svn commit: r313115 - in projects/ipsec: share/man/man4 sys/conf sys/net sys/netipsec

Andrey V. Elsukov ae at FreeBSD.org
Fri Feb 3 00:00:21 UTC 2017 

Author: ae
Date: Fri Feb  3 00:00:19 2017
New Revision: 313115
URL: https://svnweb.freebsd.org/changeset/base/313115

Log:
  Fix the wording.
  
  Submitted by:	wblock

Modified:
  projects/ipsec/share/man/man4/ipsec.4
  projects/ipsec/share/man/man4/tcp.4
  projects/ipsec/share/man/man4/udp.4
  projects/ipsec/sys/conf/NOTES
  projects/ipsec/sys/net/if_ipsec.c
  projects/ipsec/sys/netipsec/ipsec.c
  projects/ipsec/sys/netipsec/ipsec.h

Modified: projects/ipsec/share/man/man4/ipsec.4
==============================================================================
--- projects/ipsec/share/man/man4/ipsec.4	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/share/man/man4/ipsec.4	Fri Feb  3 00:00:19 2017	(r313115)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 24, 2017
+.Dd February 3, 2017
 .Dt IPSEC 4
 .Os
 .Sh NAME
@@ -152,13 +152,13 @@ Refer to
 .Xr setkey 8
 on how to use it.
 .Pp
-Depending from the socket's address family, IPPROTO_IP or IPPROTO_IPV6
+Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
 transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
 may be used to configure per-socket security policies.
-The properly formed IPsec policy specification structure can be
+A properly-formed IPsec policy specification structure can be
 created using
 .Xr ipsec_set_policy 3
-function and used as socket option value for
+function and used as socket option value for the
 .Xr setsockopt 2
 call.
 .Pp
@@ -284,23 +284,22 @@ talks more about the behavior.
 If set to non-zero, debug messages will be generated via
 .Xr syslog 3 .
 .It Li ipsec.natt_cksum_policy
-This variable controls how the kernel handles TCP and UDP checksums
-when ESP in UDP encapsulation is used for IPsec transport mode.
-If set to non-zero value, the kernel fully recomputes checksums for 
+Controls how the kernel handles TCP and UDP checksums when ESP in UDP
+encapsulation is used for IPsec transport mode.
+If set to a non-zero value, the kernel fully recomputes checksums for
 inbound TCP segments and UDP datagrams after they are decapsulated and
-decrypted. 
+decrypted.
 If set to 0 and original addresses were configured for corresponding SA
-by the IKE daemon, the kernel will incrementally recompute checksums for
-inbound TCP segments and UDP datagrams. 
-If addresses weren't configured, the checksums will be ignored.
+by the IKE daemon, the kernel incrementally recomputes checksums for
+inbound TCP segments and UDP datagrams.
+If addresses were not configured, the checksums are ignored.
 .It Li ipsec.check_policy_history
-This variable enables strict policy checking for inbound packets.
-The default behavior for inbound security policies is just make sure,
-that a handled by IPsec packet was decrypted and authenticated.
-If this variable is set to non-zero value, each handled by IPsec packet
-will be checked against the history of used IPsec security associations.
-The check requires matching of the IPsec security protocol, mode, and SA
-addresses.
+Enables strict policy checking for inbound packets.
+By default, inbound security policies check that packets handled by IPsec
+have been decrypted and authenticated.
+If this variable is set to a non-zero value, each packet handled by IPsec
+is checked against the history of IPsec security associations.
+The IPsec security protocol, mode, and SA addresses must match.
 .El
 .Pp
 Variables under the

Modified: projects/ipsec/share/man/man4/tcp.4
==============================================================================
--- projects/ipsec/share/man/man4/tcp.4	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/share/man/man4/tcp.4	Fri Feb  3 00:00:19 2017	(r313115)
@@ -34,7 +34,7 @@
 .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
 .\" $FreeBSD$
 .\"
-.Dd January 1, 2017
+.Dd February 3, 2017
 .Dt TCP 4
 .Os
 .Sh NAME
@@ -273,9 +273,9 @@ This option enables the use of MD5 diges
 on writes to the specified socket.
 Outgoing traffic is digested;
 digests on incoming traffic are verified.
-When socket has enabled this option, all outgoing TCP segments
+When this option is enabled on a socket, all outgoing TCP segments
 must be signed with MD5 digests, and all inbound TCP segments
-also must be signed.
+must also be signed.
 .Pp
 One common use for this in a
 .Fx
@@ -291,10 +291,9 @@ utility.
 This entry can only be specified on a per-host basis at this time.
 .Pp
 If an SADB entry cannot be found for the destination,
-the system will not send any outgoing segments and will drop any
-inbound segments.
+the system does not send any outgoing segments and drops any inbound segments.
 .Pp
-Each dropped segment will be taken into account in the TCP protocol statistics.
+Each dropped segment is taken into account in the TCP protocol statistics.
 .El
 .Pp
 The option level for the

