Date: Fri, 18 Jul 2008 10:28:34 +0200
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]
Message-ID: <20080718082834.GA11096@zen.inc>
In-Reply-To: <487EC62A.3070301@freebsd.org>
References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org>

On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote:
[...]
> Please test/review the following patch against HEAD:
>
> http://people.freebsd.org/~sam/nat_t-20080616.patch

For those who may be interested, I ported Sam's changes to FreeBSD7,
the patch is here:
http://people.freebsd.org/~vanhu/patch-natt-test-releng7-20080717.diff

Please note that this patch has NOT been pushed to the "official"
location for NAT-T patches, as I did NOT test it for now (kernel has
been compiled successfully, but I'll only be able to switch to it
tomorrow, as I actually use the tunnel to that gate to access it).

> This adds only the kernel portion of the NAT-T support; you must provide
> the user-level code from another place.

Note for people who are interested: user-level code comes from
ipsec-tools, as for previous versions of the NAT-T patch.

Sam's changes only impact the kernel itself, so if you are already
running a FreeBSD kernel+userland with NAT-T patchset, you'll only
need to repatch/rebuild your kernel, rebuilding world (at least
includes) and ipsec-tools is NOT needed.

Of course, if you're running a FreeBSD host which actually knows
NOTHING about NAT-T, you'll need to apply the patch, rebuild your
kernel, at least rebuild includes (or ipsec-tools won't detect NAT-T
support), then rebuild ipsec-tools. But that was already the procedure
with previous versions of the patch.

> The main difference from the patches floating around are in the
> ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP
> frames. Assuming folks are ok w/ these changes I'll commit to HEAD.
> Once this stuff goes in we can look at getting the user-mode mods into
> the tree.

I reported your changes on locking system (and just changed
INP_WLOCKS to INP_LOCKS) on the RELENG7 version, is that OK?

While I'm here, a few words about authors and contributors of the
patch, just to ensure it has been told at least once :-)

Original authors of the patch are Emmanuel Dreyfus (manu at
NetBSD.org, for the NetBSD version) and me (for the FreeBSD version),
when patches for both BSDs were very similar.

Larry ported the patch to FAST_IPSEC stack (Larry, I'm quite sure you
also reported other patches, but I don't remember exactly what).

Bjoern reported some fixes.

I ported the patch to FreeBSD7 and to actual HEAD, and also made some
other various things on it.

Sam made the changes we're talking about in that thread.

Matthew did a LOT of tests with various implementations and reported
bugs.

I would also like to thank Julien VANHERZEELE, who is the guy at my
work who does IPSec qualification, and who also set up lots of tests
related to NAT-T for years.

If some other people reported some patches / bugs to me and have not
been cited here, please accept my apologies for such a bad memory.

If some other people have some patches, bug reports, etc... related to
that patch, please report them as soon as possible!

Yvan.

--
NETASQ
http://www.netasq.com