Replace enc(4) with a new implementation as a cloner device. We still

create enc0 by default, but it is possible to add additional enc
interfaces.  This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

1 files changed, 8 insertions, 3 deletions

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 51348864aae..ba3e830841d 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bridge.c,v 1.178 2010/06/03 16:15:00 naddy Exp $	*/
+/*	$OpenBSD: if_bridge.c,v 1.179 2010/06/29 21:28:37 reyk Exp $	*/
 
 /*
  * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -2319,6 +2319,9 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
 #ifdef INET6
 	struct ip6_hdr *ip6;
 #endif /* INET6 */
+#if NPF > 0
+	struct ifnet *encif;
+#endif
 
 	if (dir == BRIDGE_IN) {
 		switch (af) {
@@ -2454,7 +2457,8 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
 			switch (af) {
 #ifdef INET
 			case AF_INET:
-				if (pf_test(dir, &encif[0].sc_if,
+				if ((encif = enc_getif(0)) == NULL ||
+				    pf_test(dir, encif,
 				    &m, NULL) != PF_PASS) {
 					m_freem(m);
 					return (1);
@@ -2463,7 +2467,8 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
 #endif /* INET */
 #ifdef INET6
 			case AF_INET6:
-				if (pf_test6(dir, &encif[0].sc_if,
+				if ((encif = enc_getif(0)) == NULL ||
+				    pf_test6(dir, encif,
 				    &m, NULL) != PF_PASS) {
 					m_freem(m);
 					return (1);