I've updated the KAME code in FreeBSD 5.0-CURRENT to sync it with the
latest from the KAME repository. The diffs are rather large (1.5MB) but
some of the code in FreeBSD was quite old, and this also now includes
everything that's in KAME (for better or for worse - it was far too
difficult for me to try and separate changes in different areas). As a
nice bonus, that also includes ALTQ for IPv4 and IPv6.

Itojun suggests that there are a couple of things which shouldn't go into
FreeBSD yet, such as the RFC2292bis code which is still pre-RFC - after
Usenix I'll take a look at removing this stuff from my patched code.

So far the merged kernel is working nicely and interoperates with the
current FreeBSD KAME code - I've been running it since yesterday and so
far the only problem I've seen is a hung NFS mount when I was running NFS
over IPSec (hung in state nfsrcvlk) - I haven't replicated this yet or
determined whether it happens with regular NFS mounts also.

Other remaining issues:
* ALTQ has not been tested beyond checking that LINT compiles with it in
* the ipfw module doesn't compile (missing opt_foo.h headers - should be
  easy to fix)
* I didn't resolve one patch to the tx driver yet, so it doesn't work
* For some reason the stf.h header isn't being generated by config(8) when
  you include "device stf", so you have to put "#define NSTF 1" or
  "... 0" in stf.h in your kernel build dir by hand
* There's a lot of whitespace diffs and twisty little ifdef mazes which
  would need to be cleaned up before an eventual FreeBSD import

The userland from the latest KAME snapshot works fine: racoon also
compiles, but I haven't tested it yet (I need to update my other machine
to an official freebsd4 KAME snap)

I'll be away at Usenix most of this week (from Tuesday), but when I return
I'll keep working on this to get it commit-ready. I'd like to hear any
problems people have with the patches: you can find them at



P.S. Note that the patches are based on the latest -current, which means
you have to jump through the config(8) hoops as described on

In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
