Message-Id: <200810051744.m95HiQYX011003@repoman.freebsd.org>
From: "Bjoern A. Zeeb"
Date: Sun, 5 Oct 2008 17:41:46 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: RELENG_7
Subject: cvs commit: src/share/man/man4 enc.4 src/sys/net if_enc.c src/sys/netipsec ipsec.h ipsec_input.c ipsec_output.c xform.h xform_ipip.c

bz          2008-10-05 17:41:46 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_7)
    share/man/man4       enc.4
    sys/net              if_enc.c
    sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c
                         xform.h xform_ipip.c
  Log:
  SVN rev 183630 on 2008-10-05 17:41:46Z by bz

  MFC: rev. 1.7 net/if_enc.c
       rev. 1.14 netipsec/ipsec.h, 1.20 netipsec/ipsec_input.c
       rev. 1.17 netipsec/ipsec_output.c
       rev. 1.4 netipsec/xform.h, 1.16 netipsec/xform_ipip.c
       SVN r174054, 174055

  Add sysctls to if_enc(4) to control whether the firewalls or
  bpf will see inner and outer headers or just inner or outer
  headers for incoming and outgoing IPsec packets.

  This is useful in bpf to not have over long lines for debugging
  or selecting packets based on the inner headers.
  It also properly defines the behavior of what the firewalls see.

  Last but not least it gives you if_enc(4) for IPv6 as well.

  [ As some auxiliary state was not available in the later
    input path we save it in the tdbi. That way tcpdump can give a
    consistent view of either of (authentic,confidential) for both
    before and after states. ]

  Note: The defaults were not changed but you may want to do that.
        See the man page for more details.

  PR:             kern/127785
  Approved by:    re (gnn)

  Revision  Changes    Path
  1.5.2.1   +52 -7     src/share/man/man4/enc.4
  1.6.2.3   +74 -11    src/sys/net/if_enc.c
  1.13.2.2  +9 -2      src/sys/netipsec/ipsec.h
  1.19.2.2  +21 -2     src/sys/netipsec/ipsec_input.c
  1.16.2.3  +24 -2     src/sys/netipsec/ipsec_output.c
  1.3.2.1   +3 -0      src/sys/netipsec/xform.h
  1.15.2.1  +15 -1     src/sys/netipsec/xform_ipip.c