Date:      Wed, 28 Nov 2007 22:39:06 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/net if_enc.c src/sys/netipsec ipsec.h  ipsec_input.c ipsec_output.c xform.h xform_ipip.c
Message-ID:  <20071128223625.A53707@maildrop.int.zabbadoz.net>
In-Reply-To: <200711282233.lASMXrmm052782@repoman.freebsd.org>
References:  <200711282233.lASMXrmm052782@repoman.freebsd.org>

On Wed, 28 Nov 2007, Bjoern A. Zeeb wrote:

> bz          2007-11-28 22:33:53 UTC
>
>  FreeBSD src repository
>
>  Modified files:
>    sys/net              if_enc.c
>    sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c
>                         xform.h xform_ipip.c
>  Log:
>  Add sysctls to if_enc(4) to control whether the firewalls or
>  bpf will see inner and outer headers or just inner or outer
>  headers for incoming and outgoing IPsec packets.
>
>  This is useful in bpf to not have overlong lines for debugging
>  or selecting packets based on the inner headers.
>  It also properly defines the behavior of what the firewalls see.

That is not fully true at this point.

I'll flip the defaults of the sysctls in a few weeks. The same time
I'll remove the if (prot != IPPROTO_IPIP) checks.

People who want to pass those packets to pfil after that can then
use ipencap on enc0 in pf, for example.



>  Last but not least it gives you if_enc(4) for IPv6 as well.
>
>  [ As some auxiliary state was not available in the later
>    input path we save it in the tdbi. That way tcpdump can give a
>    consistent view of either of (authentic,confidential) for both
>    before and after states. ]
>
>  Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
>  Reviewed by:    thompsa, gnn
>
>  Revision  Changes    Path
>  1.7       +74 -11    src/sys/net/if_enc.c
>  1.14      +9 -2      src/sys/netipsec/ipsec.h
>  1.20      +21 -2     src/sys/netipsec/ipsec_input.c
>  1.17      +24 -2     src/sys/netipsec/ipsec_output.c
>  1.4       +3 -0      src/sys/netipsec/xform.h
>  1.16      +15 -1     src/sys/netipsec/xform_ipip.c
>

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.