From ume@mahoroba.org  Sun Nov 16 07:28:55 2003
Return-Path: <ume@mahoroba.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A399616A4CE; Sun, 16 Nov 2003 07:28:55 -0800 (PST)
Received: from cheer.mahoroba.org (flets19-018.kamome.or.jp [218.45.19.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 8A14743FD7; Sun, 16 Nov 2003 07:28:49 -0800 (PST)
	(envelope-from ume@mahoroba.org)
Received: from lyrics.mahoroba.org (IDENT:OM4VvpveXPc6iUXBvAXfJK083W51Ke8EVV9EdlrlBzTLlM+ANRlrbCr7xgqweP+D@lyrics.mahoroba.org [IPv6:3ffe:501:185b:8010:280:88ff:fe03:4841])
	(user=ume mech=CRAM-MD5 bits=0)
	by cheer.mahoroba.org (8.12.9p2/8.12.9) with ESMTP/inet6 id hAGFQLEU072279
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Mon, 17 Nov 2003 00:26:24 +0900 (JST)
	(envelope-from ume@mahoroba.org)
Message-Id: <yger80872si.wl%ume@mahoroba.org>
Date: Mon, 17 Nov 2003 00:26:21 +0900
From: Hajimu UMEMOTO <ume@mahoroba.org>
To: Kostyuk Oleg <cub@cub.org.ua>
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-current@freebsd.org
In-Reply-To: <3FB74D04.1000602@cub.org.ua>
Subject: Re: /etc/rc.d/ipsec starts not in time
References: <E1AGIbn-0001Ux-7o@cub.org.ua>
	<ygefzgpq508.wl%ume@mahoroba.org>
	<3FB6B4FE.4C1AF03C@mindspring.com>
	<ygeekw8pvop.wl%ume@mahoroba.org>
	<3FB74D04.1000602@cub.org.ua>

>Number:         59338
>Category:       conf
>Synopsis:       /etc/rc.d/ipsec starts not in time
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 16 07:30:20 PST 2003
>Closed-Date:    Sun Nov 16 08:03:16 PST 2003
>Last-Modified:  Sun Nov 16 08:03:16 PST 2003
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Hi,
 
 >>>>> On Sun, 16 Nov 2003 12:10:12 +0200
 >>>>> Kostyuk Oleg <cub@cub.org.ua> said:
 
 >>It is not sufficient.  There is setkey(8) in /usr/sbin.  It means that
 >>we cannot protect NFS exported /usr by IPsec.  If there is no
 >>objection, I wish to move setkey(8) into /sbin like NetBSD did.
 > 
 > tlambert2> This type of order inversion is common.
 > tlambert2> Can we simply delay exportation until later in the boot process?
 > tlambert2> Wouldn't this have the same effect?
 > 
 > Oops, I should explain the situation clearly.  The client which mounts
 > /usr by NFS cannot use IPsec due to lack of setkey(8).
 
 cub> I think, you not exactly understand my problem.
 
 I don't think so.
 
 cub> I not export anything, not protect NFS exported /usr and
 cub> have ordinary workstation with 40G HD and /usr on it.
 cub> Using IPSec - hostorical behavior :), and i live without
 cub> problems on 4.x .
 
 cub> But I use NFS exports from others.
 cub> And, in case if IPSec used between my mashine and NFS server,
 cub> I can't boot smoothly - booting hold up on mounting NFS
 cub> until I press Ctrl+C .
 
 cub> Patch, which I send, resolve my problem.
 cub> But I not sure - applicable this patch for diskless ?....
 
 setkey(8) is in /usr/sbin.  Currently, ipsec is done after
 mountcritremote.  So, the user who use NFS mounted /usr can use
 setkey(8).
 It seems your patch changes to invoke ipsec before networking.  It
 means that the user who use NFS mounted /usr cannot use setkey(8),
 anymore.
 So, I believe that moving setkey(8) into /sbin is required to
 establish your needs.
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: eik 
State-Changed-When: Sun Nov 16 17:01:02 CET 2003 
State-Changed-Why:  
misfiled follow-up to PR 58832 


Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: eik 
Responsible-Changed-When: Sun Nov 16 17:01:02 CET 2003 
Responsible-Changed-Why:  
misfiled follow-up to PR 58832 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59338 
>Unformatted:
