On Wed, 7 May 2014, Wolfgang Nothdurft wrote:

If the ip address of a dynamic base device changes the old ip address will not be removed even after an ipsec restart.

The problem was introduced with the

commit eafef8377e6aa5be0001d4b61c48cbee3e8097c4
Author: Paul Wouters <[email protected]>
Date:   Fri Mar 28 19:05:56 2014 -0400

   _stackmanager: optimize unloading stacks

https://lists.libreswan.org/pipermail/swan-commit/2014-March/001055.html

With this change the ipsec modules won't be unloaded on stop.

Should it be part of the network scripts to take care of an ip address change and remove it from the ipsec device?

What is the recommended procedure that the network scripts have to follow when the ip address changes?

I think one simple solution would be to flush the ip from ipsec after clearing the eroutes, or to replace the ip instead of adding it in the startklips function.

You would have to delete the IP and the aliases too, so that's not
trivial as aliases can be added in the old and new method.

As the above fix was mostly meant for the NETKEY/XFRM unloading issues,
I've just pushed a change that will unload KLIPS when stop is called
and which won't unload netkey modules unless changing to klips:

diff --git a/programs/_stackmanager/_stackmanager.in
b/programs/_stackmanager/_stackmanager.in
index d2f52fb..d19091a 100644
--- a/programs/_stackmanager/_stackmanager.in
+++ b/programs/_stackmanager/_stackmanager.in
@@ -434,19 +434,16 @@ esac

 case ${action} in
     stop)
-       # We don't unload on stop - only when we detect a stack change.
        We do try and cleanup state
-       case ${stack} in
-           netkey)
+       # We don't unload NETKEY/XFRM on stop - only when we detect a stack 
change.
+       if [ -f ${ipsecpfkey} ]; then
+               ipsec eroute --clear
+               # this clears all IP addresses on ipsecX interfaces by 
unloading the module
+               stopklips()
+       elif [ -f ${kamepfkey} ]; then
                ip xfrm state flush
                ip xfrm policy flush
-               ;;
-           klips)
-               ipsec eroute --clear
-               ;;
-           mast)
-               ipsec eroute --clear
-               ;;
-       esac
+               # module unloading skipped on purpose - can hang for a long 
time or fail
+       fi
        ;;
     start)
        case ${stack} in
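Review bot: `stopklips()` in the new `${ipsecpfkey}` branch is shell syntax for the start of a function definition, not a call, so the script will fail to parse at the following `elif`; it should be invoked as a plain `stopklips`. Two smaller points in the same hunk: `[ -f ${ipsecpfkey} ]` and `[ -f ${kamepfkey} ]` are unquoted, so if either variable is empty the test collapses to `[ -f ]`, which is true (one non-null argument) and would send a NETKEY host down the KLIPS branch; write `[ -f "${ipsecpfkey}" ]` and `[ -f "${kamepfkey}" ]`. And the removed `mast)` arm is not mentioned anywhere in the new code; if mast is meant to be covered by the `${ipsecpfkey}` branch, a short comment saying so next to `ipsec eroute --clear` would save the next reader a trip through `_startklips`.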

Hope this addresses your issue,

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
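A sketch of what the network-script hook Wolfgang asks about could do, added here as an illustration; it is not libreswan code and not something either poster proposed. It assumes the KLIPS interface is `ipsec0` and sits on `eth0` (assumed names), reads both with `ip -4 -o addr show dev <if>` and applies changes with `ip addr add/del`; the sample `ip` output at the bottom is constructed. The point about aliases is handled by working from the address list rather than the interface name: both the old `eth0:1` label aliases and the new secondary addresses appear as their own `inet` line in that output, so one diff of the two lists catches both kinds.

```shell
#!/bin/sh
# Added illustration, not libreswan code.  Reconcile the IPv4 addresses on a
# KLIPS ipsecN interface with those on the physical device it sits on, so a
# stale address left behind after a DHCP/PPP change gets removed and a new
# one gets added.  Interface names "eth0"/"ipsec0" below are assumptions.

# Extract "addr/prefix" from "ip -4 -o addr show dev <if>" output, one per line.
# Old-style label aliases (eth0:1) and new-style secondary addresses both
# appear as their own "inet" line, so both are picked up here.
addrs_from_ip_output() {
    awk '$3 == "inet" { print $4 }' | sort -u
}

# True when "$1" appears as a whole line in the newline-separated list "$2".
in_list() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# $1: address list of the physical device, $2: address list of the ipsec device
# (newline separated; word splitting on them is intended, addresses have no spaces).
# Prints one action per line: "del a/p" for addresses the physical device no
# longer has, "add a/p" for ones the ipsec device is missing.
plan_sync() {
    phys=$1
    cur=$2
    for a in $cur; do
        in_list "$a" "$phys" || echo "del $a"
    done
    for a in $phys; do
        in_list "$a" "$cur" || echo "add $a"
    done
}

# Apply the plan to a live system (needs root and the real interfaces).
sync_ipsec_addrs() {
    phys_if=$1
    ipsec_if=$2
    phys=$(ip -4 -o addr show dev "$phys_if" | addrs_from_ip_output)
    cur=$(ip -4 -o addr show dev "$ipsec_if" | addrs_from_ip_output)
    plan_sync "$phys" "$cur" | while read -r op addr; do
        ip addr "$op" "$addr" dev "$ipsec_if"
    done
}

# Constructed sample output in the shape "ip -4 -o addr show" prints: eth0 got a
# new primary 192.0.2.10 plus an old-style alias eth0:1, while ipsec0 still
# carries the previous 198.51.100.5 and already has 192.0.2.10.
SAMPLE_ETH0='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 scope global secondary eth0:1\       valid_lft forever preferred_lft forever'
SAMPLE_IPSEC0='7: ipsec0    inet 198.51.100.5/24 scope global ipsec0\       valid_lft forever preferred_lft forever
7: ipsec0    inet 192.0.2.10/24 scope global ipsec0\       valid_lft forever preferred_lft forever'

# Dry run on the sample data: prints "del 198.51.100.5/24" then "add 192.0.2.11/24".
demo_plan() {
    plan_sync "$(printf '%s\n' "$SAMPLE_ETH0" | addrs_from_ip_output)" \
              "$(printf '%s\n' "$SAMPLE_IPSEC0" | addrs_from_ip_output)"
}
```

`plan_sync` only computes the plan, which is what the sample data exercises; `sync_ipsec_addrs` applies it with `ip addr` and so needs root and the real interfaces. Running it from the hook that fires on an address change (or from `ipsec restart` before the eroutes are rebuilt) would remove exactly the stale address Wolfgang describes without touching addresses that are still valid.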
