Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 6 Dec 2013 17:02:03 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        "firmdog@gmail.com" <firmdog@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: do I have to compile a new kernel? or just add options somehow?
Message-ID:  <6442241B-5DA7-4F04-A382-F691EF2B120E@my.gd>
In-Reply-To: <CAHcg-UG60A4MXC9dSobw7j6JAdsEdK38HMDq07bhp1w4GBaGPw@mail.gmail.com>
References:  <CAHcg-UF6hdDBrnw+jY6ajzdD9NnSzAPnu8pwMqvGfkK3feWgKQ@mail.gmail.com> <1A249B2C-B341-4270-B343-627901FD9562@my.gd> <CAHcg-UF1HfTq_OianFxiD1Xy_EyA6GApuOKPG+b+1XF2a1c27g@mail.gmail.com> <D8B22251-346B-4507-8705-58CBD3D2026F@my.gd> <CAHcg-UHOeWi9xTMe9x2BBYW+wh6PO_do2SSoioopxmgNbSZg2Q@mail.gmail.com> <EBFA2511-A297-41DA-99DC-A8070BA47AB7@my.gd> <CAHcg-UFC8RZ2RZE=j8u=6NO1=duMYz_thV_8pHk6YZW=7-CxFw@mail.gmail.com> <9909F4F0-623F-46F1-BD21-B3D2D9E4653A@my.gd> <CAHcg-UG60A4MXC9dSobw7j6JAdsEdK38HMDq07bhp1w4GBaGPw@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
I don't think you'll be able to pass options to the module at load time.

man 4 crypto yields a tiny bit of info, but doesn't answer your =
question.


On Dec 6, 2013, at 2:55 PM, "firmdog@gmail.com" <firmdog@gmail.com> =
wrote:

