Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-03-01 Thread Stefan Bauer
Jan,

did you already have a chance to test 1:0.7.3-3 to see if it behaves
correctly?

Stefan

-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-03-01 Thread Jan Sievers
Hi Stefan,

the version

1:0.7.3-3

works fine for me.

Thanks for fixing it.
Jan

-- 
Jan Sievers  |
Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-26 Thread Jan Sievers
On 02/25/10 20:45, Stefan Bauer wrote:
> On 25.02.2010 18:02, Jan Sievers wrote:
>> In your sample session you removed together with ipsec-tools also
>> racoon, which calls setkey to flush SP database, if and only if, you
>> have configured it to use racoon-tool.
>
> Again, i was just trying to reproduce this. If i do a
> dpkg-reconfigure racoon and select direct which is already the
> default and purge afterwards the ipsec-tools and racoon, the SA/SD
> database flushed.

Ok. First of all you do not have to install racoon, but could just use
ipsec-tools without ISAKMP. Just to mention it.

> How did you come to the conclusion, that it does not flush? Mind,
> providing your apt-get/aptitude remove output?

As you see I use dpkg directly, since I just have lenny machines around
here. And I have to say, that I even build the package on the lenny
machine without having the newest debhelper library.

But using racoon in direct mode, I get the following on removal:

r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50663 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
r...@host: cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;

r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.
r...@host: setkey -DP
192.0.2.1[any] 192.0.2.2[any] any
out ipsec
esp/transport//require
created: Feb 26 10:29:29 2010  lastused:
lifetime: 0(s) validtime: 0(s)
spid=513 seq=0 pid=4682
refcnt=1
r...@host: grep CONFIG_MODE /etc/default/racoon
CONFIG_MODE=direct
r...@host: dpkg -r racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Removing ipsec-tools ...
Processing triggers for man-db ...
r...@host: ping 192.0.2.2
connect: No such process


As you see the SP database is still not empty. The ping fails.
And with purge I get:


r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50654 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.
r...@host: dpkg --purge racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Purging configuration files for racoon ...
dpkg - warning: while removing racoon, directory `/var/lib/racoon' not
empty so not removed.
Removing ipsec-tools ...
Purging configuration files for ipsec-tools ...
Processing triggers for man-db ...

> Right now, i just don't get it, why it doesn't work in your case.
And I don't get it how it could possibly work :-)

Who is calling the setkey init-script on removal or purge?
Am I missing something?

Thanks,
Jan

-- 
Jan Sievers  |
Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-26 Thread Stefan Bauer
On 26.02.2010 11:03, Jan Sievers wrote:
>> Right now, i just don't get it, why it doesn't work in your case.
> And I don't get it how it could possibly work :-)
>
> Who is calling the setkey init-script on removal or purge?
> Am I missing something?

Damn, i just mentioned, i already integrated that flushing in the
racoon.prerm script but did not include the changes in the last
version.

This will be fixed in 1:0.7.3-2 which is already waiting for an
upload into unstable.

Snippet from /var/lib/dpkg/info/racoon.prerm

case $1 in
    remove|upgrade|deconfigure)
        # stopping the setkey service to flush the kernel IPsec SA/SP database
        /etc/init.d/setkey stop || echo "Kernel IPsec SA/SP database flushed" || echo 0
        ;;
esac

sorry for the trouble.

Stefan


-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-26 Thread Jan Sievers
On 02/26/10 12:08, Stefan Bauer wrote:
> Damn, i just mentioned, i already integrated that flushing in the
> racoon.prerm script but did not include the changes in the last
> version.
>
> This will be fixed in 1:0.7.3-2 which is already waiting for an
> upload into unstable.

That's nice thanks.

At the risk of being stubborn, would you mind adding an invocation
like that to a prerm script of ipsec-tools? That would be fine.

> Snippet from /var/lib/dpkg/info/racoon.prerm
>
> case $1 in
>     remove|upgrade|deconfigure)
>         # stopping the setkey service to flush the kernel IPsec SA/SP database
>         /etc/init.d/setkey stop || echo "Kernel IPsec SA/SP database flushed" || echo 0


If you did not change that in setkey.init script, it already says
something like Flushing IPsec SA/SP database: done. So you probably
don't need the 'echo' statement.

Besides, I don't think we should call


/etc/init.d/setkey stop


on *upgrade*. Or do you plan to call


/etc/init.d/setkey start


in *preinst upgrade* phase? Even then IPsec connections would fail
during a short period. Or am I wrong?

I am also not sure about the deconfigure case.
As of writing this I start thinking if it is not even better to *only*
call


/etc/init.d/setkey stop


in an *ipsec-tools.setkey.prerm* script, since the IPsec SP database is
closely associated with the setkey service and just indirectly with
racoon, which is just one ISAKMP daemon of many.

And probably somebody could install racoon and ipsec-tools and decide
later to only use ipsec-tools and deinstall racoon, which would flush
the SP database, although the person wants to continue to use
ipsec-tools.

> sorry for the trouble.

No trouble at all. Thanks for responding on bug reports!
Jan

-- 
Jan Sievers  |
Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-26 Thread Stefan Bauer
On 26.02.2010 14:24, Jan Sievers wrote:
> As of writing this I start thinking if it is not even better to *only*
> call
>
>
>   /etc/init.d/setkey stop
>
>
> in an *ipsec-tools.setkey.prerm* script, since the IPsec SP database is
> closely associated with the setkey service and just indirectly with
> racoon, which is just one ISAKMP daemon of many.
>
> And probably somebody could install racoon and ipsec-tools and decide
> later to only use ipsec-tools and deinstall racoon, which would flush
> the SP database, although the person wants to continue to use
> ipsec-tools.

Good point. I moved the associated maintainer script from racoon to
ipsec-tools as it's indeed a possible case that someone *only*
removes racoon. This will be in 1:0.7.3-3 soon.

In case of upgrade of either ipsec-tools or racoon i'll keep the
SA/SD associations in kernel.

thanks

stefan

-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --
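
Added example (not part of the thread and not the Debian package's script): a sketch of the prerm behaviour the thread converges on, flushing through the setkey init script on remove, leaving the kernel databases alone on upgrade, and then checking `setkey -D` / `setkey -DP` for leftovers. The function names and the overridable `SETKEY_INIT` / `SETKEY` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: sketch of an ipsec-tools prerm, not the Debian package's script.
# SETKEY_INIT and SETKEY can be overridden (assumption, for testing without root).
SETKEY_INIT="${SETKEY_INIT:-/etc/init.d/setkey}"
SETKEY="${SETKEY:-/usr/sbin/setkey}"

# Succeeds only if setkey reports both kernel databases as empty.
ipsec_db_empty() {
    sad=$("$SETKEY" -D 2>/dev/null) || return 2
    spd=$("$SETKEY" -DP 2>/dev/null) || return 2
    [ "$sad" = "No SAD entries." ] && [ "$spd" = "No SPD entries." ]
}

# prerm_flush ACTION: ACTION is the first argument dpkg passes to prerm.
prerm_flush() {
    case "$1" in
        remove)
            # The binaries disappear after this step, so flush now and verify.
            "$SETKEY_INIT" stop || return 1
            if ! ipsec_db_empty; then
                echo "prerm: IPsec SAD/SPD entries still present after flush" >&2
                return 1
            fi
            ;;
        upgrade|failed-upgrade|deconfigure)
            # Keep SAs and policies so tunnels survive the upgrade
            # (leaving deconfigure untouched is this example's choice).
            ;;
        *)
            echo "prerm called with unknown argument '$1'" >&2
            return 1
            ;;
    esac
    return 0
}

# Act as a maintainer script when dpkg supplies an action.
[ "$#" -eq 0 ] || prerm_flush "$1"
```

Whether a failed flush should abort the removal or only warn is a packaging decision; the function returns non-zero so the caller can choose.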






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-25 Thread Stefan Bauer
On 25.02.2010 18:02, Jan Sievers wrote:
> In your sample session you removed together with ipsec-tools also
> racoon, which calls setkey to flush SP database, if and only if, you
> have configured it to use racoon-tool.

Again, i was just trying to reproduce this. If i do a
dpkg-reconfigure racoon and select direct which is already the
default and purge afterwards the ipsec-tools and racoon, the SA/SD
database flushed. How did you come to the conclusion, that it does
not flush? Mind, providing your apt-get/aptitude remove output?
Right now, i just don't get it, why it doesn't work in your case.

thanks

Stefan

-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --







Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-23 Thread Stefan Bauer
found 569949 1:0.7.3-1
fixed 569949 1:0.7.3-2
thanks

hi and thank you for your report. This will get fixed in the next
release entering unstable soon.

Cheers
-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-23 Thread Stefan Bauer
fixed 569949 1:0.7.3-1

hi,

i just reviewed old changelogs and even in the lenny version, the
setkey init-script invokes ... on stop but setkey is not stopped on
remove.

+  stop)
+   echo -n Flushing IPsec SA/SP database: 
+   $SETKEY -F
+   $SETKEY -FP
+   echo done.
+   ;;
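
Review bot: the stop) branch prints "done." unconditionally after $SETKEY -F and $SETKEY -FP, so a failed flush is still reported as successful and a maintainer script calling "setkey stop" cannot tell whether SAD/SPD entries remain in the kernel. Suggest checking the exit status of both setkey calls and printing a failure message with a non-zero return when either fails. The argument to echo -n should also be quoted so the trailing space before "done." is kept.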

lurchi:/home/sb# apt-get remove ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  ipsec-tools racoon
0 upgraded, 0 newly installed, 2 to remove and 20 not upgraded.
After this operation, 1,307kB disk space will be freed.
Do you want to continue [Y/n]? Y
(Reading database ... 39468 files and directories currently installed.)
Removing racoon ...
Flushing IPsec SA/SP database: done.
Stopping IKE (ISAKMP/Oakley) server: racoon.
Flushing IPsec SA/SP database: done.
Removing ipsec-tools ...
Processing triggers for man-db ...
lurchi:/home/sb#

This is already fixed in newer versions.

Stefan

-- 
Stefan Bauer -
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
 plzk.de - Linux - because it works --






Bug#569949: ipsec-tools: does not flush SAD and SPD on removal or purge

2010-02-15 Thread Jan Sievers
Package: ipsec-tools
Version: 1:0.7.1-1.3+lenny2
Severity: normal

Hi,

On removal and purging of ipsec-tools package the IPsec SA/SP database does
not get flushed. This leaves the system possibly in a state with active IPsec
SPD entries, without the tools to manage the SP database.

Currently the only solution in this case is either to reboot or to
reinstall the package, run setkey or init-script and remove package
again.

While I think it's a good idea to *not* run setkey init-script after
installation, I do not see a good reason, why setkey init-script does not
get invoked on removal.

I think an invocation of

/etc/init.d/setkey stop

in a prerm script would be a good idea.

Jan

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ipsec-tools depends on:
ii  libc6        2.7-18lenny2               GNU C Library: Shared libraries
ii  libcomerr2   1.41.3-1                   common error description library
ii  libkrb53     1.6.dfsg.4~beta1-5lenny2   MIT Kerberos runtime libraries
ii  libpam0g     1.0.1-5+lenny1             Pluggable Authentication Modules l
ii  libssl0.9.8  0.9.8g-15+lenny6           SSL shared libraries

ipsec-tools recommends no packages.

ipsec-tools suggests no packages.

-- no debconf information



Archive: http://lists.debian.org/20100215122411.30715.10761.report...@island.zedat.fu-berlin.de