[FreeBSD] Building a PF_KEYv2 socket program on FreeBSD 6.2 fails with "Protocol not supported"

#1  Posted 2007-09-06 13:08
I don't know whether anyone here has read Unix Network Programming V1 3ed. In chapter 19, Key Management Sockets, dump and add both compile without problems, but at run time both print:
linhaohong# ./dump
socket error: Protocol not supported
linhaohong# ./add 127.0.0.1 127.0.0.1 HMAC-SHA-1-96 160 0123456789abcdef0123456789abcdef01234567
socket error: Protocol not supported

On SUSE Linux 9.0, however, they run without problems:
zwtmglab:/home/linhaohong/unpv13e/key # ./add 127.0.0.1 127.0.0.1 HMAC-SHA-1-96 160 0123456789abcdef0123456789abcdef01234567
Sending add message:
SADB Message Add, errno 0, satype IPsec AH, seq 0, pid 2009
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
Source address:   127.0.0.1/32
Dest address:   127.0.0.1/32
Authentication key, 160 bits: 0x0123456789abcdef0123456789abcdef01234567

Reply returned:
SADB Message Add, errno 0, satype IPsec AH, seq 0, pid 2009
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
Hard lifetime:
  0 allocations, 0 bytes0 addtime, 0 usetime
Soft lifetime:
  0 allocations, 0 bytes0 addtime, 0 usetime
Current lifetime:
  0 allocations, 0 bytes
  added at Thu Sep  6 12:56:25 2007, never used
Source address:   127.0.0.1/32
Dest address:   127.0.0.1/32
Proxy address:   0.0.0.0 (IP proto 255)
[unknown extension 19]
zwtmglab:/home/linhaohong/unpv13e/key # ./dump
Sending dump message:
SADB Message Dump, errno 0, satype Unspecified, seq 0, pid 2051

Messages returned:
SADB Message Dump, errno 0, satype IPsec AH, seq 0, pid 2051
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
Hard lifetime:
  0 allocations, 0 bytes0 addtime, 0 usetime
Soft lifetime:
  0 allocations, 0 bytes0 addtime, 0 usetime
Current lifetime:
  0 allocations, 0 bytes
  added at Thu Sep  6 12:56:25 2007, never used
Source address:   127.0.0.1/32
Dest address:   127.0.0.1/32
Proxy address:   0.0.0.0 (IP proto 255)
Authentication key, 160 bits: 0x0123456789abcdef0123456789abcdef01234567
[unknown extension 19]
Note: on Linux, #include <net/pfkeyv2.h> has to be changed to #include <linux/pfkeyv2.h>, and the definition of struct in_pktinfo in unp.h has to be commented out.

#2  Posted 2007-09-07 15:55
Solved. The default kernel configuration file does not include IPSec; add the following lines to the configuration file and rebuild the kernel:
options   IPSEC        #IP security
options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
options   IPSEC_DEBUG  #debug for IP security

After rebuilding the kernel and rebooting, PF_KEYv2 works, as shown below:
linhaohong# ./dump
Sending dump message:
SADB Message Dump, errno 0, satype Unspecified, seq 0, pid 772

Messages returned:
SADB Message Dump, errno 2, satype Unspecified, seq 0, pid 772
errno No such file or directory
linhaohong# ./add 127.0.0.1 127.0.0.1 HMAC-SHA-1-96 160 0123456789abcdef0123456789abcdef01234567
Sending add message:
SADB Message Add, errno 0, satype IPsec AH, seq 0, pid 777
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
Source address:   127.0.0.1/32
Dest address:   127.0.0.1/32
Authentication key, 160 bits: 0x0123456789abcdef0123456789abcdef01234567

Reply returned:
SADB Message Add, errno 0, satype IPsec AH, seq 0, pid 777
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
Source address:   127.0.0.1/32
Dest address:   127.0.0.1/32
linhaohong# ./dump
Sending dump message:
SADB Message Dump, errno 0, satype Unspecified, seq 0, pid 778

Messages returned:
SADB Message Dump, errno 0, satype IPsec AH, seq 0, pid 778
SA: SPI=1989672960 Replay Window=0 State=Mature
  Authentication Algorithm: HMAC-SHA-1
  Encryption Algorithm: None
[unknown extension 19]
Current lifetime:
  0 allocations, 0 bytes
  added at Fri Sep  7 15:49:30 2007, never used
Source address:   127.0.0.1/32 (IP proto 255)
Dest address:   127.0.0.1/32 (IP proto 255)
Authentication key, 160 bits: 0x0123456789abcdef0123456789abcdef01234567
linhaohong#
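
Added example, not part of the original thread or of the UNP sources: a small C probe that opens a PF_KEYv2 socket, sends SADB_DUMP, and maps the result to the cases seen above ("Protocol not supported" on a kernel without IPSEC, and errno 2 from a dump before any SA was added). The names pfkey_hdr, KEY_V2, KEY_DUMP, pfkey_explain and pfkey_probe are hypothetical; the header layout and constants follow RFC 2367, and reading errno 2 as an empty SADB is an assumption based on the output in post #2.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* RFC 2367 base header (struct sadb_msg), redeclared under a hypothetical
 * name so this builds without net/pfkeyv2.h or linux/pfkeyv2.h. */
struct pfkey_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;            /* len counts 64-bit words */
    uint32_t seq, pid;
};
enum { KEY_V2 = 2, KEY_DUMP = 10 };    /* PF_KEY_V2 and SADB_DUMP per RFC 2367 */

/* Map the value returned by pfkey_probe() to the likely cause. */
const char *pfkey_explain(int err)
{
    switch (err) {
    case 0:               return "PF_KEYv2 works, dump accepted";
    case ENOENT:          return "PF_KEYv2 works, dump found no SAs";
    case EPROTONOSUPPORT: /* the error reported in post #1 */
    case EAFNOSUPPORT:    return "kernel lacks PF_KEY (FreeBSD: options IPSEC)";
    case EPERM:
    case EACCES:          return "not privileged, run as root";
    default:              return "unexpected error";
    }
}

/* Open the socket and send SADB_DUMP; return the socket errno or the reply's errno field. */
int pfkey_probe(void)
{
    struct pfkey_hdr m = { KEY_V2, KEY_DUMP, 0, 0, sizeof m / 8, 0, 0, (uint32_t)getpid() };
    int fd = socket(PF_KEY, SOCK_RAW, KEY_V2);
    if (fd < 0) return errno;
    errno = 0;                         /* so a short read/write maps to EIO below */
    int ok = write(fd, &m, sizeof m) == (ssize_t)sizeof m &&
             read(fd, &m, sizeof m) == (ssize_t)sizeof m;  /* first reply header only */
    int rc = ok ? m.err : (errno ? errno : EIO);
    close(fd);
    return rc;
}

int main(void)
{
    int rc = pfkey_probe();
    printf("%s (%d: %s)\n", pfkey_explain(rc), rc, strerror(rc));
    return rc != 0 && rc != ENOENT;
}
```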

#3  Posted 2007-09-07 17:28

About the dmesg warnings after enabling IPSEC

After enabling IPSEC, dmesg shows the following warnings:
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.

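Explanation:
With IPSec enabled in the kernel, the IPSec code is not fully SMP-safe. To provide safety, the FreeBSD kernel runs a single-threaded network stack when IPSec is loaded into the kernel.
The GIANT-LOCKED message only informs developers that part of the kernel uses the Big Giant Lock (i.e. is not fully threaded). It is purely informational and can be ignored.

If the kernel does not include the IPSec options, dmesg will not show the warnings above. The kernel then runs with a fully threaded network stack and is SMP-safe.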

#4  Posted 2015-09-15 09:45
How should IPsec be handled when cross-compiling? Asking the original poster for advice.