On Sun, Dec 24, 2023 at 05:17:12PM -0500, Paul Wouters wrote:
>
> Hi,
>
> Antony added the following code:
>
> +#if defined(HAVE_NFTABLES)
> + if (spd->local->child->has_cat) {
> + ip_selector client =
> selector_from_address(spd->local->host->addr);
> +
> +
On Thu, Jul 20, 2023 at 07:07:31PM +0200, Antony Antony wrote:
> Hi Brady,
>
> See some feedback from testing your latest branch, from an hour ago.
>
> On Thu, Jul 20, 2023 at 05:07:10PM +0200, Brady Johnson wrote:
> > Hello,
> >
> > I submit several patch sets
Hi Brady,
See some feedback from testing your latest branch, from an hour ago.
On Thu, Jul 20, 2023 at 05:07:10PM +0200, Brady Johnson wrote:
> Hello,
>
> I submit several patch sets to my XFRM IP ref-counting PR [0] in the past
> few days. I fixed the assert/segfault that Antony reported on the
On Fri, Mar 03, 2023 at 12:48:32PM +0100, Brady Johnson wrote:
> Ok, agreed it should be decoupled from updown.
>
> I'm trying to determine where to store the ref counted IP addresses
> (v4/v6). I could add it to the pluto_xfrmi struct
> (kernel_xfrm_interface.c/h) but then that would not include
On Fri, Feb 03, 2023 at 10:25:47AM -0500, Paul Wouters wrote:
> On Fri, 3 Feb 2023, Antony Antony wrote:
> Of course, a side effect of doing this was that we _did_ update the
> byte counters so every time the dpddelay period was reached, or a whack
> status or delete was issued, we
Hi,
cagney
antony, check the pexpect in
https://testing.libreswan.org/v4.7-492-g6fcffb2868-main/ikev2-expire-02-packets/OUTPUT/west.pluto.log.gz
kernel: kernel_process_msg_cb() process xfrm message
kernel: netlink_get: XFRM_MSG_EXPIRE message with legth 248
netlink_kernel_sa_expire spi 0x17ab1391
For last couple of years I have been using an extended version of the
FreSWAN diagram and added "duo" and "float"
My motivation was more clear hosts, routing FLOAT with dual uplink.
https://libreswan.org/wiki/images/f/f1/Testnet-202102.png
I have nsrun that support sunset,sunrise, Tokyo. I al
Are there any other feedback? I have will start a testrun and there are no
other issues I plan to merge sa-expire branch to the main in next 12 hours
or so.
Thanks Paul for the review.
-antony
On Sun, Jun 26, 2022 at 06:51:56PM -0400, Paul Wouters wrote:
> On Jun 26, 2022, at 18:35, Antony
On Fri, Jun 24, 2022 at 02:22:14PM -0400, Paul Wouters wrote:
> On Tue, 21 Jun 2022, Antony Antony wrote:
>
> > Hi Paul,
> > Here is a new iteration sa-expire branch. I cherry picked changes from
> > https://github.com/paulwouters/libreswan/tree/sa-expire-2022-01-06
> &
, Jun 21, 2022 at 04:59:01PM +0200, Antony Antony wrote:
> Hi Paul,
> Here is a new iteration sa-expire branch. I cherry picked changes from
> https://github.com/paulwouters/libreswan/tree/sa-expire-2022-01-06
>
> and rebased to origin/main.
>
> I have created a PR to make i
nce.
regards,
-antony
On Thu, Jan 06, 2022 at 10:34:36PM -0500, Paul Wouters wrote:
> On Tue, 7 Dec 2021, Antony Antony wrote:
>
> > I have rebased the branches a couple days ago. minor fixes to ignore
> > acquire SA expire. GiB...EiB support.
>
> I've reviewed and r
remnant from KLIPS
mast?
the one barf could be replaced next.
ipsec: --checknflog would only work if the libreswan was built with
iptables.
On Wed, Jun 08, 2022 at 08:39:20PM +0200, Antony Antony wrote:
> Breaking down task of adding nft support.
>
> On Wed, Jun 08, 2022 at 10:38:16AM -0
Breaking down task of adding nft support.
On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> this week it is https://github.com/libreswan/libreswan/issues/116
I am in favor of adding nft support along with iptable support. Add build
variable? Any thoughts on how to add nft support
Hi,
On Fri, May 20, 2022 at 05:52:02PM -0400, Balaji Thoguluva wrote:
> Hi All,
>
> I have a couple of basic questions.
>
> 1) Is there any way (any parameter) so we can disable the IPsec processing
> in Libreswan and just use the IKE functionality in Libreswan?
There was an option no-kernel or
Hi,
While working on xfrm sa expire messages and extending the parser with
binary prefixes I noticed a bug in our parser, libipsecconf code?
May be it is something for parser experts! Hugh, would you please take a look?
test cases: libipsecconf-09-time-prefix and libipsecconf-10-percentage-prefi
I have rebased the branches a couple days ago. minor fixes to ignore
acquire SA expire. GiB...EiB support.
On Sun, Nov 28, 2021 at 05:21:36PM -0500, Paul Wouters wrote:
> On Nov 27, 2021, at 14:03, Antony Antony wrote:
> >
> > Hi,
> > I rebased this branch and imp
On Sat, Nov 27, 2021 at 07:23:00PM -0500, Andrew Cagney wrote:
>
>
> One thing decide as group is how to represent big number (2^64) bytes
> and
> packets, especially the default 2^64 will appear in "ipsec status:
> output.
> 18446744073709551615 look ug
, 2021 at 02:38:08PM -0400, Paul Wouters wrote:
> On Tue, 6 Apr 2021, Antony Antony wrote:
>
> > > I noticed you used salifebytes= and salifepackets=. I think it would be
> > > more intuitive to call these maxbytes= and maxpackets. Or limit-bytes=
> > > or bytelimit= and
Hugh,
you spotted a bug in debug output.
I think the idea is to log @ reqid=.
either dst or src would change. I also recollect trying to log the ports
when there is encap.
debug output is in:
https://testing.libreswan.org/v4.4-483-g292ec75828-main/ikev2-mobike-05-gcm/OUTPUT/north.pluto.log.gz
On Mon, Apr 19, 2021 at 02:02:39PM -0400, Andrew Cagney wrote:
>
>
> On Mon, 19 Apr 2021 at 11:53, Antony Antony wrote:
>
> On Sat, Apr 17, 2021 at 08:33:18PM -0400, Andrew Cagney wrote:
> > BTW, I took a look at swan-prep --dnssec. As best I can the
On Sat, Apr 17, 2021 at 08:33:18PM -0400, Andrew Cagney wrote:
> BTW, I took a look at swan-prep --dnssec. As best I can the big difference
> between namespaces and KVM is when the config files are installed:
>
> - with KVMs the nsd and unbound directories are set up before the test is run
> (dur
On Sat, Apr 17, 2021 at 11:03:15AM -0400, Andrew Cagney wrote:
> Problem is still there :-( Anyone had some inspiration? For instance with
> nsd-4.3.2-1.fc32.x86_64
> https://testing.libreswan.org/v4.3-474-g9267a3fd5d-main/ikev2-55-ipseckey-06/
> OUTPUT/nic.console.diff
>
> On Mon, 29 Mar 2021
On Mon, Apr 05, 2021 at 01:22:39PM -0400, Paul Wouters wrote:
> On Mon, 5 Apr 2021, Antony Antony wrote:
>
> > Here is my sa expire branch rebased to main.
> >
> > #sa-expire
> > https://github.com/antonyantony/libreswan/tree/sa-expire
>
> Thanks! I had a l
Hi Paul,
Here is my sa expire branch rebased to main.
#sa-expire
https://github.com/antonyantony/libreswan/tree/sa-expire
It need a bit more work to merge to main. I look the code again and fix
"FIXME". It also need more tests.
If you feel like helping add more tests. This would help to get the
On Wed, Jan 06, 2021 at 09:33:12AM -0500, Andrew Cagney wrote:
> On Mon, 4 Jan 2021 at 11:06, Antony Antony wrote:
> >
> > On Sun, Jan 03, 2021 at 11:54:30AM -0500, Paul Wouters wrote:
> > > On Sun, 3 Jan 2021, Andrew Cagney wrote:
> > >
> > > > Subje
On Sun, Jan 03, 2021 at 11:54:30AM -0500, Paul Wouters wrote:
> On Sun, 3 Jan 2021, Andrew Cagney wrote:
>
> > Subject: [Swan-dev] what is INTERFACE_IP / ifaceip / interface-ip= for?
>
> > I suspect it has something to do with XFRMI. As best I can, in the
> > current code, it is simply being pas
it my fixes or even revert them?
iPhone send Protocol ID: RESERVED (0). So far Cisco is the only outlier we
know of.
regards,
-antony
On Fri, Oct 16, 2020 at 02:36:20PM +, Antony Antony wrote:
> New commits:
> commit f9fada7234b69d069d00d22163229bfe071ef70e
> Author: Antony
On Thu, Oct 15, 2020 at 03:03:35PM -0400, Paul Wouters wrote:
> On Thu, 15 Oct 2020, Antony Antony wrote:
>
> > I am glad to see 4.0 is out.
> > Looking at the commit that bump to 4.0 I notice a drift.
> >
> > Use of IPSECBASEVERSION as opposed to @IPSECBASEVERSION
I am glad to see 4.0 is out.
Looking at the commit that bump to 4.0 I notice a drift.
Use of IPSECBASEVERSION as opposed to @IPSECBASEVERSION@ are popping up
When changing to 4.x cycle would be a good time to drift towards
@IPSECBASEVERSION@ again.
Here is a previous discussions and consensus f
On Wed, Sep 16, 2020 at 09:53:49AM -0400, Paul Wouters wrote:
> On Wed, 16 Sep 2020, Antony Antony wrote:
>
> > I had a quick look. IKEv1 need extra message (3 round trips) as opposed to
> > IKEv2(2 round trips). And initiator is installing policies in different
> > orde
On Mon, Sep 28, 2020 at 12:44:03PM -0400, Andrew Cagney wrote:
> I'm planning on removing the sanitizer ipsec-auto-up.n.sed. It removes what I
> consider to be important contextual information from console.txt. For
> instance, consider this output:
I think it is a useful swanitizer. May be twe
On Mon, Sep 21, 2020 at 05:07:27PM -0400, Andrew Cagney wrote:
>
>
> On Mon, 21 Sep 2020 at 15:32, Antony Antony wrote:
>
> Andrew,
>
> after a closer look I see l2tp and ppp configuration file could be in the
> form 'hostname + "."
On Tue, Sep 22, 2020 at 04:14:34PM -0400, Andrew Cagney wrote:
> Regardless of the end, a line like:
> leftrsasigkey=
> leftrsasigkey2=...
> will always add public keys like:
> (generated?) leftid / leftrsasigkey
> (generated?) leftid / leftrsasigkey2
> to the list of raw public keys.
t have a good fix. So I will leave it for now.
eff59a46350f is only a hack to prevent a common error.
On Mon, Sep 21, 2020 at 07:12:18PM +0200, Antony Antony wrote:
> Hi Andrew,
>
> I do not quite follow your arguments.
>
> when did we allow west.ipsec.secrets to work? It should not work!
ations of:
> west.ipsec.secrets
> westipsec.secrets
> west.secrets
> ipsec.secrets
> I figured reducing this list to just:
> west.ipsec.secrets
> ipsec.secrets
> (and perhaps only allowing one) + logging the result was for a later pass.
>
> On Mon, 21
On Fri, Sep 18, 2020 at 09:23:33AM -0400, Paul Wouters wrote:
> On Thu, 17 Sep 2020, Antony Antony wrote:
>
> > recent xfrmi changes
> > https://github.com/libreswan/libreswan/commit/78253c41f6200f2f505e14775cdbaca3b40ae5c8
> > has a few conflicts with xfrmi fixes I was
recent xfrmi changes
https://github.com/libreswan/libreswan/commit/78253c41f6200f2f505e14775cdbaca3b40ae5c8
has a few conflicts with xfrmi fixes I was working on, and discussed here on
swan-dev. I am not able to follow up the code churn and things going too
fast, may be there is pressure of relea
On Wed, Sep 16, 2020 at 10:35:07PM -0400, Andrew Cagney wrote:
> First, I believe ikev2-03-basic-rawrsa-ckaid is fixed. It uses the CKAID to
> directly locate the raw key in the NSS DB. To confirm it is working, look in
> west.pluto.log for "CKAID".
add an empty file ipsec.secrets in the test di
would help to add IKE policies is use of struct kernel_sa
netlink_raw_eroute() same as netlink_add_sa(). Now that KLIPS is gone we
make this change. Keeping the shunt code as it is.
On Fri, Sep 04, 2020 at 12:15:05PM -0400, Paul Wouters wrote:
> On Fri, 4 Sep 2020, Antony Antony wr
oh, that was me. I added new tests and sanitizer line when I noticed new
test need it. I did not realize it would affect existing tests. Let me push
the two tests.
Thanks Hugh for spotting them.
On Mon, Aug 31, 2020 at 09:28:04AM -0400, D. Hugh Redelmeier wrote:
> It looks like a new filter was
On Mon, Aug 24, 2020 at 10:15:36PM -0400, Sonia Rovner wrote:
> We are using Libreswan 3.32. We would like to replace the IPsec Kernel
> stack with our software to handle encryption and decryption of data
> packets. We would like to use Libreswan to negotiate the IPSec SA keys for
> us. We have p
On Tue, Aug 18, 2020 at 10:24:03PM -0400, Paul Wouters wrote:
> On Fri, 14 Aug 2020, Andrew Cagney wrote:
>
> > It was pointed out to me (offline) that swan-test contained a bashism
> > (== vs =), but on closer inspection it seems the file is dead so I
> > deleted it.
> >
> > Are there more files
On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:
>
> I know I asked this before, but I just wanted to see if anyone changed
> their view on this since the last time. Should we keep or remove the
> nflog support in libreswan?
I vote to keep it for now. My reasons below.
> Since we
On Wed, Aug 12, 2020 at 08:37:29AM -0400, Andrew Cagney wrote:
> I'm guessing neither of you use multiple groups of test domains, or if
in my case you are wrong! I have hinted in the previous e-mail how long it
takes to install with 23 groups. Yes I use multiple groups. I have one just
for fedo
I started with this e-mail before Paul's request to stop this attempt.
I guess for this round sshd will survive in default install!
However, I post the e-mail to explicitly document usecase of ssh for the
future.
On Mon, Aug 10, 2020 at 10:16:53PM -0400, Paul Wouters wrote:
> On Aug 10, 2020, a
Hi Wolfgang,
The easiest at the moment is namespace testing.
If you have Fedora 32 VM or host namespace testing would work.
That is getting more attention. It also known to work on CentOS and few
tests on Debian.
The Docker testing has been falling behind. I use it more for Compiling
using vari
On Wed, Aug 05, 2020 at 07:38:28PM -0400, Andrew Cagney wrote:
> it is a starting point, however the disk image (or clones) are:
> - created using kick-start
> - booted as base to install packages
> - booted as build to build libvirt
I have a feeling a better approach is completely avoid the booti
On Mon, May 04, 2020 at 09:09:25PM -0400, Paul Wouters wrote:
> On Mon, 4 May 2020, Andrew Cagney wrote:
>
> > I found this and other tests weren't working as expected:
>
> Yes, because the patch was not in and the test case assuming a patch was
> :)
>
> > # output should be empty
> >
good. F32 guests also looks promising, smooth upgrade.
Running a couple of tests manually passed without any changes. It suggest
minimal changes to console outputs.
I have pushed initial f32.{ks,mk} may be we can co-ordinate and upgrade
default guest version F32 sooner than later.
to try F32 k
On Wed, Apr 29, 2020 at 01:35:42PM -0400, Paul Wouters wrote:
> On Wed, 29 Apr 2020, Tuomo Soini wrote:
>
> > > An earlier version of the patch needed that then I realized that
> > > whole logic different. And fixed it.
> >
> > I also note that my initial suggestion as a fix was to remove the che
On Wed, Apr 29, 2020 at 06:21:02PM +0200, Antony Antony wrote:
> On Wed, Apr 29, 2020 at 10:44:36AM -0400, Paul Wouters wrote:
> > On Wed, 29 Apr 2020, Antony Antony wrote:
> > Additionally, as I pointed out there is the issue of addresspool without
> > narrowing=yes w
On Wed, Apr 29, 2020 at 09:45:56AM -0400, Andrew Cagney wrote:
>
>
> On Wed, 29 Apr 2020 at 01:54, Antony Antony wrote:
>
> Here is my attempt to fix it. I guess there more attempts Paul and Andrew
> has their own? I didn't commit because there more happen
On Wed, Apr 29, 2020 at 10:44:36AM -0400, Paul Wouters wrote:
> On Wed, 29 Apr 2020, Antony Antony wrote:
>
> > Here is my attempt to fix it. I guess there more attempts Paul and Andrew
> > has their own?
>
> You didn't guess, you replied and you you would read
been testing this? any issues?
regards,
-antony
>From 4a6860c2dce178a591ee9855239a555a68c41fbb Mon Sep 17 00:00:00 2001
From: Antony Antony
Date: Sun, 19 Apr 2020 08:54:48 +
Subject: [PATCH] ikev2: rekey responder check use exising scoring logic
Fix Windows 10 rekey response. Windows dur
Dear fellow developers.
I just noticed the IKEv2 IPsec rekey responder code has regressed beyond
recognition! too many changes after the main regression:) While trying to
figure out I notice logging and debugging lines changed too (possibly old)
some with STATE_ and other without the prefix STA
On Wed, Apr 08, 2020 at 10:07:43AM -0400, Andrew Cagney wrote:
>
>
> On Wed, 8 Apr 2020 at 02:29, Antony Antony wrote:
>
> Hi,
>
> I am hunting a couple of corner cases, IKEv2 rekey initiator failures.
> These issues appear when testing clones. Thin
Hi,
I am hunting a couple of corner cases, IKEv2 rekey initiator failures.
These issues appear when testing clones. Think of 100 IKEv2 Child SAs under
one IKE SA and rekeying them all. In the test rekey margin and salife are
short. Short values do not matter, because looking back in Tuomo prod
On Mon, Mar 30, 2020 at 12:07:17PM -0400, Andrew Cagney wrote:
> I'm cleaning up the impair code.
>
> Internally, the old style #define names are in upper case vis:
> #define IMPAIR_REPLAY_FORWARD ...
> and
> IMPAIR(REPLAY_FORWARD)
> while the new ones (that take parameters) are in lower case
On Tue, Feb 25, 2020 at 10:04:22AM -0500, Andrew Cagney wrote:
> The libreswan's code base has reached an interesting point. We
> support (or are at least trying to support :-) two network interfaces:
>
> - BSDKAME
> - XFRM (does xfrmi qualify as a separate stack?)
no. xfrmi can't work without
On Wed, Mar 11, 2020 at 08:12:05AM -0400, Andrew Cagney wrote:
> On Wed, 11 Mar 2020 at 01:09, Antony Antony wrote:
> >
> > On Tue, Mar 10, 2020 at 11:51:06AM -0400, Andrew Cagney wrote:
> > > I'd like to change this log message as follows:
> > >
> > > >
On Tue, Mar 10, 2020 at 11:51:06AM -0400, Andrew Cagney wrote:
> I'd like to change this log message as follows:
>
> - change #2 (the CHILD SA) to #1 (the IKE SA)
good idea
> - drop "STATE_PARENT_I2: "
It sounds like bad idea to rush this change. An identifier without spaces is
easy grep.
If
On Fri, Mar 06, 2020 at 02:01:39PM -0500, Andrew Cagney wrote:
> Yea,
>
> On Fri, 6 Mar 2020 at 11:47, Antony Antony wrote:
> >
> > while fixing the bug, left=%eth1, reported in
> > https://lists.libreswan.org/pipermail/swan/2020/003458.html. I ran into a
> > !h
while fixing the bug, left=%eth1, reported in
https://lists.libreswan.org/pipermail/swan/2020/003458.html. I ran into a
!happy() and core dump. If I remove the following check the fix would work;
test case addconn-05
sockaddr_to_endpoint
- /* XXX: to strict? */
- if
On Tue, Mar 03, 2020 at 03:05:46PM -0500, Paul Wouters wrote:
> On Tue, 3 Mar 2020, Paul Wouters wrote:
>
> > Current shunt handling cannot deal with this, as the second keyingtries
> > sometimes tries to install a second shunt, which sometimes “works” due to
> > not being widened. This is causi
On Mon, Mar 02, 2020 at 09:59:58AM -0500, D. Hugh Redelmeier wrote:
> | commit 21100cee5f207c24ee55ad6c612a84a6140ba583
> | Author: Paul Wouters
> | Date: Sun Mar 1 21:46:17 2020 -0500
> |
> | IKEv2: Set keyingtries to 1 for Opportunistic Encryption connections.
> |
> | We cannot h
5b695243d is a bad idea.
ipsec-interface=no is the default. We should not add default in the test
case.
Also in this specific case it cause error and test fails. Clearly after the
commit this can't pass.
https://testing.libreswan.org/v3.30-165-g9166798071-master/ikev2-xfrmi-01/OUTPUT/north.
On Wed, Feb 26, 2020 at 11:00:30AM -0500, Paul Wouters wrote:
> On Wed, 26 Feb 2020, Antony Antony wrote:
>
> > > I still do not prefer changing the way versioning works. We have never
> > > done this before.
> >
> > why not?
>
> Because we have never
On Fri, Feb 28, 2020 at 08:50:06AM -0500, Paul Wouters wrote:
> On Fri, 28 Feb 2020, Antony Antony wrote:
>
> > One odd thing is empty pluto.log in master. That makes it a bit harder to
> > analyze.
>
> As I mentioned "ipsec pluto" was used instead of "
a quick respond. I quickly double checked with whack --rekey uncommented
It works as expected. So I pushed the change. Lets see output
testing.libreswan.org produce, however, pluto.log might be empty.
One odd thing is empty pluto.log in master. That makes it a bit harder to
analyze.
https://te
On Tue, Feb 25, 2020 at 09:56:41AM -0500, Paul Wouters wrote:
> On Tue, 25 Feb 2020, Antony Antony wrote:
>
> > > Would it be better to do a true 3.30.1?
> >
> > +1 to this idea.
>
> I still do not prefer changing the way versioning works. We have never
> d
On Thu, Feb 20, 2020 at 11:52:09AM -0500, Andrew Cagney wrote:
> On Thu, 20 Feb 2020 at 11:47, Paul Wouters wrote:
> >
> > Thanks for the patch. We will do a 3.31 that still contains KLIPS and
> > has this patch.
>
> Would it be better to do a true 3.30.1?
+1 to this idea.
I also propose next n
b52fc2d fix the build error it cause runtime segfault.
I wonder did you test b52fc2d . my quick test show a segmentation fault at
pluto shutdown.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x in ?? ()
Missing separate debuginfos, use: dnf debuginfo-install
I have an idea to sanitize the transient lines such as
"retransmission; will wait" during testrun.
Some test where we need to the retransmission add a special marker e.g
"ipsec auto --up #retransmits" I suggest "#retransmits" as a
convention. and open to short catchy word. It can also be just
to follow up from IRC. Hoping, for better coordination, instead of stepping
on each other's toes, on DNSSEC test clean ups. My current issue is
difference between two KVM runs, testing.libreswan.org and
swantest.libreswan.fi/s2/. I am not comparing namespace output here. My kvm
run output [1].
Hi Tuomo and Paul,
I am sorry to create tension here. It is not worth losing sleep over.
It seems I am the only user of libreswan-testing.spec for now.
I am happy to remove it from the repository and keep it local!
By any luck after reading rest of the e-mail, if you think lets keep it in
the g
On Wed, Feb 12, 2020 at 01:57:15PM -0500, Andrew Cagney wrote:
> efence should be enabled on testing?
>
> make OBJDIR=OBJ.kvm USE_EFENCE=true ALL_ALGS=false USE_SECCOMP=true
> USE_LABELED_IPSEC=true USE_NSS_IPSEC_PROFILE=true SD_RESTART_TYPE=no
> USE_KLIPS=true USE_NSS_PRF= USE_FIPSCHECK=true base
can't start pluto with Electric Fence enabled, on F30 with updates.
I noticed Electric Fence was disabled.
I enabled EF, then pluto, #master on F30, fails to start.
Tuomo suspect pk11-kit is part of issue.
Here are few lines from gdb bt, and link to full bt below.
#14 0x7fc59225c1e6 in NSS_
for a while I have been noticing some of the xauth tests failing.
Here is an interesting one
https://testing.libreswan.org/v3.28-1676-gb2d29e7dd1-master/xauth-pluto-25-lsw299/OUTPUT/north.console.diff
It seems to happen to 2-4 xauth tests.
Initially I thought it is traffic anomaly. As I re-col
CentOS 8 support xfrmi, the back port included kernel-4.18.0-147.el8
https://git.centos.org/rpms/kernel/c/74e6aea855eecc7e3f053ac9837c2b396df80cc7?branch=c8
CONFIG_XFRM_INTERFACE=m
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libr
6:48AM -0500, Andrew Cagney wrote:
> On Thu, 30 Jan 2020 at 06:39, Paul Wouters wrote:
> >
> > On Thu, 30 Jan 2020, Antony Antony wrote:
> >
> > > Here is my proposed patch to compile xfrmi on CentOS8.
> > > Any adjustments?
> >
> > Looks good. P
On Thu, Jan 30, 2020 at 10:35:48AM -0500, Andrew Cagney wrote:
> On Wed, 29 Jan 2020 at 04:06, Paul Wouters wrote:
> >
> > On Wed, 29 Jan 2020, Antony Antony wrote:
> >
> > > Antony foresee new type ttipcider(), as there are objections to reuse
> > > subnet(
Here is my proposed patch to compile xfrmi on CentOS8.
Any adjustments?
make USE_XFRM_INTERFACE_IFLA_HEADER=true USE_XFRM_INTERFACE=true programs
On Fri, Jan 24, 2020 at 07:29:13AM -0500, Paul Wouters wrote:
> On Thu, 23 Jan 2020, Antony Antony wrote:
> >
> > Tested outpu
On Wed, Jan 29, 2020 at 04:00:10AM -0500, Paul Wouters wrote:
> On Tue, 28 Jan 2020, Antony Antony wrote:
>
> > > I understand that is your preference if _any_ solution is needed. But you
> > > didn't answer my real question. Is there any test case that functionally
&
used for ttipcider().
Additionally:
suggests to leave subnet as without ports and protocol, and create
traffic_selectior() for parsing keyword subnet from our config.
On Mon, Jan 27, 2020 at 02:56:02PM -0500, Andrew Cagney wrote:
> On Mon, 27 Jan 2020 at 11:39, Antony Antony wrote:
> >
On Tue, Jan 28, 2020 at 04:59:41PM -0500, Paul Wouters wrote:
> On Tue, 28 Jan 2020, Antony Antony wrote:
>
> > > I see people using cut and paste and suddenly seeing multiple markers and
> > > missing markers. So I prefer to not use it if we can avoid them.
> >
>
On Tue, Jan 28, 2020 at 08:31:03PM +0100, Paul Wouters wrote:
>
> > On Jan 28, 2020, at 18:45, Andrew Cagney wrote:
> >
> >> On Tue, 28 Jan 2020 at 11:10, Antony Antony wrote:
> >>
> >> I am curious what your thoughts now?
> >> Is it a goo
On Tue, Jan 28, 2020 at 10:45:54AM -0500, Andrew Cagney wrote:
> On Tue, 28 Jan 2020 at 10:22, Antony Antony wrote:
> >
> > On Tue, Jan 28, 2020 at 09:19:52AM -0500, Andrew Cagney wrote:
> > > On Tue, 28 Jan 2020 at 06:31, Antony Antony wrote:
> > > >
&
On Tue, Jan 28, 2020 at 09:19:52AM -0500, Andrew Cagney wrote:
> On Tue, 28 Jan 2020 at 06:31, Antony Antony wrote:
> >
> > the markers should be used in nicinit for simple tests where we use
> > eastinit.sh, nicinit.sh and final.sh
>
> why
Lets start from the basi
the markers should be used in nicinit for simple tests where we use
eastinit.sh, nicinit.sh and final.sh
other wise use 00-host-xx.sh and no final.sh.
otherwise you get crazy things final.sh to avoid running on nic.
this has NOTHING to do with swantest.
-antony
On Tue, Jan 28, 2020 at 06:17:46AM
On Tue, Jan 28, 2020 at 05:44:10AM -0500, Paul Wouters wrote:
>
> Thanks for finding this bug Antony!
>
> I'm sorry you got bitten by this when you merged in the xfrmi branch.
>
> It does prove a point that branches become stale, and re-merging master
> into them regularly is a good thing. Then
t/OUTPUT/west.console.diff
-antony
On Sun, Jan 26, 2020 at 11:08:08PM +0100, Antony Antony wrote:
> I tracked the regression to addconn. You will see difference ipsec status
> after adding the connection: v2-auth-hash-policy: none
> with "none" the initiator will only propose RSASIG-v1.5.
On Sat, Jan 25, 2020 at 09:41:39PM -0500, Andrew Cagney wrote:
> On Sat, 25 Jan 2020 at 15:29, Antony Antony wrote:
> >
> > First, I noticed sanitizers have improved a lot. Thanks.
> >
> > I know iptable change was discussed a while ago[1].
> >
> > Now we ar
first quick answer to Hugh's follow up questions.
On Mon, Jan 27, 2020 at 10:58:45AM -0500, D. Hugh Redelmeier wrote:
> Has iface-ip been advertised?
no. code is incomplete. We can change at this point. I would be happy to.
Though Paul may have signoff. My recollection is, he want something simil
ev2-x509-38-failureshunt/east.conf
Note: I could not reproduce it on other x509 configurations. Some simple
config without also lines does not seems to change with
failureshunt=passthrough.
On Sun, Jan 26, 2020 at 12:40:42PM +0100, Antony Antony wrote:
> after xfrmi merge a change IPsec algori
after xfrmi merge a change IPsec algorithm was noticed. Sorry I didn't
notice this on xfrmi branch alone.
Careful committing new console outputs before this is fixed. If you commit
new outputs now once this regression is fixed those tests may flip back.
cagney: is pointing at commit 32e11cc9b4
gcc 10 is already in Fedora rawhide, likely to be part of Fedora 32.
compiling libreswan using gcc 10 shows more warnings.
Here is a build log on rawhide with gcc 10.
https://travis-ci.org/antonyantony/libreswan/builds/641769798
libreswan travis only compile Fedora 30.
for more distributions inclu
First, I noticed sanitizers have improved a lot. Thanks.
I know iptable change was discussed a while ago[1].
Now we are sanitizing sport and dport when it is not default, however, for
some tests like mobike it is not a good idea.
I am still thinking how to change the tests to preserve the ports
On Fri, Jan 24, 2020 at 09:10:40AM -0500, Andrew Cagney wrote:
> On Fri, 24 Jan 2020 at 07:49, Paul Wouters wrote:
> > > On Jan 24, 2020, at 13:44, Andrew Cagney
> > >> They do. no = 0, yes = 1 and the man page does not explain this.
> > >
> > > So if I specify:
> > > ipsec-interface=no
> > > I
while testing xfrmi Tuomo noticed regression in connswitch code.
We looked further, and found the issue in test cases too,
ikev2-connswitch-01. Using git bisect:
# first bad commit: [c3ac240cb62e032b3efaebe8cfec79de5ed9ccf2] IKEv2:
# !POLICY_ALLOW_NO_SAN was only checked on initiator, not respond
On Wed, Jan 22, 2020 at 04:32:42PM -0500, Paul Wouters wrote:
> On Wed, 22 Jan 2020, Antony Antony wrote:
>
> > > As no other people are weighing in, I'll stop objecting provided the
> > > parser crashers are resolved.
> >
> > thanks! lets give the n