BenV's notes

Today I wanted ipsec-tools on my Slackware64 (v13.37) domU.
Sounds simple: figure out where they host the stuff, download, configure ; make ; package, install. Right?
*BZZZZZ* WRONG!

First the figuring out where it’s hosted is easy. Google, feel lucky, boom. Launchpad. Nope, doesn’t seem original. Ah, here we go. Looks legit. Except for their ticket system that’s been filled with garbage. Does anyone maintain this shit?
After downloading and untarring we go through the configure step. The final configure string after getting rid of SELinux stuff and kerberos etc was this:

./configure --enable-stats --enable-hybrid --enable-shared --enable-frag --enable-adminport --enable-rc5 --enable-idea --enable-dpd --prefix=/usr --enable-security-context=no

Of course this quickly failed:

checking /lib/modules/3.2.6/build/include/linux/pfkeyv2.h usability... no
checking /lib/modules/3.2.6/build/include/linux/pfkeyv2.h presence... no
checking for /lib/modules/3.2.6/build/include/linux/pfkeyv2.h... no
checking /usr/src/linux/include/linux/pfkeyv2.h usability... no
checking /usr/src/linux/include/linux/pfkeyv2.h presence... no
checking for /usr/src/linux/include/linux/pfkeyv2.h... no
configure: error: Unable to find linux-2.6 kernel headers. Aborting.

Yeah well, this is a Xen domU. Obviously I didn’t build the kernel on there…
However, after installing the kernel headers in the correct place (/usr/include) the output was still the same. Should have known, why would they check the most obvious place for kernel headers?
And if you happen to have a symlink /usr/src/linux because you did have your kernel compilation there, make will fail like this:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -D_GNU_SOURCE -include ./src/include-glibc/glibc-bugs.h -I./src/include-glibc -I./src/include-glibc -I../../src/racoon/missing -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -g -O2 -Wall -Werror -Wno-unused -MT ipsec_dump_policy.lo -MD -MP -MF .deps/ipsec_dump_policy.Tpo -c ipsec_dump_policy.c -fPIC -DPIC -o .libs/ipsec_dump_policy.o
cc1: warnings being treated as errors
In file included from ../../src/include-glibc/linux/pfkeyv2.h:9:0,
from ../../src/include-glibc/net/pfkeyv2.h:7,
from ../../src/include-glibc/netinet/ipsec.h:3,
from ipsec_dump_policy.c:43:
../../src/include-glibc/linux/types.h:13:2: error: #warning "Attempt to use kernel headers from user space, see http://kernelnewbies.org/KernelHeaders"

Fortunately they created a configure option for this: –with-kernel-headers=/usr/include. Attempt 2:

root@ipsec:/usr/src/ipsec-tools-0.8.0# ./configure --enable-stats --enable-hybrid --enable-shared --enable-frag --enable-adminport --enable-rc5 --enable-idea --enable-dpd --prefix=/usr --enable-security-context=no --with-kernel-headers=/usr/include
# configure goes through
root@ipsec:/usr/src/ipsec-tools-0.8.0# make
libtool: link: gcc -I../../src/libipsec -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -g -O2 -Wall -Werror -Wno-unused -o .libs/setkey setkey.o parse.o token.o ../libipsec/.libs/libipsec.so -lrt -lutil -lcrypto -lresolv -lcrypt
token.o: In function `yylex':
/usr/src/ipsec-tools-0.8.0/src/setkey/token.c:1996: undefined reference to `yywrap'
collect2: ld returned 1 exit status
make[4]: *** [setkey] Error 1

Hmm, odd. Google hints that you should install flex and bison, but I have those installed.
A closer look at the configure log reveals:

configure:11270: checking for bison
configure:11286: found /usr/bin/bison
configure:11297: result: bison -y
configure:11313: checking for flex
configure:11329: found /usr/bin/flex
configure:11340: result: flex
configure:11377: flex conftest.l
flex: fatal internal error, exec failed
# snipped out some stuff
configure:11416: gcc -o conftest -g -O2 conftest.c -lfl >&5
/usr/lib64/gcc/x86_64-slackware-linux/4.5.2/../../../../lib64/libfl.a(libmain.o): In function `main':
libmain.c:(.text+0x7): undefined reference to `yylex'
collect2: ld returned 1 exit status
configure:11416: $? = 1

So they KNOW it fails. Yet they continue. Idiots.
Or as configure puts it:

checking lex library... none needed

However, they also created a configure option for this failure: –with-flexlib. After adding it we get it to compile:

./configure --enable-stats --enable-hybrid --enable-shared --enable-frag --enable-adminport --enable-rc5 --enable-idea --enable-dpd --prefix=/usr --enable-security-context=no --with-kernel-headers=/usr/include --with-flexlib=-lfl


And you trust your security to these clowns.