Support for the enc(4) pseudo-interface

Marin Bernard lists at olivarim.com
Mon Mar 20 14:08:56 UTC 2017


Sorry for the noise: the webmail ate my message. Here is the full version:

Hi all,

I set up IPsec between several FreeBSD 11-RELEASE hosts. IKEv2 is managed by 
security/openiked.

I use pf to filter the traffic, and the rulesets include several references 
to the enc0 pseudo-interface, which allow inbound traffic filtering 
*after* IPsec decryption. So far, the whole configuration works fine.

I noticed that the enc0 pseudo-interface was not shown in the output of the 
`ifconfig` command, whereas it is on OpenBSD. AFAIK, the GENERIC kernel 
does not include the enc pseudo-device, since I could not find a "device 
enc" line in the kernel config file. The lack of such a device would 
explain why it is not manageable as a network interface, and why 
`ifconfig enc0 create` fails.

Yet, it appears that pf is able to handle references to enc(4) in its ruleset 
even if the kernel does not support it. Is it expected behaviour? Is it 
safe to use such a configuration on a production machine?

Thanks,

Marin.

20 March 2017 14:20 "Marin Bernard" wrote:

>  Hi all, 
>  
>  I've just set up IPsec between two FreeBSD 11-RELEASE hosts with security/openiked. 
>  
>  
>  _______________________________________________ 
>  freebsd-pf at freebsd.org mailing list 
>  https://lists.freebsd.org/mailman/listinfo/freebsd-pf 
>  To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org" 
>  
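For readers following the set-up described above, here is an added pf.conf fragment (not from the original post, the poster's ruleset, or openiked) showing the split the post relies on: IKE and ESP are admitted on the physical interface, while policy on the cleartext is written against enc0, where pf sees the packet after decryption (inbound) and before encryption (outbound). The interface name em0, the peer address 198.51.100.2 and the two protected networks are placeholders chosen for the example.

```pf
# Added example; assumes em0 is the external interface, 198.51.100.2 is the
# IKEv2 peer (RFC 5737 documentation address) and the 10.1/10.2 networks are
# the local and remote protected subnets. Adjust to the real topology.
ext_if     = "em0"
peer       = "198.51.100.2"
local_net  = "10.1.0.0/24"
remote_net = "10.2.0.0/24"

set skip on lo0
block all

# Control plane and ciphertext on the physical interface:
# IKEv2 on UDP 500 (4500 when NAT-T is in play) and ESP, peer-restricted.
pass in  on $ext_if proto udp from $peer      to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if)  to $peer     port { 500, 4500 }
pass in  on $ext_if proto esp from $peer      to ($ext_if)
pass out on $ext_if proto esp from ($ext_if)  to $peer

# Cleartext policy on enc0. Inbound rules here match the packet only after
# IPsec has authenticated and decrypted it, so the source address can be
# trusted to the extent the SA with $peer can. Keep this list narrow.
pass in  on enc0 proto tcp from $remote_net to $local_net port { 22, 443 }
pass out on enc0 from $local_net to $remote_net

# If enc(4) is not present in the kernel, the two rules above are still
# accepted by pfctl but never match any packet: a rule on an interface that
# does not exist is not a syntax error. Verify before trusting them.
```

Two checks are worth running after loading this: `pfctl -s Interfaces` lists the interfaces pf currently knows, and enc0 should be among them; and `pfctl -v -s rules` prints per-rule evaluation and packet counters, so the enc0 rules should show non-zero packet counts once traffic has crossed the tunnel. On FreeBSD the enc(4) interface is provided by the if_enc module (`kldload if_enc`) when it is not compiled into the kernel, and its inbound/outbound filtering is controlled by the net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask sysctls described in enc(4).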