From cc977adc71830f7bee0af42cd2ddb647991fe430 Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb"
Date: Sun, 5 Aug 2007 16:16:15 +0000
Subject: [PATCH] Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL. Also rename the related functions in a similar way. There are no functional changes. For a packet coming in with IPsec tunnel mode, the default is to only call into the firewall with the "outer" IP header and payload. With this option turned on, in addition to the "outer" parts, the "inner" IP header and payload are passed to the firewall too when going through ip_input() the second time. The option was never only related to a gif(4) tunnel within an IPsec tunnel and thus the name was very misleading.
Discussed at: BSDCan 2007
Best new name suggested by: rwatson
Reviewed by: rwatson
Approved by: re (bmah)
---
 sbin/ipfw/ipfw.8 | 4 ++--
 share/man/man4/ipsec.4 | 6 +++---
 sys/conf/NOTES | 8 ++++----
 sys/conf/options | 2 +-
 sys/netinet/ip_input.c | 2 +-
 sys/netinet/ip_ipsec.c | 6 +++---
 sys/netinet/ip_ipsec.h | 2 +-
 sys/netinet6/ip6_ipsec.c | 6 +++---
 sys/netinet6/ip6_ipsec.h | 2 +-
 9 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 4521ca371294..2525f289e6f4 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 16, 2007
+.Dd August 5, 2007
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1251,7 +1251,7 @@ Matches IPv4 packets whose precedence field is equal to
 .It Cm ipsec
 Matches packets that have IPSEC history associated with them
 (i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERGIF option, and can correctly
+has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
 decapsulate it).
 .Pp
 Note that specifying
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 3bfd7bd42120..4bc45d6ee28d 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 1, 2007
+.Dd August 5, 2007
 .Dt IPSEC 4
 .Os
 .Sh NAME
@@ -37,7 +37,7 @@
 .Nd Internet Protocol Security protocol
 .Sh SYNOPSIS
 .Cd "options IPSEC"
-.Cd "options IPSEC_FILTERGIF"
+.Cd "options IPSEC_FILTERTUNNEL"
 .Cd "device crypto"
 .Pp
 .In sys/types.h
@@ -89,7 +89,7 @@ inbound.
 To properly filter on the inner packets of an
 .Nm
 tunnel with firewalls, add
-.Cd "options IPSEC_FILTERGIF"
+.Cd "options IPSEC_FILTERTUNNEL"
 to the kernel configuration file.
 .\"
 .Ss Kernel interface
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 2daa91a437e6..6303c0b0459c 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -501,15 +501,15 @@ options INET6 #IPv6 communications protocols
 
 options IPSEC #IP security (requires device crypto)
 #options IPSEC_DEBUG #debug for IP security
 #
-# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
-# to be processed by any configured packet filtering (ipfw, ipf).
-# The default is that packets coming from a tunnel are _not_ processed;
+# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel
+# to be processed by any configured packet filtering twice.
+# The default is that packets coming out of a tunnel are _not_ processed;
 # they are assumed trusted.
 #
 # IPSEC history is preserved for such packets, and can be filtered
 # using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
 #
-#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
+#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
 
 options IPX #IPX/SPX communications protocols
diff --git a/sys/conf/options b/sys/conf/options
index 633cdbb4fa81..337bd2a20e9f 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -362,7 +362,7 @@ INET opt_inet.h
 INET6 opt_inet6.h
 IPSEC opt_ipsec.h
 IPSEC_DEBUG opt_ipsec.h
-IPSEC_FILTERGIF opt_ipsec.h
+IPSEC_FILTERTUNNEL opt_ipsec.h
 IPDIVERT
 DUMMYNET opt_ipdn.h
 IPFILTER opt_ipfilter.h
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index f7a0ed364f0c..3d7276f68d76 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -395,7 +395,7 @@ ip_input(struct mbuf *m)
 /*
 * Bypass packet filtering for packets from a tunnel (gif).
 */
-if (ip_ipsec_filtergif(m))
+if (ip_ipsec_filtertunnel(m))
 goto passin;
 #endif /* IPSEC */
 
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 593bb5ae64a7..7db0cdddb282 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -69,11 +69,11 @@ extern struct protosw inetsw[];
 * 1 = jump over firewall, 0 = packet goes through firewall.
 */
 int
-ip_ipsec_filtergif(struct mbuf *m)
+ip_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
 /*
-* Bypass packet filtering for packets from a tunnel (gif).
+* Bypass packet filtering for packets from a tunnel.
 */
 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
diff --git a/sys/netinet/ip_ipsec.h b/sys/netinet/ip_ipsec.h
index f0b0b5abcf46..af82b31bf49c 100644
--- a/sys/netinet/ip_ipsec.h
+++ b/sys/netinet/ip_ipsec.h
@@ -32,7 +32,7 @@
 #ifndef _NETINET_IP_IPSEC_H_
 #define _NETINET_IP_IPSEC_H_
 
-int ip_ipsec_filtergif(struct mbuf *);
+int ip_ipsec_filtertunnel(struct mbuf *);
 int ip_ipsec_fwd(struct mbuf *);
 int ip_ipsec_input(struct mbuf *);
 int ip_ipsec_mtu(struct mbuf *);
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 12b43f292bbb..5e13241e5ddc 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
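Review bot: The block comment directly above the renamed call in ip_input.c, `Bypass packet filtering for packets from a tunnel (gif).`, still names gif, which is exactly the misleading association the commit removes from the option, the function names and the same comment in ip_ipsec.c. It should be changed in step, e.g. `Bypass packet filtering for packets from a tunnel.`, so the caller and the callee describe the bypass the same way. ip_input() starts and ends outside the hunk, so only this comment and the call site are visible here.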
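Review bot: In ip_ipsec_filtertunnel the reworded comment `Bypass packet filtering for packets from a tunnel.` states the intent but not the test: the branch returns 1 for any mbuf carrying PACKET_TAG_IPSEC_IN_DONE, so whether the bypass is limited to tunnel-mode traffic depends on where that tag is attached, which this hunk does not show. Because this is the firewall bypass that IPSEC_FILTERTUNNEL switches off, the comment should name the actual key, e.g. `Packets already tagged PACKET_TAG_IPSEC_IN_DONE skip the firewall unless IPSEC_FILTERTUNNEL is configured (see NOTES).` The ip6_ipsec.c hunk carries the identical comment and condition and should get the same wording. The function body continues past the hunk, so the fall-through return value is not visible here.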
@@ -77,11 +77,11 @@ extern struct protosw inet6sw[];
 * 1 = jump over firewall, 0 = packet goes through firewall.
 */
 int
-ip6_ipsec_filtergif(struct mbuf *m)
+ip6_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
 /*
-* Bypass packet filtering for packets from a tunnel (gif).
+* Bypass packet filtering for packets from a tunnel.
 */
 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
diff --git a/sys/netinet6/ip6_ipsec.h b/sys/netinet6/ip6_ipsec.h
index c3ff8c06b534..2b5668dbae3e 100644
--- a/sys/netinet6/ip6_ipsec.h
+++ b/sys/netinet6/ip6_ipsec.h
@@ -32,7 +32,7 @@
 #ifndef _NETINET_IP6_IPSEC_H_
 #define _NETINET_IP6_IPSEC_H_
 
-int ip6_ipsec_filtergif(struct mbuf *);
+int ip6_ipsec_filtertunnel(struct mbuf *);
 int ip6_ipsec_fwd(struct mbuf *);
 int ip6_ipsec_input(struct mbuf *, int);
 int ip6_ipsec_mtu(struct mbuf *);