>=20
> Is there a way to pass options to a module at boot time? That is the =
part that I can't understand.
>=20
> "crypto" is easy to load as a module or simply load at boot time with =
loader.conf .... But how to enable the options? (like  IPSEC and =
IPSEC_NAT_T )
>=20
>=20
>=20
>=20
>=20
>=20
> On Fri, Dec 6, 2013 at 5:46 AM, Fleuriot Damien <ml@my.gd> wrote:
> As I said earlier, you might not need to rebuild it, but I can't say =
if IPsec Nat Traversal is enabled in the module.
>=20
>=20
>=20
> On Dec 5, 2013, at 9:41 PM, "firmdog@gmail.com" <firmdog@gmail.com> =
wrote:
>=20
>>=20
>> I ran  #kldload crypto.  Did you see that?  Then I ran kldstat and it =
shows the module loaded.
>>=20
>> Why do I have to recompile the kernel if I can run kldload or use =
loader.conf to load the module at boot time?
>>=20
>>=20
>>=20
>>=20
>>=20
>> On Thu, Dec 5, 2013 at 12:13 PM, Fleuriot Damien <ml@my.gd> wrote:
>> Merely adding the options and rebooting is not sufficient to get the =
options from your kernel as opposed to a module.
>>=20
>> You need to actually recompile the kernel, I hope you did that.
>>=20
>>=20
>> On Dec 5, 2013, at 5:48 PM, "firmdog@gmail.com" <firmdog@gmail.com> =
wrote:
>>=20
>>>=20
>>> Looks like it "might have" worked for me. First I added a couple of =
options to the GENERIC config:
>>>=20
>>> root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC
>>> options         IPSEC           # IP security (requires device =
crypto)
>>> options         IPSEC_NAT_T     # NAT-T support, UDP encap of ESP
>>>=20
>>> Then rebooted:
>>>=20
>>> root@:~ # uname -a
>>> FreeBSD  8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun  3 =
01:14:28 UTC 2013     =
root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>>>=20
>>> root@:~ # kldload crypto
>>> root@:~ # kldstat=20
>>> Id Refs Address    Size     Name
>>>  1    5 0xc0400000 d5c4ec   kernel
>>>  2    1 0xc58eb000 23000    crypto.ko
>>>  3    1 0xc58da000 a000     zlib.ko
>>>=20
>>>=20
>>> The reason I am doing this is because a new Cisco VPN router will =
not work with my IPF Freebsd firewall. The IPF firewall blocks the UDP =
ipsec packets on port 4500. So now I need to see if doing the above =
exercise helps with IPF blocking IPsec traversal across NAT
>>>=20
>>>=20
>>>=20
>>>=20
>>> On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien <ml@my.gd> wrote:
>>> Oh but you can load modules at boot time for GENERIC just fine.
>>>=20
>>> While there is a "crypto" module nested under =
/usr/src/sys/modules/crypto/ , I'm not familiar enough with it to say =
whether it incorporates both the device and the IPSEC options you're =
interested in.
>>>=20
>>> You're better off rebuilding GENERIC, or your own kernel, IMHO.
>>>=20
>>>=20
>>>=20
>>> If you're curious, you can always run :
>>> kldload crypto
>>>=20
>>> If kldload says the module doesn't exist (I think it should, for =
GENERIC), you'll need to build it:
>>> cd /usr/src/sys/modules/crypto/ && make && make install
>>>=20
>>>=20
>>>=20
>>> Here's little me trying to load it under a brand new 8.4 box:
>>>=20
>>> # kldload /boot/kernel/crypto.ko
>>> kldload: can't load /boot/kernel/crypto.ko: Exec format error
>>>=20
>>>=20
>>> If you run into this error like me, "dmesg" will provide you with a =
clue, as it does in my case:
>>> KLD crypto.ko: depends on zlib - not available or version mismatch
>>> linker_load_file: Unsupported file type
>>>=20
>>>=20
>>>=20
>>> I really encourage you to rebuild your own kernel, stripped of all =
the stuff you don't want/need (ISA NICs, wifi, firewire, floppy =
controller... )
>>>=20
>>>=20
>>> Warren Block has written pretty cool articles, here:
>>> http://www.wonkity.com/~wblock/docs/html/buildworld.html
>>> http://www.wonkity.com/~wblock/docs/html/kernelconfig.html
>>>=20
>>>=20
>>>=20
>>>=20
>>> I hope that helps,
>>>=20
>>>=20
>>> On Dec 5, 2013, at 4:30 PM, "firmdog@gmail.com" <firmdog@gmail.com> =
wrote:
>>>=20
>>>>=20
>>>> So the answer is that it's NOT possible to load modules at boot =
time for GENERIC? I have to actually build a new kernel?
>>>>=20
>>>> Thanks!
>>>>=20
>>>>=20
>>>> On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien <ml@my.gd> wrote:
>>>>=20
>>>> On Dec 5, 2013, at 3:35 PM, "firmdog@gmail.com" <firmdog@gmail.com> =
wrote:
>>>>=20
>>>> > I am having difficulty understanding what is compiled into the =
GENERIC
>>>> > kernel.
>>>> >
>>>> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T =
options.
>>>> >
>>>> > Can I just configure the GENERIC kernel in a config file? Or do I =
have to
>>>> > compile a totally new kernel?
>>>> > _______________________________________________
>>>> > freebsd-questions@freebsd.org mailing list
>>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> > To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"
>>>>=20
>>>>=20
>>>> While it's far from being a good practice, you can simply add your:
>>>> device crypto
>>>> options IPSEC
>>>> options IPSEC_NAT_T
>>>>=20
>>>> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release =
that is).
>>>>=20
>>>>=20
>>>> Then: cd /usr/src && make kernel-toolchain && make buildkernel
>>>>=20
>>>> Once the kernel is built, you only need to "make installkernel" and =
reboot.
>>>>=20
>>>> It is good practice, before rebooting, to run "mergemaster -p" , =
even if you've only done a minor upgrade, let good habits sink in ;)
>>>>=20
>>>>=20
>>>>=20
>>>>=20
>>>> Regarding what is compiled in the GENERIC kernel, you can find the =
included options and devices at:
>>>> /sys/amd64/conf/GENERIC
>>>> or
>>>> /sys/i386/conf/GENERIC
>>>>=20
>>>> You may also run config -x /boot/kernel/kernel , if your kernel was =
built with INCLUDE_CONFIG_FILE , which GENERIC does.
>>>>=20
>>>>=20
>>>=20
>>>=20
>>=20
>>=20
>=20
>=20




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?6442241B-5DA7-4F04-A382-F691EF2B120E>