etherip(4) was introduced in 5.9 as a clean alternative to gif(4)'s layer-2

mode that was enabled when it was added to a bridge(4). Update the manual
pages to direct people towards using etherip(4) for this purpose.
Reads fine to jmc@, ok mpi@.

This code will be removed from gif(4) in the future. Switching should be
as simple as renaming the config file (hostname.gifX -> hostname.etheripX),
changing the interface name in hostname.bridgeX, and updating firewall
rules etc. to match - I've tested this with etherip+bridge+isakmpd+ospf
tunnels.

2 files changed, 18 insertions, 154 deletions

diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index 5dee22dedfe..c3938ba5d66 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: bridge.4,v 1.72 2015/09/14 17:09:26 schwarze Exp $
+.\"	$OpenBSD: bridge.4,v 1.73 2016/06/07 20:25:48 sthen Exp $
 .\"
 .\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
 .\" All rights reserved.
@@ -24,7 +24,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 14 2015 $
+.Dd $Mdocdate: June 7 2016 $
 .Dt BRIDGE 4
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@ The
 .Nm
 device creates a logical link between two or more Ethernet interfaces or
 encapsulation interfaces (see
-.Xr gif 4 ) .
+.Xr etherip 4 ) .
 This link between the interfaces selectively forwards frames from
 each interface on the bridge to every other interface on the bridge.
 A bridge can serve several services, including isolation of traffic between
@@ -122,7 +122,7 @@ without rapid state transitions.
 Note that RSTP will be compatible with remote bridges running common STP.
 .Pp
 STP will not work on
-.Xr gif 4
+.Xr etherip 4
 members because they lack a hardware MAC address.
 .Sh SPAN PORTS
 The bridge can have interfaces added to it as span ports.
@@ -651,7 +651,7 @@ and certificates, to impersonate the protected host(s)).
 .Xr errno 2 ,
 .Xr ioctl 2 ,
 .Xr arp 4 ,
-.Xr gif 4 ,
+.Xr etherip 4 ,
 .Xr ip 4 ,
 .Xr ip6 4 ,
 .Xr ipsec 4 ,
diff --git a/share/man/man4/gif.4 b/share/man/man4/gif.4
index 3348b78b152..c8209745799 100644
--- a/share/man/man4/gif.4
+++ b/share/man/man4/gif.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: gif.4,v 1.28 2015/12/02 10:08:05 yasuoka Exp $
+.\"	$OpenBSD: gif.4,v 1.29 2016/06/07 20:25:48 sthen Exp $
 .\"	$KAME: gif.4,v 1.15 2000/04/19 09:39:42 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 2 2015 $
+.Dd $Mdocdate: June 7 2016 $
 .Dt GIF 4
 .Os
 .Sh NAME
@@ -42,10 +42,6 @@ The
 interface is a generic tunnelling pseudo-device for IPv4 and IPv6.
 It can tunnel IPv[46] over IPv[46] with behavior mainly based on
 RFC 4213 IPv6-over-IPv4, for a total of four possible combinations.
-When instead used as a member in a
-.Xr bridge 4 ,
-it will tunnel Ethernet packets over IPv[46] using RFC 3378 EtherIP
-encapsulation (version 3), providing two more combinations.
 .Pp
 A
 .Nm
@@ -56,7 +52,7 @@ command or by setting up a
 configuration file for
 .Xr netstart 8 .
 .Pp
-For all six modes the
+The
 .Nm
 interface must be configured with the
 addresses used for the outer header.
@@ -67,137 +63,15 @@ command (which uses the
 .Dv SIOCSIFPHYADDR
 ioctl).
 .Pp
-For the IPv[46] over IPv[46] modes the addresses of the inner
-header must be configured by using
+The addresses of the inner header must be configured by using
 .Xr ifconfig 8
 in the normal way.
-Note that IPv6 link-local address
-.Pq those start with Li fe80::
-will be automatically configured whenever possible.
-One may need to remove any IPv6 link-local address manually using
-.Xr ifconfig 8 ,
-to disable the use of IPv6 as inner header, for example when
-a pure IPv4-over-IPv6 tunnel is required.
 The routing table can be used to direct packets toward the
 .Nm
 interface.
-.Pp
-For the Ethernet-over-IP modes the
-.Nm
-interface must be made a member of a
-.Xr bridge 4 .
-The
-.Xr sysctl 3
-variable
-.Dv net.inet.etherip.allow
-must be set to 1, unless
-.Xr ipsec 4
-is being used to protect the traffic.
-Ethernet frames are then encapsulated and sent across the network
-to another
-.Xr bridge 4 ,
-which decapsulates the datagram and processes the resulting Ethernet
-frame as if it had originated on a normal Ethernet interface.
