"James E. Flemer" wrote:
> The commit message for src/sys/netipsec/ipsec.c r1.1
> mentions that FAST_IPSEC and INET6 should not be used
> together. As far as I can tell from the commit log,
> nothing has changed that would negate that recommendation
> since the import. However, when compiling a -current (as
> of today) kernel with FAST_IPSEC and without INET6, there
> is some breakage (with -Werror).
>
> The prototype and definition of ipsec6_setspidx_in6pcb()
> are within #ifdef INET6 blocks (line 187 & 491), but the
> function is used on line 292, regardless of INET6.
>
> I'm not familiar enough with this code to offer up a patch.

The IPSEC code came in with the KAME (IPv6) code in the first place, so it's not surprising that a lot of stuff that works easily in the presence of IPv6 doesn't work nearly so well without it. I don't know if this is an oversight, or it's an intentional advocacy of making IPv6 part of all standard distributions. 8-).

The easy thing to do is to include IPv6, if you need certain IPSEC features, even if you're not going to use IPv6.

FWIW, there's also a penalty to every IPv4 connection when a kernel contains IPSEC, and that penalty isn't there when you use IPSEC with IPv6, instead: even if you are not going to use it, a context structure for IPSEC has to be carried around on every IPv4 connection. I noticed this when IPv6 first came in, and again, when the allocation of the context structure ran me short of connection memory, at one point. Very annoying.

If you can't live with this sort of thing, you'll have to dive into IPSEC internals a little more than humans should have to tolerate. Sorry. 8-(.

-- Terry