_INVAL_ALGS	13	/*Invalid algorithm type*/
+#define	EIPSEC_INVAL_KEYLEN	14	/*invalid key length*/
+#define	EIPSEC_INVAL_FAMILY	15	/*invalid address family*/
+#define	EIPSEC_INVAL_PREFIXLEN	16	/*SPI range violation*/
+#define	EIPSEC_INVAL_DIR	17	/*Invalid direciton*/
+#define	EIPSEC_INVAL_SPI	18	/*invalid prefixlen*/
+#define	EIPSEC_NO_PROTO		19	/*no protocol specified*/
+#define	EIPSEC_NO_ALGS		20	/*No algorithm specified*/
+#define	EIPSEC_NO_BUFS		21	/*no buffers available*/
+#define	EIPSEC_DO_GET_SUPP_LIST	22	/*must get supported algorithm first*/
+#define	EIPSEC_PROTO_MISMATCH	23	/*protocol mismatch*/
+#define	EIPSEC_FAMILY_MISMATCH	24	/*family mismatch*/
+#define	EIPSEC_FEW_ARGUMENTS	25	/*Too few arguments*/
+#define	EIPSEC_SYSTEM_ERROR	26	/*system error*/
+#define	EIPSEC_MAX		27	/*unknown error*/
diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c
new file mode 100644
index 0000000..318be33
--- /dev/null
+++ b/lib/libipsec/pfkey.c
@@ -0,0 +1,1421 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static char *rcsid = "@(#) pfkey.c $Revision: 1.10 $";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <net/pfkeyv2.h>
+#include <netkey/key_var.h>
+#include <netinet/in.h>
+#include <netinet6/in6.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+
+#include "ipsec_strerror.h"
+
+#define	CALLOC(size, cast) (cast)calloc(1, (size))
+
+static int pfkey_send_x1 __P((int so, u_int type, u_int satype, u_int mode,
+	struct sockaddr *src, struct sockaddr *dst, u_int32_t spi, u_int wsize,
+	caddr_t keymat,
+	u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
+	u_int flags,
+	u_int32_t l_alloc, u_int32_t l_bytes,
+	u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq));
+static int pfkey_send_x2 __P((int so, u_int type, u_int satype, u_int mode,
+	struct sockaddr *src, struct sockaddr *dst, u_int32_t spi));
+static int pfkey_send_x3 __P((int so, u_int type, u_int satype));
+
+static caddr_t pfkey_setsadbmsg __P((caddr_t buf, u_int type, u_int tlen,
+	u_int satype, u_int mode, u_int32_t seq, pid_t pid));
+static caddr_t pfkey_setsadbsa __P((caddr_t buf, u_int32_t spi, u_int wsize,
+	u_int auth, u_int enc, u_int32_t flags));
+static caddr_t pfkey_setsadbaddr __P((caddr_t buf, u_int exttype,
+	struct sockaddr *saddr, u_int prefixlen, u_int ul_proto));
+static caddr_t pfkey_setsadbkey(caddr_t buf, u_int type,
+	caddr_t key, u_int keylen);
+static caddr_t pfkey_setsadblifetime(caddr_t buf, u_int type,
+	u_int32_t l_alloc, u_int32_t l_bytes,
+	u_int32_t l_addtime, u_int32_t l_usetime);
+
+/*
+ * check key length against algorithm specified.
+ * supported is either SADB_EXT_SUPPORTED_ENCRYPT or SADB_EXT_SUPPORTED_AUTH.
+ * Refer to keyv2.h to get more info.
+ * keylen is the unit of bit.
+ * OUT:
+ *	-1: invalid.
+ *	 0: valid.
+ */
+struct sadb_msg *ipsec_supported = NULL;
+
+int
+ipsec_check_keylen(supported, alg_id, keylen)
+	u_int supported;
+	u_int alg_id;
+	u_int keylen;
+{
+	u_int tlen;
+	caddr_t p;
+	struct sadb_supported *sup;
+	struct sadb_alg *alg;
+
+	/* validity check */
+	if (ipsec_supported == NULL) {
+		ipsec_errcode = EIPSEC_DO_GET_SUPP_LIST;
+		return -1;
+	}
+	switch (supported) {
+	case SADB_EXT_SUPPORTED_AUTH:
+	case SADB_EXT_SUPPORTED_ENCRYPT:
+		break;
+	default:
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	tlen = ipsec_supported->sadb_msg_len - sizeof(struct sadb_msg);
+	p = (caddr_t)ipsec_supported + sizeof(struct sadb_msg);
+
+	for (;
+	     tlen > 0;
+	     tlen -= sup->sadb_supported_len, p += sup->sadb_supported_len) {
+
+		sup = (struct sadb_supported *)p;
+
+		if (sup->sadb_supported_exttype != supported)
+			continue;
+
+	    {
+		u_int ttlen = sup->sadb_supported_len;
+		caddr_t pp = p + sizeof(*sup);
+
+		for (;
+		     ttlen > 0;
+	     	     ttlen -= sizeof(*alg), pp += sizeof(*alg)) {
+			alg = (struct sadb_alg *)pp;
+
+			if (alg->sadb_alg_id == alg_id)
+				goto found;
+	    	}
+	    }
+	}
+
+	ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+	return -1;
+	/* NOTREACHED */
+
+    found:
+	if (keylen < alg->sadb_alg_minbits
+	 || keylen > alg->sadb_alg_maxbits) {
+		ipsec_errcode = EIPSEC_INVAL_KEYLEN;
+		return -1;
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set the rate for SOFT lifetime against HARD one.
+ * If rate is more than 100 or equal to zero, then set to 100.
+ */
+static u_int soft_lifetime_allocations_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_bytes_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_addtime_rate = PFKEY_SOFT_LIFETIME_RATE;
+static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
+
+u_int
+pfkey_set_softrate(type, rate)
+	u_int type, rate;
+{
+	ipsec_errcode = EIPSEC_NO_ERROR;
+
+	if (rate > 100 || rate == 0)
+		rate = 100;
+
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		soft_lifetime_allocations_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_BYTES:
+		soft_lifetime_bytes_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_ADDTIME:
+		soft_lifetime_addtime_rate = rate;
+		return 0;
+	case SADB_X_LIFETIME_USETIME:
+		soft_lifetime_usetime_rate = rate;
+		return 0;
+	}
+
+	ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+	return 1;
+}
+
+/*
+ * get current rate for SOFT lifetime against HARD one.
+ * ATTENTION: ~0 is returned if invalid type was passed.
+ */
+u_int
+pfkey_get_softrate(type)
+	u_int type;
+{
+	switch (type) {
+	case SADB_X_LIFETIME_ALLOCATIONS:
+		return soft_lifetime_allocations_rate;
+	case SADB_X_LIFETIME_BYTES:
+		return soft_lifetime_bytes_rate;
+	case SADB_X_LIFETIME_ADDTIME:
+		return soft_lifetime_addtime_rate;
+	case SADB_X_LIFETIME_USETIME:
+		return soft_lifetime_usetime_rate;
+	}
+
+	return ~0;
+}
+
+/*
+ * sending SADB_GETSPI message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_getspi(so, satype, mode, src, dst, min, max, seq)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t min, max, seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	int need_spirange = 0;
+	caddr_t p;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	if (min > max || (min > 0 && min <= 255)) {
+		ipsec_errcode = EIPSEC_INVAL_SPI;
+		return -1;
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len);
+
+	if (min > 255 && max < ~0) {
+		need_spirange++;
+		len += sizeof(struct sadb_spirange);
+	}
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_GETSPI,
+	                     len, satype, mode, seq, getpid());
+
+	/* set sadb_address for source */
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_SRC,
+	                      src,
+	                      _INALENBYAF(src->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+
+	/* set sadb_address for destination */
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_DST,
+	                      dst,
+	                      _INALENBYAF(dst->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+
+	/* proccessing spi range */
+	if (need_spirange) {
+		int _len = sizeof(struct sadb_spirange);
+
+#define	_SADB_SPIRANGE(p) ((struct sadb_spirange *)(p))
+		_SADB_SPIRANGE(p)->sadb_spirange_len = PFKEY_UNIT64(_len);
+		_SADB_SPIRANGE(p)->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+		_SADB_SPIRANGE(p)->sadb_spirange_min = min;
+		_SADB_SPIRANGE(p)->sadb_spirange_max = max;
+#undef _SADB_SPIRANGE(p)
+		p += _len;
+	}
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_UPDATE message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_update(so, satype, mode, src, dst, spi, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
+			wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_ADD message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_add(so, satype, mode, src, dst, spi, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int satype, mode, wsize;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc;
+	u_int64_t l_bytes, l_addtime, l_usetime;
+	u_int32_t seq;
+{
+	int len;
+	if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
+			wsize, keymat, e_type, e_keylen, a_type, a_keylen, flags,
+			l_alloc, l_bytes, l_addtime, l_usetime, seq)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DELETE message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_delete(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_DELETE, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_GET message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_get(so, satype, mode, src, dst, spi)
+	int so;
+	u_int satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	int len;
+	if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_register(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_REGISTER, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * receiving SADB_REGISTER message from the kernel, and copy buffer for
+ * sadb_supported returned into ipsec_supported.
+ * OUT:
+ *	 0: success and return length sent.
+ *	-1: error occured, and set errno.
+ */
+int
+pfkey_recv_register(so)
+	int so;
+{
+	pid_t pid = getpid();
+	struct sadb_msg *newmsg;
+	struct sadb_supported *sup;
+	caddr_t p;
+	int tlen;
+
+	/* receive message */
+	do {
+		if ((newmsg = pfkey_recv(so)) == NULL)
+			return -1;
+
+	} while (newmsg->sadb_msg_type != SADB_REGISTER
+	    || newmsg->sadb_msg_pid != pid);
+
+	/* check and fix */
+	newmsg->sadb_msg_len = PFKEY_UNUNIT64(newmsg->sadb_msg_len);
+
+	tlen = newmsg->sadb_msg_len - sizeof(struct sadb_msg);
+	p = (caddr_t)newmsg + sizeof(struct sadb_msg);
+	while (tlen > 0) {
+		sup = (struct sadb_supported *)p;
+		switch (sup->sadb_supported_exttype) {
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+			sup->sadb_supported_len = PFKEY_EXTLEN(sup);
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			free(newmsg);
+			return -1;
+		}
+
+		tlen -= sup->sadb_supported_len;
+		p += sup->sadb_supported_len;
+	}
+
+	if (tlen < 0) {
+		ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	if (ipsec_supported != NULL)
+		free(ipsec_supported);
+
+	ipsec_supported = newmsg;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * sending SADB_FLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_flush(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_FLUSH, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_DUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_dump(so, satype)
+	int so;
+	u_int satype;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_DUMP, satype)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_PROMISC message to the kernel.
+ * NOTE that this function handles promisc mode toggle only.
+ * IN:
+ *	flag:	set promisc off if zero, set promisc on if non-zero.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ *	0     : error occured, and set errno.
+ *	others: a pointer to new allocated buffer in which supported
+ *	        algorithms is.
+ */
+int
+pfkey_send_promisc_toggle(so, flag)
+	int so;
+	int flag;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_PROMISC, (flag ? 1 : 0))) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDADD message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	char *policy;
+	int policylen;
+	u_int32_t seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	if (prefs > (_INALENBYAF(src->sa_family) << 3)
+	 || prefd > (_INALENBYAF(dst->sa_family) << 3)) {
+		ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+		+ policylen;
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDADD, len,
+	                     SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid());
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_SRC,
+	                      src,
+	                      prefs,
+	                      proto);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_DST,
+	                      dst,
+	                      prefd,
+	                      proto);
+	memcpy(p, policy, policylen);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_X_SPDDELETE message to the kernel.
+ * The length of key material is a_keylen + e_keylen.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, seq)
+	int so;
+	struct sockaddr *src, *dst;
+	u_int prefs, prefd, proto;
+	u_int32_t seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+	if (prefs > (_INALENBYAF(src->sa_family) << 3)
+	 || prefd > (_INALENBYAF(dst->sa_family) << 3)) {
+		ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family))
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(_SALENBYAF(src->sa_family));
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, SADB_X_SPDDELETE, len,
+	                     SADB_SATYPE_UNSPEC, IPSEC_MODE_ANY, seq, getpid());
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_SRC,
+	                      src,
+	                      prefs,
+	                      proto);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_DST,
+	                      dst,
+	                      prefd,
+	                      proto);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_SPDFLUSH message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spdflush(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/*
+ * sending SADB_SPDDUMP message to the kernel.
+ * OUT:
+ *	positive: success and return length sent.
+ *	-1	: error occured, and set errno.
