From: Hajimu UMEMOTO
To: Kostyuk Oleg
cc: FreeBSD-gnats-submit@freebsd.org
cc: freebsd-current@freebsd.org
Date: Mon, 17 Nov 2003 00:26:21 +0900
Subject: Re: /etc/rc.d/ipsec starts not in time

Hi,

>>>>> On Sun, 16 Nov 2003 12:10:12 +0200
>>>>> Kostyuk Oleg said:

>>It is not sufficient. There is setkey(8) in /usr/sbin. It means that
>>we cannot protect NFS exported /usr by IPsec. If there is no
>>objection, I wish to move setkey(8) into /sbin like NetBSD did.
>
> tlambert2> This type of order inversion is common.
> tlambert2> Can we simply delay exportation until later in the boot process?
> tlambert2> Wouldn't this have the same effect?
>
> Oops, I should explain the situation clearly. The client which mounts
> /usr by NFS cannot use IPsec due to lack of setkey(8).

cub> I think you do not exactly understand my problem.

I don't think so.

cub> I do not export anything, do not protect NFS exported /usr, and
cub> have an ordinary workstation with 40G HD and /usr on it.
cub> Using IPSec - historical behavior :), and I live without
cub> problems on 4.x.
cub> But I use NFS exports from others.
cub> And, in case IPSec is used between my machine and NFS server,
cub> I can't boot smoothly - booting holds up on mounting NFS
cub> until I press Ctrl+C.
cub> The patch which I sent resolves my problem.
cub> But I am not sure - is this patch applicable for diskless?....

setkey(8) is in /usr/sbin. Currently, ipsec is done after
mountcritremote. So, the user who uses NFS mounted /usr can use
setkey(8). It seems your patch changes to invoke ipsec before
networking. It means that the user who uses NFS mounted /usr cannot use
setkey(8) anymore. So, I believe that moving setkey(8) into /sbin is
required to establish your needs.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/