[Swan-dev] What happened to "ipsec show" ?

Brady Johnson bradyjoh at redhat.com
Thu Nov 2 12:49:32 EET 2023


Here is the PR for this change [0]. I'm not sure why, but the PR is getting
a semgrep failure in github.

The output is the following:

    $ ipsec --briefconnectionstatus
    000 Connection list:
    000
    000 172.16.20.0/24 @ 172.22.18.102 (2KiB in)  <==>  172.16.10.0/24 @ 172.22.18.101 (1KiB in) vpnclient.gwn02.xyz.com, reqid=16388
    000
    000 Total IPsec connections: loaded 1, active 1

Notice I added the reqid to the output of the "ipsec connectionstatus"
command.

Can I get a review of this PR, please?

[0] https://github.com/libreswan/libreswan/pull/1350

*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com



On Sat, Oct 28, 2023 at 3:36 AM Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 27 Oct 2023, Brady Johnson wrote:
>
> > And here is the output of the new command I added:
> >
> > ipsec briefconnectionstatus
> > 000 Connection list:
> > 000
> > 000 "vpnclient.gwn02.xyz.com": 172.16.20.0/24===172.22.18.102[O=XYZ, CN=vpnclient.gwn02.xyz.com]...172.22.18.101[O=XYZ, CN=vpnserver.gwn01.xyz.com]===172.16.10.0/24;
> > 000
> > 000 Total IPsec connections: loaded 1, active 1
> >
> > This still seems a little verbose, but I think it provides just enough
> info. If somebody wants more
> > info, they can just use the "ipsec connectionstatus" command.
>
> The old "ipsec eroute" would have shown something like:
>
> 172.16.20.0/24 -> 172.16.10.0/24 => tun at SPI@172.22.18.101
>
> I was proposing only adding the traffic counter (in+out) and conn name
> (not any IDs because the IDs are long, especially with certs), eg:
>
> 172.16.20.0/24 -> 172.16.10.0/24 => tun at SPI@172.22.18.101  188M  vpnclient.gwn02.xyz.com
>
> These also used tabs so it would kind of align, eg like (not sure if it
> will render properly in email):
>
>
> 172.16.20.0/24  -> 172.16.10.0/24       => tun at SPI@172.22.18.101    188M    vpnclient.gwn02.xyz.com
> 1.1.1.1/32      -> 8.8.8.0/24           => tun at SPI@2.2.2.1          88G     blabla.gwn02.xyz.com
>
>
> Of course, we then decided not to put all this into pluto, as everyone
> has their own wishlist for output, and just output json. Then people
> could write their own programs and we could add some favourite /
> standard ones during install or in contrib/
> Then we looked at something dbus compatible, but dbus libraries are
> terrible. Then we looked at varlink.org, but it failed to get momentum.
> Then I thought perhaps some Yang output.
> But I think I'm back at json now :P
>
> Paul
>
> > On Wed, Oct 25, 2023 at 4:18 PM Andrew Cagney <andrew.cagney at gmail.com>
> wrote:
> >       > How about I add "whack --briefconnectionstatus", which would be wrapped by "ipsec briefconnectionstatus"? This would show (at least) what you listed above.
> >
> >       It would somehow display both:
> >           host<->host kernel state
> >           selector<->selector kernel policy
> >       ?
> >
> >       I suspect more useful than the reqid are the type of policy(1) and/or routing
> >
> >       Andrew
> >
> >       (1) There's a bear trap here, pluto has three words - reject, drop,
> >       hold - that all mean block(linux) / discard(bsd); I'd ignore it
> >
> >
> >
>
>
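As an added example (not code from the PR or from libreswan itself), here is a small Python parser for the `ipsec --briefconnectionstatus` output shown at the top of the thread, in the spirit of Paul's remark that people could write their own programs over the status output: it re-joins the line the mail client wrapped, converts the KiB counters to byte counts, and turns each connection line into a JSON-ready record. The sample text is constructed from the quoted output, and the field names, the regexes and the handling of the "000" prefix are my own assumptions about the format, not libreswan's definition of it.

```python
import re
# Constructed sample: the `ipsec --briefconnectionstatus` output quoted above, mail-wrapped.
SAMPLE = """\
000 Connection list:
000
000 172.16.20.0/24 @ 172.22.18.102 (2KiB in)  <==>  172.16.10.0/24 @
172.22.18.101 (1KiB in) vpnclient.gwn02.xyz.com, reqid=16388
000
000 Total IPsec connections: loaded 1, active 1
"""

# Assumed layout of one side of a connection: "<selector> @ <host> (<bytes> in)".
_END = r"(?P<{p}_net>\S+) @ (?P<{p}_host>\S+) \((?P<{p}_in>\d+(?:[KMGT]i)?B) in\)"
CONN_RE = re.compile(_END.format(p="left") + r"\s+<==>\s+" + _END.format(p="right")
                     + r"\s+(?P<name>\S+), reqid=(?P<reqid>\d+)$")
TOTAL_RE = re.compile(r"Total IPsec connections: loaded (\d+), active (\d+)")
_UNIT = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}

def parse_size(text):
    """Convert a counter such as '2KiB' to an integer byte count."""
    m = re.fullmatch(r"(\d+)((?:[KMGT]i)?B)", text)
    if not m:
        raise ValueError(f"unrecognised counter: {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]

def unwrap(text):
    """Strip the '000' status prefix; a line without it is a wrapped continuation."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000"):
            lines.append(raw[3:].strip())
        elif lines:  # mail wrapping split a status line; glue it back on
            lines[-1] += " " + raw.strip()
    return lines

def parse_brief_status(text):
    """Parse the brief status into a JSON-ready dict; unknown lines are kept."""
    result = {"connections": [], "loaded": None, "active": None, "unparsed": []}
    for line in unwrap(text):
        if line in ("", "Connection list:"):
            continue
        if m := CONN_RE.match(line):
            conn = m.groupdict()
            conn["left_in"] = parse_size(conn["left_in"])
            conn["right_in"] = parse_size(conn["right_in"])
            conn["reqid"] = int(conn["reqid"])
            result["connections"].append(conn)
        elif m := TOTAL_RE.match(line):
            result["loaded"], result["active"] = int(m.group(1)), int(m.group(2))
        else:
            result["unparsed"].append(line)  # format changed? keep it visible
    return result
```

Anything that matches neither pattern lands in `unparsed` rather than being dropped, so a monitoring script notices when the output format changes instead of silently reporting fewer tunnels.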