Date: Thu, 22 Dec 2016 12:32:59 +0000 (UTC)
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r310391 - projects/ipsec/sys/conf
Message-ID: <201612221232.uBMCWxei032317@repo.freebsd.org>
Author: ae
Date: Thu Dec 22 12:32:58 2016
New Revision: 310391
URL: https://svnweb.freebsd.org/changeset/base/310391

Log:
Add kernel option IPSEC_SUPPORT. It is supposed to be used in a kernel that supports IPsec as a kernel module. Currently we don't have the ability to unregister a network domain(9), thus to have loadable IPsec, we need PF_KEY to be built into the kernel. There will be three options to control the IPsec build:

* options IPSEC: all IPsec related code is built into the kernel.
* options TCP_SIGNATURE: TCP-MD5 support is built into the kernel.
* options IPSEC_SUPPORT: PF_KEY support is built into the kernel and IPsec consumer code contains runtime checks for the presence of IPsec modules.

TCP_SIGNATURE support is also planned to be implemented as a kernel module. If the kernel has the IPSEC_SUPPORT option, but not the TCP_SIGNATURE option, it will be possible to load TCP_SIGNATURE as a module. If the kernel has the IPSEC option, but not the TCP_SIGNATURE option, TCP_SIGNATURE support will not be available. If both IPSEC and IPSEC_SUPPORT are enabled, but TCP_SIGNATURE is not, TCP_SIGNATURE support would be available as a kernel module.

Modified: projects/ipsec/sys/conf/NOTES projects/ipsec/sys/conf/options Modified: projects/ipsec/sys/conf/NOTES ============================================================================== --- projects/ipsec/sys/conf/NOTES Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/NOTES Thu Dec 22 12:32:58 2016 (r310391) @@ -627,6 +627,11 @@ options TCP_OFFLOAD # TCP offload supp # In order to enable IPSEC you MUST also add device crypto to # your kernel configuration options IPSEC #IP security (requires device crypto) + +# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to +# load it as kernel module. You still MUST add device crypto to your kernel +# configuration. +options IPSEC_SUPPORT #options IPSEC_DEBUG #debug for IP security # 
@@ -1023,7 +1028,8 @@ options ACCEPT_FILTER_HTTP # carried in TCP option 19. This option is commonly used to protect # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable. # This is enabled on a per-socket basis using the TCP_MD5SIG socket option. -# This requires the use of 'device crypto' and 'options IPSEC'. +# This requires the use of 'device crypto' and one of 'options IPSEC' or +# 'options IPSEC_SUPPORT'. options TCP_SIGNATURE #include support for RFC 2385 # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL Modified: projects/ipsec/sys/conf/options ============================================================================== --- projects/ipsec/sys/conf/options Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/options Thu Dec 22 12:32:58 2016 (r310391) @@ -428,6 +428,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IPSEC_SUPPORT opt_ipsec.h IPSTEALTH KRPC LIBALIAS @@ -450,7 +451,7 @@ TCP_HHOOK opt_inet.h TCP_OFFLOAD opt_inet.h # Enable code to dispatch TCP offloading TCP_RFC7413 opt_inet.h TCP_RFC7413_MAX_KEYS opt_inet.h -TCP_SIGNATURE opt_inet.h +TCP_SIGNATURE opt_ipsec.h VLAN_ARRAY opt_vlan.h XBONEHACK FLOWTABLE opt_route.h
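Review bot: the comment added above `options IPSEC_SUPPORT` in NOTES (hunk @@ -627) leaves out what the option actually builds in: per the log message it compiles PF_KEY into the kernel and makes IPsec consumers carry runtime checks for the modules, and that is the information a reader of NOTES needs to choose between IPSEC and IPSEC_SUPPORT. Suggest saying so, and adding that the two options may be set together (the log describes both enabled as a valid configuration), since NOTES now turns on both and a reader may otherwise take that for an oversight. Minor: "# load it as kernel module." reads better as "# load it as a kernel module."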
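Review bot: the rewritten requirement line for TCP_SIGNATURE in NOTES (hunk @@ -1023) does not distinguish the two cases the log message describes: with IPSEC_SUPPORT but no TCP_SIGNATURE, TCP-MD5 is intended to become loadable as a module, whereas with IPSEC alone it is not available at all. A follow-on line such as "# With IPSEC_SUPPORT, TCP_SIGNATURE may also be loaded as a kernel module." would keep NOTES in step with that behaviour once the module lands.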
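Review bot: moving TCP_SIGNATURE from opt_inet.h to opt_ipsec.h in sys/conf/options (hunk @@ -450) changes which generated header defines the macro, so any source file that tests #ifdef TCP_SIGNATURE after including only opt_inet.h will now see it undefined and compile TCP-MD5 out with no build error. This commit touches only sys/conf, so the matching #include "opt_ipsec.h" additions need to land with it, or be confirmed already present; a grep for TCP_SIGNATURE under sys/ cross-checked against each file's opt_*.h includes would catch any stragglers.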