List: strongswan-users
Subject: Re: [strongSwan] [PATCH] config updates with non-fatal errors
From: Andreas Steffen <andreas.steffen () strongswan ! org>
Date: 2007-08-02 14:10:08
Message-ID: 46B1E5C0.6060309 () strongswan ! org
Hi Gerd,
here is a slightly different implementation of your proposed patch.
If a DNS lookup failure occurs during "ipsec update" and either
rightallowany=yes is set or the % allow_any prefix has been used
then the connection will not be updated by right=%any, but the
latest successfully resolved IP will be kept, thereby avoiding
a disruption of a running connection.
This new trial version is also available as a release candidate:
http://download.strongswan.org/strongswan-2.8.7rc0.tar.bz2
Regards
Andreas
Gerd v. Egidy wrote:
> Hi,
>
>> I cooked up the attached patch trying to fix this. Is there any special
>> reason you don't want to update the config in the case of non-fatal errors?
>> I've seen that you added the line I'm changing now with the changeset
>> allowing the start with non-fatal errors. So I think there must be some
>> reason behind this, but I fail to see it.
>
> I think I found it out myself: as soon as a (even temporary) DNS error occurs,
> the connection is torn down. Because the host experiencing the DNS error
> doesn't know the IP of the remote host, it can't reestablish the connection.
> So even short DNS problems will result in broken connections.
>
> I developed another patch working around this problem: starter can now find
> out which connections have dns problems and will keep just the config of
> these. Other ones are updated as regular. This works just when the right|
> left=%<fqdn> syntax is used.
>
> Please take a look at this patch and consider integrating it.
>
> Kind regards,
>
> Gerd
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
["starter.diff" (text/plain)]
? starter
? starter.diff
Index: cmp.c
===================================================================
RCS file: /var/cvsroot/strongswan/programs/starter/cmp.c,v
retrieving revision 1.12
diff -r1.12 cmp.c
39c39,46
< ADDCMP(addr);
---
> if (c2->dns_failed)
> {
> c2->addr = c1->addr;
> }
> else
> {
> ADDCMP(addr);
> }
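Review bot: assigning `c2->addr = c1->addr` inside a comparison routine in cmp.c is a side effect a reader of a compare function will not expect; add a comment at that branch stating which of c1/c2 is the old and which the new configuration, and that the previously resolved address is deliberately carried over into the new end when its lookup failed, so that the intent is recorded next to the code rather than only in the mailing-list message.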
Index: confread.c
===================================================================
RCS file: /var/cvsroot/strongswan/programs/starter/confread.c,v
retrieving revision 1.42
diff -r1.42 confread.c
183,184c183
< bool fallback_to_any = FALSE;
<
---
> /* check for allow_any prefix */
187d185
< fallback_to_any = TRUE;
196c194
< if (fallback_to_any)
---
> if (streq(ugh, "does not look numeric and name lookup failed"))
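Review bot: matching the lookup failure by comparing `ugh` against the literal "does not look numeric and name lookup failed" is fragile; if that message text is ever changed where it is produced, this `streq` silently stops matching and the failure falls through to the ordinary error path instead of setting `dns_failed`. A distinct return value or a flag set by the resolver would make the condition explicit; failing that, a comment here should name the function that emits that exact string.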
198c196
< plog("# fallback to %s=%%any due to '%%' prefix");
---
> end->dns_failed = TRUE;
200,201d197
< end->allow_any = FALSE;
< cfg->non_fatal_err++;
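Review bot: removing `cfg->non_fatal_err++` here, while the new handle_dns_failure() only increments `cfg->err` in the `!allow_any` case, means a lookup failure on an allow_any end is no longer counted anywhere in this patch; confirm that whatever reads `non_fatal_err` (the "start with non-fatal errors" behaviour mentioned in the thread) is meant to see zero for this case. Leaving `end->allow_any` untouched is what lets starterwhack.c mask it with `!end->dns_failed`, so a one-line comment saying so would help the next reader.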
313a310,330
> * handles left|right=<FQDN> DNS resolution failure
> */
> static void
> handle_dns_failure( const char *label, starter_end_t *end, starter_config_t *cfg)
> {
> if (end->dns_failed)
> {
> if (end->allow_any)
> {
> plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
> label, label);
> }
> else
> {
> /* declare an error */
> cfg->err++;
> }
> }
> }
>
> /*
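Review bot: the added block opens with ` * handles left|right=<FQDN> DNS resolution failure` and ends with a bare `/*`, i.e. the new function is spliced into the middle of the comment that begins at the unchanged line 313; this compiles but is hard to read in the diff and easy to break on the next edit. Prefer inserting the function before that comment with its own complete `/* ... */` header. Also, in the `allow_any` branch the failure is only logged: if the caller is expected to notice it (for example to report "updated with warnings"), a counter increment belongs here too.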
474a492,494
>
> handle_dns_failure("left", &conn->left, cfg);
> handle_dns_failure("right", &conn->right, cfg);
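Review bot: these two calls evaluate `end->dns_failed`, a field introduced by this patch, for every connection; confirm that starter_end_t is zero-initialised where connections are created (calloc or memset) so that an end whose name lookup was never attempted, for instance a numeric address, is not reported as a DNS failure.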
Index: confread.h
===================================================================
RCS file: /var/cvsroot/strongswan/programs/starter/confread.h,v
retrieving revision 1.27
diff -r1.27 confread.h
66a67
> bool dns_failed;
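Review bot: the new `dns_failed` field carries no comment; add one stating that it is set in confread.c when a left|right=<FQDN> lookup fails and is consumed by handle_dns_failure() and starterwhack.c, so its lifetime (valid only for the current load) is clear from the header alone.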
Index: starterwhack.c
===================================================================
RCS file: /var/cvsroot/strongswan/programs/starter/starterwhack.c,v
retrieving revision 1.21
diff -r1.21 starterwhack.c
170a171
> w->allow_any = end->allow_any && !end->dns_failed;
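Review bot: the assignment is moved up from line 177 to line 171 and gains `&& !end->dns_failed`; check that nothing between those lines reads `w->allow_any` before it is now set, and add a comment explaining why a failed lookup suppresses %any here (the daemon keeps the last resolved peer address from cmp.c instead of accepting any initiator), since the reason lives in a different file.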
177d177
< w->allow_any = end->allow_any;
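To make the behaviour Andreas describes concrete (a lookup failure during "ipsec update" keeps the last resolved address instead of falling back to %any when the '%' prefix or allowany=yes is set, and is a hard error otherwise), here is a small self-contained C model of that decision. It is an added example, not strongSwan code: the types and functions (end_t, load_end, merge_update, whack_allow_any) and the two stub resolvers with the constructed address 192.0.2.10 are hypothetical stand-ins for starter's real structures and name lookup.

```c
/* Added example: a constructed model of starter's "ipsec update" decision.
 * Not strongSwan code; end_t, load_end, merge_update and whack_allow_any are
 * hypothetical names chosen for this illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 64

typedef struct {
    bool allow_any;       /* '%' prefix on the value or left|rightallowany=yes */
    bool dns_failed;      /* the FQDN lookup failed during this load */
    char addr[ADDR_LEN];  /* last successfully resolved address, "" if none */
} end_t;

/* Resolver hook: writes the address into out and returns true on success. */
typedef bool (*resolve_fn)(const char *fqdn, char *out, size_t outlen);

typedef enum { END_UPDATED, END_KEPT_OLD, END_FATAL } merge_result_t;

/* Parse one left|right= value and try to resolve it. */
static void load_end(end_t *end, const char *value, resolve_fn resolve)
{
    memset(end, 0, sizeof(*end));   /* zero-initialise, so dns_failed starts false */
    if (value[0] == '%') {
        end->allow_any = true;
        value++;                    /* strip the allow_any prefix */
    }
    if (!resolve(value, end->addr, sizeof(end->addr))) {
        end->dns_failed = true;
        end->addr[0] = '\0';
    }
}

/* Merge a freshly parsed end into the currently running configuration. */
static merge_result_t merge_update(end_t *running, const end_t *fresh)
{
    if (fresh->dns_failed) {
        if (!fresh->allow_any) {
            return END_FATAL;       /* no address and no permission to wait: error */
        }
        /* keep the previously resolved address instead of switching to %any */
        running->allow_any = fresh->allow_any;
        running->dns_failed = true;
        return END_KEPT_OLD;
    }
    *running = *fresh;              /* lookup succeeded: take the new address */
    return END_UPDATED;
}

/* What is handed to the IKE daemon: %any is allowed only if this load resolved. */
static bool whack_allow_any(const end_t *end)
{
    return end->allow_any && !end->dns_failed;
}

/* Constructed resolvers standing in for the real name lookup. */
static bool resolve_ok(const char *fqdn, char *out, size_t outlen)
{
    if (strcmp(fqdn, "gw.example.org") == 0) {
        snprintf(out, outlen, "%s", "192.0.2.10");   /* constructed sample address */
        return true;
    }
    return false;
}

static bool resolve_fail(const char *fqdn, char *out, size_t outlen)
{
    (void)fqdn; (void)out; (void)outlen;
    return false;                   /* simulates a DNS outage */
}

/* Walks through the three outcomes; returns true when each behaves as described. */
static bool check_update_behaviour(void)
{
    end_t running, fresh;
    load_end(&running, "%gw.example.org", resolve_ok);       /* initial ipsec start */
    if (!whack_allow_any(&running) || strcmp(running.addr, "192.0.2.10") != 0) return false;

    load_end(&fresh, "%gw.example.org", resolve_fail);       /* DNS outage during update */
    if (merge_update(&running, &fresh) != END_KEPT_OLD) return false;
    if (strcmp(running.addr, "192.0.2.10") != 0 || whack_allow_any(&running)) return false;

    load_end(&fresh, "gw.example.org", resolve_fail);        /* no prefix: hard error */
    if (merge_update(&running, &fresh) != END_FATAL) return false;

    load_end(&fresh, "%gw.example.org", resolve_ok);         /* DNS back: normal update */
    return merge_update(&running, &fresh) == END_UPDATED && whack_allow_any(&running);
}

int main(void)
{
    printf("update behaviour as described: %s\n", check_update_behaviour() ? "yes" : "no");
    return 0;
}
```

The point the model makes explicit is the pairing in the patch: cmp.c carries the old address into the new configuration, and starterwhack.c clears allow_any for that load, so the daemon neither loses the peer address nor opens the connection to any initiator while DNS is down.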
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users