[Swan-dev] testing yesterday's tree

Paul Wouters paul at nohats.ca
Tue May 22 03:05:24 UTC 2018


On Fri, 18 May 2018, Andrew Cagney wrote:

>>> - I'm beginning to wonder if there's a race between whack
>>> --trafficstatus showing a connection being up and a connection being up?
>>
>>
>> I have never seen that.
>
> Here's an example:
>
> - whack --trafficstatus shows things up
> - but the first of 4 ping packets goes into the weeds

>  ping -n -c 4 -I 192.0.1.254 192.0.2.254
> PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
> -64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
> 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
> 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
> 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
> --- 192.0.2.254 ping statistics ---
> -4 packets transmitted, 4 received, 0% packet loss, time XXXX
> +4 packets transmitted, 3 received, 25% packet loss, time XXXX
> rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
> west #
>  ipsec whack --trafficstatus
> -006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
> inBytes=336, outBytes=336, id='@east'
> +006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
> inBytes=252, outBytes=252, id='@east'

It does show the first ping got sent before the IPsec SA was installed
properly, but the reporting of trafficstatus is correct. It shows
a little less inBytes/outBytes because one ping didn't go through
IPsec.

Maybe we only disagree about the description of the problem?
I do agree there is a race between installing the IPsec SA
and being able to use it. But I think trafficstatus works
correctly.

Paul

