From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Wed, 28 Nov 2007 22:39:06 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_enc.c src/sys/netipsec ipsec.h ipsec_input.c ipsec_output.c xform.h xform_ipip.c
Message-ID: <20071128223625.A53707@maildrop.int.zabbadoz.net>
In-Reply-To: <200711282233.lASMXrmm052782@repoman.freebsd.org>
List-Id: CVS commit messages for the src tree

On Wed, 28 Nov 2007, Bjoern A. Zeeb wrote:

> bz          2007-11-28 22:33:53 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/net              if_enc.c
>     sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c
>                          xform.h xform_ipip.c
>   Log:
>   Add sysctls to if_enc(4) to control whether the firewalls or
>   bpf will see inner and outer headers or just inner or outer
>   headers for incoming and outgoing IPsec packets.
>
>   This is useful in bpf to not have overly long lines for debugging
>   or selecting packets based on the inner headers.
>   It also properly defines the behavior of what the firewalls see.

That is not fully true at this point. I'll flip the defaults of the
sysctls in a few weeks. At the same time I'll remove the
if (prot != IPPROTO_IPIP) checks. People who want to pass those
packets to pfil after that can then use ipencap on enc0 in pf, for
example.

>   Last but not least it gives you if_enc(4) for IPv6 as well.
>
>   [ As some auxiliary state was not available in the later
>     input path we save it in the tdbi. That way tcpdump can give a
>     consistent view of either of (authentic,confidential) for both
>     before and after states. ]
>
>   Discussed with:   thompsa (2007-04-25, basic idea of unifying paths)
>   Reviewed by:      thompsa, gnn
>
>   Revision  Changes    Path
>   1.7       +74 -11    src/sys/net/if_enc.c
>   1.14      +9 -2      src/sys/netipsec/ipsec.h
>   1.20      +21 -2     src/sys/netipsec/ipsec_input.c
>   1.17      +24 -2     src/sys/netipsec/ipsec_output.c
>   1.4       +3 -0      src/sys/netipsec/xform.h
>   1.16      +15 -1     src/sys/netipsec/xform_ipip.c

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
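An added example, not part of the commit or of the reply above, of the rule set the reply alludes to: once the IPPROTO_IPIP checks are gone and tunnel-mode packets reach pfil, a pf.conf fragment can pass the IP-in-IP outer packets on enc0 and filter the decapsulated inner traffic separately. The interface name enc0 and the protocol name ipencap are taken from the reply; the addresses and ports are constructed for illustration, and the fragment assumes the if_enc(4) sysctls are left so that both inner and outer headers are handed to the firewall.

```pf
# Illustrative pf.conf fragment (added example; not from the commit or the reply).
# Assumes IPsec traffic is exposed to pfil via enc0 and that the if_enc(4)
# sysctls hand both the outer (IP-in-IP) and the inner packet to the firewall.

# Outer packets: tunnel-mode IPsec shows up as IP-in-IP, protocol 4, which
# /etc/protocols names "ipencap". Let those through explicitly so they are
# not dropped by a default block rule before the inner packet is seen.
pass in  quick on enc0 proto ipencap
pass out quick on enc0 proto ipencap

# Inner packets: these are the decapsulated headers, so ordinary address
# and port rules apply. Sample policy with constructed addresses:
# allow SSH from the remote 10.0.0.0/8 side, refuse cleartext telnet
# over the v6 tunnel. (if_enc(4) now exists for IPv6 as well.)
block in  log on enc0 all
pass  in  on enc0 inet  proto tcp from 10.0.0.0/8 to any port 22
block in  on enc0 inet6 proto tcp from any to any port 23
```

The two `quick` rules for `ipencap` match only the outer header; without them the IP-in-IP packet itself would fall through to the `block in log on enc0 all` rule and never be decapsulated for the inner-header rules below it. Which of the two views the firewall actually gets depends on the sysctl defaults the reply says will still change.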