[strongSwan] swanctl deadlock

Volodymyr Litovka doka.ua at gmx.com
Wed Nov 18 12:26:58 CET 2020 

Hi Tobias,

On 18.11.2020 12:49, Tobias Brunner wrote:
>> I'm using call to swanctl in updown script in order to distinguish
>> between deleting connection and IKE rekeying, checking for existence of
>> IKE session and, thus, trying to avoid unnecessary changes to the network:
> You can't detect IKE rekeying from the updown script as no updown event
> is generated during it.  If you are referring to reauthentication, it
> might be easier to do refcounting.

Sorry for the error in terminology - sure, I'm about reauthentication.
In current model I'm getting interface up/down every negotiated reauth
time, like this:

Nov 18 02:42:53 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 02:42:56 vpnhost updown: Creating interface upon up-client event for 'doka'
Nov 18 02:43:07 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 02:43:15 vpnhost updown: Creating interface upon up-client event for 'doka'
Nov 18 06:42:54 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 06:42:57 vpnhost updown: Creating interface upon up-client event for 'doka'
Nov 18 06:43:07 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 06:43:15 vpnhost updown: Creating interface upon up-client event for 'doka'
Nov 18 10:42:54 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 10:42:58 vpnhost updown: Creating interface upon up-client event for 'doka'
Nov 18 10:43:07 vpnhost updown: Deleting interface upon down-client event for 'doka'
Nov 18 10:43:15 vpnhost updown: Creating interface upon up-client event for 'doka'

which lead to few seconds break between down and up events (it's another
subject to research why these pairs are duplicated - I mean two down/up
events close to each other).

I've never heard about "refcounting" before :-) Could you, please, give
some links to an explanation?

> While the updown script is called, the daemon's event bus is locked.
> This pretty much makes any call from it to the daemon prone to
> deadlocks.  Note that vici clients that listen to events don't have that
> problem because they are notified asynchronously.

Cool, thank you.

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201118/70ee5018/attachment.html>

More information about the Users mailing list