Jivin Eran Ben-Avi lays it down ...
> Hi,
>
> While working with openswan 2.4.9 on kernel 2.6.22.7 I found a bug in file sysctl_net_ipsec.c.
> The initialization of ipsec_table is improper for newer kernel versions since ctl_table structure was updated.
> The 7th parameter which refers to *parent was initialized mistakenly with *proc_handler as it was in older kernel versions.
> As a result ipsec proc entries under /proc/sys/net/ipsec were created as directories instead of files which led to improper behavior of openswan.
> Patch attached - the patch is only for newer kernel versions. Of course it should be updated for backward compatibility.

The newly released 2.4.10 version has a fix for this included, but it only names the one field to avoid the structure alignment changes.

Probably more a topic for the openswan dev list. I figure it needs to be more like the attached changes to 2.4.9 going forward. Will repost once I update to 2.4.10 (and then probably 2.5...) ;-)

Cheers,
Davidm

> --- linux/net/ipsec/sysctl_net_ipsec.c 2004-07-10 17:11:18.000000000 -0200 > +++ ../openswan-2.4.9_a/linux/net/ipsec/sysctl_net_ipsec.c 2007-11-06 11:13:13.000000000 -0200 > @@ -74,45 +74,45 @@ > static ctl_table ipsec_table[] = { > #ifdef CONFIG_KLIPS_DEBUG > { NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah, > - sizeof(int), 0644, NULL, &proc_dointvec}, > + sizeof(int), 0644, NULL, NULL, &proc_dointvec}, > { NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp, > - sizeof(int), 0644, NULL, &proc_dointvec}, > + sizeof(int), 0644, NULL, NULL, &proc_dointvec},
....

--
David McCullough, david_mccullough@securecomputing.com, Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com
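
Review bot: the extra positional NULL added to the debug_ah and debug_esp entries has no kernel-version guard around it, so the initializer is only correct for the ctl_table layout that has the parent member. Built against an older kernel where the 7th member is still proc_handler, the same line leaves proc_handler NULL and puts &proc_dointvec into whatever member follows it. Naming the members instead, for example `.proc_handler = &proc_dointvec` together with `.ctl_name`, `.procname`, `.data`, `.maxlen` and `.mode`, keeps each entry correct under both layouts and removes the need for a per-version patch; the reply notes that 2.4.10 already does this for the one field. If positional initializers are kept, wrap the two forms in a LINUX_VERSION_CODE check so the backward-compatibility gap mentioned in the report is closed in the same change.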