Bug 59338

 Hi,
 
 >>>>> On Sun, 16 Nov 2003 12:10:12 +0200
 >>>>> Kostyuk Oleg <cub@cub.org.ua> said:
 
 >>It is not sufficient.  There is setkey(8) in /usr/sbin.  It means that
 >>we cannot protect NFS exported /usr by IPsec.  If there is no
 >>objection, I wish to move setkey(8) into /sbin like NetBSD did.
 > 
 > tlambert2> This type of order inversion is common.
 > tlambert2> Can we simply delay exportation until later in the boot process?
 > tlambert2> Wouldn't this have the same effect?
 > 
 > Oops, I should explain the situation clearly.  The client which mounts
 > /usr by NFS cannot use IPsec due to lack of setkey(8).
 
 cub> I think, you not exactly understand my problem.
 
 I don't think so.
 
 cub> I not export anything, not protect NFS exported /usr and
 cub> have ordinary workstation with 40G HD and /usr on it.
 cub> Using IPSec - hostorical behavior :), and i live without
 cub> problems on 4.x .
 
 cub> But I use NFS exports from others.
 cub> And, in case if IPSec used between my mashine and NFS server,
 cub> I can't boot smoothly - booting hold up on mounting NFS
 cub> until I press Ctrl+C .
 
 cub> Patch, which I send, resolve my problem.
 cub> But I not sure - applicable this patch for diskless ?....
 
 setkey(8) is in /usr/sbin.  Currently, ipsec is done after
 mountcritremote.  So, the user who use NFS mounted /usr can use
 setkey(8).
 It seems your patch changes to invoke ipsec before networking.  It
 means that the user who use NFS mounted /usr cannot use setkey(8),
 anymore.
 So, I believe that moving setkey(8) into /sbin is required to
 establish your needs.
 
 Sincerely,
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/