From owner-freebsd-net@FreeBSD.ORG Tue Apr 11 21:50:21 2006
Date: Tue, 11 Apr 2006 21:47:17 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Kelly Yancey
Cc: Dmitry Pryanishnikov, freebsd-net@freebsd.org, VANHULLEBUS Yvan
Subject: Re: tcpdump and ipsec
In-Reply-To: <20060411153224.L55107@gateway.posi.net>
Message-ID: <20060411213528.F13011@maildrop.int.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, 11 Apr 2006, Kelly Yancey wrote:

Hi,

> On Sun, 2 Apr 2006, Dmitry Pryanishnikov wrote:
>
>> On Sun, 2 Apr 2006, Bjoern A. Zeeb wrote:
>>>> Why not? IMHO it will be very useful feature: think about e.g. traffic
>>>> shaping for several different networks which are routed via the same
>>>> ipsec tunnel. Without the enc0, you can only shape them together, e.g.:
>>>
>>> why not shaping on the internal interface in case this is a gateway?
>>> You know src and dst there too.
>>
>> Gateway can also contain sources of traffic, and we should be able
>> to shape all outgoing or incoming traffic (not only transit packets,
>> but also locally-originated).
>>
>>> The only difference enc0 makes is for host-only-setups or if you want
>>> to see all your unencrypted ipsec traffic on a gateway in one place.
>>
>> It seems to me that it's also useful for general traffic
>> shaping/accounting/filtering purposes.
>>
> I agree 100%. At work, we implemented the enc interface for FreeBSD
> 4.7 and 4.10 along with extending the divert interface such that we
> could perform filtering and NAT on packets after tunnel decapsulation.

you know you can do this with what's in there already w/o enc(4)?
At least I have been doing it for more than two years now with 5.x and
greater. Actually this mail will get to you via such a setup.

> Just because one person doesn't have a use for the enc interface, does
> not mean that no one does.

agreed. good arguments for example would also be that filtering IPSec
traffic with pf would become possible easily as long as there is no
such thing like the ipsec flag in ipfw...

-- 
Bjoern A. Zeeb                                bzeeb at Zabbadoz dot NeT
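As an added illustration that is not part of the thread, the following pf.conf fragment shows the kind of per-network filtering on an enc(4) interface that the discussion is about: two internal networks share one IPsec tunnel, and the decrypted (inbound) and not-yet-encrypted (outbound) packets are filtered separately on enc0 instead of on the physical interface. It assumes a FreeBSD host with enc(4) and pf; interface names, the peer address and all networks are constructed placeholders.

```pf
# Constructed example: two internal networks behind one gateway share a
# single IPsec tunnel to $peer. Names and addresses are assumptions.
ext_if = "em0"
int_if = "em1"
peer   = "203.0.113.1"
net_a  = "10.1.0.0/24"     # internal network A (local end of the tunnel)
net_b  = "10.2.0.0/24"     # internal network B (local end of the tunnel)
remote = "10.9.0.0/16"     # networks reachable behind the tunnel peer

# The ciphertext and IKE still have to be allowed on the physical interface;
# nothing about the inner packets can be matched here.
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) to $peer port 500

# Packets are presented to pf once more on enc0 after decryption (in) and
# before encryption (out), so policy can be written per inner network here.
# This also covers traffic that originates on the gateway itself, which a
# rule on $int_if would never see.
block log on enc0 all

# Network A: only HTTP/HTTPS may cross the tunnel, in either direction.
pass in  on enc0 inet proto tcp from $remote to $net_a port { 80, 443 } keep state
pass out on enc0 inet proto tcp from $net_a to $remote port { 80, 443 } keep state

# Network B: unrestricted, but tagged so later rules and logs can account
# for it separately from network A.
pass in  on enc0 inet from $remote to $net_b keep state tag NET_B
pass out on enc0 inet from $net_b to $remote keep state tag NET_B
```

The same rule set written on $int_if could distinguish the two networks for transit traffic, as the thread notes, but not for packets generated by the gateway, and it could not confirm that a packet actually arrived through the tunnel rather than in the clear.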