Unconditionally enable support for O_IPSEC opcode.

IPsec support can be loaded as kernel module, thus do not depend from
kernel option IPSEC and always build O_IPSEC opcode implementation as
enabled.

Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC

sys/modules/ipfw/Makefile

@@ -7,7 +7,7 @@ SRCS=	ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c
 SRCS+=	ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c
 SRCS+=	ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c
 SRCS+=	ip_fw_table_value.c
-SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h opt_ipsec.h
+SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h
 
 CFLAGS+= -DIPFIREWALL
 #

sys/netpfil/ipfw/ip_fw2.c

@@ -37,7 +37,6 @@ __FBSDID("$FreeBSD$");
 #error "IPFIREWALL requires INET"
 #endif /* INET */
 #include "opt_inet6.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1945,10 +1944,8 @@ do {								\
 				break;
 
 			case O_IPSEC:
-#ifdef IPSEC
 				match = (m_tag_find(m,
 				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
-#endif
 				/* otherwise no match */
 				break;
 
@@ -2563,7 +2560,7 @@ do {								\
 			case O_NAT:
 				l = 0;          /* exit inner loop */
 				done = 1;       /* exit outer loop */
- 				if (!IPFW_NAT_LOADED) {
+				if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				    retval = IP_FW_DENY;
 				    break;
 				}