NAT-T patch for 7-STABLE

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Wed Aug 26 21:30:08 UTC 2009


On Wed, 26 Aug 2009, VANHULLEBUS Yvan wrote:

Hi,

> On Thu, Aug 13, 2009 at 04:04:05PM +0000, Bjoern A. Zeeb wrote:
>> Hi,
>
> Hi.
> Sorry for the very late answer, but I wanted to work on the userland
> part as soon as I had your patch, then I had an unexpected failure in
> my internet access (still not completely resolved, hope you'll get
> this mail).
>
>
>> I just MFCed the UDP Control Block, which is a prerequisite for merging
>> the NAT-T patch from HEAD (8) to 7-STABLE:
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=196192
>>
>> I also merged back the NAT-T changes from FreeBSD 8/HEAD. This
>> will allow us to provide the same API for tools for FreeBSD 7 (with
>> patch) and stock FreeBSD 8.x and 9 (HEAD).
>
> Great !
>
> With that, I could easily start tests on kernel+userland.

Fantastic; I had hoped that.


> ipsec-tools HEAD is now expected to compile/work with that kernel API,
> and I have a running tunnel with FreeBSD7+patchset+ipsec-tools HEAD as
> the responder (with NAT-T used).
>
> More tests will come soon, but please all report any issue !
>
>
> Latest ipsec-tools snapshot will also compile and work (actually, this
> is exactly the same as HEAD, except some typo fixes....) with that API.

Yes, I could remove my private patches to make ipsec-tools HEAD
compile on FreeBSD 8/9 or 7+patch after the latest update two days ago.



For anyone brave enough to track the bleeding edge of all worlds, I
have put together an initial start of a collection of things...

The following is not for you if you:
(1) don't know how to apply a patch to the kernel, recompile your
     kernel, or wonder what I am talking about.
(2) don't know FreeBSD ports creation and compiling basics.
     You'll need to change the Makefile, touch internals, run a cvs
     checkout, ...
(3) don't know how not to shoot yourself in the foot.

----- my text template that I should streamline and put on the wiki ;) ------
If you are on FreeBSD 6 or earlier, you can stop reading here.

In case you are on 7-STABLE before r196192, either update to latest
7-STABLE or take the patch from SVN r196192 or
http://people.freebsd.org/~bz/20090730-01-mfc-r192649-udpcb.diff
(which should be the same modulo the naming of the spare in the struct
field: "notyetmfced" vs. u_pspare).

In case you are on 7-STABLE (or applied the previous patch), you'll need
this patch on top for NAT-T:
http://people.freebsd.org/~bz/20090813-01-mfc-r194062-natt.diff

In case you are on a recent FreeBSD 8 or FreeBSD 9, you need no
patches for the kernel.


To build an ipsec-tools-devel CVS HEAD checkout port:

apply the patch from the following PR to your ports tree:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138139

and give the instructions from this one and below a try:
http://people.freebsd.org/~bz/20090824-ipsec-tools.tar.gz

(basically the cvs checkout and the tarball creation;
  I guess it's lacking a make makesum at the end)

It may give you something usable.  I am not trying the snapshot regularly,
and the port isn't ready to be used as an automatic port, as you have to do
it all by hand incl. updating PORTVERSION, the cvs checkout, creating the
tarball, make makesum and all that.
But at least for me it compiles the CVS checkout directly, with the port
options from below, on an 8.x/9.x system, without the need for doing any
autocrap stuff manually before creating the src tarball.
You may change the port options of course; I just cannot test all
combinations to see if they work.

If doing this on 7.x make sure to have the kernel patch(es) mentioned above
applied upfront and have the headers installed correctly before you start
building the port.

Successfully tested combination of options:
WITH_DEBUG=true
WITH_IPV6=true
WITHOUT_ADMINPORT=true
WITHOUT_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_NATTF=true
WITH_FRAG=true
WITH_HYBRID=true
WITHOUT_PAM=true
WITHOUT_RADIUS=true
WITHOUT_LDAP=true
WITHOUT_GSSAPI=true
WITHOUT_SAUNSPEC=true
WITH_RC5=true
WITH_IDEA=true
WITHOUT_READLINE=true
------------------------------------------------------------------------

/bz

-- 
Bjoern A. Zeeb           What was I talking about and who are you again?
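Added example, not part of the mail above and not code from the FreeBSD or ipsec-tools projects: a POSIX sh preflight that turns the "which patch do I need" decision from the mail into a check against the installed headers, so you know the headers are in place before building the port. It assumes that the UDP control block MFC (r196192) shows up as "struct udpcb" in netinet/udp_var.h, that the NAT-T MFC (r194062) shows up as UDP_ENCAP in netinet/udp.h and SADB_X_EXT_NAT_T_TYPE in net/pfkeyv2.h, and that the headers live under the directory given as the second argument (normally /usr/include). The function names natt_plan, has_sym and release_major are made up for this example.

```shell
#!/bin/sh
# Preflight check before building the ipsec-tools-devel port.
# Example code, not from the mail above nor from FreeBSD/ipsec-tools.
# Assumptions (not stated in the mail):
#   - the udpcb MFC (r196192) is visible as "struct udpcb" in <netinet/udp_var.h>
#   - the NAT-T MFC (r194062) is visible as UDP_ENCAP in <netinet/udp.h>
#     and SADB_X_EXT_NAT_T_TYPE in <net/pfkeyv2.h>
#   - the installed headers live under the directory passed as $2

# has_sym FILE REGEX: true if FILE is readable and contains REGEX
has_sym() {
    [ -r "$1" ] && grep -q -- "$2" "$1"
}

# release_major "7.2-STABLE" -> 7   (strip everything from the first '.')
release_major() {
    echo "${1%%.*}"
}

# natt_plan MAJOR INCDIR
# Prints what is still needed before the port can be built:
#   stop        FreeBSD 6 or earlier: not supported, stop here
#   udpcb+natt  7.x without r196192: apply the udpcb MFC, then the NAT-T patch
#   natt        7.x with r196192 but without NAT-T: apply the NAT-T patch
#   headers     8.x/9.x whose installed headers predate NAT-T: reinstall headers
#   none        headers already carry the NAT-T API
# Exit status is 0 only for "none".
natt_plan() {
    major=$1
    inc=$2
    case "$major" in
    [0-6])
        echo stop
        return 1
        ;;
    7)
        if ! has_sym "$inc/netinet/udp_var.h" 'struct udpcb'; then
            echo udpcb+natt
            return 1
        fi
        if ! has_sym "$inc/netinet/udp.h" 'UDP_ENCAP' ||
           ! has_sym "$inc/net/pfkeyv2.h" 'SADB_X_EXT_NAT_T_TYPE'; then
            echo natt
            return 1
        fi
        echo none
        return 0
        ;;
    *)
        # 8.x / 9.x: the stock kernel has NAT-T, but the installed headers
        # must match it or the port's configure step will not find the API.
        if has_sym "$inc/netinet/udp.h" 'UDP_ENCAP' &&
           has_sym "$inc/net/pfkeyv2.h" 'SADB_X_EXT_NAT_T_TYPE'; then
            echo none
            return 0
        fi
        echo headers
        return 1
        ;;
    esac
}

# Stand-alone use on the build host:
#   natt_plan "$(release_major "$(uname -r)")" /usr/include
```

Run it after installing the kernel headers (and, on 7.x, after applying the patches) and only start the port build when it prints "none"; any other answer names the step from the list above that is still missing.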

