i386/57125: Comment to IPSEC_FILTERGIF in LINT is now misleading

[Adrian Steinmann]

>Number:         57125
>Category:       i386
>Synopsis:       Comment to IPSEC_FILTERGIF in LINT is now misleading
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 23 04:00:33 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Steinmann
>Release:        FreeBSD 4.8-STYX-20030912 i386
>Organization:
Webgroup Consulting AG
>Environment:
System: FreeBSD nano.marabu.ch 4.8-STYX-20030912 FreeBSD 4.8-STYX-20030912 #0: Fri Sep 12 23:38:08 GMT 2003 root at rumori.com:/usr/src/sys/compile/STYX i386
>Description:
	ipfw now has the ipsec keyword which should work when
	options IPSEC_FILTERGIF is enabled in kernel. LINT still
	seems to imply that this feature cannot be used like in
	openbsd, yet this is no longer true.
>How-To-Repeat:
	Read /usr/src/sys/i386/conf/LINT:

options IPSEC_FILTERGIF
# Note that enabling this can be problematic as there are no mechanisms
# in place for distinguishing packets coming out of a tunnel (e.g. no
# encX devices as found on openbsd).

and read 'man ipsec':
...
     ipsec   Matches packets that have IPSEC history associated with them
             (i.e. the packet comes encapsulated in IPSEC, the kernel has
             IPSEC support and IPSEC_FILTERGIF option, and can correctly
             decapsulate it).
...


>Fix:

remove comment from LINT, or mention ipfw ipsec keyword there.

Adrian
>Release-Note:
>Audit-Trail:
>Unformatted: