From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Fri, 18 Jul 2008 10:28:34 +0200
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]

On Wed, Jul 16, 2008 at 09:10:18PM -0700, Sam Leffler wrote:
[...]
> Please test/review the following patch against HEAD:
>
> http://people.freebsd.org/~sam/nat_t-20080616.patch

For those who may be interested, I ported Sam's changes to FreeBSD7,
the patch is here:
http://people.freebsd.org/~vanhu/patch-natt-test-releng7-20080717.diff

Please note that this patch has NOT been pushed to the "official"
location for NAT-T patches, as I did NOT test it for now (kernel has
been compiled successfully, but I'll only be able to switch to it
tomorrow, as I actually use the tunnel to that gate to access it).

> This adds only the kernel portion of the NAT-T support; you must provide
> the user-level code from another place.

Note for people who are interested: user-level code comes from
ipsec-tools, as for previous versions of the NAT-T patch.

Sam's changes only have an impact on the kernel itself, so if you are
already running a FreeBSD kernel+userland with NAT-T patchset, you'll
only need to repatch/rebuild your kernel, rebuilding world (at least
includes) and ipsec-tools is NOT needed.

Of course, if you're running a FreeBSD host which actually knows
NOTHING about NAT-T, you'll need to apply the patch, rebuild your
kernel, at least rebuild includes (or ipsec-tools won't detect NAT-T
support), then rebuild ipsec-tools. But that was already the procedure
with previous versions of the patch.

> The main difference from the patches floating around are in the
> ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP
> frames. Assuming folks are ok w/ these changes I'll commit to HEAD.
> Once this stuff goes in we can look at getting the user-mode mods into
> the tree.

I reported your changes on locking system (and just changed INP_WLOCKS
to INP_LOCKS) on the RELENG7 version, is that ok?

While I'm here, a few words about authors and contributors of the
patch, just to ensure it has been told at least once :-)

Original authors of the patch are Emmanuel Dreyfus (manu at
NetBSD.org, for the NetBSD version) and me (for the FreeBSD version),
when patches for both BSDs were very similar.

Larry ported the patch to FAST_IPSEC stack (Larry, I'm quite sure you
also reported other patches, but I don't remember exactly what).

Bjoern reported some fixes.

I ported the patch to FreeBSD7 and to actual HEAD, and also made some
other various things on it.

Sam made the changes we're talking about in that thread.

Matthew did a LOT of tests with various implementations and reported
bugs.

I would also like to thank Julien VANHERZEELE, who is the guy at my
work who does IPSec qualification, and who also set up lots of tests
related to NAT-T for years.

If some other people reported some patches / bugs to me and have not
been cited here, please accept my apologies for such a bad memory.

If some other people have some patches, bug reports, etc... related to
that patch, please report them as soon as possible!

Yvan.

-- 
NETASQ
http://www.netasq.com