Bug #10842

closed

Not destroying VTI interfaces when booting before creating a new one

Added by Martin VENÇON about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Low
Assignee:
Category: IPsec
Target version:
Start date: 08/19/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

During the booting process, we call interface_ipsec_vti_configure() from interfaces.inc multiple times:
  • From interfaces_configures() (once)
  • From vpn_ipsec_configure() (up to twice)

When creating the VTI interface, we destroy it beforehand if it exists AND the system is not booting. That results in interface creation attempts when it already exists. An error ensues:

rc.bootup: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'

And this command takes around 20s to return this error on our hardware which is a long time, especially during the booting process.

Is there a specific reason to not destroy the interface when the system is booting?

I suggest removing the !platform_booting() from

if (!platform_booting() && does_interface_exist($ipsecif)) {
    mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " destroy", false);
}
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " create reqid " . escapeshellarg($ipsecifnum), false);

in interfaces.inc as it looks like it is solving the issue properly.

Actions #1

Updated by Jim Pingle about 1 year ago

  • Category set to IPsec
  • Priority changed from Normal to Low

That code was added specifically to fix another problem that could happen when destroying an interface that doesn't exist, so removing it is not a viable solution. Though there may be some other way to address the problem.

Actions #2

Updated by Martin VENÇON about 1 year ago

Are we not checking if the interface exists in the condition? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface if it does not exist.
Unless I am missing something!

Actions #3

Updated by Viktor Gurov about 1 year ago

Martin VENÇON wrote:

Are we not checking if the interface exists in the condition? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface if it does not exist.

That's right

Fix:
https://github.com/pfsense/pfsense/pull/4427
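
The boot-time call sequence discussed in this issue, simulated as an added example; it is not pfSense code and not the content of the linked pull request. FakeIfconfig, configure_vti() and simulate_boot() are hypothetical stand-ins for /sbin/ifconfig and interface_ipsec_vti_configure(), and the three calls per boot follow the counts given in the description.

```php
<?php
// Added illustration, not pfSense code. FakeIfconfig and configure_vti() are
// hypothetical stand-ins for /sbin/ifconfig and interface_ipsec_vti_configure().
class FakeIfconfig {
    public $ifaces = [];          // interfaces that currently exist
    public $failedCreates = 0;    // "create" issued for an existing interface
    public $badDestroys = 0;      // "destroy" issued for a missing interface

    public function exists($if) { return isset($this->ifaces[$if]); }

    public function create($if) {
        if ($this->exists($if)) { $this->failedCreates++; return 1; }
        $this->ifaces[$if] = true;
        return 0;
    }

    public function destroy($if) {
        if (!$this->exists($if)) { $this->badDestroys++; return 1; }
        unset($this->ifaces[$if]);
        return 0;
    }
}

// $bootGuard = true reproduces the reported condition
// (!platform_booting() && does_interface_exist()); false keeps only the
// existence check, as proposed in the description.
function configure_vti(FakeIfconfig $sys, $if, $booting, $bootGuard) {
    $mayDestroy = $bootGuard ? (!$booting && $sys->exists($if)) : $sys->exists($if);
    if ($mayDestroy) {
        $sys->destroy($if);
    }
    return $sys->create($if);
}

// Boot sequence from the description: one call from the interface setup and
// up to two from vpn_ipsec_configure(), all while the platform is booting.
function simulate_boot($bootGuard) {
    $sys = new FakeIfconfig();
    for ($call = 0; $call < 3; $call++) {
        configure_vti($sys, 'ipsec1000', true, $bootGuard);
    }
    return [$sys->failedCreates, $sys->badDestroys];
}

list($failed, $bad) = simulate_boot(true);
echo "with boot guard:      failed creates=$failed, destroys of missing if=$bad\n";
list($failed, $bad) = simulate_boot(false);
echo "existence check only: failed creates=$failed, destroys of missing if=$bad\n";
```

The two counters correspond to the two concerns raised in the thread: a create issued against an existing interface, and a destroy issued against an interface that does not exist.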

Actions #4

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Pull Request Review

Actions #5

Updated by Renato Botelho about 1 year ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #6

Updated by Steve Beaver about 1 year ago

  • Assignee changed from Renato Botelho to Martin VENÇON

Actions #7

Updated by Martin VENÇON about 1 year ago

Successfully tested!
Thanks!

Actions #8

Updated by Renato Botelho about 1 year ago

  • Status changed from Feedback to Resolved
  • Assignee changed from Martin VENÇON to Viktor Gurov