From: "Andrey V. Elsukov"
Date: Thu, 22 Dec 2016 12:32:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r310391 - projects/ipsec/sys/conf
Message-Id: <201612221232.uBMCWxei032317@repo.freebsd.org>

Author: ae
Date: Thu Dec 22 12:32:58 2016
New Revision: 310391
URL: https://svnweb.freebsd.org/changeset/base/310391

Log:
  Add kernel option IPSEC_SUPPORT. It is supposed to be used in a kernel
  that supports IPsec as a kernel module. Currently we don't have the
  ability to unregister a network domain(9), thus to have loadable IPsec,
  we need PF_KEY to be built into the kernel.

  There will be three options to control the IPsec build:
  * options IPSEC: all IPsec related code is built into the kernel.
  * options TCP_SIGNATURE: TCP-MD5 support is built into the kernel.
  * options IPSEC_SUPPORT: PF_KEY support is built into the kernel and
    IPsec consumer code contains runtime checks for the presence of IPsec
    modules.

  TCP_SIGNATURE support is also planned to be implemented as a kernel
  module. If the kernel has the IPSEC_SUPPORT option but not the
  TCP_SIGNATURE option, it will be possible to load TCP_SIGNATURE as a
  module. If the kernel has the IPSEC option but not the TCP_SIGNATURE
  option, TCP_SIGNATURE support will not be available. If both IPSEC and
  IPSEC_SUPPORT are enabled but TCP_SIGNATURE is not, TCP_SIGNATURE
  support would be available as a kernel module.
Modified: projects/ipsec/sys/conf/NOTES projects/ipsec/sys/conf/options Modified: projects/ipsec/sys/conf/NOTES ============================================================================== --- projects/ipsec/sys/conf/NOTES Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/NOTES Thu Dec 22 12:32:58 2016 (r310391) @@ -627,6 +627,11 @@ options TCP_OFFLOAD # TCP offload supp # In order to enable IPSEC you MUST also add device crypto to # your kernel configuration options IPSEC #IP security (requires device crypto) + +# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to +# load it as kernel module. You still MUST add device crypto to your kernel +# configuration. +options IPSEC_SUPPORT #options IPSEC_DEBUG #debug for IP security # @@ -1023,7 +1028,8 @@ options ACCEPT_FILTER_HTTP # carried in TCP option 19. This option is commonly used to protect # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable. # This is enabled on a per-socket basis using the TCP_MD5SIG socket option. -# This requires the use of 'device crypto' and 'options IPSEC'. +# This requires the use of 'device crypto' and one of 'options IPSEC' or +# 'options IPSEC_SUPPORT'. options TCP_SIGNATURE #include support for RFC 2385 # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL Modified: projects/ipsec/sys/conf/options ============================================================================== --- projects/ipsec/sys/conf/options Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/options Thu Dec 22 12:32:58 2016 (r310391) @@ -428,6 +428,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IPSEC_SUPPORT opt_ipsec.h IPSTEALTH KRPC LIBALIAS 
@@ -450,7 +451,7 @@ TCP_HHOOK opt_inet.h TCP_OFFLOAD opt_inet.h # Enable code to dispatch TCP offloading TCP_RFC7413 opt_inet.h TCP_RFC7413_MAX_KEYS opt_inet.h -TCP_SIGNATURE opt_inet.h +TCP_SIGNATURE opt_ipsec.h VLAN_ARRAY opt_vlan.h XBONEHACK FLOWTABLE opt_route.h
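Review bot: in the NOTES hunk at @@ -627 the new IPSEC_SUPPORT comment does not say what happens when IPSEC and IPSEC_SUPPORT are both set, which the log message does cover (TCP_SIGNATURE then becomes loadable as a module); NOTES is where a kernel-config author will look, so one sentence there would save readers a trip to the commit log. Minor: "as kernel module" reads better as "as a kernel module".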
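Review bot: in the TCP_SIGNATURE comment at @@ -1023 the new text only says it needs "one of 'options IPSEC' or 'options IPSEC_SUPPORT'", while the log says TCP_SIGNATURE itself is planned to become a module when only IPSEC_SUPPORT is present; suggest adding that leaving 'options TCP_SIGNATURE' out of an IPSEC_SUPPORT kernel is what keeps that module path open, so readers do not add both reflexively.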
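Review bot: the options hunk at @@ -428 only declares IPSEC_SUPPORT in opt_ipsec.h; nothing in this commit consumes the macro, and an IPSEC_SUPPORT-only kernel will now define that symbol while IPSEC stays undefined, so every `#ifdef IPSEC` in the consumer code the log mentions has to be revisited in the follow-up that adds the runtime checks. Note also that a config(8) options entry cannot express the "requires device crypto" dependency stated in NOTES, so that dependency remains documentation only and a misconfigured kernel will fail at link or load time rather than at config time.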
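Review bot: moving TCP_SIGNATURE from opt_inet.h to opt_ipsec.h at @@ -450 changes which generated header defines the macro; any source file that tests `#ifdef TCP_SIGNATURE` but includes only opt_inet.h will now compile silently with the option off instead of failing. The include-side updates should land in the same commit, or the log should say they follow, so a bisect does not hit a kernel with TCP-MD5 quietly disabled.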
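The log describes three build flavours and a consumer-side runtime check for the IPSEC_SUPPORT case. The following is an added illustration of that rule set, not code from FreeBSD or from this branch: the names `ipsec_support_register`, `ipsec_support_unregister`, `ipsec_methods`, `tcp_signature_available` and the sample module are hypothetical stand-ins, and the fallback `#define` replaces what opt_ipsec.h would supply.

```c
/* Added illustration, not FreeBSD code: how an IPsec consumer such as
 * TCP-MD5 can honour the three build flavours described in the log
 * (IPSEC, IPSEC_SUPPORT, neither).  All names here are hypothetical. */
#include <stddef.h>

/* A real kernel gets these from opt_ipsec.h; default to IPSEC_SUPPORT
 * so the loadable-module path is the one exercised when run stand-alone. */
#if !defined(IPSEC) && !defined(IPSEC_SUPPORT) && !defined(TCP_SIGNATURE)
#define IPSEC_SUPPORT 1
#endif

/* Entry points a loadable IPsec/TCP-MD5 module would hand to the kernel. */
struct ipsec_methods {
	int (*tcp_md5_sign)(const void *pkt, size_t len);
};

#ifdef IPSEC_SUPPORT
/* Only PF_KEY is compiled in; the module fills this on load, clears on unload. */
static const struct ipsec_methods *ipsec_mod = NULL;

int ipsec_support_register(const struct ipsec_methods *m) {
	if (ipsec_mod != NULL)
		return -1;	/* refuse a second registration */
	ipsec_mod = m;
	return 0;
}

void ipsec_support_unregister(void) { ipsec_mod = NULL; }
#endif

/* Consumer-side check, mirroring the rules in the commit log:
 * built-in TCP_SIGNATURE -> always on; IPSEC_SUPPORT -> ask at runtime;
 * IPSEC alone without TCP_SIGNATURE -> never available. */
int tcp_signature_available(void) {
#if defined(TCP_SIGNATURE)
	return 1;
#elif defined(IPSEC_SUPPORT)
	return ipsec_mod != NULL && ipsec_mod->tcp_md5_sign != NULL;
#else
	return 0;
#endif
}

/* Constructed stand-in for a module's signing routine (no real MD5 here). */
static int sample_sign(const void *pkt, size_t len) { (void)pkt; return len > 0; }
const struct ipsec_methods sample_ipsec_module = { sample_sign };
```

Compiling with -DTCP_SIGNATURE or -DIPSEC instead of the default shows the compile-time branches; only the IPSEC_SUPPORT build has a registration path at all.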