+ */
+int
+pfkey_send_spddump(so)
+	int so;
+{
+	int len;
+
+	if ((len = pfkey_send_x3(so, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC)) < 0)
+		return -1;
+
+	return len;
+}
+
+/* sending SADB_ADD or SADB_UPDATE message to the kernel */
+static int
+pfkey_send_x1(so, type, satype, mode, src, dst, spi, wsize,
+		keymat, e_type, e_keylen, a_type, a_keylen, flags,
+		l_alloc, l_bytes, l_addtime, l_usetime, seq)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+	u_int wsize;
+	caddr_t keymat;
+	u_int e_type, e_keylen, a_type, a_keylen, flags;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+
+	switch (satype) {
+	case SADB_SATYPE_ESP:
+		if (e_type == SADB_EALG_NONE) {
+			ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_AH:
+		if (e_type != SADB_EALG_NONE) {
+			ipsec_errcode = EIPSEC_INVAL_ALGS;
+			return -1;
+		}
+		if (a_type == SADB_AALG_NONE) {
+			ipsec_errcode = EIPSEC_NO_ALGS;
+			return -1;
+		}
+		break;
+	case SADB_X_SATYPE_IPCOMP:
+		break;
+	default:
+		ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len)
+		+ sizeof(struct sadb_lifetime)
+		+ sizeof(struct sadb_lifetime);
+
+	if (e_type != SADB_EALG_NONE)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
+	if (a_type != SADB_AALG_NONE)
+		len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(a_keylen));
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, type, len,
+	                     satype, mode, seq, getpid());
+	p = pfkey_setsadbsa(p, spi, wsize, a_type, e_type, flags);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_SRC,
+	                      src,
+	                      _INALENBYAF(src->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_DST,
+	                      dst,
+	                      _INALENBYAF(dst->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+
+	if (e_type != SADB_EALG_NONE)
+		p = pfkey_setsadbkey(p, SADB_EXT_KEY_ENCRYPT,
+		                   keymat, e_keylen);
+	if (a_type != SADB_AALG_NONE)
+		p = pfkey_setsadbkey(p, SADB_EXT_KEY_AUTH,
+		                   keymat + e_keylen, a_keylen);
+
+	/* set sadb_lifetime for destination */
+	p = pfkey_setsadblifetime(p, SADB_EXT_LIFETIME_HARD,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+	p = pfkey_setsadblifetime(p, SADB_EXT_LIFETIME_SOFT,
+			l_alloc, l_bytes, l_addtime, l_usetime);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/* sending SADB_DELETE or SADB_GET message to the kernel */
+static int
+pfkey_send_x2(so, type, satype, mode, src, dst, spi)
+	int so;
+	u_int type, satype, mode;
+	struct sockaddr *src, *dst;
+	u_int32_t spi;
+{
+	struct sadb_msg *newmsg;
+	int len;
+	caddr_t p;
+
+	/* validity check */
+	if (src == NULL || dst == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+	if (src->sa_family != dst->sa_family) {
+		ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+		return -1;
+	}
+
+	/* create new sadb_msg to reply. */
+	len = sizeof(struct sadb_msg)
+		+ sizeof(struct sadb_sa)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(src->sa_len)
+		+ sizeof(struct sadb_address)
+		+ PFKEY_ALIGN8(dst->sa_len);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	p = pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, mode, 0, getpid());
+	p = pfkey_setsadbsa(p, spi, 0, 0, 0, 0);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_SRC,
+	                      src,
+	                      _INALENBYAF(src->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+	p = pfkey_setsadbaddr(p,
+	                      SADB_EXT_ADDRESS_DST,
+	                      dst,
+	                      _INALENBYAF(dst->sa_family) << 3,
+	                      IPSEC_ULPROTO_ANY);
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * sending SADB_REGISTER, SADB_FLUSH, SADB_DUMP or SADB_X_PROMISC message
+ * to the kernel
+ */
+static int
+pfkey_send_x3(so, type, satype)
+	int so;
+	u_int type, satype;
+{
+	struct sadb_msg *newmsg;
+	int len;
+
+	/* validity check */
+	switch (type) {
+	case SADB_X_PROMISC:
+		if (satype != 0 && satype != 1) {
+			ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	default:
+		switch (satype) {
+		case SADB_SATYPE_UNSPEC:
+		case SADB_SATYPE_AH:
+		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_IPCOMP:
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+	}
+
+	/* create new sadb_msg to send. */
+	len = sizeof(struct sadb_msg);
+
+	if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	(void)pfkey_setsadbmsg((caddr_t)newmsg, type, len, satype, 0, 0, getpid());
+
+	/* send message */
+	len = pfkey_send(so, newmsg, len);
+	free(newmsg);
+
+	if (len < 0)
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * open a socket.
+ * OUT:
+ *	-1: fail.
+ *	others : success and return value of socket.
+ */
+int
+pfkey_open()
+{
+	int so;
+	const int bufsiz = 128 * 1024;	/*is 128K enough?*/
+
+	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	/*
+	 * This is a temporary workaround for KAME PR 154.
+	 * Don't really care even if it fails.
+	 */
+	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return so;
+}
+
+/*
+ * close a socket.
+ * OUT:
+ *	 0: success.
+ *	-1: fail.
+ */
+void
+pfkey_close(so)
+	int so;
+{
+	(void)close(so);
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return;
+}
+
+/*
+ * receive sadb_msg data, and return pointer to new buffer allocated.
+ * Must free this buffer later.
+ * OUT:
+ *	NULL	: error occured.
+ *	others	: a pointer to sadb_msg structure.
+ */
+struct sadb_msg *
+pfkey_recv(so)
+	int so;
+{
+	struct sadb_msg buf, *newmsg;
+	int len, reallen;
+
+	while ((len = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK)) < 0) {
+		if (errno == EINTR) continue;
+		ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	if (len < sizeof(buf)) {
+		recv(so, (caddr_t)&buf, sizeof(buf), 0);
+		ipsec_errcode = EIPSEC_MAX;
+		return NULL;
+	}
+
+	/* read real message */
+	reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
+	if ((newmsg = CALLOC(reallen, struct sadb_msg *)) == 0) {
+		ipsec_set_strerror(strerror(errno));
+		return NULL;
+	}
+
+	while ((len = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+		if (errno == EINTR) continue;
+		ipsec_set_strerror(strerror(errno));
+		free(newmsg);
+		return NULL;
+	}
+
+	if (len != reallen) {
+		ipsec_errcode = EIPSEC_SYSTEM_ERROR;
+		free(newmsg);
+		return NULL;
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return newmsg;
+}
+
+/*
+ * send message to a socket.
+ * OUT:
+ *	 others: success and return length sent.
+ *	-1     : fail.
+ */
+int
+pfkey_send(so, msg, len)
+	int so;
+	struct sadb_msg *msg;
+	int len;
+{
+	if ((len = send(so, (caddr_t)msg, len, 0)) < 0) {
+		ipsec_set_strerror(strerror(errno));
+		return -1;
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return len;
+}
+
+/*
+ * %%% Utilities
+ * NOTE: These functions are derived from netkey/key.c in KAME.
+ */
+/*
+ * set the pointer to each header in this message buffer.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ */
+int
+pfkey_align(msg, mhp)
+	struct sadb_msg *msg;
+	caddr_t *mhp;
+{
+	struct sadb_ext *ext;
+	int tlen, extlen;
+	int i;
+
+	/* validity check */
+	if (msg == NULL || mhp == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	/* initialize */
+	for (i = 0; i < SADB_EXT_MAX + 1; i++)
+		mhp[i] = NULL;
+
+	mhp[0] = (caddr_t)msg;
+
+	tlen = PFKEY_UNUNIT64(msg->sadb_msg_len) - sizeof(struct sadb_msg);
+	ext = (struct sadb_ext *)((caddr_t)msg + sizeof(struct sadb_msg));
+
+	while (tlen > 0) {
+		/* duplicate check */
+		/* XXX Are there duplication either KEY_AUTH or KEY_ENCRYPT ?*/
+		if (mhp[ext->sadb_ext_type] != NULL) {
+			ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		/* set pointer */
+		switch (ext->sadb_ext_type) {
+		case SADB_EXT_SA:
+		case SADB_EXT_LIFETIME_CURRENT:
+		case SADB_EXT_LIFETIME_HARD:
+		case SADB_EXT_LIFETIME_SOFT:
+		case SADB_EXT_ADDRESS_SRC:
+		case SADB_EXT_ADDRESS_DST:
+		case SADB_EXT_ADDRESS_PROXY:
+		case SADB_EXT_KEY_AUTH:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_KEY_ENCRYPT:
+			/* XXX should to be check weak keys. */
+		case SADB_EXT_IDENTITY_SRC:
+		case SADB_EXT_IDENTITY_DST:
+		case SADB_EXT_SENSITIVITY:
+		case SADB_EXT_PROPOSAL:
+		case SADB_EXT_SUPPORTED_AUTH:
+		case SADB_EXT_SUPPORTED_ENCRYPT:
+		case SADB_EXT_SPIRANGE:
+		case SADB_X_EXT_POLICY:
+			mhp[ext->sadb_ext_type] = (caddr_t)ext;
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
+			return -1;
+		}
+
+		extlen = PFKEY_EXTLEN(ext);
+		tlen -= extlen;
+		ext = (struct sadb_ext *)((caddr_t)ext + extlen);
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * check basic usage for sadb_msg,
+ * NOTE: This routine is derived from netkey/key.c in KAME.
