
Please remove xfrm and netkey from the kernel

Posted: 18 Apr 2012, 09:56
by Gordon
I know people have been nagging for these modules, but please make them modules and not part of the kernel. I can now no longer operate my VPN because xfrm and netkey are blocking KLIPS.

Re: Please remove xfrm and netkey from the kernel

Posted: 18 Apr 2012, 11:51
by johannes
Hmm, thanks, will look into that for the next kernel build.

Re: Please remove xfrm and netkey from the kernel

Posted: 09 Jun 2012, 15:35
by Gordon
Pretty please???

Re: Please remove xfrm and netkey from the kernel

Posted: 10 Jun 2012, 00:39
by johannes
Cool down. :) Still no new kernel released (not since 2.4.2). It's in our bug tracker for 2.5.1 but cannot promise 2.5.1 will have a new kernel either (releasing a new kernel creates huge amounts of testing work for us).

Re: Please remove xfrm and netkey from the kernel

Posted: 10 Jun 2012, 15:54
by Gordon
I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?

Re: Please remove xfrm and netkey from the kernel

Posted: 13 Jun 2012, 07:23
by carl
Gordon wrote:I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).

Annoyingly what caused my issue was a request to have the conflicting kernel elements be made readily available as modules, which would not have been a problem if it had been executed as such. As I'm merely requesting to undo this previous change I was starting to wonder if it was actually being handled; after all undoing something should not require extensive testing, or...?
If you are in a hurry, it's possible for you to rebuild the kernel by yourself.
  • first enable sources for apt using "change-distribution elvin -us" and run an "apt-get update" (as root)
  • install package build dependencies: "apt-get install devscripts"
  • download the kernel source "apt-get source bubba-kernel" (as normal user)
  • cd into the kernel directory, make the changes (for example remove debian/patches/0010-Enable-missing-modules-to-make-Strongswan-work.patch or modify it to be =m)
  • run "debuild -uc -us" (optionally increase the revision number)
  • install the deb-file
Actually I'm in the dark what KLIPS actually is (google doesn't give any viable indications), could you give a link?
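
An added example, not part of the original post: before and after a rebuild like the one described above, this script reports which IPsec-related options in a kernel config file are compiled in (=y) rather than built as modules (=m). The option list and the sample config are assumptions constructed for illustration; pass the path of the real config file (for example the .config in the kernel source tree) as the first argument.

```shell
#!/bin/sh
# Assumed selection of IPsec-related options; adjust to what the patch touches.
IPSEC_OPTS="CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP"

# opt_state FILE OPTION -> prints builtin | module | off | missing
opt_state() {
    awk -v opt="$2" '
        $0 == (opt "=y")               { s = "builtin" }
        $0 == (opt "=m")               { s = "module" }
        $0 == ("# " opt " is not set") { s = "off" }
        END { print (s == "" ? "missing" : s) }
    ' "$1"
}

# builtin_opts FILE -> prints the options from IPSEC_OPTS that are compiled in
builtin_opts() {
    out=""
    for o in $IPSEC_OPTS; do
        if [ "$(opt_state "$1" "$o")" = "builtin" ]; then
            out="$out $o"
        fi
    done
    echo "${out# }"
}

# Constructed sample config, used when no file is given on the command line.
sample_config() {
    cat <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
# CONFIG_INET_IPCOMP is not set
EOF
}

cfg="${1:-}"
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    sample_config > "$cfg"
fi
echo "compiled in: $(builtin_opts "$cfg")"
```

An empty "compiled in:" line after the rebuild means none of the listed options are built into the kernel image any more.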

Re: Please remove xfrm and netkey from the kernel

Posted: 13 Jun 2012, 09:21
by johannes
Gordon wrote:I'm sorry if I sound somewhat impatient, but it is somewhat of a pressing issue to me. The thing is that a new kernel has been released meanwhile (I know because I had to rebuild the xtables addons and ipset modules twice now) and the latest software update mentioned a new kernel as well (although I believe it was just a module added?).
Nope, you are correct that the 2.5 release mentioned ecryptfs support to the kernel, but that kernel was actually released already in 2.4.2 (just that we didn't test that feature until 2.5)
Gordon wrote:after all undoing something should not require extensive testing, or...?
Well, yes, releasing a new kernel to several thousand users always requires extensive testing. One minor mistake in building the new kernel without this option enabled could cause severe issues and may affect any feature. Can't take any such risks, sorry.

I hope you can re-compile your kernel with help from Carl as above, while waiting... Sorry.

Re: Please remove xfrm and netkey from the kernel

Posted: 13 Jun 2012, 09:38
by Gordon
Thanks Carl,

I actually thought about trying to rebuild the kernel, but I dismissed this idea because I'm too much running in the dark about the boot procedure of the B3; i.e. I could easily make the box non-bootable and I would really like to stay away from that.

KLIPS is the original ipsec stack from the Freeswan days. Moving on to kernel 2.6 the kernel developers made a choice in favour of netkey and the Strongswan branch followed by removing KLIPS support in their 2.6 versions. Openswan still supports *and* maintains KLIPS to be compiled as a kernel module.

Advantages for KLIPS over netkey: Well, for one it doesn't generate the Oops on the kernel (ref http://forum.excito.net/viewtopic.php?f=9&t=3278). What I also like is that firewalling becomes simpler because the resulting VPN connections use an independent interface (ipsec0) rather than share the outbound interface on which you would want to drop just about everything. Advantages for netkey over KLIPS; I don't see any...