NATT patch and FreeBSD's setkey

VANHULLEBUS Yvan vanhu at FreeBSD.org
Thu Feb 26 06:03:25 PST 2009


On Tue, Feb 17, 2009 at 02:41:41PM +0000, Bjoern A. Zeeb wrote:
[...]
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.
> Done.

There are two drawbacks with this solution:

- It will take some regular effort to sync those versions, unless we do
  have "some automated way to do it" (something like the mechanism
  used for /usr/ports ?).

- if we just have a copy of sources in FreeBSD's tree, someone may
  commit something, then someone else (or a script) may just overwrite
  the changes, as it is supposed to be "just a copy".

But if we can deal with those issues, of course, having the up to date
versions directly shipped with FreeBSD is better !



[....]
> We have about 3 months left to get that patch in for 8; ideally 6
> weeks.  Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?

Done, new version is available here:
http://people.freebsd.org/~vanhu/NAT-T/experimental/patch-FreeBSD-TRUNK-NATT-pfkey-clean-2009-02-26.diff


> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detect the state of the
> system.

Things will continue working as soon as people compile without NAT-T.
When compiling with NAT-T, we will need to have "old FreeBSD+patch and
old ipsec-tools" or "FreeBSD with new NAT-T code and up to date
(actually even not in HEAD) racoon".


For people who may ask the question: when the NAT-T+pfkey cleanup code
is no longer experimental, I'll backport a patchset at least for
FreeBSD 7.x.


Yvan.
