Module Name:	src
Committed By:	knakahara
Date:		Wed Jan 10 11:08:56 UTC 2018

Modified Files:
	src/distrib/sets/lists/man: mi
	src/share/man/man4: Makefile ipsec.4
Added Files:
	src/share/man/man4: ipsecif.4

Log Message:
add ipsec(4) interface man as ipsecif.4.

To generate a diff of this commit:
cvs rdiff -u -r1.1569 -r1.1570 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.649 -r1.650 src/share/man/man4/Makefile
cvs rdiff -u -r1.41 -r1.42 src/share/man/man4/ipsec.4
cvs rdiff -u -r0 -r1.1 src/share/man/man4/ipsecif.4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/distrib/sets/lists/man/mi diff -u src/distrib/sets/lists/man/mi:1.1569 src/distrib/sets/lists/man/mi:1.1570 --- src/distrib/sets/lists/man/mi:1.1569 Tue Jan 9 03:31:14 2018 +++ src/distrib/sets/lists/man/mi Wed Jan 10 11:08:55 2018 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1569 2018/01/09 03:31:14 christos Exp $ +# $NetBSD: mi,v 1.1570 2018/01/10 11:08:55 knakahara Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -1329,6 +1329,7 @@ ./usr/share/man/cat4/ipnat.0 man-ipf-catman ipfilter,.cat ./usr/share/man/cat4/ippp.0 man-sys-catman .cat ./usr/share/man/cat4/ipsec.0 man-sys-catman .cat +./usr/share/man/cat4/ipsecif.0 man-sys-catman .cat ./usr/share/man/cat4/ipw.0 man-sys-catman .cat ./usr/share/man/cat4/irda.0 man-sys-catman .cat ./usr/share/man/cat4/irframe.0 man-sys-catman .cat @@ -4428,6 +4429,7 @@ ./usr/share/man/html4/ipnat.html man-ipf-htmlman ipfilter,html ./usr/share/man/html4/ippp.html man-sys-htmlman html ./usr/share/man/html4/ipsec.html man-sys-htmlman html +./usr/share/man/html4/ipsecif.html man-sys-htmlman html ./usr/share/man/html4/ipw.html man-sys-htmlman html ./usr/share/man/html4/irda.html man-sys-htmlman html ./usr/share/man/html4/irframe.html man-sys-htmlman html @@ -7365,6 +7367,7 @@ ./usr/share/man/man4/ipnat.4 man-sys-man ipfilter,.man ./usr/share/man/man4/ippp.4 man-sys-man .man ./usr/share/man/man4/ipsec.4 man-sys-man .man +./usr/share/man/man4/ipsecif.4 man-sys-man .man ./usr/share/man/man4/ipw.4 man-sys-man .man ./usr/share/man/man4/irda.4 man-sys-man .man ./usr/share/man/man4/irframe.4 man-sys-man .man Index: src/share/man/man4/Makefile diff -u src/share/man/man4/Makefile:1.649 src/share/man/man4/Makefile:1.650 --- src/share/man/man4/Makefile:1.649 Fri Dec 29 08:15:21 2017 +++ src/share/man/man4/Makefile Wed Jan 10 11:08:55 2018 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.649 2017/12/29 08:15:21 kre Exp $ +# $NetBSD: Makefile,v 1.650 2018/01/10 11:08:55 knakahara Exp $ # @(#)Makefile 8.1 (Berkeley) 6/18/93 MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \ @@ -141,7 +141,7 @@ MAN += sbt.4 sdhc.4 sdmmc.4 MAN += hil.4 hilkbd.4 hilid.4 hilms.4 # IPv6/IPsec -MAN+= faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4 stf.4 +MAN+= faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4 ipsecif.4 stf.4 # ISDN devices MAN+= daic.4 isdntrc.4 isdntel.4 isdnbchan.4 ippp.4 irip.4 isdnctl.4 isdn.4 \ Index: src/share/man/man4/ipsec.4 diff -u src/share/man/man4/ipsec.4:1.41 src/share/man/man4/ipsec.4:1.42 --- src/share/man/man4/ipsec.4:1.41 Sun May 21 09:13:46 2017 +++ src/share/man/man4/ipsec.4 Wed Jan 10 11:08:55 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: ipsec.4,v 1.41 2017/05/21 09:13:46 wiz Exp $ +.\" $NetBSD: ipsec.4,v 1.42 2018/01/10 11:08:55 knakahara Exp $ .\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -35,6 +35,10 @@ .Nm ipsec .Nd IP security protocol .Sh DESCRIPTION +This manual pages describes the IPSEC. +For the network device driver please see +.Xr ipsecif 4 . +.Pp .Nm is a security protocol in the Internet Protocol (IP) layer. .Nm @@ -281,6 +285,7 @@ routines from looking into IP payload. .Xr ipsec_set_policy 3 , .Xr fast_ipsec 4 , .Xr icmp6 4 , +.Xr ipsecif 4 , .Xr intro 4 , .Xr ip6 4 , .Xr racoon 8 , Added files: Index: src/share/man/man4/ipsecif.4 diff -u /dev/null src/share/man/man4/ipsecif.4:1.1 --- /dev/null Wed Jan 10 11:08:56 2018 +++ src/share/man/man4/ipsecif.4 Wed Jan 10 11:08:55 2018 
@@ -0,0 +1,148 @@ +.\" $NetBSD: ipsecif.4,v 1.1 2018/01/10 11:08:55 knakahara Exp $ +.\" +.\" Copyright (C) 2017 Internet Initiative Japan Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the project nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd December 22, 2017 +.Dt IPSECIF 4 +.Os +.Sh NAME +.Nm ipsec +.Nd ipsec interface +.Sh SYNOPSIS +.Cd "pseudo-device ipsecif" +.Sh DESCRIPTION +The +.Nm +is similar to +.Xr gif 4 +over +.Xr ipsec 4 +transport mode. +.Xr gif 4 +over +.Xr ipsec 4 +transport mode are managed by userland programs. 
In contrast, +.Nm +manages its security policies by itself, that is, when user sets +.Nm +tunnel source and destination address pair, the related security policies +are created automatically in kernel. Therefore, the security policies of +.Nm +are added/deleted atomically. It also means +.Nm +ensures both of in and out security policy pair exist, that is, +.Nm +avoids the troubles which is caused by only one of in and out security +policy pair exists. +.Pp +There is four security policies generated by +.Nm , +that is, in and out pair for each IPv4 and IPv6. Here is +.Xr ipsec.conf 5 +which is the same meaing as that security policies. +.Bd -literal +spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique; +spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique; +spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique; +spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique; +.Ed +.Pp +Therefore, +.Nm +configuration will fail if you already add such security policies, and +vice versa. +.Pp +The related security associates can be established by IKE daemon such as +.Xr racoon 8 . +They can also be manipulated manually by +.Xr setkey 8 +with -u option which we set security policy's unique#. +.Pp +Some if_flags change +.Nm +befavior. IFF_LINK0 can enable Network Address Translator traversal, +IFF_LINK1 can enable ECN friendly mode like +.Xr gif 4 , +and IFF_LINK2 can enable forwarding inner IPv6 packets. +Only IFF_LINK2 is set by default. If you use only IPv4 packets as +inner packets, you would want to unset IFF_LINK2 to reduce security +associates for IPv6 packets. 
+ +.Sh EXAMPLES +Configuration example: +.Bd -literal +Host X--NetBSD A ----------------tunnel---------- NetBSD B------Host E + \\ | + \\ / + +-----Router B--------Router C---------+ +.Ed +.Pp +On +.Nx +system A +.Bd -literal +# ifconfig wm0 inet 192.168.0.1/24 +# ifconfig ipsec0 create +# ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2 +# ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1 +start IKE daemon or set security associates manually. +# ifconfig wm1 inet 10.100.0.1/24 +# route add 10.200.0.1 172.16.100.1 +.Ed +.Pp +On +.Nx +system B +.Bd -literal +# ifconfig wm0 inet 192.168.0.2/24 +# ifconfig ipsec0 create +# ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1 +# ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1 +start IKE daemon or set security associates manually. +# ifconfig wm1 inet 10.200.0.1/24 +# route add 10.100.0.1 172.16.200.1 +.Ed +.Pp +.Sh SEE ALSO +.Xr inet 4 , +.Xr inet6 4 , +.Xr ipsec 4 , +.Xr gif 4 , +.Xr ifconfig 8 , +.Xr setkey 8 +.Sh HISTORY +The +.Nm +device first appeared in +.Nx 8.0 . +.Sh LIMITATIONS +Currently, the +.Nm +interface supports esp protocol only. +.Nm +does not support Network Address Translator traversal(NAT-T).
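Review bot: the added sentence `+This manual pages describes the IPSEC.` in the ipsec.4 DESCRIPTION hunk (@@ -35,6 +35,10 @@) has a number-agreement error and an unusual spelling of the protocol name; suggest `This manual page describes IPsec.` and, on the following line, `For the network device driver, see` so the `.Xr ipsecif 4 .` cross-reference reads as one ordinary mdoc sentence. It would also help the reader to say in that paragraph what the split is (the protocol and its policies here, the tunnel pseudo-interface in ipsecif(4)), since that is the reason the new page exists.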
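Review bot: the new `+.Xr ipsecif 4 ,` in the ipsec.4 SEE ALSO hunk (@@ -281,6 +285,7 @@) is inserted between icmp6 and intro, but the existing section 4 entries are alphabetical (fast_ipsec, icmp6, intro, ip6), so it belongs after `.Xr ip6 4 ,`; mandoc -Tlint reports out-of-order Xr entries in SEE ALSO.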
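Review bot: the new ipsecif.4 (hunk @@ -0,0 +1,148 @@) contradicts itself on NAT traversal: the if_flags paragraph says `IFF_LINK0 can enable Network Address Translator traversal`, while LIMITATIONS says the interface `does not support Network Address Translator traversal(NAT-T)`; one of the two must be corrected (or the LINK0 text should say the flag is accepted but not yet functional), because a reader who trusts the first will configure a tunnel through a NAT that then silently fails. Wording to fix before commit: "security associates" should be "security associations" (the RFC 4301 term, abbreviated SA) throughout, `transport mode are managed by userland programs` should read `is managed`, `There is four security policies` should read `There are four`, and `meaing` and `befavior` are typos; the sentence `avoids the troubles which is caused by only one of in and out security policy pair exists` would read more clearly as "avoids the problems caused when only one policy of an in/out pair exists". In NAME, `.Nm ipsec` does not match `.Dt IPSECIF 4` or `.Cd "pseudo-device ipsecif"`; please state in DESCRIPTION that the pseudo-device is ipsecif and the instances are named ipsecN, which is what the EXAMPLES section's `ifconfig ipsec0 create` shows. mdoc cleanups: drop the blank source line before `.Sh EXAMPLES` and the `.Pp` directly before `.Sh SEE ALSO` (both are mandoc lint warnings), write `-u option` as `.Fl u`, order SEE ALSO alphabetically (gif before inet), and bump `.Dd December 22, 2017` to the commit date. In EXAMPLES, `route add 10.200.0.1 172.16.100.1` installs only a host route to router B's wm1 address; Host E presumably sits on 10.200.0.0/24 (B configures `wm1 inet 10.200.0.1/24`), so a network route such as `route add -net 10.200.0.0/24 ...`, with the mirror on system B, is what makes the diagram's end-to-end path work.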