authorReyk Floeter <reyk@cvs.openbsd.org>2010-07-01 02:09:46 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2010-07-01 02:09:46 +0000
commit654205592319e75563e57a6262ca44fece0d13c6 (patch)
tree60a3dbc2a339f69c731d72eac8a12e6bc7ab823a /sys/net/pfkeyv2_convert.c
parent9576d045e781cdcc481fbb45d927829e4ab553d3 (diff)
Allow specifying an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow grouping individual ipsec policies into virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocated array instead of the TAILQ to look up the matching enc interface in enc_getif() quickly. Discussed with many, tested by a few, will need more testing & review. ok deraadt@
Diffstat (limited to 'sys/net/pfkeyv2_convert.c')
-rw-r--r--sys/net/pfkeyv2_convert.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 67dc4fe6f34..e247d8ab5c0 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.31 2008/10/22 23:04:45 mpf Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.32 2010/07/01 02:09:45 reyk Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -1004,4 +1004,23 @@ export_tag(void **p, struct tdb *tdb)
PADUP(stag->sadb_x_tag_taglen)) / sizeof(uint64_t);
*p += PADUP(stag->sadb_x_tag_taglen) + sizeof(struct sadb_x_tag);
}
+
+/* Import enc(4) tap device information for SA */
+void
+import_tap(struct tdb *tdb, struct sadb_x_tap *stap)
+{
+ if (stap)
+ tdb->tdb_tap = stap->sadb_x_tap_unit;
+}
+
+/* Export enc(4) tap device information for SA */
+void
+export_tap(void **p, struct tdb *tdb)
+{
+ struct sadb_x_tap *stag = (struct sadb_x_tap *)*p;
+
+ stag->sadb_x_tap_unit = tdb->tdb_tap;
+ stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t);
+ *p += sizeof(struct sadb_x_tap);
+}
#endif
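Review bot: import_tap stores stap->sadb_x_tap_unit into tdb->tdb_tap without any range check, and that unit originates from a userland pfkey message (the new SADB_X_EXT_TAP extension per the commit description), so the only thing standing between an arbitrary unit number and the enc_getif() array lookup the description mentions is a bounds check inside enc_getif() itself, which is outside this file. If enc_getif() does not reject out-of-range units, a malformed SA message would index past the allocated array; either way the trust boundary deserves a comment here, e.g. `/* unit comes from userland; enc_getif() must bound-check it against the allocated enc array */`, or an explicit check in import_tap that rejects units no enc interface can exist for. As a point of style, export_tap's local is named `stag`, copied from export_tag above it; `struct sadb_x_tap *stap = (struct sadb_x_tap *)*p;` matches the naming import_tap already uses and avoids suggesting the wrong structure. The `#endif` at the end of the hunk closes a preprocessor conditional that begins outside this hunk.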