From: "Bjoern A. Zeeb"
Date: Sun, 5 Aug 2007 16:30:05 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 src/share/man/man4 ipsec.4 src/sys/conf NOTES options src/sys/netinet ip_input.c ip_ipsec.c ip_ipsec.h src/sys/netinet6 ip6_ipsec.c ip6_ipsec.h
Message-ID: <20070805161921.P87821@maildrop.int.zabbadoz.net>
In-Reply-To: <200708051616.l75GGGe4018242@repoman.freebsd.org>

On Sun, 5 Aug 2007, Bjoern A. Zeeb wrote:

> bz          2007-08-05 16:16:15 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sbin/ipfw            ipfw.8
>     share/man/man4       ipsec.4
>     sys/conf             NOTES options
>     sys/netinet          ip_input.c ip_ipsec.c ip_ipsec.h
>     sys/netinet6         ip6_ipsec.c ip6_ipsec.h
>   Log:
>   Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
>   Also rename the related functions in a similar way.
>   There are no functional changes.
>
>   For a packet coming in with IPsec tunnel mode, the default is
>   to only call into the firewall with the "outer" IP header and
>   payload.
>
>   With this option turned on, in addition to the "outer" parts,
>   the "inner" IP header and payload are passed to the
>   firewall too when going through ip_input() the second time.
>
>   The option was never only related to a gif(4) tunnel within
>   an IPsec tunnel and thus the name was very misleading.
>
>   Discussed at:                   BSDCan 2007
>   Best new name suggested by:     rwatson
>   Reviewed by:                    rwatson
>   Approved by:                    re (bmah)
>
>   Revision  Changes    Path
>   1.203     +2 -2      src/sbin/ipfw/ipfw.8
>   1.22      +3 -3      src/share/man/man4/ipsec.4
>   1.1448    +4 -4      src/sys/conf/NOTES
>   1.604     +1 -1      src/sys/conf/options
>   1.331     +1 -1      src/sys/netinet/ip_input.c
>   1.7       +3 -3      src/sys/netinet/ip_ipsec.c
>   1.2       +1 -1      src/sys/netinet/ip_ipsec.h
>   1.6       +3 -3      src/sys/netinet6/ip6_ipsec.c
>   1.2       +1 -1      src/sys/netinet6/ip6_ipsec.h

For netinet6 you will find the "helper" functions which are still unused.
ip6_input() will need the same check that ip_input() has if we want
feature parity with legacy IP (being able to not filter on the "inner"
header/payload from an IPsec tunnel mode)

I am unsure why it's not yet there. Anyone know a reason other than
"just missing"?

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
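
Added example, not part of the original message and not FreeBSD source: a toy C model of the two passes through the input path described in the commit log, showing that a firewall rule on the "inner" source address only matches when the option is on. All function and struct names are hypothetical and the addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model only; every name below is hypothetical, not FreeBSD kernel code. */
struct pkt {
    const char *src;          /* source address in this IP header */
    const struct pkt *inner;  /* tunnel-mode payload, NULL if none */
};
/* Stand-in firewall: counts calls, drops packets from one blocked source. */
static bool fw_pass(const struct pkt *p, const char *blocked, size_t *calls)
{
    (*calls)++;
    return strcmp(p->src, blocked) != 0;
}

/* Two passes through the input path; filtertunnel models IPSEC_FILTERTUNNEL. */
static bool model_input(const struct pkt *p, bool from_tunnel, bool filtertunnel,
                        const char *blocked, size_t *calls)
{
    /* Outer packet is always filtered; the decapsulated one only with the option. */
    if (!from_tunnel || filtertunnel) {
        if (!fw_pass(p, blocked, calls))
            return false;                 /* dropped by the firewall */
    }
    if (p->inner != NULL)                 /* IPsec decapsulates, input runs again */
        return model_input(p->inner, true, filtertunnel, blocked, calls);
    return true;                          /* delivered */
}
/* Constructed sample: gateway address outside, remote host address inside. */
static const struct pkt inner_pkt = { "10.1.2.3", NULL };
static const struct pkt outer_pkt = { "192.0.2.1", &inner_pkt };

/* Is a packet delivered when the firewall blocks the inner source address? */
static bool delivered_with_blocked_inner(bool filtertunnel, size_t *calls)
{
    *calls = 0;
    return model_input(&outer_pkt, false, filtertunnel, "10.1.2.3", calls);
}

int main(void)
{
    size_t n;
    for (int opt = 0; opt <= 1; opt++) {
        bool d = delivered_with_blocked_inner(opt, &n);
        printf("IPSEC_FILTERTUNNEL=%d delivered=%d firewall calls=%zu\n", opt, d, n);
    }
    return 0;
}
```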