xfrm refcount ips #1191
ea129f4 to 1a267ec
Thanks for the PR. I gave it a try. The first time I got an error. Then I tried to re-run it manually in a namespace and that run hit a segmentation fault.
I added a config line. Is that correct?
leftinterface-ip=192.0.1.251/24
ipsec auto --up west
1v2 "west" #1: initiating IKEv2 connection
1v2 "west" #1: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "west" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "west" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN ***@***.***'
003 ERROR: "west" #2: No IP to set on xfrmi device [ipsec1] id [1]
003 "west" #2: CHILD SA encountered fatal error: INVALID_SYNTAX
036 "west" #1: encountered fatal error in state STATE_V2_ESTABLISHED_IKE_SA
002 "west" #2: deleting larval Child SA (DELETE_IKE)
003 ERROR: "west" #2: netlink response for Del SA ***@***.***: No such process (errno 3)
002 "west" #1: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
002 "west" #1: deleting IKE SA (ESTABLISHED_IKE_SA) and NOT sending notification
west #
The above output is from the kvm runner. And when I tried to restart the namespace, seg fault.
gdb bt from the namespace re-run.
"Program terminated with signal SIGSEGV, Segmentation fault."
I will push a testcase that I used: ikev2-xfrmi-15-interface-ip
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000055a06442ad81 in refcnt_addref_where (what=0x55a06446f09b "xfrmi_ipaddr", pointer=0x55a06592f5a8,
refcnt=0x55a06592f5f0, where=0x55a0644e7760 <here>) at /home/build/libreswan/lib/libswan/refcnt.c:93
93 DEBUG_LOG("add");
(gdb) bt
#0 0x000055a06442ad81 in refcnt_addref_where (what=0x55a06446f09b "xfrmi_ipaddr", pointer=0x55a06592f5a8,
refcnt=0x55a06592f5f0, where=0x55a0644e7760 <here>) at /home/build/libreswan/lib/libswan/refcnt.c:93
#1 0x000055a06432cb10 in reference_xfrmi_ip (xfrmi=0x55a065923eb8, xfrmi_ipaddr=0x55a06592f5a8)
at /home/build/libreswan/programs/pluto/kernel_xfrm_interface.c:441
#2 0x000055a06432ecba in add_xfrm_interface (c=0x55a06591f868, logger=0x55a06592c438)
at /home/build/libreswan/programs/pluto/kernel_xfrm_interface.c:1138
#3 0x000055a0643d30f6 in process_v2_child_response_payloads (ike=0x55a065924808, child=0x55a06592c958,
md=0x55a065925968) at /home/build/libreswan/programs/pluto/ikev2_child.c:813
#4 0x000055a0643d3dce in process_v2_IKE_AUTH_response_child_sa_payloads (ike=0x55a065924808,
response_md=0x55a065925968) at /home/build/libreswan/programs/pluto/ikev2_child.c:1160
#5 0x000055a0642e122d in process_v2_IKE_AUTH_response_post_cert_decode (ike_sa=0x55a065924808, md=0x55a065925968)
at /home/build/libreswan/programs/pluto/ikev2_ike_auth.c:1441
#6 0x000055a0642e09c3 in process_v2_IKE_AUTH_response (ike=0x55a065924808, unused_child=0x0, md=0x55a065925968)
at /home/build/libreswan/programs/pluto/ikev2_ike_auth.c:1290
#7 0x000055a0643cc7ee in v2_dispatch (ike=0x55a065924808, md=0x55a065925968,
svm=0x55a064510e60 <v2_state_transition_table+672>) at /home/build/libreswan/programs/pluto/ikev2.c:2330
#8 0x000055a0643cc6ad in process_protected_v2_message (ike=0x55a065924808, md=0x55a065925968)
at /home/build/libreswan/programs/pluto/ikev2.c:2297
#9 0x000055a0643cc3ae in process_packet_with_secured_ike_sa (md=0x55a065925968, ike=0x55a065924808)
at /home/build/libreswan/programs/pluto/ikev2.c:2212
#10 0x000055a0643cb5a9 in ikev2_process_packet (md=0x55a065925968)
at /home/build/libreswan/programs/pluto/ikev2.c:1901
#11 0x000055a0643e3165 in process_md (md=0x55a065925968) at /home/build/libreswan/programs/pluto/demux.c:189
#12 0x000055a0643e3442 in process_iface_packet (fd=17, ifp_arg=0x0, logger=0x7ffc73df13b0)
at /home/build/libreswan/programs/pluto/demux.c:296
#13 0x000055a06438c1cd in fd_read_listener_event_handler (fd=17, events=2, arg=0x55a06591f718)
at /home/build/libreswan/programs/pluto/server.c:793
#14 0x00007fcc52f92ca5 in event_process_active_single_queue () from /lib64/libevent_core-2.1.so.7
#15 0x00007fcc52f9480f in event_base_loop () from /lib64/libevent_core-2.1.so.7
#16 0x000055a06438d31f in run_server (conffile=0x55a06584fc38 "/etc/ipsec.conf", logger=0x7ffc73df1710)
at /home/build/libreswan/programs/pluto/server.c:1068
#17 0x000055a064386a64 in main (argc=4, argv=0x7ffc73df1cd8)
at /home/build/libreswan/programs/pluto/plutomain.c:1824
On Thu, Jul 13, 2023 at 07:08:53AM -0700, Brady Johnson wrote:
You can view, comment on, or merge this pull request online at:
#1191
-- Commit Summary --
* Enable interface-ip configuration option
* Remove XFRM I/F IP management from updown script
* Add XFRM I/F IP mgmt (with ref-counting) to Pluto
-- File Changes --
M configs/d.ipsec.conf/ipsec-interface.xml (1)
M include/ip_cidr.h (3)
M lib/libipsecconf/keywords.c (3)
M lib/libswan/ip_cidr.c (18)
M programs/_updown.xfrm/_updown.xfrm.in (16)
M programs/pluto/kernel_xfrm_interface.c (519)
M programs/pluto/kernel_xfrm_interface.h (15)
M programs/whack/whack.c (10)
-- Patch Links --
https://github.com/libreswan/libreswan/pull/1191.patch
https://github.com/libreswan/libreswan/pull/1191.diff
|
@antonyantony Thanks for trying this, I haven't gotten that far yet. I first tried with the simplest test I believe the syntax should be EDIT: The syntax is actually with the left/right prefix. |
a240ba4 to 6c72022
6c72022 to 7475cbb
251a51b to efa8299
|
from the log:
|
The leak in
was generated by running |
On Wed, 2 Aug 2023, cagney wrote:
+002 "road"[1] 192.1.2.23 #2: route-client output: PATH/libexec/ipsec/_updown.xfrm: doroute "ip -4 route replace 0.0.0.0/1 dev ipsec1 src 192.0.2.1 && ip -4 route replace 128.0.0.0/1 dev ipsec1 src 192.0.2.1" failed (Error: Invalid prefsrc address.)
004 "road"[1] 192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.0.2.1-192.0.2.1:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
"road"[1] 192.1.2.23 #2: route-client output: /usr/local/libexec/ipsec/_updown.xfrm: doroute "ip -4 route replace 0.0.0.0/1 dev ipsec1 src 192.0.2.1 && ip -4 route replace 128.0.0.0/1 dev ipsec1 src 192.0.2.1" failed (Error: Invalid prefsrc address.)
Note that when we replace a route to 0/0, we use two "half routes", e.g.
0.0.0.0/1 and 128.0.0.0/1
Could it be that 192.0.2.1 was not put on the interface yet? So that it
had no better route than 128.0.0.0/1 for itself?
|
efa8299 to c3c554c
I fixed this memory leak and the test failure with changes I just pushed. |
that one is tricky; re-running tests |
pfree() instead of delref()?
|
c3c554c to 6a361e6
Thanks for pointing that out. Strange I didn't see that when I ran the tests yesterday. I was indeed calling pfree() without first calling delref(). Fixed and pushed. |
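As an added illustration of the pfree()/delref() point raised in this thread (not code from the PR or from libreswan; every type and function name below is hypothetical), here is a reference-counted address list for one interface in which an entry is only ever freed inside the delref path, so a shared address cannot be freed while another connection still holds it:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types and names; not libreswan's structures or API. */
struct if_ip {
	char cidr[64];      /* e.g. "192.0.1.251/24" */
	unsigned refcnt;    /* connections currently using this address */
	struct if_ip *next;
};
struct xfrmi_dev { const char *name; struct if_ip *ips; };

/* 1: first user, caller adds the IP to the device; 0: already tracked; -1: error. */
static int ip_addref(struct xfrmi_dev *dev, const char *cidr)
{
	for (struct if_ip *p = dev->ips; p != NULL; p = p->next)
		if (strcmp(p->cidr, cidr) == 0) { p->refcnt++; return 0; }
	struct if_ip *n = strlen(cidr) < sizeof(n->cidr) ? calloc(1, sizeof(*n)) : NULL;
	if (n == NULL) return -1;   /* address too long or out of memory */
	strcpy(n->cidr, cidr);
	n->refcnt = 1;
	n->next = dev->ips;
	dev->ips = n;
	return 1;
}

/* The only place an entry is freed. 1: last reference dropped, caller removes
 * the IP from the device; 0: still in use; -1: not tracked (unbalanced delref). */
static int ip_delref(struct xfrmi_dev *dev, const char *cidr)
{
	for (struct if_ip **pp = &dev->ips; *pp != NULL; pp = &(*pp)->next) {
		struct if_ip *p = *pp;
		if (strcmp(p->cidr, cidr) != 0) continue;
		if (--p->refcnt > 0) return 0;
		*pp = p->next;  /* unlink before freeing so no stale pointer remains */
		free(p);
		return 1;
	}
	return -1;
}

int main(void)
{
	struct xfrmi_dev dev = { "ipsec1", NULL };
	const char *ip = "192.0.1.251/24";  /* constructed: two connections share it */
	int a1 = ip_addref(&dev, ip), a2 = ip_addref(&dev, ip);
	int d1 = ip_delref(&dev, ip), d2 = ip_delref(&dev, ip);
	printf("add %d %d, del %d %d, still tracked: %s\n", a1, a2, d1, d2, dev.ips ? "yes" : "no");
	return 0;
}
```

An entry still present in the list at shutdown indicates a reference that was never dropped, which is the kind of leak a test harness can flag.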
When run in batch mode, kvm performs additional checks; the tests now pass; I'll do a full test run next; thanks |
clean result:
(had to re-run some unreliable tests, but that is unrelated) |
For reference, I also ran the wip xfrmi tests using:
this is how they compare:
|
Test results don't show any regressions.
6a361e6 to 59e5648
59e5648 to af88b20
- Part 3 of 3: Reference count IPs on XFRM interfaces in Pluto Signed-off-by: Brady Johnson <bradyallenjohnson@gmail.com>
- Part 2 of 3: Reference count IPs on XFRM interfaces in Pluto Signed-off-by: Brady Johnson <bradyallenjohnson@gmail.com>
- Part 1 of 3: Reference count IPs on XFRM interfaces in Pluto Signed-off-by: Brady Johnson <bradyallenjohnson@gmail.com>
af88b20 to 5259d13
merged! |
No description provided.