Bug 1889836 - libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
Summary: libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and r...
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-10-20 16:54 UTC by Paul Wouters
Modified: 2020-11-24 18:19 UTC

Fixed In Version: libreswan-4.1-1.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Task
Target Upstream Version:



Description Paul Wouters 2020-10-20 16:54:55 UTC
libreswan 4.0 has removed some backwards-compatible aliases. Re-add these for RHEL 8 versions.

RHEL 7/8 also carries a patch for different ikev2= value handling. This patch also needs to be ported to RHEL 8.4.0.

This will result in fully backwards-compatible libreswan ipsec.conf syntax with libreswan 3.x published in RHEL 8.

Comment 1 Ondrej Moriš 2020-11-02 15:31:56 UTC
Paul, do we have a list of all these backward compatibility items? I know about ikev2= options but is there actually anything else?

Comment 2 Paul Wouters 2020-11-03 03:27:32 UTC
You can see them from the included patch:

paul@thinkpad:~/rhel/libreswan-8.4 (rhel-8.4.0>)$ grep "+ " libreswan-4.1-maintain-obsolete-keywords.patch
+++ libreswan-4.1/lib/libipsecconf/keywords.c	2020-10-27 23:47:09.999098076 -0400
+  { "curl_iface",  kv_config | kv_alias,  kt_string,  KSF_CURLIFACE, NULL, NULL, },  /* obsolete _ */
+  { "curl_timeout",  kv_config | kv_alias,  kt_time,  KBF_CURLTIMEOUT, NULL, NULL, },  /* obsolete _ */
+  { "plutostderrlogtime",  kv_config | kv_alias,  kt_bool,  KBF_LOGTIME, NULL, NULL, },  /* obsolete */
+  { "crl_strict",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete _ */
+  { "strictcrlpolicy",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete; used on openswan */
+  { "ocsp_strict",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },  /* obsolete _ */
+  { "ocsp_enable",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },  /* obsolete _ */
+  { "ocsp_uri",  kv_config | kv_alias,  kt_string,  KSF_OCSP_URI, NULL, NULL, },  /* obsolete _ */
+  { "ocsp_timeout",  kv_config | kv_alias,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },  /* obsolete _ */
+  { "ocsp_trust_name",  kv_config | kv_alias,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },  /* obsolete _ */
+  { "keep_alive",  kv_config | kv_alias,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+  { "secctx_attr_value",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete _ */
+  { "secctx-attr-value",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
+  { "xauthusername",  kv_conn | kv_leftright | kv_alias,  kt_string,  KSCF_USERNAME, NULL, NULL, },  /* obsolete name */
+  { "xauthname",  kv_conn | kv_leftright | kv_alias,  kt_string,  KSCF_USERNAME, NULL, NULL, },  /* obsolete name */
+  { "ike_frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete _ */
+  { "ike-frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete name */
+  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+  { "initial_contact",  kv_conn | kv_alias,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },  /* obsolete _ */
+  { "cisco_unity",  kv_conn | kv_alias,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },  /* obsolete _ */
+  { "send_vendorid",  kv_conn | kv_alias,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },  /* obsolete _ */
+  { "sha2_truncbug",  kv_conn | kv_alias,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },  /* obsolete _ */
+  { "labeled_ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+  { "labeled-ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+  { "policy_label",  kv_conn | kv_alias,  kt_string,  KSCF_POLICY_LABEL, NULL, NULL, },  /* obsolete _ */
+  { "remote_peer_type",  kv_conn | kv_alias,  kt_enum,  KNCF_REMOTEPEERTYPE,  &kw_remote_peer_type, NULL, },  /* obsolete _ */
+  { "nm_configured",  kv_conn | kv_alias,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, },  /* obsolete _ */
+  { "modecfgdns1",  kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
+  { "modecfgdns2",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+  { "modecfgdomain",  kv_conn | kv_alias,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
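Review bot: the kt_obsolete/KNCF_WARNIGNORE entries for `labeled_ipsec`, `labeled-ipsec` and `modecfgdns2` turn what 4.1 would report as an "unknown keyword" failure into a warning that drops the setting, and since `modecfgdns1` is aliased to KSCF_MODECFGDNS while `modecfgdns2` is dropped, a conn carrying both keeps only the first DNS server and a conn that relied on `labeled_ipsec=yes` now starts with that policy absent apart from one log line; both behaviours deserve a line in the package changelog so admins know to look for the warning. Separately, `secctx-attr-value` is the only restored entry registered without `kv_alias` (its comment reads "obsolete: not a value, a type"); confirm that is intended rather than a copy-and-paste slip, since every other restored name carries the flag.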

Most of these are variants with an underscore that was changed to a dash. But some names also changed more.

Note that this is _only_ about re-instating some old names. There is no change of functionality whatsoever (unlike the ikev2= keyword, where we change the functionality compared to upstream).

Comment 3 Paul Wouters 2020-11-03 03:29:20 UTC
Note that items with kt_obsolete and KNCF_WARNIGNORE already used to do nothing and log a warning, which we re-instate, where 4.1 would give an error for "unknown keyword".

Items with kv_alias are just aliases for another keyword.

Comment 9 Ondrej Moriš 2020-11-24 11:25:38 UTC
During CI testing with libreswan-4.1-1.el8 I found a few previously obsoleted keywords causing errors. Don't we want to handle them the same way as the ones mentioned in comment #2 (i.e. re-instate a warning instead of throwing an error)?

 * nat_traversal (removed)
 * oe (removed)
 * plutorestartoncrash (removed)
 * virtual_private (renamed to virtual-private)
 * connaddrfamily (removed)

Comment 10 Paul Wouters 2020-11-24 18:19:53 UTC
+  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */

That one should not be giving you an error, as I put it back?

oe= is really super super old and was never really part of libreswan. I'm okay with that giving an error, but if you want to restore it, we can.

plutorestartoncrash is also really old and really has been obsoleted since the OS changed from sysvinit to systemd. I don't think anyone will have used this option outside of testing anyway.

virtual_private is old, but since it appears in so many configs we even left it in upstream. You can see in the RHEL patch that it was already there:


   { "virtual_private",  kv_config,  kt_string,  KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */

(e.g. no + line in the patch). So I am confused how you get an error on this?

connaddrfamily cannot really be added because the option was broken for 6in4 / 4in6 which is why we split it:

    pluto: Split connaddrfamily= into hostaddrfamily= and clientaddrfamily=


This was already done in 3.25 though, so everyone on RHEL 7 would have already hit this if it had been a problem for them.


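A pre-flight check for the migration discussed in comments 2, 3, 9 and 10, added here as an example; it is not code from libreswan or from this bug report. It scans an ipsec.conf written in 3.x syntax, renames the keywords the patch restores as kv_alias entries, and flags separately the ones the patch only warns about and drops (kt_obsolete/KNCF_WARNIGNORE) and the ones from comment 9 that the patch does not restore at all, so an admin sees before upgrading which settings silently stop having effect and which make pluto reject the file. The 4.x keyword names on the right-hand side of ALIAS are an assumption derived from the KSF_/KNCF_ constant names and the "underscore became a dash" rule, the left/right prefix handling is assumed from the kv_leftright flag, and the sample config is constructed, not taken from any deployment.

```python
"""Pre-flight check of a libreswan 3.x ipsec.conf before a move to libreswan 4.x.

Added example, not libreswan code.  Keyword classes are taken from the patch quoted
in comment 2 (kv_alias and kt_obsolete/KNCF_WARNIGNORE entries) and the list in
comment 9.  The 4.x names in ALIAS, the left/right prefix handling and the sample
config are assumptions made for this example.
"""
import re

# Obsolete 3.x keyword -> assumed canonical 4.x keyword (kv_alias entries in the patch).
ALIAS = {
    # config setup section
    "curl_iface": "curl-iface", "curl_timeout": "curl-timeout",
    "plutostderrlogtime": "logtime",
    "crl_strict": "crl-strict", "strictcrlpolicy": "crl-strict",
    "ocsp_strict": "ocsp-strict", "ocsp_enable": "ocsp-enable",
    "ocsp_uri": "ocsp-uri", "ocsp_timeout": "ocsp-timeout",
    "ocsp_trust_name": "ocsp-trustname", "keep_alive": "keep-alive",
    "secctx_attr_value": "secctx-attr-type", "secctx-attr-value": "secctx-attr-type",
    "virtual_private": "virtual-private",
    # conn section (the kv_leftright ones appear as leftxauthusername= etc.)
    "xauthusername": "username", "xauthname": "username",
    "ike_frag": "fragmentation", "ike-frag": "fragmentation",
    "nat_keepalive": "nat-keepalive", "initial_contact": "initial-contact",
    "cisco_unity": "cisco-unity", "send_vendorid": "send-vendorid",
    "sha2_truncbug": "sha2-truncbug", "policy_label": "policy-label",
    "remote_peer_type": "remote-peer-type", "nm_configured": "nm-configured",
    "modecfgdns1": "modecfgdns", "modecfgdomain": "modecfgdomains",
}
# kt_obsolete / KNCF_WARNIGNORE entries: parsed, warned about, then dropped.
IGNORED = {"labeled_ipsec", "labeled-ipsec", "modecfgdns2"}
# Keywords from comment 9 the patch does not restore: 4.1 reports "unknown keyword".
REJECTED = {"nat_traversal": "removed", "oe": "removed", "plutorestartoncrash": "removed",
            "connaddrfamily": "removed; split into hostaddrfamily= and clientaddrfamily="}

# A settings line: optional indent, keyword, then '=' and the rest (value, trailing comment).
SETTING = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_-]+)(?P<rest>\s*=.*)$")


def split_side(key):
    """Split 'leftxauthusername' into ('left', 'xauthusername'); bare keys get ''."""
    for side in ("left", "right"):
        if key.startswith(side) and len(key) > len(side):
            return side, key[len(side):]
    return "", key


def check_ipsec_conf(text):
    """Return (findings, rewritten) for one ipsec.conf body.

    findings: list of (lineno, keyword, class, detail), class in {"alias",
    "ignored", "error"}.  rewritten: the config with alias keywords renamed;
    ignored and rejected lines are left in place for the admin to resolve.
    """
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SETTING.match(line)
        if m is None or line.lstrip().startswith("#"):
            out.append(line)  # section header, comment, blank or include line
            continue
        side, base = split_side(m["key"])
        if base in ALIAS:
            new_key = side + ALIAS[base]
            findings.append((lineno, m["key"], "alias", f"rewritten as {new_key}="))
            out.append(m["indent"] + new_key + m["rest"])
        elif base in IGNORED:
            findings.append((lineno, m["key"], "ignored",
                             "accepted with a warning but has no effect"))
            out.append(line)
        elif base in REJECTED:
            findings.append((lineno, m["key"], "error",
                             REJECTED[base] + "; libreswan 4.1 rejects the file"))
            out.append(line)
        else:
            out.append(line)
    return findings, "\n".join(out) + "\n"


# Constructed sample in 3.x syntax, not taken from any real deployment.
SAMPLE_3X_CONF = """\
config setup
    plutostderrlogtime=yes
    crl_strict=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:!10.1.0.0/16

conn lab
    left=192.0.2.1
    leftxauthusername=alice
    ike_frag=force
    labeled_ipsec=yes
    modecfgdns1=10.1.1.1
    modecfgdns2=10.1.1.2
    connaddrfamily=ipv4
    auto=start
"""

if __name__ == "__main__":
    found, fixed = check_ipsec_conf(SAMPLE_3X_CONF)
    for lineno, key, cls, detail in found:
        print(f"line {lineno:3d} {cls:8s} {key}: {detail}")
    print("--- rewritten ---")
    print(fixed, end="")
```

The rewritten text only touches alias lines; the "ignored" and "error" classes are reported but left alone on purpose, because whether `labeled_ipsec=yes` can simply be deleted or has to be re-expressed with a 4.x keyword is a policy decision the script cannot make for you.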