Oscar:

Why don't you use iptables 1.3.3 and see if the policy match is present after installing the iptables 1.3.3 code into the kernel? See the kernel options before installing the patches ... some patches (as the documentation said) are *not* compatible. Five patches from shorewall.net?

Why don't you try:

kernel 2.6.12
iptables 1.3.3

After that, see if you still need the patches (from patch-o-matic and from shorewall.net).

Hope this helps,

Jorge.

On Thu, 27-10-2005 at 14:34 -0600, Oscar A. Valdez wrote:
> I've been struggling to get IPSEC working on end-points on the same
> systems as Netfilter, and I'm amazed at how difficult it is to gather
> relevant information and to make it work on Linux, considering the
> growing deployment of IPSEC and the importance of Netfilter for
> firewalling. That's why I'm cross-posting to the netfilter users' and
> devels' lists.
>
> I believe the most reliable guide is at
> http://www.shorewall.net/IPSEC-2.6.html. Briefly, for my setup, the
> requirements are:
>
> Kernel 2.6.12 patched with:
>
>   * The five patches in
>     http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.12 (the
>     first four are the same as at
>     http://www.saout.de/misc/linux-2.6.12-ipsec-nat/ )
>
>   * The "policy match" extension from a recent Patch-o-matic-ng.
>
> * iptables 1.3.0 patched with the "policy match" extension from a
>   recent Patch-o-matic-ng.
>
> * ipsec-tools 0.5
>
> I first unpack a vanilla kernel and the iptables tarball into
> directories /tmp/linux-2.6.12.orig/ and /tmp/iptables-1.3.0.orig/, and
> make copies of both unpacked directories (/tmp/linux-2.6.12/
> and /tmp/iptables-1.3.0/).
>
> I then apply the "policy match" extensions to the copies, with the
> following patch-o-matic command:
>
> KERNEL_DIR=/tmp/linux-2.6.12/ \
> IPTABLES_DIR=/tmp/iptables-1.3.0/ ./runme extra
>
> Then, I generate the patch files by running
>
> diff -Nurp iptables-1.3.0.orig/ iptables-1.3.0/ \
>   > ipsec-nf-policy-match.diff
>
> and
>
> diff -Nurp linux-2.6.12.orig/ linux-2.6.12/ > ipsec-k-policy-match.diff
>
> When I try to compile the patched kernel, I get the following error:
>
> + make ARCH=i386 nonint_oldconfig
> CONFIG_IP_NF_MATCH_POLICY
> CONFIG_IP6_NF_MATCH_POLICY
> make[1]: *** [nonint_oldconfig] Error 2
> make: *** [nonint_oldconfig] Error 2
>
> It seems this is caused by the linux-2.4.0-nonintconfig.patch. I'll
> appreciate clues on how to get around this error, and I promise to keep
> the lists posted on my progress.

-- 
Jorge Isaac Davila Lopez
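One way to deal with the nonint_oldconfig failure in the quoted build log (an added example, not code from either poster): the non-interactive config target refuses to run while symbols it does not know about are still unset in .config, and it prints exactly those symbols, so adding them beforehand lets the build proceed. The `ensure_config_options` helper, the sample .config and the choice of `=m` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: make sure the policy-match kernel symbols that
# nonint_oldconfig complained about are present in .config before the
# non-interactive config step runs again.
# Assumption: building them as modules (=m) is acceptable; use =y if the
# match must be built in.

# ensure_config_options CONFIG_FILE SYMBOL [SYMBOL...]
# Appends "SYMBOL=m" for every symbol that is neither set nor explicitly
# disabled ("# SYMBOL is not set") in CONFIG_FILE, and prints the symbols
# it added, space separated (an empty line when nothing was missing).
ensure_config_options() {
    cfg="$1"; shift
    added=""
    for sym in "$@"; do
        # Already decided either way: leave the existing choice alone.
        if grep -q -E "^(${sym}=|# ${sym} is not set)" "$cfg"; then
            continue
        fi
        printf '%s=m\n' "$sym" >> "$cfg"
        added="${added}${sym} "
    done
    printf '%s\n' "${added% }"
}

# Constructed sample .config: a vanilla 2.6.12 configuration that predates
# the patch-o-matic "policy" match, so both new symbols are absent.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_AH_ESP is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
EOF

# First run adds both symbols the error message listed; the second run is
# a no-op because they are now present.
ensure_config_options "$SAMPLE_CFG" CONFIG_IP_NF_MATCH_POLICY CONFIG_IP6_NF_MATCH_POLICY
ensure_config_options "$SAMPLE_CFG" CONFIG_IP_NF_MATCH_POLICY CONFIG_IP6_NF_MATCH_POLICY
```

Run it against the real kernel tree's .config before `make ARCH=i386 nonint_oldconfig`, passing the symbol names the failed run printed.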