Issue #2197

charon does not add routes for passthrough policies when local_addrs is not set.

Added by Noel Kuntze about 4 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
kernel-interface
Affected version:
5.5.1
Resolution:
Fixed

Description

charon currently does not add the necessary routes to table 220 when passthrough policies are defined without the local addrs.


Related issues

Related to Issue #3106: passthrough-children not in table 220 (Closed)

History

#1 Updated by Noel Kuntze about 4 years ago

Additional testing revealed that it seems to occur depending on when charon is started and whether the network is available and routes for the passed-through networks exist in the main routing table. When charon is restarted after the routes exist in the main routing table, the necessary routes for passthrough are installed in table 220.

#2 Updated by Noel Kuntze about 4 years ago

Not even that. It just does not work when charon starts. It only works when the daemon is restarted and the configuration loaded later, after the initial system start.

#3 Updated by Tobias Brunner about 4 years ago

  • Category set to kernel-interface
  • Status changed from New to Feedback

Not even that. It just does not work when charon starts. It only works when the daemon is restarted and the configuration loaded later, after the initial system start.

What do you consider the difference between a restart and an original start? If the daemon is started after the network is up (see #2205), there should be no difference to a restart. When installing the routes for passthrough policies, charon will have to look up some stuff (next hop, interface). It obviously can only do that if the main routing table actually contains appropriate routes. Check the log to see what happens in either case (with knl at 2).

I guess the shunt manager could listen for roam events and try to reinstall the shunts if necessary. But it would have to know that that's necessary as failing to install the route while installing the policy is currently not considered a failure. So instead, some kind of route manager might be something to consider (even if it is only implemented in kernel_netlink_net_t), which could handle route (re-)installation (this could also be a solution for #85).
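A quick check for the symptom described in this thread, added here as an example (it is not strongSwan code and not part of the original discussion): it takes the output of `ip route show table 220` and reports every passthrough subnet that has no route there. The table output embedded below is a constructed sample; the function name and the live usage line are assumptions.

```shell
#!/bin/sh
# Added example: verify that each subnet covered by a passthrough policy
# has a route installed in strongSwan's routing table 220.
# Constructed sample of `ip route show table 220` output (not real data).
SAMPLE_TABLE_220='192.168.1.0/24 dev eth0 proto static src 192.168.1.10
10.0.0.0/8 via 192.168.1.1 dev eth0 proto static src 192.168.1.10'

# missing_passthrough_routes ROUTE_OUTPUT SUBNET...
# Prints each subnet that does not appear as a destination prefix in
# ROUTE_OUTPUT (one per line). Returns 0 if all are present, 1 otherwise.
missing_passthrough_routes() {
    routes=$1
    shift
    rc=0
    for net in "$@"; do
        # First field of each `ip route` line is the destination prefix.
        if ! printf '%s\n' "$routes" |
            awk -v want="$net" '$1 == want { found = 1 } END { exit !found }'; then
            echo "$net"
            rc=1
        fi
    done
    return $rc
}

# Live usage (assumed; needs iproute2 and read access to table 220):
# missing_passthrough_routes "$(ip route show table 220)" 192.168.1.0/24 172.16.0.0/12
```

A non-zero exit from the live invocation is the condition this issue describes: the passthrough policy exists but charon never installed the matching route in table 220, typically because the main table had no usable next hop or interface when charon started.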

#4 Updated by Noel Kuntze about 4 years ago

Tobias Brunner wrote:

Not even that. It just does not work when charon starts. It only works when the daemon is restarted and the configuration loaded later, after the initial system start.

What do you consider the difference between a restart and an original start?

An original start is when charon starts as part of the system start and when the network is probably not up yet. A restart is when I restart the systemd unit of charon when the system already booted and the network is up.

If the daemon is started after the network is up (see #2205), there should be no difference to a restart. When installing the routes for passthrough policies, charon will have to look up some stuff (next hop, interface). It obviously can only do that if the main routing table actually contains appropriate routes. Check the log to see what happens in either case (with knl at 2).

Well, I guess that the main routing table isn't populated with the routes yet, so it doesn't install any routes into table 220.

I guess the shunt manager could listen for roam events and try to reinstall the shunts if necessary. But it would have to know that that's necessary as failing to install the route while installing the policy is currently not considered a failure. So instead, some kind of route manager might be something to consider (even if it is only implemented in kernel_netlink_net_t), which could handle route (re-)installation (this could also be a solution for #85).

I think so, too. A generic solution to such a situation is desirable, I think.

#5 Updated by Noel Kuntze about 4 years ago

To be able to test this at home, I created a passthrough policy with my LAN's subnet.

#6 Updated by Tobias Brunner about 4 years ago

Does using network-online.target, as discussed in #2205, make a difference?

#7 Updated by Noel Kuntze about 4 years ago

It wouldn't, because network-online.target isn't pulled in when my network managing software connects to a network. Besides, it's not a general solution to the problem, because when the target is pulled in and charon is started, it might not be a network for which a passthrough policy is defined, and charon will still not install passthrough policies later, when at some point the computer connects to a network for which a passthrough policy is defined.

#8 Updated by Noel Kuntze about 2 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed

Fixed through inclusion of bypass-lan plugin.

#9 Updated by Tobias Brunner over 1 year ago

  • Related to Issue #3106: passthrough-children not in table 220 added