[Openswan dev] ocf debian

Paul Wouters paul at xelerance.com
Sun Dec 19 15:55:22 EST 2010


On Sun, 19 Dec 2010, Harald Jenny wrote:

>>> So OCF using cryptoapi gets loaded per default?
>>
>> We were already loading the cryptoapi modules manually because they cannot
>> get automatically loaded. I added cryptosoft to the list of modules to load.
>> So now the software ocf driver gets loaded. People still need to preload their
>> hardware driver.
>
> But doesn't this force every user to use OCF even if he may not want it?

Yes it does. Though at this moment, since OCF is not standard in the kernel (and probably
never will be because of the alternative but less developed "acrypto"), the user
has explicitly decided to want ocf. So it makes sense.

>>> Maybe we could add a hint to ipsec --versioncode that loads cryptodev when we
>>> detect that pluto was compiled with OCF support?
>>
>> ipsec --version should not have any side effects.
>
> Uhm but we declare already we are using KLIPS... so this would just be an
> extension.

You said "loads cryptodev", that is a side effect.

>> We already log OCF capabilities when pluto starts. I believe klips also logs some
>> ocf thing. So it is already there. Also, ipsec verify now tells you if your
>> klips has ocf support. I could enhance it to check if ANY ocf driver is loaded.
>
> Hmmm... I just wanted to load the OCF modules when KLIPS is compiled with it.

_startklips already does that now, except for the specific hardware modules. I'm not
sure if it would make sense to try all the hardware that hardly anyone would have.
Though I'm willing to do something that looks into "lspci" and loads whatever it
finds. But then someone needs to tell me the pci identifiers for these hardware
cards, since I don't have many of them.

Paul

