conf/128030: Isn't it time to enable IPsec in GENERIC?

Lionel Fourquaux lionel.fourquaux+fbsdbug at normalesup.org
Sun Oct 12 11:10:01 UTC 2008


>Number:         128030
>Category:       conf
>Synopsis:       Isn't it time to enable IPsec in GENERIC?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE-p5
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Wed Oct  1 10:10:12 UTC 2008     root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
I believe there is a clear case for enabling IPsec in the GENERIC kernel:
 * freebsd-update does not (and cannot) patch custom kernels, making it harder to maintain an IPsec-enabled FreeBSD environment;
 * AFAIK, the IPsec implementation in FreeBSD is not experimental any more;
 * AFAIK, there is no reason nowadays to try to squeeze the kernel in the smallest possible file, a few more kilobytes won't cause harm;
 * IPsec is more and more an "expected" part of a full-featured network stack (it's part of the IPv6 spec, and it's available out of the box in other OSes, be it OpenBSD, Linux, or even Windows).
Unless there is an overwhelming reason not to do it, having IPsec support (disabled by default, but with no need for a custom kernel build) looks like a good idea.

>How-To-Repeat:
Try to enable IPsec using a GENERIC kernel.
>Fix:
According to the handbook, this requires adding these lines to the GENERIC conf file.

options   IPSEC        #IP security
device    crypto

Bug report kern/97057 suggests that IPSEC_FILTERGIF is also required for pf to work correctly.


>Release-Note:
>Audit-Trail:
>Unformatted:
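As an added example (not part of this PR or of the FreeBSD source tree), a POSIX sh check that verifies a kernel config file carries the entries listed in the Fix section, including IPSEC_FILTERGIF, before a kernel is built from it; comment-only lines such as "#device crypto" are treated as absent. The sample config it reads is constructed here, not taken from GENERIC.

```shell
#!/bin/sh
# Check a FreeBSD kernel config for the IPsec-related lines this PR asks
# to add to GENERIC. Prints each missing entry; exit status 1 if any.
# Parsing: strip '#' comments, then match "options NAME" (also
# "options NAME=value") and "device NAME" on the remaining fields.

# Required entries from the PR (IPSEC_FILTERGIF per the kern/97057 note).
IPSEC_REQUIRED="options:IPSEC options:IPSEC_FILTERGIF device:crypto"

# kernconf_has FILE KIND NAME -> 0 if an uncommented "KIND NAME" line exists
kernconf_has() {
    sed -e 's/#.*$//' "$1" | awk -v kind="$2" -v name="$3" '
        $1 == kind { n = $2; sub(/=.*/, "", n); if (n == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# ipsec_kernconf_missing FILE -> prints each missing "KIND NAME" on its own
# line; returns 0 when nothing is missing, 1 otherwise
ipsec_kernconf_missing() {
    _missing=0
    for entry in $IPSEC_REQUIRED; do
        kind=${entry%%:*}
        name=${entry#*:}
        if ! kernconf_has "$1" "$kind" "$name"; then
            echo "$kind $name"
            _missing=1
        fi
    done
    return $_missing
}

# Constructed sample: a GENERIC-like stub where IPSEC is present, crypto is
# only present as a comment, and IPSEC_FILTERGIF is absent.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ident       GENERIC
options     INET            # InterNETworking
options     IPSEC           #IP security
#device     crypto
options     IPSEC_DEBUG
EOF

ipsec_kernconf_missing "$SAMPLE_CONF" || echo "add the lines above before building"
```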