
ipsec(4), sysctl(3) and net.inet.ip.ipsec-acl (OpenBSD 2.8)

Hi Mr. Angelos,

first of all, congratulations for your great job on OpenBSD IPSec stack. 

Short message:

	OpenBSD 2.8 GENERIC#399 i386

	sysctl(3) and ipsec(4) write about net.inet.ip.ipsec-acl,
	which doesn't exist anymore.

I'm playing with IPSec on 2 machines running OpenBSD 2.7 and found
net.inet.ip.ipsec-acl=1 as default (as opposed to what is in sysctl(3)).

Now I have just installed 1 new machine with 2.8 and there is no more
net.inet.ip.ipsec-acl (according to your message in September at
http://www.geocrawler.com/archives/3/261/2000/9/0/4365834/):

>5)
>Changing net.inet.ip.ipsec-acl 1 or 0 seems not to matter.  If
>I have
>rules for enc0, they are obeyed.  So what does ipsec-acl
>control?

  If you're using rc.vpn or isakmpd, it's taken care of automatically (you
  should set it to 1, aka paranoid mode); briefly, it does incoming packet
  checking after it's been processed by IPsec (it's also explained somewhat
  in the ipsecadm and sysctl(3) man pages). It's been deprecated (as of a
  couple of hours ago).

  -Angelos


I think (from the 2.8 point of view) sysctl(3) and ipsec(4) are not updated
yet. I'll bring this machine to the -STABLE branch as soon as possible. Sorry
if this bug has already been fixed; I found no other message about ipsec-acl on
the -tech list.

Thanks for your time.
Eduardo

fourier:src> uname -a
OpenBSD fourier 2.8 GENERIC#399 i386

net.inet.ip.ipsec-expire-acquire = 30
net.inet.ip.ipsec-invalid-life = 60
net.inet.ip.ipsec-pfs = 1
net.inet.ip.ipsec-soft-allocs = 0
net.inet.ip.ipsec-allocs = 0
net.inet.ip.ipsec-soft-bytes = 0
net.inet.ip.ipsec-bytes = 0
net.inet.ip.ipsec-timeout = 86400
net.inet.ip.ipsec-soft-timeout = 80000
net.inet.ip.ipsec-soft-firstuse = 3600
net.inet.ip.ipsec-firstuse = 7200
net.inet.ip.ipsec-enc-alg = aes
net.inet.ip.ipsec-auth-alg = hmac-sha1