Subject: Re: [RFC/RFT] projects/ipsec
To: freebsd-current@FreeBSD.org, freebsd-net@FreeBSD.org
From: "Andrey V. Elsukov"
Cc: "Bjoern A. Zeeb", George Neville-Neil
Date: Tue, 27 Dec 2016 13:18:47 +0300
In-Reply-To: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org>

On 11.12.2016 02:07, Andrey V. Elsukov wrote:
> Hi All,
>
> I am pleased to announce that projects/ipsec, which I started several
> months ago, is ready for testing and review.
> The main goals were:
>  * rework locking to make IPsec code more friendly for concurrent
>    processing;
>  * make lookup in SADB/SPDB faster;
>  * revise PFKEY implementation, remove stale code, make it closer
>    to RFC;
>  * implement IPsec VTI (virtual tunneling interface);
>  * make IPsec code loadable as kernel module.
>
> Currently all except the last one are mostly done. So, I decided to ask
> for help to test what is already done, while I work on the last task.

I finished the last task; it is now possible to load/unload IPsec and
TCP-MD5 support as kernel modules. The new kernel option IPSEC_SUPPORT
should be used to build a kernel that is able to load the IPsec module.

So, if you have 'options IPSEC' in the kernel config, IPsec support will
be built into the kernel without TCP-MD5 support.

If you have 'options IPSEC' and 'options TCP_SIGNATURE', IPsec and
TCP-MD5 support will be built into the kernel.

If you have 'options IPSEC' and 'options IPSEC_SUPPORT', IPsec support
will be built into the kernel and TCP-MD5 can be loaded.

If you have 'options IPSEC_SUPPORT', IPsec and TCP-MD5 can be loaded.

If you have 'options IPSEC_SUPPORT' and 'options TCP_SIGNATURE', TCP-MD5
support will be built into the kernel and IPsec can be loaded.

If you have no IPSEC* options, it isn't possible to use IPsec as a
module.

So, if there are no objections, I'll merge projects/ipsec into head/
within two weeks.

-- 
WBR, Andrey V. Elsukov