Date: Wed, 27 May 2020 18:20:29 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Tom Marcoen <tom.marcoen@gmail.com>, freebsd-net@freebsd.org
Subject: Re: On Netgraph
Message-ID: <d5c2b323-66a6-d88e-91d5-f697aa4fdefe@grosbein.net>
In-Reply-To: <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>
References: <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>
27.05.2020 15:06, Tom Marcoen wrote:

> Hey all,
>
> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> to me!) so bear with me, please.
>
> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> I was looking at some of the examples provided in
> /usr/share/examples/netgraph and now have the following question.
> The udp.tunnel example shows an iface point-to-point connection but it is
> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> or tunnel it through SSH, but I was wondering whether there exists a nice
> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> traffic on the inside hook and sending out encrypted traffic on the outside
> hook.

There is an ng_mppc(4) netgraph node capable of performing relatively weak MPPE encryption (and/or compression), but it is designed to work with the ng_ppp(4) node encapsulating IP packets into PPP frames. I doubt it's very efficient for inter-jail traffic.

Why do you need encryption for inter-jail traffic in the first place? Encryption is needed for traffic passing through untrusted channels where data interception is possible, but inter-jail traffic does not leave the kernel at all until it hits the destination jail.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d5c2b323-66a6-d88e-91d5-f697aa4fdefe>