Here is the PR for this change [0]. I'm not sure why, but the PR is getting a semgrep failure in GitHub.
The output is the following:

$ ipsec --briefconnectionstatus
000 Connection list:
000
000 172.16.20.0/24 @ 172.22.18.102 (2KiB in) <==> 172.16.10.0/24 @ 172.22.18.101 (1KiB in) vpnclient.gwn02.xyz.com, reqid=16388
000
000 Total IPsec connections: loaded 1, active 1

Notice I added the reqid to the output of the "ipsec connectionstatus" command.

Can I get a review of this PR, please.

[0] https://github.com/libreswan/libreswan/pull/1350

*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.john...@redhat.com

On Sat, Oct 28, 2023 at 3:36 AM Paul Wouters <p...@nohats.ca> wrote:

> On Fri, 27 Oct 2023, Brady Johnson wrote:
>
> > And here is the output of the new command I added:
> >
> > ipsec briefconnectionstatus
> > 000 Connection list:
> > 000
> > 000 "vpnclient.gwn02.xyz.com": 172.16.20.0/24===172.22.18.102[O=XYZ, CN=vpnclient.gwn02.xyz.com]...172.22.18.101[O=XYZ, CN=vpnserver.gwn01.xyz.com]===172.16.10.0/24;
> > 000
> > 000 Total IPsec connections: loaded 1, active 1
> >
> > This still seems a little verbose, but I think it provides just enough
> > info. If somebody wants more info, they can just use the
> > "ipsec connectionstatus" command.
>
> The old "ipsec eroute" would have shown something like:
>
> 172.16.20.0/24 -> 172.16.10.0/24 => tun@SPI@172.22.18.101
>
> I was proposing only adding the traffic counter (in+out) and conn name
> (not any IDs because the IDs are long, especially with certs), eg:
>
> 172.16.20.0/24 -> 172.16.10.0/24 => tun@SPI@172.22.18.101 188M vpnclient.gwn02.xyz.com
>
> These also used tabs so it would kind of align, eg like (not sure if it
> will render properly in email):
>
> 172.16.20.0/24 -> 172.16.10.0/24 => tun@SPI@172.22.18.101   188M  vpnclient.gwn02.xyz.com
> 1.1.1.1/32     -> 8.8.8.0/24     => tun@SPI@2.2.2.1         88G   blabla.gwn02.xyz.com
>
> Of course, we then decided not to put all this into pluto, as everyone
> has their own wishlist for output, and just output json. Then people
> could write their own programs and we could add some favourite /
> standard ones during install or in contrib/
> Then we looked at something dbus compatible, but dbus libraries are
> terrible. Then we looked at varlink.org, but it failed to get momentum.
> Then I thought perhaps some Yang output.
> But I think I'm back at json now :P
>
> Paul
>
> > On Wed, Oct 25, 2023 at 4:18 PM Andrew Cagney <andrew.cag...@gmail.com> wrote:
> >
> > How about I add "whack --briefconnectionstatus", which would be wrapped by
> > "ipsec briefconnectionstatus"? This would show (at least) what you listed above.
> >
> > It would somehow display both:
> > host<->host kernel state
> > selector<->selector kernel policy
> > ?
> >
> > I suspect more useful than the reqid are the type of policy(1) and/or routing
> >
> > Andrew
> >
> > (1) There's a bear trap here, pluto has three words - reject, drop,
> > hold - that all mean block(linux) / discard(bsd); I'd ignore it
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev