Date: Thu, 26 Feb 2009 15:11:38 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-net@freebsd.org
Subject: Re: NATT patch and FreeBSD's setkey
Message-ID: <20090226141138.GA91564@zeninc.net>
In-Reply-To: <20090217143409.J53478@maildrop.int.zabbadoz.net>
References: <85c4b1850902170448p7a59d50bt6bdaa89aa01c51d7@mail.gmail.com> <20090217143425.GA58591@zeninc.net> <20090217143409.J53478@maildrop.int.zabbadoz.net>

On Tue, Feb 17, 2009 at 02:41:41PM +0000, Bjoern A. Zeeb wrote:
[...]
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.
> Done.

There are two drawbacks with this solution:

- It will take some regular effort to sync those versions, unless we do
  have "some automated way to do it" (something like the mechanism used
  for /usr/ports?).

- If we just have a copy of sources in FreeBSD's tree, someone may
  commit something, then someone else (or a script) may just overwrite
  the changes, as it is supposed to be "just a copy".

But if we can deal with those issues, of course, having the up to date
versions directly shipped with FreeBSD is better!

[....]
> We have about 3 months left to get that patch in for 8; ideally 6
> weeks. Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?

Done, new version is available here:
http://people.freebsd.org/~vanhu/NAT-T/experimental/patch-FreeBSD-TRUNK-NATT-pfkey-clean-2009-02-26.diff

> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detect the state of the
> system.

Things will continue working as soon as people compile without NAT-T.

When compiling with NAT-T, we will need to have "old FreeBSD+patch and
old ipsec-tools" or "FreeBSD with new NAT-T code and up to date
(actually even not in HEAD) racoon".

For people who may ask the question, when NAT-T+pfkey cleanup code
will be no more experimental, I'll backport a patchset at least for
FreeBSD 7.x.

Yvan.