Date: Wed, 26 Aug 2009 21:28:11 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc: freebsd-net@freebsd.org
Subject: Re: NAT-T patch for 7-STABLE
Message-ID: <20090826210423.H93661@maildrop.int.zabbadoz.net>
In-Reply-To: <20090826204500.GB9228@zeninc.net>
References: <20090813154703.Y93661@maildrop.int.zabbadoz.net> <20090826204500.GB9228@zeninc.net>

On Wed, 26 Aug 2009, VANHULLEBUS Yvan wrote:

Hi,

> On Thu, Aug 13, 2009 at 04:04:05PM +0000, Bjoern A. Zeeb wrote:
>> Hi,
>
> Hi.
> Sorry for the very late answer, but I wanted to work on the userland
> part as soon as I had your patch, then I had an unexpected failure in
> my internet access (still not completely resolved, hope you'll get
> this mail).
>
>
>> I just MFCed the UDP Control Block, which is a prerequisite for merging
>> the NAT-T patch from HEAD (8) to 7-STABLE:
>> http://svn.freebsd.org/viewvc/base?view=revision&revision=196192
>>
>> I also merged back the NAT-T changes from FreeBSD 8/HEAD. This
>> will allow us to provide the same API for tools for FreeBSD 7 (with
>> patch) and stock FreeBSD 8.x and 9 (HEAD).
>
> Great !
>
> With that, I could easily start tests on kernel+userland.

Fantastic; I had hoped that.

> ipsec-tools HEAD is now expected to compile/work with that kernel API,
> and I have a running tunnel with FreeBSD7+patchset+ipsec-tools HEAD as
> the responder (with NAT-T used).
>
> More tests will come soon, but please all report any issue !
>
>
> Latest ipsec-tools snapshot will also compile and work (actually, this
> is exactly the same as HEAD, except some typo fixes....) with that API.

Yes, I could remove my private patches to make ipsec-tools HEAD
compile on FreeBSD 8/9 or 7+patch after the latest update two days
ago.

For anyone brave enough to track the bleeding edge of all worlds,
I have put together an initial start of a collection of things...

The following is not for you if you:
(1) don't know how to apply a patch to the kernel, recompile your
    kernel or wonder what I am talking about.
(2) if you don't know freebsd ports creation and compiling basics.
    You'll need to change the makefile, touch internals, run a cvs
    checkout, ...
(3) don't know how to not shoot yourself in the foot

----- my text template that I should streamline put on the wiki;) ------

If you are on FreeBSD 6 or earlier, you can stop reading here.

In case you are on 7-STABLE before r196192 either update to latest
7-STABLE or take the patch from SVN r196192 or
http://people.freebsd.org/~bz/20090730-01-mfc-r192649-udpcb.diff
(which should be the same modulo the naming of the spare in the
struct field "notyetmfced" vs. u_pspare).

In case you are on 7-STABLE (or applied the previous patch) you'll
need this patch on top for NAT-T:
http://people.freebsd.org/~bz/20090813-01-mfc-r194062-natt.diff .

In case you are on a recent FreeBSD 8 or FreeBSD 9, you need no
patches for the kernel.

To build an ipsec-tools-devel CVS HEAD checkout port:
apply the patch from .. to your ports tree
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138139
and give the instructions from this one and below a try:
http://people.freebsd.org/~bz/20090824-ipsec-tools.tar.gz
(basically the cvs checkout and the tarball creation; I guess it's
lacking a make makesum at the end)

It may give you something usable. I am not trying the snapshot
regularly and the port isn't ready to be used as an automatic port
as you have to do it all by hand incl. updating PORTVERSION, the
cvs checkout, creating the tarball, make makesum and all that.

But at least for me it compiles the CVS checkout directly, with the
port options from below, on a 8.x/9.x system, without the needs for
doing any autocrap stuff manually before creating the src tarball.

You may change the port options of course, I just cannot test all
combinations to see if they work.

If doing this on 7.x make sure to have the kernel patch(es) mentioned
above applied upfront and have the headers installed correctly before
you start building the port.

Successfully tested combination of options:

WITH_DEBUG=true
WITH_IPV6=true
WITHOUT_ADMINPORT=true
WITHOUT_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_NATTF=true
WITH_FRAG=true
WITH_HYBRID=true
WITHOUT_PAM=true
WITHOUT_RADIUS=true
WITHOUT_LDAP=true
WITHOUT_GSSAPI=true
WITHOUT_SAUNSPEC=true
WITH_RC5=true
WITH_IDEA=true
WITHOUT_READLINE=true

------------------------------------------------------------------------

/bz

--
Bjoern A. Zeeb           What was I talking about and who are you again?