[Swan-dev] libreswan-git/klips doesn't remove old ip addresses from ipsec device

Wolfgang Nothdurft wolfgang at linogate.de
Thu May 8 13:26:38 EEST 2014


On 07.05.2014 17:14, Paul Wouters wrote:
> On Wed, 7 May 2014, Wolfgang Nothdurft wrote:
>
>> If the ip address of a dynamic base device changes, the old ip address
>> will not be removed, even after an ipsec restart.
>>
>> The problem was introduced with the
>>
>> commit eafef8377e6aa5be0001d4b61c48cbee3e8097c4
>> Author: Paul Wouters <pwouters at redhat.com>
>> Date:   Fri Mar 28 19:05:56 2014 -0400
>>
>>    _stackmanager: optimize unloading stacks
>>
>> https://lists.libreswan.org/pipermail/swan-commit/2014-March/001055.html
>>
>> With this change the ipsec modules won't be unloaded on stop.
>>
>> Should it be part of the network scripts to care about an ip address
>> change and removing it from the ipsec device?
>>
>> What is the recommended procedure that the network scripts have to do
>> when the ip address changes?
>>
>> I think one simple solution would be to flush the ip from ipsec after
>> clearing the eroutes, or to replace the ip instead of adding it in the
>> startklips function.
>
> You would have to delete the IP and the aliases too, so that's not
> trivial as aliases can be added in the old and new method.
>
> As the above fix was mostly meant for the NETKEY/XFRM unloading issues,
> I've just pushed a change that will unload KLIPS when stop is called
> and which won't unload netkey modules unless changing to klips:
>
> diff --git a/programs/_stackmanager/_stackmanager.in
> b/programs/_stackmanager/_stackmanager.in
> index d2f52fb..d19091a 100644
> --- a/programs/_stackmanager/_stackmanager.in
> +++ b/programs/_stackmanager/_stackmanager.in
> @@ -434,19 +434,16 @@ esac
>
>   case ${action} in
>       stop)
> -       # We don't unload on stop - only when we detect a stack change.
>          We do try and cleanup state
> -       case ${stack} in
> -           netkey)
> +       # We don't unload NETKEY/XFRM on stop - only when we detect a
> stack change.
> +       if [ -f ${ipsecpfkey} ]; then
> +               ipsec eroute --clear
> +               # this clears all IP addresses on ipsecX interfaces by
> unloading the module
> +               stopklips()
> +       elif [ -f ${kamepfkey} ]; then
>                  ip xfrm state flush
>                  ip xfrm policy flush
> -               ;;
> -           klips)
> -               ipsec eroute --clear
> -               ;;
> -           mast)
> -               ipsec eroute --clear
> -               ;;
> -       esac
> +               # module unloading skipped on purpose - can hang for a
> long time or fail
> +       fi
>          ;;
>       start)
>          case ${stack} in
>
> Hope this addresses your issue,
>


Yes, thanks.

But you have a typo at

 > +               # this clears all IP addresses on ipsecX interfaces by
 > unloading the module
 > +               stopklips()

It should be stopklips without brackets.

Wolfgang