===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/netstat/inet.c,v
retrieving revision 1.162
retrieving revision 1.163
diff -u -r1.162 -r1.163
--- src/usr.bin/netstat/inet.c	2017/11/07 16:51:23	1.162
+++ src/usr.bin/netstat/inet.c	2018/08/13 14:36:54	1.163
@@ -1,4 +1,4 @@
-/*	$OpenBSD: inet.c,v 1.162 2017/11/07 16:51:23 visa Exp $	*/
+/*	$OpenBSD: inet.c,v 1.163 2018/08/13 14:36:54 mpi Exp $	*/
 /*	$NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $	*/
 
 /*
@@ -1006,6 +1006,40 @@
 	p(etherips_opackets, "\t%llu output ethernet-in-IP packet%s\n");
 	p(etherips_ibytes, "\t%llu input byte%s\n");
 	p(etherips_obytes, "\t%llu output byte%s\n");
+#undef p
+}
+
+/*
+ * Dump IPsec statistics structure.
+ */
+void
+ipsec_stats(char *name)
+{
+	struct ipsecstat ipsecstat;
+	int mib[] = { CTL_NET, PF_INET, IPPROTO_IP, IPCTL_IPSEC_STATS };
+	size_t len = sizeof(ipsecstat);
+
+	if (sysctl(mib, sizeof(mib) / sizeof(mib[0]),
+	    &ipsecstat, &len, NULL, 0) == -1) {
+		if (errno != ENOPROTOOPT)
+			warn("%s", name);
+		return;
+	}
+
+	printf("%s:\n", name);
+#define p(f, m) if (ipsecstat.f || sflag <= 1) \
+	printf(m, ipsecstat.f, plural(ipsecstat.f))
+	p(ipsec_ipackets, "\t%llu input IPsec packet%s\n");
+	p(ipsec_opackets, "\t%llu output IPsec packet%s\n");
+	p(ipsec_ibytes, "\t%llu input byte%s\n");
+	p(ipsec_obytes, "\t%llu output byte%s\n");
+	p(ipsec_idecompbytes, "\t%llu input byte%s, decompressed\n");
+	p(ipsec_ouncompbytes, "\t%llu output byte%s, uncompressed\n");
+	p(ipsec_idrops, "\t%llu packet%s dropped on input\n");
+	p(ipsec_odrops, "\t%llu packet%s dropped on output\n");
+	p(ipsec_crypto, "\t%llu packet%s that failed crypto processing\n");
+	p(ipsec_noxform, "\t%llu packet%s for which no XFORM was set in TDB received\n");
+	p(ipsec_notdb, "\t%llu packet%s for which no TDB was found\n");
 #undef p
 }