Please remove xfrm and netkey from the kernel

Post by Gordon » 18 Apr 2012, 09:56

I know people have been nagging for these modules, but please make them modules and not part of the kernel. I can now no longer operate my VPN because xfrm and netkey are blocking KLIPS.

Post by johannes » 18 Apr 2012, 11:51

Hmm, thanks, will look into that for the next kernel build.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Post by Gordon » 09 Jun 2012, 15:35

Pretty please???

Post by johannes » 10 Jun 2012, 00:39

Cool down. :) Still no new kernel released (not since 2.4.2). It's in our bug tracker for 2.5.1 but cannot promise 2.5.1 will have a new kernel either (releasing a new kernel creates huge amounts of testing work for us).
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Post by Gordon » 10 Jun 2012, 15:54

I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?

Post by carl » 13 Jun 2012, 07:23

Gordon wrote: I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?

If you are in a hurry, it's possible for you to rebuild the kernel by yourself.
  • first enable sources for apt using "change-distribution elvin -us" and run an "apt-get update" (as root)
  • install package build dependencies: "apt-get install devscripts"
  • download the kernel source "apt-get source bubba-kernel" (as normal user)
  • cd into the kernel directory, make the changes (for example remove debian/patches/0010-Enable-missing-modules-to-make-Strongswan-work.patch or modify it to be =m)
  • run "debuild -uc -us" (optionally increase the revision number)
  • install the deb-file
Actually I'm in the dark what KLIPS actually is (google doesn't give any viable indications), could you give a link?
/Carl Fürstenberg, Excito Software Developer
http://www.excito.com
support@excito.com
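
A check to run against a kernel config before and after the rebuild described above, reporting which IPsec-stack options are built in (=y) rather than modules (=m). This is an added example, not part of the original thread or Excito's code; the symbol list uses mainline Kconfig names as an assumption (the thread only says "xfrm and netkey"), and the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify NETKEY/XFRM options in a kernel .config as y, m or n.
# Assumption: mainline Kconfig symbol names; the thread does not list them.
IPSEC_SYMBOLS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP"

# ipsec_config_state FILE SYMBOL
# Prints y (built in), m (module) or n (unset or absent). Last assignment wins.
ipsec_config_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# builtin_ipsec_symbols FILE
# Prints the space-separated symbols that are compiled into the kernel image,
# i.e. the ones that cannot be unloaded to make room for another IPsec stack.
builtin_ipsec_symbols() {
    out=""
    for sym in $IPSEC_SYMBOLS; do
        if [ "$(ipsec_config_state "$1" "$sym")" = "y" ]; then
            out="${out:+$out }$sym"
        fi
    done
    echo "$out"
}

# make_sample_config: writes a constructed config fragment, prints its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
# CONFIG_INET_AH is not set
CONFIG_INET_ESP=y
EOF
    echo "$f"
}

cfg=$(make_sample_config)
echo "built in: $(builtin_ipsec_symbols "$cfg")"
rm -f "$cfg"
```

Point `builtin_ipsec_symbols` at the config of the kernel you built or are running; an empty result means none of the listed options are compiled in.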

Post by johannes » 13 Jun 2012, 09:21

Gordon wrote: I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Nope, you are correct that the 2.5 release mentioned ecryptfs support to the kernel, but that kernel was actually released already in 2.4.2 (just that we didn't test that feature until 2.5)

Gordon wrote: after all undoing something should not require extensive testing, or...?

Well, yes, releasing a new kernel to several thousand users always requires extensive testing. One minor mistake in building the new kernel without this option enabled could cause severe issues and may affect any feature. Can't take any such risks, sorry.

I hope you can re-compile your kernel with help from Carl as above, while waiting... Sorry.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Post by Gordon » 13 Jun 2012, 09:38

Thanks Carl,

I actually thought about trying to rebuild the kernel, but I dismissed this idea because I'm too much running in the dark about the boot procedure of the B3; i.e. I could easily make the box non-bootable and I would really like to stay away from that.

KLIPS is the original ipsec stack from the Freeswan days. Moving on to kernel 2.6 the kernel developers made a choice in favour of netkey and the Strongswan branch followed by removing KLIPS support in their 2.6 versions. Openswan still supports *and* maintains KLIPS to be compiled as a kernel module.

Advantages for KLIPS over netkey: Well, for one it doesn't generate the Oops on the kernel (ref http://forum.excito.net/viewtopic.php?f=9&t=3278). What I also like is that firewalling becomes simpler because the resulting VPN connections use an independent interface (ipsec0) rather than share the outbound interface on which you would want to drop just about everything. Advantages for netkey over KLIPS; I don't see any...
