Bug 225403 - net/openbgpd breaks on 10.3 due to no tcpmd5 module
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: Hiroki Sato
Reported: 2018-01-23 13:15 UTC by Oliver H
Modified: 2018-05-13 11:38 UTC

bugzilla: maintainer-feedback? (hrs)


Description Oliver H 2018-01-23 13:15:45 UTC
On 10.3-RELEASE-p26 (still a "production" version), bgpd fails to start when updated to 5.2.20121209_3. No error is logged to the terminal, but /var/log/messages shows:

bgpd[57713]: fatal in SE: pfkey setup failed: Address family not supported by protocol family
bgpd[57712]: fatal in RDE: rde_dispatch_imsg_session: pipe closed
bgpd[57711]: dispatch_imsg in main: pipe closed
bgpd[57711]: dispatch_imsg in main: pipe closed
bgpd[57711]: Lost child: session engine exited

This happens even with a bare bgpd.conf file that just has an "AS xxxxx" line in it.

We believe the issue is that 10.3 is not built with the TCP_SIGNATURE build option by default and has no 11.1 equivalent of IPSEC_SUPPORT option nor tcpmd5.ko kernel module available.

If that's the case, could the port be patched to check for a required module's availability? It could issue a warning that a custom kernel should be built or, preferably, still just work but without the new functionality.

It may be worth urgently putting something into a package installation message while the problem is resolved, since it caught us totally off-guard and there is no quick workaround to fix once it's installed.

Thank you for maintaining the port.
Comment 1 Dirk Meyer freebsd_committer 2018-04-02 05:59:58 UTC
FreeBSD 10.3-RELEASE has TCPMD5 support.

You could build a custom kernel with these options:

/usr/src/sys/amd64/conf/TCPMD5:

include GENERIC

device          crypto          # core crypto support
options         IPSEC                   #IP security (requires device crypto)
options         TCP_SIGNATURE           #include support for RFC 2385
Comment 2 Gert Doering 2018-04-30 11:55:48 UTC
I ran into this as well today - upgrading a happy 10.3 system to 10.4-RELEASE-p8 and openbgpd fails to start with this error.

"You can build a new kernel" is not exactly the right answer here - yes, surely I could, but I would expect a port to actually run on a default kernel unless some feature is asked-for that is not available - read: as long as I am not using TCP-MD5 for my links (which I'm not doing because this is just internal with only trusted infrastructure in between), why should I need to build my own kernel?
Comment 3 Gert Doering 2018-04-30 11:58:47 UTC
Downgrading to openbgpd-5.2.20121209_2 brought it back to operational.  It now logs (as expected)

bgpd[1172]: no kernel support for PF_KEY

but then keeps working fine.
Comment 4 Oliver H 2018-05-10 11:30:48 UTC
Closing since 10.3 is no longer production.
Comment 5 Gert Doering 2018-05-10 11:54:04 UTC
It breaks 10.4 as well.

So closing it "because 10.3 has expired while this bug was ignored" is a nice try, but missing the point.  The binpkgs provided still do not work on 10.4.
Comment 6 Dirk Meyer freebsd_committer 2018-05-13 11:38:02 UTC
Still needs fixing or tagging for FreeBSD 10.4.
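
The behaviour asked for in the description and in comments 2 and 3, sketched as an added example (it is not part of this bug report and is not OpenBGPD's or the port's code): probe for PF_KEY at startup, keep running when the kernel lacks it and no neighbor needs TCP-MD5, and refuse to start when a session was configured to be authenticated. The names `pfkey_policy`, `pfkey_probe` and `need_md5` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef PF_KEY_V2
#define PF_KEY_V2 2	/* RFC 2367 value; normally from <net/pfkeyv2.h> */
#endif

enum pfkey_state { PFKEY_READY, PFKEY_DISABLED, PFKEY_FATAL };

/* Hypothetical policy helper. err is the errno from socket() (0 on
 * success); need_md5 is nonzero when the configuration requests
 * TCP-MD5 (RFC 2385) for at least one neighbor. */
enum pfkey_state pfkey_policy(int err, int need_md5)
{
	if (err == 0)
		return PFKEY_READY;
	/* Kernel without PF_KEY: the exact errno differs between systems;
	 * the log in this report carries EAFNOSUPPORT's message.
	 * Fail closed if a session was meant to be authenticated. */
	if (err == EAFNOSUPPORT || err == EPFNOSUPPORT || err == EPROTONOSUPPORT)
		return need_md5 ? PFKEY_FATAL : PFKEY_DISABLED;
	return PFKEY_FATAL;	/* EPERM, ENOMEM, ...: not a missing feature */
}

/* Probe the running kernel; returns 0 or the errno from socket(). */
int pfkey_probe(void)
{
	int fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);

	if (fd == -1)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	int err = pfkey_probe();

	/* need_md5 = 0 models the bare "AS xxxxx" config from the report */
	switch (pfkey_policy(err, 0)) {
	case PFKEY_READY:    puts("PF_KEY available"); break;
	case PFKEY_DISABLED: puts("no kernel support for PF_KEY, continuing"); break;
	case PFKEY_FATAL:    printf("pfkey setup failed: errno %d\n", err); return 1;
	}
	return 0;
}
```

Keeping the failure fatal when `need_md5` is set prevents a daemon from silently bringing up sessions without the authentication the operator configured.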