Bug #10842

Not destroying VTI interfaces when booting before creating a new one

Added by Martin VENÇON 2 months ago. Updated 9 days ago.

Status: Feedback
Priority: Low
Category: IPsec
Target version:
Start date: 08/19/2020
Due date:
% Done: 100%
Estimated time:
Affected Version:
Affected Architecture: All

Description

During the booting process, we call interface_ipsec_vti_configure() from interfaces.inc multiple times:
  • From interfaces_configures() (once)
  • From vpn_ipsec_configure() (up to twice)

When creating the VTI interface, we destroy it beforehand if it exists AND the system is not booting. That results in interface creation attempts when it already exists. An error ensues:

rc.bootup: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'

And this command takes around 20s to return this error on our hardware which is a long time, especially during the booting process.

Is there a specific reason to not destroy the interface when the system is booting?

I suggest removing the !platform_booting() from

if (!platform_booting() && does_interface_exist($ipsecif)) {
    mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " destroy", false);
}
mwexec("/sbin/ifconfig " . escapeshellarg($ipsecif) . " create reqid " . escapeshellarg($ipsecifnum), false);

in interfaces.inc as it looks like it is solving the issue properly.

Associated revisions

Revision 9a012045 (diff)
Added by Viktor Gurov 2 months ago

Not destroying VTI interfaces when booting before creating a new one. Fixes #10842

History

#1 Updated by Jim Pingle 2 months ago

  • Category set to IPsec
  • Priority changed from Normal to Low

That code was added specifically to fix another problem that could happen when destroying an interface that doesn't exist, so removing it is not a viable solution. Though there may be some other way to address the problem.

#2 Updated by Martin VENÇON 2 months ago

Are we not checking if the interface exists in the condition? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface if it does not exist.
Unless I am missing something!

#3 Updated by Viktor Gurov 2 months ago

Martin VENÇON wrote:

Are we not checking if the interface exists in the condition? Removing the platform_booting part from the condition while keeping the does_interface_exist would not allow the code to destroy the interface if it does not exist.

That's right

Fix:
https://github.com/pfsense/pfsense/pull/4427

#4 Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Steve Beaver 9 days ago

  • Assignee changed from Renato Botelho to Martin VENÇON
