Project

General

Profile

Actions

Bug #10842

closed

Not destroying VTI interfaces when booting before creating a new one

Added by Martin VENÇON over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Low
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
08/19/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
All

Description

During the booting process, we call interface_ipsec_vti_configure() from interfaces.inc multiple times :
  • From interfaces_configures() (once)
  • From vpn_ipsec_configure() (up to twice)

When create the VTI interface we destroy it beforehand if it exists AND the system is not booting. That results in interface creation attempts when it already exists. An error ensues :

rc.bootup: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'

And this command takes around 20s to return this error on our hardware which is a long time, especially during the booting process.

Is there a specific reason to not destroy the interface when the system is booting ?

I suggest removing the !platform_booting() from

if (!platform_booting() && does_interface_exist($ipsecif)) {
    mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " destroy", false);
}
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " create reqid " . escapeshellarg($ipsecifnum), false);

in interfaces.inc as it looks like it is solving the issue properly.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec
  • Priority changed from Normal to Low

That code was added specifically to fix another problem that could happen when destroying an interface that doesn't exist, so removing it is not a viable solution. Though there may be some other way to address the problem.

Actions #2

Updated by Martin VENÇON over 4 years ago

Are we not checking if the interface exists in the condition ? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface it it does not exists.
Unless I am missing something !

Actions #3

Updated by Viktor Gurov over 4 years ago

Martin VENÇON wrote:

Are we not checking if the interface exists in the condition ? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface it it does not exists.

That's right

Fix:
https://github.com/pfsense/pfsense/pull/4427

Actions #4

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #6

Updated by Anonymous about 4 years ago

  • Assignee changed from Renato Botelho to Martin VENÇON
Actions #7

Updated by Martin VENÇON about 4 years ago

Successfully tested !
Thanks !

Actions #8

Updated by Renato Botelho about 4 years ago

  • Status changed from Feedback to Resolved
  • Assignee changed from Martin VENÇON to Viktor Gurov
Actions

Also available in: Atom PDF