I just discovered that I won't get my hardened gentoo kernel to work with openswan/shorewall out of the box. There are a few patches that are missing, for example policy match. There is a list at the top of this document: http://www.shorewall.net/IPSEC-2.6.html And this howto also shows how to patch the kernel to get openswan/shorewall to work: http://gentoo-wiki.com/HOWTO_Shorewall_Firewall_IPsec_VPN_and_2.6_kernel It would be great if the missing patches were included in the gentoo hardened kernel (and in iptables too, of course). Thanks!
from http://gentoo-wiki.com/HOWTO_Shorewall_Firewall_IPsec_VPN_and_2.6_kernel: "Update: As of kernel 2.6.16, policy match support is built-in. No patching needed (tested with gentoo-sources-2.6.16-r1, iptables-1.3.5 + extensions USE flag, ipsec-tools-0.6.2-r1 on ~x86). Just follow this guide until the first emerge instruction in "Get the software" section (if necessary, add sys-kernel/gentoo-sources to /etc/portage/package.keywords), then jump to "Recompile your kernel" and finally jump down to "Test Shorewall"." so just try the 2.6.16 hardened sources, and it looks like the other tools also have the relevant support. So nothing to fix :)
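A quick way to confirm the policy match support that comment above relies on, added here as an example and not code from the thread or the wiki: the function reads a kernel .config and reports whether the IPsec policy match (CONFIG_NETFILTER_XT_MATCH_POLICY, the symbol of the in-tree xt_policy match that appeared in 2.6.16) is built in, a module, or absent. The two config files it checks are constructed inline so the script runs offline; on a real box you would point it at /usr/src/linux/.config instead and also run `iptables -m policy --help` to confirm the userspace side.

```shell
#!/bin/sh
# Added example (not from the bug thread): does this kernel config carry the
# IPsec policy match that Shorewall's IPsec zones need?

# policy_match_state <config-file>
# Prints "builtin", "module" or "missing"; returns 0 only when usable.
policy_match_state() {
    cfg="$1"
    sym="CONFIG_NETFILTER_XT_MATCH_POLICY"
    if grep -q "^${sym}=y\$" "$cfg"; then
        echo builtin
        return 0
    elif grep -q "^${sym}=m\$" "$cfg"; then
        echo module
        return 0
    else
        echo missing
        return 1
    fi
}

# Constructed sample configs (not real kernel .config files) for the demo.
good_cfg=$(mktemp)
bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT

cat > "$good_cfg" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
EOF

cat > "$bad_cfg" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
EOF

# Real usage: policy_match_state /usr/src/linux/.config
policy_match_state "$good_cfg"
policy_match_state "$bad_cfg" || echo "no policy match: patch or move to >= 2.6.16"
```

If the match is reported as "module", remember that it still has to be loaded (or autoloaded by iptables) before Shorewall's IPsec rules will insert; "builtin" needs nothing further.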
So what I actually wanted was to get 2.6.16 marked stable, since it also fixes #137061. Thanks!
.16 probably won't be marked stable unless the grsec/pax patches come out of http://grsecurity.net/~spender/ and find themselves here http://grsecurity.net/download.php ; Perhaps you could/should start a thread on the grsec ml and find out what's the status..
(In reply to comment #3) > .16 probably won't be marked stable unless the grsec/pax patches come > out of http://grsecurity.net/~spender/ and find themselves here > http://grsecurity.net/download.php ; > > Perhaps you could/should start a thread on the grsec ml and find out > what's the status.. I joined the list and posted a message. The list is moderated and my message has still not been accepted. Looks like nothing has been accepted since May.