On 10.05.2019 11:46, Alexey Dokuchaev wrote:
> On Thu, May 09, 2019 at 10:38:15PM +0000, Andrew Gallatin wrote:
>> Author: gallatin
>> Date: Thu May 9 22:38:15 2019
>> New Revision: 347410
>> URL: https://svnweb.freebsd.org/changeset/base/347410
>>
>> Log:
>> Remove IPSEC from GENERIC due to performance issues
>>
>> @@ -30,7 +30,6 @@ options PREEMPTION # Enable ...
>> options VIMAGE # Subsystem virtualization, e.g. VNET
>> options INET # InterNETworking
>> options INET6 # IPv6 communications protocols
>> -options IPSEC # IP (v4/v6) security
>> options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
>
> I've asked this question some two years ago, but no one could answer it
> back then, so I'll try again.
>
> What is the reason behind having IPSEC_SUPPORT option instead of no special
> option at all? If I grep for SUPPORT in conf/GENERIC, I see things like
> INVARIANT_SUPPORT or IEEE80211_SUPPORT_MESH (with meaningful explanations)
> but IPSEC_SUPPORT which, per the comment, "allows to kldload of ipsec and
> tcpmd5", is totally beyond me. Lots of kernel features are/can be loaded
> as modules, but we don't have things like SOUND_SUPPORT or USB_SUPPORT.
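Review bot: The log line "Remove IPSEC from GENERIC due to performance issues" does not say what the performance issue is or how users who relied on GENERIC get IPsec back; since the hunk deliberately keeps `options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5`, the message should state that IPsec remains available by loading the ipsec module, and name the overhead being removed so the trade-off can be reviewed later.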
IPSEC_SUPPORT builds the PF_KEY protocol domain into the kernel, which is required by the IPsec implementation to interact with userlevel. Currently the kernel does not support unregistering protocol domains. This is mostly why the IPSEC_SUPPORT option was introduced. The second reason is to reduce the overhead that IPSEC produces even when it is not used.

-- 
WBR, Andrey V. Elsukov
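The reply above says the point of IPSEC_SUPPORT is to register the PF_KEY protocol domain, the channel through which userland programs configure kernel IPsec. The following probe, added here as an example and not taken from the thread or from FreeBSD's own sources, opens a PF_KEY socket and classifies the result, which is the cheapest way for an operator to check whether a running kernel can accept IPsec configuration at all. It assumes only `<sys/socket.h>` and the PF_KEY version-2 protocol number from RFC 2367 (2 on both FreeBSD and Linux); the enum names and the errno classification are this example's own.

```c
/*
 * Probe whether the running kernel registers the PF_KEY protocol domain,
 * i.e. whether userland could talk to the kernel IPsec code at all.
 * On FreeBSD this domain is what `options IPSEC_SUPPORT` compiles in;
 * on Linux it corresponds to CONFIG_NET_KEY (af_key).
 * Added example; not part of the mailing-list thread or of FreeBSD.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef PF_KEY_V2
#define PF_KEY_V2 2   /* protocol number of PF_KEY version 2 (RFC 2367) */
#endif

enum pfkey_status {
    PFKEY_AVAILABLE = 0,   /* socket() succeeded: the domain is registered */
    PFKEY_NOT_IN_KERNEL,   /* kernel has no PF_KEY domain (not built in, not loadable) */
    PFKEY_DENIED,          /* domain exists but this process may not open it */
    PFKEY_OTHER_ERROR      /* anything else; inspect the saved errno */
};

/* Open and immediately close a PF_KEY socket, then classify the outcome.
 * The errno seen on failure is stored through saved_errno when non-NULL. */
enum pfkey_status probe_pfkey(int *saved_errno)
{
    int fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (fd >= 0) {
        close(fd);
        if (saved_errno) *saved_errno = 0;
        return PFKEY_AVAILABLE;
    }
    int e = errno;
    if (saved_errno) *saved_errno = e;
    switch (e) {
    case EAFNOSUPPORT:     /* FreeBSD: no domain registered for this family */
    case EPROTONOSUPPORT:  /* domain present but this protocol is not */
    case ESOCKTNOSUPPORT:
        return PFKEY_NOT_IN_KERNEL;
    case EPERM:            /* Linux requires CAP_NET_ADMIN to open PF_KEY */
    case EACCES:
        return PFKEY_DENIED;
    default:
        return PFKEY_OTHER_ERROR;
    }
}

/* Human-readable label for a probe result (names chosen for this example). */
const char *pfkey_status_name(enum pfkey_status s)
{
    switch (s) {
    case PFKEY_AVAILABLE:     return "available";
    case PFKEY_NOT_IN_KERNEL: return "not-in-kernel";
    case PFKEY_DENIED:        return "denied";
    default:                  return "error";
    }
}

int main(void)
{
    int err = 0;
    enum pfkey_status s = probe_pfkey(&err);
    printf("PF_KEY: %s", pfkey_status_name(s));
    if (err) printf(" (%s)", strerror(err));
    printf("\n");
    return 0;
}
```

On a GENERIC kernel after this change the probe reports "available", because IPSEC_SUPPORT still registers the domain even though the IPsec code itself is no longer static; a custom kernel built with neither IPSEC nor IPSEC_SUPPORT reports "not-in-kernel", and no later kldload can change that, which is exactly the unregistering limitation described above. The probe only shows that the domain exists, not whether the ipsec module is currently loaded, which kldstat reports.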