Bug 1889836
| Summary: | libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Paul Wouters <pwouters> |
| Component: | libreswan | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.4 | CC: | omoris |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libreswan-4.1-1.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 15:38:31 UTC | Type: | Task |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Paul Wouters
2020-10-20 16:54:55 UTC
Paul, do we have a list of all these backward compatibility items? I know about ikev2= options but is there actually anything else? You can see them from the included patch:
paul@thinkpad:~/rhel/libreswan-8.4 (rhel-8.4.0>)$ grep "+ " libreswan-4.1-maintain-obsolete-keywords.patch
+++ libreswan-4.1/lib/libipsecconf/keywords.c 2020-10-27 23:47:09.999098076 -0400
+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */
+ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */
+ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */
+ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */
+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */
+ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */
+ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */
+ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */
+ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */
+ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */
+ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
+ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */
+ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
+ { "xauthusername", kv_conn | kv_leftright | kv_alias, kt_string, KSCF_USERNAME, NULL, NULL, }, /* obsolete name */
+ { "xauthname", kv_conn | kv_leftright | kv_alias, kt_string, KSCF_USERNAME, NULL, NULL, }, /* obsolete name */
+ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */
+ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */
+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
+ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */
+ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */
+ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */
+ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */
+ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+ { "policy_label", kv_conn | kv_alias, kt_string, KSCF_POLICY_LABEL, NULL, NULL, }, /* obsolete _ */
+ { "remote_peer_type", kv_conn | kv_alias, kt_enum, KNCF_REMOTEPEERTYPE, &kw_remote_peer_type, NULL, }, /* obsolete _ */
+ { "nm_configured", kv_conn | kv_alias, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
+ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
+ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
most of these are variants with an underscore that was changed to a dash. But some names also changes more.
Note that this is _only_ about re-instating some old names. There is change of functionality whatsoever (unlike the ikev2= keyword where we change the functionality compared to upstream)
Note that items with kt_obsolete and KNCF_WARNIGNORE used to not do anything anymore already and log a warning - which we re-instate. Where 4.1 would give an error for "unknown keyword" Items with kt_alias as just aliases for another keyword. During CI testing with libreswan-4.1-1.el8 I found a few previously obsoleted keyword causing errors. Don't we want to handle them the same way as the ones mentioned in comment #2 (ie. re-instate warning instead of throwing an error)? * nat_traversal (removed) * oe (removed) * plutorestartoncrash (removed) * virtual_private (renamed to virtual-private) * connaddrfamily (removed)
+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
that one should not be giving you an error, as I put it back ?
oe= is really super super old and was never really part of libreswan. I'm okay with that giving an error, but if you want to restore it, we can.
plutorestartoncrash is also really old and really has been obsoleted since the OS changed from sysvinit to systemd. I don't think anyone will have used this option outside of testing anyway.
virtual_private is old but since it appears in so many configs we even left if in upstream. you can see in the rhel patch that it was already there:
{ "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
(eg no + line in the patch). So I am confused how you get an error on this ?
connaddrfamily cannot really be added because the option was broken for 6in4 / 4in6 which is why we split it:
pluto: Split connaddrfamily= into hostaddrfamily= and clientaddrfamily=
This was already done in 3.25 though, so everyone on rhel7 would have already hit this is it had been a problem for them.
(In reply to Paul Wouters from comment #10) > + { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, > NULL, NULL, }, /* obsolete _ */ > > that one should not be giving you an error, as I put it back ? This one is different, I am missing "nat_traversal". But as far as I can see, it was obsoleted really a long time ago, I see it was removed from the testsuite four years ago already. Hence I think it is probably fine to error on it. > oe= is really super super old and was never really part of libreswan. I'm > okay with that giving an error, but if you want to restore it, we can. Nope, I am okay with error as long as you are fine with that. > plutorestartoncrash is also really old and really has been obsoleted since > the OS changed from sysvinit to systemd. I don't think anyone will have used > this option outside of testing anyway. Agreed. > virtual_private is old but since it appears in so many configs we even left > if in upstream. you can see in the rhel patch that it was already there: > > > { "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, > NULL, }, /* obsolete variant, very common */ > > (eg no + line in the patch). So I am confused how you get an error on this ? You are right, both virtual_private and virtual-private are really supported. The reason I got an error is that previously configuration "virtual_private=" (no parameter on the right side) worked and now it does not: # cat /etc/ipsec.d/ipsec.conf ... config setup virtual_private= # If logfile= is unset, syslog is used to send log messages too. ... # /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:31: syntax error, unexpected STRING, expecting EOL [if] With "virtual_private=''" it works fine. So I guess the parsing of config changed a bit in the rebase and empty right side is not allowed anymore. I am perfectly fine with that but I guess it would be better to document it in the Release Notes. > connaddrfamily cannot really be added because the option was broken for 6in4 > / 4in6 which is why we split it: > > pluto: Split connaddrfamily= into hostaddrfamily= and clientaddrfamily= > > > This was already done in 3.25 though, so everyone on rhel7 would have > already hit this is it had been a problem for them. Agreed. So all in all, I think we are good. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:1803 |