do I have to compile a new kernel? or just add options somehow?

firmdog at gmail.com firmdog at gmail.com
Fri Dec 6 13:55:13 UTC 2013


Is there a way to pass options to a module at boot time? That is the part
that I can't understand.

"crypto" is easy to load as a module or simply load at boot time with
loader.conf .... But how to enable the options? (like  IPSEC and
IPSEC_NAT_T )






On Fri, Dec 6, 2013 at 5:46 AM, Fleuriot Damien <ml at my.gd> wrote:

> As I said earlier, you might not need to rebuild it, but I can't say if
> IPsec Nat Traversal is enabled in the module.
>
>
>
> On Dec 5, 2013, at 9:41 PM, "firmdog at gmail.com" <firmdog at gmail.com> wrote:
>
>
> I ran  #kldload crypto.  Did you see that?  Then I ran kldstat and it
> shows the module loaded.
>
> Why do I have to recompile the kernel if I can run kldload or use loader.conf
> to load the module at boot time?
>
>
>
>
>
> On Thu, Dec 5, 2013 at 12:13 PM, Fleuriot Damien <ml at my.gd> wrote:
>
>> Merely adding the options and rebooting is not sufficient to get the
>> options from your kernel as opposed to a module.
>>
>> You need to actually recompile the kernel, I hope you did that.
>>
>>
>> On Dec 5, 2013, at 5:48 PM, "firmdog at gmail.com" <firmdog at gmail.com>
>> wrote:
>>
>>
>> Looks like it "might have" worked for me. First I added a couple of
>> options to the GENERIC config:
>>
>> root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC
>>  options         IPSEC           # IP security (requires device crypto)
>> options         IPSEC_NAT_T     # NAT-T support, UDP encap of ESP
>>
>> Then rebooted:
>>
>> root@:~ # uname -a
>> FreeBSD  8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun  3 01:14:28
>> UTC 2013     root at bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>>
>> root@:~ # kldload crypto
>> root@:~ # kldstat
>> Id Refs Address    Size     Name
>>  1    5 0xc0400000 d5c4ec   kernel
>>  2    1 0xc58eb000 23000    crypto.ko
>>  3    1 0xc58da000 a000     zlib.ko
>>
>>
>> The reason I am doing this is because a new Cisco VPN router will not
>> work with my IPF FreeBSD firewall. The IPF firewall blocks the UDP IPsec
>> packets on port 4500. So now I need to see if doing the above exercise
>> helps with IPF blocking IPsec traversal across NAT.
>>
>>
>>
>>
>> On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien <ml at my.gd> wrote:
>>
>>> Oh but you can load modules at boot time for GENERIC just fine.
>>>
>>> While there is a "crypto" module nested under
>>> /usr/src/sys/modules/crypto/ , I'm not familiar enough with it to say
>>> whether it incorporates both the device and the IPSEC options you're
>>> interested in.
>>>
>>> You're better off rebuilding GENERIC, or your own kernel, IMHO.
>>>
>>>
>>>
>>> If you're curious, you can always run :
>>> kldload crypto
>>>
>>> If kldload says the module doesn't exist (I think it should, for
>>> GENERIC), you'll need to build it:
>>> cd /usr/src/sys/modules/crypto/ && make && make install
>>>
>>>
>>>
>>> Here's little me trying to load it under a brand new 8.4 box:
>>>
>>> # kldload /boot/kernel/crypto.ko
>>> kldload: can't load /boot/kernel/crypto.ko: Exec format error
>>>
>>>
>>> If you run into this error like me, "dmesg" will provide you with a
>>> clue, as it does in my case:
>>> KLD crypto.ko: depends on zlib - not available or version mismatch
>>> linker_load_file: Unsupported file type
>>>
>>>
>>>
>>> I really encourage you to rebuild your own kernel, stripped of all the
>>> stuff you don't want/need (ISA NICs, wifi, firewire, floppy controller... )
>>>
>>>
>>> Warren Block has written pretty cool articles, here:
>>> http://www.wonkity.com/~wblock/docs/html/buildworld.html
>>> http://www.wonkity.com/~wblock/docs/html/kernelconfig.html
>>>
>>>
>>>
>>>
>>> I hope that helps,
>>>
>>>
>>> On Dec 5, 2013, at 4:30 PM, "firmdog at gmail.com" <firmdog at gmail.com>
>>> wrote:
>>>
>>>
>>> So the answer is that it's NOT possible to load modules at boot time for
>>> GENERIC? I have to actually build a new kernel?
>>>
>>> Thanks!
>>>
>>>
>>> On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien <ml at my.gd> wrote:
>>>
>>>>
>>>> On Dec 5, 2013, at 3:35 PM, "firmdog at gmail.com" <firmdog at gmail.com>
>>>> wrote:
>>>>
>>>> > I am having difficulty understanding what is compiled into the GENERIC
>>>> > kernel.
>>>> >
>>>> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T options.
>>>> >
>>>> > Can I just configure the GENERIC kernel in a config file? Or do I have to
>>>> > compile a totally new kernel?
>>>>
>>>>
>>>> While it's far from being a good practice, you can simply add your:
>>>> device crypto
>>>> options IPSEC
>>>> options IPSEC_NAT_T
>>>>
>>>> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release
>>>> that is).
>>>>
>>>>
>>>> Then: cd /usr/src && make kernel-toolchain && make buildkernel
>>>>
>>>> Once the kernel is built, you only need to "make installkernel" and
>>>> reboot.
>>>>
>>>> It is good practice, before rebooting, to run "mergemaster -p" , even
>>>> if you've only done a minor upgrade, let good habits sink in ;)
>>>>
>>>>
>>>>
>>>>
>>>> Regarding what is compiled in the GENERIC kernel, you can find the
>>>> included options and devices at:
>>>> /sys/amd64/conf/GENERIC
>>>> or
>>>> /sys/i386/conf/GENERIC
>>>>
>>>> You may also run config -x /boot/kernel/kernel , if your kernel was
>>>> built with INCLUDE_CONFIG_FILE , which GENERIC does.
>>>>
>>>>
>>>
>>>
>>
>>
>
>
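
The check suggested in the thread (`config -x /boot/kernel/kernel`) can be scripted. The following is an added example, not part of the original messages: a shell function that reads kernel config text and lists which required directives are absent. The function name `kernel_missing`, the `kind:name` argument form and the sample configs are constructed for illustration, and it assumes one option or device name per line.

```shell
#!/bin/sh
# kernel_missing (hypothetical helper): reads kernel config text on stdin and
# takes "kind:name" requirements as arguments (kind is "options" or "device").
# Prints every requirement that the config does NOT satisfy, one per line.
kernel_missing() {
    awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    {
        sub(/#.*/, "")                 # drop trailing comments
        if (NF < 2) next
        kw = $1; name = $2
        sub(/=.*/, "", name)           # "options FOO=value" -> FOO
        neg = (kw ~ /^no/)             # nooptions / nodevice remove an earlier line
        sub(/^no/, "", kw)
        if (kw == "option" || kw == "options") kind = "options"
        else if (kw == "device" || kw == "devices") kind = "device"
        else next
        have[kind ":" name] = !neg     # the latest directive for a name wins
    }
    END { for (i = 1; i <= n; i++) if (!have[req[i]]) print req[i] }
    '
}

# The three directives discussed in the thread.
REQUIRED="device:crypto options:IPSEC options:IPSEC_NAT_T"

# Constructed sample: a stock-style config without the IPsec lines.
SAMPLE_STOCK='cpu             I686_CPU
ident           GENERIC
options         INET            # InterNETworking
options         SCTP            # Stream Control Transmission Protocol
device          pci
'
# Constructed sample: the same config plus the lines added in the thread.
SAMPLE_IPSEC="${SAMPLE_STOCK}device          crypto
options         IPSEC           # IP security (requires device crypto)
options         IPSEC_NAT_T     # NAT-T support, UDP encap of ESP
"

# Run the check against one of the embedded samples.
check_sample() { printf '%s' "$1" | kernel_missing $REQUIRED; }

echo "stock sample is missing:";  check_sample "$SAMPLE_STOCK"
echo "edited sample is missing:"; check_sample "$SAMPLE_IPSEC"

# On a running system the input would come from the kernel itself:
#   config -x /boot/kernel/kernel | kernel_missing $REQUIRED
```

An empty result means the config text contains all three directives; it says nothing about a separately loaded module such as crypto.ko, which `kldstat` reports.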

