From: Steffen Klassert <steffen.klassert@secunet.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
Paul Wouters <paul@nohats.ca>,
Andreas Steffen <andreas.steffen@strongswan.org>,
Tobias Brunner <tobias@strongswan.org>,
Antony Antony <antony@phenome.org>, Tuomo Soini <tis@foobar.fi>,
"David S. Miller" <davem@davemloft.net>,
Florian Westphal <fw@strlen.de>,
Sabrina Dubroca <sd@queasysnail.net>
Cc: <netdev@vger.kernel.org>, <devel@linux-ipsec.org>
Subject: [PATCH v2 ipsec-next] pfkey: Deprecate pfkey
Date: Tue, 28 Oct 2025 07:29:09 +0100 [thread overview]
Message-ID: <aQBitXM2fxLb82Eq@secunet.com> (raw)
The pfkey user configuration interface was replaced by the netlink
user configuration interface more than a decade ago. In between
all maintained IKE implementations moved to the netlink interface.
So let config NET_KEY default to no in Kconfig. The pfkey code
will be removed in a second step.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Antony Antony <antony.antony@secunet.com>
Acked-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Tuomo Soini <tis@foobar.fi>
Acked-by: Paul Wouters <paul@nohats.ca>
---
Changes in v2:
- Add some new tags.
- Fix two typos in the commit message.
net/key/af_key.c | 2 ++
net/xfrm/Kconfig | 11 +++++++----
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..571200433aa9 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3903,6 +3903,8 @@ static int __init ipsec_pfkey_init(void)
{
int err = proto_register(&key_proto, 0);
+ pr_warn_once("PFKEY is deprecated and scheduled to be removed in 2027, "
+ "please contact the netdev mailing list\n");
if (err != 0)
goto out;
diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index f0157702718f..4a62817a88f8 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -110,14 +110,17 @@ config XFRM_IPCOMP
select CRYPTO_DEFLATE
config NET_KEY
- tristate "PF_KEY sockets"
+ tristate "PF_KEY sockets (deprecated)"
select XFRM_ALGO
help
PF_KEYv2 socket family, compatible to KAME ones.
- They are required if you are going to use IPsec tools ported
- from KAME.
- Say Y unless you know what you are doing.
+ The PF_KEYv2 socket interface is deprecated and
+ scheduled for removal. All maintained IKE daemons
+ no longer need PF_KEY sockets. Please use the netlink
+ interface (XFRM_USER) to configure IPsec.
+
+ If unsure, say N.
config NET_KEY_MIGRATE
bool "PF_KEY MIGRATE"
--
2.43.0
next reply other threads:[~2025-10-28 6:29 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-28 6:29 Steffen Klassert [this message]
2025-11-01 12:26 ` [PATCH v2 ipsec-next] pfkey: Deprecate pfkey Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQBitXM2fxLb82Eq@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=andreas.steffen@strongswan.org \
--cc=antony@phenome.org \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=fw@strlen.de \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=paul@nohats.ca \
--cc=sd@queasysnail.net \
--cc=tis@foobar.fi \
--cc=tobias@strongswan.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.