svn commit: r313115 - in projects/ipsec: share/man/man4 sys/conf sys/net sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Fri Feb 3 00:00:21 UTC 2017
Author: ae
Date: Fri Feb 3 00:00:19 2017
New Revision: 313115
URL: https://svnweb.freebsd.org/changeset/base/313115
Log:
Fix the wording.
Submitted by: wblock
Modified:
projects/ipsec/share/man/man4/ipsec.4
projects/ipsec/share/man/man4/tcp.4
projects/ipsec/share/man/man4/udp.4
projects/ipsec/sys/conf/NOTES
projects/ipsec/sys/net/if_ipsec.c
projects/ipsec/sys/netipsec/ipsec.c
projects/ipsec/sys/netipsec/ipsec.h
Modified: projects/ipsec/share/man/man4/ipsec.4
==============================================================================
--- projects/ipsec/share/man/man4/ipsec.4 Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/share/man/man4/ipsec.4 Fri Feb 3 00:00:19 2017 (r313115)
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 24, 2017
+.Dd February 3, 2017
.Dt IPSEC 4
.Os
.Sh NAME
@@ -152,13 +152,13 @@ Refer to
.Xr setkey 8
on how to use it.
.Pp
-Depending from the socket's address family, IPPROTO_IP or IPPROTO_IPV6
+Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
may be used to configure per-socket security policies.
-The properly formed IPsec policy specification structure can be
+A properly-formed IPsec policy specification structure can be
created using
.Xr ipsec_set_policy 3
-function and used as socket option value for
+function and used as socket option value for the
.Xr setsockopt 2
call.
.Pp
@@ -284,23 +284,22 @@ talks more about the behavior.
If set to non-zero, debug messages will be generated via
.Xr syslog 3 .
.It Li ipsec.natt_cksum_policy
-This variable controls how the kernel handles TCP and UDP checksums
-when ESP in UDP encapsulation is used for IPsec transport mode.
-If set to non-zero value, the kernel fully recomputes checksums for
+Controls how the kernel handles TCP and UDP checksums when ESP in UDP
+encapsulation is used for IPsec transport mode.
+If set to a non-zero value, the kernel fully recomputes checksums for
inbound TCP segments and UDP datagrams after they are decapsulated and
-decrypted.
+decrypted.
If set to 0 and original addresses were configured for corresponding SA
-by the IKE daemon, the kernel will incrementally recompute checksums for
-inbound TCP segments and UDP datagrams.
-If addresses weren't configured, the checksums will be ignored.
+by the IKE daemon, the kernel incrementally recomputes checksums for
+inbound TCP segments and UDP datagrams.
+If addresses were not configured, the checksums are ignored.
.It Li ipsec.check_policy_history
-This variable enables strict policy checking for inbound packets.
-The default behavior for inbound security policies is just make sure,
-that a handled by IPsec packet was decrypted and authenticated.
-If this variable is set to non-zero value, each handled by IPsec packet
-will be checked against the history of used IPsec security associations.
-The check requires matching of the IPsec security protocol, mode, and SA
-addresses.
+Enables strict policy checking for inbound packets.
+By default, inbound security policies check that packets handled by IPsec
+have been decrypted and authenticated.
+If this variable is set to a non-zero value, each packet handled by IPsec
+is checked against the history of IPsec security associations.
+The IPsec security protocol, mode, and SA addresses must match.
.El
.Pp
Variables under the
Modified: projects/ipsec/share/man/man4/tcp.4
==============================================================================
--- projects/ipsec/share/man/man4/tcp.4 Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/share/man/man4/tcp.4 Fri Feb 3 00:00:19 2017 (r313115)
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd January 1, 2017
+.Dd February 3, 2017
.Dt TCP 4
.Os
.Sh NAME
@@ -273,9 +273,9 @@ This option enables the use of MD5 diges
on writes to the specified socket.
Outgoing traffic is digested;
digests on incoming traffic are verified.
-When socket has enabled this option, all outgoing TCP segments
+When this option is enabled on a socket, all outgoing TCP segments
must be signed with MD5 digests, and all inbound TCP segments
-also must be signed.
+must also be signed.
.Pp
One common use for this in a
.Fx
@@ -291,10 +291,9 @@ utility.
This entry can only be specified on a per-host basis at this time.
.Pp
If an SADB entry cannot be found for the destination,
-the system will not send any outgoing segments and will drop any
-inbound segments.
+the system does not send any outgoing segments and drops any inbound segments.
.Pp
-Each dropped segment will be taken into account in the TCP protocol statistics.
+Each dropped segment is taken into account in the TCP protocol statistics.
.El
.Pp
The option level for the
Modified: projects/ipsec/share/man/man4/udp.4
==============================================================================
--- projects/ipsec/share/man/man4/udp.4 Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/share/man/man4/udp.4 Fri Feb 3 00:00:19 2017 (r313115)
@@ -28,7 +28,7 @@
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd December 12, 2016
+.Dd February 3, 2017
.Dt UDP 4
.Os
.Sh NAME
@@ -106,9 +106,9 @@ level to encapsulate
.Tn ESP
packets in
.Tn UDP .
-The only one supported value for this option is
+Only one value is supported for this option:
.Tn UDP_ENCAP_ESPINUDP
-from RFC 3948 defined in
+from RFC 3948, defined in
.In netinet/udp.h .
.Sh MIB VARIABLES
The
Modified: projects/ipsec/sys/conf/NOTES
==============================================================================
--- projects/ipsec/sys/conf/NOTES Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/sys/conf/NOTES Fri Feb 3 00:00:19 2017 (r313115)
@@ -630,8 +630,8 @@ options TCP_OFFLOAD # TCP offload supp
# your kernel configuration
options IPSEC #IP security (requires device crypto)
-# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to
-# load it as kernel module. You still MUST add device crypto to your kernel
+# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to
+# load it as a kernel module. You still MUST add device crypto to your kernel
# configuration.
options IPSEC_SUPPORT
#options IPSEC_DEBUG #debug for IP security
@@ -1029,7 +1029,7 @@ options ACCEPT_FILTER_HTTP
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
-# This requires the use of 'device crypto' and one of 'options IPSEC' or
+# This requires the use of 'device crypto' and either 'options IPSEC' or
# 'options IPSEC_SUPPORT'.
options TCP_SIGNATURE #include support for RFC 2385
Modified: projects/ipsec/sys/net/if_ipsec.c
==============================================================================
--- projects/ipsec/sys/net/if_ipsec.c Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/sys/net/if_ipsec.c Fri Feb 3 00:00:19 2017 (r313115)
@@ -879,7 +879,7 @@ ipsec_set_addresses(struct ifnet *ifp, s
}
/*
- * We can not service IPsec tunnel when source address is
+ * We cannot service IPsec tunnel when source address is
* not our own.
*/
#ifdef INET
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/sys/netipsec/ipsec.c Fri Feb 3 00:00:19 2017 (r313115)
@@ -182,10 +182,10 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF
"AH tunnel mode default level.");
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0,
- "If set clear type-of-service field when doing AH computation.");
+ "If set, clear type-of-service field when doing AH computation.");
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0,
- "If not set clear offset field mask when doing AH computation.");
+ "If not set, clear offset field mask when doing AH computation.");
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
"Do not fragment bit on encap.");
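Review bot: The reworded `ah_offsetmask` description, `"If not set, clear offset field mask when doing AH computation."`, still reads as an on/off switch, although the backing variable is named `ip4_ah_offsetmask`, which suggests the sysctl holds a mask value. The code that consumes it is not part of this diff, so this needs confirming; if it is a mask, a description such as `"Mask applied to the IP offset field when doing AH computation."` would tell an operator what a non-zero value does. The neighbouring `dfbit` description, `"Do not fragment bit on encap."`, also does not say what each value selects and could be expanded in the same pass.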
@@ -203,7 +203,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, na
"Method to fix TCP/UDP checksum for transport mode IPsec after NAT.");
SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0,
- "If set filter packets from an IPsec tunnel.");
+ "If set, filter packets from an IPsec tunnel.");
SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
ipsec4stat, "IPsec IPv4 statistics.");
@@ -266,7 +266,7 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_E
"Explicit Congestion Notification handling.");
SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel), 0,
- "If set filter packets from an IPsec tunnel.");
+ "If set, filter packets from an IPsec tunnel.");
SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
#endif /* INET6 */
Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h Thu Feb 2 23:18:13 2017 (r313114)
+++ projects/ipsec/sys/netipsec/ipsec.h Fri Feb 3 00:00:19 2017 (r313115)
@@ -112,10 +112,10 @@ struct secpolicy {
* PCB security policies.
* Application can setup private security policies for socket.
* Such policies can have IPSEC, BYPASS and ENTRUST type.
- * By default policies set to NULL, this mean that they have ENTRUST type.
- * When application sets BYPASS or IPSEC type policy, flags field
- * also updated. In case when flags is not set, the system could store
- * used security policy into the sp_in/sp_out pointer to speedup further
+ * By default, policies are set to NULL. This means that they have ENTRUST type.
+ * When application sets BYPASS or IPSEC type policy, the flags field
+ * is also updated. When flags is not set, the system could store
+ * used security policy into the sp_in/sp_out pointer to speed up further
* lookups.
*/
struct inpcbpolicy {
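Review bot: The unchanged line `Application can setup private security policies for socket.` in this comment has the same noun-for-verb slip that the commit fixes for `speedup`, and should read `An application can set up private security policies for a socket.`. In the reworded sentence, `the system could store used security policy into the sp_in/sp_out pointer` reads as a hypothetical; if caching is what actually happens, `the system may cache the policy it used in the sp_in/sp_out pointers` says more plainly which policy ends up attached to the socket. The body of `struct inpcbpolicy` lies outside the hunk, so the `flags`, `sp_in` and `sp_out` fields named here cannot be checked against the comment.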