enc0 patch for ipsec
Max Laier
max at love2party.net
Fri Jun 16 15:35:36 UTC 2006
On Friday 16 June 2006 00:53, Andrew Thompson wrote:
> I have a patch attached that implements the much requested feature of
> packet filtering ipsec connections.
>
> This is a device to expose packets going in/out of ipsec and comes
> from OpenBSD. There are two functions, a bpf tap which has a basic
> header with the SPI number which our current tcpdump knows how to
> display, and handoff to pfil(9) for packet filtering.
>
> The way I have hooked it in is compiling it in with fast_ipsec and
> the extra work is only done when the enc0 interface is created. The
> interface is not created by default so it's a minimal hit, the user
> will need to 'ifconfig enc0 create' in order to activate it. I
> believe the locking is correct so it can be created and destroyed at
> runtime.
I think it should get a "device enc" on its own. Some people might consider
enc(4) to be a security problem so getting it with FAST_IPSEC automatically
isn't preferable.
Other than that, great news. Thanks a lot.
> PRs 98219 and 94829 are requesting this feature.
>
>
>
> Andrew
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News