+ * IN:	msg: pointer to message buffer.
+ *	mhp: pointer to the buffer initialized like below:
+ *
+ *		caddr_t mhp[SADB_EXT_MAX + 1];
+ *
+ * OUT:	-1: invalid.
+ *	 0: valid.
+ */
+int
+pfkey_check(mhp)
+	caddr_t *mhp;
+{
+	struct sadb_msg *msg;
+
+	/* validity check */
+	if (mhp == NULL || mhp[0] == NULL) {
+		ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return -1;
+	}
+
+	msg = (struct sadb_msg *)mhp[0];
+
+	/* check version */
+	if (msg->sadb_msg_version != PF_KEY_V2) {
+		ipsec_errcode = EIPSEC_INVAL_VERSION;
+		return -1;
+	}
+
+	/* check type */
+	if (msg->sadb_msg_type > SADB_MAX) {
+		ipsec_errcode = EIPSEC_INVAL_MSGTYPE;
+		return -1;
+	}
+
+	/* check SA type */
+	switch (msg->sadb_msg_satype) {
+	case SADB_SATYPE_UNSPEC:
+		switch (msg->sadb_msg_type) {
+		case SADB_GETSPI:
+		case SADB_UPDATE:
+		case SADB_ADD:
+		case SADB_DELETE:
+		case SADB_GET:
+		case SADB_ACQUIRE:
+		case SADB_EXPIRE:
+			ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_ESP:
+	case SADB_SATYPE_AH:
+	case SADB_X_SATYPE_IPCOMP:
+		switch (msg->sadb_msg_type) {
+		case SADB_X_SPDADD:
+		case SADB_X_SPDDELETE:
+		case SADB_X_SPDGET:
+		case SADB_X_SPDDUMP:
+		case SADB_X_SPDFLUSH:
+			ipsec_errcode = EIPSEC_INVAL_SATYPE;
+			return -1;
+		}
+		break;
+	case SADB_SATYPE_RSVP:
+	case SADB_SATYPE_OSPFV2:
+	case SADB_SATYPE_RIPV2:
+	case SADB_SATYPE_MIP:
+		ipsec_errcode = EIPSEC_NOT_SUPPORTED;
+		return -1;
+	case 1:	/* XXX: What does it do ? */
+		if (msg->sadb_msg_type == SADB_X_PROMISC)
+			break;
+		/*FALLTHROUGH*/
+	default:
+		ipsec_errcode = EIPSEC_INVAL_SATYPE;
+		return -1;
+	}
+
+	/* check field of upper layer protocol and address family */
+	if (mhp[SADB_EXT_ADDRESS_SRC] != NULL
+	 && mhp[SADB_EXT_ADDRESS_DST] != NULL) {
+		struct sadb_address *src0, *dst0;
+
+		src0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_SRC]);
+		dst0 = (struct sadb_address *)(mhp[SADB_EXT_ADDRESS_DST]);
+
+		if (src0->sadb_address_proto != dst0->sadb_address_proto) {
+			ipsec_errcode = EIPSEC_PROTO_MISMATCH;
+			return -1;
+		}
+
+		if (PFKEY_ADDR_SADDR(src0)->sa_family
+		 != PFKEY_ADDR_SADDR(dst0)->sa_family) {
+			ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+			return -1;
+		}
+
+		switch (PFKEY_ADDR_SADDR(src0)->sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			break;
+		default:
+			ipsec_errcode = EIPSEC_INVAL_FAMILY;
+			return -1;
+		}
+
+		/*
+		 * prefixlen == 0 is valid because there must be the case
+		 * all addresses are matched.
+		 */
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+/*
+ * set data into sadb_msg.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbmsg(buf, type, tlen, satype, mode, seq, pid)
+	caddr_t buf;
+	u_int type, satype, mode;
+	u_int tlen;
+	u_int32_t seq;
+	pid_t pid;
+{
+	struct sadb_msg *p;
+	u_int len;
+
+	p = (struct sadb_msg *)buf;
+	len = sizeof(struct sadb_sa);
+
+	memset(p, 0, len);
+	p->sadb_msg_version = PF_KEY_V2;
+	p->sadb_msg_type = type;
+	p->sadb_msg_errno = 0;
+	p->sadb_msg_satype = satype;
+	p->sadb_msg_len = PFKEY_UNIT64(tlen);
+	p->sadb_msg_mode = mode;
+	p->sadb_msg_reserved = 0;
+	p->sadb_msg_seq = seq;
+	p->sadb_msg_pid = (u_int32_t)pid;
+
+	return(buf + len);
+}
+
+/*
+ * copy secasvar data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ */
+static caddr_t
+pfkey_setsadbsa(buf, spi, wsize, auth, enc, flags)
+	caddr_t buf;
+	u_int32_t spi, flags;
+	u_int wsize, auth, enc;
+{
+	struct sadb_sa *p;
+	u_int len;
+
+	p = (struct sadb_sa *)buf;
+	len = sizeof(struct sadb_sa);
+
+	memset(p, 0, len);
+	p->sadb_sa_len = PFKEY_UNIT64(len);
+	p->sadb_sa_exttype = SADB_EXT_SA;
+	p->sadb_sa_spi = spi;
+	p->sadb_sa_replay = wsize;
+	p->sadb_sa_state = SADB_SASTATE_LARVAL;
+	p->sadb_sa_auth = auth;
+	p->sadb_sa_encrypt = enc;
+	p->sadb_sa_flags = flags;
+
+	return(buf + len);
+}
+
+/*
+ * set data into sadb_address.
+ * `buf' must has been allocated sufficiently.
+ * prefixlen is in bits.
+ */
+static caddr_t
+pfkey_setsadbaddr(buf, exttype, saddr, prefixlen, ul_proto)
+	caddr_t buf;
+	u_int exttype;
+	struct sockaddr *saddr;
+	u_int prefixlen;
+	u_int ul_proto;
+{
+	struct sadb_address *p;
+	u_int len;
+
+	p = (struct sadb_address *)buf;
+	len = sizeof(struct sadb_address) + PFKEY_ALIGN8(saddr->sa_len);
+
+	memset(p, 0, len);
+	p->sadb_address_len = PFKEY_UNIT64(len);
+	p->sadb_address_exttype = exttype & 0xffff;
+	p->sadb_address_proto = ul_proto & 0xff;
+	p->sadb_address_prefixlen = prefixlen;
+	p->sadb_address_reserved = 0;
+
+	memcpy(p + 1, saddr, saddr->sa_len);
+
+	return(buf + len);
+}
+
+/*
+ * set sadb_key structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadbkey(buf, type, key, keylen)
+	caddr_t buf, key;
+	u_int type, keylen;
+{
+	struct sadb_key *p;
+	u_int len;
+
+	p = (struct sadb_key *)buf;
+	len = sizeof(struct sadb_key) + PFKEY_ALIGN8(keylen);
+
+	memset(p, 0, len);
+	p->sadb_key_len = PFKEY_UNIT64(len);
+	p->sadb_key_exttype = type;
+	p->sadb_key_bits = keylen << 3;
+	p->sadb_key_reserved = 0;
+
+	memcpy(p + 1, key, keylen);
+
+	return buf + len;
+}
+
+/*
+ * set sadb_lifetime structure after clearing buffer with zero.
+ * OUT: the pointer of buf + len.
