Commit IPv6 support for FAST_IPSEC to the tree.

This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re

38 files changed, 76 insertions, 133 deletions

diff --git a/contrib/netcat/netcat.c b/contrib/netcat/netcat.c
index a332024..bbf7919 100644
--- a/contrib/netcat/netcat.c
+++ b/contrib/netcat/netcat.c
@@ -42,7 +42,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #ifdef IPSEC
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #endif
 #include <netinet/tcp.h>
 #include <netinet/ip.h>
diff --git a/contrib/telnet/telnet/externs.h b/contrib/telnet/telnet/externs.h
index e9be27e..73743c0 100644
--- a/contrib/telnet/telnet/externs.h
+++ b/contrib/telnet/telnet/externs.h
@@ -72,7 +72,7 @@ typedef unsigned char cc_t;
 #include <string.h>
 
 #if defined(IPSEC)
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #if defined(IPSEC_POLICY_IPSEC)
 extern char *ipsec_policy_in;
 extern char *ipsec_policy_out;
diff --git a/contrib/traceroute/traceroute.c b/contrib/traceroute/traceroute.c
index 79ac962..5a9e8d2 100644
--- a/contrib/traceroute/traceroute.c
+++ b/contrib/traceroute/traceroute.c
@@ -228,7 +228,7 @@ static const char rcsid[] =
 
 #ifdef	IPSEC
 #include <net/route.h>
-#include <netinet6/ipsec.h>	/* XXX */
+#include <netipsec/ipsec.h>	/* XXX */
 #endif	/* IPSEC */
 
 #include <ctype.h>
diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
index d06a447..a200e56 100644
--- a/etc/mtree/BSD.include.dist
+++ b/etc/mtree/BSD.include.dist
@@ -231,8 +231,6 @@
     ..
     netipx
     ..
-    netkey
-    ..
     netnatm
         api
         ..
diff --git a/include/Makefile b/include/Makefile
index c29f008..f03e030 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -34,7 +34,7 @@ LHDRS=	aio.h errno.h fcntl.h linker_set.h poll.h stdint.h syslog.h \
 	termios.h ucontext.h
 
 LDIRS=	bsm cam geom net net80211 netatalk netatm netgraph netinet netinet6 \
-	netipsec ${_netipx} netkey netnatm ${_netncp} netsmb \
+	netipsec ${_netipx} netnatm ${_netncp} netsmb \
 	nfs nfsclient nfsserver \
 	pccard sys vm
 
diff --git a/lib/libipsec/Makefile b/lib/libipsec/Makefile
index 933174d..a415e26 100644
--- a/lib/libipsec/Makefile
+++ b/lib/libipsec/Makefile
@@ -39,7 +39,7 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC
 CFLAGS+=-DINET6
 .endif
 
-#.PATH:	${.CURDIR}/../../sys/netkey
+#.PATH:	${.CURDIR}/../../sys/netipsec
 #SRCS=	pfkey.c pfkey_dump.c
 SRCS+=	ipsec_strerror.c policy_parse.y policy_token.l
 SRCS+=	ipsec_dump_policy.c ipsec_get_policylen.c
diff --git a/lib/libipsec/ipsec_dump_policy.c b/lib/libipsec/ipsec_dump_policy.c
index 3ce525b..638d788 100644
--- a/lib/libipsec/ipsec_dump_policy.c
+++ b/lib/libipsec/ipsec_dump_policy.c
@@ -36,9 +36,9 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/socket.h>
 
-#include <netkey/key_var.h>
+#include <netipsec/key_var.h>
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <arpa/inet.h>
 
diff --git a/lib/libipsec/ipsec_get_policylen.c b/lib/libipsec/ipsec_get_policylen.c
index 911b2ce..232cb45 100644
--- a/lib/libipsec/ipsec_get_policylen.c
+++ b/lib/libipsec/ipsec_get_policylen.c
@@ -35,7 +35,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/types.h>
 #include <sys/param.h>
 
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <net/pfkeyv2.h>
 
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
index 0b7d756..1e24b63 100644
--- a/lib/libipsec/ipsec_set_policy.3
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -41,7 +41,7 @@
 .Sh LIBRARY
 .Lb libipsec
 .Sh SYNOPSIS
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
 .Ft "char *"
 .Fn ipsec_set_policy "char *policy" "int len"
 .Ft int
diff --git a/lib/libipsec/ipsec_strerror.3 b/lib/libipsec/ipsec_strerror.3
index d162fa6..73fe68d 100644
--- a/lib/libipsec/ipsec_strerror.3
+++ b/lib/libipsec/ipsec_strerror.3
@@ -38,12 +38,12 @@
 .Nd error messages for the IPsec policy manipulation library
 .\"
 .Sh SYNOPSIS
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
 .Ft "const char *"
 .Fn ipsec_strerror
 .\"
 .Sh DESCRIPTION
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
 declares
 .Pp
 .Dl extern int ipsec_errcode;
diff --git a/lib/libipsec/ipsec_strerror.c b/lib/libipsec/ipsec_strerror.c
index 203b651..f9b2dc9 100644
--- a/lib/libipsec/ipsec_strerror.c
+++ b/lib/libipsec/ipsec_strerror.c
@@ -36,7 +36,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 
 #include <string.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include "ipsec_strerror.h"
 
diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c
index ca75df4..2dd9d71 100644
--- a/lib/libipsec/pfkey.c
+++ b/lib/libipsec/pfkey.c
@@ -36,9 +36,9 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <net/pfkeyv2.h>
-#include <netkey/key_var.h>
+#include <netipsec/key_var.h>
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <stdlib.h>
 #include <unistd.h>
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c
index af8e384..068ad0e 100644
--- a/lib/libipsec/pfkey_dump.c
+++ b/lib/libipsec/pfkey_dump.c
@@ -35,13 +35,12 @@ __FBSDID("$FreeBSD$");
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/socket.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #include <net/pfkeyv2.h>
-#include <netkey/key_var.h>
-#include <netkey/key_debug.h>
+#include <netipsec/key_var.h>
+#include <netipsec/key_debug.h>
 
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
 #include <arpa/inet.h>
 
 #include <stdlib.h>
diff --git a/lib/libipsec/policy_parse.y b/lib/libipsec/policy_parse.y
index ae25958..9e2f979 100644
--- a/lib/libipsec/policy_parse.y
+++ b/lib/libipsec/policy_parse.y
@@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/socket.h>
 
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <stdlib.h>
 #include <stdio.h>
diff --git a/lib/libipsec/policy_token.l b/lib/libipsec/policy_token.l
index f957569..d648702 100644
--- a/lib/libipsec/policy_token.l
+++ b/lib/libipsec/policy_token.l
@@ -36,9 +36,9 @@
 #include <sys/socket.h>
 #include <net/route.h>
 #include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
+#include <netipsec/keydb.h>
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <stdlib.h>
 #include <limits.h>
diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c
index 65c111d..c1dfc79 100644
--- a/lib/libipsec/test-policy.c
+++ b/lib/libipsec/test-policy.c
@@ -38,8 +38,8 @@ __FBSDID("$FreeBSD$");
 
 #include <netinet/in.h>
 #include <net/pfkeyv2.h>
-#include <netkey/key_debug.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/key_debug.h>
+#include <netipsec/ipsec.h>
 
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index be5f66e..9280bef 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -76,7 +76,7 @@ __FBSDID("$FreeBSD$");
 #include <arpa/inet.h>
 
 #ifdef IPSEC
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #endif /*IPSEC*/
 
 #include <ctype.h>
diff --git a/sbin/ping6/Makefile b/sbin/ping6/Makefile
index 89e7fbe..e7a1e1d 100644
--- a/sbin/ping6/Makefile
+++ b/sbin/ping6/Makefile
@@ -3,7 +3,7 @@
 PROG=	ping6
 MAN=	ping6.8
 
-CFLAGS+=-DIPSEC -DKAME_SCOPEID -DUSE_RFC2292BIS \
+CFLAGS+=-DIPSEC -DFAST_IPSEC -DKAME_SCOPEID -DUSE_RFC2292BIS \
 	-DHAVE_POLL_H -DHAVE_ARC4RANDOM
 WARNS?=	2
 
diff --git a/sbin/ping6/ping6.c b/sbin/ping6/ping6.c
index bcf86b3..a7ab9a1 100644
--- a/sbin/ping6/ping6.c
+++ b/sbin/ping6/ping6.c
@@ -134,8 +134,8 @@ static const char rcsid[] =
 #endif
 
 #ifdef IPSEC
-#include <netinet6/ah.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ah.h>
+#include <netipsec/ipsec.h>
 #endif
 
