diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 4521ca371294..2525f289e6f4 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 16, 2007
+.Dd August 5, 2007
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1251,7 +1251,7 @@ Matches IPv4 packets whose precedence field is equal to
 .It Cm ipsec
 Matches packets that have IPSEC history associated with them
 (i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERGIF option, and can correctly
+has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
 decapsulate it).
 .Pp
 Note that specifying
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 3bfd7bd42120..4bc45d6ee28d 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 1, 2007
+.Dd August 5, 2007
 .Dt IPSEC 4
 .Os
 .Sh NAME
@@ -37,7 +37,7 @@
 .Nd Internet Protocol Security protocol
 .Sh SYNOPSIS
 .Cd "options IPSEC"
-.Cd "options IPSEC_FILTERGIF"
+.Cd "options IPSEC_FILTERTUNNEL"
 .Cd "device crypto"
 .Pp
 .In sys/types.h
@@ -89,7 +89,7 @@ inbound.
 To properly filter on the inner packets of an
 .Nm
 tunnel with firewalls, add
-.Cd "options IPSEC_FILTERGIF"
+.Cd "options IPSEC_FILTERTUNNEL"
 to the kernel configuration file.
 .\"
 .Ss Kernel interface
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 2daa91a437e6..6303c0b0459c 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -501,15 +501,15 @@ options INET6 #IPv6 communications protocols options IPSEC #IP security (requires device crypto) #options IPSEC_DEBUG #debug for IP security # -# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel -# to be processed by any configured packet filtering (ipfw, ipf). -# The default is that packets coming from a tunnel are _not_ processed; +# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel +# to be processed by any configured packet filtering twice. +# The default is that packets coming out of a tunnel are _not_ processed; # they are assumed trusted. # # IPSEC history is preserved for such packets, and can be filtered # using ipfw(8)'s 'ipsec' keyword, when this option is enabled. # -#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel +#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel options IPX #IPX/SPX communications protocols diff --git a/sys/conf/options b/sys/conf/options index 633cdbb4fa81..337bd2a20e9f 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -362,7 +362,7 @@ INET opt_inet.h INET6 opt_inet6.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h -IPSEC_FILTERGIF opt_ipsec.h +IPSEC_FILTERTUNNEL opt_ipsec.h IPDIVERT DUMMYNET opt_ipdn.h IPFILTER opt_ipfilter.h diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index f7a0ed364f0c..3d7276f68d76 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -395,7 +395,7 @@ ip_input(struct mbuf *m) /* * Bypass packet filtering for packets from a tunnel (gif). */ - if (ip_ipsec_filtergif(m)) + if (ip_ipsec_filtertunnel(m)) goto passin; #endif /* IPSEC */ diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 593bb5ae64a7..7db0cdddb282 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c 
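Review bot: The comment directly above the renamed call in the ip_input.c hunk still reads `* Bypass packet filtering for packets from a tunnel (gif).`, whereas the matching comment in ip_ipsec.c and ip6_ipsec.c has its `(gif)` dropped in this same commit, so the IPv4 input path now documents a narrower bypass than the code performs. The callee keys on an IPsec input tag rather than on the gif interface, which is the point of the IPSEC_FILTERTUNNEL rename, so the comment should say `* Bypass packet filtering for packets from a tunnel.` here as well. Since this bypass is the default unless IPSEC_FILTERTUNNEL is configured (per the NOTES hunk), a reader auditing where decapsulated traffic skips packet filtering will look at exactly this comment. ip_input() extends well beyond the hunk, including the passin label the branch jumps to.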
@@ -69,11 +69,11 @@ extern struct protosw inetsw[];
 * 1 = jump over firewall, 0 = packet goes through firewall.
 */
 int
-ip_ipsec_filtergif(struct mbuf *m)
+ip_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
 /*
- * Bypass packet filtering for packets from a tunnel (gif).
+ * Bypass packet filtering for packets from a tunnel.
 */
 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
diff --git a/sys/netinet/ip_ipsec.h b/sys/netinet/ip_ipsec.h
index f0b0b5abcf46..af82b31bf49c 100644
--- a/sys/netinet/ip_ipsec.h
+++ b/sys/netinet/ip_ipsec.h
@@ -32,7 +32,7 @@
 #ifndef _NETINET_IP_IPSEC_H_
 #define _NETINET_IP_IPSEC_H_
 
-int ip_ipsec_filtergif(struct mbuf *);
+int ip_ipsec_filtertunnel(struct mbuf *);
 int ip_ipsec_fwd(struct mbuf *);
 int ip_ipsec_input(struct mbuf *);
 int ip_ipsec_mtu(struct mbuf *);
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 12b43f292bbb..5e13241e5ddc 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -77,11 +77,11 @@ extern struct protosw inet6sw[];
 * 1 = jump over firewall, 0 = packet goes through firewall.
 */
 int
-ip6_ipsec_filtergif(struct mbuf *m)
+ip6_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
 /*
- * Bypass packet filtering for packets from a tunnel (gif).
+ * Bypass packet filtering for packets from a tunnel.
 */
 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
diff --git a/sys/netinet6/ip6_ipsec.h b/sys/netinet6/ip6_ipsec.h
index c3ff8c06b534..2b5668dbae3e 100644
--- a/sys/netinet6/ip6_ipsec.h
+++ b/sys/netinet6/ip6_ipsec.h
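Review bot: The header comment above ip_ipsec_filtertunnel (it begins outside the hunk) still only states `1 = jump over firewall, 0 = packet goes through firewall`, but now that the option is named for tunnels in general it should also spell out the build-time contract the `#if` encodes: a packet carrying PACKET_TAG_IPSEC_IN_DONE is passed around the firewall unless the kernel is built with IPSEC_FILTERTUNNEL, which is the "assumed trusted" default described in NOTES. Suggested addition to that comment: ` * Unless IPSEC_FILTERTUNNEL is configured, a packet that already went through IPsec input processing (PACKET_TAG_IPSEC_IN_DONE) skips the firewall; with the option set it is filtered like any other packet.` The same applies to ip6_ipsec_filtertunnel in the ip6_ipsec.c hunk below. Both function bodies continue past their hunks, so the return value for the IPSEC_FILTERTUNNEL-defined case is not visible here; and while the ip_input.c caller is renamed in this diff, no IPv6 input-path caller of the old ip6_ipsec_filtergif name appears, which is worth confirming if one exists.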
@@ -32,7 +32,7 @@
 #ifndef _NETINET_IP6_IPSEC_H_
 #define _NETINET_IP6_IPSEC_H_
 
-int ip6_ipsec_filtergif(struct mbuf *);
+int ip6_ipsec_filtertunnel(struct mbuf *);
 int ip6_ipsec_fwd(struct mbuf *);
 int ip6_ipsec_input(struct mbuf *, int);
 int ip6_ipsec_mtu(struct mbuf *);