Date:      Sun, 5 Aug 2007 16:30:05 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sbin/ipfw ipfw.8 src/share/man/man4 ipsec.4  src/sys/conf NOTES options src/sys/netinet ip_input.c ip_ipsec.c  ip_ipsec.h src/sys/netinet6 ip6_ipsec.c ip6_ipsec.h
Message-ID:  <20070805161921.P87821@maildrop.int.zabbadoz.net>
In-Reply-To: <200708051616.l75GGGe4018242@repoman.freebsd.org>
References:  <200708051616.l75GGGe4018242@repoman.freebsd.org>

On Sun, 5 Aug 2007, Bjoern A. Zeeb wrote:

> bz          2007-08-05 16:16:15 UTC
>
>  FreeBSD src repository
>
>  Modified files:
>    sbin/ipfw            ipfw.8
>    share/man/man4       ipsec.4
>    sys/conf             NOTES options
>    sys/netinet          ip_input.c ip_ipsec.c ip_ipsec.h
>    sys/netinet6         ip6_ipsec.c ip6_ipsec.h
>  Log:
>  Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
>  Also rename the related functions in a similar way.
>  There are no functional changes.
>
>  For a packet coming in with IPsec tunnel mode, the default is
>  to only call into the firewall with the "outer" IP header and
>  payload.
>
>  With this option turned on, in addition to the "outer" parts,
>  the "inner" IP header and payload are passed to the
>  firewall too when going through ip_input() the second time.
>
>  The option was never only related to a gif(4) tunnel within
>  an IPsec tunnel and thus the name was very misleading.
>
>  Discussed at:                   BSDCan 2007
>  Best new name suggested by:     rwatson
>  Reviewed by:                    rwatson
>  Approved by:                    re (bmah)
>
>  Revision  Changes    Path
>  1.203     +2 -2      src/sbin/ipfw/ipfw.8
>  1.22      +3 -3      src/share/man/man4/ipsec.4
>  1.1448    +4 -4      src/sys/conf/NOTES
>  1.604     +1 -1      src/sys/conf/options
>  1.331     +1 -1      src/sys/netinet/ip_input.c
>  1.7       +3 -3      src/sys/netinet/ip_ipsec.c
>  1.2       +1 -1      src/sys/netinet/ip_ipsec.h
>  1.6       +3 -3      src/sys/netinet6/ip6_ipsec.c
>  1.2       +1 -1      src/sys/netinet6/ip6_ipsec.h


For netinet6 you will find the "helper" functions which are still
unused. ip6_input() will need the same check that ip_input() has
if we want feature parity with legacy IP (being able to not filter on
the "inner" header/payload from an IPsec tunnel mode).

I am unsure why it's not yet there. Anyone know a reason other than
"just missing"?


-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.

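As an added illustration (not code from this commit or from the FreeBSD kernel), a small C model of the behaviour the log describes: an IPsec tunnel-mode packet passes through the firewall once as the "outer" packet, is decapsulated, and re-enters ip_input(); whether the "inner" packet is filtered on that second pass depends on the IPSEC_FILTERTUNNEL option. The `struct pkt`, the `from_tunnel` flag and `firewall_passes()` are constructed for the model.

```c
/* Constructed model of the IPSEC_FILTERTUNNEL decision; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

/* Constructed packet: an outer IP header carrying ESP, with the inner datagram inside. */
struct pkt {
    const char *src, *dst;
    bool esp;                 /* outer packet carries an ESP tunnel-mode payload */
    bool from_tunnel;         /* set when this packet was produced by IPsec decapsulation */
    const struct pkt *inner;  /* decapsulated datagram, if any */
};

/* Stand-in for the firewall hook: counts how many IP headers the firewall saw. */
static int fw_calls;
static void firewall(const struct pkt *p) { (void)p; fw_calls++; }

/*
 * Stand-in for the ip_ipsec_filtertunnel() check: with the option off, a
 * packet that came out of an IPsec tunnel skips the firewall (the outer
 * packet already passed it); with the option on, it is filtered again.
 */
static bool skip_firewall(const struct pkt *p, bool opt_filtertunnel)
{
    return p->from_tunnel && !opt_filtertunnel;
}

/* Model of ip_input(): firewall, then decapsulate and re-enter for the inner packet. */
static void ip_input_model(const struct pkt *p, bool opt_filtertunnel)
{
    if (!skip_firewall(p, opt_filtertunnel))
        firewall(p);
    if (p->esp && p->inner != NULL) {
        struct pkt in = *p->inner;
        in.from_tunnel = true;                 /* IPsec marks the decapsulated packet */
        ip_input_model(&in, opt_filtertunnel); /* second pass through ip_input() */
    }
}

/* Number of firewall invocations for one tunnel-mode packet under the given option. */
int firewall_passes(bool opt_filtertunnel)
{
    /* Constructed addresses from documentation ranges. */
    static const struct pkt inner = { "10.0.1.5", "10.0.2.7", false, false, NULL };
    static const struct pkt outer = { "192.0.2.1", "198.51.100.1", true, false, &inner };
    fw_calls = 0;
    ip_input_model(&outer, opt_filtertunnel);
    return fw_calls;
}
```

With the option off the firewall sees only the outer header (one pass); with it on, the inner header and payload are filtered as well (two passes).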