Small patch to start ipsecctl on boot

Jason Crawford
Here's a patch that should start ipsecctl in the appropriate place in
/etc/rc during boot. I know this would be very handy for me if it were
in /etc/rc

Jason

Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.277
diff -u -r1.277 rc
--- rc 12 Jan 2006 21:54:15 -0000 1.277
+++ rc 13 Jan 2006 22:31:47 -0000
@@ -326,6 +326,12 @@
  echo 'starting isakmpd'; isakmpd ${isakmpd_flags}
  fi

+if [ X"${ipsec}" != X"NO" ]; then
+ if [ -f ${ipsec_rules} ]; then
+ ipsecctl -f ${ipsec_rules}
+ fi
+fi
+
 echo -n 'starting initial daemons:'

  # $portmap is imported from /etc/rc.conf;
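Review bot: ${ipsec_rules} is unquoted in both "[ -f ${ipsec_rules} ]" and "ipsecctl -f ${ipsec_rules}", so if the variable is empty or unset the test collapses to "[ -f ]", which is true, and ipsecctl -f then runs with no file argument. Quote the variable in both places. Separately, ipsecctl is called directly after the isakmpd line in the context above with nothing confirming that isakmpd is ready, and unlike that line there is no echo, so the console gives no indication that IPsec rules were loaded.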
Index: rc.conf
===================================================================
RCS file: /cvs/src/etc/rc.conf,v
retrieving revision 1.109
diff -u -r1.109 rc.conf
--- rc.conf 16 Nov 2005 09:19:36 -0000 1.109
+++ rc.conf 13 Jan 2006 22:31:47 -0000
@@ -61,6 +61,7 @@
  lockd=NO
  amd=NO
 pf=NO # Packet filter / NAT
+ipsec=NO # IPsec
  portmap=NO # Note: inetd(8) rpc services need portmap too
  inetd=YES # almost always needed
  check_quotas=YES # NO may be desirable in some YP environments
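Review bot: the comment on ipsec=NO says only "# IPsec", which does not tell the administrator what the knob controls. isakmpd is started by its own block in rc, and this variable only gates loading ${ipsec_rules} with ipsecctl, so something like "# IPsec rules (ipsecctl)" would be clearer. Also worth documenting: the rc test is != NO, so any other value, including an empty one, enables loading.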
@@ -85,6 +86,7 @@
  syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
  pf_rules=/etc/pf.conf # Packet filter rules file
  pflogd_flags= # add more flags, ie. "-s 256"
+ipsec_rules=/etc/ipsec.conf # IPsec rules file
  afsd_flags= # Flags passed to afsd
  shlib_dirs= # extra directories for ldconfig, separated
  # by space
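Review bot: with ipsec enabled and the file named by ipsec_rules missing, the [ -f ... ] check in the rc hunk skips ipsecctl silently, so a host can boot without its IPsec rules and print nothing. Either state in this comment that the file must exist, or have rc print a message when the file is not found.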


Re: Small patch to start ipsecctl on boot

Hans-Joerg Hoexer
There's a little race between isakmpd coming up and calling ipsecctl.
I'm working on this, hang on a bit.

On Fri, Jan 13, 2006 at 05:42:42PM -0500, Jason Crawford wrote:

> Here's a patch that should start ipsecctl in the appropriate place in
> /etc/rc during boot. I know this would be very handy for me if it were
> in /etc/rc
>
> Jason
>
> Index: rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.277
> diff -u -r1.277 rc
> --- rc 12 Jan 2006 21:54:15 -0000 1.277
> +++ rc 13 Jan 2006 22:31:47 -0000
> @@ -326,6 +326,12 @@
>   echo 'starting isakmpd'; isakmpd ${isakmpd_flags}
>   fi
>
> +if [ X"${ipsec}" != X"NO" ]; then
> + if [ -f ${ipsec_rules} ]; then
> + ipsecctl -f ${ipsec_rules}
> + fi
> +fi
> +
>  echo -n 'starting initial daemons:'
>
>   # $portmap is imported from /etc/rc.conf;
> Index: rc.conf
> ===================================================================
> RCS file: /cvs/src/etc/rc.conf,v
> retrieving revision 1.109
> diff -u -r1.109 rc.conf
> --- rc.conf 16 Nov 2005 09:19:36 -0000 1.109
> +++ rc.conf 13 Jan 2006 22:31:47 -0000
> @@ -61,6 +61,7 @@
>   lockd=NO
>   amd=NO
>  pf=NO # Packet filter / NAT
> +ipsec=NO # IPsec
>   portmap=NO # Note: inetd(8) rpc services need portmap too
>   inetd=YES # almost always needed
>   check_quotas=YES # NO may be desirable in some YP environments
> @@ -85,6 +86,7 @@
>   syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
>   pf_rules=/etc/pf.conf # Packet filter rules file
>   pflogd_flags= # add more flags, ie. "-s 256"
> +ipsec_rules=/etc/ipsec.conf # IPsec rules file
>   afsd_flags= # Flags passed to afsd
>   shlib_dirs= # extra directories for ldconfig, separated
>   # by space


Re: Small patch to start ipsecctl on boot

Jason Crawford
So ipsecctl will be added into /etc/rc before 3.9 then? I hadn't seen
anything about it so I figured I'd send something in. Any chance of
this being back-ported to 3.8 as well, since that has ipsecctl too?

Jason

On 1/13/06, Hans-Joerg Hoexer <[hidden email]> wrote:
> There's a little race between isakmpd coming up and calling ipsecctl.
> I'm working on this, hang on a bit.
>
> On Fri, Jan 13, 2006 at 05:42:42PM -0500, Jason Crawford wrote:
> > <snip my patch>


Re: Small patch to start ipsecctl on boot

Brad Smith-14
On Fri, Jan 13, 2006 at 06:33:52PM -0500, Jason Crawford wrote:
> So ipsecctl will be added into /etc/rc before 3.9 then? I hadn't seen
> anything about it so I figured I'd send something in. Any chance of
> this being back-ported to 3.8 as well, since that has ipsecctl too?
 
No.

> Jason
>
> On 1/13/06, Hans-Joerg Hoexer <[hidden email]> wrote:
> > There's a little race between isakmpd coming up and calling ipsecctl.
> > I'm working on this, hang on a bit.
> >
> > On Fri, Jan 13, 2006 at 05:42:42PM -0500, Jason Crawford wrote:
> > > <snip my patch>


Re: Small patch to start ipsecctl on boot

Theo de Raadt
In reply to this post by Jason Crawford
> Any chance of
> this being back-ported to 3.8 as well, since that has ipsecctl too?

No.  That is not how we do things.