svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf

Andrey V. Elsukov bu7cher at
Fri May 10 09:13:31 UTC 2019

On 10.05.2019 11:46, Alexey Dokuchaev wrote:
> On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote:
>> Author: gallatin
>> Date: Thu May  9 22:38:15 2019
>> New Revision: 347410
>> URL:
>> Log:
>>   Remove IPSEC from GENERIC due to performance issues
>> @@ -30,7 +30,6 @@ options 	PREEMPTION		# Enable ...
>>  options 	VIMAGE			# Subsystem virtualization, e.g. VNET
>>  options 	INET			# InterNETworking
>>  options 	INET6			# IPv6 communications protocols
>> -options 	IPSEC			# IP (v4/v6) security
>>  options 	IPSEC_SUPPORT		# Allow kldload of ipsec and tcpmd5
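Review bot: the `-options IPSEC` removal changes what a GENERIC kernel provides by default, yet the log line visible here gives only "performance issues" as the reason, with no measurement and no note on what existing IPsec users have to do. Since `options IPSEC_SUPPORT` stays and its comment says it allows kldload of ipsec and tcpmd5, the log should state that IPsec now has to be loaded as a module on GENERIC, and the IPSEC_SUPPORT comment could say why that option must remain compiled in.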
> I asked this question some two years ago, but no one could answer it
> back then, so I'll try again.
> What is the reason behind having IPSEC_SUPPORT option instead of no special
> option at all?  If I grep for SUPPORT in conf/GENERIC, I see things like
> INVARIANT_SUPPORT or IEEE80211_SUPPORT_MESH (with meaningful explanations)
> but IPSEC_SUPPORT which, per the comment, "allows to kldload of ipsec and
> tcpmd5", is totally beyond me.  Lots of kernel features are/can be loaded
> as modules, but we don't have things like SOUND_SUPPORT or USB_SUPPORT.

IPSEC_SUPPORT builds the PF_KEY domain protocol into the kernel, which is
required by the IPsec implementation to interact with userlevel. Currently
the kernel does not support unregistering of protocol domains. This is
mostly why the IPSEC_SUPPORT option was introduced. The second reason is to
reduce the overhead that IPSEC produces even when it is not used.

WBR, Andrey V. Elsukov
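
The distinction described in this reply, as an added example that is not part of the original message or of the FreeBSD tree: a shell function that reads kernel configuration text and reports whether IPsec is compiled in (`options IPSEC`), only loadable as a module (`IPSEC_SUPPORT` alone), or not available. The names `ipsec_mode` and `report` and the three sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a kernel config provides IPsec.
# ipsec_mode is a hypothetical helper; it reads config text on stdin
# and prints one of: builtin, loadable, unavailable.
ipsec_mode() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "options"   { split($2, kv, "="); opt[kv[1]] = 1 }
        $1 == "nooptions" { delete opt[$2] }      # a later nooptions removes it
        END {
            if ("IPSEC" in opt)              print "builtin"
            else if ("IPSEC_SUPPORT" in opt) print "loadable"
            else                             print "unavailable"
        }'
}

# Constructed samples. The first two mirror the hunk quoted in the thread.
before_r347410='options  INET6          # IPv6 communications protocols
options  IPSEC          # IP (v4/v6) security
options  IPSEC_SUPPORT  # Allow kldload of ipsec and tcpmd5'

after_r347410='options  INET6          # IPv6 communications protocols
options  IPSEC_SUPPORT  # Allow kldload of ipsec and tcpmd5'

# Constructed site config that drops both options again.
custom='options  IPSEC
options  IPSEC_SUPPORT
nooptions  IPSEC          # site override
nooptions  IPSEC_SUPPORT'

# Print the mode plus what it means for an operator.
report() {
    mode=$(printf '%s\n' "$2" | ipsec_mode)
    case $mode in
        builtin)  hint="IPsec is compiled into the kernel" ;;
        loadable) hint="PF_KEY is built in; kldload ipsec before use" ;;
        *)        hint="neither IPSEC nor IPSEC_SUPPORT is set" ;;
    esac
    printf '%s: %s (%s)\n' "$1" "$mode" "$hint"
}

report "GENERIC before r347410" "$before_r347410"
report "GENERIC after r347410"  "$after_r347410"
report "custom"                 "$custom"
```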


More information about the svn-src-head mailing list