On 27 July 2016 at 05:49, Paul Wouters <[email protected]> wrote: > > hi, > > I think we are seeing a few false positives if during final.sh (or just > after it when one end is still executing final.sh) one end shut down and > sends a delete/notify to the other. It can be processed before in > final.sh it runs ipsec look, which then shows up as a missing IPsec SA.
Yes. According to: http://testing.libreswan.org/results/testing/2016-07-26-1948-3.18dr3-207-g57f5c49-dirty-master/nflog-01-global/OUTPUT/debug.log kvmrunner ran the scripts in the order: INFO t1.runner nflog-01-global 1:30:36.794/1:58.900: running scripts: east:eastinit.sh west:westinit.sh west:westrun.sh east:final.sh west:final.sh i.e., the below was first run on east: ipsec look : ==== cut ==== ipsec auto --status : ==== tuc ==== ipsec stop # show no nflog left behind iptables -L -n if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi : ==== end ==== and then, once it finished, it was then run on west. Since the final.sh scripts are no longer being run in parallel, the output may actually be stable - assuming "ipsec stop" blocks until things shut down. > For example: > > http://testing.libreswan.org/results/testing/2016-07-26-1948-3.18dr3-207-g57f5c49-dirty-master/nflog-01-global/OUTPUT/west.console.diff > > http://testing.libreswan.org/results/testing/2016-07-26-1948-3.18dr3-207-g57f5c49-dirty-master/nflog-03-conns/OUTPUT/east.console.diff > This was probably one reason to not call shutdown in final.sh mostly, > although some testcases need to do some specific test and do that, > such as the nflog ones. > > Paul > _______________________________________________ > Swan-dev mailing list > [email protected] > https://lists.libreswan.org/mailman/listinfo/swan-dev _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
