[Swan] [libreswan] libreswan on GCE(Google Compute Engine) CentOS 6.3 instance (#3)
Paul Wouters
pwouters at redhat.com
Wed Feb 27 21:02:02 EET 2013
On Wed, 27 Feb 2013, T.J. Yang wrote:
> We are basically trying to unload kernel modules. Would "lsmod" be better?
>
> lsmod also tries to cat out the /proc/modules file, which was removed purposely.
hmm okay. I'm not sure I agree removing /proc/modules gains security but
okay :)
> Can we access /sys/ ?
>
> yes.
Ok so we can detect the presence of the code, but it means we will be
trying to unload modules that might have been built inline.
Does /proc/modules simply not exist? Is there _any_ way to tell whether the
kernel supports module (un)loading?
> [root at ks3c63 ~]# ipsec _stackmanager stop
> NETKEY IPsec stack could not be cleared
> Opening /proc/modules: No such file or directory
As I thought.
> We cannot use the config file to determine the stack, because the admin
> might have changed the protostack= in /etc/ipsec.conf and that's the
> reason for restarting. So we always try to unload either stack. Since
> they cannot both be loaded at once, if we find netkey, we don't have to
> look for klips and vice versa. But if you run "stop" on a stopped
> system, we end up needing to check for both. We do that now by looking
> at /proc/net/pfkey and /proc/net/pf_key.
>
> no /proc/net/pf_key, only pfkey file.
Yes, you are using NETKEY which gives /proc/net/pfkey. The KLIPS stack
provides /proc/net/pf_key.
Paul
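As an added example, not code from the libreswan project, the following POSIX shell functions sketch the detection logic discussed in this message: the active stack is inferred from /proc/net/pfkey (NETKEY) versus /proc/net/pf_key (KLIPS), and when /proc/modules has been removed the check falls back to /sys/module, which only lists code loaded as a module, not code built into the kernel. The optional root-prefix argument is an assumption added so the checks can be exercised against a constructed fake /proc and /sys tree.

```shell
#!/bin/sh
# Added example, not part of libreswan's _stackmanager. Every function takes an
# optional root prefix (default "", i.e. the live system) so the same logic can
# be run against a constructed directory tree for testing.

# Print the loaded IPsec stack: "netkey" if /proc/net/pfkey exists, "klips" if
# /proc/net/pf_key exists, "none" otherwise. The two stacks cannot be loaded
# at once, so the first match is authoritative.
detect_ipsec_stack() {
    root="${1:-}"
    if [ -e "$root/proc/net/pfkey" ]; then
        echo netkey
    elif [ -e "$root/proc/net/pf_key" ]; then
        echo klips
    else
        echo none
    fi
}

# Print where loadable-module information can be read from: "proc" when
# /proc/modules is readable, "sys" when only /sys/module is available (the
# situation on the hardened image in the thread), "none" when neither exists.
module_info_source() {
    root="${1:-}"
    if [ -r "$root/proc/modules" ]; then
        echo proc
    elif [ -d "$root/sys/module" ]; then
        echo sys
    else
        echo none
    fi
}

# Return 0 if the named module was loaded at runtime (so unloading it makes
# sense), 1 if it is built into the kernel, absent, or undeterminable.
# /sys/module/<name>/initstate exists only for runtime-loaded modules, which
# is what lets this distinguish a module from built-in code without
# /proc/modules.
module_is_loadable() {
    name="$1"; root="${2:-}"
    case "$(module_info_source "$root")" in
        proc) grep -q "^$name " "$root/proc/modules" ;;
        sys)  [ -f "$root/sys/module/$name/initstate" ] ;;
        *)    return 1 ;;
    esac
}
```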