On Fri, 27 Oct 2023, Brady Johnson wrote:

And here is the output of the new command I added:

ipsec briefconnectionstatus
000 Connection list:
000  
000 "vpnclient.gwn02.xyz.com": 172.16.20.0/24===172.22.18.102[O=XYZ, CN=vpnclient.gwn02.xyz.com]...172.22.18.101[O=XYZ, CN=vpnserver.gwn01.xyz.com]===172.16.10.0/24;
000  
000 Total IPsec connections: loaded 1, active 1

This still seems a little verbose, but I think it provides just enough info. If
somebody wants more info, they can just use the "ipsec connectionstatus" command.

The old "ipsec eroute" would have shown something like:

172.16.20.0/24 -> 172.16.10.0/24 => tun@[email protected]

I was proposing only adding the traffic counter (in+out) and conn name
(not any IDs because the IDs are long, especially with certs), eg:

172.16.20.0/24 -> 172.16.10.0/24 => tun@[email protected]  188M  vpnclient.gwn02.xyz.com

These also used tabs so it would kind of align, eg like (not sure if it
will render properly in email):

172.16.20.0/24  -> 172.16.10.0/24    => tun@[email protected]     188M    vpnclient.gwn02.xyz.com
1.1.1.1/32      -> 8.8.8.0/24        => tun@[email protected]      88G     blabla.gwn02.xyz.com


Of course, we then decided not to put all this into pluto, as everyone
has their own wishlist for output, and just output json. Then people
could write their own programs and we could add some favourite /
standard ones during install or in contrib/
Then we looked at something dbus compatible, but dbus libraries are
terrible. Then we looked at varlink.org, but it failed to get momentum.
Then I thought perhaps some Yang output.
But I think I'm back at json now :P

Paul

On Wed, Oct 25, 2023 at 4:18 PM Andrew Cagney <[email protected]> wrote:
      > How about I add "whack --briefconnectionstatus", which would be wrapped by
      > "ipsec briefconnectionstatus"? This would show (at least) what you listed above.

      It would somehow display both:
          host<->host kernel state
          selector<->selector kernel policy
      ?

      I suspect more useful than the reqid are the type of policy(1) and/or routing

      Andrew

      (1) There's a bear trap here, pluto has three words - reject, drop,
      hold - that all mean block(linux) / discard(bsd); I'd ignore it
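As an added example (not code from this thread or from libreswan itself), here is a small Python parser that turns the brief status output quoted above into JSON, in the spirit of "just output json and let people write their own programs". The `000 ` prefix and the `left===host[id]...host[id]===right;` layout are taken from the sample output; the regex, the field names and the eroute-style summary line are my own assumptions.

```python
import json
import re

# Constructed sample: the "ipsec briefconnectionstatus" output quoted in the
# thread, with the email line wrapping undone.
SAMPLE = "\n".join([
    "000 Connection list:",
    "000 ",
    '000 "vpnclient.gwn02.xyz.com": 172.16.20.0/24===172.22.18.102'
    "[O=XYZ, CN=vpnclient.gwn02.xyz.com]...172.22.18.101"
    "[O=XYZ, CN=vpnserver.gwn01.xyz.com]===172.16.10.0/24;",
    "000 ",
    "000 Total IPsec connections: loaded 1, active 1",
])

# One connection line; the [id] parts are optional so hosts without an ID
# (assumption) still parse. IDs may contain spaces and commas (certs do).
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<left_subnet>\S+?)==='
    r'(?P<left_host>[^\[\s]+?)(?:\[(?P<left_id>[^\]]*)\])?\.\.\.'
    r'(?P<right_host>[^\[\s]+?)(?:\[(?P<right_id>[^\]]*)\])?'
    r'===(?P<right_subnet>[^;]+);$'
)
TOTAL_RE = re.compile(r"^000 Total IPsec connections: loaded (\d+), active (\d+)$")


def parse_brief_status(text: str) -> dict:
    """Parse pluto's 000-prefixed brief status into a JSON-serialisable dict."""
    conns, totals = [], {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(m.groupdict())  # missing ids come out as None/null
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = {"loaded": int(m.group(1)), "active": int(m.group(2))}
    return {"connections": conns, "totals": totals}


def to_json(text: str) -> str:
    return json.dumps(parse_brief_status(text), indent=2)


def eroute_style(conn: dict) -> str:
    """Compact selector -> selector line plus conn name, like the proposal above
    (no traffic counter: the status output does not carry one)."""
    return f"{conn['left_subnet']} -> {conn['right_subnet']}\t{conn['name']}"


if __name__ == "__main__":
    print(to_json(SAMPLE))
```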



_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev