On Tue, Feb 17, 2009 at 02:41:41PM +0000, Bjoern A. Zeeb wrote:
[...]
> I am not going to find my posting from a few years back but the
> solution is to keep the kernel and libipsec (and setkey) in base in
> sync and not install libipsec and setkey from the ipsec-tools port.
> Done.

There are two drawbacks with this solution:

- It will take some regular effort to sync those versions, unless we do
  have "some automated way to do it" (something like the mechanism
  used for /usr/ports?).

- If we just have a copy of sources in FreeBSD's tree, someone may
  commit something, then someone else (or a script) may just overwrite
  the changes, as it is supposed to be "just a copy".

But if we can deal with those issues, of course, having the up-to-date
versions directly shipped with FreeBSD is better!

[....]
> We have about 3 months left to get that patch in for 8; ideally 6
> weeks. Can you update the nat-t patch in a way as discussed here
> before so that the extra address is in etc. and we can move forward?

Done, new version is available here:
http://people.freebsd.org/~vanhu/NAT-T/experimental/patch-FreeBSD-TRUNK-NATT-pfkey-clean-2009-02-26.diff

> I basically do not care if racoon from ipsec-tools is not going to
> work for two weeks of HEAD or four as someone will quickly add a
> conditional patch to the port for a __FreeBSD_version > 8xxxxx and
> that can be removed once ipsec-tools properly detects the state of the
> system.

Things will continue working as soon as people compile without NAT-T.

When compiling with NAT-T, we will need to have "old FreeBSD+patch and
old ipsec-tools" or "FreeBSD with new NAT-T code and up to date
(actually even not in HEAD) racoon".

For people who may ask the question, when NAT-T+pfkey cleanup code
will be no more experimental, I'll backport a patchset at least for
FreeBSD 7.x.

Yvan.