From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C43B42BD03C for ; Fri, 4 Jul 2025 08:26:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751617618; cv=none; b=VW9WA+9NoSuqcmQJlOsyZ8l1gzua4JInJ/dm8IIoV32jHTb/1ct9ZRLx4ONkG88qy8WkCqlB8ZfwLI5N+/cEDPYOeVJqmCIgI/CIiUkcgB2jz+Z1cMNE6L4RD8oLjdjztOvcD3hOWUDukN+oabeE9sK02mYjrrubVNt9zqjscxc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751617618; c=relaxed/simple; bh=9rLW76PiU8kxGz2wkzwgVQ/4unn3cMJeqBMXxzoUOcs=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=TAHsrC96szPAuCXTOhMRfU4TqC/9HgH6lEGDSIAA2ySuZskRM7ML1/YWuGp725dFHYWqjg32q+Vs1e+U4f86Et2FHKVkrLUIiIcTSjjfsRepaVAGqbvz6FLQ25MJnr+SPfhEQd3q5AcFoPKfQHDU2o0T0HXEnQI+oRsYgOTahss= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=strlen.de Received: by Chamillionaire.breakpoint.cc (Postfix, from userid 1003) id DCBB860491; Fri, 4 Jul 2025 10:26:47 +0200 (CEST) Date: Fri, 4 Jul 2025 10:26:39 +0200 From: Florian Westphal To: Steffen Klassert Cc: Herbert Xu , Paul Wouters , Andreas Steffen , Tobias Brunner , Antony Antony , Tuomo Soini , "David S. Miller" , netdev@vger.kernel.org, devel@linux-ipsec.org Subject: Re: [PATCH RFC ipsec-next] pfkey: Deprecate pfkey Message-ID: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Steffen Klassert wrote: > The pfkey user configuration interface was replaced by the netlink > user configuration interface more than a decade ago. In between > all maintained IKE implementations moved to the netlink interface. > So let 'config NET_KEY' default to no in Kconfig. The pfkey code > will be removed in a second step. I'd suggest to also do something like b144fcaf46d4 ("dccp: Print deprecation notice.") > Signed-off-by: Steffen Klassert > --- > net/xfrm/Kconfig | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig > index f0157702718f..aedea7a892db 100644 > --- a/net/xfrm/Kconfig > +++ b/net/xfrm/Kconfig > @@ -110,14 +110,17 @@ config XFRM_IPCOMP > select CRYPTO_DEFLATE > > config NET_KEY > - tristate "PF_KEY sockets" > + tristate "PF_KEY sockets (deprecated)" > select XFRM_ALGO > + default n > help > PF_KEYv2 socket family, compatible to KAME ones. > - They are required if you are going to use IPsec tools ported > - from KAME. > > - Say Y unless you know what you are doing. > + The PF_KEYv2 socket interface is deprecated and > + scheduled for removal. Please use the netlink > + interface (XFRM_USER) to configure IPsec. Perhaps this should mention that all existing IKE daemons no longer need this resp. that this is only required for ancient/unmaintained KAME tools?