 #include <md5.h>
diff --git a/sbin/setkey/Makefile b/sbin/setkey/Makefile
index 9dd7cf5..03c2ea2 100644
--- a/sbin/setkey/Makefile
+++ b/sbin/setkey/Makefile
@@ -44,9 +44,9 @@ CLEANFILES=	y.tab.c y.tab.h key_test.o keytest
 
 # libpfkey
 # ipsec_strerror.c is for avoiding shlib reference to non-exported function.
-.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
+.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netipsec
 SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
-CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
+CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netipsec
 
 SRCS+=	y.tab.h
 y.tab.h: parse.y
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index e90c3a1..85f4fab 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -38,8 +38,8 @@
 #include <net/route.h>
 #include <netinet/in.h>
 #include <net/pfkeyv2.h>
-#include <netkey/key_var.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/key_var.h>
+#include <netipsec/ipsec.h>
 #include <arpa/inet.h>
 
 #include <string.h>
diff --git a/sbin/setkey/setkey.c b/sbin/setkey/setkey.c
index 5bdd6df..9bb9a88 100644
--- a/sbin/setkey/setkey.c
+++ b/sbin/setkey/setkey.c
@@ -38,9 +38,9 @@
 #include <net/route.h>
 #include <netinet/in.h>
 #include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-#include <netkey/key_debug.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/keydb.h>
+#include <netipsec/key_debug.h>
+#include <netipsec/ipsec.h>
 
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/sbin/setkey/test-pfkey.c b/sbin/setkey/test-pfkey.c
index b1fb238..672f03c 100644
--- a/sbin/setkey/test-pfkey.c
+++ b/sbin/setkey/test-pfkey.c
@@ -36,9 +36,9 @@
 #include <net/route.h>
 #include <net/pfkeyv2.h>
 #include <netinet/in.h>
-#include <netkey/keydb.h>
-#include <netkey/key_var.h>
-#include <netkey/key_debug.h>
+#include <netipsec/keydb.h>
+#include <netipsec/key_var.h>
+#include <netipsec/key_debug.h>
 
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/sbin/setkey/test-policy.c b/sbin/setkey/test-policy.c
index 27cd478..9e9b723 100644
--- a/sbin/setkey/test-policy.c
+++ b/sbin/setkey/test-policy.c
@@ -34,11 +34,10 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet6/in6.h>
-#include <netkey/keyv2.h>
+#include <netipsec/ipsec.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include <netinet6/ipsec.h>
 
 char *requests[] = {
 "must_error",		/* must be error */
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index 13db9be..fe45770 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -36,10 +36,10 @@
 #include <sys/socket.h>
 #include <net/route.h>
 #include <net/pfkeyv2.h>
-#include <netkey/keydb.h>
-#include <netkey/key_debug.h>
+#include <netipsec/keydb.h>
+#include <netipsec/key_debug.h>
 #include <netinet/in.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 
 #include <stdlib.h>
 #include <limits.h>
diff --git a/share/man/man7/hier.7 b/share/man/man7/hier.7
index 3c4fc87..637d1fa 100644
--- a/share/man/man7/hier.7
+++ b/share/man/man7/hier.7
@@ -32,7 +32,7 @@
 .\"	@(#)hier.7	8.1 (Berkeley) 6/5/93
 .\" $FreeBSD$
 .\"
-.Dd June 10, 2007
+.Dd June 28, 2007
 .Dt HIER 7
 .Os
 .Sh NAME
@@ -318,10 +318,12 @@ see
 C include files for Internet protocol version 6;
 see
 .Xr inet6 4
+.It Pa netipsec/
+kernel key-management service;
+see
+.Xr ipsec 4
 .It Pa netipx/
 IPX/SPX protocol stacks
-.It Pa netkey/
-kernel key-management service
 .It Pa netnatm/
 NATM include files;
 see
diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 19e4c38..d8794d9 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -10,7 +10,6 @@ SRCS=	if.c inet.c main.c mbuf.c mcast.c mroute.c route.c \
 WARNS?=	3
 
 CFLAGS+=-DIPSEC
-CFLAGS+=-DFAST_IPSEC
 CFLAGS+=-DSCTP
 
 .if ${MK_INET6_SUPPORT} != "no"
diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c
index 125be12..2dc6410 100644
--- a/usr.bin/netstat/ipsec.c
+++ b/usr.bin/netstat/ipsec.c
@@ -104,11 +104,7 @@ __FBSDID("$FreeBSD$");
 
