[Openswan dev] 2.4.7 klips on 2.6 currently requires >= 2.6.18

Axel Thimm Axel.Thimm at ATrpms.net
Sun Nov 26 13:03:13 EST 2006

On Sun, Nov 26, 2006 at 04:13:16AM +0100, Paul Wouters wrote:
> On Sun, 26 Nov 2006, Axel Thimm wrote:
> > >     Axel> While building on 2.6.18 kernels is OK, for 2.6.17 (and
> > >     Axel> probably earlier kernels therefore) it bails out with
> > >
> > >   Is this a virgin kernel, or a redhat one?
> >
> > It's a Red Hat one.
> Yes. And it is RedHat that is causing the problems here.
> RedHat adds functionality in their kernel before it merges into Linus'
> kernel. As a result, API changes (eg to skb_linearize in this case)
> appear in "2.6.17" in redhat's tree, while they only appear in the
> official linus tree on 2.6.18. We have #ifdef's for these API changes
> in linux/include/ipsec_kversion.h, but we do not know how to detect
> the kernel we are compiling for is a "-1" redhat kernel. We have a
> choice of either breaking it for redhat, or for everyone else. And
> since redhat creates this problem, and they're smaller than everyone
> else combined, we decided to break it for them.
> I don't know what the proper way to permanently fix these issues is.
> For now, you'll have to tweak ipsec_kversion.h and lower certain
> checks for the latest kernel release by 1 version number. (for older
> checks, the "off by one" no longer bites you)

I fully agree that the default behaviour should be matching the
vanilla kernel. What Red Hat/Fedora users and perhaps other distros
with extra API-breaking^Wchanging patches would need is some
documentation (in the wiki perhaps?) of how to manually tune the build
to match such a mixed kernel.

> If you are rebuilding openswan packages for KLIPS, you will also need
> to apply the nat-t patch to the kernel,

I thought that the natt patch was there from kernel 2.6.6 onwards or
did I misunderstand what I read (it was in the openswan wiki)?

> generated by 'make natt-patch' or openswan, or as separate source
> file from the ftp server. We had one report of the ftp conntrack
> helping module failing when this patch was applied.

I could add the patch to ATrpms' supplied Fedora kernel & add-ons (as
I was doing at kernel 2.4 times). It mainly harbors swsusp2 patches

> Openswan-2.4.7 adds support for fedora style "new host key".
> Note that I have various bugzilla items open against openswan in fedora,
> the most important part being the incorrect call to generate a new host
> key which causes rpm/yum/anaconda to hang indefinitely when installing
> the package on machines with not enough random. Currently, Xen's random is
> broken and installing fedora through virt-install and including redhat's
> openswan package will cause indefinite hangs.

What's the proper call? I'd like to get proper packages out
there. That would help anaconda installs in xen, although FC6 has the
ability to add repos during the install, e.g. never to try to install
the buggy version.
Axel.Thimm at ATrpms.net