
Please remove xfrm and netkey from the kernel

Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Please remove xfrm and netkey from the kernel

Post by Gordon »

I know people have been nagging for these modules, but please make them modules and not part of the kernel. I can now no longer operate my VPN because xfrm and netkey are blocking KLIPS.
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: Please remove xfrm and netkey from the kernel

Post by johannes »

Hmm, thanks, will look into that for the next kernel build.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Please remove xfrm and netkey from the kernel

Post by Gordon »

Pretty please???
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: Please remove xfrm and netkey from the kernel

Post by johannes »

Cool down. :) Still no new kernel released (not since 2.4.2). It's in our bug tracker for 2.5.1 but cannot promise 2.5.1 will have a new kernel either (releasing a new kernel creates huge amounts of testing work for us).
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Please remove xfrm and netkey from the kernel

Post by Gordon »

I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?
carl
Posts: 474
Joined: 07 May 2008, 04:41

Re: Please remove xfrm and netkey from the kernel

Post by carl »

Gordon wrote:
I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?

If you are in a hurry, it's possible for you to rebuild the kernel by yourself.
  • first enable sources for apt using "change-distribution elvin -us" and run an "apt-get update" (as root)
  • install package build dependencies: "apt-get install devscripts"
  • download the kernel source "apt-get source bubba-kernel" (as normal user)
  • cd into the kernel directory, make the changes (for example remove debian/patches/0010-Enable-missing-modules-to-make-Strongswan-work.patch or modify it to be =m)
  • run "debuild -uc -us" (optionally increase the revision number)
  • install the deb-file
Actually I'm in the dark what KLIPS actually is (google doesn't give any viable indications), could you give a link?
/Carl Fürstenberg, Excito Software Developer
http://www.excito.com
support@excito.com
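
A check to run against the rebuilt kernel's config before installing the deb, as an added example (not from the thread or from Excito): it reports whether the NETKEY/XFRM IPsec options are built in (=y), modules (=m) or off. The list of config symbols and the sample config are assumptions made for illustration; the options actually set by the patch named above are not shown on this page.

```shell
#!/bin/sh
# Constructed sample config (not taken from the bubba-kernel package).
sample_config() {
cat <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
# CONFIG_INET_IPCOMP is not set
EOF
}

# Tristate options of the in-kernel NETKEY/XFRM IPsec stack (assumed list).
IPSEC_SYMS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP"

# sym_state FILE SYMBOL -> prints builtin, module or off
sym_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo off ;;
    esac
}

# builtin_ipsec FILE -> prints the listed symbols that are compiled in (=y)
builtin_ipsec() {
    found=""
    for s in $IPSEC_SYMS; do
        if [ "$(sym_state "$1" "$s")" = builtin ]; then
            found="${found:+$found }$s"
        fi
    done
    echo "$found"
}

# Use the config file given as $1 (for example the .config of the rebuilt
# kernel tree); with no argument, run on the constructed sample.
cfg=${1:-}
tmp=""
if [ -z "$cfg" ]; then
    tmp=$(mktemp); cfg=$tmp
    sample_config > "$cfg"
fi
for s in $IPSEC_SYMS; do
    printf '%-20s %s\n' "$s" "$(sym_state "$cfg" "$s")"
done
echo "still built in: $(builtin_ipsec "$cfg")"
[ -z "$tmp" ] || rm -f "$tmp"
```

An empty "still built in" line means none of the listed options is compiled into the kernel image, which is the state the thread asks for.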
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden
Contact:

Re: Please remove xfrm and netkey from the kernel

Post by johannes »

Gordon wrote:
I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Nope, you are correct that the 2.5 release mentioned ecryptfs support to the kernel, but that kernel was actually released already in 2.4.2 (just that we didn't test that feature until 2.5)

Gordon wrote:
after all undoing something should not require extensive testing, or...?

Well, yes, releasing a new kernel to several thousand users always requires extensive testing. One minor mistake in building the new kernel without this option enabled could cause severe issues and may affect any feature. Can't take any such risks, sorry.

I hope you can re-compile your kernel with help from Carl as above, while waiting... Sorry.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Please remove xfrm and netkey from the kernel

Post by Gordon »

Thanks Carl,

I actually thought about trying to rebuild the kernel, but I dismissed this idea because I'm too much running in the dark about the boot procedure of the B3; i.e. I could easily make the box non-bootable and I would really like to stay away from that.

KLIPS is the original ipsec stack from the Freeswan days. Moving on to kernel 2.6 the kernel developers made a choice in favour of netkey and the Strongswan branch followed by removing KLIPS support in their 2.6 versions. Openswan still supports *and* maintains KLIPS to be compiled as a kernel module.

Advantages for KLIPS over netkey: Well, for one it doesn't generate the Oops on the kernel (ref http://forum.excito.net/viewtopic.php?f=9&t=3278). What I also like is that firewalling becomes simpler because the resulting VPN connections use an independent interface (ipsec0) rather than share the outbound interface on which you would want to drop just about everything. Advantages for netkey over KLIPS; I don't see any...