do I have to compile a new kernel? or just add options somehow?
firmdog at gmail.com
Thu Dec 5 20:41:28 UTC 2013
I ran #kldload crypto. Did you see that? Then I ran kldstat and it shows
the module loaded.
Why do I have to recompile the kernel if I can run kldload or use loader.conf
to load the module at boot time?
On Thu, Dec 5, 2013 at 12:13 PM, Fleuriot Damien <ml at my.gd> wrote:
> Merely adding the options and rebooting is not sufficient to get the
> options from your kernel as opposed to a module.
>
> You need to actually recompile the kernel, I hope you did that.
>
>
> On Dec 5, 2013, at 5:48 PM, "firmdog at gmail.com" <firmdog at gmail.com> wrote:
>
>
> Looks like it "might have" worked for me. First I added a couple of
> options to the GENERIC config:
>
> root@:~ # grep IPSEC /usr/src/sys/i386/conf/GENERIC
> options IPSEC # IP security (requires device crypto)
> options IPSEC_NAT_T # NAT-T support, UDP encap of ESP
>
> Then rebooted:
>
> root@:~ # uname -a
> FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE #0 r251259: Mon Jun 3 01:14:28
> UTC 2013 root at bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>
> root@:~ # kldload crypto
> root@:~ # kldstat
> Id Refs Address Size Name
> 1 5 0xc0400000 d5c4ec kernel
> 2 1 0xc58eb000 23000 crypto.ko
> 3 1 0xc58da000 a000 zlib.ko
>
>
> The reason I am doing this is because a new Cisco VPN router will not work
> with my IPF FreeBSD firewall. The IPF firewall blocks the UDP IPsec packets
> on port 4500. So now I need to see if doing the above exercise helps with
> IPF blocking IPsec traversal across NAT.
>
>
>
>
> On Thu, Dec 5, 2013 at 10:57 AM, Fleuriot Damien <ml at my.gd> wrote:
>
>> Oh but you can load modules at boot time for GENERIC just fine.
>>
>> While there is a "crypto" module nested under
>> /usr/src/sys/modules/crypto/ , I'm not familiar enough with it to say
>> whether it incorporates both the device and the IPSEC options you're
>> interested in.
>>
>> You're better off rebuilding GENERIC, or your own kernel, IMHO.
>>
>>
>>
>> If you're curious, you can always run :
>> kldload crypto
>>
>> If kldload says the module doesn't exist (I think it should, for
>> GENERIC), you'll need to build it:
>> cd /usr/src/sys/modules/crypto/ && make && make install
>>
>>
>>
>> Here's little me trying to load it under a brand new 8.4 box:
>>
>> # kldload /boot/kernel/crypto.ko
>> kldload: can't load /boot/kernel/crypto.ko: Exec format error
>>
>>
>> If you run into this error like me, "dmesg" will provide you with a clue,
>> as it does in my case:
>> KLD crypto.ko: depends on zlib - not available or version mismatch
>> linker_load_file: Unsupported file type
>>
>>
>>
>> I really encourage you to rebuild your own kernel, stripped of all the
>> stuff you don't want/need (ISA NICs, wifi, firewire, floppy controller... )
>>
>>
>> Warren Block has written pretty cool articles, here:
>> http://www.wonkity.com/~wblock/docs/html/buildworld.html
>> http://www.wonkity.com/~wblock/docs/html/kernelconfig.html
>>
>>
>>
>>
>> I hope that helps,
>>
>>
>> On Dec 5, 2013, at 4:30 PM, "firmdog at gmail.com" <firmdog at gmail.com>
>> wrote:
>>
>>
>> So the answer is that it's NOT possible to load modules at boot time for
>> GENERIC? I have to actually build a new kernel?
>>
>> Thanks!
>>
>>
>> On Thu, Dec 5, 2013 at 9:42 AM, Fleuriot Damien <ml at my.gd> wrote:
>>
>>>
>>> On Dec 5, 2013, at 3:35 PM, "firmdog at gmail.com" <firmdog at gmail.com>
>>> wrote:
>>>
>>> > I am having difficulty understanding what is compiled into the GENERIC
>>> > kernel.
>>> >
>>> > I need to enable "device crypto" with IPSEC and IPSEC_NAT_T options.
>>> >
>>> > Can I just configure the GENERIC kernel in a config file? Or do I have to
>>> > compile a totally new kernel?
>>> > _______________________________________________
>>> > freebsd-questions at freebsd.org mailing list
>>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>
>>>
>>> While it's far from being a good practice, you can simply add your:
>>> device crypto
>>> options IPSEC
>>> options IPSEC_NAT_T
>>>
>>> to /sys/amd64/conf/GENERIC (assuming you're running a 64bit release that
>>> is).
>>>
>>>
>>> Then: cd /usr/src && make kernel-toolchain && make buildkernel
>>>
>>> Once the kernel is built, you only need to "make installkernel" and
>>> reboot.
>>>
>>> It is good practice, before rebooting, to run "mergemaster -p" , even if
>>> you've only done a minor upgrade, let good habits sink in ;)
>>>
>>>
>>>
>>>
>>> Regarding what is compiled in the GENERIC kernel, you can find the
>>> included options and devices at:
>>> /sys/amd64/conf/GENERIC
>>> or
>>> /sys/i386/conf/GENERIC
>>>
>>> You may also run config -x /boot/kernel/kernel , if your kernel was
>>> built with INCLUDE_CONFIG_FILE , which GENERIC does.
>>>
>>>
>>
>>
>
>
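
An added example, not part of the thread: a shell check over the embedded kernel config (the `config -x /boot/kernel/kernel` output mentioned above) that reports whether `options IPSEC`, `options IPSEC_NAT_T` and `device crypto` are compiled in. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel config dump for the
# IPsec entries discussed above. On a real host the input would come from
#   config -x /boot/kernel/kernel | check_ipsec_config

# has_entry KIND NAME: config text on stdin; succeeds if an uncommented
# "KIND NAME" line is present and not undone by a later "noKIND NAME".
has_entry() {
    awk -v kind="$1" -v name="$2" '
        { sub(/#.*/, "") }                          # drop comments
        $1 == kind && $2 == name        { found = 1 }
        $1 == ("no" kind) && $2 == name { found = 0 }
        END { exit (found ? 0 : 1) }'
}

# check_ipsec_config: config text on stdin; prints one line per entry and
# returns 0 only when all three entries are compiled in.
check_ipsec_config() {
    cfg=$(cat); missing=0
    for entry in "options IPSEC" "options IPSEC_NAT_T" "device crypto"; do
        set -- $entry                # split into KIND and NAME
        if printf '%s\n' "$cfg" | has_entry "$1" "$2"; then
            echo "compiled in: $entry"
        else
            echo "MISSING: $entry"; missing=1
        fi
    done
    return "$missing"
}

# Constructed sample inputs (abbreviated, not real config -x output).
sample_stock() {        # kernel config without the IPsec entries
    printf '%s\n' 'ident GENERIC' 'options INET' 'device ether' \
        '#options IPSEC # commented out, does not count'
}
sample_rebuilt() {      # kernel config with the three entries added
    sample_stock
    printf '%s\n' 'options IPSEC # IP security' \
        'options IPSEC_NAT_T # NAT-T support' 'device crypto'
}

sample_stock   | check_ipsec_config || echo "=> rebuild needed"
sample_rebuilt | check_ipsec_config && echo "=> all entries compiled in"
```

This only works when the kernel was built with INCLUDE_CONFIG_FILE, as noted in the thread; a loaded `crypto.ko` in `kldstat` is a separate fact and is not inspected here.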