[Pkg-swan-devel] resolvconf update script failure leads to forgotten device

corey kasten coreykasten at gmail.com
Thu May 5 17:25:24 UTC 2016


Tobias and Yves-Alexis:
I would appreciate it if you could take a look at the below.

Thanks!
Corey Kasten

On Thu, May 5, 2016 at 10:21 AM, corey kasten <coreykasten at gmail.com> wrote:

> Hi!
>
> I'm using strongswan 5.1.2-0ubuntu2.4 on ubuntu 14.04, and I noticed a
> scenario where resolvconf is run which correctly adds the interface, but
> when the triggered update scripts run, one of them fails, and resolvconf
> exits non-zero, which causes invoke_resolvconf() (in
> src/libhydra/plugins/resolve/resolve_handler.c) to report a failure, which
> in turn makes strongswan think the name server line failed to get
> installed. This, in turn, makes strongswan forget about the installed
> interface, and "ipsec down" does not remove the interface. See here for the
> current patch implementation:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?filename=0001-Added-support-for-the-resolvconf-framework-in-resolv.patch;att=1;msg=20;bug=664873
>
> I suggest changing the code in invoke_resolvconf() to do the following:
>
> 1. Call "resolvconf --disable-updates"
> 2. Call resolvconf the way it is currently in invoke_resolvconf(). This
> has the effect of installing or deleting the interface without running the
> update script, and the exit code returned by "pclose()" will tell you
> whether the resolvconf install succeeded.
> 3. Call "resolvconf --enable-updates" which will cause the postponed
> update scripts to be run, and the errors here can be ignored or logged with
> "DBG1()".
>
> 4. Return the pclose() return value from step 2.
>
> This way, strongswan will correctly register whether the interface has
> been installed, and if it was installed, correctly remove it on "ipsec
> down" even though one of the update scripts had failed.
>
> Does this seem sensible?
>
> Best Regards,
> Corey Kasten
>
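
The four steps proposed in the quoted message, sketched in C as an added example (not strongSwan's code and not part of the original post). The function name `resolvconf_deferred`, the helper `run_cmd` and the command-string parameters are assumptions of this sketch; the stand-in shell commands and the nameserver address are constructed so it runs without resolvconf installed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/wait.h>

/* Run cmd via popen(); if input is non-NULL, write it to the command's stdin
 * (the command must read it). Returns the exit status, or -1 on failure. */
static int run_cmd(const char *cmd, const char *input)
{
    FILE *p = popen(cmd, "w");
    int status;

    if (!p)
        return -1;
    if (input)
        fputs(input, p);
    status = pclose(p);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Steps 1-4 from the message. On a real system the three commands would be
 * "resolvconf --disable-updates", "resolvconf -a <iface>" (or "-d <iface>")
 * and "resolvconf --enable-updates"; they are parameters here (an assumption
 * of this sketch) so the logic can be exercised with stand-in commands. */
int resolvconf_deferred(const char *disable_cmd, const char *change_cmd,
                        const char *enable_cmd, const char *input)
{
    int rc, hook_rc;

    if (run_cmd(disable_cmd, NULL) != 0)              /* step 1 */
        fprintf(stderr, "could not postpone updates; hooks may run in step 2\n");
    rc = run_cmd(change_cmd, input);                  /* step 2 */
    /* Step 3 runs even if step 2 failed, so updates never stay disabled. */
    hook_rc = run_cmd(enable_cmd, NULL);
    if (hook_rc != 0)
        fprintf(stderr, "update scripts failed (%d), ignored\n", hook_rc);
    return rc;                                        /* step 4 */
}

int main(void)
{
    /* Constructed stand-ins: the record is accepted, a hook script fails. */
    int rc = resolvconf_deferred("true", "cat >/dev/null", "exit 1",
                                 "nameserver 192.0.2.53\n");
    printf("install status: %d\n", rc);
    return rc;
}
```

The sketch re-enables updates unconditionally, so a failed install in step 2 cannot leave resolvconf with updates postponed.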