cvs commit: src/sys/net if_enc.c src/sys/netipsec ipsec.h ipsec_input.c ipsec_output.c xform.h xform_ipip.c
Bjoern A. Zeeb
bz at FreeBSD.org
Wed Nov 28 14:39:42 PST 2007
On Wed, 28 Nov 2007, Bjoern A. Zeeb wrote:
> bz 2007-11-28 22:33:53 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/net if_enc.c
> sys/netipsec ipsec.h ipsec_input.c ipsec_output.c
> xform.h xform_ipip.c
> Log:
> Add sysctls to if_enc(4) to control whether the firewalls or
> bpf will see inner and outer headers or just inner or outer
> headers for incoming and outgoing IPsec packets.
>
> This is useful in bpf to not have overlong lines for debugging
> or selecting packets based on the inner headers.
> It also properly defines the behavior of what the firewalls see.
That is not fully true at this point.
I'll flip the defaults of the sysctls in a few weeks. At the same time
I'll remove the if (prot != IPPROTO_IPIP) checks.
People who want to pass those packets to pfil after that can then
use ipencap on enc0 in pf, for example.
> Last but not least it gives you if_enc(4) for IPv6 as well.
>
> [ As some auxiliary state was not available in the later
> input path we save it in the tdbi. That way tcpdump can give a
> consistent view of either of (authentic,confidential) for both
> before and after states. ]
>
> Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
> Reviewed by: thompsa, gnn
>
> Revision  Changes   Path
> 1.7       +74 -11   src/sys/net/if_enc.c
> 1.14      +9 -2     src/sys/netipsec/ipsec.h
> 1.20      +21 -2    src/sys/netipsec/ipsec_input.c
> 1.17      +24 -2    src/sys/netipsec/ipsec_output.c
> 1.4       +3 -0     src/sys/netipsec/xform.h
> 1.16      +15 -1    src/sys/netipsec/xform_ipip.c
>
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
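The reply above mentions passing the IPIP-encapsulated packets with "ipencap on enc0 in pf" once the defaults are flipped. The following pf.conf fragment is an added illustration of that rule set; it is not part of the commit or of the mail. The sysctl names in its comments (net.enc.in.ipsec_filter_mask and friends) are taken from the enc(4) manual page that later documented this change, not from the text above, and the subnets are constructed for the example.

```pf
# Added example: pf.conf fragment for filtering IPsec traffic on enc0.
# Not part of the original commit or mail. It assumes the post-change
# behaviour the reply describes: once the IPPROTO_IPIP checks are gone,
# a decrypted tunnel-mode packet reaches pfil on enc0 still wrapped in
# its IP-in-IP header, so it has to be admitted as proto ipencap
# (protocol 4) before anything can be decided on the inner headers.
#
# Assumed knobs (names from the later enc(4) manual page, not from the
# mail): net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask
# select whether pfil sees the packet before (0x1) and/or after (0x2)
# IPsec processing; the *_bpf_mask siblings do the same for tcpdump on
# enc0. The inner-header rules below assume the "after" bit is set.

ipsec_net = "10.0.2.0/24"      # constructed: remote tunnel subnet
local_net = "10.0.1.0/24"      # constructed: local subnet behind this host

# pf applies the last matching rule, so start restrictive on enc0 ...
block log on enc0

# ... admit the IP-in-IP shell that wraps the decrypted tunnel payload ...
pass quick on enc0 proto ipencap

# ... and then filter on the inner headers, which is the
# "selecting packets based on the inner headers" case from the log.
pass in  on enc0 inet proto tcp from $ipsec_net to $local_net port { 22, 443 }
pass out on enc0 inet proto tcp from $local_net to $ipsec_net
```

Load it with pfctl -nf to syntax-check before pfctl -f; if the inner-header rules never match while the ipencap rule does, check that the filter mask for the relevant direction includes the after-processing bit.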