[Swan] _updown.klips and ip command return code causing conn failure

Paul Wouters pwouters at redhat.com
Sat May 25 20:33:29 EEST 2013


On Fri, 24 May 2013, Tuomo Soini wrote:

>> I then tested using:
>>
>> # if test -n "`ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep
>> ipsec0`"; then echo change; fi #
>
> ipsec0 is wrong here anyway and won't work with ipsec1.

Yes, it should grep for "ipsec", not ipsec0.

> I'd remove whole changesource stuff - that's total crap. With *subnets=
> that's not needed at all - changesource is meant to fix configuration
> errors where there are two conns configured for same remote subnet and
> only one of those is done with leftsubnet= - changesource is meant to
> fix this error and I suggest removing this completely.

I checked the git logs and followed it all through before _updown was
split per-stack, and it has always been there. It clearly predates
the leftsubnetS= syntax.

On this "error case", removing it has no ill effects, and bringing the
tunnel up works with proper sourceip for the remote subnet, and bringing
down the tunnel properly removes that route.

Once we have a few more klips test cases back up and running, I'll try
and remove it and see if any known cases break.


> Note about shellscript coding style:
>
> `` is legacy way to execute sub-shell and $() is preferred for
> readability - I did large work to clean up most scripts to use
> consistent style - including _updown.klips
>
> Same for test - I converted everything I could to use [ ] for
> consistency - so no test and no `` please.

Good to know. We should write up the coding style for shell scripts
into the documentation in two weeks :)

Paul
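
Added example (not part of the original message and not libreswan's _updown.klips code): the route check quoted above, written with $( ) and [ ] as requested in the thread and matching any ipsecN device rather than only ipsec0. The function names, the IP_CMD override, the return-code convention and the sample route lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not code from libreswan's _updown.klips.

# Return 0 if one line of `ip -o route get` output names a KLIPS
# device (ipsec0, ipsec1, ...), 1 otherwise.
uses_ipsec_dev() {
    case " $1 " in
        *" dev ipsec"[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper. Returns 0 = routed via ipsecN, 1 = other device,
# 2 = no address given or the ip call itself failed.
# IP_CMD (assumed name) lets a stub stand in for the real ip binary.
sourceip_routed_via_ipsec() {
    sri_addr="${1%/*}"      # strip /mask, like ${PLUTO_MY_SOURCEIP%/*}
    [ -n "${sri_addr}" ] || return 2
    sri_out="$(${IP_CMD:-ip} -o route get "${sri_addr}" 2>/dev/null)" || return 2
    uses_ipsec_dev "${sri_out}"
}

# Constructed sample lines in the shape `ip -o route get` prints.
for line in \
    '10.0.2.1 dev ipsec0 src 10.0.1.1 \    cache' \
    '10.0.2.1 dev ipsec1 src 10.0.1.1 \    cache' \
    '10.0.2.1 via 192.0.2.1 dev eth0 src 192.0.2.10 \    cache'
do
    if uses_ipsec_dev "${line}"; then
        printf '%s\n' "change: ${line}"
    else
        printf '%s\n' "keep:   ${line}"
    fi
done
```

Keeping return code 2 apart from 1 lets a caller tell a failed lookup from a route that simply does not use an ipsec device.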

