[Swan] _updown.klips and ip command return code causing conn failure

Tuomo Soini tis at foobar.fi
Fri May 24 20:33:06 EEST 2013


On Fri, 24 May 2013 11:46:30 -0400 (EDT)
Paul Wouters <pwouters at redhat.com> wrote:

> 
> I noticed this failure:
> 
> from _updown.klips:
> 
> if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0; then
>       cmd=change
> 
> However, on a machine with
> 
> eth0      Link encap:Ethernet  HWaddr 00:01:49:00:C2:9B
>            inet addr:192.168.10.2  Bcast:192.168.10.255  Mask:255.255.255.0
> eth1      Link encap:Ethernet  HWaddr 00:01:49:00:C2:9C
>            inet addr:192.168.100.2  Bcast:192.168.100.255  Mask:255.255.255.0
> 
> ipsec0    Link encap:Ethernet  HWaddr 00:01:49:00:C2:9B
>            inet addr:192.168.10.2  Mask:255.255.255.255
> ipsec1    Link encap:Ethernet  HWaddr 00:01:49:00:C2:9C
>            inet addr:192.168.100.2  Mask:255.255.255.255
> 
> I got:
> 
> "aaa" #2: up-client output: /usr/libexec/ipsec/_updown.klips:
> changesource "ip route change 192.168.20.0/24 dev ipsec0 src
> 192.168.100.2" failed (RTNETLINK answers: No such file or directory)
> 
> checking manually:
> 
> # ip -o route get 192.168.100.2
> local 192.168.100.2 dev lo  src 192.168.100.2 \    cache <local>
> 
> # ip -o route get 111.111.111.111
> 111.111.111.111 via 192.168.100.1 dev eth1  src 192.168.100.2 \    cache
> 
> (note none of those say "ipsec" in the output.)
> 
> # export PLUTO_MY_SOURCEIP=192.168.100.2
> # ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0
> # echo $?
> 1
> 
> I then tested using:
> 
> # if test -n "`ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0`"; then echo change; fi
> #

ipsec0 is wrong here anyway and won't work with ipsec1.

I'd remove the whole changesource stuff - that's total crap. With *subnets=
that's not needed at all - changesource is meant to fix configuration
errors where there are two conns configured for the same remote subnet and
only one of those is done with leftsubnet= - changesource is meant to
fix this error and I suggest removing this completely.

Note about shell script coding style:

`` is the legacy way to execute a sub-shell and $() is preferred for
readability - I did large work to clean up most scripts to use a
consistent style - including _updown.klips

Same for test - I converted everything I could to use [ ] for
consistency - so no test and no `` please.

> Which seems a better way to do things.
> 
> I'll commit this change if no one objects once the tree is unfrozen,

Style really matters in scripts too.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
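
Added example, not part of the original message or of _updown.klips: a check that reads the `dev` field of `ip -o route get` output and accepts any ipsecN device, written with `$()` and `[ ]` as the reply asks. The function names and the `ipsec1` sample line are constructed for illustration; the first two sample lines are the outputs quoted in the message.

```shell
#!/bin/sh
# Added illustration; route_dev and uses_ipsec_dev are hypothetical names.

# Print the device that follows the "dev" keyword in one line of
# `ip -o route get` output. Returns 1 when the line has no "dev" field.
# The body is a subshell so that `set -f` does not leak to the caller.
route_dev() (
    set -f          # no globbing while the line is split into words
    set -- $1       # unquoted on purpose: word-split the route line
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
)

# Succeed only when the route leaves through a KLIPS ipsecN device.
# Matching the dev field avoids both the hard-coded "ipsec0" and a
# stray "ipsec" substring elsewhere in the line.
uses_ipsec_dev() {
    _dev=$(route_dev "$1") || return 1
    case "$_dev" in
        ipsec[0-9]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Sample lines. The first two are quoted in the message above; the
# third is constructed to show a route through ipsec1.
SAMPLE_LOCAL='local 192.168.100.2 dev lo  src 192.168.100.2 \    cache <local>'
SAMPLE_VIA_ETH1='111.111.111.111 via 192.168.100.1 dev eth1  src 192.168.100.2 \    cache'
SAMPLE_IPSEC1='192.168.20.1 dev ipsec1  src 192.168.100.2 \    cache'

for line in "$SAMPLE_LOCAL" "$SAMPLE_VIA_ETH1" "$SAMPLE_IPSEC1"; do
    if uses_ipsec_dev "$line"; then
        echo "ipsec route via $(route_dev "$line")"
    else
        echo "not an ipsec route (dev $(route_dev "$line"))"
    fi
done
```

On a live system the argument would be `"$(ip -o route get "${PLUTO_MY_SOURCEIP%/*}")"`.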