From: "Andrey V. Elsukov"
Date: Fri, 3 Feb 2017 00:00:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r313115 - in projects/ipsec: share/man/man4 sys/conf sys/net sys/netipsec

Author: ae
Date: Fri Feb 3 00:00:19 2017
New Revision: 313115
URL: https://svnweb.freebsd.org/changeset/base/313115

Log:
  Fix the wording.

  Submitted by: wblock

Modified:
  projects/ipsec/share/man/man4/ipsec.4
  projects/ipsec/share/man/man4/tcp.4
  projects/ipsec/share/man/man4/udp.4
  projects/ipsec/sys/conf/NOTES
  projects/ipsec/sys/net/if_ipsec.c
  projects/ipsec/sys/netipsec/ipsec.c
  projects/ipsec/sys/netipsec/ipsec.h

Modified: projects/ipsec/share/man/man4/ipsec.4 ============================================================================== --- projects/ipsec/share/man/man4/ipsec.4 Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/share/man/man4/ipsec.4 Fri Feb 3 00:00:19 2017 (r313115) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 24, 2017 +.Dd February 3, 2017 .Dt IPSEC 4 .Os .Sh NAME 
@@ -152,13 +152,13 @@ Refer to .Xr setkey 8 on how to use it. .Pp -Depending from the socket's address family, IPPROTO_IP or IPPROTO_IPV6 +Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6 transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options may be used to configure per-socket security policies. -The properly formed IPsec policy specification structure can be +A properly-formed IPsec policy specification structure can be created using .Xr ipsec_set_policy 3 -function and used as socket option value for +function and used as socket option value for the .Xr setsockopt 2 call. .Pp 
@@ -284,23 +284,22 @@ talks more about the behavior. If set to non-zero, debug messages will be generated via .Xr syslog 3 . .It Li ipsec.natt_cksum_policy -This variable controls how the kernel handles TCP and UDP checksums -when ESP in UDP encapsulation is used for IPsec transport mode. -If set to non-zero value, the kernel fully recomputes checksums for +Controls how the kernel handles TCP and UDP checksums when ESP in UDP +encapsulation is used for IPsec transport mode. +If set to a non-zero value, the kernel fully recomputes checksums for inbound TCP segments and UDP datagrams after they are decapsulated and -decrypted. +decrypted. If set to 0 and original addresses were configured for corresponding SA -by the IKE daemon, the kernel will incrementally recompute checksums for -inbound TCP segments and UDP datagrams. -If addresses weren't configured, the checksums will be ignored. +by the IKE daemon, the kernel incrementally recomputes checksums for +inbound TCP segments and UDP datagrams. +If addresses were not configured, the checksums are ignored. .It Li ipsec.check_policy_history -This variable enables strict policy checking for inbound packets. -The default behavior for inbound security policies is just make sure, -that a handled by IPsec packet was decrypted and authenticated. -If this variable is set to non-zero value, each handled by IPsec packet -will be checked against the history of used IPsec security associations. -The check requires matching of the IPsec security protocol, mode, and SA -addresses. +Enables strict policy checking for inbound packets. +By default, inbound security policies check that packets handled by IPsec +have been decrypted and authenticated. +If this variable is set to a non-zero value, each packet handled by IPsec +is checked against the history of IPsec security associations. +The IPsec security protocol, mode, and SA addresses must match. 
.El .Pp Variables under the Modified: projects/ipsec/share/man/man4/tcp.4 ============================================================================== --- projects/ipsec/share/man/man4/tcp.4 Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/share/man/man4/tcp.4 Fri Feb 3 00:00:19 2017 (r313115) @@ -34,7 +34,7 @@ .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd January 1, 2017 +.Dd February 3, 2017 .Dt TCP 4 .Os .Sh NAME @@ -273,9 +273,9 @@ This option enables the use of MD5 diges on writes to the specified socket. Outgoing traffic is digested; digests on incoming traffic are verified. -When socket has enabled this option, all outgoing TCP segments +When this option is enabled on a socket, all outgoing TCP segments must be signed with MD5 digests, and all inbound TCP segments -also must be signed. +must also be signed. .Pp One common use for this in a .Fx @@ -291,10 +291,9 @@ utility. This entry can only be specified on a per-host basis at this time. .Pp If an SADB entry cannot be found for the destination, -the system will not send any outgoing segments and will drop any -inbound segments. +the system does not send any outgoing segments and drops any inbound segments. .Pp -Each dropped segment will be taken into account in the TCP protocol statistics. +Each dropped segment is taken into account in the TCP protocol statistics. .El .Pp The option level for the Modified: projects/ipsec/share/man/man4/udp.4 ============================================================================== --- projects/ipsec/share/man/man4/udp.4 Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/share/man/man4/udp.4 Fri Feb 3 00:00:19 2017 (r313115) @@ -28,7 +28,7 @@ .\" @(#)udp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd December 12, 2016 +.Dd February 3, 2017 .Dt UDP 4 .Os .Sh NAME 
@@ -106,9 +106,9 @@ level to encapsulate .Tn ESP packets in .Tn UDP . -The only one supported value for this option is +Only one value is supported for this option: .Tn UDP_ENCAP_ESPINUDP -from RFC 3948 defined in +from RFC 3948, defined in .In netinet/udp.h . .Sh MIB VARIABLES The Modified: projects/ipsec/sys/conf/NOTES ============================================================================== --- projects/ipsec/sys/conf/NOTES Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/sys/conf/NOTES Fri Feb 3 00:00:19 2017 (r313115) @@ -630,8 +630,8 @@ options TCP_OFFLOAD # TCP offload supp # your kernel configuration options IPSEC #IP security (requires device crypto) -# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to -# load it as kernel module. You still MUST add device crypto to your kernel +# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to +# load it as a kernel module. You still MUST add device crypto to your kernel # configuration. options IPSEC_SUPPORT #options IPSEC_DEBUG #debug for IP security @@ -1029,7 +1029,7 @@ options ACCEPT_FILTER_HTTP # carried in TCP option 19. This option is commonly used to protect # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable. # This is enabled on a per-socket basis using the TCP_MD5SIG socket option. -# This requires the use of 'device crypto' and one of 'options IPSEC' or +# This requires the use of 'device crypto' and either 'options IPSEC' or # 'options IPSEC_SUPPORT'. options TCP_SIGNATURE #include support for RFC 2385 Modified: projects/ipsec/sys/net/if_ipsec.c ============================================================================== --- projects/ipsec/sys/net/if_ipsec.c Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/sys/net/if_ipsec.c Fri Feb 3 00:00:19 2017 (r313115) 
@@ -879,7 +879,7 @@ ipsec_set_addresses(struct ifnet *ifp, s } /* - * We can not service IPsec tunnel when source address is + * We cannot service IPsec tunnel when source address is * not our own. */ #ifdef INET Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/sys/netipsec/ipsec.c Fri Feb 3 00:00:19 2017 (r313115) @@ -182,10 +182,10 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF "AH tunnel mode default level."); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, - "If set clear type-of-service field when doing AH computation."); + "If set, clear type-of-service field when doing AH computation."); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, - "If not set clear offset field mask when doing AH computation."); + "If not set, clear offset field mask when doing AH computation."); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0, "Do not fragment bit on encap."); @@ -203,7 +203,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, na "Method to fix TCP/UDP checksum for transport mode IPsec after NAT."); SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0, - "If set filter packets from an IPsec tunnel."); + "If set, filter packets from an IPsec tunnel."); SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); 
@@ -266,7 +266,7 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_E "Explicit Congestion Notification handling."); SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel), 0, - "If set filter packets from an IPsec tunnel."); + "If set, filter packets from an IPsec tunnel."); SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics."); #endif /* INET6 */ Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Thu Feb 2 23:18:13 2017 (r313114) +++ projects/ipsec/sys/netipsec/ipsec.h Fri Feb 3 00:00:19 2017 (r313115) @@ -112,10 +112,10 @@ struct secpolicy { * PCB security policies. * Application can setup private security policies for socket. * Such policies can have IPSEC, BYPASS and ENTRUST type. - * By default policies set to NULL, this mean that they have ENTRUST type. - * When application sets BYPASS or IPSEC type policy, flags field - * also updated. In case when flags is not set, the system could store - * used security policy into the sp_in/sp_out pointer to speedup further + * By default, policies are set to NULL. This means that they have ENTRUST type. + * When application sets BYPASS or IPSEC type policy, the flags field + * is also updated. When flags is not set, the system could store + * used security policy into the sp_in/sp_out pointer to speed up further * lookups. */ struct inpcbpolicy {
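Review bot: in the ipsec.4 hunk at @@ -152, the added line `+A properly-formed IPsec policy specification structure can be` hyphenates an -ly adverb; it should read "A properly formed IPsec policy specification structure". The neighbouring change `+function and used as socket option value for the` still lacks an article before "socket option value"; "used as the socket option value for the" would complete the wording fix.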
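Review bot: in the ipsec.4 hunk at @@ -284, the rewritten check_policy_history paragraph drops a word that carried meaning: the old text said "checked against the history of used IPsec security associations", while the new line `+is checked against the history of IPsec security associations.` no longer says the history is of the SAs that actually processed the packet. Suggest "is checked against the security associations that were used to process it". Two smaller points in the same hunk: the pair `-decrypted.` / `+decrypted.` shows no visible difference and is presumably a trailing-whitespace change, which is worth a word in the log so readers do not hunt for it, and the unchanged context line "were configured for corresponding SA" would read better as "for the corresponding SA" while this paragraph is being touched.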
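Review bot: in the if_ipsec.c hunk at @@ -879, the comment fix only replaces "can not" with "cannot"; since the line is being edited anyway, the missing articles could go in the same change: "We cannot service an IPsec tunnel when the source address is not our own."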
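Review bot: in the ipsec.c hunk at @@ -182, the second description `+ "If not set, clear offset field mask when doing AH computation."` is still hard to parse after the comma is added: it is unclear whether "clear" applies to the offset field or to the mask, and "if not set" combined with "clear" reads as a double negative. Restating what ah_offsetmask controls in a single clause would be clearer than punctuating the existing sentence.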
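Review bot: in the ipsec.h hunk at @@ -112, the comment still reads awkwardly after the change: `+ * When application sets BYPASS or IPSEC type policy, the flags field` and `+ * is also updated. When flags is not set, the system could store` want "When an application sets a BYPASS or IPSEC type policy, the flags field is also updated" and "When the flags field is not set, the system may cache the security policy it used in the sp_in/sp_out pointer to speed up further lookups". "could store" suggests a possibility rather than describing what the code does.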