[Openswan dev] ocf debian

Harald Jenny harald at a-little-linux-box.at
Fri Dec 17 13:06:57 EST 2010 

On Fri, Dec 17, 2010 at 08:53:07AM +1000, David McCullough wrote:
> 
> Jivin Paul Wouters lays it down ...
> > On Thu, 16 Dec 2010, Harald Jenny wrote:
> > 
> > [ bumping this to dev at openswan.org ]
> > 
> > >>> 	D) Never enable OCF in user space for openswan,  has not affect as B
> > >>> 	   above removes the need for it.
> > >>
> > >> I'll document this a little better in Makefile.inc. Perhaps we should have
> > >> two options there, one for HAVE_OCF_USERLAND and one for HAVE_OCF_KERNEL ?
> > >
> > > Sounds like a very good idea - but must it even be made a compile time option
> > > then for KLIPS? I guess it would rather call for two options like protostack,
> > > namely cryptstack and hashstack, with values "built-in" (both crypto and hash,
> > > default value and fallback), "ocf" (both crypto and hash) and "cryptoapi"
> > > (currently only crypto). How about this?
> > 
> > The big issue is that OCF requires us to link to openssl, and for instance
> > Red Hat does not allow us to do that because of certification. So, yes we
> > might be able to add an option, but it would be of limited value.
> > 
> > >> Okay, and that's probably the most useful and easest to do. So a dkms without
> > >> userland ocf pacakge. Then change the klips DKMS to require the ocf-dkms.
> > >
> > > Well I would rather call it an option, not a requirements - maybe there are
> > > people out there who don't want to use OCF?
> > 
> > David, can we have a module parameter for OCF? eg modprobe ipsec ocf={0,1} ?
> 
> What would the parameter do ?

I guess enable or disable use of OCF ;-) ?

> 
> If this is to enable/disable ocf,  then we have the problem of loading with
> needing ocf to be loaded.

You mean when compiled with OCF we must load something?

> 
> I don't think it's useful,  OCF support is a noop if you don't load and OCF
> drivers.

It would be bypassed completely?

> 
> > >> Harald, let's focus on getting the ocf dkms package going? That's the big one
> > >> for everyone right now.
> > >
> > > I can prepare a package for you but it won't be ready before next week, about
> > > inclusion into standard Debian we will have to wait after Squeeze release.
> 
> Cheers,
> Davidm

Kind regards
Harald

> 
> -- 
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org

More information about the Dev mailing list