[Swan-dev] crash after pluto: Fix addresspool reference count

wolfgang at linogate.de wolfgang at linogate.de
Sat Oct 7 11:57:54 UTC 2017


On Sat, 7 Oct 2017 13:35:18 +0200, Antony Antony wrote
> On Sat, Oct 07, 2017 at 12:02:59PM +0200, wolfgang at linogate.de wrote:
> > I also couldn't stay away and found some time today to look into it. I
> > have added a solution and two test cases to lsw299, which I think now
> > work properly.
> 
> Wow, it is great to receive patches with tests, thanks.
> 
> Are you running the full KVM test suite? Because you patched
> testing/baseconfigs/east/etc/ipsec.d/passwd

No, I had problems getting the whole KVM suite running in the past, but the
docker test runs fine for me at the moment; I'm only running the single tests, though.

The additional users in testing/baseconfigs/east/etc/ipsec.d/passwd are needed
for the two new tests and can be reused if other tests need them.

> I had a quick look. I will push the test cases. I will not apply the
> fix yet. There are some red flags here. Maybe some of the issues I
> am noticing now are not new.

I don't see an issue now, and it only depends on the single-side case when you
use an IP in /etc/ipsec.d/passwd anyway.

> > We have used this feature for years without problems. Sure, it is not optimal,
> > but it works. The static address pool is only temporarily installed to assign
> > the user-defined static IP to the client and is deleted once the instance is gone.
> 
> Why do you specify a range per user?
> 
> +use6:xOzlFlqtwJIu2:east-any:192.0.2.101-192.0.2.200
> 
> If you do that things will likely get messy.

I don't think so, because it is a possible configuration. The user can connect
with the same username from multiple clients. If he is already connected with
another client, the addresspool is shared/reused for the second connection; if
it is the first connection, a new addresspool with the range is installed.

> 
> > Having multiple address pools on one connection would be a nice thing, but
> > I think it is not easy to implement.
> 
> Yes. Multiple connections sharing the exact same pool is supported.
> I don't see a need for multiple pools per connection yet.
> 
> If the address from the xauth file is made into an addresspool used
> only by this specific instance, I would add a variable in "struct
> ip_pool" to indicate "do not share this pool".
> 
> > Overlapping IP addresses in global and static pools are configuration problems,
> > and the log clearly shows the user that he needs to configure separate pools.
> 
> I don't think it will work as you imagine. Currently, if an
> addresspool is added via the xauth password file, that pool could be shared.
> 

And that is necessary if you have a pool range (see above). The pool is not
connected to the non-instance connection, but the last instance connection
deletes the shared static pool.

Wolfgang
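A small model of the pool lifecycle argued over in this thread, added here as an illustration and not libreswan's own code: a static pool taken from a passwd entry is installed by the first instance of a user, shared by further instances of the same user, deleted when the last instance goes away, and refused when it overlaps a global addresspool. The passwd line is the one quoted above; the PoolRegistry class, its method names and the global pool range are assumptions.

```python
import ipaddress

# Passwd entry quoted in the thread: user:passwordhash:connection:addresspool
PASSWD_LINE = "use6:xOzlFlqtwJIu2:east-any:192.0.2.101-192.0.2.200"


def parse_passwd_line(line):
    """Split a passwd line into (user, connection, addresspool-or-None)."""
    fields = line.rstrip("\n").split(":", 3)
    user, _pwhash, conn = fields[:3]
    pool = fields[3] if len(fields) == 4 and fields[3] else None
    return user, conn, pool


def parse_range(spec):
    """'a.b.c.d-e.f.g.h' -> (lo, hi) as integers; rejects reversed ranges."""
    lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
    if hi < lo:
        raise ValueError(f"reversed addresspool range: {spec}")
    return int(lo), int(hi)


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


class PoolRegistry:
    """Hypothetical registry: reference-counted static pools keyed by range."""

    def __init__(self, global_pools=()):
        self.global_ranges = [parse_range(p) for p in global_pools]
        self.static = {}  # range spec -> number of live instances using it

    def conflicts_with_global(self, spec):
        rng = parse_range(spec)
        return any(overlaps(rng, g) for g in self.global_ranges)

    def instance_up(self, spec):
        # First instance installs the pool; later instances of the same user
        # reuse it. Overlap with a global pool is a configuration error.
        if self.conflicts_with_global(spec):
            raise ValueError(f"static pool {spec} overlaps a global addresspool; "
                             "configure separate pools")
        self.static[spec] = self.static.get(spec, 0) + 1
        return self.static[spec]

    def instance_down(self, spec):
        # Only the last instance to go away deletes the shared static pool.
        remaining = self.static[spec] - 1
        if remaining == 0:
            del self.static[spec]
        else:
            self.static[spec] = remaining
        return remaining
```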