 #include <netinet/in.h>
 
-#if defined(IPSEC) && !defined(FAST_IPSEC)
-#include <netinet6/ipsec.h>
-#endif
-
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ah_var.h>
 #include <netipsec/esp_var.h>
@@ -250,9 +246,24 @@ print_ipsecstats(const struct ipsecstat *ipsecstat)
 	hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output");
 	p(spdcachelookup, "\t%ju SPD cache lookup%s\n");
 	pes(spdcachemiss, "\t%ju SPD cache miss%s\n");
-#undef p
 #undef pes
 #undef hist
+	p(ips_in_polvio, "\t%ju inbound packet%s violated process "
+		"security policy\n");
+	p(ips_out_polvio, "\t%ju outbound packet%s violated process "
+		"security policy\n");
+	p(ips_out_nosa, "\t%ju outbound packet%s with no SA available\n");
+	p(ips_out_nomem, "\t%ju outbound packet%s failed due to "
+		"insufficient memory\n");
+	p(ips_out_noroute, "\t%ju outbound packet%s with no route "
+		"available\n");
+	p(ips_out_inval, "\t%ju invalid outbound packet%s\n");
+	p(ips_out_bundlesa, "\t%ju outbound packet%s with bundled SAs\n");
+	p(ips_mbcoalesced, "\t%ju mbuf%s coalesced during clone\n");
+	p(ips_clcoalesced, "\t%ju cluster%s coalesced during clone\n");
+	p(ips_clcopied, "\t%ju cluster%s copied during clone\n");
+	p(ips_mbinserted, "\t%ju mbuf%s inserted during makespace\n");
+#undef p
 }
 
 void
@@ -269,11 +280,8 @@ ipsec_stats(u_long off, const char *name, int af1 __unused)
 }
 
 
-#ifdef FAST_IPSEC
-
 static void ipsec_hist_new(const u_int32_t *hist, size_t histmax,
 			   const struct val2str *name, const char *title);
-static void print_newipsecstats(const struct newipsecstat *newipsecstat);
 static void print_ahstats(const struct ahstat *ahstat);
 static void print_espstats(const struct espstat *espstat);
 static void print_ipcompstats(const struct ipcompstat *ipcompstat);
@@ -311,43 +319,6 @@ ipsec_hist_new(const u_int32_t *hist, size_t histmax,
 }
   
 static void
-print_newipsecstats(const struct newipsecstat *newipsecstat)
-{
-#define	p(f, m) if (newipsecstat->f || sflag <= 1) \
-    printf(m, newipsecstat->f, plural(newipsecstat->f))
-
-	p(ips_in_polvio, "\t%u inbound packet%s violated process "
-		"security policy\n");
-	p(ips_out_polvio, "\t%u outbound packet%s violated process "
-		"security policy\n");
-	p(ips_out_nosa, "\t%u outbound packet%s with no SA available\n");
-	p(ips_out_nomem, "\t%u outbound packet%s failed due to "
-		"insufficient memory\n");
-	p(ips_out_noroute, "\t%u outbound packet%s with no route "
-		"available\n");
-	p(ips_out_inval, "\t%u invalid outbound packet%s\n");
-	p(ips_out_bundlesa, "\t%u outbound packet%s with bundled SAs\n");
-	p(ips_mbcoalesced, "\t%u mbuf%s coalesced during clone\n");
-	p(ips_clcoalesced, "\t%u cluster%s coalesced during clone\n");
-	p(ips_clcopied, "\t%u cluster%s copied during clone\n");
-	p(ips_mbinserted, "\t%u mbuf%s inserted during makespace\n");
-#undef p
-}
-  
-void
-ipsec_stats_new(u_long off, const char *name, int family __unused)
-{
-	struct newipsecstat newipsecstat;
-
-	if (off == 0)
-		return;
-  	printf ("%s:\n", name);
-	kread(off, (char *)&newipsecstat, sizeof(newipsecstat));
-
-	print_newipsecstats(&newipsecstat);
-}
-
-static void
 print_ahstats(const struct ahstat *ahstat)
 {
 #define	p32(f, m) if (ahstat->f || sflag <= 1) \
@@ -491,5 +462,4 @@ ipcomp_stats(u_long off, const char *name, int family __unused)
 	print_ipcompstats(&ipcompstat);
 }
 
