tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: IPsec: duplicate sysctls

Le 05/03/2018 à 22:06, Joerg Sonnenberger a écrit :
On Mon, Mar 05, 2018 at 08:44:32AM +0100, Maxime Villard wrote:
As Ryota Ozaki noted a week ago, there are several duplicate sysctls

	net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
	net.inet.esp.net_deflev   = net.inet.ipsec.esp_net_deflev
	net.inet.ah.cleartos      = net.inet.ipsec.ah_cleartos
	net.inet.ah.offsetmask    = net.inet.ipsec.ah_offsetmask
	net.inet.ah.trans_deflev  = net.inet.ipsec.ah_trans_deflev
	net.inet.ah.net_deflev    = net.inet.ipsec.ah_net_deflev

Under net.inet6 there are no duplicates, we use the convention on the
right here.

But I believe the one on the left is the best one. I guess it is fine to
switch everything to the left one and remove the duplicates?

I do prefer the convention on the right, "esp" or "ah" by itself is not
necessary a direct assocation with IPsec.

These sysctls are to be used when IPsec is enabled; so if someone is using
IPsec but has no idea what "ah" or "esp" means, this someone has a problem
in the first place.

Home | Main Index | Thread Index | Old Index