[Swan-dev] some test failures

Tue Oct 3 15:23:49 UTC 2017

On Tue, 3 Oct 2017, D. Hugh Redelmeier wrote:

> If you are responsible for a test failure, or know what is going on PLEASE FIX IT.

I have been going through these for a few days, and slowly fixing up as
I go. But there are changes I don't yet understand.

> testing/pluto/ah-pluto-07-klips-netkey/OUTPUT/.console.diff failed west:output-different
> Kind of interesting.
> 	switched from "westnet-eastnet-ah-md5" to "westnet-eastnet-ah-sha1"
> and many othr differences

We see a few new connection switches (and a few switches without a
switch message!). It seems likely these came in via a new call to
refine_host_connection() in the SAN code. I think what might be
happening is that for SAN code we prefer to switch since we are
looking for something better. But in these other cases, I think we
should have prefered the one we were one because it matched. We
might need to pass a bool to refine_host_connection() to signal this.

> testing/pluto/algo-pluto-10/OUTPUT/.console.diff failed west:output-different
> retransmission + discarding packet received during asynchronous work (DNS or crypto) in STATE_QUICK_I1

It passes for me. So this is likely due to retransmit

> testing/pluto/basic-pluto-02/OUTPUT/.console.diff failed east:output-different west:output-different

This seems related to the bug I'm chasing in the audit test case. east
is not properly deleting IPsec SA's when it receives a delete.

> testing/pluto/compress-pluto-01/OUTPUT/.console.diff failed east:output-different west:output-different
> east: a lot of changed XFRM state info.  Why?

Same issue. west issues a down and east is not doing it,

> testing/pluto/certoe-07-nat-2-clients/OUTPUT/.console.diff failed east:output-different road:output-different
> east: different amount of traffic
> road: another XFRM SA?

The NAT tests are very different to me. I was hoping Antony could
explain those a bit better.

> testing/pluto/certoe-08-nat-packet-cop-restart/OUTPUT/.console.diff failed road:output-different
> different ammount of traffic?  Amount not scrubbed, nor id scrubbed?
> -icmp     1 27 src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=10.0.10.1 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
> +icmp     1 29 src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=1881 src=192.1.2.23 dst=10.0.10.1 type=0 code=0 id=1881 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

odd that id= appears in lower case. That might be due to our changed
send/receive error code ?

> - conntrack -L -n
> + conntrack -L -n | sed "s/id=[0-9]*/id=XXXX/g"
> IP addresses changed:
> packet cont changed:
> -icmp     1 16 src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=192.1.3.209 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
> +icmp     1 17 src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=192.1.3.209 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

That's probably ephemeral :(

> testing/pluto/delete-sa-01/OUTPUT/.console.diff failed east:output-different west:output-different
> +whack error: "SAwest-east" unexpected argument "leftrsasigkey"
>
> testing/pluto/delete-sa-03/OUTPUT/.console.diff failed east:output-different west:output-different
> west: divergence starts +002 "west-east" #1: switched from "west-east" to "west-east-c"

i will refix these, it seems perhaps my fix/commit was lost or stashed
without a commit.

> east: divergence starts:
> -000 "west-east": 192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]; prospective erouted; eroute owner: #0
> +000 "west-east": 192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]; erouted; eroute owner: #2

I saw that one and I'm not sure if that change is correct or not.

> testing/pluto/delete-sa-04/OUTPUT/.console.diff failed east:output-different west:output-different
> These differences might be due to some sanitizer problem or script change.  But more is going on.
> - ipsec status |grep EVENT_v1_RETRANSMIT | sed "s/EVENT_v1_RETRANSMIT in /EVENT_v1_RETRANSMIT in .../"
> + ipsec status |grep EVENT_v1_RETRANSMIT | sed "s/EVENT_v1_RETRANSMIT in .*$/EVENT_v1_RETRANSMIT in .../"
> A delete does not happen on west.

This is the problem I'm looking at now, showing up in several test
cases.

Note this all relates to how we deal with auto=add plus changed state,
eg on west --up is called. and east it receives an up request. What
is expected on either end when it receives a delete? Go back to
auto=add or go initiate?

Paul

> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>