CVSROOT:	/cvs
Module name:	src
Changes by:	d...@cvs.openbsd.org	2023/08/06 21:43:57

Modified files:
	sys/netinet    : ip_ipsp.c ipsec_input.c 

Log message:
add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use. when sec(4) transmits a packet, it will look up
its list of tdbs to find the right SA to encrypt and send the packet
out with. if an incoming ipsec packet arrives with TDBF_IFACE set,
it's passed to sec(4) to be injected back into the network stack as
if it was received on the sec interface, instead of being reinjected
into the IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints on
sec(4) interfaces. instead you line the interface unit number in the
ipsec config up with the minor number of the sec(4) interfaces. the
peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@