On Wed, 28 Nov 2007, Bjoern A. Zeeb wrote:

bz          2007-11-28 22:33:53 UTC

 FreeBSD src repository

 Modified files:
   sys/net              if_enc.c
   sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c
                        xform.h xform_ipip.c
 Log:
 Add sysctls to if_enc(4) to control whether the firewalls or
 bpf will see inner and outer headers or just inner or outer
 headers for incoming and outgoing IPsec packets.

 This is useful in bpf to not have overly long lines for debugging
 or selecting packets based on the inner headers.
 It also properly defines the behavior of what the firewalls see.

That is not fully true at this point.

I'll flip the defaults of the sysctls in a few weeks. The same time
I'll remove the if (prot != IPPROTO_IPIP) checks.

People who want to pass those packets to pfil after that, can then
use ipencap on enc0 in pf, for example.
 Last but not least it gives you if_enc(4) for IPv6 as well.

 [ As some auxiliary state was not available in the later
   input path we save it in the tdbi. That way tcpdump can give a
   consistent view of either of (authentic,confidential) for both
   before and after states. ]

 Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
 Reviewed by:    thompsa, gnn

 Revision  Changes    Path
 1.7       +74 -11    src/sys/net/if_enc.c
 1.14      +9 -2      src/sys/netipsec/ipsec.h
 1.20      +21 -2     src/sys/netipsec/ipsec_input.c
 1.17      +24 -2     src/sys/netipsec/ipsec_output.c
 1.4       +3 -0      src/sys/netipsec/xform.h
 1.16      +15 -1     src/sys/netipsec/xform_ipip.c


--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all