svn commit: r310391 - projects/ipsec/sys/conf
Andrey V. Elsukov
ae at FreeBSD.org
Thu Dec 22 12:33:00 UTC 2016
Author: ae
Date: Thu Dec 22 12:32:58 2016
New Revision: 310391
URL: https://svnweb.freebsd.org/changeset/base/310391
Log:
Add kernel option IPSEC_SUPPORT.
It is intended for kernels that support IPsec as a kernel module.
Currently we don't have the ability to unregister a network domain(9), thus to
have loadable IPsec, PF_KEY needs to be built into the kernel.
There will be three options to control IPsec build:
* options IPSEC: all IPsec related code is build in the kernel.
* options TCP_SIGNATURE: TCP-MD5 support is build in the kernel.
* options IPSEC_SUPPORT:
PF_KEY support is build in the kernel and IPsec consumer code contains
runtime checks for presence of IPsec modules.
TCP_SIGNATURE support is also planned to be implemented as kernel module.
If kernel has IPSEC_SUPPORT option, but has not TCP_SIGNATURE option,
it will be possible to load TCP_SIGNATURE as module.
If kernel has IPSEC option, but has not TCP_SIGNATURE option - TCP_SIGNATURE
support will not be available.
If both IPSEC and IPSEC_SUPPORT are enabled, but TCP_SIGNATURE is not -
TCP_SIGNATURE support would be available as kernel module.
Modified:
projects/ipsec/sys/conf/NOTES
projects/ipsec/sys/conf/options
Modified: projects/ipsec/sys/conf/NOTES
==============================================================================
--- projects/ipsec/sys/conf/NOTES Thu Dec 22 12:18:40 2016 (r310390)
+++ projects/ipsec/sys/conf/NOTES Thu Dec 22 12:32:58 2016 (r310391)
@@ -627,6 +627,11 @@ options TCP_OFFLOAD # TCP offload supp
# In order to enable IPSEC you MUST also add device crypto to
# your kernel configuration
options IPSEC #IP security (requires device crypto)
+
+# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to
+# load it as kernel module. You still MUST add device crypto to your kernel
+# configuration.
+options IPSEC_SUPPORT
#options IPSEC_DEBUG #debug for IP security
#
@@ -1023,7 +1028,8 @@ options ACCEPT_FILTER_HTTP
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
-# This requires the use of 'device crypto' and 'options IPSEC'.
+# This requires the use of 'device crypto' and one of 'options IPSEC' or
+# 'options IPSEC_SUPPORT'.
options TCP_SIGNATURE #include support for RFC 2385
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
Modified: projects/ipsec/sys/conf/options
==============================================================================
--- projects/ipsec/sys/conf/options Thu Dec 22 12:18:40 2016 (r310390)
+++ projects/ipsec/sys/conf/options Thu Dec 22 12:32:58 2016 (r310391)
@@ -428,6 +428,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPSEC opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
+IPSEC_SUPPORT opt_ipsec.h
IPSTEALTH
KRPC
LIBALIAS
@@ -450,7 +451,7 @@ TCP_HHOOK opt_inet.h
TCP_OFFLOAD opt_inet.h # Enable code to dispatch TCP offloading
TCP_RFC7413 opt_inet.h
TCP_RFC7413_MAX_KEYS opt_inet.h
-TCP_SIGNATURE opt_inet.h
+TCP_SIGNATURE opt_ipsec.h
VLAN_ARRAY opt_vlan.h
XBONEHACK
FLOWTABLE opt_route.h
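Review bot: Moving TCP_SIGNATURE from opt_inet.h to opt_ipsec.h changes which generated header defines the macro, so any source file that tests `#ifdef TCP_SIGNATURE` while including only opt_inet.h would now compile with TCP-MD5 support silently left out instead of failing to build; this hunk does not show the consumers being updated, so they should be audited in the same change set (which files are affected is not visible here). A silent drop of signature verification would leave sessions that rely on TCP-MD5, such as the BGP case the NOTES hunk mentions, unprotected without any build-time diagnostic. It would help to record the dependency next to the option, in the same trailing-comment style the file already uses: `TCP_SIGNATURE opt_ipsec.h # consumers must include opt_ipsec.h (moved from opt_inet.h)`.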