diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index fea10947cf2d..7d64d65593de 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 13, 2002 +.Dd December 1, 2003 .Dt IPFW 8 .Os .Sh NAME @@ -987,6 +987,13 @@ is different from specifying .Cm proto Ar ipsec as the latter will only look at the specific IP protocol field, irrespective of IPSEC kernel support and the validity of the IPSEC data. +.Pp +Further note that this flag is silently ignored in kernels without +IPSEC support. +It does not affect rule processing when given and the +rules are handled as if with no +.Cm ipsec +flag. .It Cm iptos Ar spec Matches IP packets whose .Cm tos diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 6511722ec4ae..c2578a08151f 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -37,6 +37,7 @@ #include "opt_ipdn.h" #include "opt_ipdivert.h" #include "opt_inet.h" +#include "opt_ipsec.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */