From owner-freebsd-questions Mon Sep 22 11:03:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA04883 for questions-outgoing; Mon, 22 Sep 1997 11:03:46 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA04863 for ; Mon, 22 Sep 1997 11:03:26 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id LAA09326; Mon, 22 Sep 1997 11:02:54 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma009320; Mon Sep 22 11:02:43 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id LAA21297; Mon, 22 Sep 1997 11:02:43 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199709221802.LAA21297@bubba.whistle.com>
Subject: Re: [Fwd: DIVERT or tun0?]
In-Reply-To: <3426AAF3.167EB0E7@whistle.com> from Julian Elischer at "Sep 22, 97 10:29:23 am"
To: alexlh@xs4all.nl
Date: Mon, 22 Sep 1997 11:02:43 -0700 (PDT)
Cc: freebsd-questions@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Can someone explain what the difference is between the tunnel device
> and DIVERT sockets? And why we need them both?

The tunnel device is an interface. You can route packets into and out of it just like any other interface. In other words, it's a terminus for packets.

Divert sockets are not an interface, but more like a "tap" into the various packet flows between interfaces. The main thing you can do with divert sockets that you can't do with an interface is match packets based on anything that ipfw(8) can match, rather than just destination IP address (which is the only field the routing code uses to determine which interface to send a packet out of).

For example, suppose you wanted to pass all packets going to some other IP network through an encryption layer. With the tunnel device you can't do this, because when you write the encrypted packet back to the system, it still has the same destination IP address (so it just loops back out to your encryption layer again).

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
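The following is an added toy simulation of the two mechanisms described in the reply above; it is not Archie's code and not FreeBSD kernel code. It models the forwarding path as destination-only routing (the loop the message describes when a tunnel interface re-routes the encrypted packet) and contrasts it with an ipfw-style rule list in which a divert rule can match on any header field and, as ipfw does, resumes evaluation at the rule after the diverting one when the packet is written back. Interface names, addresses, rule numbers and the `encrypt` stand-in are constructed for the example.

```python
"""Constructed simulation: tunnel interface vs. ipfw divert rule.

Assumptions (not from the original message): the encryption layer keeps
the original destination address, and a packet reinjected from a divert
handler re-enters the rule list at the rule following the one that diverted it.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # constructed values: "tcp", "udp", "esp"
    payload: bytes


def route(table, pkt):
    """Destination-only longest-prefix match, the only field the routing
    code consults when choosing an output interface."""
    best = None
    for net, iface in table:
        if ip_address(pkt.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def encrypt(pkt):
    """Stand-in for the encryption layer: wraps the payload, keeps addresses."""
    return replace(pkt, proto="esp", payload=b"ENC(" + pkt.payload + b")")


def forward_with_tun(table, pkt, max_hops=8):
    """Tunnel interface: a packet routed to tun0 is handed to the encryption
    layer and written back, and the stack routes it again by destination.
    Because the destination is unchanged, it is routed to tun0 again."""
    for _ in range(max_hops):
        iface = route(table, pkt)
        if iface != "tun0":
            return iface, pkt
        pkt = encrypt(pkt)          # written back with the same dst
    return "LOOP", pkt


def forward_with_divert(table, rules, pkt):
    """ipfw-style rule list: (number, match, action). A callable action is a
    divert handler; the reinjected packet continues at the next rule, so the
    diverting rule cannot fire on its own output."""
    i = 0
    while i < len(rules):
        _num, match, action = rules[i]
        if match(pkt):
            if action == "deny":
                return "DROP", pkt
            if action == "allow":
                break
            pkt = action(pkt)       # divert: handler output re-enters below
        i += 1
    return route(table, pkt), pkt


# Constructed sample data.
REMOTE_NET = ip_network("10.2.0.0/16")
PKT = Packet("10.1.0.5", "10.2.0.9", "tcp", b"hello")

# Tunnel setup: traffic for the remote network is routed into tun0.
TABLE_TUN = [(ip_network("0.0.0.0/0"), "fxp0"), (REMOTE_NET, "tun0")]

# Divert setup: the remote network stays on the real interface; ipfw picks
# the packets to encrypt using fields routing cannot see (protocol here).
TABLE_DIVERT = [(ip_network("0.0.0.0/0"), "fxp0")]
RULES = [
    (100, lambda p: ip_address(p.dst) in REMOTE_NET and p.proto != "esp", encrypt),
    (200, lambda p: ip_address(p.dst) in REMOTE_NET and p.proto != "esp", "deny"),
    (300, lambda p: True, "allow"),
]
# Rule 200 is the fail-closed check: plaintext bound for the remote network
# that somehow bypassed the encryption layer is dropped, never forwarded.


def demo_tun():
    return forward_with_tun(TABLE_TUN, PKT)


def demo_divert():
    return forward_with_divert(TABLE_DIVERT, RULES, PKT)


def demo_divert_bypass():
    """Plaintext evaluated with the divert rule removed: rule 200 must drop it."""
    return forward_with_divert(TABLE_DIVERT, RULES[1:], PKT)


if __name__ == "__main__":
    print("tun0:  ", demo_tun())
    print("divert:", demo_divert())
    print("bypass:", demo_divert_bypass())
```

Run as-is: the tunnel path never leaves `tun0` and ends in `LOOP`, while the divert path delivers the wrapped packet on `fxp0` after a single pass through the handler, which is the distinction the message draws between a terminus and a tap.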