Issue #2178

ha and updown...

Added by Luka Logar about 4 years ago. Updated almost 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.5.1
Resolution:

Description

Hi,

Currently the updown script isn't called on the passive node, which makes the left|rightfirewall option incompatible with HA usage scenarios.
As the fix is quite simple (patch attached) and seems to be working just fine, I am wondering if this was left out on purpose or was just an oversight...

ha_updown.patch (751 Bytes) ha_updown.patch Luka Logar, 28.11.2016 08:11
ha_updownV2.patch (1.6 KB) ha_updownV2.patch Luka Logar, 01.12.2016 13:53

History

#1 Updated by Luka Logar almost 4 years ago

It looks like I was a bit over-optimistic. With the above/first patch the updown script is not called when a passive IKE SA is destroyed (during reauthentication and/or maybe otherwise), so in the modified patch child_updown() is called (for each CHILD_SA) in the ike_state_change() function when a passive IKE SA is being destroyed. I am not sure if this is the right place for the child_updown() call or if there is a more appropriate mechanism for this.

I have also noticed that, as CHILD_SA rekeying on the passive node consists of creating a new CHILD_SA and dropping the old one, there is an extra updown/child_up, updown/child_down call for each CHILD_SA rekeying.

By the way, I also had to modify the updown script for iptables to insert rules after the general -j CLUSTERIP rule (iptables -I INPUT 3 ...).
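The extra up/down pair per passive-node rekey described in this comment can be absorbed by a reference-counted updown wrapper, so the firewall rule is only inserted on the first CHILD_SA for a client pair and removed on the last. This is an added example, not the attached patch nor strongSwan's shipped _updown script; it assumes the PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_IFACE variables the updown interface exports, a state directory UPDOWN_STATE_DIR, and an illustrative accept rule inserted at INPUT position 3 below the CLUSTERIP rule.

```shell
#!/bin/sh
# Reference-counted updown wrapper (added example, not strongSwan's own script).
# On a passive HA node a rekey shows up as "up" for the new CHILD_SA followed
# by "down" for the old one; a plain insert/delete would remove the rule while
# the tunnel is still live. Counting live SAs per client pair avoids that.
# Assumed: state files under $UPDOWN_STATE_DIR; IPTABLES=echo gives a dry run.
UPDOWN_STATE_DIR="${UPDOWN_STATE_DIR:-/var/run/updown-ha}"
IPTABLES="${IPTABLES:-iptables}"

# File-name-safe key from the two client subnets ($1 = mine, $2 = peer).
sa_key() {
    printf '%s_%s' "$1" "$2" | tr -c 'A-Za-z0-9_' '-'
}

# Update the counter for a key and print what the caller must do:
# "insert" (first SA up), "delete" (last SA down) or "noop".  $1 = up|down, $2 = key
updown_action() {
    mkdir -p "$UPDOWN_STATE_DIR"
    f="$UPDOWN_STATE_DIR/$2"
    n=0
    [ -f "$f" ] && n=$(cat "$f")
    case "$1" in
        up)
            n=$((n + 1)); echo "$n" > "$f"
            [ "$n" -eq 1 ] && echo insert || echo noop ;;
        down)
            if [ "$n" -le 1 ]; then rm -f "$f"; echo delete
            else n=$((n - 1)); echo "$n" > "$f"; echo noop; fi ;;
        *) echo noop ;;
    esac
}

# Entry point when invoked by charon: map PLUTO_VERB onto the counter and
# touch iptables only when the count crosses between 0 and 1.
updown_main() {
    key=$(sa_key "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT")
    case "$PLUTO_VERB" in
        up-client)   verb=up ;;
        down-client) verb=down ;;
        *) return 0 ;;   # other verbs (up-host, ...) not handled in this example
    esac
    # Illustrative rule only; position 3 keeps it below the -j CLUSTERIP rule.
    rule="-s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -i $PLUTO_IFACE -m policy --dir in --pol ipsec -j ACCEPT"
    case "$(updown_action "$verb" "$key")" in
        insert) "$IPTABLES" -I INPUT 3 $rule ;;
        delete) "$IPTABLES" -D INPUT $rule ;;
    esac
}
```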
