ipsec-tools has a make config option to enable NAT-T support or leave it disabled. To be able to compile in NAT-T support, patched header files have to be installed on the system the port is built on. People enabling NAT-T support but not having installed the patched header files do not get NAT-T support, and only a single line of output from configure/autotools tells you about this, so it is unlikely that anyone will ever notice. Usually people install ipsec-tools and wonder why NAT-T support is not working. We have already seen those problems on freebsd-net@ for example.

Fix: If NATT is enabled in make config, tell GNU configure that we really want it and not only optionally want it, so the port will fail to build if no patched header files are available.

How-To-Repeat: turn on option NATT in make config, compile on an unpatched base system and look at the configure output, or try to use the package with a patched kernel. There is no error message though you said "I want this to be on".
State Changed From-To: open->feedback Awaiting maintainers feedback
On Mon, Nov 13, 2006 at 06:49:14PM +0000, Edwin Groothuis wrote: > Maintainer of security/ipsec-tools, > > Please note that PR ports/105488 has just been submitted. > > If it contains a patch for an upgrade, an enhancement or a bug fix > you agree on, reply to this email stating that you approve the patch > and a committer will take care of it. > > The full text of the PR can be found at: > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/105488 > Hi. The main reason why I set up enable-natt=kernel by default is to be as transparent as possible. People who just don't know what NAT-T is won't care about it (and will automagically have it when the patch is included in FreeBSD's CVS), and people who want it should have read the warning about needing a kernel patch. But if you know a way to have a more complex menu option, like "yes/no/force", or "yes/if supported/no", and report the option to configure (so the default will always be "if supported", but you can force to "yes" and have an error if includes don't support NAT-T), it would be an interesting patch to report. Yvan. -- NETASQ http://www.netasq.com
On Wed, 15 Nov 2006, VANHULLEBUS Yvan wrote: > People who just don't know what is NAT-T won't care about it (and will > automagically have it when the patch will be included in FreeBSD's > CVS), and people who want it should have read the warning about > needing a kernel patch. People who won't care don't need it and would leave it at the default, which is off anyway, so that case does not matter. People who want it do not want it to be left out when they have to explicitly turn it on. By turning it on they say "I want this" but do not say "I want this maybe". If they do a make package and deploy it and it turns out not to be in it, it might take them hours to figure out what went wrong. It's a YES/NO thing and no MAYBE. If you want a MAYBE, do it for the default NO case, but that will not permit people to leave it out when their system would have the header files that support it. So if you want a MAYBE, do not provide an option, but that will not allow people to choose - that's what the options from make config are about. It's basically like a light switch: you can turn it on and there should be light (or something will be wrong and you want to know about that) or turn it off and the light should be off (and not coincidentally stay on). -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
On Wed, Nov 15, 2006 at 09:27:52PM +0000, Bjoern A. Zeeb wrote: > On Wed, 15 Nov 2006, VANHULLEBUS Yvan wrote: > > >People who just don't know what is NAT-T won't care about it (and will > >automagically have it when the patch will be included in FreeBSD's > >CVS), and people who want it should have read the warning about > >needing a kernel patch. > > People who won't care don't need it and would leave it to default > which is off anyway so that case does not matter. When this option was included, I guessed that integrating NAT-T support in FreeBSD's CVS would be quite fast, so I set the default to ease migration when it is included, even for people who don't know what NAT-T means (but who may still need it). This patch integration took a lot more time than I hoped (and it is still not done). But now lots of people have WITH_NATT=true in their /var/db/ports/ipsec-tools file, so we can't just apply the patch you provided, as it would break ipsec-tools compilation for all people who don't know what NAT-T is, and who don't know of the patch's existence. > People who want it do not want it to be left out when they have to > explicitly to turn it on. By turning it on they say "I want this" > but do not say "I want this maybe". If they do a make package and > deploy it and it turns out to not be in it might take them hours to > figure out what went wrong. > > It's a YES/NO thing and no MAYBE. If you want a MAYBE do it for > the default NO case but that will not permit people to leave it out > when their system would have the header files that support it. If I used a YES/NO which means YES => force, NO => maybe, someone else would already have filed a PR for "I set NAT-T support to NO and it is compiled on my host which has the NAT-T patch!".......... > So if you want a MAYBE do not provide an option but that will not > allow the poeple to chose - that's what the options from make config > are about.
The only solution to make sure (quite) all people are happy would be to have a YES/NO/FORCE (or a YES/TEST/NO, or whatever else, as long as the actual default value in option files doesn't break things). Of course, the best long term solution will be to have NAT-T support officially integrated in FreeBSD......... Yvan. -- NETASQ http://www.netasq.com
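The three-state option argued over above (best effort by default, forced on with a hard failure, or off) boils down to one decision: when the user demanded the feature, refuse to build if the headers cannot deliver it, instead of letting configure quietly fall back. The POSIX sh below is an added example written for this page, not the ipsec-tools port's own Makefile or the diff that was committed. It assumes the NAT-T kernel patch advertises itself by defining SADB_X_EXT_NAT_T_TYPE in <net/pfkeyv2.h>, that the forced mode is selected by a hypothetical WITH_NATT_FORCE knob, and that the configure script accepts `--enable-natt=yes` and `--disable-natt` alongside the `--enable-natt=kernel` mentioned in the thread; the two header trees it builds are constructed for the demonstration, not real system include directories.

```shell
#!/bin/sh
# Added example (not from PR ports/105488 or the ipsec-tools port): map a
# three-state NAT-T build option onto configure arguments, and fail loudly
# when NAT-T was demanded but the installed headers cannot provide it.
#
# Assumption: the NAT-T kernel patch defines SADB_X_EXT_NAT_T_TYPE in
# <net/pfkeyv2.h>; adjust the macro to whatever the patch you use adds.

# natt_header_supported INCLUDEDIR
#   returns 0 if INCLUDEDIR/net/pfkeyv2.h carries the NAT-T define
natt_header_supported() {
    hdr="$1/net/pfkeyv2.h"
    [ -f "$hdr" ] && grep -q \
        '^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*SADB_X_EXT_NAT_T_TYPE' \
        "$hdr"
}

# natt_configure_arg MODE INCLUDEDIR
#   MODE is no | kernel | yes (the YES/NO/FORCE menu discussed in the PR).
#   Prints the configure argument on stdout.  Returns 1 when MODE is "yes"
#   (the forced case, hypothetical WITH_NATT_FORCE) and the headers lack
#   NAT-T support: this is the silent fallback the PR complains about,
#   turned into a build error.
natt_configure_arg() {
    mode="$1"; incdir="$2"
    case "$mode" in
        no)
            echo "--disable-natt" ;;
        kernel)
            # Best effort: configure decides from the headers and never fails.
            echo "--enable-natt=kernel" ;;
        yes)
            if natt_header_supported "$incdir"; then
                echo "--enable-natt=yes"
            else
                echo "NAT-T was forced on but $incdir/net/pfkeyv2.h lacks" \
                     "SADB_X_EXT_NAT_T_TYPE; install the patched headers" \
                     "or build without NAT-T" >&2
                return 1
            fi ;;
        *)
            echo "unknown NAT-T mode '$mode' (expected no|kernel|yes)" >&2
            return 2 ;;
    esac
}

# demo_natt_check
#   Builds two constructed header trees (one with the NAT-T define, one
#   stock) and exercises the three modes.  Returns 0 only if the forced
#   mode succeeds on the patched tree and fails on the stock tree.
demo_natt_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/patched/net" "$tmp/stock/net"
    printf '#define SADB_X_EXT_NAT_T_TYPE 20\n' > "$tmp/patched/net/pfkeyv2.h"
    printf '/* stock header: no NAT-T extensions */\n' > "$tmp/stock/net/pfkeyv2.h"

    natt_configure_arg yes    "$tmp/patched" || { rm -rf "$tmp"; return 1; }
    natt_configure_arg kernel "$tmp/stock"   || { rm -rf "$tmp"; return 1; }
    natt_configure_arg no     "$tmp/stock"   || { rm -rf "$tmp"; return 1; }
    if natt_configure_arg yes "$tmp/stock" 2>/dev/null; then
        rm -rf "$tmp"; return 1   # must not silently succeed
    fi
    rm -rf "$tmp"
}

demo_natt_check
```

In a port Makefile the same decision would live in the `.if defined(WITH_NATT_FORCE)` branch that appends to CONFIGURE_ARGS; the point is that the forced branch checks the headers itself and aborts, rather than trusting configure to refuse.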
http://people.freebsd.org/~sat/diffs/ipsec-tools.diff Approve, please :-)
On Mon, Dec 04, 2006 at 07:11:03AM +0300, Andrew Pantyukhin wrote: > http://people.freebsd.org/~sat/diffs/ipsec-tools.diff > > Approve, please :-) I was searching for "something to do" with a single define, but it is probably as easy to do that. It provides the requested feature, and it won't break things for people who already have ipsec-tools and who don't know what "NAT-T" means, so it's ok for me. Thanks for it. Yvan. -- NETASQ http://www.netasq.com
State Changed From-To: feedback->closed Something committed, thanks!
sat 2006-12-04 10:24:33 UTC FreeBSD ports repository Modified files: security/ipsec-tools Makefile Log: - An option to force NATT functionality - Sneak in master sites beautification and use_ldconfig while I'm here PR: ports/105488 Submitted by: bz Approved by: VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer) Revision Changes Path 1.14 +7 -3 ports/security/ipsec-tools/Makefile