<html><body><span class="xfm_29650874"><div>Hi,</div><div><br/></div><div>I built the module without warnings and errors:</div><div><br/></div><div>KLIPS module built successfully.<br/>ipsec.ko is in /home/pit/rpmbuild/BUILD/libreswan-3.21/modobj</div><div>-rw-rw-r-- 1 pit pit 13828120 сен  4 16:41 ipsec.ko<br/>   text    data     bss     dec     hex filename<br/> 372218   13592    7828  393638   601a6 ipsec.ko</div><div><br/></div><div>[root@spr1-vpn02 libreswan-3.21]# modinfo ipsec<br/>filename:       /lib/modules/3.10.0-514.26.2.el7.local.x86_64/kernel/net/ipsec/ipsec.ko<br/>license:        GPL<br/>version:        3.21<br/>rhelversion:    7.3<br/>srcversion:     0D27AD035636BF35CE10816<br/>depends:<br/>vermagic:       3.10.0-514.26.2.el7.local.x86_64 SMP mod_unload modversions<br/>parm:           ipsec_replaywin_override:override replay window (-1=no change, 0=disable, N=override value (int)<br/>parm:           ipsec_irs_cache_allocated_max:Maximum outstanding receive packets (before they are dropped) (int)<br/>parm:           ipsec_ixs_cache_allocated_max:Maximum outstanding transmit packets (int)<br/>parm:           ocf_available:int<br/>parm:           natt_available:int</div><div><br/></div><div>But after "modprobe ipsec" I have "kernel panic" :(</div><div>BUG: unable to handle kernel paging request at 000000000000711c</div><div>register_netdevice_notifier</div><div>ipsec_device_event+0x1c/0x360</div><div><br/><br/></div><div style="font-size:0.9em;font-style:italic;"> --- Original message ---<br/> From: "Paul Wouters" &lt;paul@nohats.ca&gt;<br/>  Date: 1 September 2017, 16:32:53<br/></div> <br/><blockquote class="xfmc1" style="border-left:1px solid rgb(204, 204, 204);margin:0px 0px 0px 0.8ex;padding-left:1ex;"><span><pre>On Fri, 1 Sep 2017, <a href="mailto:pit11@ukr.net" target="_blank" rel="noreferrer noopener">pit11@ukr.net</a> wrote:

> Centos 7.3.1611
> kernel 3.10.0-514.26.2.el7.local.x86_64

> 1. That kernel I built with 0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch and 0002-SAREF-implement-IP_IPSEC_BINDREF.patch from 3.11.0-15.25. The assembly
> was successful.
> 2. Libreswan 3.21 make module.

The real fix is to upgrade your users from l2tp/ipsec to either
ikev1-xauth or to ikev2.

But meanwhile:

> First problem:
> ==========
> In file included from /home/pit/rpmbuild/BUILD/libreswan-3.21/modobj/ipsec_xmit.c:57:0:
> /home/pit/rpmbuild/BUILD/libreswan-3.21/modobj/ipsec_xmit.c: In function 'ipsec_xmit_ipip':
> /home/pit/rpmbuild/BUILD/libreswan-3.21/linux/include/libreswan/ipsec_tunnel.h:32:42: warning: passing argument 1 of '__ip_select_ident' from incompatible pointer type
> [enabled by default]
>  #define lsw_ip4_hdr(ixirs)      ((struct iphdr *)
> (ixirs)->iph)                                                                                                                           
>                                           ^
> /home/pit/rpmbuild/BUILD/libreswan-3.21/linux/include/libreswan/ipsec_param2.h:33:60: note: in definition of macro 'KLIPS_IP_SELECT_IDENT'
>  # define KLIPS_IP_SELECT_IDENT(iph, skb) __ip_select_ident(iph, skb_dst(skb), 0)                                                        

Looks like the kernel has some backporting done, so you might need to
tweak the IP_SELECT_IDENT_NEW define version conditions in
./linux/include/libreswan/ipsec_kversion.h to match your kernel.

> Second problem:
> =============
> /home/pit/rpmbuild/BUILD/libreswan-3.21/modobj/ipsec_xmit.c: In function 'ipsec_xmit_send':
> /home/pit/rpmbuild/BUILD/libreswan-3.21/modobj/ipsec_xmit.c:2918:11: warning: passing argument 3 of 'NF_HOOK' from incompatible pointer type [enabled by default]
>            ipsec_xmit_send2);                                                                                                                                   


That one is a little harder now:

                         err = NF_HOOK(PF_INET, LSW_NF_INET_LOCAL_OUT,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
                                       dev_net(ixs->skb->dev),
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
                                       ixs->skb->sk,
#endif

again it looks like you have a backport and so we should change these
hardcoded versions with a new define like NEW_NF_HOOK so it can
be set independent of the kernel version.

Paul
</pre></span></blockquote>   </span></body></html>