From owner-freebsd-net@FreeBSD.ORG Thu Feb 26 14:03:25 2009
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2FDFB106564A for ; Thu, 26 Feb 2009 14:03:25 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id DED048FC18 for ; Thu, 26 Feb 2009 14:03:24 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239]) by smtp.zeninc.net (smtpd) with ESMTP id 87E812798B8; Thu, 26 Feb 2009 15:03:23 +0100 (CET)
Received: by astro.zen.inc (Postfix, from userid 1000) id AA3D217051; Thu, 26 Feb 2009 15:11:38 +0100 (CET)
Date: Thu, 26 Feb 2009 15:11:38 +0100
From: VANHULLEBUS Yvan
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Subject: Re: NATT patch and FreeBSD's setkey
Message-ID: <20090226141138.GA91564@zeninc.net>
References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com> <20090217143425.GA58591@zeninc.net> <20090217143409.J53478@maildrop.int.zabbadoz.net>
In-Reply-To: <20090217143409.J53478@maildrop.int.zabbadoz.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: All mail clients suck. This one just sucks less.
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 26 Feb 2009 14:03:25 -0000

On Tue, Feb 17, 2009 at 02:41:41PM +0000, Bjoern A. Zeeb wrote:
[...]
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.

Done.
There are two drawbacks with this solution:

- It will take some regular effort to sync those versions, unless we do have "some automated way to do it" (something like the mechanism used for /usr/ports?).

- If we just have a copy of the sources in FreeBSD's tree, someone may commit something, then someone else (or a script) may just overwrite the changes, as it is supposed to be "just a copy".

But if we can deal with those issues, of course, having the up-to-date versions directly shipped with FreeBSD is better!

[....]

> We have about 3 months left to get that patch in for 8; ideally 6
> weeks. Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?

Done, the new version is available here:
http://people.freebsd.org/~vanhu/NAT-T/experimental/patch-FreeBSD-TRUNK-NATT-pfkey-clean-2009-02-26.diff

> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detect the state of the
> system.

Things will continue working as soon as people compile without NAT-T.

When compiling with NAT-T, we will need to have either "old FreeBSD + patch and old ipsec-tools" or "FreeBSD with the new NAT-T code and up-to-date (actually not even in HEAD yet) racoon".

For people who may ask the question: when the NAT-T + pfkey cleanup code is no longer experimental, I'll backport a patchset at least for FreeBSD 7.x.

Yvan.