-#endif /* FAST_IPSEC */
 #endif /*IPSEC*/
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 766b5ea..434121f8 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -100,7 +100,7 @@ static struct nlist nl[] = {
 #define N_ICMP6STAT	13
 	{ .n_name = "_icmp6stat" },
 #define N_IPSECSTAT	14
-	{ .n_name = "_ipsecstat" },
+	{ .n_name = "_ipsec4stat" },
 #define N_IPSEC6STAT	15
 	{ .n_name = "_ipsec6stat" },
 #define N_PIM6STAT	16
@@ -141,8 +141,6 @@ static struct nlist nl[] = {
 	{ .n_name = "_carpstats" },
 #define N_PFSYNCSTAT	34
 	{ .n_name = "_pfsyncstats" },
-#define	N_FAST_IPSECSTAT 35
-	{ .n_name = "_newipsecstat" },
 #define	N_AHSTAT	36
 	{ .n_name = "_ahstat" },
 #define	N_ESPSTAT	37
@@ -181,19 +179,15 @@ struct protox {
 	{ -1,		-1,		1,	protopr,
 	  igmp_stats,	NULL,		"igmp",	IPPROTO_IGMP },
 #ifdef IPSEC
-	{ -1,		N_IPSECSTAT,	1,	NULL,
+	{ -1,		N_IPSECSTAT,	1,	NULL,	/* keep as compat */
 	  ipsec_stats,	NULL,		"ipsec",	0},
-#ifdef FAST_IPSEC
-	{ -1,		N_FAST_IPSECSTAT, 1,	0,
-	  ipsec_stats_new, NULL,	"fastipsec",	0},
-	{ -1,		N_AHSTAT,	1,	0,
+	{ -1,		N_AHSTAT,	1,	NULL,
 	  ah_stats,	NULL,		"ah",		0},
-	{ -1,		N_ESPSTAT,	1,	0,
+	{ -1,		N_ESPSTAT,	1,	NULL,
 	  esp_stats,	NULL,		"esp",		0},
-	{ -1,		N_IPCOMPSTAT,	1,	0,
+	{ -1,		N_IPCOMPSTAT,	1,	NULL,
 	  ipcomp_stats,	NULL,		"ipcomp",	0},
 #endif
-#endif
 	{ -1,		-1,		1,	protopr,
 	  pim_stats,	NULL,		"pim",	IPPROTO_PIM },
 	{ -1,		N_CARPSTAT,	1,	0,
@@ -526,17 +520,6 @@ main(int argc, char *argv[])
 
 	kread(0, 0, 0);
 	if (tp) {
-#ifdef FAST_IPSEC
-		/*
-		 * HACK: fallback to printing the new FAST IPSEC stats
-		 *	 if the kernel was built with FAST_IPSEC rather
-		 *	 than the KAME IPSEC stack (the two are mutually
-		 *	 exclusive).
-		 */
-		if (nl[tp->pr_sindex].n_value == 0 &&
-		    strcmp(tp->pr_name, "ipsec") == 0)
-			tp = name2protox("fastipsec");
-#endif
 		printproto(tp, tp->pr_name);
 		exit(0);
 	}
diff --git a/usr.bin/netstat/netstat.h b/usr.bin/netstat/netstat.h
index ff8beb4..a2df187 100644
--- a/usr.bin/netstat/netstat.h
+++ b/usr.bin/netstat/netstat.h
@@ -80,13 +80,10 @@ void	carp_stats (u_long, const char *, int);
 void	pfsync_stats (u_long, const char *, int);
 #ifdef IPSEC
 void	ipsec_stats(u_long, const char *, int);
-#ifdef FAST_IPSEC
-void	ipsec_stats_new (u_long, const char *, int);
 void	esp_stats (u_long, const char *, int);
 void	ah_stats (u_long, const char *, int);
 void	ipcomp_stats (u_long, const char *, int);
 #endif
-#endif
 
 #ifdef INET6
 void	ip6_stats(u_long, const char *, int);
diff --git a/usr.bin/netstat/pfkey.c b/usr.bin/netstat/pfkey.c
index ed2c00c..ad22ae8 100644
--- a/usr.bin/netstat/pfkey.c
+++ b/usr.bin/netstat/pfkey.c
@@ -79,11 +79,7 @@ static const char rcsid[] =
 
 #include <netinet/in.h>
 
-#if defined(IPSEC) && !defined(FAST_IPSEC)
-#include <netkey/keysock.h>
-#endif
-
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 #include <netipsec/keysock.h>
 #endif
 
diff --git a/usr.bin/telnet/Makefile b/usr.bin/telnet/Makefile
index c5525b3..14829c1 100644
--- a/usr.bin/telnet/Makefile
+++ b/usr.bin/telnet/Makefile
@@ -23,7 +23,7 @@ DPADD=		${LIBTERMCAP} ${LIBTELNET}
 LDADD=		-ltermcap ${LIBTELNET}
 
