Merge pull request #1338 from txomon/fix-ipsec-policy-exists

Fix: Accept existing XMRF policies and update them intead of raising errors

backend/ipsec/handle_xfrm.go

@@ -16,8 +16,10 @@
 package ipsec
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"syscall"
 
 	log "github.com/golang/glog"
 	"github.com/vishvananda/netlink"
@@ -30,7 +32,7 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
 
 	dst := remoteLease.Subnet.ToIPNet()
 
-	policy := netlink.XfrmPolicy{
+	policy := &netlink.XfrmPolicy{
 		Src: src,
 		Dst: dst,
 		Dir: dir,
@@ -47,14 +49,23 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
 		Reqid: reqID,
 	}
 
-	log.Infof("Adding ipsec policy: %+v", tmpl)
-
 	policy.Tmpls = append(policy.Tmpls, tmpl)
 
-	if err := netlink.XfrmPolicyAdd(&policy); err != nil {
-		return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
+	if existingPolicy, err := netlink.XfrmPolicyGet(policy); err != nil {
+		if errors.Is(err, syscall.ENOENT) {
+			log.Infof("Adding ipsec policy: %+v", tmpl)
+			if err := netlink.XfrmPolicyAdd(policy); err != nil {
+				return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
+			}
+		} else {
+			return fmt.Errorf("error getting policy: %+v err: %v", policy, err)
+		}
+	} else {
+		log.Info("Updating ipsec policy %+v with %+v", existingPolicy, policy)
+		if err := netlink.XfrmPolicyUpdate(policy); err != nil {
+			return fmt.Errorf("error updating policy: %+v err: %v", policy, err)
+		}
 	}
-
 	return nil
 }