Issue #777

column length in attributes table of strongswan database is too short

Added by Noel Kuntze over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Affected version: 5.2.1
Resolution:
Description

Hello strongSwan team,

I found that if strongSwan is used with an SQL configuration backend and an SQL database pool, UNITY_LOCAL_LAN attributes with several subnets don't seem to be handled correctly. I did not check if this is also the case if they are defined in strongswan.conf directly with the attr plugin, and not attr-sql.

[root@ip-172-31-32-229 ~]# ipsec pool --addattr UNITY_LOCAL_LAN --pool customers --subnet 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
added UNITY_LOCAL_LAN attribute (UNITY_LOCAL_LAN) in pool 'customers'.
[root@ip-172-31-32-229 ~]# ipsec pool --statusattr
type description pool identity value
3 INTERNAL_IP4_DNS customers 172.31.0.2
28678 UNITY_LOCAL_LAN customers 0a:00:00:00:ff:00:00:00:00:00:00:00:00:00:ac:10

mysql> SELECT id, identity, pool, type, HEX as value from attributes;
+----+----------+------+-------+----------------------------------+
| id | identity | pool | type  | value                            |
+----+----------+------+-------+----------------------------------+
|  3 |        0 |    1 |     3 | AC1F0002                         |
| 16 |        0 |    1 | 28678 | 0A000000FF000000000000000000AC10 |
+----+----------+------+-------+----------------------------------+

Extending the length of the value column in the attribute tables fixed the problem:

mysql> SHOW COLUMNS FROM attributes;
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| identity | int(10) unsigned | NO   | MUL | 0       |                |
| pool     | int(10) unsigned | NO   | MUL | 0       |                |
| type     | int(10) unsigned | NO   |     | NULL    |                |
| value    | varbinary(200)   | YES  |     | NULL    |                |
+----------+------------------+------+-----+---------+----------------+
5 rows in set (0.00 sec)

mysql> SELECT id, identity, pool, type, HEX as value from attributes;
+----+----------+------+-------+--------------------------------------------------------------------------------------+
| id | identity | pool | type  | value                                                                                |
+----+----------+------+-------+--------------------------------------------------------------------------------------+
|  3 |        0 |    1 |     3 |                                                                                      |
| 17 |        0 |    1 | 28678 | 0A000000FF000000000000000000AC100000FFF00000000000000000C0A80000FFFF0000000000000000 |
+----+----------+------+-------+--------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

[root@ip-172-31-32-229 ~]# ipsec pool --addattr UNITY_LOCAL_LAN --pool customers --subnet 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
added UNITY_LOCAL_LAN attribute (UNITY_LOCAL_LAN) in pool 'customers'.
[root@ip-172-31-32-229 ~]# ipsec pool --statusattr
type description pool identity value
3 INTERNAL_IP4_DNS customers
28678 UNITY_LOCAL_LAN customers 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0

The default column length can only include one subnet and its netmask. I think this should be noted down in the article about attr-sql and in the manpage and help message of the "ipsec pool" tool. Maybe checking the column length before inserting the values would help to make users aware of that problem.

Regards,
Noel Kuntze

Attachment: query.txt (486 Bytes), SQL query, added by Noel Kuntze, 25.11.2014 20:32
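As an added illustration of the truncation described in the report above (this is not strongSwan's code and not part of the original issue), the following Python reproduces the attribute encoding visible in the hex dumps, where each subnet occupies a 14-byte entry (4 bytes network, 4 bytes netmask, 6 bytes that are always zero in the dumps), shows what a 16-byte column keeps of it, and implements the pre-insert length check the reporter suggests. The 14-byte entry layout and the 16-byte default column size are inferred from the values shown in the report, not taken from the strongSwan sources; the function names are my own.

```python
import ipaddress
from typing import List, Tuple

# Entry layout inferred from the dumps in the report (assumption): 4 bytes network,
# 4 bytes netmask, then 6 bytes that are zero in every entry shown.
ENTRY_LEN = 14
# "ipsec pool --statusattr" printed exactly 16 bytes before the column was widened,
# so the unmodified attributes.value column is assumed to be varbinary(16).
DEFAULT_VALUE_COLUMN_LEN = 16


def encode_local_lan(subnets: str) -> bytes:
    """Encode "net/mask,net/mask,..." as consecutive 14-byte entries, as seen in the dumps."""
    blob = b""
    for item in subnets.split(","):
        net, mask = item.split("/")
        blob += ipaddress.IPv4Address(net).packed
        blob += ipaddress.IPv4Address(mask).packed
        blob += b"\x00" * (ENTRY_LEN - 8)  # trailing bytes, all zero in the report
    return blob


def decode_local_lan(blob: bytes) -> Tuple[List[str], bool]:
    """Return the subnets that can still be read and whether a partial entry remains.

    A partial entry is the signature of a value that was cut off by a too-short column."""
    whole, rest = divmod(len(blob), ENTRY_LEN)
    subnets = []
    for i in range(whole):
        entry = blob[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        net = ipaddress.IPv4Address(entry[0:4])
        mask = ipaddress.IPv4Address(entry[4:8])
        subnets.append(f"{net}/{mask}")
    return subnets, rest != 0


def bytes_lost(blob: bytes, column_len: int = DEFAULT_VALUE_COLUMN_LEN) -> int:
    """How many bytes a varbinary(column_len) column would silently drop (0 if it fits)."""
    return max(0, len(blob) - column_len)


def check_fits(blob: bytes, column_len: int = DEFAULT_VALUE_COLUMN_LEN) -> None:
    """Pre-insert check: fail loudly instead of letting the database truncate the value."""
    lost = bytes_lost(blob, column_len)
    if lost:
        raise ValueError(f"value is {len(blob)} bytes, attributes.value is varbinary({column_len}): "
                         f"{lost} bytes would be truncated; widen the column first")


if __name__ == "__main__":
    blob = encode_local_lan("10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0")
    print(blob.hex().upper())                                  # matches the widened-column dump
    print(decode_local_lan(blob[:DEFAULT_VALUE_COLUMN_LEN]))   # what varbinary(16) kept
    check_fits(blob, column_len=200)                           # fits after ALTER TABLE
    check_fits(blob)                                           # raises for the default column
```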
