System: Gateways: Configuration - host route behavior when address not set

[AdSchellevis]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

When having a gateway configured with a fixed address on a dynamic configured interface, there is a chance a host route is being set before the actual service (such as OpenVPN) has had the chance to configure the device.

This may lead to errors in OpenVPN as described in the log section below.

To Reproduce

Configure a new style OpenVPN server, then update the gateway to contain the other end's ip address and enable monitoring. Next reboot the machine and witness OpenVPN not being able to start. The legacy OpenVPN's seem to be started slightly earlier, in which case such a race condition does not seem to appear.

Expected behavior

To prevent OpenVPN's ifconfig failing, the host route should not exist (as it overlaps with the tunnel). Skipping the host route in these cases is likely the best option.

To avoid the race condition, my suggestion is to check for existence of at least an address on the device in question for the protocol chosen before pushing the host route.

Describe alternatives you considered

none

Relevant log files

Relevant log data from OpenVPN:

Exiting due to fatal error
FreeBSD ifconfig failed: external program exited with error status: 1
/sbin/ifconfig ovpnsX x.x.x.x x.x.x.x mtu 1500 netmask x.x.x.x up

Additional context

Relevant code sections:

core/src/etc/inc/plugins.inc.d/dpinger.inc

Lines 234 to 241 in 1c86776

	if (!empty($gateway['gateway']) && empty($gateway['monitor_noroute'])) {
	if (isset($routes[$gateway['monitor']])) {
	log_msg("Duplicated monitor route ignored for {$gateway['monitor']} on {$gateway['interface']}", LOG_WARNING);
	} else {
	system_host_route($gateway['monitor'], $gateway['gateway']);
	$routes[$gateway['monitor']] = $gateway['gateway'];
	}
	}

core/src/etc/inc/system.inc

Lines 527 to 548 in 1c86776

	function system_host_route($host, $gateway)
	{
	if (is_ipaddrv4($gateway)) {
	$family = 'inet';
	} elseif (is_ipaddrv6($gateway)) {
	$family = 'inet6';
	} else {
	log_msg("ROUTING: not a valid host gateway address: '{$gateway}'", LOG_ERR);
	return;
	}
	/*
	* If the gateway is the same as the host we do not touch the route
	* as this is not needed and it may also break the routing table.
	*/
	if ($host == $gateway) {
	return;
	}
	mwexecf('/sbin/route delete -host -%s %s', [$family, $host], true);
	mwexecf('/sbin/route add -host -%s %s %s', [$family, $host, $gateway]);
	}

Environment

OPNsense 24.1.x (amd64).

[fichtner]

@AdSchellevis this still valid then? the other bug looks like a leftover from the gateways class migration

[AdSchellevis]

@fichtner I think it is, yes. if you only specify a monitor you may still end up with an expected host route when the service is configured after the monitor.