Modified: projects/ipsec/share/man/man4/udp.4
==============================================================================
--- projects/ipsec/share/man/man4/udp.4	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/share/man/man4/udp.4	Fri Feb  3 00:00:19 2017	(r313115)
@@ -28,7 +28,7 @@
 .\"     @(#)udp.4	8.1 (Berkeley) 6/5/93
 .\" $FreeBSD$
 .\"
-.Dd December 12, 2016
+.Dd February 3, 2017
 .Dt UDP 4
 .Os
 .Sh NAME
@@ -106,9 +106,9 @@ level to encapsulate
 .Tn ESP
 packets in
 .Tn UDP .
-The only one supported value for this option is
+Only one value is supported for this option:
 .Tn UDP_ENCAP_ESPINUDP
-from RFC 3948 defined in
+from RFC 3948, defined in
 .In netinet/udp.h .
 .Sh MIB VARIABLES
 The

Modified: projects/ipsec/sys/conf/NOTES
==============================================================================
--- projects/ipsec/sys/conf/NOTES	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/sys/conf/NOTES	Fri Feb  3 00:00:19 2017	(r313115)
@@ -630,8 +630,8 @@ options 	TCP_OFFLOAD		# TCP offload supp
 # your kernel configuration
 options 	IPSEC			#IP security (requires device crypto)
 
-# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to 
-# load it as kernel module. You still MUST add device crypto to your kernel
+# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to 
+# load it as a kernel module. You still MUST add device crypto to your kernel
 # configuration.
 options		IPSEC_SUPPORT
 #options 	IPSEC_DEBUG		#debug for IP security
@@ -1029,7 +1029,7 @@ options 	ACCEPT_FILTER_HTTP
 # carried in TCP option 19. This option is commonly used to protect
 # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
 # This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
-# This requires the use of 'device crypto' and one of 'options IPSEC' or
+# This requires the use of 'device crypto' and either 'options IPSEC' or
 # 'options IPSEC_SUPPORT'.
 options 	TCP_SIGNATURE		#include support for RFC 2385
 

Modified: projects/ipsec/sys/net/if_ipsec.c
==============================================================================
--- projects/ipsec/sys/net/if_ipsec.c	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/sys/net/if_ipsec.c	Fri Feb  3 00:00:19 2017	(r313115)
@@ -879,7 +879,7 @@ ipsec_set_addresses(struct ifnet *ifp, s
 
 	}
 	/*
-	 * We can not service IPsec tunnel when source address is
+	 * We cannot service IPsec tunnel when source address is
 	 * not our own.
 	 */
 #ifdef INET

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/sys/netipsec/ipsec.c	Fri Feb  3 00:00:19 2017	(r313115)
@@ -182,10 +182,10 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF
 	"AH tunnel mode default level.");
 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
-	"If set clear type-of-service field when doing AH computation.");
+	"If set, clear type-of-service field when doing AH computation.");
 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
-	"If not set clear offset field mask when doing AH computation.");
+	"If not set, clear offset field mask when doing AH computation.");
 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
 	"Do not fragment bit on encap.");
@@ -203,7 +203,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, na
 	"Method to fix TCP/UDP checksum for transport mode IPsec after NAT.");
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0,
-	"If set filter packets from an IPsec tunnel.");
+	"If set, filter packets from an IPsec tunnel.");
 SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
     ipsec4stat, "IPsec IPv4 statistics.");
 
@@ -266,7 +266,7 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_E
 	"Explicit Congestion Notification handling.");
 SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel,
 	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel),  0,
-	"If set filter packets from an IPsec tunnel.");
+	"If set, filter packets from an IPsec tunnel.");
 SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
     struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
 #endif /* INET6 */

Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h	Thu Feb  2 23:18:13 2017	(r313114)
+++ projects/ipsec/sys/netipsec/ipsec.h	Fri Feb  3 00:00:19 2017	(r313115)
@@ -112,10 +112,10 @@ struct secpolicy {
  * PCB security policies.
  * Application can setup private security policies for socket.
  * Such policies can have IPSEC, BYPASS and ENTRUST type.
- * By default policies set to NULL, this mean that they have ENTRUST type.
- * When application sets BYPASS or IPSEC type policy, flags field
- * also updated. In case when flags is not set, the system could store
- * used security policy into the sp_in/sp_out pointer to speedup further
+ * By default, policies are set to NULL. This means that they have ENTRUST type.
+ * When application sets BYPASS or IPSEC type policy, the flags field
+ * is also updated. When flags is not set, the system could store
+ * used security policy into the sp_in/sp_out pointer to speed up further
  * lookups.
  */
 struct inpcbpolicy {

More information about the svn-src-projects mailing list