Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES24
-rw-r--r--sys/conf/files72
-rw-r--r--sys/conf/files.amd645
-rw-r--r--sys/conf/files.arm4
-rw-r--r--sys/conf/files.arm644
-rw-r--r--sys/conf/files.i3864
-rw-r--r--sys/conf/files.mips6
-rw-r--r--sys/conf/files.pc984
-rw-r--r--sys/conf/files.powerpc4
-rw-r--r--sys/conf/files.riscv4
-rw-r--r--sys/conf/files.sparc644
-rw-r--r--sys/conf/kern.opts.mk1
-rw-r--r--sys/conf/options5
13 files changed, 72 insertions, 69 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 6d15ae4..6c13640 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -613,23 +613,12 @@ options TCP_OFFLOAD # TCP offload support.
# In order to enable IPSEC you MUST also add device crypto to
# your kernel configuration
options IPSEC #IP security (requires device crypto)
+
+# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to
+# load it as a kernel module. You still MUST add device crypto to your kernel
+# configuration.
+options IPSEC_SUPPORT
#options IPSEC_DEBUG #debug for IP security
-#
-# #DEPRECATED#
-# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
-# coming through a tunnel to be processed by any configured packet filtering
-# twice. The default is that packets coming out of a tunnel are _not_ processed;
-# they are assumed trusted.
-#
-# IPSEC history is preserved for such packets, and can be filtered
-# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
-#
-#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
-#
-# Set IPSEC_NAT_T to enable NAT-Traversal support. This enables
-# optional UDP encapsulation of ESP packets.
-#
-options IPSEC_NAT_T #NAT-T support, UDP encap of ESP
#
# SMB/CIFS requester
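Review bot: The rewritten IPsec block in NOTES no longer states that packets coming out of a tunnel are, by default, not run through the packet filter again and are assumed trusted; that sentence was removed along with the deprecated IPSEC_FILTERTUNNEL text. Assuming the default itself is unchanged, it is a security-relevant property that a firewall administrator needs to find here, so I would keep a short comment next to `options IPSEC`, for example `# Packets leaving an IPsec tunnel are not passed through the packet filter again by default; see the filtertunnel sysctl.` (the sysctl name should be confirmed against the code, which is outside this diff). The new `options IPSEC_SUPPORT` line also carries no trailing `#...` description, unlike the neighbouring options.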
@@ -1015,7 +1004,8 @@ options ACCEPT_FILTER_HTTP
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
-# This requires the use of 'device crypto' and 'options IPSEC'.
+# This requires the use of 'device crypto' and either 'options IPSEC' or
+# 'options IPSEC_SUPPORT'.
options TCP_SIGNATURE #include support for RFC 2385
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
diff --git a/sys/conf/files b/sys/conf/files
index 52cb263..afd3ca5 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -574,22 +574,24 @@ contrib/ngatm/netnatm/sig/sig_unimsgcpy.c optional ngatm_uni \
compile-with "${NORMAL_C} -I$S/contrib/ngatm"
contrib/ngatm/netnatm/sig/sig_verify.c optional ngatm_uni \
compile-with "${NORMAL_C} -I$S/contrib/ngatm"
-crypto/blowfish/bf_ecb.c optional ipsec
-crypto/blowfish/bf_skey.c optional crypto | ipsec
-crypto/camellia/camellia.c optional crypto | ipsec
-crypto/camellia/camellia-api.c optional crypto | ipsec
-crypto/des/des_ecb.c optional crypto | ipsec | netsmb
-crypto/des/des_setkey.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_ecb.c optional ipsec | ipsec_support
+crypto/blowfish/bf_skey.c optional crypto | ipsec | ipsec_support
+crypto/camellia/camellia.c optional crypto | ipsec | ipsec_support
+crypto/camellia/camellia-api.c optional crypto | ipsec | ipsec_support
+crypto/des/des_ecb.c optional crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_setkey.c optional crypto | ipsec | ipsec_support | netsmb
crypto/rc4/rc4.c optional netgraph_mppc_encryption | kgssapi
crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
- ipsec | random !random_loadable | wlan_ccmp
+ ipsec | ipsec_support | random !random_loadable | wlan_ccmp
crypto/rijndael/rijndael-api-fst.c optional geom_bde | random !random_loadable
-crypto/rijndael/rijndael-api.c optional crypto | ipsec | wlan_ccmp
+crypto/rijndael/rijndael-api.c optional crypto | ipsec | ipsec_support | \
+ wlan_ccmp
crypto/sha1.c optional carp | crypto | ipsec | \
- netgraph_mppc_encryption | sctp
-crypto/sha2/sha256c.c optional crypto | geom_bde | ipsec | random !random_loadable | \
- sctp | zfs
-crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | zfs
+ ipsec_support | netgraph_mppc_encryption | sctp
+crypto/sha2/sha256c.c optional crypto | geom_bde | ipsec | \
+ ipsec_support | random !random_loadable | sctp | zfs
+crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | \
+ ipsec_support | zfs
crypto/skein/skein.c optional crypto | zfs
crypto/skein/skein_block.c optional crypto | zfs
crypto/siphash/siphash.c optional inet | inet6
@@ -3592,8 +3594,7 @@ libkern/strtouq.c standard
libkern/strvalid.c standard
libkern/timingsafe_bcmp.c standard
libkern/zlib.c optional crypto | geom_uzip | ipsec | \
- mxge | netgraph_deflate | \
- ddb_ctf | gzio
+ ipsec_support | mxge | netgraph_deflate | ddb_ctf | gzio
net/altq/altq_cbq.c optional altq
net/altq/altq_cdnr.c optional altq
net/altq/altq_codel.c optional altq
@@ -3629,6 +3630,7 @@ net/if_fwsubr.c optional fwip
net/if_gif.c optional gif inet | gif inet6 | \
netgraph_gif inet | netgraph_gif inet6
net/if_gre.c optional gre inet | gre inet6
+net/if_ipsec.c optional inet ipsec | inet6 ipsec
net/if_iso88025subr.c optional token
net/if_lagg.c optional lagg
net/if_loop.c optional loop
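Review bot: The new `net/if_ipsec.c` entry writes its condition as `inet ipsec | inet6 ipsec`, while the netipsec/ entries in this file use the order `ipsec inet | ipsec inet6`; using one order throughout makes the list easier to search. The entry is also keyed on `ipsec` alone rather than on a device name of its own, as `if_gif.c` (gif) and `if_gre.c` (gre) just above are, so every kernel with `options IPSEC` gets the interface driver. If that is intended, a one-line comment above the entry saying so would help.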
@@ -3814,7 +3816,6 @@ netinet/ip_encap.c optional inet | inet6
netinet/ip_fastfwd.c optional inet
netinet/ip_icmp.c optional inet | inet6
netinet/ip_input.c optional inet
-netinet/ip_ipsec.c optional inet ipsec
netinet/ip_mroute.c optional mrouting inet
netinet/ip_options.c optional inet
netinet/ip_output.c optional inet
@@ -3883,7 +3884,6 @@ netinet6/ip6_id.c optional inet6
netinet6/ip6_input.c optional inet6
netinet6/ip6_mroute.c optional mrouting inet6
netinet6/ip6_output.c optional inet6
-netinet6/ip6_ipsec.c optional inet6 ipsec
netinet6/mld6.c optional inet6
netinet6/nd6.c optional inet6
netinet6/nd6_nbr.c optional inet6
@@ -3896,15 +3896,25 @@ netinet6/udp6_usrreq.c optional inet6
netipsec/ipsec.c optional ipsec inet | ipsec inet6
netipsec/ipsec_input.c optional ipsec inet | ipsec inet6
netipsec/ipsec_mbuf.c optional ipsec inet | ipsec inet6
+netipsec/ipsec_mod.c optional ipsec inet | ipsec inet6
netipsec/ipsec_output.c optional ipsec inet | ipsec inet6
-netipsec/key.c optional ipsec inet | ipsec inet6
-netipsec/key_debug.c optional ipsec inet | ipsec inet6
-netipsec/keysock.c optional ipsec inet | ipsec inet6
+netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key_debug.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/keysock.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/subr_ipsec.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/udpencap.c optional ipsec inet
netipsec/xform_ah.c optional ipsec inet | ipsec inet6
netipsec/xform_esp.c optional ipsec inet | ipsec inet6
netipsec/xform_ipcomp.c optional ipsec inet | ipsec inet6
netipsec/xform_tcp.c optional ipsec inet tcp_signature | \
- ipsec inet6 tcp_signature
+ ipsec inet6 tcp_signature | ipsec_support inet tcp_signature | \
+ ipsec_support inet6 tcp_signature
netnatm/natm.c optional natm
netnatm/natm_pcb.c optional natm
netnatm/natm_proto.c optional natm
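Review bot: `netipsec/udpencap.c optional ipsec inet` makes UDP encapsulation of ESP part of every kernel built with `options IPSEC` and INET, where it used to be selected separately by `options IPSEC_NAT_T` (removed in the NOTES and options hunks). That widens what an IPsec-enabled kernel will process from the network by default, so it deserves an explicit mention, for example a NOTES comment `# NAT-T (UDP encapsulation of ESP) is always built with IPSEC`. The entry also has no `ipsec inet6` or `ipsec_support` alternative, unlike `ipsec_pcb.c`, `key.c` and `subr_ipsec.c` beside it. Presumably NAT-T is IPv4-only and is otherwise supplied by the module, but that cannot be confirmed from sys/conf alone.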
@@ -4278,18 +4288,18 @@ ofed/drivers/infiniband/hw/mthca/mthca_uar.c optional mthca \
compile-with "${OFED_C}"
# crypto support
-opencrypto/cast.c optional crypto | ipsec
-opencrypto/criov.c optional crypto | ipsec
-opencrypto/crypto.c optional crypto | ipsec
+opencrypto/cast.c optional crypto | ipsec | ipsec_support
+opencrypto/criov.c optional crypto | ipsec | ipsec_support
+opencrypto/crypto.c optional crypto | ipsec | ipsec_support
opencrypto/cryptodev.c optional cryptodev
-opencrypto/cryptodev_if.m optional crypto | ipsec
-opencrypto/cryptosoft.c optional crypto | ipsec
-opencrypto/cryptodeflate.c optional crypto | ipsec
-opencrypto/gmac.c optional crypto | ipsec
-opencrypto/gfmult.c optional crypto | ipsec
-opencrypto/rmd160.c optional crypto | ipsec
-opencrypto/skipjack.c optional crypto | ipsec
-opencrypto/xform.c optional crypto | ipsec
+opencrypto/cryptodev_if.m optional crypto | ipsec | ipsec_support
+opencrypto/cryptosoft.c optional crypto | ipsec | ipsec_support
+opencrypto/cryptodeflate.c optional crypto | ipsec | ipsec_support
+opencrypto/gmac.c optional crypto | ipsec | ipsec_support
+opencrypto/gfmult.c optional crypto | ipsec | ipsec_support
+opencrypto/rmd160.c optional crypto | ipsec | ipsec_support
+opencrypto/skipjack.c optional crypto | ipsec | ipsec_support
+opencrypto/xform.c optional crypto | ipsec | ipsec_support
rpc/auth_none.c optional krpc | nfslockd | nfscl | nfsd
rpc/auth_unix.c optional krpc | nfslockd | nfscl | nfsd
rpc/authunix_prot.c optional krpc | nfslockd | nfscl | nfsd
diff --git a/sys/conf/files.amd64 b/sys/conf/files.amd64
index da1b432..4ad9ba5 100644
--- a/sys/conf/files.amd64
+++ b/sys/conf/files.amd64
@@ -179,8 +179,9 @@ aesni_wrap.o optional aesni \
compile-with "${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc} ${WERROR} ${NO_WCAST_QUAL} ${PROF} -mmmx -msse -msse4 -maes ${.IMPSRC}" \
no-implicit-rule \
clean "aesni_wrap.o"
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | \
+ ipsec_support | netsmb
crypto/via/padlock.c optional padlock
crypto/via/padlock_cipher.c optional padlock
crypto/via/padlock_hash.c optional padlock
diff --git a/sys/conf/files.arm b/sys/conf/files.arm
index a5657bc..04bedd4 100644
--- a/sys/conf/files.arm
+++ b/sys/conf/files.arm
@@ -105,8 +105,8 @@ cddl/compat/opensolaris/kern/opensolaris_atomic.c optional zfs | dtrace compile-
cddl/dev/dtrace/arm/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}"
cddl/dev/dtrace/arm/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}"
cddl/dev/fbt/arm/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb
dev/dwc/if_dwc.c optional dwc
dev/dwc/if_dwc_if.m optional dwc
dev/fb/fb.c optional sc
diff --git a/sys/conf/files.arm64 b/sys/conf/files.arm64
index 053eb5d..10eb61f 100644
--- a/sys/conf/files.arm64
+++ b/sys/conf/files.arm64
@@ -65,8 +65,8 @@ arm64/cavium/thunder_pcie_pem.c optional soc_cavm_thunderx pci
arm64/cavium/thunder_pcie_pem_fdt.c optional soc_cavm_thunderx pci fdt
arm64/cavium/thunder_pcie_common.c optional soc_cavm_thunderx pci
arm64/cloudabi64/cloudabi64_sysvec.c optional compat_cloudabi64
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb
dev/acpica/acpi_if.m optional acpi
dev/ahci/ahci_generic.c optional ahci fdt
dev/hwpmc/hwpmc_arm64.c optional hwpmc
diff --git a/sys/conf/files.i386 b/sys/conf/files.i386
index c9a98a5..2373780 100644
--- a/sys/conf/files.i386
+++ b/sys/conf/files.i386
@@ -143,7 +143,7 @@ compat/svr4/svr4_syscallnames.c optional compat_svr4
compat/svr4/svr4_sysent.c optional compat_svr4
compat/svr4/svr4_sysvec.c optional compat_svr4
compat/svr4/svr4_termios.c optional compat_svr4
-bf_enc.o optional crypto | ipsec \
+bf_enc.o optional crypto | ipsec | ipsec_support \
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
no-implicit-rule
@@ -159,7 +159,7 @@ aesni_wrap.o optional aesni \
compile-with "${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc} ${WERROR} ${NO_WCAST_QUAL} ${PROF} -mmmx -msse -msse4 -maes ${.IMPSRC}" \
no-implicit-rule \
clean "aesni_wrap.o"
-crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
+crypto/des/arch/i386/des_enc.S optional crypto | ipsec | ipsec_support | netsmb
crypto/via/padlock.c optional padlock
crypto/via/padlock_cipher.c optional padlock
crypto/via/padlock_hash.c optional padlock
diff --git a/sys/conf/files.mips b/sys/conf/files.mips
index 0fe0795..f3a0dc8 100644
--- a/sys/conf/files.mips
+++ b/sys/conf/files.mips
@@ -82,8 +82,10 @@ mips/mips/sc_machdep.c optional sc
dev/uart/uart_cpu_fdt.c optional uart fdt
# crypto support -- use generic
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | \
+ ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | \
+ ipsec_support | netsmb
# AP common nvram interface MIPS specific, but maybe should be more generic
dev/nvram2env/nvram2env.c optional nvram2env
diff --git a/sys/conf/files.pc98 b/sys/conf/files.pc98
index ae45b80..a3c5149 100644
--- a/sys/conf/files.pc98
+++ b/sys/conf/files.pc98
@@ -90,11 +90,11 @@ compat/svr4/svr4_syscallnames.c optional compat_svr4
compat/svr4/svr4_sysent.c optional compat_svr4
compat/svr4/svr4_sysvec.c optional compat_svr4
compat/svr4/svr4_termios.c optional compat_svr4
-bf_enc.o optional crypto | ipsec \
+bf_enc.o optional crypto | ipsec | ipsec_support \
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
no-implicit-rule
-crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
+crypto/des/arch/i386/des_enc.S optional crypto | ipsec | ipsec_support | netsmb
dev/agp/agp_ali.c optional agp
dev/agp/agp_amd.c optional agp
dev/agp/agp_i810.c optional agp
diff --git a/sys/conf/files.powerpc b/sys/conf/files.powerpc
index d1d5312..1d6aa11 100644
--- a/sys/conf/files.powerpc
+++ b/sys/conf/files.powerpc
@@ -20,8 +20,8 @@ cddl/contrib/opensolaris/common/atomic/powerpc64/opensolaris_atomic.S optional z
cddl/dev/dtrace/powerpc/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}"
cddl/dev/dtrace/powerpc/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}"
cddl/dev/fbt/powerpc/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb
dev/bm/if_bm.c optional bm powermac
dev/adb/adb_bus.c optional adb
dev/adb/adb_kbd.c optional adb
diff --git a/sys/conf/files.riscv b/sys/conf/files.riscv
index fe30078..addef0e 100644
--- a/sys/conf/files.riscv
+++ b/sys/conf/files.riscv
@@ -3,8 +3,8 @@ cddl/compat/opensolaris/kern/opensolaris_atomic.c optional zfs | dtrace compile-
cddl/dev/dtrace/riscv/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}"
cddl/dev/dtrace/riscv/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}"
cddl/dev/fbt/riscv/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb
dev/ofw/ofw_cpu.c optional fdt
dev/uart/uart_cpu_fdt.c optional uart fdt
dev/xilinx/axi_quad_spi.c optional xilinx_spi
diff --git a/sys/conf/files.sparc64 b/sys/conf/files.sparc64
index a9643bd..ab543f1 100644
--- a/sys/conf/files.sparc64
+++ b/sys/conf/files.sparc64
@@ -23,8 +23,8 @@ ukbdmap.h optional ukbd_dflt_keymap \
clean "ukbdmap.h"
#
cddl/contrib/opensolaris/common/atomic/sparc64/opensolaris_atomic.S optional zfs compile-with "${ZFS_S}"
-crypto/blowfish/bf_enc.c optional crypto | ipsec
-crypto/des/des_enc.c optional crypto | ipsec | netsmb
+crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support
+crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb
dev/atkbdc/atkbd.c optional atkbd atkbdc
dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc
dev/atkbdc/atkbdc.c optional atkbdc
diff --git a/sys/conf/kern.opts.mk b/sys/conf/kern.opts.mk
index bb4270e..81d16df 100644
--- a/sys/conf/kern.opts.mk
+++ b/sys/conf/kern.opts.mk
@@ -34,6 +34,7 @@ __DEFAULT_YES_OPTIONS = \
INET \
INET6 \
IPFILTER \
+ IPSEC_SUPPORT \
ISCSI \
KERNEL_SYMBOLS \
NETGRAPH \
diff --git a/sys/conf/options b/sys/conf/options
index a58f97a..5dd66e0 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -423,8 +423,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPSEC opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
-IPSEC_FILTERTUNNEL opt_ipsec.h
-IPSEC_NAT_T opt_ipsec.h
+IPSEC_SUPPORT opt_ipsec.h
IPSTEALTH
KRPC
LIBALIAS
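Review bot: Dropping `IPSEC_FILTERTUNNEL` and `IPSEC_NAT_T` from sys/conf/options leaves kernel configuration files that still carry those lines without a stated upgrade path. How config(8) treats an option that is no longer listed is not visible here. If it is accepted without error, a host whose administrator set IPSEC_FILTERTUNNEL to have decapsulated traffic filtered could come up after the upgrade with the unfiltered default and no warning. I would add an UPDATING entry naming both options and what replaces them, and confirm that no remaining source still tests `#ifdef IPSEC_NAT_T` or `#ifdef IPSEC_FILTERTUNNEL`.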
@@ -446,7 +445,7 @@ SIFTR
TCP_OFFLOAD opt_inet.h # Enable code to dispatch TCP offloading
TCP_RFC7413 opt_inet.h
TCP_RFC7413_MAX_KEYS opt_inet.h
-TCP_SIGNATURE opt_inet.h
+TCP_SIGNATURE opt_ipsec.h
VLAN_ARRAY opt_vlan.h
XBONEHACK
FLOWTABLE opt_route.h
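Review bot: Moving `TCP_SIGNATURE` from opt_inet.h to opt_ipsec.h means any source file that tests `#ifdef TCP_SIGNATURE` but includes only opt_inet.h will silently compile without its TCP-MD5 code, with no build error to flag it. The consumers are outside this sys/conf-limited diff, so it cannot be checked here that each of them now has `#include "opt_ipsec.h"`. A missed one would leave RFC 2385 signatures unhandled on that code path while the kernel configuration still claims the option is on. A trailing comment on the line, such as `# RFC 2385 TCP-MD5; in opt_ipsec.h because the IPsec code provides it`, would also explain the unusual header choice.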