FreeBSD NAT-T patch integration [CFR/CFT]
Sam Leffler
sam at freebsd.org
Thu Jul 17 04:10:21 UTC 2008
Sam Leffler wrote:
> Larry Baird wrote:
>>> And how do I know that it works ?
>>> Well, when it doesn't work, I do know it, quite quickly most of the
>>> time !
>>>
>> I have to chime in here. I did most of the initial porting of the
>> NAT-T patches from Kame IPSec to FAST_IPSEC. I did look at every
>> line of code during this process. I found no security problems during
>> the port. Like Yvan, my company uses the NAT-T patches commercially.
>> Like he says, if it had problems, we would hear about it. If the patches
>> don't get committed, I highly suspect Yvan or myself would try to keep
>> the patches up to date. So far I have done FAST_IPSEC patches for FreeBSD
>> 4, 5, 6. Yvan did 7 and 8 by himself. Keeping up gets to be a pain
>> after a while. I do plan to look at the FreeBSD 7 patches soon, but
>> it sure would be nice to see it committed.
>>
Please test/review the following patch against HEAD:
http://people.freebsd.org/~sam/nat_t-20080616.patch
This adds only the kernel portion of the NAT-T support; you must provide
the user-level code from another place.
The main differences from the patches floating around are in the
ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP
frames. Assuming folks are ok w/ these changes I'll commit to HEAD.
Once this stuff goes in we can look at getting the user-mode mods into
the tree.
Sam
PS. Thanks especially to Matthew Grooms who tested an earlier version
and fixed a bug.
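The ESP-in-UDP decap Sam mentions has to decide, for every datagram arriving on the NAT-T port, whether it carries ESP, IKE behind the non-ESP marker, or a NAT keepalive, before anything is handed to ESP input. The following is an added example written for this thread, not code from Sam's patch or from the FreeBSD source; it implements the classification RFC 3948 section 2 defines, with constructed sample datagrams. The names `natt_classify`, `natt_kind` and `natt_result` are this example's own.

```c
/* Added example (not from the NAT-T patch or FreeBSD): classify the UDP
 * payload of a datagram received on the NAT-T port the way RFC 3948
 * section 2 lays it out. buf/len cover only the UDP payload, i.e. the
 * bytes after the 8-byte UDP header. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NATT_PORT 4500u   /* UDP port RFC 3948 assigns to NAT-T */

enum natt_kind {
    NATT_MALFORMED,   /* too short to be any of the three formats */
    NATT_KEEPALIVE,   /* single 0xFF byte (RFC 3948 section 2.3) */
    NATT_IKE,         /* 4-byte all-zero non-ESP marker, then IKE header */
    NATT_ESP          /* ESP header directly: SPI, sequence number, ... */
};

struct natt_result {
    enum natt_kind kind;
    uint32_t spi;         /* meaningful only when kind == NATT_ESP */
    size_t   payload_off; /* offset of the ESP or IKE header inside buf */
};

/* Read a big-endian 32-bit value from the wire. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct natt_result natt_classify(const uint8_t *buf, size_t len)
{
    struct natt_result r = { NATT_MALFORMED, 0, 0 };

    /* Keepalive: exactly one byte, 0xFF. Consumed, never passed to ESP. */
    if (len == 1 && buf[0] == 0xFF) {
        r.kind = NATT_KEEPALIVE;
        return r;
    }
    if (len < 4)
        return r;   /* cannot even hold an SPI or the non-ESP marker */

    uint32_t first = be32(buf);
    if (first == 0) {
        /* Non-ESP marker (SPI 0 is never a valid ESP SPI): an IKE header
         * of 28 bytes must follow before anything is parsed as IKE. */
        if (len < 4 + 28)
            return r;
        r.kind = NATT_IKE;
        r.payload_off = 4;
        return r;
    }
    /* ESP: 8-byte header (SPI + sequence number) plus at least the 2-byte
     * pad-length/next-header trailer (RFC 4303), so demand 10 bytes. */
    if (len < 8 + 2)
        return r;
    r.kind = NATT_ESP;
    r.spi = first;
    r.payload_off = 0;
    return r;
}

/* Constructed sample datagrams (UDP payload only), not captured traffic. */
static const uint8_t sample_keepalive[1] = { 0xFF };
static const uint8_t sample_ike[4 + 28] = {
    0x00, 0x00, 0x00, 0x00,                          /* non-ESP marker */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,  /* initiator SPI */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* responder SPI */
    0x21, 0x20, 0x22, 0x08,   /* next payload SA, v2.0, IKE_SA_INIT, I flag */
    0x00, 0x00, 0x00, 0x00,                          /* message ID */
    0x00, 0x00, 0x00, 0x1c                           /* length = 28 */
};
static const uint8_t sample_esp[] = {
    0x0A, 0x0B, 0x0C, 0x0D,                          /* SPI */
    0x00, 0x00, 0x00, 0x01,                          /* sequence number */
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02               /* opaque ciphertext */
};
static const uint8_t sample_short[3] = { 0x00, 0x00, 0x00 };

static const char *kind_name(enum natt_kind k)
{
    switch (k) {
    case NATT_KEEPALIVE: return "keepalive";
    case NATT_IKE:       return "ike";
    case NATT_ESP:       return "esp";
    default:             return "malformed";
    }
}

int main(void)
{
    struct natt_result r;
    r = natt_classify(sample_keepalive, sizeof sample_keepalive);
    printf("keepalive sample -> %s\n", kind_name(r.kind));
    r = natt_classify(sample_ike, sizeof sample_ike);
    printf("ike sample       -> %s (header at offset %zu)\n",
           kind_name(r.kind), r.payload_off);
    r = natt_classify(sample_esp, sizeof sample_esp);
    printf("esp sample       -> %s (SPI 0x%08x)\n", kind_name(r.kind), r.spi);
    r = natt_classify(sample_short, sizeof sample_short);
    printf("short sample     -> %s\n", kind_name(r.kind));
    return 0;
}
```

The length checks are the part worth copying: a decap path that forwards anything with a nonzero first word to ESP input, or anything with a zero first word to the IKE daemon, without first checking that the minimum header is present is relying on the next layer to reject truncated input.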