-rw-r--r-- sbin/brconfig/brconfig.8 29
-rw-r--r-- share/man/man4/bridge.4 28
2 files changed, 53 insertions, 4 deletions
diff --git a/sbin/brconfig/brconfig.8 b/sbin/brconfig/brconfig.8
index a94926d0391..26efc0285d7 100644
--- a/sbin/brconfig/brconfig.8
+++ b/sbin/brconfig/brconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: brconfig.8,v 1.35 2002/06/09 08:13:05 todd Exp $
+.\" $OpenBSD: brconfig.8,v 1.36 2002/06/15 02:27:03 angelos Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -185,6 +185,29 @@ being forwarded by the bridge.
Clear the
.Cm link1
flag on the bridge interface.
+.It Cm link2
+Setting this flag causes all packets to be passed on to
+.Xr ipsec 4
+for processing, based on the policies established by the administrator
+using the
+.Xr ipsecadm 8
+command.
+If appropriate security associations (SAs) exist, they will be used to
+encrypt or decrypt the packets.
+Otherwise, any key management daemons such as
+.Xr isakmpd 8
+or
+.Xr photurisd 8
+that are running on the bridge will be invoked to establish the
+necessary SAs.
+These daemons have to be configured as if they were running on the
+host whose traffic they are protecting (i.e., they need to have the
+appropriate authentication and authorization material, such as keys
+and certificates, to impersonate the protected host(s).
+.It Cm -link2
+Clear the
+.Cm link2
+flag on the bridge interface.
.It Cm rule Op Ar rulespec
Add a filtering rule to an interface.
Rules have a similiar syntax to
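Review bot: the parenthesis opened at "(i.e., they need to have the" in the new link2 text is never closed; the sentence ends at "to impersonate the protected host(s)." with only the inner "(s)" balanced. Close it before the period, "... to impersonate the protected host(s))." or drop the parentheses and make the i.e. clause a sentence of its own. Since this paragraph is the only place the page says the bridge must hold the protected hosts' keys and certificates, it is worth having that sentence read cleanly.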
@@ -389,7 +412,9 @@ commands are used to add and delete span ports to and from a bridge.
.Xr ipsec 4 ,
.Xr bridgename.if 5 ,
.Xr ifconfig 8 ,
-.Xr ipsecadm 8
+.Xr ipsecadm 8 ,
+.Xr isakmpd 8 ,
+.Xr photurisd 8
.Sh AUTHORS
The
.Xr brconfig 8
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4
index edd54a5354d..ef3411bbef2 100644
--- a/share/man/man4/bridge.4
+++ b/share/man/man4/bridge.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bridge.4,v 1.41 2002/05/28 17:50:04 jasoni Exp $
+.\" $OpenBSD: bridge.4,v 1.42 2002/06/15 02:26:44 angelos Exp $
.\"
.\" Copyright (c) 1999-2001 Jason L. Wright (jason@thought.net)
.\" All rights reserved.
@@ -545,6 +545,26 @@ have different mtu's or when IP fragments are reassembled by
.Xr pf 4 .
Non-IP packets which are too large for the outgoing interface will be
dropped.
+.Pp
+If the LINK2 flag is set on the
+.Xr bridge 4
+interface, the bridge will also perform transparent
+.Xr ipsec 4
+processing on the packets (encrypt or decrypt them), according to the
+policies set with the
+.Xr ipsecadm 8
+command by the administrator.
+If appropriate security associations (SAs) do not exist, any key
+management daemons such as
+.Xr isakmpd 8
+or
+.Xr photurisd 8
+that are running on the bridge will be invoked to establish the
+necessary SAs.
+These daemons have to be configured as if they were running on the
+host whose traffic they are protecting (i.e., they need to have the
+appropriate authentication and authorization material, such as keys
+and certificates, to impersonate the protected host(s).
.Sh SEE ALSO
.Xr errno 2 ,
.Xr ioctl 2 ,
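Review bot: the added paragraph refers to the page's own subject with ".Xr bridge 4" inside bridge.4, which is a cross reference to self; ".Nm" is the usual macro there. The same unclosed parenthesis as in the brconfig.8 text is also present here, from "(i.e., they need to have the" through "to impersonate the protected host(s)." and needs a closing ")" before the period. The paragraph is otherwise a near copy of the link2 description in brconfig.8, so consider keeping the full explanation in one page and pointing to it from the other to avoid the two drifting apart.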
@@ -552,10 +572,14 @@ dropped.
.Xr gif 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
+.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr bridgename.if 5 ,
-.Xr brconfig 8
+.Xr brconfig 8 ,
+.Xr ipsecadm 8 ,
+.Xr isakmpd 8 ,
+.Xr photurisd 8,
.Sh AUTHORS
The
.Xr brconfig 8
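Review bot: the last added SEE ALSO entry, ".Xr photurisd 8,", has the comma attached to the section number and leaves a trailing comma on the final item of the list. The other entries pass the comma as a separate argument (".Xr isakmpd 8 ,"), and the final entry should carry none, so this line should read ".Xr photurisd 8" as it does in the matching brconfig.8 hunk.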