On Netgraph

Eugene Grosbein eugen at grosbein.net
Wed May 27 11:20:57 UTC 2020


27.05.2020 15:06, Tom Marcoen wrote:

> Hey all,
> 
> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> to me!) so bear with me, please.
> 
> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> I was looking at some of the examples provided in
> /usr/share/examples/netgraph and now have the following question.
> The udp.tunnel example shows an iface point-to-point connection but it is
> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> or tunnel it through SSH, but I was wondering whether there exists a nice
> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> traffic on the inside hook and sending out encrypted traffic on the outside
> hook.

There is an ng_mppc(4) netgraph node capable of performing relatively weak MPPE encryption
(and/or compression), but it is designed to work with the ng_ppp(4) node, which encapsulates IP packets into PPP frames.
I doubt it's very efficient for inter-jail traffic.

Why do you need encryption for inter-jail traffic in the first place?
Encryption is needed for traffic passing over untrusted channels where data interception is possible,
but inter-jail traffic does not leave the kernel at all until it hits the destination jail.



More information about the freebsd-net mailing list