[Openswan dev] RFC: Changes to whack's --status output

D. Hugh Redelmeier hugh at mimosa.com
Thu Nov 25 00:21:14 CET 2004


| From: Ken Bantoft <ken at xelerance.com>

| While debugging the Cisco VPN Client interop stuff, mcr and I decided we 
| need to update the output of whack's --status output.

It would be good to get a set of goals to make sure nothing is
forgotten.  Here are a few contributions:

- whack should use terminology that matches the UI (i.e. ipsec.conf
  etc.)

- the current design of whack allows grep to select everything related
  to a particular conn.  It does this by prefixing each of the
  multiple lines of output with the conn name.  I think that this is
  a useful characteristic.

  But there are other approaches to the same problem.  For example,
  --status could be given a name to report on, or pattern to match
  names to report on.

- a compact notation is useful: there are often a lot of connections
  and being able to see more at once is useful.

- --status dumps "everything".  The original idea was that different
  userland reporting tools could be selective about displaying the
  information.  So far, none of those tools has been written AFAIK.
  They could produce any of the examples you propose.  Perhaps still a
  good idea.

  I think that mixing everything from cert details to keying lifetime
  in one report may be overkill.  Still useful for barfs.

  UML tests might be simplified if (some variant of) --status left out
  some details that differ between runs but don't matter.

After reading a lot of --status output, I don't think 3 is the best
choice.  Just look at the amount of screen real estate it takes.

The current first line of a connection is often too wide.  There are
two obvious ways to break.

1.  break it into levels.  Maximally:

	left auth stuff, right auth stuff
	left subnet, right subnet
	left ip, right ip
	left nexthop, right nexthop

2. split between left and right (this used to be done iff the line was
   long but management required this to be removed)

Proposal: test out the proposals with --status post-processing.  They
can be added to the ipsec command easily.
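
An added example (not part of the original post, and not Openswan code) of the kind of --status post-processing proposed above: it selects one conn by name and applies break option 2, splitting the wide first line between left and right while keeping the conn-name prefix on every line so grep still works. The function names, the sample lines, and the assumed line shape `NNN "conn": <left>...<right>; <flags>` are constructed for illustration.

```shell
# Constructed sample of --status text (assumed shape, not from the post).
sample_status() {
    cat <<'EOF'
000 interface eth0/eth0 192.0.2.1
000 "west-east": 10.0.1.0/24===192.0.2.1[@west]---192.0.2.254...192.0.2.129---192.0.2.2[@east]===10.0.2.0/24; erouted; eroute owner: #2
000 "west-east":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s
000 "roadwarrior": 192.0.2.1[@west]...%any[@rw]; unrouted; eroute owner: #0
EOF
}

# status_split [CONN]  (hypothetical helper)
#   Reads status text on stdin. With CONN, keeps only that conn's lines;
#   without it, keeps everything. The topology line is split at "...".
status_split() {
    awk -v want="$1" '
    {
        # Lines without a quoted conn name are global status.
        if (match($0, /^[0-9]+ "[^"]+"(\[[0-9]+\])?: /) == 0) {
            if (want == "") print
            next
        }
        prefix = substr($0, 1, RLENGTH)
        body   = substr($0, RLENGTH + 1)
        split(prefix, parts, "\"")          # parts[2] is the conn name
        if (want != "" && parts[2] != want) next

        dots = index(body, "...")           # separator between the two ends
        if (dots == 0) { print; next }      # not a topology line: pass through
        left = substr(body, 1, dots - 1)
        rest = substr(body, dots + 3)
        semi = index(rest, ";")             # flags follow the first semicolon
        if (semi) {
            right = substr(rest, 1, semi - 1)
            flags = substr(rest, semi + 1)
            sub(/^ +/, "", flags)
        } else {
            right = rest
            flags = ""
        }
        print prefix "  left: " left
        print prefix " right: " right
        if (flags != "") print prefix " flags: " flags
    }'
}
```

Run it as `sample_status | status_split west-east`, or feed it real --status text once the assumed line shape has been checked against the installed version.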