-This effectively allows a layer 2 network to be extended from one point to
-another, possibly through the Internet.
-This mechanism may be used in
-conjunction with IPsec by specifying the appropriate IPsec flows
-between the two bridges.
-To only protect the bridge traffic between
-the two bridges, the transport protocol 97 (etherip) selector may be
-used in
-.Xr ipsec.conf 5 .
-Otherwise, the Ethernet frames will be sent in the clear between the
-two bridges.
-.Sh EXAMPLES
-Given two physically separate Ethernet networks, a bridge can
-be used as follows to make them appear as the same local area network.
-If bridge1 on network1 has the external IP address 1.2.3.4 on fxp0,
-bridge2 on network2 has the external IP address 4.3.2.1 on fxp0, and
-both bridges have fxp1 on their internal network (network1 and network2,
-respectively), the following configuration can be used to bridge
-network1 and network2.
-.Pp
-First create the bridge interface,
-adding the encapsulation interface and internal Ethernet interface
-to the bridge interface:
-.Bd -literal -offset indent
-# ifconfig bridge0 add gif0 add fxp1
-.Ed
-.Pp
-Create and configure the gif0 interface:
-.Bd -literal -offset indent
-(on bridge 1) # ifconfig gif0 tunnel 1.2.3.4 4.3.2.1
-(on bridge 2) # ifconfig gif0 tunnel 4.3.2.1 1.2.3.4
-.Ed
-.Pp
-Create Security Associations (SAs) between the external IP address of each
-bridge and matching ingress flows by using the following
-.Xr ipsec.conf 5
-file on bridge1:
-.Bd -literal -offset indent
-esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \e
-        authkey file "auth1:auth2" enckey file "enc1:enc2"
-flow esp proto etherip from 1.2.3.4 to 4.3.2.1
-.Ed
-.Pp
-Now load these rules into the kernel by issuing the
-.Xr ipsecctl 8
-command:
-.Bd -literal -offset indent
-# ipsecctl -f ipsec.conf
-.Ed
-.Pp
-Appropriate
-.Xr ipsec.conf 5
-for bridge2:
-.Bd -literal -offset indent
-esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \e
-        authkey file "auth2:auth1" enckey file "enc2:enc1"
-flow esp proto etherip from 4.3.2.1 to 1.2.3.4
-.Ed
-.Pp
-And load them:
-.Bd -literal -offset indent
-# ipsecctl -f ipsec.conf
-.Ed
-.Pp
-To use dynamic (as opposed to static) keying,
-use this
-.Xr ipsec.conf 5
-on bridge1:
-.Bd -literal -offset indent
-ike esp proto etherip from 1.2.3.4 to 4.3.2.1
-.Ed
-.Pp
-And on bridge2:
-.Bd -literal -offset indent
-ike esp proto etherip from 4.3.2.1 to 1.2.3.4
-.Ed
-.Pp
-Bring up the internal interface (if not already up) and encapsulation
-interface:
-.Bd -literal -offset indent
-# ifconfig fxp1 up
-# ifconfig gif0 up
-.Ed
-.Pp
-Finally, bring the bridge interface up and allow it to start processing
-frames:
-.Pp
-.Dl # ifconfig bridge0 up
-.Pp
-The internal interface on each bridge need not have an IP
-address: the bridge can function without it.
-.Pp
-Note:  It is possible to put the above commands in the
-.Xr hostname.if 5
-files, using the
-.Sq !\&
-operator.
 .Sh SEE ALSO
 .Xr sysctl 3 ,
-.Xr bridge 4 ,
+.Xr etherip 4 ,
 .Xr inet 4 ,
 .Xr inet6 4 ,
 .Xr ipsec 4 ,
@@ -206,14 +80,6 @@ operator.
 .Xr netstart 8
 .Sh STANDARDS
 .Rs
-.%A R. Housley
-.%A S. Hollenbeck
-.%D September 2002
-.%R RFC 3378
-.%T EtherIP: Tunneling Ethernet Frames in IP Datagrams
-.Re
-.Pp
-.Rs
 .%A E. Nordmark
 .%A R. Gilligan
 .%D October 2005
@@ -224,6 +90,14 @@ operator.
 The
 .Nm
 device first appeared in WIDE hydrangea IPv6 kit.
+.Pp
+Previously,
+.Nm
+supported RFC 3378 EtherIP tunnels over
+.Xr bridge 4
+interfaces.
+This is now handled by
+.Xr etherip 4 .
 .Sh BUGS
 There are many tunnelling protocol specifications,
 defined differently from each other.
@@ -245,13 +119,3 @@ and your node will generate packets with a spoofed source address.
 .Pp
 If the outer protocol is IPv6, path MTU discovery for encapsulated packet
 may affect communication over the interface.
-.Pp
-When used in conjunction with a
-.Xr bridge 4
-interface,
-only one bridge tunnel may be operational for every pair of
-source/destination addresses.
-If more than one
-.Nm
-interface is configured with the same pair of outer addresses, the
-one with the lowest index number will receive all traffic.