[Swan-dev] libreswan-git/klips doesn't remove old ip addresses from ipsec device
Wolfgang Nothdurft
wolfgang at linogate.de
Thu May 8 13:26:38 EEST 2014
On 07.05.2014 17:14, Paul Wouters wrote:
> On Wed, 7 May 2014, Wolfgang Nothdurft wrote:
>
>> If the ip address of a dynamic base device changes, the old ip address
>> will not be removed even after an ipsec restart.
>>
>> The problem was introduced with the
>>
>> commit eafef8377e6aa5be0001d4b61c48cbee3e8097c4
>> Author: Paul Wouters <pwouters at redhat.com>
>> Date: Fri Mar 28 19:05:56 2014 -0400
>>
>> _stackmanager: optimize unloading stacks
>>
>> https://lists.libreswan.org/pipermail/swan-commit/2014-March/001055.html
>>
>> With this change the ipsec modules won't be unloaded on stop.
>>
>> Should it be part of the network scripts to care about an ip address
>> change and removing it from the ipsec device?
>>
>> What is the recommended procedure that the network scripts have to do
>> when the ip address changes?
>>
>> I think one simple solution would be to flush the ip from ipsec after
>> clearing the eroutes, or replacing the ip instead of adding it in the
>> startklips function.
>
> You would have to delete the IP and the aliases too, so that's not
> trivial as aliases can be added in the old and new method.
>
> As the above fix was mostly meant for the NETKEY/XFRM unloading issues,
> I've just pushed a change that will unload KLIPS when stop is called
> and which won't unload netkey modules unless changing to klips:
>
> diff --git a/programs/_stackmanager/_stackmanager.in
> b/programs/_stackmanager/_stackmanager.in
> index d2f52fb..d19091a 100644
> --- a/programs/_stackmanager/_stackmanager.in
> +++ b/programs/_stackmanager/_stackmanager.in
> @@ -434,19 +434,16 @@ esac
>
> case ${action} in
> stop)
> - # We don't unload on stop - only when we detect a stack change.
> We do try and cleanup state
> - case ${stack} in
> - netkey)
> + # We don't unload NETKEY/XFRM on stop - only when we detect a
> stack change.
> + if [ -f ${ipsecpfkey} ]; then
> + ipsec eroute --clear
> + # this clears all IP addresses on ipsecX interfaces by
> unloading the module
> + stopklips()
> + elif [ -f ${kamepfkey} ]; then
> ip xfrm state flush
> ip xfrm policy flush
> - ;;
> - klips)
> - ipsec eroute --clear
> - ;;
> - mast)
> - ipsec eroute --clear
> - ;;
> - esac
> + # module unloading skipped on purpose - can hang for a
> long time or fail
> + fi
> ;;
> start)
> case ${stack} in
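Review bot: the added line `stopklips()` in the `if [ -f ${ipsecpfkey} ]` branch is shell function-definition syntax, not a function call; followed directly by `elif` it is a syntax error that will abort the whole `stop` action, so neither the KLIPS nor the NETKEY cleanup runs. Change it to a plain call, `stopklips`, and make sure that function is defined earlier in `_stackmanager.in` (the hunk does not show its definition). The comment above it ("this clears all IP addresses on ipsecX interfaces by unloading the module") then correctly describes what the call does.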
>
> Hope this addresses your issue,
>
Yes, thanks.
But you have a typo at
> + # this clears all IP addresses on ipsecX interfaces by
> unloading the module
> + stopklips()
should be stopklips without brackets.
Wolfgang