On 2015/10/20 23:00, Sebastian Benoit wrote:
> Christian Weisgerber(na...@mips.inka.de) on 2015.10.20 20:46:12 +0000:
> > On 2015-10-20, Reyk Floeter <r...@openbsd.org> wrote:
> >
> > > For historical reasons, isakmpd and iked are compiled static:
> > > people used NFS over ipsec.

isakmpd is an odd one. Reading cvs log, it started as a static binary
but used dlopen to load the libs. Anyone know the history of that?

> > > Is anyone still using this? Is it more than one person?
> > >
> > > Otherwise I'd suggest to make iked dynamic.
> >
> > Already, iked is started after /usr has been mounted, so why the
> > static requirement?
> >
> > > --- etc/rc 18 Oct 2015 21:33:18 -0000 1.467 > > > +++ etc/rc 20 Oct 2015 18:03:58 -0000 > > > @@ -353,7 +353,7 @@ make_keys > > > > > > echo -n 'starting early daemons:' > > > start_daemon syslogd ldattach pflogd nsd unbound ntpd > > > -start_daemon iscsid isakmpd iked sasyncd ldapd npppd > > > +start_daemon iscsid isakmpd sasyncd ldapd npppd > > > echo '.'
> >
> > Most of these are dynamically linked.
> >
> > You can make iked dynamic without moving it in the startup sequence.
>
> In a lot of cases it will need the routing daemons to work anyway, so why
> start it so much earlier?

But in other cases (yay OSPFv3 - also bgpd with 'ipsec esp ike', and
pfsync setups without dedicated nic, if that still works) you want IPsec
up and running before the routing daemons.
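
Review bot: On the changed start_daemon line (iscsid isakmpd ... npppd), iked is dropped from the early daemons and nothing in the quoted hunk starts it again, so as shown etc/rc would no longer start iked at all; the hunk that re-adds it at its new position needs to be reviewed together with this one. isakmpd and sasyncd stay in the early list, so the two IKE daemons would come up at different points in the boot sequence. If the goal is only to link iked dynamically, the start order can stay as it is; if the move is intended, a comment in etc/rc stating where iked must sit relative to the routing daemons would make the ordering requirement explicit.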