[Swan] protostack=mast
Pavel Kopchyk
pkopchyk at gmail.com
Thu Mar 21 11:18:31 EET 2013
After applying the patch:
** snip
+ '[' mast = mast ']'
+ virt=mast0
+ '[' '!' -d /sys/devices/virtual/net/mast0 ']'
+ ipsec tncfg --clear
++ sort -r
++ cut -d: -f2
++ grep ipsec
++ ip -oneline link show
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec1
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec0
+ ip link show dev mast0
+ grep -q 'mtu 0 '
+ RETVAL=0
+ '[' 0 -eq 0 ']'
+ echo 'Fixup of mtu on mast0 to 16260'
Fixup of mtu on mast0 to 16260
+ ip link set mtu 16260 dev mast0
+ exit 0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
24: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
26: mast0: <NOARP> mtu 16260 qdisc noop state DOWN qlen 10
link/[65534]
The problem is not only with the MTU. After service ipsec start -
interface mast0 remains in state DOWN.
In _stackmanager at start (in my case) we are trying to remove ipsecX
interfaces.
Another test:
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
# modprobe ipsec
# modinfo ipsec
filename:
/lib/modules/2.6.32-358.2.1.el6.SAref.i686/extra/libreswan/ipsec.ko
license: GPL
version: 3.1
srcversion: 70EA27E9F4F4B8F214991E4
depends:
vermagic: 2.6.32-358.2.1.el6.SAref.i686 SMP mod_unload modversions 686
parm: ipsec_replaywin_override:override replay window (-1=no
change, 0=disable, N=override value (int)
parm: ipsec_irs_cache_allocated_max:Maximum outstanding
receive packets (before they are dropped) (int)
parm: ipsec_ixs_cache_allocated_max:Maximum outstanding
transmit packets (int)
parm: ocf_available:int
parm: natt_available:int
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   |
link/void                                                 |
34: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | new interfaces by default
link/void                                                 |
35: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10    |
link/[65534]                                              |
# ipsec tncfg --delete ipsec1
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   |
link/void                                                 | interface ipsec1 - removed
35: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10    |
link/[65534]                                              |
# ipsec tncfg --delete ipsec0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface ipsec0 - stayed!!!
link/void                                                 |
# ipsec tncfg --delete ipsec0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface ipsec0 - stayed!!!
link/void                                                 |
# ipsec tncfg --delete mast0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface mast0 - removed
link/void                                                 |
# rmmod ipsec
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
Regards,
Pavel
2013/3/21 Paul Wouters <pwouters at redhat.com>:
> On Wed, 20 Mar 2013, Pavel Kopchyk wrote:
>
>> As I said before, I'm trying to set up libreswan 3.1 on CentOS 6.4 with
>> SAref support.
>>
>> Another problem was found:
>
>
>> 23: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>> link/[65534]
>
>
> Ah yes, we only checked mtu for ipsec0, not mast0. Try this patch?
>
> diff --git a/programs/_stackmanager/_stackmanager.in
> b/programs/_stackmanager/_stackmanager.in
> index eb2cf30..36ae9e4 100644
> --- a/programs/_stackmanager/_stackmanager.in
> +++ b/programs/_stackmanager/_stackmanager.in
> @@ -261,6 +261,15 @@ startklips() {
> # PAUL: We tell in the man page for ipsec.conf protostack= that
> # the user should do this
>
> + # Double check the mtu is not 0
> + # if it is set it to a saner default
> + ip link show dev $virt | grep -q 'mtu 0 '
> + RETVAL=$?
> + if [ "$RETVAL" -eq 0 ]; then
> + echo "Fixup of mtu on $virt to 16260" >&2
> + ip link set mtu 16260 dev $virt
> + fi
> +
> elif [ $stack = "klips" ]; then
> # in klips mode we attach it to the physical device
> # clear tables out in case dregs have been left over
>
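Review bot: In the block added to startklips(), the exit status of `ip link set mtu 16260 dev $virt` is never checked, so the "Fixup of mtu on $virt to 16260" message is printed before the change and nothing is reported if the change fails; test that command's status and log a failure to stderr. `$virt` is unquoted in both `ip` calls, and the RETVAL temporary can be dropped by writing `if ip link show dev "$virt" | grep -q 'mtu 0 '; then`. The literal 16260 appears twice; a single variable with a comment saying where the value comes from would document it. The block only changes the MTU and contains no `ip link set ... up`, so an interface that is in state DOWN stays that way after it runs.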