Date: Mon, 17 Nov 2003 00:26:21 +0900
From: Hajimu UMEMOTO <ume@mahoroba.org>
To: Kostyuk Oleg <cub@cub.org.ua>
Cc: freebsd-current@freebsd.org
Subject: Re: /etc/rc.d/ipsec starts not in time
Message-ID: <yger80872si.wl%ume@mahoroba.org>
In-Reply-To: <3FB74D04.1000602@cub.org.ua>
References: <E1AGIbn-0001Ux-7o@cub.org.ua> <ygefzgpq508.wl%ume@mahoroba.org> <3FB6B4FE.4C1AF03C@mindspring.com> <ygeekw8pvop.wl%ume@mahoroba.org> <3FB74D04.1000602@cub.org.ua>

Hi,

>>>>> On Sun, 16 Nov 2003 12:10:12 +0200
>>>>> Kostyuk Oleg <cub@cub.org.ua> said:

>>It is not sufficient. There is setkey(8) in /usr/sbin. It means that
>>we cannot protect NFS exported /usr by IPsec. If there is no
>>objection, I wish to move setkey(8) into /sbin like NetBSD did.
>
> tlambert2> This type of order inversion is common.
> tlambert2> Can we simply delay exportation until later in the boot process?
> tlambert2> Wouldn't this have the same effect?
>
> Oops, I should explain the situation clearly. The client which mounts
> /usr by NFS cannot use IPsec due to lack of setkey(8).

cub> I think you do not exactly understand my problem.

I don't think so.

cub> I do not export anything, do not protect NFS exported /usr, and
cub> have an ordinary workstation with 40G HD and /usr on it.
cub> Using IPSec - historical behavior :), and I live without
cub> problems on 4.x.
cub> But I use NFS exports from others.
cub> And, in case IPSec is used between my machine and the NFS server,
cub> I can't boot smoothly - booting holds up on mounting NFS
cub> until I press Ctrl+C.
cub> The patch which I sent resolves my problem.
cub> But I am not sure - is this patch applicable for diskless ?....

setkey(8) is in /usr/sbin. Currently, ipsec is done after
mountcritremote. So, the user who uses NFS mounted /usr can use
setkey(8). It seems your patch changes to invoke ipsec before
networking. It means that the user who uses NFS mounted /usr cannot use
setkey(8) anymore. So, I believe that moving setkey(8) into /sbin is
required to establish your needs.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
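
The ordering conflict discussed in this message, modelled as a dependency graph (an added example, not part of the original message and not FreeBSD's rc.d code). The step names come from the message; the rule that mountcritremote needs networking, and the function and parameter names, are assumptions made for illustration.

```python
from graphlib import CycleError, TopologicalSorter


def boot_order(setkey_path, usr_on_nfs, nfs_over_ipsec, ipsec_before_networking):
    """Return one valid start order, or None when the constraints conflict."""
    # Each key maps to the set of steps that must finish before it can run.
    needs = {
        "networking": set(),
        "mountcritremote": {"networking"},  # assumption: NFS mounts need the network
        "ipsec": set(),
    }
    if ipsec_before_networking:
        needs["networking"].add("ipsec")       # order after the proposed patch
    else:
        needs["ipsec"].add("mountcritremote")  # current order, per the message
    if nfs_over_ipsec:
        # IPsec policies have to be loaded before the NFS server can be reached.
        needs["mountcritremote"].add("ipsec")
    if usr_on_nfs and setkey_path.startswith("/usr/"):
        # setkey(8) is only reachable once the NFS-mounted /usr is available.
        needs["ipsec"].add("mountcritremote")
    try:
        return list(TopologicalSorter(needs).static_order())
    except CycleError:
        return None  # no order satisfies every constraint


if __name__ == "__main__":
    # Constructed scenarios: (label, setkey path, /usr on NFS, NFS over IPsec, patched)
    cases = [
        ("current order, NFS /usr, no IPsec to server", "/usr/sbin/setkey", True, False, False),
        ("current order, local /usr, NFS over IPsec", "/usr/sbin/setkey", False, True, False),
        ("patched order, local /usr, NFS over IPsec", "/usr/sbin/setkey", False, True, True),
        ("patched order, NFS /usr, setkey in /usr/sbin", "/usr/sbin/setkey", True, True, True),
        ("patched order, NFS /usr, setkey in /sbin", "/sbin/setkey", True, True, True),
    ]
    for label, *args in cases:
        order = boot_order(*args)
        print(f"{label}: {' -> '.join(order) if order else 'no valid order'}")
```
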