[Swan] _updown.klips and ip command return code causing conn failure
Tuomo Soini
tis at foobar.fi
Fri May 24 20:33:06 EEST 2013
On Fri, 24 May 2013 11:46:30 -0400 (EDT)
Paul Wouters <pwouters at redhat.com> wrote:
>
> I noticed this failure:
>
> from _updown.klips:
>
> if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0; then
> cmd=change
>
> However, on a machine with
>
> eth0 Link encap:Ethernet HWaddr 00:01:49:00:C2:9B
> inet addr:192.168.10.2 Bcast:192.168.10.255 Mask:255.255.255.0
> eth1 Link encap:Ethernet HWaddr 00:01:49:00:C2:9C
> inet addr:192.168.100.2 Bcast:192.168.100.255 Mask:255.255.255.0
>
> ipsec0 Link encap:Ethernet HWaddr 00:01:49:00:C2:9B
> inet addr:192.168.10.2 Mask:255.255.255.255
> ipsec1 Link encap:Ethernet HWaddr 00:01:49:00:C2:9C
> inet addr:192.168.100.2 Mask:255.255.255.255
>
> I got:
>
> "aaa" #2: up-client output: /usr/libexec/ipsec/_updown.klips:
> changesource "ip route change 192.168.20.0/24 dev ipsec0 src
> 192.168.100.2" failed (RTNETLINK answers: No such file or directory)
>
> checking manually:
>
> # ip -o route get 192.168.100.2
> local 192.168.100.2 dev lo src 192.168.100.2 \ cache <local>
>
> # ip -o route get 111.111.111.111
> 111.111.111.111 via 192.168.100.1 dev eth1 src 192.168.100.2 \ cache
>
> (note none of those say "ipsec" in the output.)
>
> # export PLUTO_MY_SOURCEIP=192.168.100.2
> # ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0
> # echo $?
> 1
>
> I then tested using:
>
> # if test -n "`ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep ipsec0`"; then echo change; fi
> #

ipsec0 is wrong here anyway and won't work with ipsec1.

I'd remove whole changesource stuff - that's total crap. With *subnets=
that's not needed at all - changesource is meant to fix configuration
errors where there are two conns configured for the same remote subnet and
only one of those is done with leftsubnet= - changesource is meant to
fix this error and I suggest removing this completely.

Note about shell script coding style:

`` is the legacy way to execute a sub-shell and $() is preferred for
readability - I did large work to clean up most scripts to use
consistent style - including _updown.klips

Same for test - I converted everything I could to use [ ] for
consistency - so no test and no `` please.

> Which seems a better way to do things.
>
> I'll commit this change if no one objects once the tree is unfrozen,
Style really matters in scripts too.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
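
Added example (not part of the original thread and not libreswan's own code): the two conditions discussed above, run against the route output quoted in the thread plus two constructed ipsec lines. Because `!` negates the exit status of the whole pipeline, the quoted `_updown.klips` condition and the `test -n` variant select opposite branches; `route_get` is a constructed stand-in for `ip -o route get`, and `uses_ipsec_dev` is a hypothetical helper.

```shell
#!/bin/sh
# Constructed stand-in for `ip -o route get <addr>` so this runs offline.
# The first two outputs are the ones shown in the thread; the ipsec0 and
# ipsec1 lines are constructed for illustration.
route_get() {
    case "$1" in
        192.168.100.2)   printf '%s\n' 'local 192.168.100.2 dev lo src 192.168.100.2 \ cache <local>' ;;
        111.111.111.111) printf '%s\n' '111.111.111.111 via 192.168.100.1 dev eth1 src 192.168.100.2 \ cache' ;;
        192.168.20.1)    printf '%s\n' '192.168.20.1 dev ipsec0 src 192.168.10.2 \ cache' ;;
        192.168.30.1)    printf '%s\n' '192.168.30.1 dev ipsec1 src 192.168.100.2 \ cache' ;;
    esac
}

# Condition as quoted from _updown.klips. "!" negates the pipeline's exit
# status (grep's), so the branch runs when "ipsec0" is NOT in the output.
# grep -q is used here only to keep the demo output quiet.
check_original() {
    if ! route_get "$1" | grep -q ipsec0; then echo change; else echo nochange; fi
}

# Condition tested in the thread, written with $() and [ ] instead of
# backticks and test. The branch runs when grep DOES print a match.
check_tested() {
    if [ -n "$(route_get "$1" | grep ipsec0)" ]; then echo change; else echo nochange; fi
}

# Hypothetical helper: does the route leave via any ipsecN device?
# A hard-coded "ipsec0" pattern cannot see ipsec1.
uses_ipsec_dev() {
    if route_get "$1" | grep -Eq 'dev ipsec[0-9]+( |$)'; then echo yes; else echo no; fi
}

for addr in 192.168.100.2 111.111.111.111 192.168.20.1 192.168.30.1; do
    printf '%-16s original=%-9s tested=%-9s ipsec_dev=%s\n' "$addr" \
        "$(check_original "$addr")" "$(check_tested "$addr")" "$(uses_ipsec_dev "$addr")"
done
```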