[Openswan dev] RFC: Changes to whack's --status output
D. Hugh Redelmeier
hugh at mimosa.com
Thu Nov 25 00:21:14 CET 2004
| From: Ken Bantoft <ken at xelerance.com>
| While debugging the Cisco VPN Client interop stuff, mcr and I decided we
| need update the output of whack's --status output.
It would be good to get a set of goals to make sure nothing is
forgotten. Here are a few contributions:
- whack should use terminology that matches the UI (i.e. ipsec.conf
- the current design of whack allows grep to select everything related
to a particular conn. It does this by prefixing each of the
multiple lines of output with the conn name. I think that this is
a useful characterisitic.
But there are other approaches to the same problem. For example,
--status could be given a name to report on, or pattern to match
names to report on.
- a compact notation is useful: there are often a lot of connections
and being able to see more at once is useful.
- --status dumps "everything". The original idea was that different
userland reporting tools could be selective about displaying the
information. So far, none of those tools has been written AFAIK.
They could produce any of the examples you propose. Perhaps still a
I think that mixing everything from cert details to keying lifetime
in one report may be overkill. Still useful for barfs.
UML tests might be simplified if (some variant of) --status left out
some details that differ between runs but don't matter.
After reading a lot of --status output, I don't think 3 is the best
choice. Just look at the amount of screen real estate it takes.
The current first line of a connection is often too wide. There are
two obvious ways to break.
1. break it into levels. Maximally:
left auth stuff, right auth stuff
left subnet, right subnet
left ip, right ip
left nexthop, right nexthop
2. split between left and right (this used to be done iff the line was
long but management required this to be removed)
Proposal: test out the proposals with --status post-processing. They
can be added to the ipsec command easily.
More information about the Dev