Re: svn commit: r304572 - in head: sbin/ipfw sys/conf sys/netinet sys/netinet6

2016-08-21 Thread Slawa Olhovchenkov
On Sun, Aug 21, 2016 at 07:20:12PM +, Bjoern A. Zeeb wrote:

> On 21 Aug 2016, at 19:08, Slawa Olhovchenkov wrote:
> 
> > On Sun, Aug 21, 2016 at 06:55:30PM +, Bjoern A. Zeeb wrote:
> >
> >> Author: bz
> >> Date: Sun Aug 21 18:55:30 2016
> >> New Revision: 304572
> >> URL: https://svnweb.freebsd.org/changeset/base/304572
> >>
> >> Log:
> >>   Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was 
> >> deprecated
> >>   more than 7 years ago in favour of a sysctl in r192648.
> >
> > Need note to UPDAING.
> 
> Why?  The default behaviour hasn’t changed and a new custom kernel 
> with the option will not compile anymore.  Is there a compelling reason 
> to warn users anyway?

Old configs no longer compile and need updating? That breaks
compatibility and needs to be recorded in UPDATING (because that is the
place where people look for information about events like this).
Has the behavior changed after updating the config? Yes. That also needs
to be recorded in UPDATING.
Does restoring the old behavior require updating /boot/loader.conf? Yes.
That also needs to be documented.

Good documentation is very positive for karma :)

Re: svn commit: r304572 - in head: sbin/ipfw sys/conf sys/netinet sys/netinet6

2016-08-21 Thread Bjoern A. Zeeb

On 21 Aug 2016, at 19:08, Slawa Olhovchenkov wrote:


On Sun, Aug 21, 2016 at 06:55:30PM +, Bjoern A. Zeeb wrote:


Author: bz
Date: Sun Aug 21 18:55:30 2016
New Revision: 304572
URL: https://svnweb.freebsd.org/changeset/base/304572

Log:
  Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was 
deprecated

  more than 7 years ago in favour of a sysctl in r192648.


Need note to UPDAING.


Why?  The default behaviour hasn’t changed and a new custom kernel 
with the option will not compile anymore.  Is there a compelling reason 
to warn users anyway?


Re: svn commit: r304572 - in head: sbin/ipfw sys/conf sys/netinet sys/netinet6

2016-08-21 Thread Slawa Olhovchenkov
On Sun, Aug 21, 2016 at 06:55:30PM +, Bjoern A. Zeeb wrote:

> Author: bz
> Date: Sun Aug 21 18:55:30 2016
> New Revision: 304572
> URL: https://svnweb.freebsd.org/changeset/base/304572
> 
> Log:
>   Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated
>   more than 7 years ago in favour of a sysctl in r192648.

This needs a note in UPDATING.

> Modified:
>   head/sbin/ipfw/ipfw.8
>   head/sys/conf/NOTES
>   head/sys/conf/options
>   head/sys/netinet/ip_ipsec.c
>   head/sys/netinet6/ip6_ipsec.c
> 
> Modified: head/sbin/ipfw/ipfw.8
> ==
> --- head/sbin/ipfw/ipfw.8 Sun Aug 21 18:37:21 2016(r304571)
> +++ head/sbin/ipfw/ipfw.8 Sun Aug 21 18:55:30 2016(r304572)
> @@ -1,7 +1,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd August 13, 2016
> +.Dd August 21, 2016
>  .Dt IPFW 8
>  .Os
>  .Sh NAME
> @@ -1588,8 +1588,7 @@ Matches IPv4 packets whose precedence fi
>  .It Cm ipsec
>  Matches packets that have IPSEC history associated with them
>  (i.e., the packet comes encapsulated in IPSEC, the kernel
> -has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
> -decapsulate it).
> +has IPSEC support, and can correctly decapsulate it).
>  .Pp
>  Note that specifying
>  .Cm ipsec
> 
> Modified: head/sys/conf/NOTES
> ==
> --- head/sys/conf/NOTES   Sun Aug 21 18:37:21 2016(r304571)
> +++ head/sys/conf/NOTES   Sun Aug 21 18:55:30 2016(r304572)
> @@ -626,17 +626,6 @@ options  TCP_OFFLOAD # TCP offload supp
>  options  IPSEC   #IP security (requires device crypto)
>  #options IPSEC_DEBUG #debug for IP security
>  #
> -# #DEPRECATED#
> -# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
> -# coming through a tunnel to be processed by any configured packet filtering
> -# twice. The default is that packets coming out of a tunnel are _not_ 
> processed;
> -# they are assumed trusted.
> -#
> -# IPSEC history is preserved for such packets, and can be filtered
> -# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
> -#
> -#options IPSEC_FILTERTUNNEL  #filter ipsec packets from a tunnel
> -#
>  # Set IPSEC_NAT_T to enable NAT-Traversal support.  This enables
>  # optional UDP encapsulation of ESP packets.
>  #
> 
> Modified: head/sys/conf/options
> ==
> --- head/sys/conf/options Sun Aug 21 18:37:21 2016(r304571)
> +++ head/sys/conf/options Sun Aug 21 18:55:30 2016(r304572)
> @@ -424,7 +424,6 @@ IPFIREWALL_VERBOSEopt_ipfw.h
>  IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
>  IPSECopt_ipsec.h
>  IPSEC_DEBUG  opt_ipsec.h
> -IPSEC_FILTERTUNNEL   opt_ipsec.h
>  IPSEC_NAT_T  opt_ipsec.h
>  IPSTEALTH
>  KRPC
> 
> Modified: head/sys/netinet/ip_ipsec.c
> ==
> --- head/sys/netinet/ip_ipsec.c   Sun Aug 21 18:37:21 2016
> (r304571)
> +++ head/sys/netinet/ip_ipsec.c   Sun Aug 21 18:55:30 2016
> (r304572)
> @@ -68,11 +68,7 @@ __FBSDID("$FreeBSD$");
>  
>  extern   struct protosw inetsw[];
>  
> -#ifdef IPSEC_FILTERTUNNEL
> -static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
> -#else
>  static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
> -#endif
>  #define  V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
>  
>  SYSCTL_DECL(_net_inet_ipsec);
> 
> Modified: head/sys/netinet6/ip6_ipsec.c
> ==
> --- head/sys/netinet6/ip6_ipsec.c Sun Aug 21 18:37:21 2016
> (r304571)
> +++ head/sys/netinet6/ip6_ipsec.c Sun Aug 21 18:55:30 2016
> (r304572)
> @@ -79,11 +79,7 @@ __FBSDID("$FreeBSD$");
>  
>  extern   struct protosw inet6sw[];
>  
> -#ifdef IPSEC_FILTERTUNNEL
> -static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
> -#else
>  static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
> -#endif
>  #define  V_ip6_ipsec6_filtertunnel   VNET(ip6_ipsec6_filtertunnel)
>  
>  SYSCTL_DECL(_net_inet6_ipsec6);


svn commit: r304572 - in head: sbin/ipfw sys/conf sys/netinet sys/netinet6

2016-08-21 Thread Bjoern A. Zeeb
Author: bz
Date: Sun Aug 21 18:55:30 2016
New Revision: 304572
URL: https://svnweb.freebsd.org/changeset/base/304572

Log:
  Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated
  more than 7 years ago in favour of a sysctl in r192648.

Modified:
  head/sbin/ipfw/ipfw.8
  head/sys/conf/NOTES
  head/sys/conf/options
  head/sys/netinet/ip_ipsec.c
  head/sys/netinet6/ip6_ipsec.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Sun Aug 21 18:37:21 2016(r304571)
+++ head/sbin/ipfw/ipfw.8   Sun Aug 21 18:55:30 2016(r304572)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 13, 2016
+.Dd August 21, 2016
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1588,8 +1588,7 @@ Matches IPv4 packets whose precedence fi
 .It Cm ipsec
 Matches packets that have IPSEC history associated with them
 (i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
-decapsulate it).
+has IPSEC support, and can correctly decapsulate it).
 .Pp
 Note that specifying
 .Cm ipsec

Modified: head/sys/conf/NOTES
==
--- head/sys/conf/NOTES Sun Aug 21 18:37:21 2016(r304571)
+++ head/sys/conf/NOTES Sun Aug 21 18:55:30 2016(r304572)
@@ -626,17 +626,6 @@ optionsTCP_OFFLOAD # TCP offload supp
 optionsIPSEC   #IP security (requires device crypto)
 #options   IPSEC_DEBUG #debug for IP security
 #
-# #DEPRECATED#
-# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
-# coming through a tunnel to be processed by any configured packet filtering
-# twice. The default is that packets coming out of a tunnel are _not_ 
processed;
-# they are assumed trusted.
-#
-# IPSEC history is preserved for such packets, and can be filtered
-# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
-#
-#options   IPSEC_FILTERTUNNEL  #filter ipsec packets from a tunnel
-#
 # Set IPSEC_NAT_T to enable NAT-Traversal support.  This enables
 # optional UDP encapsulation of ESP packets.
 #

Modified: head/sys/conf/options
==
--- head/sys/conf/options   Sun Aug 21 18:37:21 2016(r304571)
+++ head/sys/conf/options   Sun Aug 21 18:55:30 2016(r304572)
@@ -424,7 +424,6 @@ IPFIREWALL_VERBOSE  opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT   opt_ipfw.h
 IPSEC  opt_ipsec.h
 IPSEC_DEBUGopt_ipsec.h
-IPSEC_FILTERTUNNEL opt_ipsec.h
 IPSEC_NAT_Topt_ipsec.h
 IPSTEALTH
 KRPC

Modified: head/sys/netinet/ip_ipsec.c
==
--- head/sys/netinet/ip_ipsec.c Sun Aug 21 18:37:21 2016(r304571)
+++ head/sys/netinet/ip_ipsec.c Sun Aug 21 18:55:30 2016(r304572)
@@ -68,11 +68,7 @@ __FBSDID("$FreeBSD$");
 
 extern struct protosw inetsw[];
 
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
-#else
 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
-#endif
 #defineV_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
 
 SYSCTL_DECL(_net_inet_ipsec);
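Review bot: The surviving definition `static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;` is left with no explanation of what the default means, because the only description in this change set is the NOTES paragraph that the commit deletes, which said packets coming out of a tunnel are not processed by the packet filters and are assumed trusted. I would put a comment above the definition, for example `/* 0: packets decapsulated from an IPsec tunnel are not run through the packet filters again (assumed trusted); adjustable at run time via the filtertunnel sysctl. */`. The same comment is missing on `ip6_ipsec6_filtertunnel` in the ip6_ipsec.c hunk. The sysctl definition is outside both hunks, so its exact node name should be confirmed there before it is spelled out in the comment.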

Modified: head/sys/netinet6/ip6_ipsec.c
==
--- head/sys/netinet6/ip6_ipsec.c   Sun Aug 21 18:37:21 2016
(r304571)
+++ head/sys/netinet6/ip6_ipsec.c   Sun Aug 21 18:55:30 2016
(r304572)
@@ -79,11 +79,7 @@ __FBSDID("$FreeBSD$");
 
 extern struct protosw inet6sw[];
 
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
-#else
 static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
-#endif
 #defineV_ip6_ipsec6_filtertunnel   VNET(ip6_ipsec6_filtertunnel)
 
 SYSCTL_DECL(_net_inet6_ipsec6);