[Openswan dev] problems with 2.4.10

Paul Wouters paul at xelerance.com
Wed Dec 5 14:08:17 EST 2007


On Wed, 5 Dec 2007, Laszlo Attila Toth wrote:

> 1)
> There are scripts in packaging/utils started by '#!/bin/sh'
> however they are using the "source" command which doesn't exist in sh, only in
> bash, also the scripts should be started with "#!/bin/bash" or
> use dot (.) instead of source.
>
> for instance in:
> packaging/utils/kernelpatch

I will fix these.

>
> 2) KLIPS should depend on NF_CONNTRACK but it doesn't. Without it (kernel
> 2.6.22, ubuntu gutsy):

That is fixed in 2.4.11, released yesterday.

> 3) natt or klips patch doesn't contain include/net/xfrmudp.h
> (the klips patch is made by make kpatch)

The include file comes from the nat-t patch. If you want KLIPS with
NAT-T you have to apply the NAT-T patch. Are you saying you compiled
without NAT-T support and still got this error?

> 4) The natt patch can't be applied properly (some parts of net/ipv4/udp.c are
> rejected). It is attached (as an stgit patch).

Against which kernel? AFAIK, it works against vanilla 2.6.22.

> 5) undeclared variables
>
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c: In function
> 'ipsec_xmit_encap_bundle':
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: 'ixt_e'
> undeclared (first use in this function)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: (Each
> undeclared identifier is reported only once
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: for each
> function it appears in.)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1345: error: 'blocksize'
> undeclared (first use in this function)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1354: error: 'ixt_a'
> undeclared (first use in this function)
>
> This is because CONFIG_KLIPS_ALG is unset, but CONFIG_KLIPS_ESP is set.

Are you building using openswan's "make module", or a kernel build after
running make kpatch? We define CONFIG_KLIPS_ALG in KLIPSCOMPILE in Makefile.inc

> I found:
> ./net/ipsec/Kconfig:130:# remove all of CONFIG_KLIPS_ALG
>
> Why is this define used if it is unused? It is quite confusing.

Michael removed some of these at some point because KLIPS depended
on CONFIG_KLIPS_ALG anyway. But to better support the OCF patch, some
of that code again needed to be conditional for the OCF code. Since for
2.4.x, the OCF code is a separate patch, that might not be obvious when
you look at it from just the openswan source code point of view. In
openswan 2.5/3.x the OCF code has been integrated.

> Please remove from ipsec_xmit_encap_bundle(), and so on, here is the list.
> Which one is required and which is pointless?
>
> net/ipsec/pfkey_v2_ext_process.c:146:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_init.c:245:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1020:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1046:#if defined CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1271:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_proc.c:119:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_proc.c:863:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_esp.c:156:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_esp.c:216:#ifdef CONFIG_KLIPS_A

I think what is needed is a way to define CONFIG_KLIPS_ALG per default,
even when not building within the openswan source tree. I'll look at
fixing this.

> I tried 2.4.11 but it is also buggy, I couldn't compile it.

You mean the same issues? Or other issues? If other issues, please
give us more information so we can address them.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

