Hi Tobias,

I tested your new route reinstallation code for the netlink plugin,
and this is what I found:

- it works for link down/up on the external interface
- it fails when removing and re-adding the IP address, on either the
  external or the internal interface - the route is not restored.

My test scenario looks like ikev2/net2net-cert.
Each test run was prepared by /etc/init.d/ipsec restart.

-----------------------------------------------------------------
root@moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root@moon:~# ip link set eth0 down
root@moon:~# ip route ls table 220
root@moon:~# ip link set eth0 up
root@moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
-----------------------------------------------------------------
root@moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root@moon:~# ip addr del 192.168.0.1/24 dev eth0
root@moon:~# ip addr add 192.168.0.1/24 dev eth0
root@moon:~# ip route ls table 220
-----------------------------------------------------------------
root@moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root@moon:~# ip addr del 10.1.0.1/16 dev eth1
root@moon:~# ip addr add 10.1.0.1/16 dev eth1
root@moon:~# ip route ls table 220
-----------------------------------------------------------------

The change lookup code uses an uninitialized struct member:

----------------------------------------------------------------------------
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -370,6 +370,7 @@
        {
                net_change_t *change, lookup = {
                        .if_name = route->if_name,
+                       .ip = NULL,
                };
                /* check if a generic change for this interface is queued */
                change = this->net_changes->get(this->net_changes, &lookup);
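Review bot: the added `.ip = NULL` does not change behaviour: with a C99 designated initializer such as `lookup = { .if_name = route->if_name, }`, every member not named in the list is already zero-initialized, so `lookup.ip` was NULL before this hunk too. That is consistent with the lookup still failing after the change. Worth checking instead is how `this->net_changes` hashes and compares entries on the `ip` member, and whether a NULL `ip` is meant to act as the wildcard that the comment "check if a generic change for this interface is queued" implies.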
----------------------------------------------------------------------------

but this does not seem to be the only reason for the failure.

reinstall_routes() compares the route's preferred source IP and the route's
outgoing network interface to the IP address and interface as reported
by the RTM_NEWADDR netlink message.

In the netlink message, IP address and network interface belong together,
while the route's preferred source IP belongs to an interface
different from the route's outgoing one.

That's why reinstall_routes() cannot match the net_change created by
RTM_NEWADDR to any recorded route.

Regards,
Mirko
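The mismatch described above (route source address on one interface, route outgoing device on another) can be reproduced with a small model. The following is an added example written for this page, not code from strongSwan; the type names, the two matcher functions and the "match either field" relaxation are assumptions made for illustration, and the sample route and address changes are constructed to mirror the ikev2/net2net-cert scenario in the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the netlink plugin's route bookkeeping.
 * The names and field layout are assumptions for this example and are
 * not the project's own types. */
typedef struct {
    const char *dst;      /* destination prefix, e.g. "10.2.0.0/16" */
    const char *gateway;  /* next hop */
    const char *if_name;  /* outgoing interface of the route */
    const char *src_ip;   /* preferred source address of the route */
} model_route_t;

typedef struct {
    const char *if_name;  /* interface reported by RTM_NEWADDR */
    const char *ip;       /* address reported by RTM_NEWADDR */
} model_net_change_t;

/* Matching as the mail describes reinstall_routes(): the interface and
 * the address carried by RTM_NEWADDR must both equal the route's fields. */
bool match_strict(const model_route_t *r, const model_net_change_t *c)
{
    return strcmp(r->if_name, c->if_name) == 0 &&
           strcmp(r->src_ip, c->ip) == 0;
}

/* Assumed relaxation: a route is affected when the re-added address sits
 * on its outgoing interface OR is its preferred source address. */
bool match_either(const model_route_t *r, const model_net_change_t *c)
{
    return strcmp(r->if_name, c->if_name) == 0 ||
           strcmp(r->src_ip, c->ip) == 0;
}

/* Constructed scenario: the table 220 route from the mail, plus the two
 * address re-adds that failed and one unrelated change as a control. */
static const model_route_t route = {
    "10.2.0.0/16", "192.168.0.2", "eth0", "10.1.0.1"
};
static const model_net_change_t ext_readd = { "eth0", "192.168.0.1" };
static const model_net_change_t int_readd = { "eth1", "10.1.0.1" };
static const model_net_change_t unrelated = { "eth2", "172.16.0.1" };

typedef bool (*matcher_t)(const model_route_t *, const model_net_change_t *);

/* Count how many of the constructed address changes a matcher links
 * back to the recorded route. */
int count_matches(matcher_t m)
{
    const model_net_change_t *changes[] = { &ext_readd, &int_readd, &unrelated };
    int n = 0;
    for (size_t i = 0; i < sizeof(changes) / sizeof(changes[0]); i++) {
        if (m(&route, changes[i])) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Strict matching finds nothing, which is the failure the mail reports;
     * matching on either field picks up both re-adds and ignores eth2. */
    printf("strict matches: %d\n", count_matches(match_strict));
    printf("either matches: %d\n", count_matches(match_either));
    return 0;
}
```

The strict matcher never fires because the external re-add carries the right interface but the wrong address, while the internal re-add carries the right address on the wrong interface; only a rule that looks at the two fields independently ties either event back to the route.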

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
