svn commit: r242190 - user/andre/tcp_workqueue/sys/netipsec
Andre Oppermann
andre at FreeBSD.org
Sat Oct 27 21:03:30 UTC 2012
Author: andre
Date: Sat Oct 27 21:03:29 2012
New Revision: 242190
URL: http://svn.freebsd.org/changeset/base/242190
Log:
Add ASCII art to ipsec pfil description for better overview.
Modified:
user/andre/tcp_workqueue/sys/netipsec/ipsec_pfil.c
Modified: user/andre/tcp_workqueue/sys/netipsec/ipsec_pfil.c
==============================================================================
--- user/andre/tcp_workqueue/sys/netipsec/ipsec_pfil.c Sat Oct 27 20:17:59 2012 (r242189)
+++ user/andre/tcp_workqueue/sys/netipsec/ipsec_pfil.c Sat Oct 27 21:03:29 2012 (r242190)
@@ -94,6 +94,41 @@ extern struct protosw inetsw[];
* tunnel have to be made.
* This should be represented as virtual interfaces in the kernel.
*
+ *
+ * + +--------------------------------------+ip_enqueue()
+ * | | ^
+ * v v |
+ * ip_input() |
+ * + |
+ * | |
+ * v |
+ * pfil_run_hooks()+---+ |
+ * | |
+ * v |
+ * ipsec_pfil_run()+------>AH|ESP? |
+ * + + + |
+ * | no | | yes |
+ * | policy?<----+ | |
+ * | + + | |
+ * | no | | yes | |
+ * |<-----+ | v |
+ * | | verify/decrypt |
+ * | | no + + |
+ * | X------+ | |
+ * | drop v |
+ * | next_hdr |
+ * | + + |
+ * | other | | ip +
+ * |<------------------+ +------>find_if()
+ * |
+ * v
+ * next_pfil_hook()
+ * v +
+ * | |
+ * |<------------+
+ * |
+ * v
+ *
* Next steps:
* - Implement 1 in a pfil hook to block non-encrypted packets.
* - Implement 2 in a pfil hook to in-path transform transport mode packets.
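Review bot: The drop node (`X`, `drop`) in the added diagram is reached by a bare "no" next to verify/decrypt, and the yes/no edges out of `policy?` do not say which outcome lets a non-AH/ESP packet continue to next_pfil_hook(). Since this comment documents which packets get blocked, label each edge into the drop node with its cause, such as verification failure or a cleartext packet that matches a policy. Two smaller points: the hunk starts with a second empty ` *` line directly after the existing one, and ip_enqueue() and find_if() are used in the diagram but not explained in the visible comment text. A short legend covering those two names and the meaning of the `+` junctions would make the flow readable without the source open.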