Date: Tue, 23 Sep 2003 12:58:42 +0200 (MEST)
From: Adrian Steinmann <ast@marabu.ch>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Luigi Rizzo <rizzo@icir.org>
Subject: i386/57125: Comment to IPSEC_FILTERGIF in LINT is now misleading
Message-ID: <200309231058.h8NAwgn8063487@nano.marabu.ch>
Resent-Message-ID: <200309231100.h8NB0XjQ032597@freefall.freebsd.org>

>Number: 57125
>Category: i386
>Synopsis: Comment to IPSEC_FILTERGIF in LINT is now misleading
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 23 04:00:33 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Adrian Steinmann
>Release: FreeBSD 4.8-STYX-20030912 i386
>Organization: Webgroup Consulting AG
>Environment:
System: FreeBSD nano.marabu.ch 4.8-STYX-20030912 FreeBSD 4.8-STYX-20030912 #0: Fri Sep 12 23:38:08 GMT 2003 root@rumori.com:/usr/src/sys/compile/STYX i386

>Description:
ipfw now has the ipsec keyword which should work when options
IPSEC_FILTERGIF is enabled in kernel. LINT still seems to imply
that this feature cannot be used like in openbsd, yet this is no
longer true.

>How-To-Repeat:
Read /usr/src/sys/i386/conf/LINT:

    options IPSEC_FILTERGIF
    # Note that enabling this can be problematic as there are no mechanisms
    # in place for distinguishing packets coming out of a tunnel (e.g. no
    # encX devices as found on openbsd).

and read 'man ipsec':

    ...
    ipsec   Matches packets that have IPSEC history associated with
            them (i.e. the packet comes encapsulated in IPSEC, the
            kernel has IPSEC support and IPSEC_FILTERGIF option, and
            can correctly decapsulate it).
    ...

>Fix:
remove comment from LINT, or mention ipfw ipsec keyword there.

Adrian

>Release-Note:
>Audit-Trail:
>Unformatted: