authorBjoern A. Zeeb <bz@FreeBSD.org>2016-08-21 18:55:30 +0000
committerBjoern A. Zeeb <bz@FreeBSD.org>2016-08-21 18:55:30 +0000
commit77ecef378a43bf915f7acfd64fdbdc503e4f474d (patch)
tree4725641ede5da9f4a05f6a6d04d9313629ec4c0a
parenta6ae9251b42c52d9d88107018a99db7f061d146b (diff)
Notes
-rw-r--r--sbin/ipfw/ipfw.85
-rw-r--r--sys/conf/NOTES11
-rw-r--r--sys/conf/options1
-rw-r--r--sys/netinet/ip_ipsec.c4
-rw-r--r--sys/netinet6/ip6_ipsec.c4
5 files changed, 2 insertions, 23 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 9a1ab784a3d71..7577f9413d29d 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 13, 2016
+.Dd August 21, 2016
.Dt IPFW 8
.Os
.Sh NAME
@@ -1588,8 +1588,7 @@ Matches IPv4 packets whose precedence field is equal to
.It Cm ipsec
Matches packets that have IPSEC history associated with them
(i.e., the packet comes encapsulated in IPSEC, the kernel
-has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
-decapsulate it).
+has IPSEC support, and can correctly decapsulate it).
.Pp
Note that specifying
.Cm ipsec
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 9055349d755d1..ddaed9c1cf007 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -626,17 +626,6 @@ options TCP_OFFLOAD # TCP offload support.
options IPSEC #IP security (requires device crypto)
#options IPSEC_DEBUG #debug for IP security
#
-# #DEPRECATED#
-# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
-# coming through a tunnel to be processed by any configured packet filtering
-# twice. The default is that packets coming out of a tunnel are _not_ processed;
-# they are assumed trusted.
-#
-# IPSEC history is preserved for such packets, and can be filtered
-# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
-#
-#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
-#
# Set IPSEC_NAT_T to enable NAT-Traversal support. This enables
# optional UDP encapsulation of ESP packets.
#
diff --git a/sys/conf/options b/sys/conf/options
index adf4cfafe8cb8..092241bb7fbb8 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -424,7 +424,6 @@ IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
IPSEC opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
-IPSEC_FILTERTUNNEL opt_ipsec.h
IPSEC_NAT_T opt_ipsec.h
IPSTEALTH
KRPC
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index ac1e3d56d73ce..1b72553a42e52 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -68,11 +68,7 @@ __FBSDID("$FreeBSD$");
extern struct protosw inetsw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 1;
-#else
static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;
-#endif
#define V_ip4_ipsec_filtertunnel VNET(ip4_ipsec_filtertunnel)
SYSCTL_DECL(_net_inet_ipsec);
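Review bot: The surviving `static VNET_DEFINE(int, ip4_ipsec_filtertunnel) = 0;` is now the only place the default is set, and nothing beside it says what 0 means; the one explanation visible in this commit is the sys/conf/NOTES text being deleted. A comment above the definition would keep that security-relevant default visible, for example `/* 0: packets coming out of an IPsec tunnel are not passed through the packet filters again; change at runtime via the sysctl. */`, where the sysctl is the one declared under `_net_inet_ipsec` outside this hunk. Hosts whose kernel configuration set IPSEC_FILTERTUNNEL presumably need that sysctl set explicitly after this change to keep filtering decapsulated traffic, which would be worth stating in the commit message or release notes. The same applies to `ip6_ipsec6_filtertunnel` in sys/netinet6/ip6_ipsec.c.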
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index a99f1db14e8e6..926e45c657139 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -79,11 +79,7 @@ __FBSDID("$FreeBSD$");
extern struct protosw inet6sw[];
-#ifdef IPSEC_FILTERTUNNEL
-static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 1;
-#else
static VNET_DEFINE(int, ip6_ipsec6_filtertunnel) = 0;
-#endif
#define V_ip6_ipsec6_filtertunnel VNET(ip6_ipsec6_filtertunnel)
SYSCTL_DECL(_net_inet6_ipsec6);