mandos general protection error ...

Teddy Hogeborn teddy at fukt.bsnet.se
Fri Jan 23 21:58:36 CET 2009


Dick Middleton <dick at fouter.net> writes:

> Here's the latest log for server using strace -f

Thanks.  I'll look at it in some more detail later.  But here's
something I found:

[pid 31328] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

That is worrying.  It's *Python*; it's not supposed to do that.

> I found the problem with ipv6 - seems like ip6tables (which I didn't
> know existed) had been configured with policy DROP by the fwbuilder
> script I was using for the ipv4 firewall.

Ah, one thing less to worry about!  :)

> I also have to set neighbours for the ipv6 nodes - I'm sure that
> should be automatic - must be something missing.

What do you mean, "set neighbours"?  I do not know what you are
talking about.

But anyway, I thought of something else.  You use "--interface br0" (a
channel bonding device) with mandos-client.  You're aware, right, that
this will not work in the initial RAM disk environment?  Networking is
not configured at that stage, and the files and programs to do so are
not available.  What mandos-client does is to bring one interface
(default "eth0") into the UP state, and then simply use it.
Mandos-client will then assume that IPv6 automatic link-local
addresses exist and work.  If you are *not* using bonding mode
"balance-rr", "balance-xor", "broadcast", or "802.3ad", you will
probably want to try to just simply use one of the network interfaces
connected to the switch; i.e. one of the "slave" interfaces.  If you
*are* using one of those, I'm not sure what you should do.  You could
probably try to do that anyway.

In fact, this could be at least part of the problem which you are
having.  Avahi might be confused by all the interfaces somehow, or we
might have to be more than slightly advanced when calling Avahi to
take this possible scenario into account.  We'll have to look into it
some more.

Using the network from the initial RAM disk environment, which
mandos-client must do, is tricky, since none of the configuration
files or tools needed are available, and we don't want to duplicate
the entire functionality of ifupdown inside mandos-client.  We sort of
solve it by assuming we can just bring one interface up and then use
IPv6 link-local addresses.  I don't know how or if this will work on,
for instance, an 802.3ad bonded channel.  At the worst we might have to
provide some sort of hook for configuring the network interface before
mandos-client can use it, which Mandos users then can connect to some
shell script or other which sets up some usable interface.  I guess
we'll also, in that case, have to have a hook for taking *down* the
interface after mandos-client is done with it, since the normal
ifupdown system will probably not react favorably to an already
existing "br0".

/Teddy
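The network-setup hook sketched in the message above, as an added example that is not part of the original message or of Mandos itself: a POSIX sh hook that brings one interface UP and waits until the kernel has a usable (non-tentative) IPv6 link-local address on it, which is the assumption mandos-client makes. The `ip` output parsing is kept in its own functions so it can be checked against constructed sample output; the interface name, the sample addresses and the `wait_linklocal` helper are assumptions.

```shell
#!/bin/sh
# Added example (not Mandos code): a pre-network hook of the kind discussed
# above. It brings an interface UP and waits until the kernel has assigned a
# usable IPv6 link-local address, which is what mandos-client assumes exists.

# Print usable link-local addresses found in `ip -6 addr show` output.
# Addresses marked "tentative" are still in Duplicate Address Detection
# and cannot be used yet, so they are skipped.
linklocal_addrs() {
    printf '%s\n' "$1" | awk '
        /inet6 fe80:/ && !/tentative/ { sub(/\/.*/, "", $2); print $2 }'
}

# Return 0 if `ip link show` output reports the UP flag for the interface.
iface_is_up() {
    printf '%s\n' "$1" | grep -Eq '<([^>]*,)?UP(,[^>]*)?>'
}

# Bring IFACE up and poll for up to TIMEOUT seconds (default 10) for a
# link-local address. Prints the address and returns 0, or returns 1 on
# timeout. Needs root and a real interface, so it is not exercised offline.
wait_linklocal() {
    iface=$1
    timeout=${2:-10}
    ip link set dev "$iface" up || return 1
    while [ "$timeout" -gt 0 ]; do
        addr=$(linklocal_addrs "$(ip -6 addr show dev "$iface" scope link)")
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# Constructed sample `ip` output (assumed, not captured from a real host):
# the same interface before and after DAD has finished.
SAMPLE_TENTATIVE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link tentative
       valid_lft forever preferred_lft forever'
SAMPLE_READY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Offline check: the tentative address is ignored, the settled one is found.
[ -z "$(linklocal_addrs "$SAMPLE_TENTATIVE")" ] && echo "tentative: skipped"
linklocal_addrs "$SAMPLE_READY"   # fe80::5054:ff:fe12:3456
```

A hook like this would also need a matching teardown step (`ip link set dev IFACE down`) once mandos-client is done, for the reason given in the message.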


More information about the Mandos-Dev mailing list