Subject: Re: PF for netbsd
To: None <tech-net@netbsd.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 06/28/2003 08:22:48
	this is what i've done so far.  of course you can put a more complex
	PF rule for tagging.  it basically eliminates code duplication between the
	ipsec policy engine (which is essentially a packet filter) and PF
	(or ipf, if it starts supporting tagging).

itojun

------- Forwarded Message

To: snap-users@kame.net
From: itojun@iijlab.net
Date: Sat, 28 Jun 2003 08:15:18 +0900
Message-Id: <20030627231518.6B57993@coconut.itojun.org>
Reply-To: snap-users@kame.net
Subject: (KAME-snap 7878) PF tag and IPsec - usage example
Errors-To: owner-snap-users@kame.net
Sender: owner-snap-users@kame.net

	on kame/netbsd we have integrated PF (from openbsd) and KAME
	IPsec policy lookup engine (by using PF tags).
	here's a simple example which demonstrates its use.

itojun


1. setup policy like below:

# setkey -c <<EOF
spdadd tagged "ssh" -P in ipsec esp/transport//use;
spdadd 127.0.0.1 127.0.0.1 -P in ipsec esp/transport//require;
EOF

(for traffic tagged with "ssh", ipsec is not mandatory; otherwise, ipsec is
mandatory)

2. setup pfkey like below:

# pfctl -e
# pfctl -f -
pass in on lo0 proto tcp from any to any port = ssh keep state tag ssh 
pass out on lo0 proto tcp from any to any port = ssh keep state tag ssh 
^D

(tag ssh traffic with "ssh")

3.
now, "telnet 127.0.0.1 25" will be banned, as the response packet is not
IPsec protected (there's no SA).  "telnet 127.0.0.1 22" will be okay, as
it will be tagged with "ssh".

4. caveat
on the outbound path, the order is (1) ipsec policy lookup (2) packet filtering,
therefore tags attached on the outbound path are not usable by the outbound ipsec policy.
(for a router, tagging on the inbound interface -> policy on the outgoing side would be
very useful, i think)

------- End of Forwarded Message
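The following is an added example, not code from itojun, KAME or NetBSD: a small Python model of the interaction the post describes between PF tags and the IPsec SPD, so the behaviour of steps 1-3 and the ordering caveat in step 4 can be traced without a KAME kernel. The class and function names (Packet, SpdEntry, PfRule, deliver, transmit, forward, demo_*) and the 192.0.2.x/198.51.100.x addresses in the router case are constructed for illustration; the SPD is modelled as a first-match list in insertion order, and PF as "pass everything, attach the tag of the first matching rule", both of which are modelling assumptions.

```python
# Added example (not KAME/NetBSD code): model of PF tagging vs. IPsec SPD lookup.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    esp: bool = False          # True if an SA protected this packet
    tag: Optional[str] = None  # PF tag carried along with the packet (mbuf)


@dataclass
class SpdEntry:
    """One 'spdadd' line: either tagged "x" or a src/dst pair, plus a level."""
    direction: str             # "in" / "out"   (-P in / -P out)
    level: str                 # "use" / "require"
    tag: Optional[str] = None  # spdadd tagged "ssh" ...
    src: Optional[str] = None  # spdadd 127.0.0.1 127.0.0.1 ...
    dst: Optional[str] = None

    def matches(self, p: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        if self.tag is not None:
            return p.tag == self.tag
        return p.src == self.src and p.dst == self.dst


@dataclass
class PfRule:
    """One 'pass <dir> on lo0 proto tcp ... port = N keep state tag T' rule."""
    direction: str
    proto: str
    dport: int
    tag: str


def pf_filter(rules: List[PfRule], p: Packet, direction: str) -> None:
    """PF: the first matching pass rule attaches its tag to the packet.
    Modelling assumption: every packet is otherwise passed."""
    for r in rules:
        if r.direction == direction and r.proto == p.proto and r.dport == p.dport:
            p.tag = r.tag
            return


def ipsec_policy_ok(spd: List[SpdEntry], p: Packet, direction: str) -> bool:
    """SPD lookup, first match in insertion order (modelling assumption).
    use     : cleartext is acceptable when there is no SA -> accept.
    require : accept only if the packet was ESP-protected.
    no match: no policy applies -> accept."""
    for e in spd:
        if e.matches(p, direction):
            return e.level == "use" or p.esp
    return True


def deliver(p: Packet, pf_rules, spd) -> str:
    """Inbound path: PF (tagging) runs first, then the IPsec policy check,
    so tags ARE visible to the inbound policy."""
    pf_filter(pf_rules, p, "in")
    return "pass" if ipsec_policy_ok(spd, p, "in") else "drop"


def transmit(p: Packet, pf_rules, spd) -> str:
    """Outbound path (the caveat): policy lookup first, then PF, so a tag from
    a 'pass out ... tag' rule is not yet on the packet during the lookup."""
    ok = ipsec_policy_ok(spd, p, "out")
    pf_filter(pf_rules, p, "out")
    return "pass" if ok else "drop"


def forward(p: Packet, pf_rules, spd) -> str:
    """Router case: tag on the inbound interface, then the outbound policy
    lookup sees that tag because it travels with the packet."""
    pf_filter(pf_rules, p, "in")
    ok = ipsec_policy_ok(spd, p, "out")
    pf_filter(pf_rules, p, "out")
    return "pass" if ok else "drop"


# The post's configuration (steps 1 and 2), transcribed into the model.
SPD = [
    SpdEntry("in", "use", tag="ssh"),
    SpdEntry("in", "require", src="127.0.0.1", dst="127.0.0.1"),
]
PF_RULES = [PfRule("in", "tcp", 22, "ssh"), PfRule("out", "tcp", 22, "ssh")]


def demo_step3():
    """telnet 127.0.0.1 25 vs. telnet 127.0.0.1 22, no SA installed."""
    smtp = Packet("127.0.0.1", "127.0.0.1", "tcp", 25)
    ssh = Packet("127.0.0.1", "127.0.0.1", "tcp", 22)
    return deliver(smtp, PF_RULES, SPD), deliver(ssh, PF_RULES, SPD)


def demo_caveat():
    """Same idea with -P out policies: the 'pass out ... tag ssh' rule cannot
    exempt the ssh packet, because PF runs after the outbound SPD lookup."""
    spd_out = [SpdEntry("out", "use", tag="ssh"),
               SpdEntry("out", "require", src="127.0.0.1", dst="127.0.0.1")]
    return transmit(Packet("127.0.0.1", "127.0.0.1", "tcp", 22), PF_RULES, spd_out)


def demo_router():
    """Forwarded traffic (constructed addresses): the inbound-interface tag
    is visible to the outbound policy, so ssh passes and smtp is dropped."""
    spd_out = [SpdEntry("out", "use", tag="ssh"),
               SpdEntry("out", "require", src="192.0.2.1", dst="198.51.100.1")]
    ssh = Packet("192.0.2.1", "198.51.100.1", "tcp", 22)
    smtp = Packet("192.0.2.1", "198.51.100.1", "tcp", 25)
    return forward(ssh, PF_RULES, spd_out), forward(smtp, PF_RULES, spd_out)
```

demo_step3() reproduces step 3 (port 25 dropped for lack of an SA, port 22 passed via the "ssh" tag); demo_caveat() shows why an outbound tag cannot exempt traffic from an outbound policy; demo_router() shows the inbound-tag, outbound-policy combination the caveat calls useful.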