Re: Recent IPSEC changes

[Robert Swindells <rjs%fdy2.co.uk@localhost>]

Ryota Ozaki <ozaki-r%netbsd.org@localhost> wrote:
>On Fri, Oct 13, 2017 at 4:41 PM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>
> Ryota Ozaki <ozaki-r%netbsd.org@localhost> wrote:
>>On Fri, Oct 13, 2017 at 5:49 AM, Robert Swindells <rjs%fdy2.co.uk@localhost> wrote:
>>>
>>> I think something in the recent IPSEC changes is setting the ipsec_used
>>> flag to be always true.
>>
>>Not really on my machine. I guess it depends on environments.
>
> My environment is INET, INET6 & IPSEC in the kernel config, no modules.
>
> I have taken out any other protocols.

My config is similar to GENERIC in in terms of network protocols.

>
>>>There is a change that affects the ipsec_used flag:
>>>  http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netipsec/key.c#rev1.199
>>
>> Ok.
>>
>>>It turns on the flag when a socket is enabled the IP_IPSEC_POLICY option.
>>>There was a bug that having such a socket didn't turn on the flag; the
>>>above commit fixed the bug.
>>
>> The flag is on at boot for me.
>
>Heh. ipsec_used is initially 0. And only key_update_used() changes the
>value. Could you add KASSERT(0) to at the beginning of key_update_used,
>rebuild a kernel and try to boot it? Then, we can know who changes it
>(or it's initialized with 1 unexpectedly).

I added a printf in key_socksplist_add(), it gets called multiple times
at startup.

Replacing it with KASSERT(0) suggests that the first one is from inetd.

>>
>>>Do you have any processes having a socket with IP_IPSEC_POLICY on your
>>>machine in mind?
>>
>> No.
>
>Hmm.

I wrote "no", but inetd(8) does seem to be creating some.

I have not put a policy specifier into /etc/inetd.conf, just uncommented
some services.