From fa43ee09d4da2bd923f5bc116b713b8731e7f83b Mon Sep 17 00:00:00 2001
From: Bruce M Simpson
Date: Tue, 22 Jun 2004 22:02:57 +0000
Subject: [PATCH] Correct a misleading comment regarding the IPSEC_FILTERGIF option.

PR: 57125
Requested by: Adrian Steinmann
---
 sys/conf/NOTES | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index ecb447dee3cd..d31f4ffdc1b0 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -372,9 +372,8 @@ options IPSEC_DEBUG #debug for IP security
 # The default is that packets coming from a tunnel are _not_ processed;
 # they are assumed trusted.
 #
-# Note that enabling this can be problematic as there are no mechanisms
-# in place for distinguishing packets coming out of a tunnel (e.g. no
-# encX devices as found on openbsd).
+# IPSEC history is preserved for such packets, and can be filtered
+# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
 #
 #options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
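Review bot: The two added comment lines read ambiguously, because the trailing "when this option is enabled" can attach either to the history being preserved or to the ability to filter, and "can be filtered" has the history rather than the packets as its subject. The preceding context says that by default tunnel traffic is not processed and is assumed trusted, so the reader most needs to know what changes for the rule set once the option is on. I would reword it to put the condition first, for example `# When this option is enabled, IPSEC history is preserved for such` / `# packets, so ipfw(8) rules can match them with the 'ipsec' keyword.` The comment block starts above the hunk, so any mention of other packet filters there is not visible here and should be checked for consistency with the ipfw-only wording.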