diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 9a1ab784a3d7..7577f9413d29 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 13, 2016
+.Dd August 21, 2016
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1588,8 +1588,7 @@ Matches IPv4 packets whose precedence field is equal to
 .It Cm ipsec
 Matches packets that have IPSEC history associated with them
 (i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
-decapsulate it).
+has IPSEC support, and can correctly decapsulate it).
 .Pp
 Note that specifying
 .Cm ipsec
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 9055349d755d..ddaed9c1cf00 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -626,17 +626,6 @@ options TCP_OFFLOAD # TCP offload support.
 options IPSEC #IP security (requires device crypto)
 #options IPSEC_DEBUG #debug for IP security
 #
-# #DEPRECATED#
-# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
-# coming through a tunnel to be processed by any configured packet filtering
-# twice. The default is that packets coming out of a tunnel are _not_ processed;
-# they are assumed trusted.
-#
-# IPSEC history is preserved for such packets, and can be filtered
-# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
-#
-#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
-#
 # Set IPSEC_NAT_T to enable NAT-Traversal support. This enables
 # optional UDP encapsulation of ESP packets.
 #
diff --git a/sys/conf/options b/sys/conf/options
index adf4cfafe8cb..092241bb7fbb 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -424,7 +424,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
 IPSEC opt_ipsec.h
 IPSEC_DEBUG opt_ipsec.h
-IPSEC_FILTERTUNNEL opt_ipsec.h
 IPSEC_NAT_T opt_ipsec.h
 IPSTEALTH
 KRPC
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index ac1e3d56d73c..1b72553a42e5 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -68,11 +68,7 @@ __FBSDID("$FreeBSD$");
 extern struct protosw inetsw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
-#else
 static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
-#endif
 #define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
 SYSCTL_DECL(_net_inet_ipsec);
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index a99f1db14e8e..926e45c65713 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -79,11 +79,7 @@ __FBSDID("$FreeBSD$");
 extern struct protosw inet6sw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
-#else
 static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
-#endif
 #define V_ip6_ipsec6_filtertunnel VNET(ip6_ipsec6_filtertunnel)
 SYSCTL_DECL(_net_inet6_ipsec6);
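Review bot: Nothing next to `static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;` in sys/netinet/ip_ipsec.c says what the 0 default means, and the sys/conf/NOTES hunk removes the only visible statement that packets coming out of a tunnel are then not run through the packet filters. A kernel built with `options IPSEC_FILTERTUNNEL` used to start with the value 1, so after an upgrade it fails open unless the operator sets the sysctl at runtime (presumably `net.inet.ipsec.filtertunnel`; its SYSCTL declaration is outside the hunk). I would add a comment above the definition such as `/* 0: decapsulated tunnel packets are not passed to the packet filters again; set the filtertunnel sysctl to 1 to filter them. */` and mention the changed default in the upgrade notes. The same applies to `ip6_ipsec6_filtertunnel` in sys/netinet6/ip6_ipsec.c.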