Bug 462731
| Summary: | invalid behaviour of NETKEY / XFRM deleting SPD | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Johannes Russek <johannes.russek> | ||||||
| Component: | kernel | Assignee: | Herbert Xu <herbert.xu> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Red Hat Kernel QE team <kernel-qe> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 5.3 | CC: | dzickus, emcnabb, herbert.xu, mjenner, tis, uwe.knop | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-09-02 08:45:40 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Johannes Russek
2008-09-18 16:14:46 UTC
we don't support strongswan, can you give openswan a try? strongswan is just considered to be the more secure and elaborate solution. stuff like ikev2 and mobike is in strongswan but not in openswan, as well as sophisticated pki infrastructure support (like scep, ocsp, crl cache etc..) which is what we like about it (we are using the redhat / dogtag pki which works very well together with strongswan!). also, as far as i can nail it doen, this actually has been working pre 5.2! regards, johannes Johannes, we need to determine whether this is a bug in Stronswan or the kernel. Could you please strace strongswan when you perform the action that leads to the policies being deleted? Please run strace with -s 4096 so we get the complete netlink messages. This should tell us what netlink commands it issued and hence whether the bug is in the kernel or Strongswan. Thanks! Created attachment 349106 [details]
output from strace -f -s 8096 during ipsec status
This is the output of
strace -f -o pluto.out -s 8096 ipsec start
then after the connection is being brought up with
ipsec up testconnection
i created the attachment with fail -f pluto.out >> pluto_status.out
and issued ipsec status, which then leads to the described behaviour.
this is the latest strongswan (4.3.1) as well as the latest kernel (2.6.18-128.1.14.el5).
I've set up a test environment for this kind of testing within qemu now, so if you need anything else, please just let me know, i will be able to supply you with that much faster than before.
Thanks,
Johannes
I'm sorry, that's of course supposed to say "tail -f pluto.out". OK the strace doesn't show any problems. pluto does getpolicy three times and get valid results each time. Can you run ip xfrm monitor in addition to strace to see if something else is deleting the policies? Thanks! ip xfrm monitor doesn't show anything when ipsec status is issued. before that, i get a lot of those: Unknown message: 00000096 0x0000001e 0x00000000 Unknown message: 00000096 0x0000001e 0x00000000 Unknown message: 00000096 0x0000001e 0x00000000 but i don't think that's a problem since the ipsec is up and running while i'm getting those. anything else i can do? Johannes What does ip -s x p say when the policies are present? What does it say immediately after you run ipsec status? Can you try to replicate what pluto is sending by using ip xfrm? For example, does ip xfrm policy get dir in SELECTOR (you'll have to spell this out with your selector) cause the policy to be deleted? If not please strace ip xfrm policy get so I can see what's different between its message and that sent from pluto. Thanks. Hello Herbert, sorry i wasn't in the lab untill now. However, this confirmed that the error indeed appears not to be in pluto: [root@fw01 ~]# ip xfrm policy get dir out src 192.168.100.0/24 dst 192.168.2.0/24 src 192.168.100.0/24 dst 192.168.2.0/24 dir out priority 2344 tmpl src 192.168.121.187 dst 192.168.121.233 proto esp reqid 16385 mode tunnel [root@fw01 ~]# ip xfrm policy get dir out src 192.168.100.0/24 dst 192.168.2.0/24 RTNETLINK answers: No such file or directory there was absolutely nothing done inbetween, both commands were applied right after each other. Thanks for your help so far. For more info ask as usual :) Regards, Johannes Hmm, indeed I can reproduce this too on a RHEL5 kernel. Let me investigate. Created attachment 350249 [details]
ipsec: Add missing braces to fix policy querying
Braces were missing in the policy querying functions causing the queried policies to be deleted.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. in kernel-2.6.18-158.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified. was able to verify the fix in the test kernel :) An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1243.html |