i386/57125: Comment to IPSEC_FILTERGIF in LINT is now misleading
Adrian Steinmann
ast at marabu.ch
Tue Sep 23 04:00:38 PDT 2003
>Number: 57125
>Category: i386
>Synopsis: Comment to IPSEC_FILTERGIF in LINT is now misleading
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 23 04:00:33 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Adrian Steinmann
>Release: FreeBSD 4.8-STYX-20030912 i386
>Organization:
Webgroup Consulting AG
>Environment:
System: FreeBSD nano.marabu.ch 4.8-STYX-20030912 FreeBSD 4.8-STYX-20030912 #0: Fri Sep 12 23:38:08 GMT 2003 root at rumori.com:/usr/src/sys/compile/STYX i386
>Description:
ipfw now has the ipsec keyword, which should work when
options IPSEC_FILTERGIF is enabled in the kernel. LINT still
seems to imply that this feature cannot be used like in
OpenBSD, yet this is no longer true.
>How-To-Repeat:
Read /usr/src/sys/i386/conf/LINT:

    options IPSEC_FILTERGIF
    # Note that enabling this can be problematic as there are no mechanisms
    # in place for distinguishing packets coming out of a tunnel (e.g. no
    # encX devices as found on openbsd).

and read 'man ipsec':

    ...
    ipsec   Matches packets that have IPSEC history associated with them
            (i.e. the packet comes encapsulated in IPSEC, the kernel has
            IPSEC support and IPSEC_FILTERGIF option, and can correctly
            decapsulate it).
    ...
>Fix:
Remove the comment from LINT, or mention the ipfw ipsec keyword there.
Adrian
>Release-Note:
>Audit-Trail:
>Unformatted: