Implement etherip(4) driver

This commit is not removing the existing EtherIP part of gif(4) and
it keeps EtherIP of gif(4) working.

ok jbg@ sthen@ mpi@ reyk@ yasuoka@

1 files changed, 187 insertions, 0 deletions

diff --git a/share/man/man4/etherip.4 b/share/man/man4/etherip.4
new file mode 100644
index 00000000000..5940ce1480c
--- /dev/null
+++ b/share/man/man4/etherip.4
@@ -0,0 +1,187 @@
+.\"	$OpenBSD: etherip.4,v 1.1 2015/12/03 12:42:03 goda Exp $
+.\"
+.\" Copyright (c) 2015 YASUOKA Masahiko <yasuoka@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following requests are required for all man pages.
+.\"
+.Dd $Mdocdate: December 3 2015 $
+.Dt ETHERIP 4
+.Os
+.Sh NAME
+.Nm etherip
+.Nd EtherIP tunnel interface
+.Sh SYNOPSIS
+.Cd "pseudo-device etherip"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device for tunnelling ethernet frames accross IP[46]
+networks using RFC 3378 EtherIP encapsulation.
+.Pp
+A
+.Nm
+interface can be created using the
+.Ic ifconfig etherip Ns Ar N Ic create
+command and it must be configured with the addresses used for
+the outer header.  This can be done by
+.Xr ifconfig 8 Ns 's
+.Ic tunnel
+command (which uses the
+.Dv SIOCSIFPHYADDR
+ioctl).
+These commands are also done by setting up a
+.Xr hostname.if 5
+configuration files for
+.Xr netstart 8 .
+.Pp
+The
+.Nm
+interface must be made a member of a
+.Xr bridge 4 .
+The
+.Xr sysctl 3
+variable
+.Dv net.inet.etherip.allow
+must be set to 1, unless
+.Xr ipsec 4
+is being used to protect the traffic.
+Ethernet frames are then encapsulated and sent across the network
+to another
+.Xr bridge 4 ,
+which decapsulates the datagram and processes the resulting Ethernet
+frame as if it had originated on a normal Ethernet interface.
+This effectively allows a layer 2 network to be extended from one point to
+another, possibly through the Internet.
+This mechanism may be used in
+conjunction with IPsec by specifying the appropriate IPsec flows
+between the two bridges.
+To only protect the bridge traffic between
+the two bridges, the transport protocol 97 (etherip) selector may be
+used in
+.Xr ipsec.conf 5 .
+Otherwise, the Ethernet frames will be sent in the clear between the
+two bridges.
+.Sh EXAMPLES
+Given two physically separate Ethernet networks, a bridge can
+be used as follows to make them appear as the same local area network.
+If bridge1 on network1 has the external IP address 1.2.3.4 on em0,
+bridge2 on network2 has the external IP address 4.3.2.1 on em0, and
+both bridges have em1 on their internal network (network1 and network2,
+respectively), the following configuration can be used to bridge
+network1 and network2.
+.Pp
+First create the bridge interface,
+adding the encapsulation interface and internal Ethernet interface
+to the bridge interface:
+.Bd -literal -offset indent
+# ifconfig bridge0 add etherip0 add em1
+.Ed
+.Pp
+Create and configure the etherip0 interface:
+.Bd -literal -offset indent
+(on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1
+(on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4
+.Ed
+.Pp
+Create Security Associations (SAs) between the external IP address of each
+bridge and matching ingress flows by using the following
+.Xr ipsec.conf 5
+file on bridge1:
+.Bd -literal -offset indent
+esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e
+        authkey file "auth1:auth2" enckey file "enc1:enc2"
+flow esp proto etherip from 1.2.3.4 to 4.3.2.1
+.Ed
+.Pp
+Now load these rules into the kernel by issuing the
+.Xr ipsecctl 8
+command:
+.Bd -literal -offset indent
+# ipsecctl -f ipsec.conf
+.Ed
+.Pp
+Appropriate
+.Xr ipsec.conf 5
+for bridge2:
+.Bd -literal -offset indent
+esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e
+        authkey file "auth2:auth1" enckey file "enc2:enc1"
+flow esp proto etherip from 4.3.2.1 to 1.2.3.4
+.Ed
+.Pp
+And load them:
+.Bd -literal -offset indent
+# ipsecctl -f ipsec.conf
+.Ed
+.Pp
+To use dynamic (as opposed to static) keying,
+use this
+.Xr ipsec.conf 5
+on bridge1:
+.Bd -literal -offset indent
+ike esp proto etherip from 1.2.3.4 to 4.3.2.1
+.Ed
+.Pp
+And on bridge2:
+.Bd -literal -offset indent
+ike esp proto etherip from 4.3.2.1 to 1.2.3.4
+.Ed
+.Pp
+Bring up the internal interface (if not already up) and encapsulation
+interface:
+.Bd -literal -offset indent
+# ifconfig em1 up
+# ifconfig etherip0 up
+.Ed
+.Pp
+Finally, bring the bridge interface up and allow it to start processing
+frames:
+.Pp
+.Dl # ifconfig bridge0 up
+.Pp
+The internal interface on each bridge need not have an IP
+address: the bridge can function without it.
+.Pp
+Note:  It is possible to put the above commands in the
+.Xr hostname.if 5
+files, using the
+.Sq !\&
+operator.
+.Sh SEE ALSO
+.Xr sysctl 3 ,
+.Xr bridge 4 ,
+.Xr inet 4 ,
+.Xr inet6 4 ,
+.Xr ipsec 4 ,
+.Xr hostname.if 5 ,
+.Xr ifconfig 8 ,
+.Xr netstart 8
+.Sh STANDARDS
+.Rs
+.%A R. Housley
+.%A S. Hollenbeck
+.%D September 2002
+.%R RFC 3378
+.%T EtherIP: Tunneling Ethernet Frames in IP Datagrams
+.Re
+.Sh HISTORY
+The
+.Nm
+device first appeared in OpenBSD 5.9.
+.Sh AUTHORS
+The
+.Nm
+driver was written by
+.An Kazuya Goda Aq Mt goda@openbsd.org .