author: Jason McIntyre <jmc@cvs.openbsd.org> 2015-06-25 10:18:57 +0000
committer: Jason McIntyre <jmc@cvs.openbsd.org> 2015-06-25 10:18:57 +0000
commit: 94ce3f0b646fa07aca342ef03287cc46b2f7351f
tree: f1c8f0ab0977c1a7ba8eddccb114c3b51ab8d3fb /share
parent: 159fb3d015db2f7b5ccfda2c36c955e8d638784d
pfsync and ipsec do not currently work; from lukasz czarniecki
i've chosen to comment out the pertinent text rather than remove it... confirmation/ok dlg
Diffstat (limited to 'share')
-rw-r--r-- share/man/man4/pfsync.4 40
1 files changed, 22 insertions, 18 deletions
diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4
index a0c1852b080..2fe6792b2ef 100644
--- a/share/man/man4/pfsync.4
+++ b/share/man/man4/pfsync.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfsync.4,v 1.32 2015/02/01 08:33:48 jsg Exp $
+.\" $OpenBSD: pfsync.4,v 1.33 2015/06/25 10:18:56 jmc Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" Copyright (c) 2003-2004 Ryan McBride
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: February 1 2015 $
+.Dd $Mdocdate: June 25 2015 $
.Dt PFSYNC 4
.Os
.Sh NAME
@@ -112,24 +112,24 @@ An alternative destination address for
packets can be specified using the
.Ic syncpeer
keyword.
-This can be used in combination with
-.Xr ipsec 4
-to protect the synchronisation traffic.
-In such a configuration, the syncdev should be set to the
-.Xr enc 4
-interface, as this is where the traffic arrives when it is decapsulated,
-e.g.:
-.Bd -literal -offset indent
-# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
-.Ed
+.\" This can be used in combination with
+.\" .Xr ipsec 4
+.\" to protect the synchronisation traffic.
+.\" In such a configuration, the syncdev should be set to the
+.\" .Xr enc 4
+.\" interface, as this is where the traffic arrives when it is decapsulated,
+.\" e.g.:
+.\" .Bd -literal -offset indent
+.\" # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
+.\" .Ed
.Pp
It is important that the pfsync traffic be well secured
as there is no authentication on the protocol and it would
be trivial to spoof packets which create states, bypassing the pf ruleset.
-Either run the pfsync protocol on a trusted network \- ideally a network
-dedicated to pfsync messages such as a crossover cable between two firewalls,
-or specify a peer address and protect the traffic with
-.Xr ipsec 4 .
+Only run the pfsync protocol on a trusted network \- ideally a network
+dedicated to pfsync messages such as a crossover cable between two firewalls.
+.\" or specify a peer address and protect the traffic with
+.\" .Xr ipsec 4 .
.Sh EXAMPLES
.Nm
and
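Review bot: the commented-out block that begins `.\" This can be used in combination with` has no marker in the file saying why it is disabled or when it can come back; only the commit log records that. A one-line comment above it, noting that pfsync over ipsec is currently broken and that the text should be restored once it works, would keep that context with the source. Separately, the `syncpeer` paragraph now ends at "keyword." while the warning that the protocol has no authentication sits in the next paragraph, so it is worth saying at that point that traffic sent to a syncpeer is unprotected and belongs on the same trusted or dedicated network.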
@@ -219,10 +219,10 @@ net.inet.carp.preempt=1
.Sh SEE ALSO
.Xr bpf 4 ,
.Xr carp 4 ,
-.Xr enc 4 ,
+.\" .Xr enc 4 ,
.Xr inet 4 ,
.Xr inet6 4 ,
-.Xr ipsec 4 ,
+.\" .Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr hostname.if 5 ,
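Review bot: commenting out `.Xr ipsec 4 ,` in SEE ALSO leaves the page inconsistent with the BUGS section added at the end of this patch, which still cross-references `.Xr ipsec 4 .` in running text. Pages referenced in the body are normally also listed in SEE ALSO, so I would keep the ipsec entry active and comment out only `.Xr enc 4 ,`, which no longer appears in any live text.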
@@ -244,3 +244,7 @@ protocol and kernel implementation were significantly modified between
and
.Ox 4.5 .
The two protocols are incompatible and will not interoperate.
+.Sh BUGS
+.Nm
+does not currently work with
+.Xr ipsec 4 .
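Review bot: the new BUGS sentence does not say which setup is affected, so a reader who followed the previous revision's `syncpeer ... syncdev enc0` example cannot tell from the page that this is the configuration that stopped working. Consider wording it in terms of the keywords the page still documents, for example that synchronisation traffic sent to a `syncpeer` cannot currently be protected with ipsec, which also ties the entry back to the "Only run the pfsync protocol on a trusted network" advice.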