cvs commit: src/sbin/ipfw ipfw.8 src/share/man/man4 ipsec.4 src/sys/conf NOTES options src/sys/netinet ip_input.c ip_ipsec.c ip_ipsec.h src/sys/netinet6 ip6_ipsec.c ip6_ipsec.h

Sam Leffler sam at errno.com
Sun Aug 5 16:24:55 PDT 2007


Bjoern A. Zeeb wrote:
> On Sun, 5 Aug 2007, Bjoern A. Zeeb wrote:
> 
>> bz          2007-08-05 16:16:15 UTC
>>
>>  FreeBSD src repository
>>
>>  Modified files:
>>    sbin/ipfw            ipfw.8
>>    share/man/man4       ipsec.4
>>    sys/conf             NOTES options
>>    sys/netinet          ip_input.c ip_ipsec.c ip_ipsec.h
>>    sys/netinet6         ip6_ipsec.c ip6_ipsec.h
>>  Log:
>>  Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
>>  Also rename the related functions in a similar way.
>>  There are no functional changes.
>>
>>  For a packet coming in with IPsec tunnel mode, the default is
>>  to only call into the firewall with the "outer" IP header and
>>  payload.
>>
>>  With this option turned on, in addition to the "outer" parts,
>>  the "inner" IP header and payload are passed to the
>>  firewall too when going through ip_input() the second time.
>>
>>  The option was never only related to a gif(4) tunnel within
>>  an IPsec tunnel and thus the name was very misleading.
>>
>>  Discussed at:                   BSDCan 2007
>>  Best new name suggested by:     rwatson
>>  Reviewed by:                    rwatson
>>  Approved by:                    re (bmah)
>>
>>  Revision  Changes    Path
>>  1.203     +2 -2      src/sbin/ipfw/ipfw.8
>>  1.22      +3 -3      src/share/man/man4/ipsec.4
>>  1.1448    +4 -4      src/sys/conf/NOTES
>>  1.604     +1 -1      src/sys/conf/options
>>  1.331     +1 -1      src/sys/netinet/ip_input.c
>>  1.7       +3 -3      src/sys/netinet/ip_ipsec.c
>>  1.2       +1 -1      src/sys/netinet/ip_ipsec.h
>>  1.6       +3 -3      src/sys/netinet6/ip6_ipsec.c
>>  1.2       +1 -1      src/sys/netinet6/ip6_ipsec.h
> 
> 
> For netinet6 you will find the "helper" functions which are still
> unused. ip6_input() will need the same check that ip_input() has
> if we want feature parity with legacy IP (being able to not filter on
> the "inner" header/payload from an IPsec tunnel mode).
> 
> I am unsure why it's not yet there. Anyone know a reason other than
> "just missing"?

There was no IPv6 support when the FILTERGIF stuff was added.

	Sam