[Midnightbsd-cvs] src: lib/libipsec: Merge changes.
laffer1 at midnightbsd.org
Thu Oct 30 17:31:08 EDT 2008
Log Message:
-----------
Merge changes.
Modified Files:
--------------
src/lib/libipsec:
ipsec_set_policy.3 (r1.2 -> r1.3)
ipsec_strerror.3 (r1.2 -> r1.3)
-------------- next part --------------
Index: ipsec_strerror.3
===================================================================
RCS file: /home/cvs/src/lib/libipsec/ipsec_strerror.3,v
retrieving revision 1.2
retrieving revision 1.3
diff -L lib/libipsec/ipsec_strerror.3 -L lib/libipsec/ipsec_strerror.3 -u -r1.2 -r1.3
--- lib/libipsec/ipsec_strerror.3
+++ lib/libipsec/ipsec_strerror.3
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/lib/libipsec/ipsec_strerror.3,v 1.13.2.1 2006/03/09 12:41:34 gnn Exp $
+.\" $FreeBSD: src/lib/libipsec/ipsec_strerror.3,v 1.15 2007/07/01 12:08:05 gnn Exp $
.\"
.Dd February 14, 2006
.Dt IPSEC_STRERROR 3
@@ -38,12 +38,12 @@
.Nd error messages for the IPsec policy manipulation library
.\"
.Sh SYNOPSIS
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
.Ft "const char *"
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
declares
.Pp
.Dl extern int ipsec_errcode;
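Review bot: the SYNOPSIS and DESCRIPTION now name `netipsec/ipsec.h` instead of `netinet6/ipsec.h`; confirm that the MidnightBSD tree actually installs the header at that path (the newer FreeBSD layout this merge tracks), otherwise the page documents an include that does not exist locally. The change is applied consistently in both places in this file and in ipsec_set_policy.3 below.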
Index: ipsec_set_policy.3
===================================================================
RCS file: /home/cvs/src/lib/libipsec/ipsec_set_policy.3,v
retrieving revision 1.2
retrieving revision 1.3
diff -L lib/libipsec/ipsec_set_policy.3 -L lib/libipsec/ipsec_set_policy.3 -u -r1.2 -r1.3
--- lib/libipsec/ipsec_set_policy.3
+++ lib/libipsec/ipsec_set_policy.3
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/lib/libipsec/ipsec_set_policy.3,v 1.20.2.1 2006/03/09 12:41:34 gnn Exp $
+.\" $FreeBSD: src/lib/libipsec/ipsec_set_policy.3,v 1.23 2007/07/01 12:08:05 gnn Exp $
.\"
.Dd February 14, 2006
.Dt IPSEC_SET_POLICY 3
@@ -41,7 +41,7 @@
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int
@@ -51,13 +51,13 @@
.Sh DESCRIPTION
The
.Fn ipsec_set_policy
-function generates an IPsec policy specification structure,
+function generates an IPsec policy specification structure,
.Li struct sadb_x_policy
and/or
.Li struct sadb_x_ipsecrequest
from a human-readable policy specification.
-The policy specification must be given as a C string,
-passed in the
+The policy specification must be given as a C string,
+passed in the
.Fa policy
argument and the length of the string, given as
.Fa len .
@@ -66,7 +66,7 @@
function returns pointer to a buffer which contains a properly formed
IPsec policy specification structure.
The buffer is dynamically allocated, and must be freed by using the
-.Xr free 3
+.Xr free 3
library function.
.Pp
The
@@ -94,13 +94,13 @@
.Fn ipsec_dump_policy
function returns a pointer to dynamically allocated string.
It is the caller's responsibility to free the returned pointer using the
-.Xr free 3
+.Xr free 3
library call.
.Pp
-A
+A
.Fa policy
is given in the following way:
-.Bl -tag -width "discard"
+.Bl -tag -width "discard"
.It Ar direction Li discard
The
.Ar direction
@@ -108,7 +108,7 @@
.Li in
or
.Li out
-and
+and
specifies which direction the policy needs to be applied, either on
inbound or outbound packets.
When the
@@ -121,10 +121,11 @@
in the kernel, as controlled by
.Xr setkey 8 .
.It Ar direction Li bypass
-A direction of
+A direction of
.Li bypass
indicates that IPsec processing should not occur and that the
-packet will be transmitted in clear. The bypass option is only
+packet will be transmitted in clear.
+The bypass option is only
available to privileged sockets.
.It Xo
.Ar direction
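Review bot: the split-off line `+packet will be transmitted in clear.` should read `packet will be transmitted in the clear.`, matching the wording used for the `use` level later in this page; since the line is already being rewritten for the one-sentence-per-line mdoc style, fix the phrasing in the same change.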
@@ -138,7 +139,7 @@
can be followed by one or more
.Ar request
string, which is formatted as:
-.Bl -tag -width "discard"
+.Bl -tag -width "discard"
.It Xo
.Ar protocol
.Li /
@@ -164,8 +165,8 @@
is either
.Li transport
or
-.Li tunnel
-the meanings of both modes are described in
+.Li tunnel
+the meanings of both modes are described in
.Xr ipsec 4 .
.Pp
The
@@ -210,9 +211,10 @@
means that the kernel should consult the default security policies as
defined by a set of
.Xr sysctl 8 ,
-variables. The relevant
-.Xr sysctl 8
-variables are described in
+variables.
+The relevant
+.Xr sysctl 8
+variables are described in
.Xr ipsec 4 .
.Pp
When
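Review bot: the context line `.Xr sysctl 8 ,` leaves a comma between the cross-reference and the following word, so the paragraph renders as "a set of sysctl(8), variables"; drop the trailing `,` on that macro line while this paragraph is being reflowed.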
@@ -221,15 +223,16 @@
(SA)
can be used when available but is not necessary.
If the SA is available then packets will be handled by IPsec,
-i.e. encrypted and/or authenticated but if an SA is not available then
-packets will be transmitted in the clear. The
+i.e., encrypted and/or authenticated but if an SA is not available then
+packets will be transmitted in the clear.
+The
.Li use
option is not recommended because it allows for accidental
mis-configurations where encrypted or authenticated link becomes
unencrypted or unauthenticated, the
.Li require
keyword is recommended instead of
-.Li use
+.Li use
where possible.
Using the
.Li require
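Review bot: the reflowed line `+i.e., encrypted and/or authenticated but if an SA is not available then` still needs a comma before `but`, and the sentence that follows (`option is not recommended because ... unauthenticated, the` / `.Li require` / `keyword is recommended instead of`) is a comma splice; split it into two sentences, one per line, so the security recommendation (prefer `require` over `use` so that a protected link cannot silently fall back to cleartext) reads cleanly. `encrypted or authenticated link` also wants an article.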
@@ -250,7 +253,7 @@
.Li unique
keyword in this way:
.Li unique : number ,
-where
+where
.Li number
must be between 1 and 32767.
.Pp
@@ -270,7 +273,7 @@
.El
.Pp
Note that there is a difference between the specification allowed here
-and in
+and in
.Xr setkey 8 .
When specifying security policies with
.Xr setkey 8 ,
@@ -278,42 +281,16 @@
Refer to
.Xr setkey 8
for details.
-.Sh EXAMPLES
-Set a policy that all inbound packets are discarded.
-.Bd -literal -offset indent
-in discard
-
-.Ed
-.\"
-All outbound packets are required to be processed by IPsec and
-transported using ESP.
-.Bd -literal -offset indent
-out ipsec esp/transport//require
-
-.Ed
-.\"
-All inbound packets are required to be authenticated using the AH protocol.
-.Bd -literal -offset indent
-in ipsec ah/transport//require
-
-.Ed
-.\"
-Tunnel packets outbound through the endpoints at 10.1.1.2 and 10.1.1.1.
-.Bd -literal -offset indent
-out ipsec esp/tunnel/10.1.1.2-10.1.1.1/require
-
-.Ed
-.\"
.Sh RETURN VALUES
The
.Fn ipsec_set_policy
function returns a pointer to the allocated buffer containing a the
policy specification if successful; otherwise a NULL pointer is
-returned.
+returned.
.Pp
The
.Fn ipsec_get_policylen
-function returns a positive value,
+function returns a positive value,
indicating the buffer size,
on success, and a negative value on error.
.Pp
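Review bot: the EXAMPLES section is removed here and re-added after RETURN VALUES in the next hunk, which matches the section order mdoc(7) prescribes; fine. The context line `function returns a pointer to the allocated buffer containing a the` carries a pre-existing typo (`a the`) that is worth fixing in the same commit since the adjacent lines are already being touched.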
@@ -323,6 +300,26 @@
containing a human readable security policy on success, and
.Dv NULL
on error.
+.Sh EXAMPLES
+Set a policy that all inbound packets are discarded.
+.Pp
+.Dl "in discard"
+.Pp
+.\"
+All outbound packets are required to be processed by IPsec and
+transported using ESP.
+.Pp
+.Dl "out ipsec esp/transport//require"
+.Pp
+.\"
+All inbound packets are required to be authenticated using the AH protocol.
+.Pp
+.Dl "in ipsec ah/transport//require"
+.Pp
+.\"
+Tunnel packets outbound through the endpoints at 10.1.1.2 and 10.1.1.1.
+.Pp
+.Dl "out ipsec esp/tunnel/10.1.1.2-10.1.1.1/require"
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ipsec 4 ,
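Review bot: switching the examples from `.Bd -literal`/`.Ed` blocks (each of which carried a stray blank line before `.Ed`) to `.Dl` one-liners is cleaner and renders the same text. The final `.Dl "out ipsec esp/tunnel/10.1.1.2-10.1.1.1/require"` is not followed by `.Pp` before `.Sh SEE ALSO`, which is correct because `.Sh` starts a new section; the interleaved `.\"` comment lines are harmless but no longer serve any purpose and could be dropped.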
@@ -332,4 +329,4 @@
.Pp
IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
was initially integrated into
-.Fx 4.0
+.Fx 4.0 .