svn commit: r325960 - in head/sys: modules/ipfw netpfil/ipfw

Andrey V. Elsukov ae at FreeBSD.org
Fri Nov 17 22:40:03 UTC 2017 

Author: ae
Date: Fri Nov 17 22:40:02 2017
New Revision: 325960
URL: https://svnweb.freebsd.org/changeset/base/325960

Log:
  Unconditionally enable support for O_IPSEC opcode.
  
  IPsec support can be loaded as kernel module, thus do not depend from
  kernel option IPSEC and always build O_IPSEC opcode implementation as
  enabled.
  
  Obtained from:	Yandex LLC
  MFC after:	1 week
  Sponsored by:	Yandex LLC

Modified:
  head/sys/modules/ipfw/Makefile
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/modules/ipfw/Makefile
==============================================================================
--- head/sys/modules/ipfw/Makefile	Fri Nov 17 20:53:52 2017	(r325959)
+++ head/sys/modules/ipfw/Makefile	Fri Nov 17 22:40:02 2017	(r325960)
@@ -7,7 +7,7 @@ SRCS=	ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c
 SRCS+=	ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c
 SRCS+=	ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c
 SRCS+=	ip_fw_table_value.c
-SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h opt_ipsec.h
+SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h
 
 CFLAGS+= -DIPFIREWALL
 #

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 17 20:53:52 2017	(r325959)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 17 22:40:02 2017	(r325960)
@@ -37,7 +37,6 @@ __FBSDID("$FreeBSD$");
 #error "IPFIREWALL requires INET"
 #endif /* INET */
 #include "opt_inet6.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1945,10 +1944,8 @@ do {								\
 				break;
 
 			case O_IPSEC:
-#ifdef IPSEC
 				match = (m_tag_find(m,
 				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
-#endif
 				/* otherwise no match */
 				break;
 
@@ -2563,7 +2560,7 @@ do {								\
 			case O_NAT:
 				l = 0;          /* exit inner loop */
 				done = 1;       /* exit outer loop */
- 				if (!IPFW_NAT_LOADED) {
+				if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				    retval = IP_FW_DENY;
 				    break;
 				}

More information about the svn-src-head mailing list