From 1dee437284682cc1945460ca622b94ed01da61e9 Mon Sep 17 00:00:00 2001 From: "Angelos D. Keromytis" Date: Tue, 26 Jun 2001 23:24:12 +0000 Subject: PF-related text/references (jsyn@nthought.com) --- share/man/man4/bridge.4 | 45 ++++++++++++++++++++++----------------------- share/man/man4/enc.4 | 29 +++++++++++++---------------- share/man/man4/ipsec.4 | 10 +++++----- 3 files changed, 40 insertions(+), 44 deletions(-) diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4 index 25698d08e93..a1608fcf2c4 100644 --- a/share/man/man4/bridge.4 +++ b/share/man/man4/bridge.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bridge.4,v 1.31 2001/06/23 07:19:32 angelos Exp $ +.\" $OpenBSD: bridge.4,v 1.32 2001/06/26 23:24:10 angelos Exp $ .\" .\" Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) .\" All rights reserved. @@ -52,10 +52,9 @@ a transparent filter for .Xr ip 4 datagrams. .Pp -.\"XXX - replace with ipfw when it is in-tree -.\"The bridges provided by this interface are learning bridges with -.\"IP filtering, see -..\"Xr ipf 4 . +The bridges provided by this interface are learning bridges with +filtering, see +.Xr pf 4 . In general a bridge works like a hub, forwarding traffic from one interface to another. It differs from a hub in that it will "learn" which machines 
@@ -80,17 +79,18 @@ bridge will forward the packet only to the destination segment. If the destination is on the same segment as the origin segment, the bridge will drop the packet because the receiver has already had a chance to see the frame. -.\"XXX - replace with ipfw when it is in-tree -.\"Before forwarding a frame, the bridge will check to see if the packet -.\"contains an -.\".Xr ip 4 -.\"datagram; if so, the datagram is run through the -.\".Xr ipf 4 -.\"interface so that it can be filtered. -.\"Only the -.\".Xr ipf 4 -.\"input rules for the source interface are checked with the datagram; -.\"output rules have no effect. +Before forwarding a frame, the bridge will check to see if the packet +contains an +.Xr ip 4 +or +.Xr ip 6 +datagram; if so, the datagram is run through the +.Xr pf 4 +interface so that it can be filtered. +Only the +.Xr pf 4 +input rules for the source interface are checked with the datagram; +output rules have no effect. .Sh IOCTLS A .Nm @@ -540,10 +540,9 @@ command and the .Xr bridge 4 kernel interface first appeared in .Ox 2.5 . -.\".Sh BUGS -.\"XXX - replace with ipfw when it is in-tree -.\".Pp -.\"Only -.\".Xr ipf 4 -.\"input rules are checked with incoming packet; there is no easy way to -.\"handle output rules. +.Sh BUGS +.Pp +Only +.Xr pf 4 +input rules are checked with incoming packets; there is no easy way to +handle output rules. diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4 index f2a15a407bc..457c08caebb 100644 --- a/share/man/man4/enc.4 +++ b/share/man/man4/enc.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: enc.4,v 1.13 2001/06/22 12:15:44 mpech Exp $ +.\" $OpenBSD: enc.4,v 1.14 2001/06/26 23:24:11 angelos Exp $ .\" .Dd October 7, 1999 .Dt ENC 4 
@@ -9,20 +9,17 @@ .Sh SYNOPSIS .Cd "pseudo-device enc 4" .Sh DESCRIPTION -.\"XXX - replace with ipfw when it is in-tree -.\"The -.\".Nm -.\"interface is a software loopback mechanism that allows hosts or -.\"firewalls to filter -.\".Xr ipsec 4 -.\"traffic using -.\".Xr ipf 5 . -.\"The -.\".Xr vpn 8 -.\"manpage shows an example of such a setup. -.\".Pp -.\"The other use of the -.\"XXX +The +.Nm +interface is a software loopback mechanism that allows hosts or +firewalls to filter +.Xr ipsec 4 +traffic using +.Xr pf 4 . +The +.Xr vpn 8 +manpage shows an example of such a setup. +.Pp The .Nm interface is a software loopback mechanism that allows an administrator @@ -54,6 +51,6 @@ or all incoming packets after they have been similarly processed: .Xr inet 4 , .Xr ipsec 4 , .Xr netintro 4 , -.\".Xr ipf 5 , +.Xr pf 4 , .Xr tcpdump 8 , .Xr vpn 8 diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4 index 9a2a76ac58a..402a80baf51 100644 --- a/share/man/man4/ipsec.4 +++ b/share/man/man4/ipsec.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.4,v 1.44 2001/06/26 05:44:00 mpech Exp $ +.\" $OpenBSD: ipsec.4,v 1.45 2001/06/26 23:24:11 angelos Exp $ .\" .\" Copyright 1997 Niels Provos .\" All rights reserved. @@ -282,8 +282,8 @@ interfaces, but special care should be taken because of the interactions between NAT and the IPsec flow matching, especially on the packet output path. Inside the TCP/IP stack, packets go through the following stages: .Bd -literal -offset indent -UL/R -> [X] -> IPF/NAT(enc0) -> IPSec -> IPF/NAT(IF) -> IF -UL/R <-------- IPF/NAT(enc0) <- IPSec -> IPF/NAT(IF) <- IF +UL/R -> [X] -> PF/NAT(enc0) -> IPSec -> PF/NAT(IF) -> IF +UL/R <-------- PF/NAT(enc0) <- IPSec -> PF/NAT(IF) <- IF .Ed .Pp With 
@@ -296,8 +296,8 @@ The Stage on the output path represents the point where the packet is matched against the IPsec flow database (SPD) to determine if and how the packet has to be IPsec-processed. If, at this point, it is determined -that the packet should be IPSec-processed, it is processed by the IPF/NAT code. -Unless IPF drops the packet, it will then be IPsec-processed, even if the +that the packet should be IPSec-processed, it is processed by the PF/NAT code. +Unless PF drops the packet, it will then be IPsec-processed, even if the packet has been modified by NAT. .Pp Security Associations can be set up manually with the -- cgit v1.2.3
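Review bot: In the bridge.4 hunk at @@ -80,17, the new cross-reference `.Xr ip 6` renders as ip(6) and points at manual section 6 rather than at the IPv6 page; the intended reference is `.Xr ip6 4`, matching the `.Xr ip 4` on the line above it.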
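Review bot: In the bridge.4 hunk at @@ -540,10, the `.Pp` directly after `.Sh BUGS` is redundant in mdoc (a section header already starts a new paragraph, and mandoc warns about a paragraph macro following `.Sh`); drop the `.Pp` line so the section reads `.Sh BUGS` / `Only` / `.Xr pf 4` / `input rules are checked with incoming packets; ...`.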
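Review bot: In the enc.4 hunk at @@ -9,20, the uncommented paragraph and the existing one that follows it now both open with "The .Nm interface is a software loopback mechanism that allows ...", because the old commented lead-in ".\"The other use of the" was dropped instead of being restored; either begin the second paragraph with "The other use of the" / ".Nm" / "interface is ..." as the old comment did, or merge the two paragraphs so the page does not introduce the interface twice in a row.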
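Review bot: In the ipsec.4 hunk at @@ -282,8, the return-path line `UL/R <-------- PF/NAT(enc0) <- IPSec -> PF/NAT(IF) <- IF` still has one arrow pointing the wrong way: between IPSec and PF/NAT(IF) it reads `->` while every other arrow on the input path reads `<-`. The error predates this change, but since the line is being rewritten anyway it should become `... <- IPSec <- PF/NAT(IF) <- IF` so the diagram matches the prose description of the input stages.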
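Review bot: In the ipsec.4 hunk at @@ -296,8, the rewritten line keeps the spelling "IPSec-processed" while the very next line (and the rest of the page) uses "IPsec-processed"; since the line is already being touched for the IPF to PF rename, normalize it to "IPsec" so the two adjacent sentences agree.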