Re: RFC: ipsec(4) pseudo interface

[christos%astron.com@localhost (Christos Zoulas)]

In article <02c36311-2fcd-08cf-cc71-b472e7c01be9%iij.ad.jp@localhost>,
Kengo NAKAHARA  <k-nakahara%iij.ad.jp@localhost> wrote:
>Hi,
>
>We implement ipsec(4) pseudo interface for route-based VPNs. This pseudo
>interface manages its security policy(SP) by itself, in particular, we do
>    # ifconfig ipsec0 tunnel 10.0.0.1 10.0.0.2
>the SPs "10.0.0.1 -> 10.0.0.2"(out) and "10.0.0.2 -> 10.0.0.1"(in) are
>generated automatically and atomically. And then, when we do
>    # ifconfig ipsec0 deletetunnel
>the SPs are destroyed automatically and atomically, too.
>
>Here is the patches and an unified patch.
>    http://netbsd.org/~knakahara/if_ipsec/if_ipsec.tgz
>    http://netbsd.org/~knakahara/if_ipsec/if_ipsec-unified.patch
>
>By the way, I have one question. In the above patch(s), I temporarily add
>manual for ipsecX pseudo interface as if_ipsec.4, because there is already
>ipsec.4 for general ipsec protocol. How should I add the man of ipsec(4)
>pseudo interface?
>    (a) Add if_ipsec.4
>    (b) move current ipsec.4(for ipsec protocol) to ipsec.9, and then
>        add ipsec.4(for ipsec pseudo interface)
>    (c) any other
>
>Could you comment the patch or the question?

I've wanted this feature for a long time! Looks ok to me, but the
sockaddr_copy()/port setting code, should be abstracted to a single
function since it is repeated in ioctl().

christos