Subject: backward compat in ipsec policy engine
To: None <tech-net@netbsd.org>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-net
Date: 01/28/2000 05:52:00
I'm now trying to upgrade the KAME IPsec portion to a more recent one.
Since the KAME tree changed the kernel IPsec policy engine, there's a binary
compatibility issue with old binaries and new binaries.

The most important change is in sys/netkey/keyv2.h. The attached
part declares the PF_KEY message types.

The problem is that a binary compiled with the old header is now not usable
on a new kernel. Due to the semantics change, it is not trivial to emulate
old calls in the new kernel. For safety reasons, we may want to
avoid codes #11 to #16 (skip them), and put new message types from 17.

However, FreeBSD merged the Nov 1999 KAME tree, and will be shipping
it in FreeBSD 4.0. If we would like to keep the same numbers (for
COMPAT_FREEBSD maybe), we shouldn't change the numbers.

Which route should I take?
- safe behavior when we run an old binary on a new kernel
  (-> skip old type #)
- compatibility with FreeBSD (no # changes. old binaries will not
  run any more)

itojun
***************
*** 71,91 ****
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
- #define SADB_X_SPDADD 13
- #define SADB_X_SPDDELETE 14
- #define SADB_X_SPDDUMP 15
- #define SADB_X_SPDFLUSH 16
- #define SADB_MAX 16
--- 65,95 ----
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
+ #define SADB_X_SPDUPDATE 13 /* not yet */
+ #define SADB_X_SPDADD 14
+ #define SADB_X_SPDDELETE 15
+ #define SADB_X_SPDGET 16 /* not yet */
+ #define SADB_X_SPDACQUIRE 17 /* not yet */
+ #define SADB_X_SPDDUMP 18
+ #define SADB_X_SPDFLUSH 19
+ #define SADB_X_SPDSETIDX 20 /* add only SPD selector */
+ #define SADB_X_SPDEXPIRE 21 /* not yet */
+ #define SADB_MAX 21
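
Review bot: Values 13 to 16 are reassigned in the new block rather than retired, so a request built against the old header is not rejected but silently read as a different operation. Going by the two sides of this hunk, old SADB_X_SPDADD (13) arrives as SADB_X_SPDUPDATE, old SADB_X_SPDDELETE (14) as SADB_X_SPDADD, old SADB_X_SPDDUMP (15) as SADB_X_SPDDELETE, and old SADB_X_SPDFLUSH (16) as SADB_X_SPDGET. For a policy database the dump-to-delete and delete-to-add cases are the ones to worry about, since a stale management binary could change policy while believing it is only listing or removing it. If the numbering is not tied to the FreeBSD merge, leave 13 to 16 unassigned with a comment marking them as retired, start the SPD types at 17, and adjust SADB_MAX accordingly, so old binaries fail cleanly. If the numbers must stay as posted, add a comment above SADB_X_SPDUPDATE recording that 13 to 16 changed meaning relative to the previous header. Separately, the four entries marked "not yet" (13, 16, 17, 21) fall at or below SADB_MAX 21, so any bounds check against SADB_MAX will admit them; the comment should say that the kernel is expected to reject these types explicitly until they are implemented.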