Hi,

On 14.12.2004 22:44, Patrick McHardy wrote:
>>What is the timeline for getting these patches (and policy match) into
>>the kernel.org tree? The next major release of Shorewall relies on them
>>for native 2.6 IPSEC support.
> I will submit them once 2.6.10 is out.

Yesterday I had a problem with 2.6.10, IPSEC and connection tracking, please see:
http://lists.netfilter.org/pipermail/netfilter/2005-January/057751.html

Thanks to Michael Mueller's hint on the netfilter list, Patrick McHardy's patches and Ronald Moesbergen's adaption to Kernel 2.6.9 I was able to build my own working patches against 2.6.10. Please find them attached and consider it as my small participation (and my excuse for breaking in :-).

Please note that someone changed xfrm_policy_get_afinfo() and xfrm_policy_put_afinfo() to static somewhere between 2.6.9 and 2.6.10, so I had to "resurrect" them. Works for me, review probably necessary.

In retrospect the topic is kind of problematic. At least this one:
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
itches me to run 2.6.10. With a plain 2.6.x kernel I can't, because connection tracking and IPSEC together is well known as NoGo. My own knowledge of kernel hacking can only be considered improvable, so my private patch is a risk as well as running <= 2.6.9. Fscking lost, huh? :-)

I would love to hear the ipsec-nat patches will make it into 2.6.11.

Kind Regards,
Robert

P.S.: Some minutes ago I found Ronald Moesbergen's patches for 2.6.10 on the list. No competition intended.