Re: [Swan-dev] WIP: supporting xfrm SA expire

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Paul Wouters wrote: I noticed you used salifebytes= and salifepackets=. I'm still working with these for now. Since I'm adding code for deleting an IPsec SA when hard timer hits, I also have a need to ignore a hard timer when testing, so I created two new impair values "

Re: [Swan-dev] if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Andrew Cagney wrote: Is this something like memory leaks which should be checked at the end of every test, or can it be limited to the se-linux specific tests where the goal is to, presumably, tickle these errors? It should be checked at every test, so we know when someth

Re: [Swan-dev] if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 19:58, Paul Wouters wrote: > It’s a log of all selinux warnings in permissive mode. > > Is this something like memory leaks which should be checked at the end of every test, or can it be limited to the se-linux specific tests where the goal is to, presumably, tickle these er

Re: [Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 21:14, Paul Wouters wrote: > On Mon, 5 Apr 2021, Andrew Cagney wrote: > > > It's simpler. > > > > 1) We realise we want to delete a child sa > > 2) we send the delete > > 3) we delete it > > 4) we get a response, but we cannot find the child sa

Re: [Swan-dev] auto shutdown of tets

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Andrew Cagney wrote: On Mon, 5 Apr 2021 at 20:53, Paul Wouters wrote: I find myself reading the logs and getting confused by additional messages that come in via some automatic shutdown being called. I thought running a single test case would not cause th

Re: [Swan-dev] auto shutdown of tets

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 20:53, Paul Wouters wrote: > > Hi, > > I find myself reading the logs and getting confused by additional > messages that come in via some automatic shutdown being called. > > I thought running a single test case would not cause these? Perhaps > that was never tested with nam

Re: [Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Andrew Cagney wrote: It's simpler. 1) We realise we want to delete a child sa 2) we send the delete 3) we delete it 4) we get a response, but we cannot find the child sa SPI Yea, that's too aggressive with deleting the incoming channel.  I'm p

Re: [Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 20:45, Paul Wouters wrote: > On Mon, 5 Apr 2021, Andrew Cagney wrote: > > > although the comment is slightly out-of-date. The bit > SMF2_SUPPRESS_SUCCESS_LOG has been added (more are needed). You could try > adding it to this transition: > > I'll try and play with that. >

[Swan-dev] auto shutdown of tets

2021-04-05 Thread Paul Wouters
Hi, I find myself reading the logs and getting confused by additional messages that come in via some automatic shutdown being called. I thought running a single test case would not cause these? Perhaps that was never tested with namespaces? Could the automatic shutdown perhaps use ipsec whac

Re: [Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Andrew Cagney wrote: although the comment is slightly out-of-date.  The bit SMF2_SUPPRESS_SUCCESS_LOG has been added (more are needed).  You could try adding it to this transition: I'll try and play with that. Also, I wonder if we should keep a recent list of dele

Re: [Swan-dev] if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

2021-04-05 Thread Paul Wouters
It’s a log of all selinux warnings in permissive mode. Sent from my iPhone > On Apr 5, 2021, at 19:52, Andrew Cagney wrote: > >  > Could someone enlighten me as to why this appears in final.sh? :-) > > ___ > Swan-dev mailing list > Swan-dev@lists.li

[Swan-dev] if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

2021-04-05 Thread Andrew Cagney
Could someone enlighten me as to why this appears in final.sh? :-)

Re: [Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 19:03, Paul Wouters wrote: > > Eg see this log: > > Apr 5 18:56:32.909849: "west" #4: sent CREATE_CHILD_SA request to rekey > IPsec SA > Apr 5 18:56:32.917812: "west" #4: rekeyed #3 STATE_V2_REKEY_CHILD_I1 and > expire it remaining life 28774.21038s > Apr 5 18:56:32.91792

Re: [Swan-dev] Cut status, was Fwd: [Swan-commit] Changes to ref refs/heads/main

2021-04-05 Thread Andrew Cagney
On Mon, 5 Apr 2021 at 15:19, Paul Wouters wrote: > > > > Begin forwarded message: > > *From:* Andrew Cagney > *Date:* April 5, 2021 at 14:49:53 EDT > *To:* swan-com...@lists.libreswan.org > *Subject:* *[Swan-commit] Changes to ref refs/heads/main* > *Reply-To:* swan-dev@lists.libreswan.org > > 

[Swan-dev] Bogus "established IKE SA" messages

2021-04-05 Thread Paul Wouters
Eg see this log: Apr 5 18:56:32.909849: "west" #4: sent CREATE_CHILD_SA request to rekey IPsec SA Apr 5 18:56:32.917812: "west" #4: rekeyed #3 STATE_V2_REKEY_CHILD_I1 and expire it remaining life 28774.21038s Apr 5 18:56:32.917920: "west" #4: negotiated connection [192.0.1.0-192.0.1.255:0

[Swan-dev] Cut status, was Fwd: [Swan-commit] Changes to ref refs/heads/main

2021-04-05 Thread Paul Wouters
Begin forwarded message: > From: Andrew Cagney > Date: April 5, 2021 at 14:49:53 EDT > To: swan-com...@lists.libreswan.org > Subject: [Swan-commit] Changes to ref refs/heads/main > Reply-To: swan-dev@lists.libreswan.org > > New commits: > commit f2e9404f55bb3e8e40a9bf1f4cb28e198cb90603 > Aut

Re: [Swan-dev] WIP: supporting xfrm SA expire

2021-04-05 Thread Paul Wouters
On Mon, 5 Apr 2021, Antony Antony wrote: Here is my sa expire branch rebased to main. #sa-expire https://github.com/antonyantony/libreswan/tree/sa-expire Thanks! I had a look and I think it looks pretty good. It needs a bit more work to merge to main. I'll look at the code again and fix "FIXME". I