[Openswan dev] ocf debian

Harald Jenny harald at a-little-linux-box.at
Mon Dec 20 02:47:57 EST 2010


On Sun, Dec 19, 2010 at 03:55:22PM -0500, Paul Wouters wrote:
> On Sun, 19 Dec 2010, Harald Jenny wrote:
> 
> >>>So OCF using cryptoapi gets loaded per default?
> >>
> >>We were already loading the cryptoapi modules manually because they cannot
> >>get automatically loaded. I added cryptosoft to the list of modules to load.
> >>So now the software ocf driver gets loaded. People still need to preload their
> >>hardware driver.
> >
> >But doesn't this force every user to use OCF even if he may not want it?
> 
> Yes it does. Though at this moment, since OCF is not standard in the kernel (and prob
> never will be because of the alternative but less developed "acrypto"), the user
> has explicitly decided to want ocf. So it makes sense.

Not user-friendly and may really piss off admins. I as an admin may decide to
install OCF on a machine for later testing (at my decision) but the next time I
restart openswan they get loaded anyway (which may result in undesired
behavior).

> 
> >>>Maybe we could add a hint to ipsec --versioncode that loads cryptodev when we
> >>>detect that pluto was compiled with OCF support?
> >>
> >>ipsec --version should not have any side effects.
> >
> >Uhm but we declare already we are using KLIPS... so this would just be an
> >extension.
> 
> You said "loads cryptodev", that is a side effect.

Sorry what I meant was: run internal "ipsec --versioncode" - when we detect
pluto was compiled with OCF support then load cryptodev (I'm personally not a
fan of modifying ipsec scripts as they will be overwritten when the next
version gets installed).

> 
> >>We already log OCF capabilities when pluto starts. I believe klips also logs some
> >>ocf thing. So it is already there. Also, ipsec verify now tells you if your
> >>klips has ocf support. I could enhance it to check if ANY ocf driver is loaded.
> >
> >Hmmm... I just wanted to load the OCF modules when KLIPS is compiled with it.
> 
> _startklips already does that now, except for the specific hardware modules. I'm not
> sure if it would make sense to try all the hardware that hardly anyone would have.
> Though I'm willing to do something that looks into "lspci" and loads whatever it
> finds. But then someone needs to tell me the pci identifiers for these hardware
> cards, since I don't have many of them.

Hmmm sorry from the git log entry I thought you always try to load cryptoloop
regardless if KLIPS is compiled with it or OCF is installed.

> 
> Paul

Kind regards
Harald

