Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate

code is compiled in to support the O_IPSEC operator. Previously no support was included and ipsec rules were always matching. Note that we do not return an error when an ipsec rule is added and the kernel does not have IPsec support compiled in; this is done intentionally but we may want to revisit this (document this in the man page). PR: 58899 Submitted by: Bjoern A. Zeeb Approved by: re (rwatson)
svn path=/head/; revision=123096
2003-12-02 00:23:45 +00:00 · 2003-12-02 00:23:45 +00:00 · d559f5c3d8 · 2020-12-20 02:59:44 +00:00
commit d559f5c3d8
parent 186e347f2c
2 changed files with 9 additions and 1 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 13, 2002
+.Dd December 1, 2003
 .Dt IPFW 8
 .Os
 .Sh NAME
@ -987,6 +987,13 @@ is different from specifying
 .Cm proto Ar ipsec
 as the latter will only look at the specific IP protocol field,
 irrespective of IPSEC kernel support and the validity of the IPSEC data.
+.Pp
+Further note that this flag is silently ignored in kernels without
+IPSEC support.
+It does not affect rule processing when given and the
+rules are handled as if with no
+.Cm ipsec
+flag.
 .It Cm iptos Ar spec
 Matches IP packets whose
 .Cm tos
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@ -37,6 +37,7 @@
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
 #include "opt_inet.h"
+#include "opt_ipsec.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */