We have a case where the charon daemon faults and gets restarted badly (the 
crash is something to do with elliptical DH groups and heap corruption that we 
still have to track down - that's another topic).  

Today's topic is that when the daemon restarts, the security policies all get 
deleted.  This leaves the kernel completely wide open...

The log entries are:

11:51:00 09[KNL] adding policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] unable to add policy: File exists. (5017)
11:51:00 09[KNL] unable to add policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] adding policy 10.2.10.122/32 === 10.2.10.121/32 in
11:51:00 09[KNL] unable to add policy: File exists. (5017)
11:51:00 09[KNL] unable to add policy 10.2.10.122/32 === 10.2.10.121/32 in
11:51:00 09[CFG] installing trap failed
11:51:00 09[KNL] deleting policy 10.2.10.121/32 === 10.2.10.122/32 out
11:51:00 09[KNL] deleting policy 10.2.10.122/32 === 10.2.10.121/32 in

I didn't study the error recovery path in depth, but the error is reported by 
add_policy_internal (in 
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c).  The kernel will only 
return EEXIST when the operation is SADB_X_SPDADD.  add_policy_internal is only 
called with the update parameter FALSE from the add_policy method.

I checked the KLIPS and Netlink versions and it looks like the add_policy 
method is always supposed to update existing SPs in the kernel.

With that in mind, would the fix for this problem be to handle EEXIST in 
add_policy_internal by replacing

        if (pfkey_send(this, msg, &out, &len) != SUCCESS)

with 

        status = pfkey_send(this, msg, &out, &len);
        /* SP is already present in the kernel (survived the restart): retry as an update */
        if (status != SUCCESS && !update && out->sadb_msg_errno == EEXIST)
        {
                msg->sadb_msg_type = SADB_X_SPDUPDATE;
                status = pfkey_send(this, msg, &out, &len);
        }
        if (status != SUCCESS)

TIA for your advice.
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
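The add-or-update fallback proposed above, written out as an added stand-alone example (not strongSwan's code and not from the poster): the kernel is replaced by a constructed in-memory SPD slot that models Linux PF_KEY semantics (SADB_X_SPDADD is exclusive and answers EEXIST when the entry exists; SADB_X_SPDUPDATE inserts or replaces), so the retry path can be exercised without a PF_KEY socket or CAP_NET_ADMIN. spd_install, spd_xmit_fn, fake_xmit and struct fake_spd are hypothetical names; only the message types and PF_KEY_V2 come from <linux/pfkeyv2.h>.

```c
#include <errno.h>
#include <linux/pfkeyv2.h>
#include <stdbool.h>
#include <stdint.h>

/* Transport hook: hands the message to "the kernel" and returns the errno the
 * PF_KEY reply carries (0 on success).  In the daemon this is pfkey_send plus a
 * look at out->sadb_msg_errno; here it is injected so the logic is testable. */
typedef int (*spd_xmit_fn)(struct sadb_msg *msg, void *ctx);

/* Hypothetical add-or-update helper.  An SPDADD the kernel refuses with EEXIST
 * (the SP survived the previous charon instance) is resent as SPDUPDATE, so the
 * stale policy is refreshed instead of being deleted, which is what leaves the
 * kernel open in the post.  *fell_back reports whether the retry happened. */
static int spd_install(struct sadb_msg *msg, bool update,
                       spd_xmit_fn xmit, void *ctx, bool *fell_back)
{
    msg->sadb_msg_version = PF_KEY_V2;
    msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
    *fell_back = false;
    int err = xmit(msg, ctx);
    if (err == EEXIST && !update)
    {
        msg->sadb_msg_type = SADB_X_SPDUPDATE;
        *fell_back = true;
        err = xmit(msg, ctx);
    }
    return err;
}

/* Constructed stand-in for one kernel SPD slot (Linux semantics): SPDADD is
 * exclusive and fails with EEXIST if present; SPDUPDATE inserts or replaces. */
struct fake_spd { bool present; int calls; uint8_t last_type; };

static int fake_xmit(struct sadb_msg *msg, void *ctx)
{
    struct fake_spd *spd = ctx;
    spd->calls++;
    spd->last_type = msg->sadb_msg_type;
    if (msg->sadb_msg_type == SADB_X_SPDADD && spd->present)
        return EEXIST;                         /* "File exists" from the log */
    if (msg->sadb_msg_type == SADB_X_SPDADD || msg->sadb_msg_type == SADB_X_SPDUPDATE)
    {
        spd->present = true;                   /* policy stays installed */
        return 0;
    }
    return EINVAL;                             /* not modelled here */
}
```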