 .if !defined(RELEASE_CRUNCH)
-CFLAGS+=	-DIPSEC
+CFLAGS+=	-DIPSEC -DFAST_IPSEC
 DPADD+=		${LIBIPSEC}
 LDADD+=		-lipsec
 .else
@@ -35,7 +35,7 @@ CFLAGS+=	-DHAS_CGETENT
 .if !defined(RELEASE_CRUNCH)
 .if ${MK_OPENSSL} != "no"
 SRCS+=		authenc.c 
-CFLAGS+=	-DENCRYPTION -DAUTHENTICATION -DIPSEC
+CFLAGS+=	-DENCRYPTION -DAUTHENTICATION -DIPSEC -DFAST_IPSEC
 DPADD+=		${LIBMP} ${LIBCRYPTO} ${LIBCRYPT} ${LIBIPSEC} ${LIBPAM}
 LDADD+=		-lmp -lcrypto -lcrypt -lipsec ${MINUSLPAM}
 .endif
diff --git a/usr.sbin/inetd/Makefile b/usr.sbin/inetd/Makefile
index 35f2c22..9156afc 100644
--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@@ -21,7 +21,7 @@ LDADD=	-lutil -lwrap
 
 # XXX for src/release/picobsd
 .if !defined(RELEASE_CRUNCH)
-CFLAGS+= -DIPSEC
+CFLAGS+= -DIPSEC -DFAST_IPSEC
 DPADD+=	${LIBIPSEC}
 LDADD+=	-lipsec
 .endif
diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 6032462..56791b2 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -144,7 +144,7 @@ __FBSDID("$FreeBSD$");
 #include "pathnames.h"
 
 #ifdef IPSEC
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #ifndef IPSEC_POLICY_IPSEC	/* no ipsec support on old ipsec */
 #undef IPSEC
 #endif
diff --git a/usr.sbin/rrenumd/Makefile b/usr.sbin/rrenumd/Makefile
index c31a7c7..52452d0 100644
--- a/usr.sbin/rrenumd/Makefile
+++ b/usr.sbin/rrenumd/Makefile
@@ -18,7 +18,7 @@ PROG=	rrenumd
 MAN=	rrenumd.conf.5 rrenumd.8
 SRCS=	rrenumd.c  parser.y lexer.l
 
-CFLAGS+= -DIPSEC -I. -I${.CURDIR}
+CFLAGS+= -DIPSEC -DFAST_IPSEC -I. -I${.CURDIR}
 YFLAGS=	-d
 
 LDADD=	-lipsec -ll -ly
diff --git a/usr.sbin/rrenumd/rrenumd.c b/usr.sbin/rrenumd/rrenumd.c
index 2f863d6..fddd6a1 100644
--- a/usr.sbin/rrenumd/rrenumd.c
+++ b/usr.sbin/rrenumd/rrenumd.c
@@ -49,7 +49,7 @@
 #include <arpa/inet.h>
 
 #ifdef IPSEC
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #endif
 
 #include <stdio.h>
diff --git a/usr.sbin/traceroute6/Makefile b/usr.sbin/traceroute6/Makefile
index 6ff72d2..cecd20d 100644
--- a/usr.sbin/traceroute6/Makefile
+++ b/usr.sbin/traceroute6/Makefile
@@ -18,7 +18,7 @@ MAN=	traceroute6.8
 BINOWN=	root
 BINMODE= 4555
 
-CFLAGS+= -DIPSEC -DUSE_RFC2292BIS -DHAVE_POLL
+CFLAGS+= -DIPSEC -DFAST_IPSEC -DUSE_RFC2292BIS -DHAVE_POLL
 
 DPADD=	${LIBIPSEC}
 LDADD=	-lipsec
diff --git a/usr.sbin/traceroute6/traceroute6.c b/usr.sbin/traceroute6/traceroute6.c
index 327fa84..edc8dc7 100644
--- a/usr.sbin/traceroute6/traceroute6.c
+++ b/usr.sbin/traceroute6/traceroute6.c
@@ -279,7 +279,7 @@ static const char rcsid[] =
 
 #ifdef IPSEC
 #include <net/route.h>
-#include <netinet6/ipsec.h>
+#include <netipsec/ipsec.h>
 #endif
 
 #define DUMMY_PORT 10010