[strongSwan-dev] route reinstallation test report and analysis

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Sun May 6 12:14:12 CEST 2012


Hi Tobias,

I tested your new route reinstallation code for the netlink plugin,
and this is what I found:

- it works for link down/up on the external interface
- it fails when removing and re-adding the IP address, on either the
  external or the internal interface - the route is not restored.

My test scenario looks like ikev2/net2net-cert.
Each test run was prepared by /etc/init.d/ipsec restart.

-----------------------------------------------------------------
root at moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root at moon:~# ip link set eth0 down
root at moon:~# ip route ls table 220
root at moon:~# ip link set eth0 up
root at moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
-----------------------------------------------------------------
root at moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root at moon:~# ip addr del 192.168.0.1/24 dev eth0
root at moon:~# ip addr add 192.168.0.1/24 dev eth0
root at moon:~# ip route ls table 220
-----------------------------------------------------------------
root at moon:~# ip route ls table 220
10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1
root at moon:~# ip addr del 10.1.0.1/16 dev eth1
root at moon:~# ip addr add 10.1.0.1/16 dev eth1
root at moon:~# ip route ls table 220
-----------------------------------------------------------------

The change lookup code uses an uninitialized struct member:

----------------------------------------------------------------------------
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -370,6 +370,7 @@
 	{
 		net_change_t *change, lookup = {
 			.if_name = route->if_name,
+			.ip = NULL,
 		};
 		/* check if a generic change for this interface is queued */
 		change = this->net_changes->get(this->net_changes, &lookup);
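Review bot: the added `.ip = NULL` does not initialize anything that was uninitialized, so it cannot be what fixes the lookup. `lookup = { .if_name = route->if_name, };` is a brace-enclosed initializer with a designated member, and C99 6.7.8 p21 requires every member not named in such a list to be initialized as a static object would be, i.e. `.ip` was already a null pointer before this hunk. Keeping the line is fine as documentation that a generic, address-less change is being looked up, but it should be described as an explicitness change, ideally with a short comment beside it, rather than as a fix; the failure to reinstall the route has to be looked for in the matching done by reinstall_routes().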
----------------------------------------------------------------------------

but this does not seem to be the only reason for the failure.

reinstall_routes() compares the route's preferred source IP and the route's
outgoing network interface to the IP address and interface as reported
by the RTM_NEWADDR netlink message.

In the netlink message, IP address and network interface belong together,
while the route's preferred source IP belongs to an interface
different from the route's outgoing one.

That's why reinstall_routes() cannot match the net_change created by
RTM_NEWADDR to any recorded route.

Regards,
Mirko
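As an added illustration of the analysis above (written for this note, not strongSwan code): the C below models the recorded route from the test session and the three events that were tried, then compares the strict pairing reinstall_routes() is described as doing, preferred source address and outgoing interface both taken from the same RTM_NEWADDR message, against a relaxed predicate that treats a route as affected when either its outgoing interface or its preferred source address is touched. The types, the function names and the relaxed predicate are hypothetical and are not what the plugin implements.

```c
/* Added example, not strongSwan code. Models the match between a recorded
 * route and a net_change derived from an RTM_NEWADDR message, using the
 * addresses from the ikev2/net2net-cert style session on moon.
 * route_t, net_change_t, matches_strict(), matches_either() are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    const char *if_name;   /* outgoing interface of the route */
    const char *src_ip;    /* preferred source address, configured on another interface */
    const char *dst;
    const char *gateway;
} route_t;

typedef struct {
    const char *if_name;   /* interface the event was reported on */
    const char *ip;        /* NULL for a generic link change (RTM_NEWLINK) */
} net_change_t;

/* Route installed in table 220 on moon: src 10.1.0.1 lives on eth1,
 * but the route leaves via eth0 towards 192.168.0.2. */
static const route_t moon_route = { "eth0", "10.1.0.1", "10.2.0.0/16", "192.168.0.2" };

/* Constructed events, one per test run shown in the report. */
static const net_change_t test_events[3] = {
    { "eth0", NULL },          /* ip link set eth0 up                  */
    { "eth0", "192.168.0.1" }, /* ip addr add 192.168.0.1/24 dev eth0  */
    { "eth1", "10.1.0.1" },    /* ip addr add 10.1.0.1/16 dev eth1     */
};

/* Strict pairing: the event's address AND interface must both equal the
 * route's preferred source and outgoing interface. A generic link event
 * (ip == NULL) only needs the interface to match. */
static bool matches_strict(const route_t *r, const net_change_t *c)
{
    if (c->ip == NULL)
        return strcmp(r->if_name, c->if_name) == 0;
    return strcmp(r->if_name, c->if_name) == 0 &&
           strcmp(r->src_ip, c->ip) == 0;
}

/* Relaxed candidate: the route is affected if the event concerns its
 * outgoing interface, or re-adds its preferred source address on any
 * interface. Hypothetical; shown only to contrast with the strict form. */
static bool matches_either(const route_t *r, const net_change_t *c)
{
    if (strcmp(r->if_name, c->if_name) == 0)
        return true;
    return c->ip != NULL && strcmp(r->src_ip, c->ip) == 0;
}

/* Number of the three test events that would trigger a reinstall. */
static int count_matches(bool (*match)(const route_t *, const net_change_t *))
{
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (match(&moon_route, &test_events[i]))
            n++;
    return n;
}

int main(void)
{
    for (int i = 0; i < 3; i++) {
        const net_change_t *c = &test_events[i];
        printf("event %d (%s, %s): strict=%d either=%d\n", i, c->if_name,
               c->ip ? c->ip : "link", matches_strict(&moon_route, c),
               matches_either(&moon_route, c));
    }
    printf("strict matches %d/3, either matches %d/3\n",
           count_matches(matches_strict), count_matches(matches_either));
    return 0;
}
```

Under the strict pairing only the link-up event matches, which is exactly the observed behaviour: link down/up restores the route, address removal and re-addition on either interface does not, because the (address, interface) pair in the netlink message never equals the (src, outgoing interface) pair of the route.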
