FreeBSD NAT-T patch integration [CFR/CFT]

VANHULLEBUS Yvan vanhu at
Fri Jul 18 08:28:38 UTC 2008

On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote:
> Please test/review the following patch against HEAD:

For those who may be interested, I ported Sam's changes to FreeBSD7;
the patch is here:

Please note that this patch has NOT been pushed to the "official"
location for NAT-T patches, as I did NOT test it for now (kernel has
been compiled successfully, but I'll only be able to switch to it
tomorrow, as I actually use the tunnel to that gate to access it).

> This adds only the kernel portion of the NAT-T support; you must provide 
> the user-level code from another place.

Note for people who are interested:
user-level code comes from ipsec-tools, as for previous versions of
the NAT-T patch.

Sam's changes have only impacts on the kernel itself, so if you are
already running a FreeBSD kernel+userland with NAT-T patchset, you'll
only need to repatch/rebuild your kernel, rebuilding world (at least
includes) and ipsec-tools is NOT needed.

Of course, if you're running a FreeBSD host which actually does know
NOTHING about NAT-T, you'll need to apply the patch, rebuild your
kernel, at least rebuild includes (or ipsec-tools won't detect NAT-T
support), then rebuild ipsec-tools.
But that was already the procedure with previous versions of the

> The main difference from the patches floating around are in the 
> ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP 
> frames.  Assuming folks are ok w/ these changes I'll commit to HEAD.  
> Once this stuff goes in we can look at getting the user-mode mods into 
> the tree.

I reported your changes on the locking system (and just changed INP_WLOCKS
to INP_LOCKS) on the RELENG7 version, is that ok?

While I'm here, a few words about authors and contributors of the
patch, just to ensure it has been told at least once :-)

Original authors of the patch are Emmanuel Dreyfus (manu at, for the NetBSD version) and me (for the FreeBSD version),
when patches for both BSDs were very similar.

Larry ported the patch to FAST_IPSEC stack (Larry, I'm quite sure you
also reported other patches, but I don't remember exactly what).

Bjoern reported some fixes.

I ported the patch to FreeBSD7 and to actual HEAD, and also made some
other various things on it.

Sam made the changes we're talking about in that thread.

Matthew did a LOT of tests with various implementations and reported

I would also like to thank Julien VANHERZEELE, who is the guy at my
work who does IPsec qualification, and who also set up lots of tests
related to NAT-T for years.

If some other people reported me some patches / bugs and have not been
cited here, please accept my apologies for such a bad memory.

If some other people have some patches, bug reports, etc. related to
that patch, please report them as soon as possible!
