Re: enc0 patch for ipsec
- From: Max Laier <max@xxxxxxxxxxxxxx>
- Date: Fri, 16 Jun 2006 17:35:27 +0200
On Friday 16 June 2006 00:53, Andrew Thompson wrote:
> I have a patch attached that implements the much requested feature of
> packet filtering ipsec connections.
>
> This is a device to expose packets going in/out of ipsec and comes
> from OpenBSD. There are two functions, a bpf tap which has a basic
> header with the SPI number which our current tcpdump knows how to
> display, and handoff to pfil(9) for packet filtering.
>
> The way I have hooked it in is compiling it in with fast_ipsec and
> the extra work is only done when the enc0 interface is created. The
> interface is not created by default so it's a minimal hit, the user
> will need to 'ifconfig enc0 create' in order to activate it. I
> believe the locking is correct so it can be created and destroyed at
> runtime.

I think it should get a "device enc" on its own. Some people might consider
enc(4) to be a security problem so getting it with FAST_IPSEC automatically
isn't preferable.

Other than that, great news. Thanks a lot.

> PRs 98219 and 94829 are requesting this feature.
>
> Andrew
--
/"\  Best regards,                      | mlaier@xxxxxxxxxxx
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News