authorbz <bz@FreeBSD.org>2009-05-23 16:42:38 +0000
committerbz <bz@FreeBSD.org>2009-05-23 16:42:38 +0000
commit9642ff6e283a56096187f128604a36cf5e445825 (patch)
treeaf224eeb2132573550696e499948967fb4a2e0d7 /sys/conf
parentdc84aec17116643eb20765e9bb3f4818bd52e4f4 (diff)
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL
kernel option. This also permits tuning of the option per virtual network stack, as well as separately per inet, inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks
Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES7
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 7ba6ac4..0e5bb44 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -524,9 +524,10 @@ options ROUTETABLES=2 # max 16. 1 is back compatible.
options IPSEC #IP security (requires device crypto)
#options IPSEC_DEBUG #debug for IP security
#
-# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel
-# to be processed by any configured packet filtering twice.
-# The default is that packets coming out of a tunnel are _not_ processed;
+# #DEPRECATED#
+# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
+# coming through a tunnel to be processed by any configured packet filtering
+# twice. The default is that packets coming out of a tunnel are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
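Review bot: The rewritten comment on the added lines refers to "the sysctl" without naming it, so a reader of NOTES cannot tell which runtime knob replaces the deprecated option. It also omits that, per the commit message, the setting exists separately for inet and inet6 and per virtual network stack. Because the default leaves packets coming out of a tunnel unfiltered and "assumed trusted", the comment should say that the option now only sets the initial value, for example `# IPSEC_FILTERTUNNEL only sets the initial value of the per-address-family sysctls;` followed by `# they can be changed at runtime, so verify them on hosts that rely on this filtering.` The sysctl names are not visible here, since the diff is limited to sys/conf, and should be filled in from the rest of the commit.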