From owner-freebsd-questions@FreeBSD.ORG Fri Dec 6 13:55:13 2013
From: "firmdog@gmail.com"
To: Fleuriot Damien
Cc: freebsd-questions@freebsd.org
Date: Fri, 6 Dec 2013 08:55:11 -0500
Subject: Re: do I have to compile a new kernel? or just add options somehow?
In-Reply-To: <9909F4F0-623F-46F1-BD21-B3D2D9E4653A@my.gd>
References: <1A249B2C-B341-4270-B343-627901FD9562@my.gd> <9909F4F0-623F-46F1-BD21-B3D2D9E4653A@my.gd>
List-Id: User questions

Is there a way to pass options to a module at boot time? That is the part
that I can't understand. "crypto" is easy to load as a module or simply load
at boot time with loader.conf .... But how to enable the options? (like IPSEC
and IPSEC_NAT_T)

On Fri, Dec 6, 2013 at 5:46 AM, Fleuriot Damien wrote:
> As I said earlier, you might not need to rebuild it, but I can't say if
> IPsec NAT Traversal is enabled in the module.
>
> On Dec 5, 2013, at 9:41 PM, "firmdog@gmail.com" wrote:
>
> I ran #kldload crypto. Did you see that? Then I ran kldstat and it
> shows the module loaded.
>
> Why do I have to recompile the kernel if I can run kldload or use
> loader.conf to load the module at boot time?
>
> On Thu, Dec 5, 2013 at 12:13 PM, Fleuriot Damien wrote:
>
>> Merely adding the options and rebooting is not sufficient to get the
>> options from your kernel as opposed to a module.
>>
>> You need to actually recompile the kernel, I hope you did that.
>>
>> On Dec 5, 2013, at 5:48 PM, "firmdog@gmail.com" wrote:
>>
>> Looks like it "might have" worked for me. First I added a couple of
>> options to the GENERIC config:
>>
>> root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC
>> options IPSEC # IP security (requires device crypto)
>> options IPSEC_NAT_T # NAT-T support, UDP encap of ESP
>>
>> Then rebooted:
>>
>> root@:~ # uname -a
>> FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun 3 01:14:28
>> UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>>
>> root@:~ # kldload crypto
>> root@:~ # kldstat
>> Id Refs Address Size Name
>> 1 5 0xc0400000 d5c4ec kernel
>> 2 1 0xc58eb000 23000 crypto.ko
>> 3 1 0xc58da000 a000 zlib.ko
>>
>> The reason I am doing this is because a new Cisco VPN router will not
>> work with my IPF FreeBSD firewall. The IPF firewall blocks the UDP IPsec
>> packets on port 4500. So now I need to see if doing the above exercise
>> helps with IPF blocking IPsec traversal across NAT.
>>
>> On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien wrote:
>>
>>> Oh but you can load modules at boot time for GENERIC just fine.
>>>
>>> While there is a "crypto" module nested under
>>> /usr/src/sys/modules/crypto/ , I'm not familiar enough with it to say
>>> whether it incorporates both the device and the IPSEC options you're
>>> interested in.
>>>
>>> You're better off rebuilding GENERIC, or your own kernel, IMHO.
>>>
>>> If you're curious, you can always run:
>>> kldload crypto
>>>
>>> If kldload says the module doesn't exist (I think it should, for
>>> GENERIC), you'll need to build it:
>>> cd /usr/src/sys/modules/crypto/ && make && make install
>>>
>>> Here's little me trying to load it under a brand new 8.4 box:
>>>
>>> # kldload /boot/kernel/crypto.ko
>>> kldload: can't load /boot/kernel/crypto.ko: Exec format error
>>>
>>> If you run into this error like me, "dmesg" will provide you with a
>>> clue, as it does in my case:
>>> KLD crypto.ko: depends on zlib - not available or version mismatch
>>> linker_load_file: Unsupported file type
>>>
>>> I really encourage you to rebuild your own kernel, stripped of all the
>>> stuff you don't want/need (ISA NICs, wifi, firewire, floppy controller...)
>>>
>>> Warren Block has written pretty cool articles, here:
>>> http://www.wonkity.com/~wblock/docs/html/buildworld.html
>>> http://www.wonkity.com/~wblock/docs/html/kernelconfig.html
>>>
>>> I hope that helps,
>>>
>>> On Dec 5, 2013, at 4:30 PM, "firmdog@gmail.com" wrote:
>>>
>>> So the answer is that it's NOT possible to load modules at boot time for
>>> GENERIC? I have to actually build a new kernel?
>>>
>>> Thanks!
>>>
>>> On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien wrote:
>>>
>>>> On Dec 5, 2013, at 3:35 PM, "firmdog@gmail.com" wrote:
>>>>
>>>> > I am having difficulty understanding what is compiled into the GENERIC
>>>> > kernel.
>>>> >
>>>> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T options.
>>>> >
>>>> > Can I just configure the GENERIC kernel in a config file? Or do I
>>>> > have to compile a totally new kernel?
>>>> > _______________________________________________
>>>> > freebsd-questions@freebsd.org mailing list
>>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>>
>>>> While it's far from being a good practice, you can simply add your:
>>>> device crypto
>>>> options IPSEC
>>>> options IPSEC_NAT_T
>>>>
>>>> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release,
>>>> that is).
>>>>
>>>> Then: cd /usr/src && make kernel-toolchain && make buildkernel
>>>>
>>>> Once the kernel is built, you only need to "make installkernel" and
>>>> reboot.
>>>>
>>>> It is good practice, before rebooting, to run "mergemaster -p", even
>>>> if you've only done a minor upgrade; let good habits sink in ;)
>>>>
>>>> Regarding what is compiled in the GENERIC kernel, you can find the
>>>> included options and devices at:
>>>> /sys/amd64/conf/GENERIC
>>>> or
>>>> /sys/i386/conf/GENERIC
>>>>
>>>> You may also run config -x /boot/kernel/kernel , if your kernel was
>>>> built with INCLUDE_CONFIG_FILE , which GENERIC does.
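The thread's real question is whether IPSEC and IPSEC_NAT_T are in the running kernel, which `kldstat` showing crypto.ko cannot answer. The script below is an added example, not from any participant; it parses the `config -x /boot/kernel/kernel` output Damien mentions (with a constructed sample so the parsing runs anywhere), and the function names and sample config are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether the three items the
# thread asks about are built into the kernel by parsing the output of
# `config -x /boot/kernel/kernel` (needs a kernel built with
# INCLUDE_CONFIG_FILE, as GENERIC is). In releases of that era IPSEC is a
# compile-time option, so kldstat listing crypto.ko says nothing about it.

# Constructed sample of `config -x` output: crypto and IPSEC present,
# IPSEC_NAT_T missing. Real output uses tabs; awk splits on any whitespace.
SAMPLE_CONFIG='ident GENERIC
device crypto # core crypto support
options IPSEC # IP security (requires device crypto)
options INCLUDE_CONFIG_FILE # Include this file in kernel'

# kernel_has_item CONFIG_TEXT KIND NAME  (KIND is "options" or "device")
# Exit 0 if NAME is present. Comments are stripped and whole fields
# compared, so IPSEC never matches IPSEC_NAT_T.
kernel_has_item() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v kind="$2" -v name="$3" '
        $1 == kind && $2 == name { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_ipsec_items CONFIG_TEXT
# Prints the items the thread needs that are NOT in the config, as
# "kind name;" entries, or nothing when all three are built in.
missing_ipsec_items() {
    cfg=$1
    missing=""
    for item in device:crypto options:IPSEC options:IPSEC_NAT_T; do
        kind=${item%%:*}
        name=${item#*:}
        kernel_has_item "$cfg" "$kind" "$name" || missing="$missing $kind $name;"
    done
    printf '%s' "${missing# }"
}

# Live check on a FreeBSD box: reports what a kernel rebuild would still
# have to add. Only runs with --live so the parsing is testable anywhere.
check_running_kernel() {
    command -v config >/dev/null 2>&1 || { echo "config(8) not found" >&2; return 2; }
    cfg=$(config -x /boot/kernel/kernel) || return 2
    m=$(missing_ipsec_items "$cfg")
    if [ -z "$m" ]; then
        echo "kernel has device crypto, IPSEC and IPSEC_NAT_T built in"
    else
        echo "kernel lacks: $m (rebuild needed; loading crypto.ko is not enough)"
    fi
}
if [ "${1:-}" = "--live" ]; then check_running_kernel; fi
```

On a FreeBSD host run it as `sh check.sh --live`; if `config -x` fails, the kernel was built without INCLUDE_CONFIG_FILE and the source config under /sys/<arch>/conf/ is the only record left.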