Source-Changes-HG archive
[src/trunk]: src add ipsec(4) interface man as ipsecif.4.
details: https://anonhg.NetBSD.org/src/rev/6c6194affde0
branches: trunk
changeset: 358627:6c6194affde0
user: knakahara <knakahara%NetBSD.org@localhost>
date: Wed Jan 10 11:08:55 2018 +0000
description:
add ipsec(4) interface man as ipsecif.4.
diffstat:
distrib/sets/lists/man/mi | 5 +-
share/man/man4/Makefile | 4 +-
share/man/man4/ipsec.4 | 7 +-
share/man/man4/ipsecif.4 | 148 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 160 insertions(+), 4 deletions(-)
diffs (231 lines):
diff -r ffa9e8d599e3 -r 6c6194affde0 distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Wed Jan 10 11:06:06 2018 +0000
+++ b/distrib/sets/lists/man/mi Wed Jan 10 11:08:55 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1569 2018/01/09 03:31:14 christos Exp $
+# $NetBSD: mi,v 1.1570 2018/01/10 11:08:55 knakahara Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -1329,6 +1329,7 @@
./usr/share/man/cat4/ipnat.0 man-ipf-catman ipfilter,.cat
./usr/share/man/cat4/ippp.0 man-sys-catman .cat
./usr/share/man/cat4/ipsec.0 man-sys-catman .cat
+./usr/share/man/cat4/ipsecif.0 man-sys-catman .cat
./usr/share/man/cat4/ipw.0 man-sys-catman .cat
./usr/share/man/cat4/irda.0 man-sys-catman .cat
./usr/share/man/cat4/irframe.0 man-sys-catman .cat
@@ -4428,6 +4429,7 @@
./usr/share/man/html4/ipnat.html man-ipf-htmlman ipfilter,html
./usr/share/man/html4/ippp.html man-sys-htmlman html
./usr/share/man/html4/ipsec.html man-sys-htmlman html
+./usr/share/man/html4/ipsecif.html man-sys-htmlman html
./usr/share/man/html4/ipw.html man-sys-htmlman html
./usr/share/man/html4/irda.html man-sys-htmlman html
./usr/share/man/html4/irframe.html man-sys-htmlman html
@@ -7365,6 +7367,7 @@
./usr/share/man/man4/ipnat.4 man-sys-man ipfilter,.man
./usr/share/man/man4/ippp.4 man-sys-man .man
./usr/share/man/man4/ipsec.4 man-sys-man .man
+./usr/share/man/man4/ipsecif.4 man-sys-man .man
./usr/share/man/man4/ipw.4 man-sys-man .man
./usr/share/man/man4/irda.4 man-sys-man .man
./usr/share/man/man4/irframe.4 man-sys-man .man
diff -r ffa9e8d599e3 -r 6c6194affde0 share/man/man4/Makefile
--- a/share/man/man4/Makefile Wed Jan 10 11:06:06 2018 +0000
+++ b/share/man/man4/Makefile Wed Jan 10 11:08:55 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.649 2017/12/29 08:15:21 kre Exp $
+# $NetBSD: Makefile,v 1.650 2018/01/10 11:08:55 knakahara Exp $
# @(#)Makefile 8.1 (Berkeley) 6/18/93
MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
@@ -141,7 +141,7 @@
MAN += hil.4 hilkbd.4 hilid.4 hilms.4
# IPv6/IPsec
-MAN+= faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4 stf.4
+MAN+= faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4 ipsecif.4 stf.4
# ISDN devices
MAN+= daic.4 isdntrc.4 isdntel.4 isdnbchan.4 ippp.4 irip.4 isdnctl.4 isdn.4 \
diff -r ffa9e8d599e3 -r 6c6194affde0 share/man/man4/ipsec.4
--- a/share/man/man4/ipsec.4 Wed Jan 10 11:06:06 2018 +0000
+++ b/share/man/man4/ipsec.4 Wed Jan 10 11:08:55 2018 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipsec.4,v 1.41 2017/05/21 09:13:46 wiz Exp $
+.\" $NetBSD: ipsec.4,v 1.42 2018/01/10 11:08:55 knakahara Exp $
.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -35,6 +35,10 @@
.Nm ipsec
.Nd IP security protocol
.Sh DESCRIPTION
+This manual pages describes the IPSEC.
+For the network device driver please see
+.Xr ipsecif 4 .
+.Pp
.Nm
is a security protocol in the Internet Protocol (IP) layer.
.Nm
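Review bot: the added sentence "This manual pages describes the IPSEC." has a number-agreement error and a non-standard spelling of the protocol name; suggest "This manual page describes IPsec." to match the "IP security protocol" wording used in the .Nd line just above. The pointer to the device driver page is a useful addition, since ipsec(4) and ipsecif(4) now have overlapping names and readers looking for the ipsec0 interface will otherwise land here.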
@@ -281,6 +285,7 @@
.Xr ipsec_set_policy 3 ,
.Xr fast_ipsec 4 ,
.Xr icmp6 4 ,
+.Xr ipsecif 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
.Xr racoon 8 ,
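Review bot: the new ".Xr ipsecif 4 ," line breaks the alphabetical order of the SEE ALSO list; it is inserted between icmp6 and intro but belongs after ".Xr ip6 4 ," (icmp6, intro, ip6, ipsecif). Moving it keeps mandoc -Tlint quiet and matches the ordering convention used elsewhere in this page.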
diff -r ffa9e8d599e3 -r 6c6194affde0 share/man/man4/ipsecif.4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man4/ipsecif.4 Wed Jan 10 11:08:55 2018 +0000
@@ -0,0 +1,148 @@
+.\" $NetBSD: ipsecif.4,v 1.1 2018/01/10 11:08:55 knakahara Exp $
+.\"
+.\" Copyright (C) 2017 Internet Initiative Japan Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd December 22, 2017
+.Dt IPSECIF 4
+.Os
+.Sh NAME
+.Nm ipsec
+.Nd ipsec interface
+.Sh SYNOPSIS
+.Cd "pseudo-device ipsecif"
+.Sh DESCRIPTION
+The
+.Nm
+is similar to
+.Xr gif 4
+over
+.Xr ipsec 4
+transport mode.
+.Xr gif 4
+over
+.Xr ipsec 4
+transport mode are managed by userland programs. In contrast,
+.Nm
+manages its security policies by itself, that is, when user sets
+.Nm
+tunnel source and destination address pair, the related security policies
+are created automatically in kernel. Therefore, the security policies of
+.Nm
+are added/deleted atomically. It also means
+.Nm
+ensures both of in and out security policy pair exist, that is,
+.Nm
+avoids the troubles which is caused by only one of in and out security
+policy pair exists.
+.Pp
+There is four security policies generated by
+.Nm ,
+that is, in and out pair for each IPv4 and IPv6. Here is
+.Xr ipsec.conf 5
+which is the same meaing as that security policies.
+.Bd -literal
+spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
+spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
+spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
+spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;
+.Ed
+.Pp
+Therefore,
+.Nm
+configuration will fail if you already add such security policies, and
+vice versa.
+.Pp
+The related security associates can be established by IKE daemon such as
+.Xr racoon 8 .
+They can also be manipulated manually by
+.Xr setkey 8
+with -u option which we set security policy's unique#.
+.Pp
+Some if_flags change
+.Nm
+befavior. IFF_LINK0 can enable Network Address Translator traversal,
+IFF_LINK1 can enable ECN friendly mode like
+.Xr gif 4 ,
+and IFF_LINK2 can enable forwarding inner IPv6 packets.
+Only IFF_LINK2 is set by default. If you use only IPv4 packets as
+inner packets, you would want to unset IFF_LINK2 to reduce security
+associates for IPv6 packets.
+
+.Sh EXAMPLES
+Configuration example:
+.Bd -literal
+Host X--NetBSD A ----------------tunnel---------- NetBSD B------Host E
+ \\ |
+ \\ /
+ +-----Router B--------Router C---------+
+.Ed
+.Pp
+On
+.Nx
+system A
+.Bd -literal
+# ifconfig wm0 inet 192.168.0.1/24
+# ifconfig ipsec0 create
+# ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2
+# ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1
+start IKE daemon or set security associates manually.
+# ifconfig wm1 inet 10.100.0.1/24
+# route add 10.200.0.1 172.16.100.1
+.Ed
+.Pp
+On
+.Nx
+system B
+.Bd -literal
+# ifconfig wm0 inet 192.168.0.2/24
+# ifconfig ipsec0 create
+# ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1
+# ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1
+start IKE daemon or set security associates manually.
+# ifconfig wm1 inet 10.200.0.1/24
+# route add 10.100.0.1 172.16.200.1
+.Ed
+.Pp
+.Sh SEE ALSO
+.Xr inet 4 ,
+.Xr inet6 4 ,
+.Xr ipsec 4 ,
+.Xr gif 4 ,
+.Xr ifconfig 8 ,
+.Xr setkey 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Nx 8.0 .
+.Sh LIMITATIONS
+Currently, the
+.Nm
+interface supports esp protocol only.
+.Nm
+does not support Network Address Translator traversal(NAT-T).
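Review bot: the DESCRIPTION and LIMITATIONS sections of the new page contradict each other on NAT traversal: DESCRIPTION states "IFF_LINK0 can enable Network Address Translator traversal", while LIMITATIONS states the interface "does not support Network Address Translator traversal(NAT-T)". One of the two should be corrected or the DESCRIPTION should say the flag is reserved for future NAT-T support, since an administrator who sets link0 expecting NAT-T will otherwise get a tunnel that silently does not work behind a NAT. A few other points in the same hunk: "security associates" should be "security associations" throughout (the term abbreviated SA); "There is four security policies" should be "There are four security policies"; "meaing" and "befavior" are typos for "meaning" and "behavior"; "avoids the troubles which is caused by only one of in and out security policy pair exists" reads better as "avoids the problems caused when only one of the in/out security policy pair exists"; "with -u option which we set security policy's unique#" should use mdoc markup, e.g. ".Xr setkey 8 with the .Fl u option, giving the security policy's unique identifier". The NAME section uses ".Nm ipsec" while the page is .Dt IPSECIF 4 and the SYNOPSIS is "pseudo-device ipsecif"; if the interface is really named ipsec0 (as the EXAMPLES show) consider stating in the first paragraph that the interface name is ipsecN while the pseudo-device is ipsecif, so the mismatch between the page name and .Nm is explicit. In SEE ALSO, ".Xr gif 4 ," should precede ".Xr inet 4 ," to keep alphabetical order, and the blank line before ".Sh EXAMPLES" should be removed as mdoc does not use blank lines. Finally, the "esp/transport//unique" policies the page documents are what makes the kernel-managed SPD atomic; it would help readers to note that the unique level means each policy is bound to one SA by its identifier, which is why a pre-existing overlapping spdadd causes the configuration failure the page mentions.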