Issue #3593

Need variable tracking make_before_break state into updown scripts

Added by Philip Prindeville about 1 month ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.9.0
Resolution:
Description

The updown script might want to know what stage of the make_before_break sequence it is being invoked during.

I propose the variable $PLUTO_MAKE_BREAK_PHASE, with the following values:

0 - make_before_break is "no".
1 - creating initial (first) SA, valid for $PLUTO_VERB = "up-host".
2 - creating replacement SA, valid for $PLUTO_VERB = "up-host".
3 - deleting previous SA, valid for $PLUTO_VERB = "down-host".
4 - deleting current (last) SA, valid for $PLUTO_VERB = "down-host".

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category changed from charon to configuration
  • Status changed from New to Feedback

> The updown script might want to know what stage of the make_before_break sequence it is being invoked during.

First, the updown plugin (and script) is a legacy tool. You might want to look into vici events.

> I propose the variable $PLUTO_MAKE_BREAK_PHASE, with the following values:

As responder, the daemon itself doesn't know. The old and new IKE_SAs are completely independent, there is nothing that ties them explicitly together. So there is no way to pass something like that to the script. One option to handle that is some kind of refcounting in the script.

To avoid this issue, just don't use reauthentication, use rekeying, see ExpiryRekey for details.
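
The refcounting approach Tobias suggests, worked out as an added example (it is not code from this issue, nor strongSwan's own _updown script). It reconstructs the phases Philip proposed in the description from the script's side instead of the daemon's: a counter per connection and peer identity is incremented on every up-* verb and decremented on every down-*, so the script can tell a first SA (count becomes 1) from a replacement brought up during make_before_break (count becomes 2), and an SA going down while another remains (count stays above 0) from the last one. PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_ID are variables the updown plugin already exports; UPDOWN_STATE_DIR is an assumed knob introduced for this example, and phase 0 here means "verb not handled" rather than "make_before_break is no", because the script has no way to learn that setting.

```shell
#!/bin/sh
# Added example, not part of strongSwan's _updown script or of this issue:
# derive a make_before_break "phase" by refcounting SAs per connection and
# peer identity, because charon cannot tell the script which SA is which.
#
# Assumed inputs: PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_ID as exported
# by the updown plugin. UPDOWN_STATE_DIR is a hypothetical knob for this
# example; it should live on tmpfs so stale counters vanish at boot.

STATE_DIR="${UPDOWN_STATE_DIR:-/run/updown}"

# Counter file for one connection/peer pair. Peer IDs (DNs, e-mail
# addresses) can contain characters unsafe in file names, so the key is
# a cksum of both values rather than the raw strings.
counter_file() {
    key=$(printf '%s\n%s\n' "$1" "$2" | cksum | cut -d' ' -f1)
    printf '%s/%s.count' "$STATE_DIR" "$key"
}

# mbb_phase CONN PEER VERB: prints one of
#   1  first SA for this pair is coming up
#   2  a replacement SA is coming up (the old one is still installed)
#   3  an SA is going down but another remains (old SA after make_before_break)
#   4  the last SA for this pair is going down
#   0  verb not handled (the script cannot learn the make_before_break setting)
# The counter is updated under a lock directory, since mkdir is atomic and
# two SAs can be brought up concurrently.
mbb_phase() {
    conn=$1; peer=$2; verb=$3
    mkdir -p "$STATE_DIR"
    f=$(counter_file "$conn" "$peer")
    lock="$f.lock"
    until mkdir "$lock" 2>/dev/null; do sleep 1; done
    n=0
    [ -f "$f" ] && n=$(cat "$f")
    case "$verb" in
        up-*)
            n=$((n + 1))
            echo "$n" > "$f"
            if [ "$n" -eq 1 ]; then phase=1; else phase=2; fi
            ;;
        down-*)
            n=$((n - 1))
            if [ "$n" -le 0 ]; then
                rm -f "$f"
                phase=4
            else
                echo "$n" > "$f"
                phase=3
            fi
            ;;
        *)
            phase=0
            ;;
    esac
    rmdir "$lock"
    echo "$phase"
}

# When invoked by charon, log the derived phase alongside the usual verb.
if [ -n "$PLUTO_VERB" ]; then
    PHASE=$(mbb_phase "$PLUTO_CONNECTION" "$PLUTO_PEER_ID" "$PLUTO_VERB")
    echo "updown: conn=$PLUTO_CONNECTION peer=$PLUTO_PEER_ID verb=$PLUTO_VERB phase=$PHASE"
fi
```

Two caveats follow from Tobias's point that the SAs are unrelated as far as the daemon is concerned. The counter is only as reliable as the pairing of up and down invocations: if charon is killed or the state directory survives a reboot, the counts go stale, which is why the example defaults to a tmpfs path. And because every CHILD_SA triggers its own up/down, a connection with several child SAs counts all of them under one key; add PLUTO_REQID to the key if a per-CHILD_SA view is wanted instead.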
