Date: Sun, 12 Oct 2008 11:05:48 GMT
From: Lionel Fourquaux
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: conf/128030: Isn't it time to enable IPsec in GENERIC?
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Sun, 12 Oct 2008 11:10:01 -0000

>Number:         128030
>Category:       conf
>Synopsis:       Isn't it time to enable IPsec in GENERIC?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE-p5
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Wed Oct 1 10:10:12 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I believe there is a clear case for enabling IPsec in the GENERIC kernel:

 * freebsd-update does not (and cannot) patch custom kernels, making it
   harder to maintain an IPsec-enabled FreeBSD environment;
 * AFAIK, the IPsec implementation in FreeBSD is not experimental any more;
 * AFAIK, there is no reason nowadays to try to squeeze the kernel in the
   smallest possible file; a few more kilobytes won't cause harm;
 * IPsec is more and more an "expected" part of a full-featured network
   stack (it's part of the IPv6 spec, and it's available out of the box
   in other OSes, be it OpenBSD, Linux, or even Windows).

Unless there is an overwhelming reason not to do it, having IPsec support
(disabled by default, but with no need for a custom kernel build) looks like
a good idea.
>How-To-Repeat:
Try to enable IPsec using a GENERIC kernel.
>Fix:
According to the handbook, this requires adding these lines to the GENERIC
conf file.

    options   IPSEC        #IP security
    device    crypto

Bug report kern/97057 suggests that IPSEC_FILTERGIF is also required for pf
to work correctly.
>Release-Note:
>Audit-Trail:
>Unformatted:
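
Added example, not part of the original PR or of FreeBSD: a POSIX shell check that a kernel configuration text enables the two lines named in the Fix section, honoring comments and later nooptions/nodevice lines. The function name ipsec_config_check and the sample input are constructed for illustration, and "include" lines are assumed to be already expanded.

```shell
#!/bin/sh
# Added example: does a kernel config (stdin) enable the two Fix-section lines,
# "options IPSEC" and "device crypto"? Later nooptions/nodevice lines win.
# Assumption: "include" lines are not followed; pass the fully expanded config.
ipsec_config_check() {
    awk '
        { sub(/#.*/, "") }                 # drop comments; fields are re-split
        NF < 2 { next }                    # need a keyword and at least one name
        {
            kw = $1
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, ",")  # names may be comma separated
                for (j = 1; j <= n; j++) {
                    name = parts[j]
                    sub(/=.*/, "", name)   # ignore any "=value" suffix
                    if (name == "") continue
                    if (kw == "options")   opt[name] = 1
                    if (kw == "nooptions") opt[name] = 0
                    if (kw == "device")    dev[name] = 1
                    if (kw == "nodevice")  dev[name] = 0
                }
            }
        }
        END {
            missing = ""
            if (!opt["IPSEC"])  missing = missing " options:IPSEC"
            if (!dev["crypto"]) missing = missing " device:crypto"
            if (missing != "") { print "missing:" missing; exit 1 }
            print "ok"
        }
    '
}

# Constructed sample input (not a real GENERIC file): the Fix section's lines.
printf 'options\tIPSEC\t#IP security\ndevice\tcrypto\n' | ipsec_config_check
```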