Use new strongSwan HA kernel patchset keeping iptables ABI

Allows us to install stock debian iptables without the need for patching and
compiling our own.

testing/scripts/build-baseimage

@@ -20,7 +20,6 @@ INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
 INC=$INC,libalog0.4.1-base-dev,hostapd
 SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
 INC=$INC,${SERVICES// /,}
-EXC=iptables
 
 CACHEDIR=$BUILDDIR/cache
 APTCACHE=$LOOPDIR/var/cache/apt/archives
@@ -67,7 +66,7 @@ execute "mount -o bind $CACHEDIR $APTCACHE"
 do_on_exit graceful_umount $APTCACHE
 
 log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
-execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
 
 execute "mount -t proc none $LOOPDIR/proc"
 do_on_exit graceful_umount $LOOPDIR/proc

testing/scripts/recipes/004_iptables.mk

@@ -1,37 +0,0 @@
-#!/usr/bin/make
-
-PV  = 1.4.16.3
-PKG = iptables-$(PV)
-TAR = $(PKG).tar.bz2
-SRC = http://www.netfilter.org/projects/iptables/files/$(TAR)
-
-NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
-
-CONFIG_OPTS =
-
-PATCHES = \
-	iptables-xfrm-hooks
-
-all: install
-
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked: $(TAR)
-	tar xfj $(TAR)
-	@touch $@
-
-.$(PKG)-patches-applied: .$(PKG)-unpacked
-	cd $(PKG) && cat $(addprefix ../patches/, $(PATCHES)) | patch -p1
-	@touch $@
-
-.$(PKG)-configured: .$(PKG)-patches-applied
-	cd $(PKG) && ./configure $(CONFIG_OPTS)
-	@touch $@
-
-.$(PKG)-built: .$(PKG)-configured
-	cd $(PKG) && make -j $(NUM_CPUS)
-	@touch $@
-
-install: .$(PKG)-built
-	cd $(PKG) && make install

testing/scripts/recipes/patches/iptables-xfrm-hooks

@@ -1,61 +0,0 @@
-From 4553ba0130bb9f0aa266cc1e4c3288a52f34eed6 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Wed, 7 Apr 2010 11:40:15 +0200
-Subject: [PATCH] Added XFRM hooks to iptables headers
-
----
- include/linux/netfilter.h      |    2 ++
- include/linux/netfilter_ipv4.h |    6 +++++-
- include/linux/netfilter_ipv6.h |    6 +++++-
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index 2eb00b6..b692c67 100644
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -35,6 +35,8 @@ enum nf_inet_hooks {
- 	NF_INET_FORWARD,
- 	NF_INET_LOCAL_OUT,
- 	NF_INET_POST_ROUTING,
-+	NF_INET_XFRM_IN,
-+	NF_INET_XFRM_OUT,
- 	NF_INET_NUMHOOKS
- };
- 
-diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
-index 4d7ba3e..28d3ca9 100644
---- a/include/linux/netfilter_ipv4.h
-+++ b/include/linux/netfilter_ipv4.h
-@@ -47,7 +47,11 @@
- #define NF_IP_LOCAL_OUT		3
- /* Packets about to hit the wire. */
- #define NF_IP_POST_ROUTING	4
--#define NF_IP_NUMHOOKS		5
-+/* Packets going into XFRM input transformation. */
-+#define NF_IP_XFRM_IN		5
-+/* Packets going into XFRM output transformation. */
-+#define NF_IP_XFRM_OUT		6
-+#define NF_IP_NUMHOOKS		7
- 
- enum nf_ip_hook_priorities {
- 	NF_IP_PRI_FIRST = INT_MIN,
-diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
-index 7430b39..18590a5 100644
---- a/include/linux/netfilter_ipv6.h
-+++ b/include/linux/netfilter_ipv6.h
-@@ -51,7 +51,11 @@
- #define NF_IP6_LOCAL_OUT		3
- /* Packets about to hit the wire. */
- #define NF_IP6_POST_ROUTING	4
--#define NF_IP6_NUMHOOKS		5
-+/* Packets going into XFRM input transformation. */
-+#define NF_IP6_XFRM_IN		5
-+/* Packets going into XFRM output transformation. */
-+#define NF_IP6_XFRM_OUT		6
-+#define NF_IP6_NUMHOOKS		7
- 
- 
- enum nf_ip6_hook_priorities {
--- 
-1.6.3.3
-

testing/testing.conf

@@ -22,7 +22,7 @@ KERNELVERSION=3.8.1
 KERNEL=linux-$KERNELVERSION
 KERNELTARBALL=$KERNEL.tar.bz2
 KERNELCONFIG=$DIR/../config/kernel/config-3.8
-KERNELPATCH=ha-3.8.patch.bz2
+KERNELPATCH=ha-3.8-abicompat.patch.bz2
 
 # strongSwan version used in tests
 SWANVERSION=5.0.3