[Pkg-swan-devel] resolvconf update script failure leads to forgotten device

corey kasten coreykasten at gmail.com
Thu May 5 17:21:34 UTC 2016


I'm using strongswan 5.1.2-0ubuntu2.4 on ubuntu 14.04, and I noticed a
scenario where resolvconf is run which correctly adds the interface, but
when the triggered update scripts run, one of them fails, and resolvconf
exits non-zero, which causes invoke_resolvconf() (in
src/libhydra/plugins/resolve/resolve_handler.c) to report a failure, which
in turn makes strongswan think the name server line failed to get
installed. This, in turn, makes strongswan forget about the installed
interface, and "ipsec down" does not remove the interface. See here for the
current patch implementation:

I suggest changing the code in invoke_resolvconf() to do the following:

1. Call "resolvconf --disable-updates"
2. Call resolvconf the way it is currently in invoke_resolvconf(). This
has the effect of installing or deleting the interface without running the
update script, and the exit code returned by "pclose()" will tell you
whether the resolvconf install succeeded.
3. Call "resolvconf --enable-updates" which will cause the postponed update
scripts to be run, and the errors here can be ignored or logged with "

4. Return the pclose() return value from step 2.

This way, strongswan will correctly register whether the interface has been
installed, and if it was installed, correctly remove it on "ipsec down"
even though one of the update scripts had failed.

Does this seem sensible?

Best Regards,
Corey Kasten