svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
Andrey V. Elsukov
bu7cher at yandex.ru
Fri May 10 09:13:31 UTC 2019
On 10.05.2019 11:46, Alexey Dokuchaev wrote:
> On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote:
>> Author: gallatin
>> Date: Thu May 9 22:38:15 2019
>> New Revision: 347410
>> URL: https://svnweb.freebsd.org/changeset/base/347410
>> Remove IPSEC from GENERIC due to performance issues
>> @@ -30,7 +30,6 @@ options PREEMPTION # Enable ...
>> options VIMAGE # Subsystem virtualization, e.g. VNET
>> options INET # InterNETworking
>> options INET6 # IPv6 communications protocols
>> -options IPSEC # IP (v4/v6) security
>> options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
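Review bot: The comment on the retained `options IPSEC_SUPPORT` line at the end of this hunk still reads only "Allow kldload of ipsec and tcpmd5". With `options IPSEC` removed, nothing in this config tells a reader that IPsec now depends on loading the ipsec module. Consider expanding that comment to say so, since anyone relying on IPsec with a GENERIC kernel will need that step after this change. The log line "due to performance issues" would also be easier to evaluate with a pointer to the measurements behind it.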
> I've asked this question some two years ago, but no one could answer it
> back then, so I'll try again.
> What is the reason behind having IPSEC_SUPPORT option instead of no special
> option at all? If I grep for SUPPORT in conf/GENERIC, I see things like
> INVARIANT_SUPPORT or IEEE80211_SUPPORT_MESH (with meaningful explanations)
> but IPSEC_SUPPORT which, per the comment, "allows to kldload of ipsec and
> tcpmd5", is totally beyond me. Lots of kernel features are/can be loaded
> as modules, but we don't have things like SOUND_SUPPORT or USB_SUPPORT.
IPSEC_SUPPORT builds the PF_KEY domain protocol into the kernel, which is
required by the IPsec implementation to interact with userlevel. Currently
the kernel does not support unregistering of protocol domains. This is
mostly why the IPSEC_SUPPORT option was introduced. The second reason is to
reduce the overhead that IPSEC produces even when it is not used.
WBR, Andrey V. Elsukov