From cub@cub.org.ua  Sun Nov  2 05:49:48 2003
Return-Path: <cub@cub.org.ua>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id DE06716A4CE; Sun,  2 Nov 2003 05:49:48 -0800 (PST)
Received: from shop.digma.com.ua (shop.digma.com.ua [217.12.194.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 6721C43FDD; Sun,  2 Nov 2003 05:49:44 -0800 (PST)
	(envelope-from cub@cub.org.ua)
Received: from cub.org.ua (demani.digma [172.22.5.7])
	by shop.digma.com.ua (8.12.6p2/8.12.6) with ESMTP id hA2Dneba056188;
	Sun, 2 Nov 2003 15:49:40 +0200 (EET)
	(envelope-from cub@cub.org.ua)
Received: from cub by cub.org.ua with local (Exim 4.22)
	id 1AGIbn-0001Ux-7o; Sun, 02 Nov 2003 15:49:35 +0200
Message-Id: <E1AGIbn-0001Ux-7o@cub.org.ua>
Date: Sun, 02 Nov 2003 15:49:35 +0200
From: Kostyuk Oleg <cub@cub.org.ua>
Sender: Kostyuk Oleg <cub@cub.org.ua>
Reply-To: Kostyuk Oleg <cub@cub.org.ua>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: /etc/rc.d/ipsec starts not in time
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58832
>Category:       conf
>Synopsis:       /etc/rc.d/ipsec starts not in time
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 02 06:00:34 PST 2003
>Closed-Date:    Sun Nov 13 08:10:25 GMT 2005
>Last-Modified:  Sun Nov 13 08:10:25 GMT 2005
>Originator:     Kostyuk Oleg
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
	System: FreeBSD demani.digma 5.1-CURRENT
	FreeBSD 5.1-CURRENT #4: Sun Nov 2 13:45:34 EET 2003
	root@demani.digma:/var/.0/usr/obj/usr/src/sys/CUB i386


>Description:
	I use ipsec between my desktop and nfs/ntp server.
	On boot my machine stops on "Mounting NFS file systems".

	If I press Ctrl+C, booting continues OK, but NFS mounts
	are left unmounted and time is not in sync.

	I tried to use the -b flag to mount_nfs in fstab, but this
	did not help me.

	The problem is in the order of starting /etc/rc.d/ipsec.
	It must start BEFORE any network interaction,
	maybe even before configuring interfaces.
	But I am not sure about the case with diskless machines.

>How-To-Repeat:
	Create entry in /etc/fstab for nfs mount,
	create /etc/ipsec.conf to establish secure connection
	to same server (on both sides, of course :), and reboot.

>Fix:

	(~)% grep -h '\$FreeBSD' /usr/src/etc/rc.d/ipsec /etc/rc.d/ipsec
	# $FreeBSD: src/etc/rc.d/ipsec,v 1.6 2003/07/30 18:53:59 mtm Exp $
	# $FreeBSD: src/etc/rc.d/ipsec,v 1.6 2003/07/30 18:53:59 mtm Exp $


	(~)% diff -u /usr/src/etc/rc.d/ipsec /etc/rc.d/ipsec
	--- /usr/src/etc/rc.d/ipsec     Wed Jul 30 21:53:59 2003
	+++ /etc/rc.d/ipsec     Sun Nov  2 14:43:59 2003
	@@ -5,8 +5,8 @@
	 #

	 # PROVIDE: ipsec
	 # REQUIRE: root beforenetlkm mountcritlocal
	-# BEFORE:  DAEMON
	+# BEFORE:  NETWORK
	 # KEYWORD: FreeBSD NetBSD

	 #      it does not really require beforenetlkm.
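
Review bot: On the `+# BEFORE:  NETWORK` line, the script becomes ordered ahead of networking while the unchanged `# REQUIRE: root beforenetlkm mountcritlocal` line only guarantees that root and the local critical filesystems are mounted, so everything the script executes has to be reachable from those filesystems. The report itself is unsure about diskless machines; please confirm that case and state the constraint in the header comment, and revisit the trailing `it does not really require beforenetlkm` remark now that ordering relative to the network is the point of the change.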

>Release-Note:
>Audit-Trail:
From PR 59338:

 Hi,

 >>>>> On Sun, 16 Nov 2003 12:10:12 +0200
 >>>>> Kostyuk Oleg <cub@cub.org.ua> said:

 >>It is not sufficient.  There is setkey(8) in /usr/sbin.  It means that
 >>we cannot protect NFS exported /usr by IPsec.  If there is no
 >>objection, I wish to move setkey(8) into /sbin like NetBSD did.
 >
 > tlambert2> This type of order inversion is common.
 > tlambert2> Can we simply delay exportation until later in the boot process?
 > tlambert2> Wouldn't this have the same effect?
 >
 > Oops, I should explain the situation clearly.  The client which mounts
 > /usr by NFS cannot use IPsec due to lack of setkey(8).

 cub> I think you do not exactly understand my problem.

 I don't think so.

 cub> I do not export anything, do not protect NFS exported /usr, and
 cub> have an ordinary workstation with 40G HD and /usr on it.
 cub> Using IPSec - historical behavior :), and I live without
 cub> problems on 4.x .

 cub> But I use NFS exports from others.
 cub> And, in case IPSec is used between my machine and NFS server,
 cub> I can't boot smoothly - booting holds up on mounting NFS
 cub> until I press Ctrl+C .

 cub> The patch which I sent resolves my problem.
 cub> But I am not sure - is this patch applicable for diskless ?....

 setkey(8) is in /usr/sbin.  Currently, ipsec is done after
 mountcritremote.  So, the user who uses NFS mounted /usr can use
 setkey(8).
 It seems your patch changes to invoke ipsec before networking.  It
 means that the user who uses NFS mounted /usr cannot use setkey(8),
 anymore.
 So, I believe that moving setkey(8) into /sbin is required to
 establish your needs.

 Sincerely,

 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/


From: Jean-Yves Lefort <jylefort@brutele.be>
To: freebsd-gnats-submit@FreeBSD.org, cub@cub.org.ua
Cc:  
Subject: Re: conf/58832: /etc/rc.d/ipsec starts not in time
Date: Tue, 28 Sep 2004 19:11:34 +0200

 This is a duplicate of 72135.
 
 The patch I've provided there might be more appropriate.
 
 -- 
 Jean-Yves Lefort
 
 jylefort@brutele.be
 http://lefort.be.eu.org/
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Nov 13 08:08:57 GMT 2005 
State-Changed-Why:  
See patch in conf/72135. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58832 
>Unformatted:
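
The ordering argument in this PR, modelled as an added example (not part of the PR, and not rcorder(8) itself): it checks whether ipsec is guaranteed to run before mountcritremote under each BEFORE value, and what happens if ipsec also needs an NFS-mounted /usr. The dependency lines for the other scripts and all function names are constructed for illustration; only the ipsec REQUIRE/BEFORE lines come from the diff above.

```python
import re
from graphlib import TopologicalSorter, CycleError

# Constructed, simplified "name: requirements" lines for the other scripts
# (assumption: a real /etc/rc.d tree has many more scripts and edges).
OTHERS = """\
root:
mountcritlocal: root
beforenetlkm: mountcritlocal
netif: beforenetlkm
NETWORK: netif
mountcritremote: NETWORK root
DAEMON: mountcritremote
"""

def ipsec_header(before, extra_require=""):
    # PROVIDE/REQUIRE/BEFORE lines as they appear in the diff on this page.
    return ("# PROVIDE: ipsec\n"
            f"# REQUIRE: root beforenetlkm mountcritlocal {extra_require}\n"
            f"# BEFORE:  {before}\n")

def build_graph(header):
    """Map each name to the set of names that must run before it."""
    deps = {n: set(r.split()) for n, _, r in
            (line.partition(":") for line in OTHERS.splitlines())}
    fields = dict(re.findall(r"^# (PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$",
                             header, re.M))
    name = fields["PROVIDE"].strip()
    deps[name] = set(fields.get("REQUIRE", "").split())
    for later in fields.get("BEFORE", "").split():
        deps.setdefault(later, set()).add(name)  # BEFORE is a reversed REQUIRE
    return deps

def guaranteed_before(deps, first, later):
    """True only if `later` transitively depends on `first`."""
    seen, stack = set(), [later]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(deps.get(node, ()))
    return first in seen and first != later

def has_cycle(deps):
    """True if no valid boot order exists for this dependency graph."""
    try:
        TopologicalSorter(deps).prepare()
    except CycleError:
        return True
    return False
```

In this model `BEFORE: DAEMON` leaves the order of ipsec and mountcritremote unconstrained, `BEFORE: NETWORK` fixes it, and `has_cycle(build_graph(ipsec_header("NETWORK", "mountcritremote")))` reports a cycle, which is the case of setkey(8) living on an NFS-mounted /usr.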
