New flag 0x4 can be configured in net.enc.[in|out].ipsec_bpf_mask.
When it is set, if_enc(4) additionally captures a packet via BPF after
invoking the pfil hook. This may be useful for debugging.
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D11804
- added sysctls to if_enc(4) to control whether the firewalls or
bpf will see inner and outer headers or just inner headers
for incoming and outgoing IPsec packets.
- if_enc works with IPv6 now as well.
Reviewed by: brueffer
Merge in parts of the old fast_ipsec.4 man page to ipsec.4 and
start updating ipsec.4 man page.
Reviewed by: brueffer, sam (slightly earlier versions), bmah
Approved by: re (bmah)
encryption. There are two functions, a bpf tap which has a basic header with
the SPI number which our current tcpdump knows how to display, and handoff to
pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month