The rS313330 introduced new security policy types for IFNET and PCB.
IFNET security policies are used by if_ipsec(4) interface. The are automatically created when if_ipsec(4) interface is configured.
PCB security policies are used by application to apply SP for specific socket.
Basically, they all have a different scope.
I added several constants to describe the scope of policy (IPSEC_POLICYSCOPE_XXX).
Currently only IPSEC_POLICYSCOPE_IFNET and IPSEC_POLICYSCOPE_GLOBAL are used.
These scopes can be used to filter the listing that does `setkey -DP' command.
Two additional flags are added to setkey(8) utility:
-g to show only policies from global scope; -t to show only policies from ifnet scope (virtual *tunnel* interface).
To achieve this I used sadb_x_policy_reserved field in the struct sadb_x_policy to specify policy scope.
How it worked now:
# setkey -DPt 0.0.0.0/0[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/87.250.242.144-87.250.242.145/unique:145 spid=1 seq=3 pid=873 scope=ifnet refcnt=1 ::/0[any] ::/0[any] any in ipsec esp/tunnel/87.250.242.144-87.250.242.145/unique:145 spid=3 seq=2 pid=873 scope=ifnet refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any out ipsec esp/tunnel/87.250.242.145-87.250.242.144/unique:145 spid=2 seq=1 pid=873 scope=ifnet refcnt=1 ::/0[any] ::/0[any] any out ipsec esp/tunnel/87.250.242.145-87.250.242.144/unique:145 spid=4 seq=0 pid=873 scope=ifnet refcnt=1 # setkey -DPg ::/0 ::/0 icmp6 135,0 out none spid=5 seq=1 pid=872 scope=global refcnt=1 ::/0 ::/0 icmp6 136,0 out none spid=6 seq=0 pid=872 scope=global refcnt=1