svn commit: r304572 - in head: sbin/ipfw sys/conf sys/netinet sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Sun Aug 21 18:55:32 UTC 2016
Author: bz
Date: Sun Aug 21 18:55:30 2016
New Revision: 304572
URL: https://svnweb.freebsd.org/changeset/base/304572
Log:
Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated
more than 7 years ago in favour of a sysctl in r192648.
Modified:
head/sbin/ipfw/ipfw.8
head/sys/conf/NOTES
head/sys/conf/options
head/sys/netinet/ip_ipsec.c
head/sys/netinet6/ip6_ipsec.c
Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8 Sun Aug 21 18:37:21 2016 (r304571)
+++ head/sbin/ipfw/ipfw.8 Sun Aug 21 18:55:30 2016 (r304572)
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 13, 2016
+.Dd August 21, 2016
.Dt IPFW 8
.Os
.Sh NAME
@@ -1588,8 +1588,7 @@ Matches IPv4 packets whose precedence fi
.It Cm ipsec
Matches packets that have IPSEC history associated with them
(i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
-decapsulate it).
+has IPSEC support, and can correctly decapsulate it).
.Pp
Note that specifying
.Cm ipsec
Modified: head/sys/conf/NOTES
==============================================================================
--- head/sys/conf/NOTES Sun Aug 21 18:37:21 2016 (r304571)
+++ head/sys/conf/NOTES Sun Aug 21 18:55:30 2016 (r304572)
@@ -626,17 +626,6 @@ options TCP_OFFLOAD # TCP offload supp
options IPSEC #IP security (requires device crypto)
#options IPSEC_DEBUG #debug for IP security
#
-# #DEPRECATED#
-# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
-# coming through a tunnel to be processed by any configured packet filtering
-# twice. The default is that packets coming out of a tunnel are _not_ processed;
-# they are assumed trusted.
-#
-# IPSEC history is preserved for such packets, and can be filtered
-# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
-#
-#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
-#
# Set IPSEC_NAT_T to enable NAT-Traversal support. This enables
# optional UDP encapsulation of ESP packets.
#
Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options Sun Aug 21 18:37:21 2016 (r304571)
+++ head/sys/conf/options Sun Aug 21 18:55:30 2016 (r304572)
@@ -424,7 +424,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPSEC opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
-IPSEC_FILTERTUNNEL opt_ipsec.h
IPSEC_NAT_T opt_ipsec.h
IPSTEALTH
KRPC
Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Sun Aug 21 18:37:21 2016 (r304571)
+++ head/sys/netinet/ip_ipsec.c Sun Aug 21 18:55:30 2016 (r304572)
@@ -68,11 +68,7 @@ __FBSDID("$FreeBSD$");
extern struct protosw inetsw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
-#else
static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
-#endif
#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
SYSCTL_DECL(_net_inet_ipsec);
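Review bot: The surviving initialiser `static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;` has no comment saying what 0 means, and this commit also deletes the only explanation, which lived in sys/conf/NOTES. A kernel that was built with the option started with 1, so after this change such a host comes up with decapsulated tunnel traffic skipping the packet filters unless the sysctl is set at boot. I would add a comment above the definition such as `/* 0: packets leaving an IPsec tunnel are not run through the packet filters again and are treated as trusted; set the filtertunnel sysctl to 1 to filter them. */`. The same applies to `ip6_ipsec6_filtertunnel` in the sys/netinet6/ip6_ipsec.c hunk. An UPDATING entry telling administrators to move the setting to sysctl.conf would also help; none is visible among the modified files.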
Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c Sun Aug 21 18:37:21 2016 (r304571)
+++ head/sys/netinet6/ip6_ipsec.c Sun Aug 21 18:55:30 2016 (r304572)
@@ -79,11 +79,7 @@ __FBSDID("$FreeBSD$");
extern struct protosw inet6sw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
-#else
static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
-#endif
#define V_ip6_ipsec6_filtertunnel VNET(ip6_ipsec6_filtertunnel)
SYSCTL_DECL(_net_inet6_ipsec6);