diff options
author | sam <sam@FreeBSD.org> | 2003-02-23 00:47:06 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2003-02-23 00:47:06 +0000 |
commit | 87582b9c57b44ade7cb2f19751545fb813262b93 (patch) | |
tree | 824e8df7239aadec937312f500ce5b1b196ed895 /sys/conf | |
parent | e34fd150f8cb9c6bcadb708854383f53b1092d05 (diff) | |
download | FreeBSD-src-87582b9c57b44ade7cb2f19751545fb813262b93.zip FreeBSD-src-87582b9c57b44ade7cb2f19751545fb813262b93.tar.gz |
Add a new config option IPSEC_FILTERGIF to control whether or not
packets coming out of a GIF tunnel are re-processed by ipfw, et. al.
By default they are not reprocessed. With the option they are.
This reverts 1.214. Prior to that change packets were not re-processed.
After they were which caused problems because packets do not have
distinguishing characteristics (like a special network if) that allows
them to be filtered specially.
This is really a stopgap measure designed for immediate MFC so that
4.8 has consistent handling to what was in 4.7.
PR: 48159
Reviewed by: Guido van Rooij <guido@gvr.org>
MFC after: 1 day
Diffstat (limited to 'sys/conf')
-rw-r--r-- | sys/conf/NOTES | 11 | ||||
-rw-r--r-- | sys/conf/options | 1 |
2 files changed, 12 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index cc511e4..f03279a 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -364,6 +364,17 @@ options INET6 #IPv6 communications protocols options IPSEC #IP security options IPSEC_ESP #IP security (crypto; define w/ IPSEC) options IPSEC_DEBUG #debug for IP security +# +# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel +# to be processed by any configured packet filtering (ipfw, ipf). +# The default is that packets coming from a tunnel are _not_ processed; +# they are assumed trusted. +# +# Note that enabling this can be problematic as there are no mechanisms +# in place for distinguishing packets coming out of a tunnel (e.g. no +# encX devices as found on openbsd). +# +#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel #options FAST_IPSEC #new IPsec (cannot define w/ IPSEC) diff --git a/sys/conf/options b/sys/conf/options index 4ec220d..7a16efc 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -327,6 +327,7 @@ INET6 opt_inet6.h IPSEC opt_ipsec.h IPSEC_ESP opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IPSEC_FILTERGIF opt_ipsec.h FAST_IPSEC opt_ipsec.h IPDIVERT DUMMYNET opt_ipdn.h |