Unconditionally enable support for O_IPSEC opcode.

IPsec support can be loaded as kernel module, thus do not depend from kernel option IPSEC and always build O_IPSEC opcode implementation as enabled. Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC
2017-11-17 22:40:02 +00:00 · 2017-11-17 22:40:02 +00:00 · 2234692101
commit 2234692101
parent 63d5d6c71f
2 changed files with 2 additions and 5 deletions
--- a/sys/modules/ipfw/Makefile
+++ b/sys/modules/ipfw/Makefile
@ -7,7 +7,7 @@ SRCS=	ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c
 SRCS+=	ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c
 SRCS+=	ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c
 SRCS+=	ip_fw_table_value.c
-SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h opt_ipsec.h
+SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h

 CFLAGS+= -DIPFIREWALL
 #
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@ -37,7 +37,6 @@ __FBSDID("$FreeBSD$");
 #error "IPFIREWALL requires INET"
 #endif /* INET */
 #include "opt_inet6.h"
-#include "opt_ipsec.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -1945,10 +1944,8 @@ do {								\
 				break;

 			case O_IPSEC:
-#ifdef IPSEC
 				match = (m_tag_find(m,
 				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
-#endif
 				/* otherwise no match */
 				break;

@ -2563,7 +2560,7 @@ do {								\
 			case O_NAT:
 				l = 0;          /* exit inner loop */
 				done = 1;       /* exit outer loop */
- 				if (!IPFW_NAT_LOADED) {
+				if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				    retval = IP_FW_DENY;
 				    break;
 				}