[Openswan dev] DPD broken in 2.6.23?

Frank Eberle himself at frank-eberle.de
Mon Oct 19 10:04:39 EDT 2009 

Hello,

I'm testing DPD with two systems running 2.4.15 (system-A) and 2.6.23
(system-B). The configuration looks like

192.168.209.0/24 -- system-A <---> system-B -- 192.168.11.0/24

-- snip ---------------------------------
conn C216
	type=tunnel
	keyingtries=0
	authby=secret
	pfs=no
	compress=no
	keylife="3600"
	ikelifetime="7800"
	ike=3des-md5-modp1024
	auth=esp
	esp=3des-md5
	left=10.0.0.1
	auto=start
	right=10.0.0.2
	leftsubnet=192.168.11.0/24
	rightsubnet=192.168.209.0/24
	dpdaction=hold
	dpddelay=5
	dpdtimeout=20
-- snip ---------------------------------

When I've interrupted the network connection between the two systems the
tunnel was set to 'hold' on both sides. After reconnecting the network
and sending pings from one network to the other I've got the following
behaviour.

Ping from 192.168.209.0/24 to 192.168.11.0/24: the tunnel was re-established
Ping from 192.168.11.0/24 to 192.168.209.0/24: the tunnel was NOT
re-established

I've analysed the code and found in Pluto kernel_netlink.c, function
netlink_acquire() the following lines

-- snip ---------------------------------
if (!(ugh = xfrm_to_ip_address(family, srcx, &src))
	&& !(ugh = xfrm_to_ip_address(family, dstx, &dst))
	&& (ugh = add_port (family, &src, acquire->sel.sport))
	&& (ugh = add_port (family, &dst, acquire->sel.dport))
	&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
	&& !(ugh = addrtosubnet(&src, &ours))
	&& !(ugh = addrtosubnet(&dst, &his)))
      record_and_initiate_opportunistic(&ours, &his, transport_proto
					  , "%acquire-netlink");
-- snip ---------------------------------

record_and_initiate_opportunistic() was never called, so I've checked
the if-statement. The return value of add_port() defined in initaddr.c
ist equal NULL when no error has occurred.  So in normal situations when
add_port() does not fail, the if-statement is always invalid. I've
changed the code to

-- snip ---------------------------------
if (!(ugh = xfrm_to_ip_address(family, srcx, &src))
	&& !(ugh = xfrm_to_ip_address(family, dstx, &dst))
	&& !(ugh = add_port (family, &src, acquire->sel.sport))
	&& !(ugh = add_port (family, &dst, acquire->sel.dport))
	&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
	&& !(ugh = addrtosubnet(&src, &ours))
	&& !(ugh = addrtosubnet(&dst, &his)))
      record_and_initiate_opportunistic(&ours, &his, transport_proto
					  , "%acquire-netlink");
-- snip ---------------------------------

and DPD is working again as expected.

I'm missing something or is there really a bug in the code?


Regards

Frank

More information about the Dev mailing list