On Sun, 5 Aug 2007, Bjoern A. Zeeb wrote:

bz          2007-08-05 16:16:15 UTC

 FreeBSD src repository

 Modified files:
   sbin/ipfw            ipfw.8
   share/man/man4       ipsec.4
   sys/conf             NOTES options
   sys/netinet          ip_input.c ip_ipsec.c ip_ipsec.h
   sys/netinet6         ip6_ipsec.c ip6_ipsec.h
 Log:
 Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
 Also rename the related functions in a similar way.
 There are no functional changes.

 For a packet coming in with IPsec tunnel mode, the default is
 to only call into the firewall with the "outer" IP header and
 payload.

 With this option turned on, in addition to the "outer" parts,
 the "inner" IP header and payload are passed to the
 firewall too when going through ip_input() the second time.

 The option was never only related to a gif(4) tunnel within
 an IPsec tunnel and thus the name was very misleading.

 Discussed at:                   BSDCan 2007
 Best new name suggested by:     rwatson
 Reviewed by:                    rwatson
 Approved by:                    re (bmah)

 Revision  Changes    Path
 1.203     +2 -2      src/sbin/ipfw/ipfw.8
 1.22      +3 -3      src/share/man/man4/ipsec.4
 1.1448    +4 -4      src/sys/conf/NOTES
 1.604     +1 -1      src/sys/conf/options
 1.331     +1 -1      src/sys/netinet/ip_input.c
 1.7       +3 -3      src/sys/netinet/ip_ipsec.c
 1.2       +1 -1      src/sys/netinet/ip_ipsec.h
 1.6       +3 -3      src/sys/netinet6/ip6_ipsec.c
 1.2       +1 -1      src/sys/netinet6/ip6_ipsec.h


For netinet6 you will find the "helper" functions which are still
unused. ip6_input() will need the same check that ip_input() has
if we want feature parity with legacy IP (being able to not filter on
the "inner" header/payload from an IPsec tunnel mode).

I am unsure why it's not yet there. Anyone know a reason other than
"just missing"?


--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
