Re: FreeBSD NAT-T patch integration
- From: VANHULLEBUS Yvan <vanhu_bsd@xxxxxxxxxx>
- Date: Thu, 26 Jun 2008 09:53:07 +0200
On Wed, Jun 25, 2008 at 07:13:59PM -0500, mgrooms wrote:
[...]
> To my knowledge, here are the latest patch sets ...
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd6-2007-05-31.diff
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd7-2008-03-11.diff
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd-HEAD-2008-03-19.diff
Yes: latest version of the patch will always be the file at that
location with the most recent date.
I have copies of repositories for HEAD, RELENG7 and RELENG6, and I can
generate more up-to-date patches if needed.
I use patch for freebsd6 and freebsd7 in daily production, and can
quite quickly test new versions if needed.
I do NOT use directly the patch for HEAD actually, but should have a
testing device for that soon.
If some people have their own changes for those patches, please send
them to me !!!
What still lacks afaik in that patch:
- support for NAT-OA.
This is needed for transport mode when traffic is TCP (and when UDP
traffic has a non-zero checksum), such support needs some stuff in
decapsulation process, complete support for NAT-OA payloads in PFKey,
and complete support in userland.
- Cleanup of PFKeyV2.
Actually, NAT-T ports are not sent in a RFC compliant way (but it
works).
That cleanup needs also to be done in userland, and is on my TODO list
(both kernel and userland).
- Better detection of NAT-T support.
Actually, ipsec-tools guesses kernel support for NAT-T by checking some
stuff in /usr/include.
That just means you applied the NAT-T patch, but that doesn't mean
you enabled NAT-T support in your kernel.
Same problem exists for other implementations (at least Linux 2.6+ and
NetBSD), a cleaner detection should also do "some checks" at runtime
to ensure actual kernel really supports NAT-T.
But that's a userland problem, and you can easily force ipsec-tools
compilation WITHOUT NAT-T support.
Yvan.
--
NETASQ
http://www.netasq.com
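
Added example, not part of the original message or of the NAT-T patch: why transport mode needs NAT-OA, shown as the RFC 1624 incremental checksum fix-up a receiver applies using the peer's original address. The function names (l4_checksum, natoa_fixup, natoa_demo) and the sample addresses and segment are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Add big-endian 16-bit words of p[0..len) to a one's-complement accumulator. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (i < len) sum += (uint32_t)p[i] << 8;      /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* TCP/UDP checksum over IPv4 pseudo-header + segment; 0 means "verifies". */
uint16_t l4_checksum(const uint8_t *src, const uint8_t *dst, uint8_t proto,
                     const uint8_t *seg, size_t len) {
    uint32_t sum = csum_add(csum_add(proto + (uint32_t)len, src, 4), dst, 4);
    return (uint16_t)~csum_fold(csum_add(sum, seg, len));
}
/* RFC 1624 eqn 3: HC' = ~(~HC + ~m + m'), m = NAT-OA address, m' = address seen. */
uint16_t natoa_fixup(uint8_t proto, uint16_t csum, const uint8_t *orig, const uint8_t *seen) {
    uint32_t sum = (uint16_t)~csum;
    if (proto == 17 && csum == 0) return 0;       /* UDP without checksum: nothing to fix */
    for (int i = 0; i < 4; i += 2) {
        sum += (uint16_t)~(orig[i] << 8 | orig[i + 1]);
        sum += (uint32_t)seen[i] << 8 | seen[i + 1];
    }
    csum = (uint16_t)~csum_fold(sum);
    return (proto == 17 && csum == 0) ? 0xffff : csum;  /* UDP never sends computed 0 */
}
/* Constructed sample: sender 192.168.1.10 behind a NAT seen as 203.0.113.7. */
int natoa_demo(void) {
    const uint8_t orig[4] = {192, 168, 1, 10}, nat[4] = {203, 0, 113, 7};
    const uint8_t dst[4] = {198, 51, 100, 20};
    uint8_t seg[24] = {0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0x18, 0x20, 0x00, 0, 0, 0, 0, 'p', 'i', 'n', 'g'};
    uint16_t c = l4_checksum(orig, dst, 6, seg, sizeof seg);     /* sender side */
    int r = 0;
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)(c & 0xff);
    r |= (l4_checksum(orig, dst, 6, seg, sizeof seg) == 0) << 0; /* valid as sent */
    r |= (l4_checksum(nat, dst, 6, seg, sizeof seg) != 0) << 1;  /* fails after NAT */
    c = natoa_fixup(6, c, orig, nat);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)(c & 0xff);
    r |= (l4_checksum(nat, dst, 6, seg, sizeof seg) == 0) << 2;  /* valid after fix-up */
    r |= (natoa_fixup(17, 0, orig, nat) == 0) << 3;              /* UDP csum 0 untouched */
    return r;
}
int main(void) { printf("natoa_demo = %d\n", natoa_demo()); return 0; }
```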