[Swan] protostack=mast

Pavel Kopchyk pkopchyk at gmail.com
Thu Mar 21 11:18:31 EET 2013


After applying the patch:

** snip
+ '[' mast = mast ']'
+ virt=mast0
+ '[' '!' -d /sys/devices/virtual/net/mast0 ']'
+ ipsec tncfg --clear
++ sort -r
++ cut -d: -f2
++ grep ipsec
++ ip -oneline link show
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec1
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec0
+ ip link show dev mast0
+ grep -q 'mtu 0 '
+ RETVAL=0
+ '[' 0 -eq 0 ']'
+ echo 'Fixup of mtu on mast0 to 16260'
Fixup of mtu on mast0 to 16260
+ ip link set mtu 16260 dev mast0
+ exit 0

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
24: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/void
26: mast0: <NOARP> mtu 16260 qdisc noop state DOWN qlen 10
    link/[65534]


The problem is not only with the MTU. After service ipsec start,
interface mast0 remains in state DOWN.


In _stackmanager at start (in my case) we are trying to remove ipsecX
interfaces.
Another test:

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff

# modprobe ipsec

# modinfo ipsec
filename:       /lib/modules/2.6.32-358.2.1.el6.SAref.i686/extra/libreswan/ipsec.ko
license:        GPL
version:        3.1
srcversion:     70EA27E9F4F4B8F214991E4
depends:
vermagic:       2.6.32-358.2.1.el6.SAref.i686 SMP mod_unload modversions 686
parm:           ipsec_replaywin_override:override replay window (-1=no change, 0=disable, N=override value (int)
parm:           ipsec_irs_cache_allocated_max:Maximum outstanding receive packets (before they are dropped) (int)
parm:           ipsec_ixs_cache_allocated_max:Maximum outstanding transmit packets (int)
parm:           ocf_available:int
parm:           natt_available:int

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   |
    link/void                                             |
34: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | new interfaces by default
    link/void                                             |
35: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10    |
    link/[65534]                                          |

# ipsec tncfg --delete ipsec1
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   |
    link/void                                             | interface ipsec1 - removed
35: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10    |
    link/[65534]                                          |

# ipsec tncfg --delete ipsec0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface ipsec0 - stayed!!!
    link/void                                             |

# ipsec tncfg --delete ipsec0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface ipsec0 - stayed!!!
    link/void                                             |

# ipsec tncfg --delete mast0
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
33: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10   | interface mast0 - removed
    link/void                                             |


# rmmod ipsec
# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff


Regards,

Pavel


2013/3/21 Paul Wouters <pwouters at redhat.com>:
> On Wed, 20 Mar 2013, Pavel Kopchyk wrote:
>
>> As I said before, I'm trying to set up libreswan 3.1 on CentOS 6.4 with
>> SAref support.
>>
>> Another problem was found:
>
>
>> 23: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>        link/[65534]
>
>
> Ah yes, we only checked mtu for ipsec0, not mast0. Try this patch?
>
> diff --git a/programs/_stackmanager/_stackmanager.in
> b/programs/_stackmanager/_stackmanager.in
> index eb2cf30..36ae9e4 100644
> --- a/programs/_stackmanager/_stackmanager.in
> +++ b/programs/_stackmanager/_stackmanager.in
> @@ -261,6 +261,15 @@ startklips() {
>         # PAUL: We tell in the man page for ipsec.conf protostack= that
>         #       the user should do this
>
> +       # Double check the mtu is not 0
> +       # if it is set it to a saner default
> +       ip link show dev $virt | grep -q 'mtu 0 '
> +       RETVAL=$?
> +       if [ "$RETVAL" -eq 0 ]; then
> +               echo "Fixup of mtu on $virt to 16260" >&2
> +               ip link set mtu 16260 dev $virt
> +       fi
> +
>      elif [ $stack = "klips" ]; then
>         # in klips mode we attach it to the physical device
>         # clear tables out in case dregs have been left over
>
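
Review bot: In the added block, $virt is expanded unquoted in both "ip link show dev $virt" and "ip link set mtu 16260 dev $virt", and the exit status of "ip link set" is never checked, so a failed fixup still prints the "Fixup of mtu" message and startup continues silently. Suggest quoting "$virt", testing the pipeline directly (if ip link show dev "$virt" | grep -q 'mtu 0 '; then) instead of assigning RETVAL, which avoids overwriting a variable the rest of the script may use for its exit status, and printing an error to stderr when "ip link set" fails. The value 16260 appears twice as a literal; a named variable with a comment on where the number comes from would document it. The comment "if it is set it to a saner default" also reads ambiguously without a comma ("if it is, set it to a saner default").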