+ */
+static caddr_t
+pfkey_setsadblifetime(buf, type, l_alloc, l_bytes, l_addtime, l_usetime)
+	caddr_t buf;
+	u_int type;
+	u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
+{
+	struct sadb_lifetime *p;
+	u_int len;
+
+	p = (struct sadb_lifetime *)buf;
+	len = sizeof(struct sadb_lifetime);
+
+	memset(p, 0, len);
+	p->sadb_lifetime_len = PFKEY_UNIT64(len);
+	p->sadb_lifetime_exttype = type;
+
+	switch (type) {
+	case SADB_EXT_LIFETIME_SOFT:
+		p->sadb_lifetime_allocations
+			= (l_alloc * soft_lifetime_allocations_rate) /100;
+		p->sadb_lifetime_bytes
+			= ((l_bytes * soft_lifetime_bytes_rate) /100) << 10;
+		p->sadb_lifetime_addtime
+			= (l_addtime * soft_lifetime_addtime_rate) /100;
+		p->sadb_lifetime_usetime
+			= (l_usetime * soft_lifetime_usetime_rate) /100;
+		break;
+	case SADB_EXT_LIFETIME_HARD:
+		p->sadb_lifetime_allocations = l_alloc;
+		p->sadb_lifetime_bytes = l_bytes << 10;
+		p->sadb_lifetime_addtime = l_addtime;
+		p->sadb_lifetime_usetime = l_usetime;
+		break;
+	}
+
+	return buf + len;
+}
+
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
new file mode 100644
index 0000000..b7def24
--- /dev/null
+++ b/lib/libipsec/pfkey_dump.c
@@ -0,0 +1,463 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet6/ipsec.h>
+#include <net/pfkeyv2.h>
+#include <netkey/key_var.h>
+#include <netkey/key_debug.h>
+
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+#ifdef INET6
+#include <netinet6/in6.h>
+#endif
+#include <arpa/inet.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include "ipsec_strerror.h"
+
+#define	GETMSGSTR(str, num) \
+{ \
+	if (sizeof((str)[0]) == 0 \
+	 || num >= sizeof(str)/sizeof((str)[0])) \
+		printf("%d ", (num)); \
+	else if (strlen((str)[(num)]) == 0) \
+		printf("%d ", (num)); \
+	else \
+		printf("%s ", (str)[(num)]); \
+}
+
+#define	GETAF(p) \
+	(((struct sockaddr *)(p))->sa_family)
+
+static char *_str_ipaddr __P((u_int family, caddr_t addr));
+static char *_str_prefport __P((u_int family, u_int pref, u_int port));
+static char *_str_time __P((time_t t));
+static void _str_lifetime_byte __P((struct sadb_lifetime *x, char *str));
+
+/*
+ * Must to be re-written about following strings.
+ */
+static char *_str_satype[] = {
+	"unspec",
+	"unknown",
+	"ah",
+	"esp",
+	"unknown",
+	"rsvp",
+	"ospfv2",
+	"ripv2",
+	"mip",
+	"ipcomp",
+};
+
+static char *_str_mode[] = {
+	"any",
+	"transport",
+	"tunnel",
+};
+
+static char *_str_upper[] = {
+/*0*/	"ip", "icmp", "igmp", "ggp", "ip4",
+	"", "tcp", "", "egp", "",
+/*10*/	"", "", "", "", "",
+	"", "", "udp", "", "",
+/*20*/	"", "", "idp", "", "",
+	"", "", "", "", "tp",
+/*30*/	"", "", "", "", "",
+	"", "", "", "", "",
+/*40*/	"", "ip6", "", "rt6", "frag6",
+	"", "rsvp", "gre", "", "",
+/*50*/	"esp", "ah", "", "", "",
+	"", "", "", "icmp6", "none",
+/*60*/	"dst6",
+};
+
+static char *_str_state[] = {
+	"larval",
+	"mature",
+	"dying",
+	"dead",
+};
+
+static char *_str_alg_auth[] = {
+	"none",
+	"hmac-md5",
+	"hmac-sha1",
+	"md5",
+	"sha",
+	"null",
+};
+
+static char *_str_alg_enc[] = {
+	"none",
+	"des-cbc",
+	"3des-cbc",
+	"null",
+	"blowfish-cbc",
+	"cast128-cbc",
+	"rc5-cbc",
+};
+
+static char *_str_alg_comp[] = {
+	"none",
+	"oui",
+	"deflate",
+	"lzs",
+};
+
+/*
+ * dump SADB_MSG formated.  For debugging, you should use kdebug_sadb().
+ */
+void
+pfkey_sadump(m)
+	struct sadb_msg *m;
+{
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_sa *m_sa;
+	struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
+	struct sadb_address *m_saddr, *m_daddr, *m_paddr;
+	struct sadb_key *m_auth, *m_enc;
+	struct sadb_ident *m_sid, *m_did;
+	struct sadb_sens *m_sens;
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+	m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+	m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+	m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
+	m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
+	m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
+	m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+	m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
+	m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
+
+	/* source address */
+	if (m_saddr == NULL) {
+		printf("no ADDRESS_SRC extension.\n");
+		return;
+	}
+	printf("%s ",
+		_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)));
+
+	/* destination address */
+	if (m_daddr == NULL) {
+		printf("no ADDRESS_DST extension.\n");
+		return;
+	}
+	printf("%s ",
+		_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)));
+
+	/* SA type */
+	if (m_sa == NULL) {
+		printf("no SA extension.\n");
+		return;
+	}
+	printf("\n\t");
+
+	GETMSGSTR(_str_satype, m->sadb_msg_satype);
+
+	printf("mode=");
+	GETMSGSTR(_str_mode, m->sadb_msg_mode);
+
+	printf("spi=%u(0x%08x) replay=%u flags=0x%08x\n",
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		(u_int32_t)ntohl(m_sa->sadb_sa_spi),
+		m_sa->sadb_sa_replay,
+		m_sa->sadb_sa_flags);
+
+	/* encryption key */
+	if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
+		printf("\tC: ");
+		GETMSGSTR(_str_alg_comp, m_sa->sadb_sa_encrypt);
+	} else if (m->sadb_msg_satype == SADB_SATYPE_ESP) {
+		if (m_enc != NULL) {
+			printf("\tE: ");
+			GETMSGSTR(_str_alg_enc, m_sa->sadb_sa_encrypt);
+			ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
+				      m_enc->sadb_key_bits / 8);
+			printf("\n");
+		}
+	}
+
+	/* authentication key */
+	if (m_auth != NULL) {
+		printf("\tA: ");
+		GETMSGSTR(_str_alg_auth, m_sa->sadb_sa_auth);
+		ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
+		              m_auth->sadb_key_bits / 8);
+		printf("\n");
+	}
+
+	/* state */
+	printf("\tstate=");
+	GETMSGSTR(_str_state, m_sa->sadb_sa_state);
+
+	printf("seq=%lu pid=%lu\n",
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* lifetime */
+	if (m_lftc != NULL) {
+		time_t tmp_time = time(0);
+
+		printf("\tcreated: %s",
+			_str_time(m_lftc->sadb_lifetime_addtime));
+		printf("\tcurrent: %s\n", _str_time(tmp_time));
+		printf("\tdiff: %lu(s)",
+			(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
+			0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
+
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_addtime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_addtime));
+
+		printf("\tlast: %s",
+			_str_time(m_lftc->sadb_lifetime_usetime));
+		printf("\thard: %lu(s)",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_usetime));
+		printf("\tsoft: %lu(s)\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_usetime));
+
+		_str_lifetime_byte(m_lftc, "current");
+		_str_lifetime_byte(m_lfth, "hard");
+		_str_lifetime_byte(m_lfts, "soft");
+		printf("\n");
+
+		printf("\tallocated: %lu",
+			(unsigned long)m_lftc->sadb_lifetime_allocations);
+		printf("\thard: %lu",
+			(u_long)(m_lfth == NULL ?
