Commit 6b3b6e59 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

pfkey: Deprecate pfkey 



The pfkey user configuration interface was replaced by the netlink
user configuration interface more than a decade ago. In between
all maintained IKE implementations moved to the netlink interface.
So let config NET_KEY default to no in Kconfig. The pfkey code
will be removed in a second step.

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Acked-by: default avatarAntony Antony <antony.antony@secunet.com>
Acked-by: default avatarTobias Brunner <tobias@strongswan.org>
Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: default avatarTuomo Soini <tis@foobar.fi>
Acked-by: default avatarPaul Wouters <paul@nohats.ca>
parent 7197e080

net/key/af_key.c

+2 −0
Original line number Diff line number Diff line
@@ -3903,6 +3903,8 @@ static int __init ipsec_pfkey_init(void) 
{

	int err = proto_register(&key_proto, 0);



	pr_warn_once("PFKEY is deprecated and scheduled to be removed in 2027, "

	             "please contact the netdev mailing list\n");

	if (err != 0)

		goto out;

net/xfrm/Kconfig

+7 −4
Original line number Diff line number Diff line
@@ -110,14 +110,17 @@ config XFRM_IPCOMP 
	select CRYPTO_DEFLATE



config NET_KEY

	tristate "PF_KEY sockets"

	tristate "PF_KEY sockets (deprecated)"

	select XFRM_ALGO

	help

	  PF_KEYv2 socket family, compatible to KAME ones.

	  They are required if you are going to use IPsec tools ported

	  from KAME.



	  Say Y unless you know what you are doing.

	  The PF_KEYv2 socket interface is deprecated and

	  scheduled for removal. All maintained IKE daemons

	  no longer need PF_KEY sockets. Please use the netlink

	  interface (XFRM_USER) to configure IPsec.



	  If unsure, say N.



config NET_KEY_MIGRATE

	bool "PF_KEY MIGRATE"