Date: Wed, 28 Nov 2007 22:39:06 +0000 (UTC)
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_enc.c src/sys/netipsec ipsec.h ipsec_input.c ipsec_output.c xform.h xform_ipip.c
Message-ID: <20071128223625.A53707@maildrop.int.zabbadoz.net>
In-Reply-To: <200711282233.lASMXrmm052782@repoman.freebsd.org>
References: <200711282233.lASMXrmm052782@repoman.freebsd.org>
On Wed, 28 Nov 2007, Bjoern A. Zeeb wrote:

> bz          2007-11-28 22:33:53 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/net              if_enc.c
>     sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c
>                          xform.h xform_ipip.c
>   Log:
>   Add sysctls to if_enc(4) to control whether the firewalls or
>   bpf will see inner and outer headers or just inner or outer
>   headers for incoming and outgoing IPsec packets.
>
>   This is useful in bpf to not have overlong lines for debugging
>   or selecting packets based on the inner headers.
>   It also properly defines the behavior of what the firewalls see.

That is not fully true at this point. I'll flip the defaults of the
sysctls in a few weeks. At the same time I'll remove the
if (prot != IPPROTO_IPIP) checks. People who want to pass those
packets to pfil after that can then use ipencap on enc0 in pf, for
example.

>   Last but not least it gives you if_enc(4) for IPv6 as well.
>
>   [ As some auxiliary state was not available in the later
>   input path we save it in the tdbi. That way tcpdump can give a
>   consistent view of either of (authentic,confidential) for both
>   before and after states. ]
>
>   Discussed with:	thompsa (2007-04-25, basic idea of unifying paths)
>   Reviewed by:		thompsa, gnn
>
>   Revision  Changes    Path
>   1.7       +74 -11    src/sys/net/if_enc.c
>   1.14      +9 -2      src/sys/netipsec/ipsec.h
>   1.20      +21 -2     src/sys/netipsec/ipsec_input.c
>   1.17      +24 -2     src/sys/netipsec/ipsec_output.c
>   1.4       +3 -0      src/sys/netipsec/xform.h
>   1.16      +15 -1     src/sys/netipsec/xform_ipip.c

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.