Message-ID: <46B65D98.9090000@errno.com>
Date: Sun, 05 Aug 2007 16:30:32 -0700
From: Sam Leffler
To: "Bjoern A. Zeeb"
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
References: <200708051616.l75GGGe4018242@repoman.freebsd.org> <20070805161921.P87821@maildrop.int.zabbadoz.net>
In-Reply-To: <20070805161921.P87821@maildrop.int.zabbadoz.net>
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 src/share/man/man4 ipsec.4 src/sys/conf NOTES options src/sys/netinet ip_input.c ip_ipsec.c ip_ipsec.h src/sys/netinet6 ip6_ipsec.c ip6_ipsec.h

Bjoern A. Zeeb wrote:
> On Sun, 5 Aug 2007, Bjoern A. Zeeb wrote:
>
>> bz 2007-08-05 16:16:15 UTC
>>
>> FreeBSD src repository
>>
>> Modified files:
>>   sbin/ipfw        ipfw.8
>>   share/man/man4   ipsec.4
>>   sys/conf         NOTES options
>>   sys/netinet      ip_input.c ip_ipsec.c ip_ipsec.h
>>   sys/netinet6     ip6_ipsec.c ip6_ipsec.h
>> Log:
>> Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
>> Also rename the related functions in a similar way.
>> There are no functional changes.
>>
>> For a packet coming in with IPsec tunnel mode, the default is
>> to only call into the firewall with the "outer" IP header and
>> payload.
>>
>> With this option turned on, in addition to the "outer" parts,
>> the "inner" IP header and payload are passed to the
>> firewall too when going through ip_input() the second time.
>>
>> The option was never only related to a gif(4) tunnel within
>> an IPsec tunnel and thus the name was very misleading.
>>
>> Discussed at: BSDCan 2007
>> Best new name suggested by: rwatson
>> Reviewed by: rwatson
>> Approved by: re (bmah)
>>
>> Revision  Changes  Path
>> 1.203     +2 -2    src/sbin/ipfw/ipfw.8
>> 1.22      +3 -3    src/share/man/man4/ipsec.4
>> 1.1448    +4 -4    src/sys/conf/NOTES
>> 1.604     +1 -1    src/sys/conf/options
>> 1.331     +1 -1    src/sys/netinet/ip_input.c
>> 1.7       +3 -3    src/sys/netinet/ip_ipsec.c
>> 1.2       +1 -1    src/sys/netinet/ip_ipsec.h
>> 1.6       +3 -3    src/sys/netinet6/ip6_ipsec.c
>> 1.2       +1 -1    src/sys/netinet6/ip6_ipsec.h
>
>
> For netinet6 you will find the "helper" functions which are still
> unused. ip6_input() will need the same check that ip_input() has
> if we want feature parity with legacy IP (being able to not filter on
> the "inner" header/payload from an IPsec tunnel mode)
>
> I am unsure why it's not yet there. Anyone know a reason other than
> "just missing"?

There was no ipv6 support when the FILTERGIF stuff was added.

Sam