+			0 : m_lfth->sadb_lifetime_allocations));
+		printf("\tsoft: %lu\n",
+			(u_long)(m_lfts == NULL ?
+			0 : m_lfts->sadb_lifetime_allocations));
+	}
+
+	/* XXX DEBUG */
+	printf("\trefcnt=%d\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+void
+pfkey_spdump(m)
+	struct sadb_msg *m;
+{
+	caddr_t mhp[SADB_EXT_MAX + 1];
+	struct sadb_address *m_saddr, *m_daddr;
+	struct sadb_x_policy *m_xpl;
+
+	/* check pfkey message. */
+	if (pfkey_align(m, mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+	if (pfkey_check(mhp)) {
+		printf("%s\n", ipsec_strerror());
+		return;
+	}
+
+	m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+	m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+	m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+
+	/* source address */
+	if (m_saddr == NULL) {
+		printf("no ADDRESS_SRC extension.\n");
+		return;
+	}
+	printf("%s%s ",
+		_str_ipaddr(GETAF(m_saddr + 1), _INADDRBYSA(m_saddr + 1)),
+		_str_prefport(GETAF(m_saddr + 1),
+		     m_saddr->sadb_address_prefixlen,
+		     _INPORTBYSA(m_saddr + 1)));
+
+	/* destination address */
+	if (m_daddr == NULL) {
+		printf("no ADDRESS_DST extension.\n");
+		return;
+	}
+	printf("%s%s ",
+		_str_ipaddr(GETAF(m_daddr + 1), _INADDRBYSA(m_daddr + 1)),
+		_str_prefport(GETAF(m_daddr + 1),
+		     m_daddr->sadb_address_prefixlen,
+		     _INPORTBYSA(m_daddr + 1)));
+
+	/* upper layer protocol */
+	if (m_saddr->sadb_address_proto != m_saddr->sadb_address_proto) {
+		printf("upper layer protocol mismatched.\n");
+		return;
+	}
+	if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
+		printf("any");
+	else
+		GETMSGSTR(_str_upper, m_saddr->sadb_address_proto);
+
+	/* policy */
+    {
+	char *d_xpl;
+
+	if (m_xpl == NULL) {
+		printf("no X_POLICY extension.\n");
+		return;
+	}
+	d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+
+	/* dump SPD */
+	printf("\n\t%s\n", d_xpl);
+	free(d_xpl);
+    }
+
+	printf("\tseq=%ld pid=%ld\n",
+		(u_long)m->sadb_msg_seq,
+		(u_long)m->sadb_msg_pid);
+
+	/* XXX TEST */
+	printf("\trefcnt=%d\n", m->sadb_msg_reserved);
+
+	return;
+}
+
+/*
+ * set "ipaddress" to buffer.
+ */
+static char *
+_str_ipaddr(family, addr)
+	u_int family;
+	caddr_t addr;
+{
+	static char buf[128];
+	char addrbuf[128];
+
+	if (addr == NULL)
+		return "";
+
+	inet_ntop(family, addr, addrbuf, sizeof(addrbuf));
+
+	snprintf(buf, sizeof(buf), "%s", addrbuf);
+
+	return buf;
+}
+
+/*
+ * set "/prefix[port number]" to buffer.
+ */
+static char *
+_str_prefport(family, pref, port)
+	u_int family, pref, port;
+{
+	static char buf[128];
+	char prefbuf[10];
+	char portbuf[10];
+
+	if (pref == (_INALENBYAF(family) << 3))
+		prefbuf[0] = '\0';
+	else
+		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
+
+	if (port == IPSEC_PORT_ANY)
+		snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+	else
+		snprintf(portbuf, sizeof(portbuf), "[%u]", ntohs(port));
+
+	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
+
+	return buf;
+}
+
+/*
+ * set "Mon Day Time Year" to buffer
+ */
+static char *
+_str_time(t)
+	time_t t;
+{
+	static char buf[128];
+
+	if (t == 0) {
+		int i = 0;
+		for (;i < 20;) buf[i++] = ' ';
+	} else {
+		char *t0;
+		t0 = ctime(&t);
+		memcpy(buf, t0 + 4, 20);
+	}
+
+	buf[20] = '\0';
+
+	return(buf);
+}
+
+static void
+_str_lifetime_byte(x, str)
+	struct sadb_lifetime *x;
+	char *str;
+{
+	double y;
+	char *unit;
+	int w;
+
+	if (x == NULL) {
+		printf("\t%s: 0(bytes)", str);
+		return;
+	}
+
+	y = (x->sadb_lifetime_bytes) * 1.0;
+	unit = "";
+	w = 0;
+	printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
+}
diff --git a/lib/libipsec/policy_parse.y b/lib/libipsec/policy_parse.y
new file mode 100644
index 0000000..ffa1a6f
--- /dev/null
+++ b/lib/libipsec/policy_parse.y
@@ -0,0 +1,426 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+/* KAME $Id: policy_parse.y,v 1.1 1999/10/20 01:26:41 sakane Exp $ */
+
+/*
+ * IN/OUT bound policy configuration take place such below:
+ *	in <policy>
+ *	out <policy>
+ *
+ * <policy> is one of following:
+ *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
+ *
+ * The following requests are accepted as <requests>:
+ *
+ *	protocol/mode/src-dst/level
+ *	protocol/mode/src-dst		parsed as protocol/mode/src-dst/default
+ *	protocol/mode/src-dst/		parsed as protocol/mode/src-dst/default
+ *	protocol/transport		parsed as protocol/mode/any-any/default
+ *	protocol/transport//level	parsed as protocol/mode/any-any/level
+ *
+ * You can concatenate these requests with either ' '(single space) or '\n'.
+ */
+
+%{
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ipsec_strerror.h"
+
+#define	ATOX(c) \
+  (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
+
+static caddr_t pbuf = NULL;		/* sadb_x_policy buffer */
+static int tlen = 0;			/* total length of pbuf */
+static int offset = 0;			/* offset of pbuf */
+static int p_dir, p_type, p_protocol, p_mode, p_level;
+static struct sockaddr *p_src = NULL;
+static struct sockaddr *p_dst = NULL;
+
+extern void yyerror __P((char *msg));
+static struct sockaddr *parse_sockaddr __P((/*struct _val *buf*/));
+static int rule_check __P((void));
+static int init_x_policy __P((void));
+static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
+static int set_sockaddr __P((struct sockaddr *addr));
+static void policy_parse_request_init __P((void));
+static caddr_t policy_parse __P((char *msg, int msglen));
+
+extern void __policy__strbuffer__init__ __P((char *msg));
+extern int yyparse();
+extern int yylex();
+
+%}
+
+%union {
+	u_int num;
+	struct _val {
+		int len;
+		char *buf;
+	} val;
+}
+
+%token DIR ACTION PROTOCOL MODE LEVEL
+%token IPADDRESS
+%token ME ANY
+%token SLASH HYPHEN
+%type <num> DIR ACTION PROTOCOL MODE LEVEL
+%type <val> IPADDRESS
+
+%%
+policy_spec
+	:	DIR ACTION
+		{
+			p_dir = $1;
+			p_type = $2;
+
+			if (init_x_policy())
+				return -1;
+		}
+		rules
+	;
+
+rules
+	:	/*NOTHING*/
+	|	rules rule {
+			if (rule_check() < 0)
+				return -1;
+
+			if (set_x_request(p_src, p_dst) < 0)
+				return -1;
+
+			policy_parse_request_init();
+		}
+	;
+
+rule
+	:	protocol SLASH mode SLASH addresses SLASH level
+	|	protocol SLASH mode SLASH addresses SLASH
+	|	protocol SLASH mode SLASH addresses
+	|	protocol SLASH mode SLASH
+	|	protocol SLASH mode SLASH SLASH level
+	|	protocol SLASH mode
+	|	protocol SLASH {
+			ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+			return -1;
+		}
+	|	protocol {
+			ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
+			return -1;
+		}
+	;
+
+protocol
+	:	PROTOCOL { p_protocol = $1; }
+	;
+
+mode
+	:	MODE { p_mode = $1; }
+	;
+
+level
+	:	LEVEL { p_level = $1; }
+	;
+
+addresses
+	:	IPADDRESS {
+			p_src = parse_sockaddr(&$1);
+			if (p_src == NULL)
+				return -1;
+		}
+		HYPHEN
+		IPADDRESS {
+			p_dst = parse_sockaddr(&$4);
+			if (p_dst == NULL)
+				return -1;
+		}
+	|	ME HYPHEN ANY {
+			if (p_dir != IPSEC_DIR_OUTBOUND) {
+				ipsec_errcode = EIPSEC_INVAL_DIR;
+				return -1;
+			}
+		}
+	|	ANY HYPHEN ME {
+			if (p_dir != IPSEC_DIR_INBOUND) {
+				ipsec_errcode = EIPSEC_INVAL_DIR;
+				return -1;
+			}
+		}
+		/*
+	|	ME HYPHEN ME
+		*/
+	;
+
+%%
+
+void
+yyerror(msg)
+	char *msg;
+{
+	fprintf(stderr, "%s\n", msg);
+
+	return;
+}
+
+static struct sockaddr *
+parse_sockaddr(buf)
+	struct _val *buf;
+{
+	struct addrinfo hints, *res;
+	char *serv = NULL;
+	int error;
+	struct sockaddr *newaddr = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = PF_UNSPEC;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(buf->buf, serv, &hints, &res);
+	if (error != 0 || res->ai_addr == NULL) {
+		ipsec_set_strerror(error == EAI_SYSTEM ?
+				   gai_strerror(error) : strerror(errno));
+		return NULL;
+	}
+
+	if (res->ai_addr == NULL) {
+		ipsec_set_strerror(gai_strerror(error));
+		return NULL;
+	}
+
+	newaddr = malloc(res->ai_addr->sa_len);
+	if (newaddr == NULL) {
+		ipsec_errcode = EIPSEC_NO_BUFS;
+		freeaddrinfo(res);
+		return NULL;
+	}
+	memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
+
+	/*
+	 * XXX: If the scope of the destination is link-local,
+	 * embed the scope-id(in this case, interface index)
+	 * into the address.
+	 */
+	if (newaddr->sa_family == AF_INET6) {
+		struct sockaddr_in6 *sin6;
+
+		sin6 = (struct sockaddr_in6 *)newaddr;
+		if(IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
+		   sin6->sin6_scope_id != 0)
+			*(u_short *)&sin6->sin6_addr.s6_addr[2] =
+				htons(sin6->sin6_scope_id & 0xffff);
+	}
+
+	freeaddrinfo(res);
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return newaddr;
+}
+
+static int
+rule_check()
+{
+	if (p_type == IPSEC_POLICY_IPSEC) {
+		if (p_protocol == IPPROTO_IP) {
+			ipsec_errcode = EIPSEC_NO_PROTO;
+			return -1;
+		}
+
+		if (p_mode != IPSEC_MODE_TRANSPORT
+		 && p_mode != IPSEC_MODE_TUNNEL) {
+			ipsec_errcode = EIPSEC_INVAL_MODE;
+			return -1;
+		}
+
+		if (p_src == NULL && p_dst == NULL) {
+			 if (p_mode != IPSEC_MODE_TRANSPORT) {
+				ipsec_errcode = EIPSEC_INVAL_ADDRESS;
+				return -1;
+			}
+		}
+		else if (p_src->sa_family != p_dst->sa_family) {
+			ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+			return -1;
+		}
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+init_x_policy()
+{
+	struct sadb_x_policy *p;
+
+	tlen = sizeof(struct sadb_x_policy);
+
+	pbuf = malloc(tlen);
+	if (pbuf == NULL) {
+		ipsec_errcode = EIPSEC_NO_BUFS;
+		return -1;
+	}
+	p = (struct sadb_x_policy *)pbuf;
+	p->sadb_x_policy_len = 0;	/* must update later */
+	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	p->sadb_x_policy_type = p_type;
+	p->sadb_x_policy_dir = p_dir;
+	p->sadb_x_policy_reserved = 0;
+	offset = tlen;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+set_x_request(src, dst)
+	struct sockaddr *src, *dst;
+{
+	struct sadb_x_ipsecrequest *p;
+	int reqlen;
+
+	reqlen = sizeof(*p)
+		+ (src ? src->sa_len : 0)
+		+ (dst ? dst->sa_len : 0);
+	tlen += reqlen;		/* increment to total length */
+
+	pbuf = realloc(pbuf, tlen);
+	if (pbuf == NULL) {
+		ipsec_errcode = EIPSEC_NO_BUFS;
+		return -1;
+	}
+	p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
+	p->sadb_x_ipsecrequest_len = reqlen;
+	p->sadb_x_ipsecrequest_proto = p_protocol;
+	p->sadb_x_ipsecrequest_mode = p_mode;
+	p->sadb_x_ipsecrequest_level = p_level;
+	offset += sizeof(*p);
+
+	if (set_sockaddr(src) || set_sockaddr(dst))
+		return -1;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static int
+set_sockaddr(addr)
+	struct sockaddr *addr;
+{
+	if (addr == NULL) {
+		ipsec_errcode = EIPSEC_NO_ERROR;
+		return 0;
+	}
+
+	/* tlen has already incremented */
+
+	memcpy(&pbuf[offset], addr, addr->sa_len);
+
+	offset += addr->sa_len;
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return 0;
+}
+
+static void
+policy_parse_request_init()
+{
+	p_protocol = IPPROTO_IP;
+	p_mode = IPSEC_MODE_ANY;
+	p_level = IPSEC_LEVEL_DEFAULT;
+	if (p_src != NULL) {
+		free(p_src);
+		p_src = NULL;
+	}
+	if (p_dst != NULL) {
+		free(p_dst);
+		p_dst = NULL;
+	}
+
+	return;
+}
+
+static caddr_t
+policy_parse(msg, msglen)
+	char *msg;
+	int msglen;
+{
+	int error;
+	pbuf = NULL;
+	tlen = 0;
+
+	/* initialize */
+	p_dir = IPSEC_DIR_INVALID;
+	p_type = IPSEC_POLICY_DISCARD;
+	policy_parse_request_init();
+	__policy__strbuffer__init__(msg);
+
+	error = yyparse();	/* it must be set errcode. */
+	if (error) {
+		if (pbuf != NULL)
+			free(pbuf);
+		return NULL;
+	}
+
+	/* update total length */
+	((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+
+	return pbuf;
+}
+
+caddr_t
+ipsec_set_policy(msg, msglen)
+	char *msg;
+	int msglen;
+{
+	caddr_t policy;
+
+	policy = policy_parse(msg, msglen);
+	if (policy == NULL) {
+		if (ipsec_errcode == EIPSEC_NO_ERROR)
+			ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+		return NULL;
+	}
+
+	ipsec_errcode = EIPSEC_NO_ERROR;
+	return policy;
+}
+
diff --git a/lib/libipsec/policy_token.l b/lib/libipsec/policy_token.l
new file mode 100644
index 0000000..1e7b714
--- /dev/null
+++ b/lib/libipsec/policy_token.l
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+%{
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <net/route.h>
+#include <net/pfkeyv2.h>
+#include <netkey/keydb.h>
+#include <netkey/key_debug.h>
+#include <netinet/in.h>
+#include <netinet6/ipsec.h>
+
+#include <stdlib.h>
+#include <limits.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "y.tab.h"
+#define	yylval __libyylval	/* XXX */
+%}
+
+%option noyywrap
+
+/* common section */
+nl		\n
+ws		[ \t]+
+digit		[0-9]
+letter		[0-9A-Za-z]
+hexdigit	[0-9A-Fa-f]
+special		[()+\|\?\*,]
+dot		\.
+comma		\,
+hyphen		\-
+colon		\:
+slash		\/
+bcl		\{
+ecl		\}
+blcl		\[
+elcl		\]
+percent		\%
+semi		\;
+usec		{dot}{digit}{1,6}
+comment		\#.*
+ccomment	"/*"
+bracketstring	\<[^>]*\>
+quotedstring	\"[^"]*\"
+decstring	{digit}+
+hexpair		{hexdigit}{hexdigit}
+hexstring	0[xX]{hexdigit}+
+octetstring	{octet}({dot}{octet})+
+ipaddress	[a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(@{letter}{letter}+)?
+name		{letter}(({letter}|{digit}|{hyphen})*({letter}|{digit}))*
+hostname	{name}(({dot}{name})+{dot}?)?
+
+%%
+
+in		{ yylval.num = IPSEC_DIR_INBOUND; return(DIR); }
+out		{ yylval.num = IPSEC_DIR_OUTBOUND; return(DIR); }
+
+discard		{ yylval.num = IPSEC_POLICY_DISCARD; return(ACTION); }
+none		{ yylval.num = IPSEC_POLICY_NONE; return(ACTION); }
+ipsec		{ yylval.num = IPSEC_POLICY_IPSEC; return(ACTION); }
+bypass		{ yylval.num = IPSEC_POLICY_BYPASS; return(ACTION); }
+entrust		{ yylval.num = IPSEC_POLICY_ENTRUST; return(ACTION); }
+
+esp		{ yylval.num = IPPROTO_ESP; return(PROTOCOL); }
+ah		{ yylval.num = IPPROTO_AH; return(PROTOCOL); }
+ipcomp		{ yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
+
+transport	{ yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
+tunnel		{ yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
+
+me		{ return(ME); }
+any		{ return(ANY); }
+
+default		{ yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
+use		{ yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
+require		{ yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
+unique		{ yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
+{slash}		{ return(SLASH); }
+
+{ipaddress}	{
+			yylval.val.len = strlen(yytext);
+			yylval.val.buf = strdup(yytext);
+			return(IPADDRESS);
+		}
+
+{hyphen}	{ return(HYPHEN); }
+
+{ws}		{ ; }
+{nl}		{ ; }
+
+%%
+
+void
+__policy__strbuffer__init__(msg)
+	char *msg;
+{
+	YY_BUFFER_STATE yyb;
+
+	yyb = (YY_BUFFER_STATE)yy_scan_string(msg);
+	yy_switch_to_buffer(yyb);
+
+	return;
+}
+
diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c
new file mode 100644
index 0000000..3b9d18c
--- /dev/null
+++ b/lib/libipsec/test-policy.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <netinet6/in6.h>
+#include <netkey/keyv2.h>
+#include <netkey/key_debug.h>
+#include <netinet6/ipsec.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <err.h>
+
+char *requests[] = {
+"must_error",				/* error */
+"in ipsec must_error",			/* error */
+"out ipsec esp/must_error",		/* error */
+"out discard",
+"out none",
+"in entrust",
+"out entrust",
+"in bypass",				/* may be error */
+"out ipsec esp",			/* error */
+"in ipsec ah/transport",
+"in ipsec ah/tunnel",			/* error */
+"out ipsec ah/transport/",
+"out ipsec ah/tunnel/",			/* error */
+"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
+"in ipsec esp/tunnel/::1-::2",
+"in ipsec esp/tunnel/10.0.0.1-::2",	/* error */
+"in ipsec esp/tunnel/::1-::2/require",
+"out ipsec ah/transport//use",
+"out ipsec ah/transport esp/use",
+"in ipsec ah/transport esp/tunnel",	/* error */
+"in ipsec
+	ah / transport
+	esp / tunnel / ::1-::2",
+"
+out ipsec
+ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+",
+"out ipsec esp/transport/fec0::10-fec0::11/use",
+};
+
+int test(char *buf, int family);
+
+int
+main(ac, av)
+	int ac;
+	char **av;
+{
+	int do_setsockopt;
+	char *buf;
+	int i;
+
+	if (ac != 1)
+		do_setsockopt = 1;
+	else
+		do_setsockopt = 0;
+
+	for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
+		printf("*** requests ***\n");
+		printf("\t[%s]\n", requests[i]);
+
+		buf = ipsec_set_policy(requests[i], strlen(requests[i]));
+		if (buf == NULL) {
+			printf("ipsec_set_policy: %s\n", ipsec_strerror());
+			continue;
+		}
+
+		printf("\tsetlen:%d\n", ipsec_get_policylen(buf));
+
+		if (do_setsockopt) {
+			printf("\tPF_INET:\n");
+			test(buf, PF_INET);
+
+			printf("\tPF_INET6:\n");
+			test(buf, PF_INET6);
+		} else {
+			kdebug_sadb_x_policy((struct sadb_ext *)buf);
+		}
+		free(buf);
+	}
+
+	return 0;
+}
+
+int
+test(policy, family)
+	char *policy;
+	int family;
+{
+	int so, proto, optname;
+	int len;
+	char getbuf[1024];
+
+	switch (family) {
+	case PF_INET:
+		proto = IPPROTO_IP;
+		optname = IP_IPSEC_POLICY;
+		break;
+	case PF_INET6:
+		proto = IPPROTO_IPV6;
+		optname = IPV6_IPSEC_POLICY;
+		break;
+	}
+
+	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
+		err(1, "socket");
+
+	len = ipsec_get_policylen(policy);
+	if (setsockopt(so, proto, optname, policy, len) < 0) {
+		printf("error on setsockopt");
+		goto end;
+	}
+
+	len = sizeof(getbuf);
+	memset(getbuf, 0, sizeof(getbuf));
+	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
+		printf("error on getsockopt");
+		goto end;
+	}
+
+    {
+	char *buf = NULL;
+
+	printf("\tgetlen:%d\n", len);
+
+	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
+		printf("%s\n", ipsec_strerror());
+		goto end;
+	} else {
+		printf("\t[%s]\n", buf);
+		free(buf);
+	}
+    }
+
+    end:
+	close (so);
+
+	return 0;
+}
+