On Friday 16 June 2006 00:53, Andrew Thompson wrote:
> I have a patch attached that implements the much requested feature of
> packet filtering ipsec connections.
>
> This is a device to expose packets going in/out of ipsec and comes
> from OpenBSD. There are two functions, a bpf tap which has a basic
> header with the SPI number which our current tcpdump knows how to
> display, and handoff to pfil(9) for packet filtering.
>
> The way I have hooked it in is compiling it in with fast_ipsec and
> the extra work is only done when the enc0 interface is created. The
> interface is not created by default so it's a minimal hit, the user
> will need to 'ifconfig enc0 create' in order to activate it. I
> believe the locking is correct so it can be created and destroyed at
> runtime.

I think it should get a "device enc" on its own. Some people might
consider enc(4) to be a security problem so getting it with FAST_IPSEC
automatically isn't preferable. Other than that, great news. Thanks a lot.

> PRs 98219 and 94829 are requesting this feature.
>
> Andrew

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News